From ddf1337ca43d8cd7dd056c437270df4325d1a787 Mon Sep 17 00:00:00 2001
From: Igor Pecovnik <igor@armbian.com>
Date: Tue, 7 Oct 2025 09:14:05 +0200
Subject: [PATCH] Add Wi-Fi injection patch for Linux 6.12 kernels.

---
 .../compilation/patch/drivers-harness.sh      |   1 +
 .../compilation/patch/drivers_network.sh      |  10 ++
 patch/misc/wireless-injection-6.12.patch      | 136 ++++++++++++++++++
 3 files changed, 147 insertions(+)
 create mode 100644 patch/misc/wireless-injection-6.12.patch

diff --git a/lib/functions/compilation/patch/drivers-harness.sh b/lib/functions/compilation/patch/drivers-harness.sh
index 6bf8abd9a2..71da14e770 100644
--- a/lib/functions/compilation/patch/drivers-harness.sh
+++ b/lib/functions/compilation/patch/drivers-harness.sh
@@ -101,6 +101,7 @@ function kernel_drivers_prepare_harness() {
 
 	declare -a all_drivers=(
 		driver_generic_bring_back_ipx
+		driver_wifi_injection
 		driver_mt7921u_add_pids
 		driver_rtl8152_rtl8153
 		driver_rtl8189ES
diff --git a/lib/functions/compilation/patch/drivers_network.sh b/lib/functions/compilation/patch/drivers_network.sh
index 27a9a4097a..1d2bc251c5 100644
--- a/lib/functions/compilation/patch/drivers_network.sh
+++ b/lib/functions/compilation/patch/drivers_network.sh
@@ -34,6 +34,16 @@ function driver_generic_bring_back_ipx() {
 	fi
 }
 
+driver_wifi_injection() {
+	# - Apply driver-level fixes for monitor/injection path for 6.12 series
+	# - Add compatibility shims for cfg80211/mac80211 where API changed in 6.12
+	# - Add Kconfig option and module parameter notes for enabling injection
+	if linux-version compare "${version}" ge 6.12; then
+                display_alert "Adding" "Enables Wi-Fi packet injection and monitor-mode tweaks" "info"
+                process_patch_file "${SRC}/patch/misc/wireless-injection-6.12.patch" "applying"
+	fi
+}
+
 driver_rtl8189ES() {
 
