Linux wireless drivers development
* [PATCH wireless] wifi: mac80211_hwsim: avoid division by zero in mac80211_hwsim_write_tsf()
@ 2026-06-25 21:56 Serhat Kumral
  2026-06-27 13:48 ` [PATCH] " Hojun Choi
  0 siblings, 1 reply; 3+ messages in thread
From: Serhat Kumral @ 2026-06-25 21:56 UTC (permalink / raw)
  To: Johannes Berg, linux-wireless
  Cc: Benjamin Berg, Miri Korenblit, linux-kernel,
	syzbot+21629c14aa749636db9d, Serhat Kumral

mac80211_hwsim_write_tsf() adjusts the timestamp of beacon, probe
response and S1G beacon frames by dividing a constant by the legacy
bitrate of the selected tx rate, e.g.:

	mgmt->u.probe_resp.timestamp =
		cpu_to_le64(sim_time + data->tsf_offset +
			    24 * 8 * 10 / bitrate);

bitrate is taken from ieee80211_get_tx_rate(), which indexes the band's
legacy bitrates[] table by control.rates[0].idx without checking the
HT/VHT/S1G MCS flags or the table bounds. For an MCS rate the idx is not
a legacy-rate index, so the returned rate can have a bitrate of 0. The
code only guarded against a NULL rate, not a zero bitrate, so the
division can divide by zero. As the call trace shows, this is reachable
from user space by injecting a frame on a monitor interface:

	divide error: 0000 [#1] SMP KASAN NOPTI
	RIP: 0010:mac80211_hwsim_write_tsf+0x3a3/0x590
	Call Trace:
	 mac80211_hwsim_tx_frame_no_nl+0x16b/0x1760
	 mac80211_hwsim_tx+0x1784/0x2500
	 ieee80211_tx_frags+0x3df/0x890
	 ieee80211_monitor_start_xmit+0xb33/0x1280
	 __dev_queue_xmit+0x1435/0x37f0
	 packet_sendmsg+0x3d95/0x5040

Fixing this in ieee80211_get_tx_rate() is not viable: callers such as
ath5k and adm8211 dereference its return value without a NULL check, so
making it return NULL for MCS rates would only move the crash elsewhere.
Keep the fix local and fall back to the existing default of 100 whenever
the reported bitrate is zero, in line with the existing "/* TODO: get
MCS */" note above.

Fixes: e75129031f1c ("wifi: mac80211_hwsim: move timestamp writing later in the datapath")
Reported-by: syzbot+21629c14aa749636db9d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=21629c14aa749636db9d
Signed-off-by: Serhat Kumral <serhatkumral1@gmail.com>
---
 drivers/net/wireless/virtual/mac80211_hwsim_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/virtual/mac80211_hwsim_main.c b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
index 0dd8a6c85953..c745395d2042 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim_main.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
@@ -1604,7 +1604,7 @@ static void mac80211_hwsim_write_tsf(struct mac80211_hwsim_data *data,
 	spin_lock_bh(&data->tsf_offset_lock);
 
 	txrate = ieee80211_get_tx_rate(data->hw, info);
-	if (txrate)
+	if (txrate && txrate->bitrate)
 		bitrate = txrate->bitrate;
 
 	if (skb->len >= offsetofend(typeof(*mgmt), u.probe_resp.timestamp) &&
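Review bot: the added `&& txrate->bitrate` condition reads like a generic defensive check without a comment saying why a non-NULL rate can carry a zero bitrate; consider a one-line comment above the `if` noting that ieee80211_get_tx_rate() indexes the legacy bitrates[] table by control.rates[0].idx even for HT/VHT/S1G MCS rates, so the entry's bitrate may be 0 and the default (100, per the commit message) is used instead. Also, the fallback value is assigned outside this hunk, so it would help to reword the existing "/* TODO: get MCS */" note to say that the zero-bitrate case is expected for MCS rates rather than a stray table entry.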
-- 
2.54.0

