 
            When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense.
The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac80211/ibss.c), which was consequently reported on the syzkaller dashboard.
Thus, check if we have an existing connection before generating the CSA beacon in ieee80211_ibss_finish_csa().
Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode") Bug report: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca... Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com Cc: stable@vger.kernel.org
Signed-off-by: Siddh Raman Pant code@siddh.me --- The fixes commit is old, and syzkaller shows the problem exists for 4.19 and 4.14 as well, so CC'd stable list.
net/mac80211/ibss.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c index d56890e3fabb..9b283bbc7bb4 100644 --- a/net/mac80211/ibss.c +++ b/net/mac80211/ibss.c @@ -530,6 +530,10 @@ int ieee80211_ibss_finish_csa(struct ieee80211_sub_if_data *sdata)
sdata_assert_lock(sdata);
+ /* When not connected/joined, sending CSA doesn't make sense. */ + if (ifibss->state != IEEE80211_IBSS_MLME_JOINED) + return -ENOLINK; + /* update cfg80211 bss information with the new channel */ if (!is_zero_ether_addr(ifibss->bssid)) { cbss = cfg80211_get_bss(sdata->local->hw.wiphy,
 
            On Sun, Aug 14, 2022 at 08:45:12PM +0530, Siddh Raman Pant via Linux-kernel-mentees wrote:
When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense.
The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac80211/ibss.c), which was consequently reported on the syzkaller dashboard.
Thus, check if we have an existing connection before generating the CSA beacon in ieee80211_ibss_finish_csa().
Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode") Bug report: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca... Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com Cc: stable@vger.kernel.org
Signed-off-by: Siddh Raman Pant code@siddh.me
Please no blank line before your signed-off-by line or the tools will not like it.
And did sysbot verify that this change solved the problem?
thanks,
greg k-h
 
            On Mon, 15 Aug 2022 12:30:13 +0530 Greg KH wrote:
Please no blank line before your signed-off-by line or the tools will not like it.
Oh okay, noted.
And did sysbot verify that this change solved the problem?
Syzbot was failing to boot for reasons unrelated to the patch. I tried testing three times, and every time the boot was failing. It was taking more than 5 hours for syzbot to pick up the patch from pending state every time, so I now posted it.
You can look at the syzkaller group page here: https://groups.google.com/g/syzkaller-bugs/c/bGZwWS4Q3ek/m/dQ3pdAVSAAAJ (Pardon the atrocious HTML email at the end, I used a mobile app to email and forgot it doesn't send in plaintext.)
I have locally tested this with the reproducer syzbot gave.
Thanks, Siddh
linux-stable-mirror@lists.linaro.org

