| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260207050035.6720-1-dhyan19022009@gmail.com>
Date: Sat, 7 Feb 2026 10:30:35 +0530
From: Dhyan K Prajapati <dhyan19022009@...il.com>
To: Johannes Berg <johannes@...solutions.net>
Cc: linux-wireless@...r.kernel.org,
linux-kernel@...r.kernel.org,
Dhyan K Prajapati <dhyaan19022009@...il.com>,
Dhyan K Prajapati <dhyan19022009@...il.com>
Subject: [PATCH] wifi: mac80211: skip BSS_CHANGED_TXPOWER notification for monitor mode
From: Dhyan K Prajapati <dhyaan19022009@...il.com>
Monitor mode interfaces don't maintain BSS context. The BSS_CHANGED_TXPOWER notification
indicates transmit power constrains recieved from an associated access point which isn't really
applicable to monitor mode as it does not associate with any BSS
after a commit back in july 2025,("wifi: mac80211: fix WARN_ON for monitor mode
on some devices") monitor interfaces with WANT_MONITOR_VIF began recieving link
change notifications during ieee_add_virtual_monitor(), when ieee_link_use_channel()
assigns a channel context it triggers ieee_recalc_power() which sends BSS_CHANGED_TXPOWER
notifications to driver, driver using legacy bss_info_changed callbeack recieve
link->conf as the bss_conf parameter for monitor mode that points to vif.bss_conf which is not fully initialised
in monitor interfaces, so drivers like iwldvm dereference null and crash
since BSS_CHANGED_TXPOWER notifications are meaningless for monitor mode, we can skip
the notification entirely,monitor mode transmit power remains configurable via
nl80211
Hardware: Dell Latitude E6430
Device: Intel Centrino Advanced-N 6205 [Taylor Peak]
Crash trace:
BUG: kernel NULL pointer dereference at 0000000000000000
RIP: iwlagn_bss_info_changed+0x19d/0x640 [iwldvm]
Call Trace:
drv_link_info_changed+0x2b5/0x2c0
ieee80211_link_info_change_notify+0x13d/0x160
__ieee80211_recalc_txpower+0x44/0xd0
ieee80211_recalc_txpower+0x5c/0x60
ieee80211_assign_link_chanctx+0x182/0x410
ieee80211_link_use_channel+0x413/0x450
ieee80211_add_virtual_monitor+0x17c/0x2b0
Tested-by: Dhyan K Prajapati <dhyan19022009@...il.com>
Signed-off-by: Dhyan K Prajapati <dhyan19022009@...il.com>
---
net/mac80211/iface.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 515384ca2..2d5b4cc60 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -76,10 +76,16 @@ bool __ieee80211_recalc_txpower(struct ieee80211_link_data *link)
void ieee80211_recalc_txpower(struct ieee80211_link_data *link,
bool update_bss)
{
+ struct ieee80211_sub_if_data *sdata = link->sdata;
+
if (__ieee80211_recalc_txpower(link) ||
- (update_bss && ieee80211_sdata_running(link->sdata)))
+ (update_bss && ieee80211_sdata_running(link->sdata))) {
+ if (sdata->vif.type == NL80211_IFTYPE_MONITOR)
+ return;
+
ieee80211_link_info_change_notify(link->sdata, link,
BSS_CHANGED_TXPOWER);
+ }
}
static u32 __ieee80211_idle_off(struct ieee80211_local *local)
--
2.43.0
Powered by blists - more mailing lists