Hello,
syzbot found the following issue on:
HEAD commit: b85966adbf5d Merge tag 'net-next-7.2' of git://git.kernel...
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16143766580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9a9f723a32776544
dashboard link: https://syzkaller.appspot.com/bug?extid=abff43d2d045e37c0bb2
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
CC: [joha...@sipsolutions.net linux-...@vger.kernel.org linux-w...@vger.kernel.org net...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d65306d96573/disk-b85966ad.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ef43139aab0e/vmlinux-b85966ad.xz
kernel image: https://storage.googleapis.com/syzbot-assets/26d4d1ab67c3/bzImage-b85966ad.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+abff43...@syzkaller.appspotmail.com
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
Oops: general protection fault, probably for non-canonical address 0xdffffc000000069f: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x00000000000034f8-0x00000000000034ff]
CPU: 0 UID: 0 PID: 7823 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:__ieee80211_get_radio_mask+0xa1/0x420 net/mac80211/util.c:4225
Code: 04 00 00 00 00 eb 1e e8 ed 06 9f f6 49 89 de 49 83 fc 0e 0f 84 71 03 00 00 e8 db 06 9f f6 48 83 c5 08 49 ff c4 48 8b 44 24 30 <42> 0f b6 04 38 84 c0 0f 85 f6 02 00 00 48 8b 44 24 08 44 0f b7 28
RSP: 0018:ffffc90003636fb8 EFLAGS: 00010202
RAX: 000000000000069f RBX: 0000000000000ec0 RCX: ffff8880276f8000
RDX: 0000000000000330 RSI: 0000000000000000 RDI: 0000000000000ec0
RBP: 0000000000003480 R08: ffff888079520ad7 R09: 1ffff1100f2a415a
R10: dffffc0000000000 R11: ffffffff8b26ee80 R12: 0000000000000000
R13: ffff888079520020 R14: 0000000000000ed0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88812527c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000001d4000 CR3: 0000000052412000 CR4: 00000000003526f0
Call Trace:
<TASK>
rdev_get_radio_mask net/wireless/rdev-ops.h:1605 [inline]
cfg80211_calculate_bi_data net/wireless/util.c:2431 [inline]
cfg80211_iter_combinations+0x260/0x1c90 net/wireless/util.c:2504
ieee80211_max_num_channels+0x186/0x250 net/mac80211/util.c:4389
ieee80211_can_create_new_chanctx+0x1df/0x270 net/mac80211/chan.c:256
ieee80211_find_available_radio net/mac80211/chan.c:1529 [inline]
ieee80211_find_or_create_chanctx+0x4e2/0x7b0 net/mac80211/chan.c:2208
_ieee80211_link_use_channel+0x4fd/0xcb0 net/mac80211/chan.c:2319
ieee80211_link_use_channel net/mac80211/ieee80211_i.h:2823 [inline]
__ieee80211_sta_join_ibss+0x6a4/0x1660 net/mac80211/ibss.c:292
ieee80211_sta_create_ibss+0x300/0x480 net/mac80211/ibss.c:1286
ieee80211_sta_find_ibss net/mac80211/ibss.c:1415 [inline]
ieee80211_ibss_work+0xd99/0x1060 net/mac80211/ibss.c:1636
cfg80211_wiphy_work+0x29e/0x420 net/wireless/core.c:538
process_one_work kernel/workqueue.c:3314 [inline]
process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3397
worker_thread+0xa47/0xfb0 kernel/workqueue.c:3478
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__ieee80211_get_radio_mask+0xa1/0x420 net/mac80211/util.c:4225
Code: 04 00 00 00 00 eb 1e e8 ed 06 9f f6 49 89 de 49 83 fc 0e 0f 84 71 03 00 00 e8 db 06 9f f6 48 83 c5 08 49 ff c4 48 8b 44 24 30 <42> 0f b6 04 38 84 c0 0f 85 f6 02 00 00 48 8b 44 24 08 44 0f b7 28
RSP: 0018:ffffc90003636fb8 EFLAGS: 00010202
RAX: 000000000000069f RBX: 0000000000000ec0 RCX: ffff8880276f8000
RDX: 0000000000000330 RSI: 0000000000000000 RDI: 0000000000000ec0
RBP: 0000000000003480 R08: ffff888079520ad7 R09: 1ffff1100f2a415a
R10: dffffc0000000000 R11: ffffffff8b26ee80 R12: 0000000000000000
R13: ffff888079520020 R14: 0000000000000ed0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88812527c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000004f9000 CR3: 0000000084fec000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: eb 1e jmp 0x24
6: e8 ed 06 9f f6 call 0xf69f06f8
b: 49 89 de mov %rbx,%r14
e: 49 83 fc 0e cmp $0xe,%r12
12: 0f 84 71 03 00 00 je 0x389
18: e8 db 06 9f f6 call 0xf69f06f8
1d: 48 83 c5 08 add $0x8,%rbp
21: 49 ff c4 inc %r12
24: 48 8b 44 24 30 mov 0x30(%rsp),%rax
* 29: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 f6 02 00 00 jne 0x32c
36: 48 8b 44 24 08 mov 0x8(%rsp),%rax
3b: 44 0f b7 28 movzwl (%rax),%r13d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup