Linux wireless drivers development
From: Serhat Kumral <serhatkumral1@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>,
	linux-wireless@vger.kernel.org
Cc: Benjamin Berg <benjamin.berg@intel.com>,
	Miri Korenblit <miriam.rachel.korenblit@intel.com>,
	linux-kernel@vger.kernel.org,
	syzbot+21629c14aa749636db9d@syzkaller.appspotmail.com,
	Serhat Kumral <serhatkumral1@gmail.com>
Subject: [PATCH wireless] wifi: mac80211_hwsim: avoid division by zero in mac80211_hwsim_write_tsf()
Date: Fri, 26 Jun 2026 00:56:06 +0300
Message-ID: <20260625215606.11049-1-serhatkumral1@gmail.com>

mac80211_hwsim_write_tsf() adjusts the timestamp of beacon, probe
response and S1G beacon frames by dividing a constant by the legacy
bitrate of the selected tx rate, e.g.:

	mgmt->u.probe_resp.timestamp =
		cpu_to_le64(sim_time + data->tsf_offset +
			    24 * 8 * 10 / bitrate);

bitrate is taken from ieee80211_get_tx_rate(), which indexes the band's
legacy bitrates[] table by control.rates[0].idx without checking the
HT/VHT/S1G MCS flags or the table bounds. For an MCS rate the idx is not
a legacy-rate index, so the returned rate can have a bitrate of 0. The
code only guarded against a NULL rate, not a zero bitrate, so the
division can divide by zero. As the call trace shows, this is reachable
from user space by injecting a frame on a monitor interface:

	divide error: 0000 [#1] SMP KASAN NOPTI
	RIP: 0010:mac80211_hwsim_write_tsf+0x3a3/0x590
	Call Trace:
	 mac80211_hwsim_tx_frame_no_nl+0x16b/0x1760
	 mac80211_hwsim_tx+0x1784/0x2500
	 ieee80211_tx_frags+0x3df/0x890
	 ieee80211_monitor_start_xmit+0xb33/0x1280
	 __dev_queue_xmit+0x1435/0x37f0
	 packet_sendmsg+0x3d95/0x5040

Fixing this in ieee80211_get_tx_rate() is not viable: callers such as
ath5k and adm8211 dereference its return value without a NULL check, so
making it return NULL for MCS rates would only move the crash elsewhere.
Keep the fix local and fall back to the existing default of 100 whenever
the reported bitrate is zero, in line with the existing "/* TODO: get
MCS */" note above.

Fixes: e75129031f1c ("wifi: mac80211_hwsim: move timestamp writing later in the datapath")
Reported-by: syzbot+21629c14aa749636db9d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=21629c14aa749636db9d
Signed-off-by: Serhat Kumral <serhatkumral1@gmail.com>
---
 drivers/net/wireless/virtual/mac80211_hwsim_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/virtual/mac80211_hwsim_main.c b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
index 0dd8a6c85953..c745395d2042 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim_main.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
@@ -1604,7 +1604,7 @@ static void mac80211_hwsim_write_tsf(struct mac80211_hwsim_data *data,
 	spin_lock_bh(&data->tsf_offset_lock);
 
 	txrate = ieee80211_get_tx_rate(data->hw, info);
-	if (txrate)
+	if (txrate && txrate->bitrate)
 		bitrate = txrate->bitrate;
 
 	if (skb->len >= offsetofend(typeof(*mgmt), u.probe_resp.timestamp) &&
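Review bot: the added `txrate->bitrate` check stops the divide-by-zero but leaves the root cause described in the commit message untouched: `ieee80211_get_tx_rate()` is still called with an MCS `idx` that, per the description, is used to index the legacy `bitrates[]` table without a bounds check, so the returned pointer can still point outside that table and the zero-bitrate test only catches the case where the out-of-range slot happens to read as 0. Consider checking the MCS flags on `info->control.rates[0]` (e.g. `IEEE80211_TX_RC_MCS` / `IEEE80211_TX_RC_VHT_MCS`) before the call and skipping the lookup entirely for MCS rates, keeping the current `bitrate` fallback, or state in the commit message why an out-of-range read here is acceptable. Also, the description says the fallback to 100 matches the existing "/* TODO: get MCS */" note, but that comment is outside the visible context; it would help to update it in the same patch so it mentions that a zero bitrate falls back to the default.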
-- 
2.54.0

