From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Edward Adam Davis <eadavis@qq.com>,
syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
johannes@sipsolutions.net, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 34/46] wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled
Date: Tue, 3 Jun 2025 21:03:52 -0400 [thread overview]
Message-ID: <20250604010404.5109-34-sashal@kernel.org> (raw)
In-Reply-To: <20250604010404.5109-1-sashal@kernel.org>
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit c575f5374be7a5c4be4acb9fe6be3a4669d94674 ]
Setting tsf is meaningless if beacon is disabled, so check that beacon
is enabled before setting tsf.
Reported-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=064815c6cd721082a52a
Tested-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Link: https://patch.msgid.link/tencent_3609AC2EFAAED68CA5A7E3C6D212D1C67806@qq.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Perfect! Now I can see the exact issue. The function uses `do_div(delta,
bcn_int)` where `bcn_int` comes from `data->link_data[0].beacon_int`.
When beacons are disabled, this value could be 0, leading to a division
by zero error. **YES** This commit should be backported to stable kernel
trees. Here's my extensive analysis: ## Analysis of the Commit ### The
Bug The commit fixes a **division by zero vulnerability** in the
`mac80211_hwsim_set_tsf()` function. The issue occurs when: 1. **Beacons
are disabled** (`enable_beacon = false`) 2. **Beacon interval becomes
0** (as seen in line 2569: `link_data->beacon_int = 0;`) 3. **TSF is
still being set**, leading to `do_div(delta, bcn_int)` operations where
`bcn_int = 0` ### Code Analysis The problematic code was: ```c u32
bcn_int = data->link_data[0].beacon_int; // Could be 0 when beacons
disabled u64 delta = abs(tsf - now); // ... data->bcn_delta =
do_div(delta, bcn_int); // Division by zero! ``` The fix adds a safety
check: ```c conf = link_conf_dereference_protected(vif,
data->link_data[0].link_id); if (conf && !conf->enable_beacon) return;
// Exit early when beacons are disabled ``` ### Why This Should Be
Backported 1. **Critical Bug Fix**: This fixes a **division by zero
kernel bug** that could cause kernel panics or crashes. 2. **Security
Issue**: The commit references a **syzbot report**
(`syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com`), indicating
this is a reproducible security issue found by automated fuzzing. 3.
**Small and Contained**: The fix is minimal - just 5 lines of code that
add a safety check. It follows the stable tree rule of being a small,
targeted fix. 4. **No Architectural Changes**: This doesn't introduce
new features or make architectural changes. It simply prevents an
invalid operation from occurring. 5. **Low Regression Risk**: The fix is
defensive programming - it only prevents the function from executing
when beacons are disabled, which makes logical sense since TSF
adjustment is meaningless without beacons. 6. **Driver-Specific**: This
affects the `mac80211_hwsim` virtual driver, which is commonly used for
testing and virtualization, making the fix important for testing
infrastructure. 7. **Logical Fix**: The commit message clearly states
"Setting tsf is meaningless if beacon is disabled" - this is a logical
improvement that prevents undefined behavior. ### Backport Suitability -
✅ **Bug fix**: Yes, fixes division by zero - ✅ **Small change**: Only 5
lines added - ✅ **Contained**: Limited to one function in one driver - ✅
**Low risk**: Defensive check, cannot cause regressions - ✅ **Security
relevant**: Prevents kernel crashes - ✅ **Clear benefit**: Prevents
undefined behavior This is exactly the type of commit that stable trees
are designed for - a small, targeted fix for a real bug that affects
system stability.
drivers/net/wireless/mac80211_hwsim.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index abcd165a62cfe..80a2a668cfb9e 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1091,6 +1091,11 @@ static void mac80211_hwsim_set_tsf(struct ieee80211_hw *hw,
/* MLD not supported here */
u32 bcn_int = data->link_data[0].beacon_int;
u64 delta = abs(tsf - now);
+ struct ieee80211_bss_conf *conf;
+
+ conf = link_conf_dereference_protected(vif, data->link_data[0].link_id);
+ if (conf && !conf->enable_beacon)
+ return;
/* adjust after beaconing with new timestamp at old TBTT */
if (tsf > now) {
--
2.39.5
next prev parent reply other threads:[~2025-06-04 1:05 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-04 1:03 [PATCH AUTOSEL 6.1 01/46] net: macb: Check return value of dma_set_mask_and_coherent() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 02/46] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 03/46] tipc: use kfree_sensitive() for aead cleanup Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 04/46] bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 05/46] i2c: designware: Invoke runtime suspend on quick slave re-registration Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 06/46] emulex/benet: correct command version selection in be_cmd_get_stats() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 07/46] wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 08/46] wifi: mt76: mt7921: add 160 MHz AP for mt7922 device Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 09/46] sctp: Do not wake readers in __sctp_write_space() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 10/46] cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 11/46] i2c: tegra: check msg length in SMBUS block read Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 12/46] i2c: npcm: Add clock toggle recovery Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 13/46] net: dlink: add synchronization for stats update Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 14/46] wifi: ath11k: Fix QMI memory reuse logic Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 15/46] tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 16/46] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 17/46] x86/sgx: Prevent attempts to reclaim poisoned pages Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 18/46] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 19/46] openvswitch: Stricter validation for the userspace action Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 20/46] net: atlantic: generate software timestamp just before the doorbell Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 21/46] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 22/46] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 23/46] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 24/46] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 25/46] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 26/46] net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 27/46] wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 28/46] wifi: mac80211: do not offer a mesh path if forwarding is disabled Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 29/46] bpftool: Fix cgroup command to only show cgroup bpf programs Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 30/46] clk: rockchip: rk3036: mark ddrphy as critical Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 31/46] libbpf: Add identical pointer detection to btf_dedup_is_equiv() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 32/46] scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 33/46] iommu/amd: Ensure GA log notifier callbacks finish running before module unload Sasha Levin
2025-06-04 1:03 ` Sasha Levin [this message]
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 35/46] net: bridge: mcast: update multicast contex when vlan state is changed Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 36/46] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 37/46] vxlan: Do not treat dst cache initialization errors as fatal Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 38/46] software node: Correct a OOB check in software_node_get_reference_args() Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 39/46] pinctrl: mcp23s08: Reset all pins to input at probe Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 40/46] scsi: lpfc: Use memcpy() for BIOS version Sasha Levin
2025-06-04 1:03 ` [PATCH AUTOSEL 6.1 41/46] sock: Correct error checking condition for (assign|release)_proto_idx() Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 42/46] i40e: fix MMIO write access to an invalid page in i40e_clear_hw Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 43/46] ice: fix check for existing switch rule Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 44/46] bpf, sockmap: Fix data lost during EAGAIN retries Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 45/46] net: ethernet: cortina: Use TOE/TSO on all TCP Sasha Levin
2025-06-04 1:04 ` [PATCH AUTOSEL 6.1 46/46] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250604010404.5109-34-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=eadavis@qq.com \
--cc=johannes.berg@intel.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox