lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <69282e1e.a70a0220.d98e3.00fa.GAE@google.com>
Date: Thu, 27 Nov 2025 02:55:26 -0800
From: syzbot <syzbot+6506f7abde798179ecc4@...kaller.appspotmail.com>
To: johannes@...solutions.net, linux-kernel@...r.kernel.org, 
	linux-wireless@...r.kernel.org, netdev@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [wireless?] WARNING in drv_unassign_vif_chanctx (3)

syzbot has found a reproducer for the following issue on:

HEAD commit:    4941a17751c9 Merge tag 'trace-ringbuffer-v6.18-rc7' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12503e12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6824ec1757ea1310
dashboard link: https://syzkaller.appspot.com/bug?extid=6506f7abde798179ecc4
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=168cee12580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15536f42580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-4941a177.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/df31d5f8fbe6/vmlinux-4941a177.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5039c51e9d30/bzImage-4941a177.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6506f7abde798179ecc4@...kaller.appspotmail.com

netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
bridge_slave_1: left allmulticast mode
bridge_slave_1: left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge_slave_0: left allmulticast mode
bridge_slave_0: left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave wlan1): Releasing backup interface
bond0 (unregistering): Released all slaves
------------[ cut here ]------------
wlan1: Failed check-sdata-in-driver check, flags: 0x0
WARNING: CPU: 0 PID: 13 at net/mac80211/driver-ops.c:366 drv_unassign_vif_chanctx+0x247/0x850 net/mac80211/driver-ops.c:366
Modules linked in:
CPU: 0 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:drv_unassign_vif_chanctx+0x247/0x850 net/mac80211/driver-ops.c:366
Code: 74 24 10 48 81 c6 20 01 00 00 48 89 74 24 10 e8 af ec ee f6 8b 54 24 04 48 8b 74 24 10 48 c7 c7 40 b6 e2 8c e8 fa 1f ad f6 90 <0f> 0b 90 90 e8 90 ec ee f6 4c 89 f2 48 b8 00 00 00 00 00 fc ff df
RSP: 0018:ffffc900001075a8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880501e8d80 RCX: ffffffff817b1cd8
RDX: ffff88801da88000 RSI: ffffffff817b1ce5 RDI: 0000000000000001
RBP: ffff888052578e80 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880501eaad8
R13: 0000000000000000 R14: ffff8880501e97b8 R15: ffff8880501eaa80
FS:  0000000000000000(0000) GS:ffff8880d6a05000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd732ef6fe8 CR3: 000000000e182000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 ieee80211_assign_link_chanctx+0x3f1/0xf00 net/mac80211/chan.c:905
 __ieee80211_link_release_channel+0x273/0x4b0 net/mac80211/chan.c:1879
 ieee80211_link_release_channel+0x128/0x200 net/mac80211/chan.c:2154
 unregister_netdevice_many_notify+0x1402/0x25c0 net/core/dev.c:12305
 unregister_netdevice_many net/core/dev.c:12347 [inline]
 unregister_netdevice_queue+0x305/0x3f0 net/core/dev.c:12161
 unregister_netdevice include/linux/netdevice.h:3389 [inline]
 _cfg80211_unregister_wdev+0x64b/0x830 net/wireless/core.c:1284
 ieee80211_remove_interfaces+0x34e/0x740 net/mac80211/iface.c:2394
 ieee80211_unregister_hw+0x55/0x3a0 net/mac80211/main.c:1681
 mac80211_hwsim_del_radio drivers/net/wireless/virtual/mac80211_hwsim.c:5915 [inline]
 hwsim_exit_net+0x788/0x1590 drivers/net/wireless/virtual/mac80211_hwsim.c:6806
 ops_exit_list net/core/net_namespace.c:199 [inline]
 ops_undo_list+0x2ee/0xab0 net/core/net_namespace.c:252
 cleanup_net+0x41b/0x8b0 net/core/net_namespace.c:695
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
 process_scheduled_works kernel/workqueue.c:3346 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