ci starts bisection 2025-06-13 11:54:45.007269767 +0000 UTC m=+149310.405447501
bisecting cause commit starting from d9816ec74e6d6aa29219d010bba3f780ba1d9d75
building syzkaller on 5d7e17caf7d0971d22446d8a81bcf1cd8c18a0dc
ensuring issue is reproducible on original commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75
testing commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: b5144c7cc1bb60032b36388b42c88e8b137d410985f26d796ae8dfc7d598b165
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 2acc1936fca2c3da64f5529559f8121e7f7ceb6d14d445b3e82107e9f6507f1b
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
the bug reproduces without the instrumentation
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=4091 full=8360 leaves diff=2131
split chunks (needed=false): <2131>
split chunk #0 of len 2131 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: f128d34e97d0ad82fd27d723abf71d74fbb87bdba1248abba26edeeaf8350a05
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 8167bbb5b87a61d2520e8256e1181d315311899230d79213cb216724f6c973a2
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
testing commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: a21517dca521e77063513748f48603576cab4fe6101b0c40cf40007cc1eb3f98
all runs: OK
false negative chance: 0.000
testing without sub-chunk 4/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 996f7fa988be101e1349a2583afef4f55adb162d33a4f92714c439228eb0d136
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK BUG KASAN], they are not needed
testing commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 gcc
compiler: 
Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 65df1f12e786390e1a80fedd3630eeef998236cf188c5e4afbb0894b701f3e60
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
the chunk can be dropped
minimized to 427 configs
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK BUG KASAN], they are not needed
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: ffd9108b2aa206f60599ffd4e79315ed36196d28eb54c1b3ef3bb53a0678c76d
all runs: OK
false negative chance: 0.000
# git bisect start d9816ec74e6d6aa29219d010bba3f780ba1d9d75 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
Bisecting: 6583 revisions left to test after this (roughly 13 steps)
[47cf96fbe393839b125a9b694a8cfdd3f4216baa] Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit 47cf96fbe393839b125a9b694a8cfdd3f4216baa gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 5364929e1ca3b125042092b2dfbe94776422b46a1086acdad7f832bba226c671
all runs: OK
false negative chance: 0.000
# git bisect good 47cf96fbe393839b125a9b694a8cfdd3f4216baa
Bisecting: 3292 revisions left to test after this (roughly 12 steps)
[1fbbb629452ca16909b440b9217a28f42202dc60] Merge tag 'acpi-6.16-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 1fbbb629452ca16909b440b9217a28f42202dc60 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 7d234b23ad9e02f8297bd7e77dba124df104162887646d7754e0c57e81d76927
all runs: OK
false negative chance: 0.000
# git bisect good 1fbbb629452ca16909b440b9217a28f42202dc60
Bisecting: 1645 revisions left to test after this (roughly 11 steps)
[a2604f8d43bf414db54c42ca6ea52803ce1c0b2f] Merge tag 'i3c/for-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux
testing commit a2604f8d43bf414db54c42ca6ea52803ce1c0b2f gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 13a6364a8f94da444af3814cf7a69d9aaae40a5aa9ec59a2f0a42a5c4cdbb4d8
all runs: OK
false negative chance: 0.000
# git bisect good a2604f8d43bf414db54c42ca6ea52803ce1c0b2f
Bisecting: 926 revisions left to test after this (roughly 10 steps)
[70087d2200d4a3bd31812ab4578c9ec70ea344af] Merge tag 'trace-v6.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
testing commit 70087d2200d4a3bd31812ab4578c9ec70ea344af gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: fe44c3ffc48abc738cbc28a3ae45605ee58a2d7ae951378845d7881ccc2ef0a9
all runs: OK
false negative chance: 0.000
# git bisect good 70087d2200d4a3bd31812ab4578c9ec70ea344af
Bisecting: 460 revisions left to test after this (roughly 9 steps)
[3719a04a80caf660f899a462cd8f3973bcfa676e] Merge tag 'pci-v6.16-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
testing commit 3719a04a80caf660f899a462cd8f3973bcfa676e gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 5c2874d011b26960c21fc9d14dcaa4baf7342068c56a3858703c9f07f89bb144
all runs: OK
false negative chance: 0.000
# git bisect good 3719a04a80caf660f899a462cd8f3973bcfa676e
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[d12ed2b7e1fe5c9e4a372a95fb7635a7f81eff6a] Merge tag 'phy-for-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy
testing commit d12ed2b7e1fe5c9e4a372a95fb7635a7f81eff6a gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: ccf92aa94c025f9d948944d3812922d716d6e3a7275c543d70ae84fd91096204
all runs: OK
false negative chance: 0.000
