WARNING in ieee80211_start_next

WARNING in ieee80211_start_next_roc
Status: upstream: reported C repro on 2020/12/09 02:03
Reported-by: syzbot+c3a167b5615df4ccd7fb@syzkaller.appspotmail.com
First crash: 197d, last: 4d00h

Cause bisection: introduced by (bisect log) [no-op commit]:
commit 6ad8c632ee48ae099aa13704ef18a641220fe211
Author: Sudarsana Reddy Kalluru <sudarsana.kalluru@qlogic.com>
Date: Wed Jun 8 10:22:10 2016 +0000

qed: Add support for query/config dcbx.

Crash: KASAN: null-ptr-deref Read (log)
Repro: C syz .config

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	WARNING in ieee80211_start_next_roc	C			7	7d21h	162d	0/1	upstream: reported C repro on 2021/01/09 02:54
linux-4.14	WARNING in ieee80211_start_next_roc	C			1	28d	223d	0/1	upstream: reported C repro on 2020/11/08 18:11

Sample crash report:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 10127 at net/mac80211/offchannel.c:401 ieee80211_start_next_roc+0x1f4/0x240 net/mac80211/offchannel.c:401
Modules linked in:
CPU: 1 PID: 10127 Comm: syz-executor756 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ieee80211_start_next_roc+0x1f4/0x240 net/mac80211/offchannel.c:401
Code: 18 22 00 00 48 89 ef 48 89 c2 e8 47 a7 0b 00 5b 5d e9 20 61 18 f9 e8 1b 61 18 f9 48 89 ef e8 c3 73 ff ff eb 8d e8 0c 61 18 f9 <0f> 0b eb 84 48 c7 c7 6c 58 c6 8d e8 2c 1c 5c f9 e9 2f fe ff ff e8
RSP: 0018:ffffc9000161f448 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888026c5d4c0 RSI: ffffffff885b8784 RDI: 0000000000000003
RBP: ffff888144990d00 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff885b869d R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000001 R15: ffff888144992680
FS:  00007f7318ade700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd38c183028 CR3: 000000001d8fc000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __ieee80211_scan_completed+0x602/0xed0 net/mac80211/scan.c:477
 ieee80211_scan_cancel+0x165/0x9a0 net/mac80211/scan.c:1266
 ieee80211_do_stop+0x1906/0x20e0 net/mac80211/iface.c:383
 ieee80211_runtime_change_iftype net/mac80211/iface.c:1640 [inline]
 ieee80211_if_change_type+0x2c5/0x6e0 net/mac80211/iface.c:1678
 ieee80211_change_iface+0x26/0x210 net/mac80211/cfg.c:157
 rdev_change_virtual_intf net/wireless/rdev-ops.h:69 [inline]
 cfg80211_change_iface+0x335/0xf30 net/wireless/util.c:1067
 nl80211_set_interface+0x65c/0x8d0 net/wireless/nl80211.c:3916
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 __sys_sendto+0x21c/0x320 net/socket.c:1977
 __do_sys_sendto net/socket.c:1989 [inline]
 __se_sys_sendto net/socket.c:1985 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1985
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4073ec
Code: 9a fb ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 c0 fb ff ff 48 8b
RSP: 002b:00007f7318add190 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f7318add280 RCX: 00000000004073ec
RDX: 0000000000000024 RSI: 00007f7318add2d0 RDI: 0000000000000007
RBP: 0000000000000000 R08: 00007f7318add1e4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007f7318add2d0 R14: 0000000000000007 R15: 0000000000000000

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce	2021/06/13 15:45	upstream	8ecfa36c	805b5003	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2021/04/06 11:14	upstream	0a50438c	e4b4d570	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/01/04 02:10	upstream	e71ba945	20366b87	.config	log	report	syz	C

Crashes (26):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2021/04/28 09:58	upstream	57fa2369	805b5003	.config	log	report	syz	C		WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce	2021/04/20 07:12	upstream	7af08140	4285c989	.config	log	report	syz	C		WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-selinux-root	2021/04/16 09:27	upstream	7e25f40e	c59079a6	.config	log	report	syz	C		WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-root	2021/03/07 10:53	upstream	a38fd874	e4b4d570	.config	log	report	syz	C		WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce	2020/12/05 01:54	upstream	e87297fa	20366b87	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2021/04/30 01:26	upstream	d2b6f8a1	77e2b668	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce	2021/04/30 01:26	upstream	d2b6f8a1	77e2b668	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-smack-root	2021/04/30 01:21	upstream	d2b6f8a1	77e2b668	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce	2021/04/15 12:38	upstream	7f75285c	fcdb12ba	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-selinux-root	2021/02/17 10:59	upstream	f40ddce8	052f8d9f	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-selinux-root	2021/02/15 03:42	upstream	f40ddce8	98682e5e	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-smack-root	2021/02/13 01:00	upstream	dcc0b490	98682e5e	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-smack-root	2021/01/24 00:39	upstream	e1ae4b0b	52e37319	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce	2021/01/19 05:12	upstream	1e2a199f	63631df1	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce	2021/01/17 16:19	upstream	0da0a8a0	813be542	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-386	2021/02/03 12:54	upstream	3aaf0a27	624dad51	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-kasan-gce-386	2021/01/19 03:32	upstream	1e2a199f	63631df1	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-this-kasan-gce	2021/05/14 08:06	net	e4df1b0c	8bdd5343	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-this-kasan-gce	2021/05/12 19:20	net	440c3247	da958a4d	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-this-kasan-gce	2021/05/07 11:06	net	bbd6f0a9	f6da8120	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-this-kasan-gce	2021/05/06 16:12	net	bbd6f0a9	06585184	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-this-kasan-gce	2021/05/03 16:52	net	bbd6f0a9	ad61f371	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-this-kasan-gce	2021/04/30 12:25	net	bbd6f0a9	77e2b668	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-kasan-gce	2021/06/16 06:59	net-next	925a56b2	990d3cbe	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-kasan-gce	2021/04/12 07:03	net-next	5b489fea	bfeda1b1	.config	log	report			info	WARNING in ieee80211_start_next_roc
ci-upstream-net-kasan-gce	2021/02/12 15:41	net-next	3c5a2fd0	a5f86b15	.config	log	report			info	WARNING in ieee80211_start_next_roc