syzbot


UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap

Status: upstream: reported C repro on 2026/05/30 20:57
Subsystems: wireless
Labels: prio:normal
Reported-by: syzbot+8e0622f6d9446420271f@syzkaller.appspotmail.com
Fix commit: wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap
Patched on: [ci-upstream-net-this-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 109d, last: 20m
Cause bisection: failed (error log, bisect log)
  
✨ AI Jobs (2)
ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error
441b91be-1b5e-4560-9301-59d59e8a899c | assessment-security | DenialOfService: ❌ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌ | | UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap | 2026/06/01 02:54 | 2026/06/01 02:54 | 2026/06/01 03:47 | 6b4a844333e83556da95d61d7f207e7ef5cd4bc6 |
ffe0e579-28f9-420b-a453-a3823c66f4c1 | assessment-security | 💥 | | UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap | 2026/05/15 10:08 | 2026/05/15 10:08 | 2026/05/15 10:09 | 9cd3beaadf14b3a22d15fd97a0bf081ee41ebe01 | failed to run ["git" "pull" "origin" "HEAD" "--depth=1" "--allow-unrelated-histories"]: exit status 1 fatal: write error: No space left on device fatal: fetch-pack: invalid index-pack output
Discussions (2)
Title | Replies (including bot) | Last reply
[PATCH] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap | 1 (1) | 2026/05/31 01:17
[syzbot] [wireless?] UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap | 0 (2) | 2026/05/31 00:33
Last patch testing requests (5)
Created | Duration | User | Patch | Repo | Result
2026/05/31 00:33 | 29m | kartikey406@gmail.com | patch | upstream | error
2026/03/05 23:08 | 49m | retest repro | | linux-next | report log
2026/03/05 23:21 | 18m | retest repro | | upstream | report log
2026/03/05 23:21 | 12m | retest repro | | upstream | report log
2026/03/05 23:08 | 18m | retest repro | | linux-next | report log

Sample crash report:
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in net/mac80211/tx.c:2184:30
shift exponent 85 is too large for 64-bit type 'long unsigned int'
CPU: 2 UID: 0 PID: 5936 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:233
 __ubsan_handle_shift_out_of_bounds+0x279/0x2a0 lib/ubsan.c:494
 ieee80211_parse_tx_radiotap.cold+0x1a/0x1f net/mac80211/tx.c:2184
 ieee80211_monitor_start_xmit+0x901/0x1280 net/mac80211/tx.c:2461
 __netdev_start_xmit include/linux/netdevice.h:5368 [inline]
 netdev_start_xmit include/linux/netdevice.h:5377 [inline]
 xmit_one net/core/dev.c:3888 [inline]
 dev_hard_start_xmit+0x128/0x7a0 net/core/dev.c:3904
 __dev_queue_xmit+0x1baa/0x4950 net/core/dev.c:4870
 dev_queue_xmit include/linux/netdevice.h:3418 [inline]
 packet_xmit+0x243/0x310 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3082 [inline]
 packet_sendmsg+0x319a/0x5100 net/packet/af_packet.c:3114
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 __sys_sendto+0x468/0x4b0 net/socket.c:2265
 __do_sys_sendto net/socket.c:2272 [inline]
 __se_sys_sendto net/socket.c:2268 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2268
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8a9ed9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe039a1318 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f8a9f015fa0 RCX: 00007f8a9ed9ce59
RDX: 0000000000000038 RSI: 0000200000000640 RDI: 0000000000000007
RBP: 00007f8a9ee32d6f R08: 0000200000000380 R09: 0000000000000014
R10: 0000000004000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8a9f015fac R14: 00007f8a9f015fa0 R15: 00007f8a9f015fa0
 </TASK>
---[ end trace ]---

Crashes (65):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/06/04 17:57 upstream ba3e43a9e601 197909be .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 07:08 upstream 3e48a11675c5 1e62d198 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 05:40 upstream 3e48a11675c5 1e62d198 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/04/26 17:36 net e728258debd5 9c2d0995 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/04/26 16:13 net e728258debd5 9c2d0995 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/31 20:03 net-next 841559836550 6b4a8443 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/31 18:34 net-next 841559836550 6b4a8443 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 11:57 linux-next 635c467cc14e 1e62d198 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 10:34 linux-next 635c467cc14e 1e62d198 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/29 01:00 upstream 8fde5d1d47f6 4624854e .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/29 00:13 upstream 8fde5d1d47f6 4624854e .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/15 05:48 upstream 66182ca873a4 6ccb967e .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/13 03:17 upstream c21b90f77687 a0949470 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/12 21:51 upstream c21b90f77687 a0949470 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/07 19:52 upstream 8ab992f815d6 0211be7b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/03 04:17 upstream 66edb901bf87 a0d91488 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/01 15:07 upstream 26fd6bff2c05 753c55b9 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/05/01 15:07 upstream 26fd6bff2c05 753c55b9 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/04/25 03:42 upstream 892c894b4ba4 9c2d0995 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/03/22 12:35 upstream 113ae7b4decc 5b92003d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/03/20 07:22 upstream e9825d1c7957 2f245add .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/03/09 02:37 upstream 014441d1e4b2 5cb44a80 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/03/08 08:52 upstream c23719abc330 5cb44a80 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/03/08 08:51 upstream c23719abc330 5cb44a80 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/03/08 08:50 upstream c23719abc330 5cb44a80 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/03/07 19:51 upstream 4ae12d8bd9a8 5cb44a80 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/19 22:57 upstream 2b7a25df823d 73a252ac .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/19 22:57 upstream 2b7a25df823d 73a252ac .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 18:11 upstream ca4ee40bf13d 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:17 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:17 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:15 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:15 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:15 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:15 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:15 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:15 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:14 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:14 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:14 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:14 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:14 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:14 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:13 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:13 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:13 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:12 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:11 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 04:10 upstream 3e48a11675c5 1e62d198 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/04/24 05:10 net 5e6391da4539 9cfb3ca7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
2026/02/15 11:10 linux-next 635c467cc14e 1e62d198 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce UBSAN: shift-out-of-bounds in ieee80211_parse_tx_radiotap
* Struck through repros no longer work on HEAD.