From: Serhat Kumral <serhatkumral1@gmail.com>
To: ghwns6743@gmail.com
Cc: benjamin.berg@intel.com, johannes@sipsolutions.net,
linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
miriam.rachel.korenblit@intel.com, serhatkumral1@gmail.com,
syzbot+21629c14aa749636db9d@syzkaller.appspotmail.com
Subject: Re: [PATCH wireless] wifi: mac80211_hwsim: avoid division by zero in mac80211_hwsim_write_tsf()
Date: Fri, 26 Jun 2026 10:37:38 +0300
Message-ID: <20260626073738.13014-1-serhatkumral1@gmail.com>
In-Reply-To: <20260627134827.12531-1-ghwns6743@gmail.com>

Thanks a lot for the independent confirmation and for tracking down the
exact mechanism -- the OOB read landing inside struct mac80211_hwsim_data
(via sband->bitrates = data->rates) explains precisely why KASAN stays
quiet. Appreciate you sharing the reproducer too.

On hardening ieee80211_get_tx_rate() centrally: I'd defer to Johannes on
the preferred direction, since it touches callers across several drivers
(ath5k, adm8211, and likely others) that currently dereference the
return value without a NULL check -- any change there needs an audit of
all of them, which felt out of scope for this fix. If it's considered
worth doing, I'd be happy to help with that audit.

Thread overview: 3+ messages
2026-06-25 21:56 [PATCH wireless] wifi: mac80211_hwsim: avoid division by zero in mac80211_hwsim_write_tsf() Serhat Kumral
2026-06-27 13:48 ` [PATCH] " Hojun Choi
2026-06-26 7:37 ` Serhat Kumral [this message]