Open
Description
In order to facilitate work to fix the below bug, I am posting the majority of the bug that was posted in linux-wireless a few months ago:
Description:
Monitor mode packet injection fails when performed on a virtual monitor interface created while the physical interface is running in AP mode. This worked correctly in all kernel versions up to v6.8.x but fails starting from v6.9.0.
A maintainer of the rtw88 repository hinted that the issue might originate from the following commit. After compiling and testing the parent commit, I can confirm that the issue appears to originate from the following commit.
* Commit: torvalds/linux@0a44dfc "wifi: mac80211: simplify non-chanctx drivers"
* URL: https://github.com/torvalds/linux/commit/0a44dfc070749514b804ccac0b1fd38718f7daa1
Reproduction Steps:
1. Configure AP mode on wlan0 using hostapd
2. Create a virtual monitor interface:
   iw dev wlan0 interface add wlan0mon type monitor addr 12:34:56:78:AB:CD
3. Test frame injection with your preferred method:
   aireplay-ng -9 wlan0mon
Results:
Working behavior (≤v6.8):
23:58:12 Trying broadcast probe requests...
23:58:12 Injection is working!
23:58:14 xx:xx:xx:xx:xx:xx - channel: 1 - 'xxxxxxx'
23:58:20 30/30: 100%
23:58:20 xx:xx:xx:xx:xx:xx - channel: 1 - 'xxxxxxx'
23:58:21 Ping (min/avg/max): 4.066ms/27.308ms/170.734ms Power: -24.87
23:58:21 30/30: 100%
Broken behavior (≥v6.9):
23:58:12 Trying broadcast probe requests...
23:58:14 xx:xx:xx:xx:xx:xx - channel: 1 - 'xxxxxxx'
23:58:20 0/30: 0%
23:58:20 xx:xx:xx:xx:xx:xx - channel: 1 - 'xxxxxxx'
23:58:21 Ping (min/avg/max): 4.066ms/27.308ms/170.734ms Power: -24.87
23:58:21 0/30: 0%
Kernel Testing Matrix:
Working kernels:
* linux-image-6.1.0-kali9-amd64 (6.1.27-1kali1)
* linux-image-6.1.127-custom (6.1.127-1)
* linux-image-unsigned-6.2.0-060200-generic
* linux-image-unsigned-6.2.0-060200rc1-generic
* linux-image-unsigned-6.3.0-060300-generic
* linux-image-unsigned-6.4.0-060400-generic
* linux-image-unsigned-6.5.0-060500-generic
* linux-image-unsigned-6.6.63-060663-generic
* linux-image-unsigned-6.7.10-060710-generic
* linux-image-unsigned-6.8.12-060812-generic
Broken kernels:
* linux-image-unsigned-6.9.0-060900-generic
* linux-image-unsigned-6.9.10-060910-generic
* linux-image-amd64/kali-rolling (6.11.2-1kali1)
* linux-image-unsigned-6.12.0-061200-generic
* linux-image-6.12.13-amd64
* linux-image-6.12.20-amd64
* linux-image-6.12.25-amd64
* linux-image-6.13.1/bookworm (6.13.1-1)
* linux-image-6.14.0
* linux-image-6.14.5
* linux-image-6.15.1-toeirei
* linux-image-6.15.3-toeirei
Additional Information:
This regression is not limited to the specific scenario described above. The issue affects multiple interface combinations:
- Creating a monitor interface while the physical interface runs in AP mode (as described)
- Creating an AP interface on a VIF while the physical interface is in monitor mode, then attempting injection on the physical interface
- Using the physical interface in client mode with a monitor VIF - injection fails in this configuration as well
The poster of this bug is showing kernel 6.9 as the point where the bug showed up; however, it shows up at that point with the "non-chanctx" drivers such as the rtw88 USB drivers. For the "chanctx" drivers such as those from Mediatek, the bug shows up with kernel 6.1.
I am asking all users with this bug to provide a brief on your case so that we have more information to work with.
Cippo2019
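For anyone re-testing across kernels or bisecting, the following added example (not part of the original report or of any project's code) turns `aireplay-ng -9` output into a `good`/`bad`/`skip` verdict that can be passed to `git bisect`. The function names `injection_verdict`, `sample_working` and `sample_broken` are hypothetical, and the sample logs are constructed from the output quoted in the report above.

```shell
#!/bin/sh
# Added example: classify `aireplay-ng -9` output as good / bad / skip.
# Assumes the output format quoted in the report ("N/30: P%" per-AP lines).

# Reads aireplay-ng -9 output on stdin and prints one word:
#   good = injection confirmed, or at least one AP answered directed probes
#   bad  = per-AP tests ran but every one scored 0 replies
#   skip = no result lines at all (test did not run, no APs in range)
injection_verdict() {
    awk '
        /Injection is working!/ { working = 1 }
        # Per-AP result lines look like "23:58:20 30/30: 100%".
        match($0, /[0-9]+\/[0-9]+: +[0-9]+%/) {
            split(substr($0, RSTART, RLENGTH), f, "/")
            tests++
            if (f[1] + 0 > 0) answered++
        }
        END {
            if (working || answered > 0) print "good"
            else if (tests > 0)          print "bad"
            else                         print "skip"
        }'
}

# Constructed sample: the working (<= v6.8) output from the report, shortened.
sample_working() {
    cat <<'EOF'
23:58:12 Trying broadcast probe requests...
23:58:12 Injection is working!
23:58:14 xx:xx:xx:xx:xx:xx - channel: 1 - 'xxxxxxx'
23:58:20 30/30: 100%
EOF
}

# Constructed sample: the broken (>= v6.9) output from the report, shortened.
sample_broken() {
    cat <<'EOF'
23:58:12 Trying broadcast probe requests...
23:58:14 xx:xx:xx:xx:xx:xx - channel: 1 - 'xxxxxxx'
23:58:20 0/30: 0%
23:58:21 Ping (min/avg/max): 4.066ms/27.308ms/170.734ms Power: -24.87
23:58:21 0/30: 0%
EOF
}

# On a booted candidate kernel, after the reproduction steps:
#   git bisect "$(aireplay-ng -9 wlan0mon | injection_verdict)"
```

The `skip` case keeps a run with no access points in range from being recorded as a regression.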