# git bisect good d12ed2b7e1fe5c9e4a372a95fb7635a7f81eff6a
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[cfc4ca8986bb1f6182da6cd7bb57f228590b4643] Merge tag 'uml-for-linux-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux
testing commit cfc4ca8986bb1f6182da6cd7bb57f228590b4643 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 29f51e645bc260757b6b11e014d215291d5d0d4692b0dc11c1eca5392fc3929f
all runs: OK
false negative chance: 0.000
# git bisect good cfc4ca8986bb1f6182da6cd7bb57f228590b4643
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[501fe52aa908c96f2c9b8d54767938a1a5960354] net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing
testing commit 501fe52aa908c96f2c9b8d54767938a1a5960354 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: efb118d4f9af29ac612878b86e572c3690a1e0b778ae32dcb44099561455aaaf
all runs: OK
false negative chance: 0.000
# git bisect good 501fe52aa908c96f2c9b8d54767938a1a5960354
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[4bbe2e570f454ca1765d4e45b9b8266c4e65c581] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue
testing commit 4bbe2e570f454ca1765d4e45b9b8266c4e65c581 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 67aa2e264c09dbad89bc4dbc30ad1dd6416bca947d17bc3f878d96f136526ed4
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
# git bisect bad 4bbe2e570f454ca1765d4e45b9b8266c4e65c581
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[edafd348a0548b6945c3cf77273f0a88a181362a] Merge tag 'nf-25-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
testing commit edafd348a0548b6945c3cf77273f0a88a181362a gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 7b07285607c3bf8a912278465ca7bc636b07eedd8292b986e8b866cd5a473345
all runs: OK
false negative chance: 0.000
# git bisect good edafd348a0548b6945c3cf77273f0a88a181362a
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[4d401c5534ab132a44f9afbf18a6d861b1320c98] Merge tag 'wireless-2025-06-05' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless
testing commit 4d401c5534ab132a44f9afbf18a6d861b1320c98 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 55c9d2755d3f05d66bff4144296ba39247addd5eba53c2546a9380a17ca4484b
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
# git bisect bad 4d401c5534ab132a44f9afbf18a6d861b1320c98
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[847a4bf1b4bdcc224196d77714f71e36822fed70] wifi: iwlwifi: pcie: fix non-MSIX handshake register
testing commit 847a4bf1b4bdcc224196d77714f71e36822fed70 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 639f6a16016f90a32a4d454e0687475fe83fb32025b32d1fe83e128977d16282
all runs: OK
false negative chance: 0.000
# git bisect good 847a4bf1b4bdcc224196d77714f71e36822fed70
Bisecting: 2 revisions left to test after this (roughly 1 step)
[f81aa834bfa91c827f290b62a245e23c5ad2813c] wifi: iwlwifi: mld: Move regulatory domain initialization
testing commit f81aa834bfa91c827f290b62a245e23c5ad2813c gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 4371ede78680f15ef398ea12e999095d8b6717ac197617111d78de4dd2afa199
all runs: OK
false negative chance: 0.000
# git bisect good f81aa834bfa91c827f290b62a245e23c5ad2813c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[787fe16b435668205fba19aaa7387972b7575991] Merge tag 'iwlwifi-fixes-2025-06-04' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next
testing commit 787fe16b435668205fba19aaa7387972b7575991 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 948687e21ac9f565319065a63384f3b7a5d575646c87bd19b26d409df02a7c2f
run #0: infra problem: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc004528690 0xc004528780 0xc004528820] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}
run #1: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #2: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #3: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #4: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #5: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #6: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #7: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #8: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
run #9: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
# git bisect bad 787fe16b435668205fba19aaa7387972b7575991
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1e1f706fc2ce90eaaf3480b3d5f27885960d751c] wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements
testing commit 1e1f706fc2ce90eaaf3480b3d5f27885960d751c gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: e6909cd123f085952ec2ba3f87521fccd3b9fd7f12d293958ed99a8bc39255d4
all runs: crashed: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
representative crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data, types: [UBSAN]
# git bisect bad 1e1f706fc2ce90eaaf3480b3d5f27885960d751c
1e1f706fc2ce90eaaf3480b3d5f27885960d751c is the first bad commit
commit 1e1f706fc2ce90eaaf3480b3d5f27885960d751c
Author: Lachlan Hodges
Date: Tue Jun 3 15:35:38 2025 +1000

    wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements

    S1G beacons are not traditional beacons but a type of extension frame. Extension frames contain the frame control and duration fields, followed by zero or more optional fields before the frame body. These optional fields are distinct from the variable length elements. The presence of optional fields is indicated in the frame control field. To correctly locate the elements offset, the frame control must be parsed to identify which optional fields are present. Currently, mac80211 parses S1G beacons based on fixed assumptions about the frame layout, without inspecting the frame control field. This can result in incorrect offsets to the "variable" portion of the frame. Properly parse S1G beacon frames by using the field lengths defined in IEEE 802.11-2024, section 9.3.4.3, ensuring that the elements offset is calculated accurately.

    Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
    Fixes: cd418ba63f0c ("mac80211: convert S1G beacon to scan results")
    Signed-off-by: Lachlan Hodges
    Link: https://patch.msgid.link/20250603053538.468562-1-lachlan.hodges@morsemicro.com
    Signed-off-by: Johannes Berg

 include/linux/ieee80211.h | 79 +++++++++++++++++++++++++++++++++++++++++------
 net/mac80211/mlme.c | 7 ++---
 net/mac80211/scan.c | 11 +++----
 net/wireless/scan.c | 18 +++++------
 4 files changed, 83 insertions(+), 32 deletions(-)

accumulated error probability: 0.00
parent commit 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21 wasn't tested
testing commit 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 4db5ca5e91ad79736d374231930ec717b67b44c95ca8f6171d1f7f5b5ab7c927
culprit signature: e6909cd123f085952ec2ba3f87521fccd3b9fd7f12d293958ed99a8bc39255d4
parent signature: 4db5ca5e91ad79736d374231930ec717b67b44c95ca8f6171d1f7f5b5ab7c927
revisions tested: 23, total time: 9h34m55.588887696s (build: 5h7m48.856439456s, test: 3h57m36.409438402s)
first bad commit: 1e1f706fc2ce90eaaf3480b3d5f27885960d751c wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements
recipients (to): ["johannes.berg@intel.com" "lachlan.hodges@morsemicro.com" "linux-kernel@vger.kernel.org"]
recipients (cc): ["johannes@sipsolutions.net" "linux-wireless@vger.kernel.org"]
crash: UBSAN: array-index-out-of-bounds in cfg80211_inform_bss_frame_data
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3288:35
index 8 is out of range for type 'u8[0]' (aka 'unsigned char[0]')
CPU: 1 UID: 0 PID: 11724 Comm: syz-executor629 Not tainted 6.15.0-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 dump_stack_lvl+0x11f/0x1b0 lib/dump_stack.c:120
 ubsan_epilogue+0xa/0x40 lib/ubsan.c:231
 __ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:453
 cfg80211_inform_bss_frame_data+0x33c/0x3f0 net/wireless/scan.c:3288
 ieee80211_bss_info_update+0x256/0x320 net/mac80211/scan.c:226
 ieee80211_scan_rx+0x2ae/0x3b0 net/mac80211/scan.c:355
 __ieee80211_rx_handle_packet+0x6d9/0x960 net/mac80211/rx.c:5179
 ieee80211_rx_list+0x330/0x390 net/mac80211/rx.c:5416
 ieee80211_rx_napi+0x79/0x130 net/mac80211/rx.c:5439
 ieee80211_rx include/net/mac80211.h:5185 [inline]
 ieee80211_handle_queued_frames+0xb9/0xf0 net/mac80211/main.c:441
 tasklet_action_common+0xbd/0x2a0 kernel/softirq.c:829
 handle_softirqs+0xfe/0x350 kernel/softirq.c:579
 do_softirq+0x85/0xf0 kernel/softirq.c:480
 __local_bh_enable_ip+0x6b/0x70 kernel/softirq.c:407
 ieee80211_tx_skb_tid+0xab/0x120 net/mac80211/tx.c:6118
 ieee80211_mgmt_tx+0xa67/0xb10 net/mac80211/offchannel.c:1023
 rdev_mgmt_tx net/wireless/rdev-ops.h:762 [inline]
 cfg80211_mlme_mgmt_tx+0x47c/0x8e0 net/wireless/mlme.c:938
 nl80211_tx_mgmt+0x5ce/0x6f0 net/wireless/nl80211.c:12918
 genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x3a7/0x3f0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2534
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x3ba/0x480 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x494/0x590 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0xc9/0xf0 net/socket.c:727
 ____sys_sendmsg+0x257/0x360 net/socket.c:2566
 ___sys_sendmsg+0x2de/0x320 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2655
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f309cdf08e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe42085d78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f309cdf08e9
RDX: 0000000000000000 RSI: 0000200000000080 RDI: 0000000000000004
RBP: 00000000000f4240 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000006c680
R13: 00007ffe42085df0 R14: 00007ffe42085dac R15: 00007ffe42085de0
---[ end trace ]---