[syzbot] [wireless?] WARNING in rate_control_rate_init (2)


syzbot

Jul 2, 2023, 11:15:59 AM
to da...@davemloft.net, edum...@google.com, joha...@sipsolutions.net, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, tr...@redhat.com
Hello,

syzbot found the following issue on:

HEAD commit: 6e2332e0ab53 Merge tag 'cgroup-for-6.5' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16e1c60b280000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8f24c1070268858
dashboard link: https://syzkaller.appspot.com/bug?extid=62d7eef57b09bfebcd84
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=171c0767280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10113ebd280000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-6e2332e0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5c6bc163c340/vmlinux-6e2332e0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f1e705993336/bzImage-6e2332e0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+62d7ee...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5126 at net/mac80211/rate.c:48 rate_control_rate_init+0x548/0x740 net/mac80211/rate.c:48
Modules linked in:
CPU: 0 PID: 5126 Comm: syz-executor279 Not tainted 6.4.0-syzkaller-01647-g6e2332e0ab53 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:rate_control_rate_init+0x548/0x740 net/mac80211/rate.c:48
Code: f7 48 c7 c2 00 84 7f 8b be 09 03 00 00 48 c7 c7 c0 83 7f 8b c6 05 f9 bc d6 04 01 e8 22 ac d6 f7 e9 d8 fd ff ff e8 a8 16 f6 f7 <0f> 0b e8 c1 32 83 00 31 ff 89 c3 89 c6 e8 b6 12 f6 f7 85 db 75 27
RSP: 0018:ffffc90003197280 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881070796c0 RCX: 0000000000000000
RDX: ffff88802a51cb80 RSI: ffffffff898db228 RDI: 0000000000000005
RBP: ffff8880255c0000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000000 R14: ffff888021f30de0 R15: ffff888032530000
FS: 000055555570f300(0000) GS:ffff88806b600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 000000001f594000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sta_apply_auth_flags.constprop.0+0x424/0x4a0 net/mac80211/cfg.c:1678
sta_apply_parameters+0xaf8/0x16f0 net/mac80211/cfg.c:2005
ieee80211_add_station+0x3d0/0x620 net/mac80211/cfg.c:2070
rdev_add_station net/wireless/rdev-ops.h:201 [inline]
nl80211_new_station+0x1258/0x1b20 net/wireless/nl80211.c:7564
genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2546
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1913
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0xde/0x190 net/socket.c:748
____sys_sendmsg+0x722/0x900 net/socket.c:2504
___sys_sendmsg+0x110/0x1b0 net/socket.c:2558
__sys_sendmsg+0xf7/0x1c0 net/socket.c:2587
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc033504a69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe0868f2d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000ae5a RCX: 00007fc033504a69
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 0000000000000000 R08: 00007ffe0868f478 R09: 00007ffe0868f478
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe0868f2ec
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Nov 28, 2023, 6:57:06 PM
to da...@davemloft.net, edum...@google.com, johann...@intel.com, joha...@sipsolutions.net, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, tr...@redhat.com
syzbot has bisected this issue to:

commit b303835dabe0340f932ebb4e260d2229f79b0684
Author: Johannes Berg <johann...@intel.com>
Date: Sat Jul 23 20:08:49 2022 +0000

wifi: mac80211: accept STA changes without link changes

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=125a86dce80000
start commit: a214724554ae Merge tag 'wireless-next-2023-11-27' of git:/..
git tree: net-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=115a86dce80000
console output: https://syzkaller.appspot.com/x/log.txt?x=165a86dce80000
kernel config: https://syzkaller.appspot.com/x/.config?x=abf6d5a82dab01fe
dashboard link: https://syzkaller.appspot.com/bug?extid=62d7eef57b09bfebcd84
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a4fc64e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1363b22ce80000

Reported-by: syzbot+62d7ee...@syzkaller.appspotmail.com
Fixes: b303835dabe0 ("wifi: mac80211: accept STA changes without link changes")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Edward Adam Davis

Nov 28, 2023, 10:00:59 PM
to syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test WARNING in rate_control_rate_init

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6e2332e0ab53

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 606b1b2e4123..13d52452a124 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1796,7 +1796,7 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
!params->supported_rates_len &&
!params->ht_capa && !params->vht_capa &&
!params->he_capa && !params->eht_capa &&
- !params->opmode_notif_used)
+ !params->opmode_notif_used && 0)
return 0;

if (!link || !link_sta)
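Review bot: the `&& 0` appended to `!params->opmode_notif_used && 0)` makes the no-changes early return unreachable, so this hunk is a probe rather than a candidate fix: it shows that forcing execution past that return avoids the warning, but not which of the checks that follow (`if (!link || !link_sta)` or the sband lookup) is the one that rejects the reproducer's request. A second test run with only the early return removed and the later checks intact would tell those two cases apart.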
@@ -1817,6 +1817,7 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
} else if (new_link) {
return -EINVAL;
}
+ printk("b, %p \n", rcu_access_pointer(sdata->vif.bss_conf.chanctx_conf));

if (params->txpwr_set) {
link_sta->pub->txpwr.type = params->txpwr.type;
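Review bot: `printk("b, %p \n", rcu_access_pointer(...))` has no KERN_ level and `%p` prints a hashed pointer, so the output only distinguishes NULL from non-NULL; that is enough for a throwaway probe of `sdata->vif.bss_conf.chanctx_conf`, but the stray space before `\n` and the missing level (or `pr_debug()`) would need cleaning up if any of this were meant to stay.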
@@ -1868,6 +1869,7 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
params->opmode_notif,
sband->band);
}
+ printk("e, %p \n", rcu_access_pointer(sdata->vif.bss_conf.chanctx_conf));

return ret;
}
@@ -1982,6 +1984,10 @@ static int sta_apply_parameters(struct ieee80211_local *local,
if (params->listen_interval >= 0)
sta->listen_interval = params->listen_interval;

+ printk("b, stp: %d, sa: %d, src: %d\n",
+ test_sta_flag(sta, WLAN_STA_TDLS_PEER),
+ test_sta_flag(sta, WLAN_STA_ASSOC),
+ test_sta_flag(sta, WLAN_STA_RATE_CONTROL));
ret = sta_link_apply_parameters(local, sta, false,
&params->link_sta_params);
if (ret)
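Review bot: this "b" print samples WLAN_STA_TDLS_PEER, WLAN_STA_ASSOC and WLAN_STA_RATE_CONTROL before `sta_link_apply_parameters()` runs, but the warning is raised from `sta_apply_auth_flags()` (cfg.c:1678 in the report), which executes later in `sta_apply_parameters()`; the flag state that matters is the one at the moment `rate_control_rate_init()` is reached, so the later "a" print carries the useful information and this one mostly adds log noise.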
@@ -1996,6 +2002,10 @@ static int sta_apply_parameters(struct ieee80211_local *local,
if (params->airtime_weight)
sta->airtime_weight = params->airtime_weight;

+ printk("a, stp: %d, sa: %d, src: %d\n",
+ test_sta_flag(sta, WLAN_STA_TDLS_PEER),
+ test_sta_flag(sta, WLAN_STA_ASSOC),
+ test_sta_flag(sta, WLAN_STA_RATE_CONTROL));
/* set the STA state after all sta info from usermode has been set */
if (test_sta_flag(sta, WLAN_STA_TDLS_PEER) ||
set & BIT(NL80211_STA_FLAG_ASSOCIATED)) {
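Review bot: the "a" print sits directly before the state-change block gated on `test_sta_flag(sta, WLAN_STA_TDLS_PEER) || set & BIT(NL80211_STA_FLAG_ASSOCIATED)`, which is the path that ends in rate_control_rate_init; printing `set` and `params->link_sta_params.link_id` next to the three flags would show directly whether the request arrived with no link_id and no link parameters, i.e. whether the no-changes early return in `sta_link_apply_parameters()` was taken.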

syzbot

Nov 28, 2023, 10:43:12 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+62d7ee...@syzkaller.appspotmail.com

Tested on:

commit: 6e2332e0 Merge tag 'cgroup-for-6.5' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11250ac2e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=102b18358d5797d8
dashboard link: https://syzkaller.appspot.com/bug?extid=62d7eef57b09bfebcd84
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1751b70ce80000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

Nov 28, 2023, 10:59:27 PM
to syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test WARNING in rate_control_rate_init

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6e2332e0ab53

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 606b1b2e4123..e97ed85b7723 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1787,22 +1787,12 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
rcu_dereference_protected(sta->link[link_id],
lockdep_is_held(&local->hw.wiphy->mtx));

- /*
- * If there are no changes, then accept a link that doesn't exist,
- * unless it's a new link.
- */
- if (params->link_id < 0 && !new_link &&
- !params->link_mac && !params->txpwr_set &&
- !params->supported_rates_len &&
- !params->ht_capa && !params->vht_capa &&
- !params->he_capa && !params->eht_capa &&
- !params->opmode_notif_used)
- return 0;
-
+ printk("%p, %p, %d\n", link, link_sta, new_link);
if (!link || !link_sta)
return -EINVAL;

sband = ieee80211_get_link_sband(link);
+ printk("%p\n", sband);
if (!sband)
return -EINVAL;

@@ -1812,11 +1802,23 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
memcpy(link_sta->pub->addr, params->link_mac, ETH_ALEN);
} else if (!ether_addr_equal(link_sta->addr,
params->link_mac)) {
+ printk("%s\n", __func__);
return -EINVAL;
}
} else if (new_link) {
return -EINVAL;
}
+ /*
+ * If there are no changes, then accept a link that doesn't exist,
+ * unless it's a new link.
+ */
+ if (params->link_id < 0 && !new_link &&
+ !params->link_mac && !params->txpwr_set &&
+ !params->supported_rates_len &&
+ !params->ht_capa && !params->vht_capa &&
+ !params->he_capa && !params->eht_capa &&
+ !params->opmode_notif_used)
+ return 0;

if (params->txpwr_set) {
link_sta->pub->txpwr.type = params->txpwr.type;
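Review bot: the relocated comment "If there are no changes, then accept a link that doesn't exist" no longer describes the code, since `if (!link || !link_sta) return -EINVAL;` has already rejected an absent link before this point; if this ordering is kept, the comment should say that a no-change update is accepted only for an existing link.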
@@ -1982,6 +1985,10 @@ static int sta_apply_parameters(struct ieee80211_local *local,
if (params->listen_interval >= 0)
sta->listen_interval = params->listen_interval;

+ printk("b, stp: %d, sa: %d, src: %d\n",
+ test_sta_flag(sta, WLAN_STA_TDLS_PEER),
+ test_sta_flag(sta, WLAN_STA_ASSOC),
+ test_sta_flag(sta, WLAN_STA_RATE_CONTROL));
ret = sta_link_apply_parameters(local, sta, false,
&params->link_sta_params);
if (ret)
@@ -1996,6 +2003,10 @@ static int sta_apply_parameters(struct ieee80211_local *local,

syzbot

Nov 28, 2023, 11:40:08 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+62d7ee...@syzkaller.appspotmail.com

Tested on:

commit: 6e2332e0 Merge tag 'cgroup-for-6.5' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11050a52e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=102b18358d5797d8
dashboard link: https://syzkaller.appspot.com/bug?extid=62d7eef57b09bfebcd84
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17139952e80000

Edward Adam Davis

Nov 29, 2023, 12:48:56 AM
to syzbot+62d7ee...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, joha...@sipsolutions.net, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, tr...@redhat.com
[Syz report]
WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Modules linked in:
CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3
RSP: 0018:ffffc90003c57248 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519
RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005
RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001
R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000
FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674
sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002
ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068
rdev_add_station net/wireless/rdev-ops.h:201 [inline]
nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603
genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

[Analysis]
When ieee80211_get_link_sband() fails to find a valid sband and first checks
for params in sta_link_apply_parameters(), it will return 0 due to new_link
being 0, which will lead to an incorrect process after sta_apply_parameters().

[Fix]
First obtain sband and perform a non-null check before checking the params.

Fixes: b303835dabe0 ("wifi: mac80211: accept STA changes without link changes")
Reported-and-tested-by: syzbot+62d7ee...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
net/mac80211/cfg.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 606b1b2e4123..8012dcdbcb5f 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1787,6 +1787,13 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
rcu_dereference_protected(sta->link[link_id],
lockdep_is_held(&local->hw.wiphy->mtx));

+ if (!link || !link_sta)
+ return -EINVAL;
+
+ sband = ieee80211_get_link_sband(link);
+ if (!sband)
+ return -EINVAL;
+
/*
* If there are no changes, then accept a link that doesn't exist,
* unless it's a new link.
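Review bot: with `if (!link || !link_sta) return -EINVAL;` and the `ieee80211_get_link_sband(link)` check hoisted above it, the retained comment "accept a link that doesn't exist" is no longer true; the early return now fires only for an existing link with a valid sband, and a no-change update for a station whose link is absent fails with -EINVAL instead of succeeding. That is a change to the behaviour b303835dabe0 ("wifi: mac80211: accept STA changes without link changes") added, so it belongs in the commit message, and the comment should be rewritten or dropped.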
@@ -1799,13 +1806,6 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
!params->opmode_notif_used)
return 0;

- if (!link || !link_sta)
- return -EINVAL;
-
- sband = ieee80211_get_link_sband(link);
- if (!sband)
- return -EINVAL;
-
if (params->link_mac) {
if (new_link) {
memcpy(link_sta->addr, params->link_mac, ETH_ALEN);
--
2.43.0

Johannes Berg

Nov 29, 2023, 1:57:18 AM
to Edward Adam Davis, syzbot+62d7ee...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, tr...@redhat.com
On Wed, 2023-11-29 at 13:48 +0800, Edward Adam Davis wrote:
>
> [Analysis]
> When ieee80211_get_link_sband() fails to find a valid sband and first checks
> for params in sta_link_apply_parameters(), it will return 0 due to new_link
> being 0, which will lead to an incorrect process after sta_apply_parameters().
>
> [Fix]
> First obtain sband and perform a non null check before checking the params.

Not sure I can even disagree with that analysis, it seems right, but ...

> + if (!link || !link_sta)
> + return -EINVAL;
> +
> + sband = ieee80211_get_link_sband(link);
> + if (!sband)
> + return -EINVAL;
> +
> /*
> * If there are no changes, then accept a link that doesn't exist,
> * unless it's a new link.

There's a comment here which is clearly not true after this change,
since you've already returned for !link_sta?

johannes

Edward Adam Davis

Nov 29, 2023, 3:18:37 AM
to joha...@sipsolutions.net, da...@davemloft.net, ead...@qq.com, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, tr...@redhat.com
No, after applying my patch, it will return due to !sband.

Edward

Johannes Berg

Nov 29, 2023, 3:33:35 AM
to Edward Adam Davis, da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, tr...@redhat.com
Right, OK, but the way I read the comment (now) is that it wanted to
accept it in that case?

That said, I just threw the patch into our internal testing machinery
quickly (probably has more MLO tests than upstream hostap for now), and
it worked just fine ...

Maybe we should just remove the comment?

johannes

Edward Adam Davis

Nov 29, 2023, 3:55:04 AM
to joha...@sipsolutions.net, da...@davemloft.net, ead...@qq.com, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, tr...@redhat.com
Do you mean to delete the comments below?
/*
 * If there are no changes, then accept a link that doesn't exist,
 * unless it's a new link.
 */

Edward

Johannes Berg

Nov 29, 2023, 4:15:14 AM
to Edward Adam Davis, da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, tr...@redhat.com
Right, it doesn't seem correct any more?

johannes

Edward Adam Davis

Nov 29, 2023, 6:04:40 AM
to syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test WARNING in rate_control_rate_init

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6e2332e0ab53

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 606b1b2e4123..d0b5a5dd7410 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1788,10 +1788,10 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
lockdep_is_held(&local->hw.wiphy->mtx));

/*
- * If there are no changes, then accept a link that doesn't exist,
+ * If there are no changes, then accept a link that exist,
* unless it's a new link.
*/
- if (params->link_id < 0 && !new_link &&
+ if ((sta->sta.valid_links & BIT(params->link_id)) && !new_link &&
!params->link_mac && !params->txpwr_set &&
!params->supported_rates_len &&
!params->ht_capa && !params->vht_capa &&
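Review bot: `(sta->sta.valid_links & BIT(params->link_id))` is evaluated without first checking `params->link_id >= 0`, and link_id is -1 when user space supplied no link, so BIT() shifts by a negative count; that is undefined behaviour in C, and it is exactly what syzbot's UBSAN shift-out-of-bounds report ("shift exponent -1 is negative" at cfg.c:1798:30) flags for this patch. Test `params->link_id >= 0` before forming the mask, and note that the new comment "accept a link that exist" should read "exists".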
--
2.43.0

syzbot

Nov 29, 2023, 6:19:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: shift-out-of-bounds in sta_link_apply_parameters

================================================================================
UBSAN: shift-out-of-bounds in net/mac80211/cfg.c:1798:30
shift exponent -1 is negative
CPU: 1 PID: 5418 Comm: syz-executor.0 Not tainted 6.4.0-syzkaller-01647-g6e2332e0ab53-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_shift_out_of_bounds+0x2a6/0x480 lib/ubsan.c:387
sta_link_apply_parameters.cold+0x1a/0x1f net/mac80211/cfg.c:1798
sta_apply_parameters+0x87d/0x16b0 net/mac80211/cfg.c:1988
ieee80211_add_station+0x3ca/0x610 net/mac80211/cfg.c:2070
rdev_add_station net/wireless/rdev-ops.h:201 [inline]
nl80211_new_station+0x13e8/0x1af0 net/wireless/nl80211.c:7564
genl_family_rcv_msg_doit.isra.0+0x1ef/0x2d0 net/netlink/genetlink.c:968
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x559/0x800 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2546
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x93c/0xe30 net/netlink/af_netlink.c:1913
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:748
____sys_sendmsg+0x69f/0x950 net/socket.c:2504
___sys_sendmsg+0x135/0x1d0 net/socket.c:2558
__sys_sendmsg+0x117/0x1e0 net/socket.c:2587
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f084287cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f084350a0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f084299bf80 RCX: 00007f084287cae9
RDX: 0000000000000000 RSI: 00000000200004c0 RDI: 0000000000000004
RBP: 00007f08428c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f084299bf80 R15: 00007ffe7b058668
</TASK>
================================================================================


Tested on:

commit: 6e2332e0 Merge tag 'cgroup-for-6.5' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1250b438e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=102b18358d5797d8
dashboard link: https://syzkaller.appspot.com/bug?extid=62d7eef57b09bfebcd84
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13b51b78e80000
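The UBSAN report above comes from evaluating BIT(params->link_id) while link_id is -1, the value nl80211 uses for "no link specified". As an added example, not code from this thread or from mac80211, here is a user-space C model of a per-link bitmask test that is guarded against a signed, possibly negative index. The struct, the enum and the function names are assumptions for illustration only, and MLD_MAX_NUM_LINKS is assumed to match the kernel's IEEE80211_MLD_MAX_NUM_LINKS of 15.

```c
/* Added example, not mac80211 code: test a per-link bitmask safely when
 * the link index is a signed value that may be -1 ("no link specified"). */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed to match the kernel's IEEE80211_MLD_MAX_NUM_LINKS. */
#define MLD_MAX_NUM_LINKS 15

/* Hypothetical stand-in for the fields the check consumes. */
struct sta_link_view {
	uint16_t valid_links;   /* bit i set when link i exists */
};

/* True only when link_id can legally be used as a shift count. */
static bool link_id_in_range(int link_id)
{
	return link_id >= 0 && link_id < MLD_MAX_NUM_LINKS;
}

/* Unsafe form, shown for contrast only (do not use):
 *   return sta->valid_links & (1u << link_id);
 * With link_id == -1 the shift exponent is negative, which is undefined
 * behaviour in C and is what UBSAN reported above. */

static bool link_exists(const struct sta_link_view *sta, int link_id)
{
	if (!link_id_in_range(link_id))
		return false;
	return (sta->valid_links & (1u << link_id)) != 0;
}

/* Keep "no link specified" distinct from "link specified but absent",
 * since the two cases deserve different handling in a no-changes path. */
enum link_check {
	LINK_NONE_SPECIFIED,  /* link_id < 0 */
	LINK_PRESENT,
	LINK_ABSENT,
	LINK_ID_INVALID,      /* out of range, would have been UB as a shift */
};

static enum link_check classify_link(const struct sta_link_view *sta, int link_id)
{
	if (link_id < 0)
		return LINK_NONE_SPECIFIED;
	if (!link_id_in_range(link_id))
		return LINK_ID_INVALID;
	return link_exists(sta, link_id) ? LINK_PRESENT : LINK_ABSENT;
}

int main(void)
{
	/* Constructed sample: an MLD station with links 0 and 2 present. */
	struct sta_link_view sta = { .valid_links = (1u << 0) | (1u << 2) };
	const int ids[] = { -1, 0, 1, 2, 14, 15, 40 };
	static const char *names[] = {
		"none-specified", "present", "absent", "invalid-id"
	};

	for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
		printf("link_id %3d -> %s\n", ids[i],
		       names[classify_link(&sta, ids[i])]);
	return 0;
}
```

The range check runs before the shift in every path, so the mask is never formed from a negative or oversized exponent; classify_link() is where a caller would decide whether a no-change request with no link_id is accepted outright or routed through the existence check.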

Edward Adam Davis

Nov 29, 2023, 6:26:34 AM
to syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test WARNING in rate_control_rate_init

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6e2332e0ab53

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 606b1b2e4123..d0b5a5dd7410 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1788,10 +1788,10 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
lockdep_is_held(&local->hw.wiphy->mtx));

/*
- * If there are no changes, then accept a link that doesn't exist,
+ * If there are no changes, then accept a link that exist,
* unless it's a new link.
*/
- if (params->link_id < 0 && !new_link &&
+ if (params->link_id >= 0 && !new_link &&
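Review bot: inverting the test to `params->link_id >= 0 && !new_link && ...` means a request with no link_id and no link parameters now falls through to the `if (!link || !link_sta)` check seen in the earlier patches, which is the case b303835dabe0 ("wifi: mac80211: accept STA changes without link changes") was written to accept; conversely, a request that names a link_id but changes nothing returns 0 without checking that the link exists, so the rewritten comment "accept a link that exist" does not match that path either. State the intended result for both cases in the commit message, and fix "exist" to "exists".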

syzbot

Nov 29, 2023, 7:02:08 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+62d7ee...@syzkaller.appspotmail.com

Tested on:

commit: 6e2332e0 Merge tag 'cgroup-for-6.5' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1109b70ce80000
kernel config: https://syzkaller.appspot.com/x/.config?x=102b18358d5797d8
dashboard link: https://syzkaller.appspot.com/bug?extid=62d7eef57b09bfebcd84
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10c686dce80000

Edward Adam Davis

Nov 29, 2023, 7:18:09 AM
to joha...@sipsolutions.net, da...@davemloft.net, ead...@qq.com, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, ll...@lists.linux.dev, nat...@kernel.org, ndesau...@google.com, net...@vger.kernel.org, pab...@redhat.com, syzbot+62d7ee...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, tr...@redhat.com
[Syz report]
WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Modules linked in:
CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3
RSP: 0018:ffffc90003c57248 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519
RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005
RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001
R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000
FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674
sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002
ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068
rdev_add_station net/wireless/rdev-ops.h:201 [inline]
nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603
genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

[Analysis]
It is inappropriate to make a link configuration change judgment on a
non-existent and non-new link.

[Fix]
Quickly exit when there is an existing link and the link configuration has not
changed.

Fixes: b303835dabe0 ("wifi: mac80211: accept STA changes without link changes")
Reported-and-tested-by: syzbot+62d7ee...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
net/mac80211/cfg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 606b1b2e4123..d0b5a5dd7410 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1788,10 +1788,10 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
lockdep_is_held(&local->hw.wiphy->mtx));

/*
- * If there are no changes, then accept a link that doesn't exist,
+ * If there are no changes, then accept a link that exist,
* unless it's a new link.
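Review bot: the hunk is cut off after the comment change in this copy of the message; the complete version is the one sent in the preceding #syz test request. Note also that the "[Fix]" text "Quickly exit when there is an existing link" overstates what the condition tested there, `params->link_id >= 0`, actually checks, which is only that user space supplied a link_id, not that the link exists.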