From: Moon Hee Lee moonhee.lee.ca@gmail.com
[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ]
ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB.
RX may run before JOIN_OCB is executed, in which case the OCB interface is not operational. Skip RX peer handling when the interface is not joined to avoid warnings in the RX path.
Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054
Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com
Signed-off-by: Moon Hee Lee moonhee.lee.ca@gmail.com
Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com
Signed-off-by: Johannes Berg johannes.berg@intel.com
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
OCB support has been in the kernel since 2014 - it exists in all supported stable trees.
## 3. CLASSIFICATION
- **Type:** Bug fix - fixes kernel warnings triggered by a race condition
- **Category:** Not an exception category - straightforward bug fix
- **Security:** Not directly security-related, but the WARN_ON_ONCE could trigger a panic on systems with `panic_on_warn=1`
## 4. SCOPE AND RISK ASSESSMENT
- **Size:** Minimal - 3 lines added (one check + early return)
- **Files:** 1 file (net/mac80211/ocb.c)
- **Complexity:** Very low - simple flag check before proceeding
- **Risk:** Extremely low
  - Uses existing `joined` flag already used elsewhere in the same file
  - Follows established pattern (identical check exists at line 126)
  - Cannot break existing functionality - before join, nothing should happen anyway
## 5. USER IMPACT
- **Affected users:** OCB mode users (vehicle-to-vehicle communications, IEEE 802.11p)
- **Severity:** Medium - causes kernel warnings in the RX path
- **Systems with `panic_on_warn=1`:** This could cause system crashes
- **Reproducibility:** Confirmed reproducible by syzkaller
## 6. STABILITY INDICATORS
- **Tested-by: syzbot** - Fix verified by the same fuzzer that found the bug
- **Maintainer sign-off:** Johannes Berg (mac80211 maintainer)
- **Pattern established:** Same check pattern already used in `ieee80211_ocb_work()`
## 7. DEPENDENCY CHECK
- No dependencies on other commits
- Uses existing `joined` flag (in kernel since 2014)
- Will apply cleanly to any stable tree with OCB support
## SUMMARY
This is an ideal stable backport candidate:
1. **Obviously correct:** Simple early-return check using an existing flag, follows a pattern already in the code
2. **Fixes real bug:** Syzbot-reported, reproducible kernel warnings
3. **Small and contained:** 3 lines, single file, no side effects
4. **No new features:** Just adds a defensive check
5. **Low risk:** Cannot break anything - OCB shouldn't process RX before joining anyway
6. **Tested:** Verified by syzbot
The fix prevents kernel warnings (and potential crashes on `panic_on_warn` systems) when RX frames arrive on an OCB interface before it has finished the join operation. It's a simple, surgical fix with no risk of regression.
**YES**
net/mac80211/ocb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c index a5d4358f122a..ebb4f4d88c23 100644 --- a/net/mac80211/ocb.c +++ b/net/mac80211/ocb.c @@ -47,6 +47,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata, struct sta_info *sta; int band;
+ if (!ifocb->joined) + return; + /* XXX: Consider removing the least recently used entry and * allow new one to be added. */
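Review bot: the new `if (!ifocb->joined) return;` at the top of ieee80211_ocb_rx_no_sta() reads the `joined` flag without any visible synchronization, and the hunk context does not show where `ifocb` is declared, so the fix relies on two things outside the hunk: that `ifocb` is already set up from `sdata->u.ocb` above these lines, and that the join path sets `joined` only after the channel context this function depends on is in place. If `joined` were set before the channel context is assigned, RX arriving in that window would pass the check and still hit the same warning, so it is worth confirming the ordering in the join path when reviewing this for backport. The early return is also silent; a debug-level message on the dropped pre-join frame would make this path visible when diagnosing similar reports, though it is not required for correctness.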