| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/23 10:43 | flow | patch-triage |
0m Args: null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 devices. There is no software emulation for this specific hardware in virtualized environments like QEMU or GCE, making these code paths unreachable during fuzzing.",
"WorthFuzzing": false
} |
| 1/1 | 2026/06/23 10:43 | action | read-patch-diff |
0m Args: null Results: {
"PatchDiff": "commit 55ca3fe9f2f3ffa21928ee879843264b803925b5\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Tue Jun 23 10:43:18 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c\nindex af354bef5c0d79..26b46a40458084 100644\n--- a/drivers/net/wireless/ath/ath12k/mac.c\n+++ b/drivers/net/wireless/ath/ath12k/mac.c\n@@ -10117,7 +10117,8 @@ static void ath12k_mac_update_vif_offload(struct ath12k_link_vif *arvif)\n \tif (vif-\u003etype != NL80211_IFTYPE_STATION \u0026\u0026\n \t vif-\u003etype != NL80211_IFTYPE_AP)\n \t\tvif-\u003eoffload_flags \u0026= ~(IEEE80211_OFFLOAD_ENCAP_ENABLED |\n-\t\t\t\t\tIEEE80211_OFFLOAD_DECAP_ENABLED);\n+\t\t\t\t\tIEEE80211_OFFLOAD_DECAP_ENABLED |\n+\t\t\t\t\tIEEE80211_OFFLOAD_ENCAP_MCAST);\n \n \tif (vif-\u003eoffload_flags \u0026 IEEE80211_OFFLOAD_ENCAP_ENABLED) {\n \t\tahvif-\u003edp_vif.tx_encap_type = ATH12K_HW_TXRX_ETHERNET;\n@@ -10136,6 +10137,9 @@ static void ath12k_mac_update_vif_offload(struct ath12k_link_vif *arvif)\n \t\tvif-\u003eoffload_flags \u0026= ~IEEE80211_OFFLOAD_ENCAP_ENABLED;\n \t}\n \n+\tif (vif-\u003eoffload_flags \u0026 IEEE80211_OFFLOAD_ENCAP_ENABLED)\n+\t\tvif-\u003eoffload_flags |= IEEE80211_OFFLOAD_ENCAP_MCAST;\n+\n \tparam_id = WMI_VDEV_PARAM_RX_DECAP_TYPE;\n \tif (vif-\u003eoffload_flags \u0026 IEEE80211_OFFLOAD_DECAP_ENABLED)\n \t\tparam_value = ATH12K_HW_TXRX_ETHERNET;\ndiff --git a/drivers/net/wireless/ath/ath12k/wifi7/hw.c b/drivers/net/wireless/ath/ath12k/wifi7/hw.c\nindex 3d59fa452ec03d..e5bf9d2181040d 100644\n--- a/drivers/net/wireless/ath/ath12k/wifi7/hw.c\n+++ b/drivers/net/wireless/ath/ath12k/wifi7/hw.c\n@@ -903,6 +903,7 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,\n \tstruct ethhdr *eth;\n \tbool is_prb_rsp;\n \tu16 mcbc_gsn;\n+\tu8 cb_flags;\n \tu8 link_id;\n \tint ret;\n \tstruct ath12k_dp *tmp_dp;\n@@ -996,8 +997,13 @@ static void ath12k_wifi7_mac_op_tx(struct 
