From: Miri Korenblit miriam.rachel.korenblit@intel.com
[ Upstream commit d7a54d02db41f72f0581a3c77c75b0993ed3f6e2 ]
This is currently not initialized for a virtual monitor, leading to a NULL pointer dereference when - for example - iterating over all the keys of all the vifs.
Reviewed-by: Johannes Berg johannes.berg@intel.com
Signed-off-by: Miri Korenblit miriam.rachel.korenblit@intel.com
Link: https://patch.msgid.link/20250709233400.8dcefe578497.I4c90a00ae3256520e06319...
Signed-off-by: Johannes Berg johannes.berg@intel.com
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
Based on my analysis of the commit and the code changes, here is my assessment:
**YES**
This commit should be backported to stable kernel trees for the following reasons:
1. **Critical NULL Pointer Dereference Fix**: The commit fixes a NULL pointer dereference that occurs when iterating over the key_list of virtual monitor interfaces. This is a crash-inducing bug that affects system stability.
2. **Clear Bug with Simple Fix**: The issue is straightforward - the `key_list` was not initialized for virtual monitor interfaces created via `ieee80211_add_virtual_monitor()`. The fix is minimal and contained - it simply moves the `INIT_LIST_HEAD(&sdata->key_list)` initialization from `ieee80211_if_add()` into `ieee80211_sdata_init()`, ensuring all sdata structures have their key_list properly initialized.
3. **Real-World Impact**: The bug can be triggered when any code iterates over all interfaces and their keys. Looking at the code, functions like `ieee80211_iter_keys()` and `ieee80211_iter_keys_rcu()` iterate through all interfaces when called without a specific vif parameter:

```c
list_for_each_entry(sdata, &local->interfaces, list)
	list_for_each_entry_safe(key, tmp, &sdata->key_list, list)
```

This would cause a NULL pointer dereference when it encounters a virtual monitor interface.
4. **Minimal Risk**: The change is extremely low risk - it only adds initialization of a list head that should have been initialized all along. There are no architectural changes or feature additions.
5. **Follows Stable Rules**: This perfectly fits the stable kernel criteria:
   - Fixes a real bug (NULL pointer dereference/crash)
   - Small and contained change (2 lines moved)
   - Obviously correct fix
   - No new features or behaviors introduced
The commit is similar in nature to commit #5 in the reference list which was marked as suitable for backporting - both fix NULL pointer dereferences in the wifi/mac80211 subsystem with minimal, targeted changes.
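As an added illustration (not part of the patch or of the explanation above), the constructed stand-in below models a Linux-style intrusive list head and a cut-down sdata: a zeroed allocation leaves `next`/`prev` NULL, so walking the key list faults, while running `INIT_LIST_HEAD` in the common init path, as the fix does, makes iteration safe. The names `sdata`, `key`, `count_keys` and `key_list_is_usable` are assumptions for this demo, not mac80211 identifiers.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel's intrusive list (not kernel code). */
struct list_head { struct list_head *next, *prev; };
static inline void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static inline void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}

/* Hypothetical cut-down ieee80211_sub_if_data / ieee80211_key (assumed names). */
struct sdata { int id; struct list_head key_list; };
struct key   { int keyidx; struct list_head list; };

/* A zeroed (kzalloc-style) sdata has next == prev == NULL; the kernel's
 * list_for_each_entry would step through that NULL on its first iteration. */
static bool key_list_is_usable(const struct sdata *s) {
    return s->key_list.next != NULL && s->key_list.prev != NULL;
}

/* Count keys, returning -1 instead of faulting when the head was never initialized. */
static int count_keys(const struct sdata *s) {
    if (!key_list_is_usable(s)) return -1;
    int n = 0;
    for (const struct list_head *p = s->key_list.next; p != &s->key_list; p = p->next)
        n++;
    return n;
}

/* Before the fix: the virtual monitor path allocated the sdata but never ran
 * INIT_LIST_HEAD(&sdata->key_list), so any key walk hit a NULL next pointer. */
static int keys_on_virtual_monitor_before_fix(void) {
    struct sdata s = {0};       /* zeroed like kzalloc, key_list left untouched */
    return count_keys(&s);      /* -1: a real list_for_each_entry would oops here */
}

/* After the fix: INIT_LIST_HEAD runs in the common init path for every sdata. */
static int keys_after_fix(int nkeys) {
    struct sdata s = {0};
    INIT_LIST_HEAD(&s.key_list);            /* what ieee80211_sdata_init() now does */
    struct key *keys = calloc(nkeys > 0 ? nkeys : 1, sizeof *keys);
    for (int i = 0; i < nkeys; i++) {
        keys[i].keyidx = i;
        list_add(&keys[i].list, &s.key_list);
    }
    int n = count_keys(&s);
    free(keys);
    return n;
}
```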
net/mac80211/iface.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 7d93e5aa595b2..0485a78eda366 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -1117,6 +1117,8 @@ static void ieee80211_sdata_init(struct ieee80211_local *local, { sdata->local = local;
+ INIT_LIST_HEAD(&sdata->key_list); + /* * Initialize the default link, so we can use link_id 0 for non-MLD, * and that continues to work for non-MLD-aware drivers that use just @@ -2177,8 +2179,6 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
ieee80211_init_frag_cache(&sdata->frags);
- INIT_LIST_HEAD(&sdata->key_list); - wiphy_delayed_work_init(&sdata->dec_tailroom_needed_wk, ieee80211_delayed_tailroom_dec);
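Review bot: The first hunk (`ieee80211_sdata_init()`) carries no Fixes: tag in the trailers even though the patch is queued for stable; naming the commit that introduced the virtual monitor sdata without this initialization would let stable maintainers pick the right trees. Placing `INIT_LIST_HEAD(&sdata->key_list);` directly after `sdata->local = local;` makes the init unconditional for every sdata that passes through `ieee80211_sdata_init()`, which is the property the commit message relies on for `ieee80211_add_virtual_monitor()`; that call site is not in the diff, so confirm the virtual monitor path really reaches `ieee80211_sdata_init()` before any key iteration can run.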
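Review bot: Dropping `INIT_LIST_HEAD(&sdata->key_list);` from `ieee80211_if_add()` in the second hunk is only safe if `ieee80211_sdata_init()` has already run on this sdata by that point; the visible context (`ieee80211_init_frag_cache(&sdata->frags);` and `wiphy_delayed_work_init(&sdata->dec_tailroom_needed_wk, ...)`) does not show that call, so verify the ordering before merging. A redundant second init would have been harmless, so keeping the single init in the common path is the cleaner choice once that ordering is confirmed.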