general protection fault in ieee80211_assign_vif

general protection fault in ieee80211_assign_vif_chanctx
Status: upstream: reported C repro on 2021/02/05 23:40
Reported-by: syzbot+bbf402b783eeb6d908db@syzkaller.appspotmail.com
Fix commit: 563fbefed46a cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 360d, last: 98d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: general protection fault in ieee80211_chanctx_num_assigned (log)
Repro: C syz .config

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-54	general protection fault in ieee80211_assign_vif_chanctx	C			3	473d	479d	0/1	upstream: reported C repro on 2020/10/05 21:07

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/10/27 08:26	19m	phind.uet@gmail.com	patch	upstream	OK
2021/10/27 08:19	0m	phind.uet@gmail.com	patch	upstream	error
2021/10/27 01:03	11m	phind.uet@gmail.com		upstream	report log
2021/10/26 14:57	10m	phind.uet@gmail.com		linux-next	report log

Sample crash report:

general protection fault, probably for non-canonical address 0xfbd59c0000000020: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
CPU: 1 PID: 8395 Comm: syz-executor137 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ieee80211_chanctx_num_assigned net/mac80211/chan.c:22 [inline]
RIP: 0010:ieee80211_assign_vif_chanctx+0x6a7/0xa80 net/mac80211/chan.c:746
Code: f8 48 83 7c 24 08 00 0f 85 91 00 00 00 e9 f2 00 00 00 e8 6c 74 7e f8 49 83 c6 20 31 db 4c 89 f5 0f 1f 00 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 ea 4a c2 f8 48 8b 6d 00 4c 39 f5
RSP: 0018:ffffc9000167f670 EFLAGS: 00010a02
RAX: 1bd5a00000000020 RBX: 0000000000000002 RCX: ffff888020cc1c40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dead000000000100 R08: ffffffff88fa99ba R09: fffffbfff1b6b276
R10: fffffbfff1b6b276 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888013f5e220 R15: ffff88801b86cc00
FS:  0000000001cd3300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6c9d6cc710 CR3: 000000001c8af000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __ieee80211_vif_release_channel+0x279/0x540 net/mac80211/chan.c:1619
 ieee80211_vif_release_channel+0x13e/0x1a0 net/mac80211/chan.c:1833
 ieee80211_ibss_disconnect+0x6ef/0x870 net/mac80211/ibss.c:735
 ieee80211_ibss_leave+0x26/0xf0 net/mac80211/ibss.c:1871
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x11c/0x200 net/wireless/ibss.c:213
 cfg80211_leave_ibss+0x5c/0x70 net/wireless/ibss.c:231
 cfg80211_change_iface+0x46c/0xb40 net/wireless/util.c:1047
 nl80211_set_interface+0x497/0x7f0 net/wireless/nl80211.c:3912
 genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x786/0x940 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x9ae/0xd50 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2350
 ___sys_sendmsg net/socket.c:2404 [inline]
 __sys_sendmsg+0x2bf/0x370 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x448179
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd32c7b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000b608 RCX: 0000000000448179
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007fffd32c7ca8 R09: 00007fffd32c7ca8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffd32c7b1c
R13: 431bde82d7b634db R14: 00000000004b5018 R15: 00000000004004b8
Modules linked in:
---[ end trace 9283e7dc6160772c ]---
RIP: 0010:ieee80211_chanctx_num_assigned net/mac80211/chan.c:22 [inline]
RIP: 0010:ieee80211_assign_vif_chanctx+0x6a7/0xa80 net/mac80211/chan.c:746
Code: f8 48 83 7c 24 08 00 0f 85 91 00 00 00 e9 f2 00 00 00 e8 6c 74 7e f8 49 83 c6 20 31 db 4c 89 f5 0f 1f 00 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 ea 4a c2 f8 48 8b 6d 00 4c 39 f5
RSP: 0018:ffffc9000167f670 EFLAGS: 00010a02
RAX: 1bd5a00000000020 RBX: 0000000000000002 RCX: ffff888020cc1c40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dead000000000100 R08: ffffffff88fa99ba R09: fffffbfff1b6b276
R10: fffffbfff1b6b276 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888013f5e220 R15: ffff88801b86cc00
FS:  0000000001cd3300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f852003d078 CR3: 000000001c8af000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce-smack-root	2021/10/21 14:59	upstream	2f111a6fd5b5	e613994b	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/09/21 14:32	upstream	d9fb678414c0	e613994b	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/08/22 09:06	upstream	9ff50bf2f2ff	e613994b	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/07/22 22:11	upstream	9bead1b58c4c	e613994b	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/06/22 15:09	upstream	a96bfed64c89	e613994b	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/05/23 11:37	upstream	4d7620341eda	e613994b	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/04/23 11:16	upstream	18a3c5f7abfd	e613994b	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/03/15 20:47	upstream	1e28eed17697	98682e5e	.config	log	report	syz	C

Crashes (4):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Title
ci-upstream-kasan-gce-smack-root	2021/03/24 09:35	upstream	7acac4b3196c	e613994b	.config	log	report	syz	C	general protection fault in ieee80211_assign_vif_chanctx
ci-upstream-kasan-gce-smack-root	2021/02/13 20:26	upstream	c6d8570e4d64	98682e5e	.config	log	report	syz	C	general protection fault in ieee80211_assign_vif_chanctx
ci-upstream-kasan-gce-smack-root	2021/02/03 18:50	upstream	3aaf0a27ffc2	624dad51	.config	log	report	syz	C	general protection fault in ieee80211_assign_vif_chanctx
ci-upstream-kasan-gce-smack-root	2021/02/01 23:31	upstream	1048ba83fb1c	e6b95f32	.config	log	report	syz	C	general protection fault in ieee80211_assign_vif_chanctx