lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <696d52b6.050a0220.3390f1.0025.GAE@google.com>
Date: Sun, 18 Jan 2026 13:37:58 -0800
From: syzbot <syzbot+2cecf0e829ae2219d419@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Private message regarding: [syzbot] [wireless?] WARNING in
 drv_get_tsf (2)

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: Private message regarding: [syzbot] [wireless?] WARNING in drv_get_tsf (2)
Author: kapoorarnav43@...il.com

#syz test

commit 0cd0a5cff75a12d3cf1fa0675950ef0dcc647799 (HEAD -> master)
Author: Arnav Kapoor <kapoorarnav43@...il.com>
Date:   Mon Jan 19 03:03:18 2026 +0530

    mac80211: Fix WARNING in drv_get_tsf debugfs access
    
    The debugfs tsf read function was calling drv_get_tsf() even when the
    interface was not registered with the driver, causing a WARN_ON to be
    triggered. This is inappropriate for debugfs access.
    
    Fix this by checking the IEEE80211_SDATA_IN_DRIVER flag in the debugfs
    read function and returning -1ULL directly when the interface is not
    in the driver, avoiding the warning.
    
    Reported-by: syzbot+15f88dfa580000@...kaller.appspotmail.com
    Signed-off-by: Arnav Kapoor <kapoorarnav43@...il.com>

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 30a5a978a..669e7c519 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -656,7 +656,10 @@ static ssize_t ieee80211_if_fmt_tsf(
        struct ieee80211_local *local = sdata->local;
        u64 tsf;
 
-       tsf = drv_get_tsf(local, (struct ieee80211_sub_if_data *)sdata);
+       if (!(sdata->flags & IEEE80211_SDATA_IN_DRIVER))
+               tsf = -1ULL;
+       else
+               tsf = drv_get_tsf(local, (struct ieee80211_sub_if_data 
*)sdata);
 
        return scnprintf(buf, buflen, "0x%016llx\n", (unsigned long long) 
tsf);
 }

On Monday, 19 January 2026 at 02:56:22 UTC+5:30 syzbot wrote:

Hello, 

syzbot found the following issue on: 

HEAD commit: 944aacb68baf Merge tag 'scsi-fixes' of git://git.kernel.or.. 
git tree: upstream 
console output: https://syzkaller.appspot.com/x/log.txt?x=15f88dfa580000 
kernel config: https://syzkaller.appspot.com/x/.config?x=ae589cd0a6acd9be 
dashboard link: https://syzkaller.appspot.com/bug?extid=2cecf0e829ae2219d419 
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for 
Debian) 2.40 
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16259d9a580000 

Downloadable assets: 
disk image: 
https://storage.googleapis.com/syzbot-assets/1971a9dd2936/disk-944aacb6.raw.xz 
vmlinux: 
https://storage.googleapis.com/syzbot-assets/cf50ec150c97/vmlinux-944aacb6.xz 
kernel image: 
https://storage.googleapis.com/syzbot-assets/eee3d7722c03/bzImage-944aacb6.xz 

IMPORTANT: if you fix the issue, please add the following tag to the 
commit: 
Reported-by: syzbot+2cecf0...@...kaller.appspotmail.com 

------------[ cut here ]------------ 
wlan1: Failed check-sdata-in-driver check, flags: 0x0 
WARNING: net/mac80211/driver-ops.c:255 at drv_get_tsf+0x187/0x6f0 
net/mac80211/driver-ops.c:255, CPU#0: kworker/u8:11/3538 
Modules linked in: 
CPU: 0 UID: 0 PID: 3538 Comm: kworker/u8:11 Not tainted syzkaller #0 
PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
Google 10/25/2025 
Workqueue: events_unbound cfg80211_wiphy_work 
RIP: 0010:drv_get_tsf+0x18d/0x6f0 net/mac80211/driver-ops.c:255 
Code: 0a 00 00 4d 85 e4 0f 84 95 04 00 00 e8 8c 9a dc f6 49 81 c4 20 01 00 
00 e8 80 9a dc f6 48 8d 3d 49 e9 b6 05 44 89 f2 4c 89 e6 <67> 48 0f b9 3a 
e8 69 9a dc f6 4c 89 ea 48 b8 00 00 00 00 00 fc ff 
RSP: 0018:ffffc9000c49fb08 EFLAGS: 00010293 
RAX: 0000000000000000 RBX: ffff88805c0c4d80 RCX: ffffffff8ae1c32f 
RDX: 0000000000000000 RSI: ffff88805c0c4120 RDI: ffffffff9098acd0 
RBP: ffff888031cc8e80 R08: 0000000000000005 R09: 0000000000000000 
R10: 0000000000000000 R11: ffff88803190c830 R12: ffff88805c0c4120 
R13: ffff88805c0c57b8 R14: 0000000000000000 R15: ffff888031cc86d0 
FS: 0000000000000000(0000) GS:ffff8881248f9000(0000) knlGS:0000000000000000 
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
CR2: 00007f239b3156c0 CR3: 0000000075ed0000 CR4: 00000000003526f0 
Call Trace: 
<TASK> 
ieee80211_if_fmt_tsf+0x42/0x70 net/mac80211/debugfs_netdev.c:659 
wiphy_locked_debugfs_read_work+0xe6/0x1c0 net/wireless/debugfs.c:168 
cfg80211_wiphy_work+0x3fb/0x560 net/wireless/core.c:438 
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 
process_scheduled_works kernel/workqueue.c:3340 [inline] 
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 
kthread+0x3c5/0x780 kernel/kthread.c:463 
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 
</TASK> 
---------------- 
Code disassembly (best guess), 1 bytes skipped: 
0: 00 00 add %al,(%rax) 
2: 4d 85 e4 test %r12,%r12 
5: 0f 84 95 04 00 00 je 0x4a0 
b: e8 8c 9a dc f6 call 0xf6dc9a9c 
10: 49 81 c4 20 01 00 00 add $0x120,%r12 
17: e8 80 9a dc f6 call 0xf6dc9a9c 
1c: 48 8d 3d 49 e9 b6 05 lea 0x5b6e949(%rip),%rdi # 0x5b6e96c 
23: 44 89 f2 mov %r14d,%edx 
26: 4c 89 e6 mov %r12,%rsi 
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction 
2e: e8 69 9a dc f6 call 0xf6dc9a9c 
33: 4c 89 ea mov %r13,%rdx 
36: 48 rex.W 
37: b8 00 00 00 00 mov $0x0,%eax 
3c: 00 fc add %bh,%ah 
3e: ff .byte 0xff 


--- 
This report is generated by a bot. It may contain errors. 
See https://goo.gl/tpsmEJ for more information about syzbot. 
syzbot engineers can be reached at syzk...@...glegroups.com. 

syzbot will keep track of this issue. See: 
https://goo.gl/tpsmEJ#status for how to communicate with syzbot. 

If the report is already addressed, let syzbot know by replying with: 
#syz fix: exact-commit-title 

If you want syzbot to run the reproducer, reply with: 
#syz test: git://repo/address.git branch-or-commit-hash 
If you attach or paste a git patch, syzbot will apply it before testing. 

If you want to overwrite report's subsystems, reply with: 
#syz set subsystems: new-subsystem 
(See the list of subsystem names on the web dashboard) 

If the report is a duplicate of another one, reply with: 
#syz dup: exact-subject-of-another-report 

If you want to undo deduplication, reply with: 
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