 	# Wireless drivers for Realtek 8189ES chipsets
diff --git a/patch/misc/wireless-injection-6.12.patch b/patch/misc/wireless-injection-6.12.patch
new file mode 100644
index 0000000000..8436616c3d
--- /dev/null
+++ b/patch/misc/wireless-injection-6.12.patch
@@ -0,0 +1,136 @@
+From 49fba7b2eb838456de98342753ba32055643d757 Mon Sep 17 00:00:00 2001
+From: Steev Klimaszewski <steev@kali.org>
+Date: Wed, 21 May 2025 13:37:51 -0500
+Subject: [PATCH] Add kali wifi injection patch for 6.12 kernels
+
+---
+ patches/kali-wifi-injection-6.12.patch | 117 +++++++++++++++++++++++++
+ 1 file changed, 117 insertions(+)
+ create mode 100644 patches/kali-wifi-injection-6.12.patch
+
+diff --git a/patches/kali-wifi-injection-6.12.patch b/patches/kali-wifi-injection-6.12.patch
+new file mode 100644
+index 00000000..7dc66fbd
+--- /dev/null
++++ b/patches/kali-wifi-injection-6.12.patch
+@@ -0,0 +1,117 @@
++--- a/net/mac80211/tx.c
+++++ b/net/mac80211/tx.c
++@@ -824,11 +824,19 @@ ieee80211_tx_h_sequence(struct ieee80211
++ 
++ 	/*
++ 	 * Packet injection may want to control the sequence
++-	 * number, if we have no matching interface then we
++-	 * neither assign one ourselves nor ask the driver to.
+++	 * number, so if an injected packet is found, skip
+++	 * renumbering it. Also make the packet NO_ACK to avoid
+++	 * excessive retries (ACKing and retrying should be
+++	 * handled by the injecting application).
+++	 * FIXME This may break hostapd and some other injectors.
+++	 * This should be done using a radiotap flag.
++ 	 */
++-	if (unlikely(info->control.vif->type == NL80211_IFTYPE_MONITOR))
+++	if (unlikely((info->flags & IEEE80211_TX_CTL_INJECTED) &&
+++	   !(tx->sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES))) {
+++		if (!ieee80211_has_morefrags(hdr->frame_control))
+++			info->flags |= IEEE80211_TX_CTL_NO_ACK;
++ 		return TX_CONTINUE;
+++	}
++ 
++ 	if (unlikely(ieee80211_is_ctl(hdr->frame_control)))
++ 		return TX_CONTINUE;
++@@ -2059,6 +2067,10 @@ void ieee80211_xmit(struct ieee80211_sub
++ 	}
++ 
++ 	ieee80211_set_qos_hdr(sdata, skb);
+++	// Don't overwrite QoS header in monitor mode
+++	if (likely(info->control.vif->type != NL80211_IFTYPE_MONITOR)) {
+++	    ieee80211_set_qos_hdr(sdata, skb);
+++	}
++ 	ieee80211_tx(sdata, sta, skb, false);
++ }
++ 
++--- a/net/wireless/chan.c
+++++ b/net/wireless/chan.c
++@@ -1582,8 +1582,10 @@ int cfg80211_set_monitor_channel(struct
++ {
++ 	if (!rdev->ops->set_monitor_channel)
++ 		return -EOPNOTSUPP;
++-	if (!cfg80211_has_monitors_only(rdev))
++-		return -EBUSY;
+++	// Always allow user to change channel, even if there is another normal
+++	// virtual interface using the device.
+++	//if (!cfg80211_has_monitors_only(rdev))
+++	//	return -EBUSY;
++ 
++ 	return rdev_set_monitor_channel(rdev, chandef);
++ }
++--- a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
+++++ b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
++@@ -229,14 +229,19 @@ void zd_mac_clear(struct zd_mac *mac)
++ static int set_rx_filter(struct zd_mac *mac)
++ {
++ 	unsigned long flags;
++-	u32 filter = STA_RX_FILTER;
+++	struct zd_ioreq32 ioreqs[] = {
+++		{CR_RX_FILTER, STA_RX_FILTER},
+++		{ CR_SNIFFER_ON, 0U },
+++	};
++ 
++ 	spin_lock_irqsave(&mac->lock, flags);
++-	if (mac->pass_ctrl)
++-		filter |= RX_FILTER_CTRL;
+++	if (mac->pass_ctrl) {
+++		ioreqs[0].value |= 0xFFFFFFFF;
+++		ioreqs[1].value = 0x1;
+++	}
++ 	spin_unlock_irqrestore(&mac->lock, flags);
++ 
++-	return zd_iowrite32(&mac->chip, CR_RX_FILTER, filter);
+++	return zd_iowrite32a(&mac->chip, ioreqs, ARRAY_SIZE(ioreqs));
++ }
++ 
++ static int set_mac_and_bssid(struct zd_mac *mac)
++@@ -1042,7 +1047,8 @@ int zd_mac_rx(struct ieee80211_hw *hw, c
++ 	/* Caller has to ensure that length >= sizeof(struct rx_status). */
++ 	status = (struct rx_status *)
++ 		(buffer + (length - sizeof(struct rx_status)));
++-	if (status->frame_status & ZD_RX_ERROR) {
+++	if ((status->frame_status & ZD_RX_ERROR) ||
+++		(status->frame_status & ~0x21)) {
++ 		if (mac->pass_failed_fcs &&
++ 				(status->frame_status & ZD_RX_CRC32_ERROR)) {
++ 			stats.flag |= RX_FLAG_FAILED_FCS_CRC;
++@@ -1391,7 +1397,7 @@ struct ieee80211_hw *zd_mac_alloc_hw(str
++ 	ieee80211_hw_set(hw, MFP_CAPABLE);
++ 	ieee80211_hw_set(hw, HOST_BROADCAST_PS_BUFFERING);
++ 	ieee80211_hw_set(hw, RX_INCLUDES_FCS);
++-	ieee80211_hw_set(hw, SIGNAL_UNSPEC);
+++	ieee80211_hw_set(hw, SIGNAL_DBM);
++ 
++ 	hw->wiphy->interface_modes =
++ 		BIT(NL80211_IFTYPE_MESH_POINT) |
++--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
++@@ -248,8 +248,17 @@ static void rtl8187_tx(struct ieee80211_
++ 	flags |= RTL818X_TX_DESC_FLAG_NO_ENC;
++ 
++ 	flags |= ieee80211_get_tx_rate(dev, info)->hw_value << 24;
+++
+++	// When this flag is set the firmware waits untill ALL fragments have
+++	// reached the USB device. Then it sends the first fragment and waits
+++	// for ACKS's. Of course in monitor mode it won't detect these ACK's.
++ 	if (ieee80211_has_morefrags(tx_hdr->frame_control))
++-		flags |= RTL818X_TX_DESC_FLAG_MOREFRAG;
+++	{
+++		// If info->control.vif is NULL it's most likely in monitor mode
+++		if (likely(info->control.vif != NULL && info->control.vif->type != NL80211_IFTYPE_MONITOR)) {
+++			flags |= RTL818X_TX_DESC_FLAG_MOREFRAG;
+++		}
+++	}
++ 
++ 	/* HW will perform RTS-CTS when only RTS flags is set.
++ 	 * HW will perform CTS-to-self when both RTS and CTS flags are set.
+-- 
+GitLab
+