* [PATCH RFC] wifi: mac80211: fix rate control warnings and out-of-bounds access
@ 2026-06-24 12:37 syzbot
  0 siblings, 0 replies; only message in thread
From: syzbot @ 2026-06-24 12:37 UTC
  To: syzkaller-upstream-moderation; +Cc: syzbot

A warning in __rate_control_send_low() can be triggered when no supported
transmission rate is found for a frame. This condition is fully reachable
from user space by providing conflicting configurations, such as requesting
a non-CCK rate for a station that only supports CCK rates, or creating a
station with no supported rates.

WARNING: net/mac80211/rate.c:406 at __rate_control_send_low+0x524/0x800
net/mac80211/rate.c:401
...
Call Trace:
 rate_control_send_low+0xf9/0x7b0 net/mac80211/rate.c:429
 rate_control_get_rate+0x20b/0x5d0 net/mac80211/rate.c:943
 ieee80211_tx_h_rate_ctrl+0xafa/0x1760 net/mac80211/tx.c:764
 invoke_tx_handlers_late+0xb5/0x1830 net/mac80211/tx.c:1859
 ieee80211_tx+0x2d7/0x4b0 net/mac80211/tx.c:1983
 __ieee80211_tx_skb_tid_band+0x50f/0x680 net/mac80211/tx.c:6371
 ieee80211_tx_skb_tid_band net/mac80211/ieee80211_i.h:2456 [inline]
 ieee80211_send_scan_probe_req net/mac80211/scan.c:685 [inline]
 ieee80211_scan_state_send_probe+0x5b3/0xa00 net/mac80211/scan.c:713
 ieee80211_scan_work+0x488/0x1ab0 net/mac80211/scan.c:1174

Since WARN_ONCE must not be used for conditions that can legitimately
happen, and proper logging should be used instead, this is downgraded to a
wiphy_dbg message. The code already safely falls back to the lowest rate.

While investigating, a secondary bug was found. If a driver calls
ieee80211_get_tx_rates() with a custom dest array and dest[0].idx < 0,
__rate_control_send_low() updates info->control.rates[0].idx but does not
update dest[0].idx. Consequently, dest[0].idx remains < 0, leading to an
out-of-bounds array access when rate_fixup_ratelist() is subsequently
called. This is fixed by copying the updated rate back to dest if dest !=
info->control.rates.

Additionally, a WARN in ieee80211_tx_h_rate_ctrl() can be triggered when a
frame is sent to an associated station while scanning, but the station has
no usable bitrates on the current band. This is also user-triggerable by
scanning on a band where the target station has no supported rates. This
warning is similarly downgraded to a wiphy_dbg message, while keeping the
existing behavior of dropping the frame.

Fixes: 2103dec14792 ("mac80211: select and adjust bitrates according to channel mode")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
Reported-by: syzbot+34463a129786910405dd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=34463a129786910405dd
Link: https://syzkaller.appspot.com/ai_job?id=e8a36bfc-63cc-4c4b-922c-20a8151f983a
To: "Johannes Berg" <johannes@sipsolutions.net>
To: <linux-wireless@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>

---
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index 31af7dd6a..1a9f9b3a7 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -398,12 +398,13 @@ static void __rate_control_send_low(struct ieee80211_hw *hw,
 		info->control.rates[0].idx = i;
 		break;
 	}
-	WARN_ONCE(i == sband->n_bitrates,
-		  "no supported rates for sta %pM (0x%x, band %d) in rate_mask 0x%x with flags 0x%x\n",
-		  sta ? sta->addr : NULL,
-		  sta ? sta->deflink.supp_rates[sband->band] : -1,
-		  sband->band,
-		  rate_mask, rate_flags);
+	if (i == sband->n_bitrates)
+		wiphy_dbg(
+			hw->wiphy,
+			"no supported rates for sta %pM (0x%x, band %d) in rate_mask 0x%x with flags 0x%x\n",
+			sta ? sta->addr : NULL,
+			sta ? sta->deflink.supp_rates[sband->band] : -1,
+			sband->band, rate_mask, rate_flags);
 
 	info->control.rates[0].count =
 		(info->flags & IEEE80211_TX_CTL_NO_ACK) ?
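Review bot: the commit message says the code "already safely falls back to the lowest rate" when the loop finds nothing, but this hunk only shows the loop's `info->control.rates[0].idx = i;` and the new `if (i == sband->n_bitrates)`; the preset that makes the fallback safe lies outside the shown context, so either cite it in the commit message or put a one-line comment beside the new `if` saying idx keeps its preset value on this path, so the downgrade from WARN_ONCE can be reviewed from the diff alone. Style: `wiphy_dbg(` on a line by itself, with `hw->wiphy,` pushed to the next line, departs from the WARN_ONCE it replaces, which keeps the first argument on the call line and aligns the rest under the opening parenthesis; `wiphy_dbg(hw->wiphy,` with the format string aligned beneath it would match the rest of the file.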
@@ -915,9 +916,12 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif,
 	if (!(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK))
 		mask = sdata->rc_rateidx_mask[info->band];
 
-	if (dest[0].idx < 0)
+	if (dest[0].idx < 0) {
 		__rate_control_send_low(&sdata->local->hw, sband, sta, info,
 					mask);
+		if (dest != info->control.rates)
+			dest[0] = info->control.rates[0];
+	}
 
 	if (sta)
 		rate_fixup_ratelist(vif, sband, info, dest, max_rates);
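Review bot: this hunk fixes a different bug from the WARN_ONCE downgrade above (a stale dest[0].idx feeding rate_fixup_ratelist(), per the commit message) and would normally be its own patch with its own Fixes tag; the report carries a trace only for the WARNING at rate.c:406 and no reproducer for the out-of-bounds read, so splitting would also make clear that the second fix rests on code inspection. On the change itself, copying the whole struct with `dest[0] = info->control.rates[0];` rather than only `.idx` is right, since __rate_control_send_low() also sets `.count` (visible in the previous hunk); note that the call still writes info->control.rates[0] as a side effect even when the driver supplied its own dest, which is pre-existing but deserves a sentence in the message.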
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index ea7f63e1f..1a0a9333a 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -747,15 +747,17 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx)
 	 * Lets not bother rate control if we're associated and cannot
 	 * talk to the sta. This should not happen.
 	 */
-	if (WARN(test_bit(SCAN_SW_SCANNING, &tx->local->scanning) && assoc &&
-		 !rate_usable_index_exists(sband, &tx->sta->sta),
-		 "%s: Dropped data frame as no usable bitrate found while "
-		 "scanning and associated. Target station: "
-		 "%pM on %d GHz band\n",
-		 tx->sdata->name,
-		 encap ? ((struct ethhdr *)hdr)->h_dest : hdr->addr1,
-		 info->band ? 5 : 2))
+	if (unlikely(test_bit(SCAN_SW_SCANNING, &tx->local->scanning) &&
+		     assoc &&
+		     !rate_usable_index_exists(sband, &tx->sta->sta))) {
+		wiphy_dbg(
+			tx->local->hw.wiphy,
+			"%s: Dropped data frame as no usable bitrate found while scanning and associated. Target station: %pM on %d GHz band\n",
+			tx->sdata->name,
+			encap ? ((struct ethhdr *)hdr)->h_dest : hdr->addr1,
+			info->band ? 5 : 2);
 		return TX_DROP;
+	}
 
 	/*
 	 * If we're associated with the sta at this point we know we can at
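Review bot: the comment kept just above the new test, `talk to the sta. This should not happen.`, now contradicts the commit message, which argues the condition is reachable from user space by scanning on a band where the station has no rates; since the WARN is being dropped for exactly that reason, the comment should be updated in the same hunk. Also, since the message string is being rewritten anyway, `info->band ? 5 : 2` mislabels every band other than 2 GHz and 5 GHz (the nl80211 band enum also has non-zero 60 GHz and 6 GHz values, so those print as "5 GHz"); printing the band index itself, or a frequency taken from sband, would make the debug line accurate.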


base-commit: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
-- 
This is an AI-generated patch subject to moderation.
Reply with '#syz upstream' to Sign-off the patch as a human author
and send it to the upstream kernel mailing lists.
Reply with '#syz reject' to reject it ('#syz unreject' to undo).

See https://goo.gle/syzbot-ai-patches for information about AI-generated patches.
You can comment on the patch as usual, syzbot will try to address
the comments and send a new version of the patch if necessary.
syzbot engineers can be reached at syzkaller@googlegroups.com.
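The no-rate-found fallback from the first paragraph of the commit message and the dest/info->control.rates mismatch from the ieee80211_get_tx_rates() paragraph, as an added C example that is not code from the patch, from syzbot or from mac80211. It is a reduced model: the model_ functions, the RATE_ERP_G and TX_NO_CCK stand-ins, the eight-entry rate table and the supp_rates/rate_mask values are all constructed for the example, and the real kernel functions take different arguments. The fixup stand-in returns -1 where the kernel would read before the bitrate array.

```c
/* Added example, not code from the patch, syzbot or mac80211: a reduced model
 * of the two paths the commit message describes. Every "model_" name, both
 * flag constants, the rate table and the masks are constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>

#define BIT(n)      (1u << (n))
#define N_BITRATES  8
#define RATE_ERP_G  0x1  /* stand-in for IEEE80211_RATE_ERP_G: marks OFDM rates */
#define TX_NO_CCK   0x1  /* stand-in for IEEE80211_TX_CTL_NO_CCK_RATE */

struct model_bitrate { int bitrate_100kbps; uint32_t flags; };
struct model_tx_rate { int8_t idx; uint8_t count; };
struct model_tx_info { uint32_t flags; struct model_tx_rate rates[4]; };

/* Constructed 2.4 GHz band table: indices 0-3 are CCK, 4-7 are OFDM. */
static const struct model_bitrate bitrates[N_BITRATES] = {
	{ 10, 0 }, { 20, 0 }, { 55, 0 }, { 110, 0 },
	{ 60, RATE_ERP_G }, { 120, RATE_ERP_G }, { 240, RATE_ERP_G }, { 540, RATE_ERP_G },
};

/* Mirrors the loop in __rate_control_send_low(): idx is preset to the lowest
 * rate; the first index in the rate mask that carries every required flag and
 * is station-supported wins. Only info->rates[0] is written, never a driver
 * dest array. Returns 1 on a match, 0 if the loop ran off the end. */
static int model_send_low(struct model_tx_info *info, uint32_t supp_rates,
			  uint32_t rate_mask)
{
	uint32_t rate_flags = (info->flags & TX_NO_CCK) ? RATE_ERP_G : 0;
	int i;

	info->rates[0].idx = 0;
	for (i = 0; i < N_BITRATES; i++) {
		if (!(rate_mask & BIT(i)))
			continue;
		if ((rate_flags & bitrates[i].flags) != rate_flags)
			continue;
		if (!(supp_rates & BIT(i)))
			continue;
		info->rates[0].idx = (int8_t)i;
		break;
	}
	info->rates[0].count = 1;
	return i < N_BITRATES;
}

/* ieee80211_get_tx_rates() before (fixed = 0) and after (fixed = 1) the hunk:
 * only the fixed version copies the fallback into a dest that is not info->rates. */
static void model_get_tx_rates(struct model_tx_info *info,
			       struct model_tx_rate *dest, uint32_t supp_rates,
			       uint32_t rate_mask, int fixed)
{
	if (dest[0].idx < 0) {
		model_send_low(info, supp_rates, rate_mask);
		if (fixed && dest != info->rates)
			dest[0] = info->rates[0];
	}
}

/* Stand-in for the first table lookup rate_fixup_ratelist() does with dest[0].idx.
 * The kernel has no range check there; the model returns -1 instead of reading. */
static int model_fixup_lookup(const struct model_tx_rate *dest)
{
	int idx = dest[0].idx;
	if (idx < 0 || idx >= N_BITRATES)
		return -1;
	return bitrates[idx].bitrate_100kbps;
}

/* Commit-message case 1: CCK-only station (bits 0-3) with NO_CCK requested.
 * No index matches, so the loop runs off the end; the idx left behind is 0. */
int case_cck_only_nocck_found(void)
{
	struct model_tx_info info = { .flags = TX_NO_CCK };
	return model_send_low(&info, 0x0f, 0xff);
}

int case_cck_only_nocck_idx(void)
{
	struct model_tx_info info = { .flags = TX_NO_CCK };
	model_send_low(&info, 0x0f, 0xff);
	return info.rates[0].idx;
}

/* Commit-message case 2: driver passes its own dest with dest[0].idx = -1 for
 * an OFDM-only station (bits 4-7); returns what the fixup lookup then sees. */
int case_custom_dest(int fixed)
{
	struct model_tx_info info = { .flags = 0 };
	struct model_tx_rate dest[4] = { { -1, 0 }, { -1, 0 }, { -1, 0 }, { -1, 0 } };
	model_get_tx_rates(&info, dest, 0xf0, 0xff, fixed);
	return model_fixup_lookup(dest);
}

int main(void)
{
	printf("CCK-only + NO_CCK: found=%d idx=%d; custom dest: unfixed=%d fixed=%d\n",
	       case_cck_only_nocck_found(), case_cck_only_nocck_idx(),
	       case_custom_dest(0), case_custom_dest(1));
	return 0;
}
```

Build with `cc -Wall model.c` (hypothetical file name) and run. case_custom_dest(0) models the pre-patch path: dest[0].idx never leaves -1, so the lookup stand-in reports the out-of-range index as -1 where the kernel would have read before the array. case_custom_dest(1) models the hunk's copy-back and yields 60 (6 Mbps, index 4). The CCK-only case shows the loop completing without a match while idx stays at the preset lowest rate, the situation the patch turns from a WARN_ONCE into a debug message.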
