From: syzbot <syzbot+b6ce23950fd636e6efb6@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] mac80211: don't encrypt pre-auth (ETH_P_PREAUTH) frames
Date: Sun, 12 Jul 2026 18:22:19 -0700 [thread overview]
Message-ID: <6a543dcb.574492cf.19a3b.0019.GAE@google.com> (raw)
In-Reply-To: <6a54082c.574492cf.19a3b.0015.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] mac80211: don't encrypt pre-auth (ETH_P_PREAUTH) frames
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Pre-authentication frames (ETH_P_PREAUTH, 0x88C7) are sent before
the authentication handshake completes with the target AP, so no
encryption key exists for them yet. Unlike normal EAPOL frames
(ETH_P_8021X, 0x888E) which are registered as the control port
protocol, pre-auth frames are not recognized as control port frames,
causing the kernel to incorrectly assign the current AP's key and
attempt encryption, resulting in a WARN_ON in ieee80211_encrypt_tx_skb
when the cipher is not handled.
Fix this by setting IEEE80211_TX_INTFL_DONT_ENCRYPT for pre-auth
frames in ieee80211_tx_h_check_control_port_protocol(), so that
key selection skips them and they are sent unencrypted as intended.
Reported-by: syzbot+b6ce23950fd636e6efb6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b6ce23950fd636e6efb6
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
net/mac80211/tx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c13b209fad47..b3acfd69380f 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -557,6 +557,9 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx)
info->flags |= IEEE80211_TX_CTL_USE_MINRATE;
}
+ if (tx->skb->protocol == htons(ETH_P_PREAUTH))
+ info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
+
return TX_CONTINUE;
}
--
2.43.0
next prev parent reply other threads:[~2026-07-13 1:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-12 21:33 [syzbot] [wireless?] WARNING in ieee80211_encrypt_tx_skb syzbot
2026-07-13 0:50 ` Forwarded: [PATCH] mac80211: debug print key cipher in ieee80211_tx_h_encrypt syzbot
2026-07-13 1:22 ` syzbot [this message]
2026-07-15 20:27 ` Forwarded: syzbot
2026-07-16 13:09 ` Forwarded: syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6a543dcb.574492cf.19a3b.0019.GAE@google.com \
--to=syzbot+b6ce23950fd636e6efb6@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.