syzbot


WARNING in ieee80211_free_ack_frame

Status: upstream: reported on 2025/08/03 17:18
Reported-by: syzbot+b8d193f52213886b7e01@syzkaller.appspotmail.com
First crash: 24d, last: 24d
Similar bugs (4)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 WARNING in ieee80211_free_ack_frame -1 C error 97 920d 1785d 0/1 upstream: reported C repro on 2020/10/07 07:47
upstream WARNING in ieee80211_free_ack_frame (2) wireless -1 C error done 170 4d12h 1381d 0/29 upstream: reported C repro on 2021/11/15 07:38
upstream WARNING in ieee80211_free_ack_frame wireless -1 syz done 117 1391d 1785d 20/29 fixed on 2021/11/10 00:50
linux-5.15 WARNING in ieee80211_free_ack_frame origin:upstream -1 C error 1 39d 885d 0/3 upstream: reported C repro on 2023/03/26 11:43

Sample crash report:
------------[ cut here ]------------
Have pending ack frames!
WARNING: CPU: 1 PID: 9 at net/mac80211/main.c:1508 ieee80211_free_ack_frame+0x64/0x6c net/mac80211/main.c:1508
Modules linked in:
CPU: 1 PID: 9 Comm: kworker/u4:0 Not tainted 6.1.147-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ieee80211_free_ack_frame+0x64/0x6c net/mac80211/main.c:1508
lr : ieee80211_free_ack_frame+0x64/0x6c net/mac80211/main.c:1508
sp : ffff80001c857760
x29: ffff80001c857760 x28: 0000000000000000 x27: ffff80001c8577a0
x26: dfff800000000000 x25: dfff800000000000 x24: ffff0000f5fa8000
x23: 0000000000000001 x22: ffff0000f4e358f0 x21: ffff0000f5f8b288
x20: ffff800017a78000 x19: ffff0000d26b8500 x18: ffff800011aabce0
x17: 0000000000000000 x16: ffff8000082d2374 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff00800008191c9c x10: 0000000000000000 x9 : 604b0b170ed12200
x8 : 604b0b170ed12200 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80001c8571f8 x4 : ffff800015194800 x3 : ffff80000852e34c
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 ieee80211_free_ack_frame+0x64/0x6c net/mac80211/main.c:1508
 idr_for_each+0x17c/0x248 lib/idr.c:208
 ieee80211_free_hw+0xc4/0x40c net/mac80211/main.c:1526
 mac80211_hwsim_del_radio+0x260/0x3a8 drivers/net/wireless/mac80211_hwsim.c:4691
 hwsim_exit_net+0x49c/0x558 drivers/net/wireless/mac80211_hwsim.c:5475
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x5c4/0xa74 net/core/net_namespace.c:640
 process_one_work+0x7f4/0x13a8 kernel/workqueue.c:2292
 worker_thread+0x8c8/0xfbc kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:849
irq event stamp: 5224990
hardirqs last  enabled at (5224989): [<ffff80000830848c>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (5224990): [<ffff8000119455d8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last  enabled at (5222294): [<ffff80000fd5de30>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last  enabled at (5222294): [<ffff80000fd5de30>] netif_addr_unlock_bh include/linux/netdevice.h:4510 [inline]
softirqs last  enabled at (5222294): [<ffff80000fd5de30>] dev_mc_flush+0x1b0/0x1f4 net/core/dev_addr_lists.c:1036
softirqs last disabled at (5222292): [<ffff80000fd5e360>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
device veth1_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): Released all slaves
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): Released all slaves
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/08/03 17:17 linux-6.1.y 3594f306da12 7368264b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING in ieee80211_free_ack_frame
* Struck through repros no longer work on HEAD.