Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'wireless-2026-01-08' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Johannes Berg says:

====================
Couple of fixes:
- mac80211:
- long-standing injection bug due to chanctx rework
- more recent interface iteration issue
- collect statistics before removing stations
- hwsim:
- fix NAN frequency typo (potential NULL ptr deref)
- fix locking of radio lock (needs softirqs disabled)
- wext:
- ancient issue with compat and events copying some
uninitialized stack data to userspace

* tag 'wireless-2026-01-08' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
wifi: mac80211: collect station statistics earlier when disconnect
wifi: mac80211: restore non-chanctx injection behaviour
wifi: mac80211_hwsim: disable BHs for hwsim_radio_lock
wifi: mac80211: don't iterate not running interfaces
wifi: mac80211_hwsim: fix typo in frequency notification
wifi: avoid kernel-infoleak from struct iw_point
====================

Link: https://patch.msgid.link/20260108140141.139687-3-johannes@sipsolutions.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+20 -6
+3 -3
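--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -4040,7 +4040,7 @@
 ieee80211_vif_to_wdev(data->nan_device_vif);
 
 if (data->nan_curr_dw_band == NL80211_BAND_5GHZ)
-ch = ieee80211_get_channel(hw->wiphy, 5475);
+ch = ieee80211_get_channel(hw->wiphy, 5745);
 else
 ch = ieee80211_get_channel(hw->wiphy, 2437);
 
@@ -4112,14 +4112,14 @@
 hrtimer_cancel(&data->nan_timer);
 data->nan_device_vif = NULL;
 
-spin_lock(&hwsim_radio_lock);
+spin_lock_bh(&hwsim_radio_lock);
 list_for_each_entry(data2, &hwsim_radios, list) {
 if (data2->nan_device_vif) {
 nan_cluster_running = true;
 break;
 }
 }
-spin_unlock(&hwsim_radio_lock);
+spin_unlock_bh(&hwsim_radio_lock);
 
 if (!nan_cluster_running)
 memset(hwsim_nan_cluster_id, 0, ETH_ALEN);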
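Review bot: The `ieee80211_get_channel()` result in the first hunk is stored in `ch` with no NULL check in the visible lines, and the mistyped 5475 that this commit corrects shows how easily a bare literal makes that lookup fail. If `ch` is dereferenced or passed on later in the function (its body continues outside the hunk), a guard such as `if (WARN_ON_ONCE(!ch))` leading to the function's existing exit path would turn a future typo into a warning instead of a NULL dereference. Naming the two frequencies, or deriving them with `ieee80211_channel_to_frequency()` from the channel number and band, would also make the values easier to review.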
+3
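--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -90,6 +90,9 @@
 /* next (or first) interface */
 iter->sdata = list_prepare_entry(iter->sdata, &local->interfaces, list);
 list_for_each_entry_continue(iter->sdata, &local->interfaces, list) {
+if (!ieee80211_sdata_running(iter->sdata))
+continue;
+
 /* AP_VLAN has a chanctx pointer but follows AP */
 if (iter->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
 continue;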
+4 -3
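--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1533,6 +1533,10 @@
 }
 }
 
+sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
+if (sinfo)
+sta_set_sinfo(sta, sinfo, true);
+
 if (sta->uploaded) {
 ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE,
 IEEE80211_STA_NOTEXIST);
@@ -1541,9 +1545,6 @@
 
 sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr);
 
-sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
-if (sinfo)
-sta_set_sinfo(sta, sinfo, true);
 cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL);
 kfree(sinfo);
 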
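Review bot: The relocated `sta_set_sinfo()` call carries no comment saying why it has to run before `drv_sta_state(..., IEEE80211_STA_NOTEXIST)`, so a later cleanup could move it back next to `cfg80211_del_sta_sinfo()`. A line such as `/* collect statistics while the driver still knows the station */` above the `kzalloc()` would record the ordering requirement the commit title describes. `sinfo` is now also held across the driver call and the lines between the two hunks, which are not shown; any exit path added there has to `kfree(sinfo)`. A failed allocation still passes a NULL `sinfo` to `cfg80211_del_sta_sinfo()`, as it did before the change.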
+2
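--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2397,6 +2397,8 @@
 
 if (chanctx_conf)
 chandef = &chanctx_conf->def;
+else if (local->emulate_chanctx)
+chandef = &local->hw.conf.chandef;
 else
 goto fail_rcu;
 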
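Review bot: The new `else if (local->emulate_chanctx)` branch takes `&local->hw.conf.chandef` without any visible check that a channel has actually been configured there. Whether `chandef->chan` can still be unset at this point cannot be told from the hunk, so the code that consumes `chandef` after it (outside the hunk) should be confirmed to reject that case the same way the `goto fail_rcu` path does. A short comment, for example `/* no chanctx with emulated chanctx: inject on the current hw channel */`, would also record why this fallback exists, given that the merge text says it restores behaviour lost in the chanctx rework.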
+4
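--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -1101,6 +1101,10 @@
 return ioctl_standard_call(dev, iwr, cmd, info, handler);
 
 iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+/* struct iw_point has a 32bit hole on 64bit arches. */
+memset(&iwp, 0, sizeof(iwp));
+
 iwp.pointer = compat_ptr(iwp_compat->pointer);
 iwp.length = iwp_compat->length;
 iwp.flags = iwp_compat->flags;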
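Review bot: The added comment names the padding hole but not the reason a `memset()` is used, and that reason is what keeps the fix in place: an initializer such as `= {}` or field-by-field assignment is not guaranteed to clear padding bytes, so a later tidy-up could bring back the uninitialized stack bytes the merge text says reached userspace. Extending it to `/* struct iw_point has a 32bit hole on 64bit arches; memset() so the padding is zeroed too */` would make that explicit. The same conversion from `struct compat_iw_point` is repeated in net/wireless/wext-priv.c with an identical memset, so a small shared helper doing the zeroing and the three assignments would keep the two copies from drifting apart.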
+4
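--- a/net/wireless/wext-priv.c
+++ b/net/wireless/wext-priv.c
@@ -228,6 +228,10 @@
 struct iw_point iwp;
 
 iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+/* struct iw_point has a 32bit hole on 64bit arches. */
+memset(&iwp, 0, sizeof(iwp));
+
 iwp.pointer = compat_ptr(iwp_compat->pointer);
 iwp.length = iwp_compat->length;
 iwp.flags = iwp_compat->flags;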