[PATCH OLK-5.10] wifi: mac80211: check tdls flag in ieee80211_tdls_oper
From: Deepanshu Kartikey <kartikey406@gmail.com>

mainline inclusion
from mainline-v7.0-rc5
commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14584
CVE: CVE-2026-43052

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b upstream.

When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the station exists but not whether it is actually a TDLS station. This allows the operation to proceed for non-TDLS stations, causing unintended side effects like modifying channel context and HT protection before failing.

Add a check for sta->sta.tdls early in the ENABLE_LINK case, before any side effects occur, to ensure the operation is only allowed for actual TDLS peers.

Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ Alexey: Adapted to the older sta_mtx locking and error-handling flow. ]
Signed-off-by: Alexey Panov <apanov@astralinux.ru>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yi Yang <yiyang13@huawei.com>
--- net/mac80211/tdls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c index e01e4daeb8cd..66e32f1d0a98 100644 --- a/net/mac80211/tdls.c +++ b/net/mac80211/tdls.c 
@@ -1380,7 +1380,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev, mutex_lock(&local->sta_mtx); sta = sta_info_get(sdata, peer); - if (!sta) { + if (!sta || !sta->sta.tdls) { mutex_unlock(&local->sta_mtx); ret = -ENOLINK; break; -- 2.25.1
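Review bot: In the ENABLE_LINK lookup, the new `!sta->sta.tdls` test shares the `-ENOLINK` return with the missing-station case, so a caller cannot distinguish "no such peer" from "peer exists but is not a TDLS station". If that is intended, a one-line comment above the `if` stating that the flag must be tested before the channel context and HT protection are touched (the reason given in the commit message) would keep a later refactor from moving the check. The test is made while `sta_mtx` is held and the mutex is released on the error path, which fits the backport note about the older locking flow. Because the hunk shows only a few lines of context, it is worth confirming against the full 5.10 function that none of the side effects named in the commit message run before this lookup.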
Feedback:
The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/24292
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/SQ5...