ieee80211_hw *hw,\n \t ieee80211_has_protected(hdr-\u003eframe_control))\n \t\tis_dvlan = true;\n \n+\t/*\n+\t * Add a sta pointer check to differentiate multicast encapsulation\n+\t * offload packets, as the ATH12K_SKB_HW_80211_ENCAP flag is also set\n+\t * for such packets.\n+\t */\n \tif (!vif-\u003evalid_links || !is_mcast || is_dvlan ||\n-\t (skb_cb-\u003eflags \u0026 ATH12K_SKB_HW_80211_ENCAP) ||\n+\t ((skb_cb-\u003eflags \u0026 ATH12K_SKB_HW_80211_ENCAP) \u0026\u0026 sta) ||\n \t test_bit(ATH12K_FLAG_RAW_MODE, \u0026ar-\u003eab-\u003edev_flags)) {\n \t\tret = ath12k_wifi7_dp_tx(dp_pdev, arvif, arsta, skb, false, 0, is_mcast);\n \t\tif (unlikely(ret)) {\n@@ -1009,6 +1015,7 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,\n \t\tmcbc_gsn = atomic_inc_return(\u0026ahvif-\u003edp_vif.mcbc_gsn) \u0026 0xfff;\n \n \t\tlinks_map = ahvif-\u003elinks_map;\n+\t\tcb_flags = skb_cb-\u003eflags;\n \t\tfor_each_set_bit(link_id, \u0026links_map,\n \t\t\t\t IEEE80211_MLD_MAX_NUM_LINKS) {\n \t\t\ttmp_arvif = rcu_dereference(ahvif-\u003elink[link_id]);\n@@ -1016,21 +1023,45 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,\n \t\t\t\tcontinue;\n \n \t\t\ttmp_ar = tmp_arvif-\u003ear;\n-\t\t\ttmp_dp_pdev = ath12k_dp_to_pdev_dp(tmp_ar-\u003eab-\u003edp,\n+\t\t\ttmp_dp = ath12k_ab_to_dp(tmp_ar-\u003eab);\n+\t\t\ttmp_dp_pdev = ath12k_dp_to_pdev_dp(tmp_dp,\n \t\t\t\t\t\t\t tmp_ar-\u003epdev_idx);\n \t\t\tif (!tmp_dp_pdev)\n \t\t\t\tcontinue;\n-\t\t\tmsdu_copied = skb_copy(skb, GFP_ATOMIC);\n-\t\t\tif (!msdu_copied) {\n-\t\t\t\tath12k_err(ar-\u003eab,\n-\t\t\t\t\t \"skb copy failure link_id 0x%X vdevid 0x%X\\n\",\n-\t\t\t\t\t link_id, tmp_arvif-\u003evdev_id);\n-\t\t\t\tcontinue;\n-\t\t\t}\n \n-\t\t\tath12k_mlo_mcast_update_tx_link_address(vif, link_id,\n-\t\t\t\t\t\t\t\tmsdu_copied,\n-\t\t\t\t\t\t\t\tinfo_flags);\n+\t\t\tif (cb_flags \u0026 ATH12K_SKB_HW_80211_ENCAP) {\n+\t\t\t\t/*\n+\t\t\t\t * skb-\u003edata may be modified for the iova_mask 
devices.\n+\t\t\t\t * It is better to use skb_copy() for such devices\n+\t\t\t\t * to avoid any potential skb corruption related issues.\n+\t\t\t\t */\n+\t\t\t\tif (tmp_dp-\u003ehw_params-\u003eiova_mask)\n+\t\t\t\t\tmsdu_copied = skb_copy(skb, GFP_ATOMIC);\n+\t\t\t\telse\n+\t\t\t\t\t/*\n+\t\t\t\t\t * ath12k_wifi7_dp_tx() should treat cloned HW-encap\n+\t\t\t\t\t * Ethernet multicast frames as read-only.\n+\t\t\t\t\t */\n+\t\t\t\t\tmsdu_copied = skb_clone(skb, GFP_ATOMIC);\n+\t\t\t\tif (!msdu_copied) {\n+\t\t\t\t\tath12k_err(ar-\u003eab,\n+\t\t\t\t\t\t \"skb copy/clone failure link_id 0x%X vdevid 0x%X\\n\",\n+\t\t\t\t\t\t link_id, tmp_arvif-\u003evdev_id);\n+\t\t\t\t\tcontinue;\n+\t\t\t\t}\n+\t\t\t} else {\n+\t\t\t\tmsdu_copied = skb_copy(skb, GFP_ATOMIC);\n+\t\t\t\tif (!msdu_copied) {\n+\t\t\t\t\tath12k_err(ar-\u003eab,\n+\t\t\t\t\t\t \"skb copy failure link_id 0x%X vdevid 0x%X\\n\",\n+\t\t\t\t\t\t link_id, tmp_arvif-\u003evdev_id);\n+\t\t\t\t\tcontinue;\n+\t\t\t\t}\n+\n+\t\t\t\tath12k_mlo_mcast_update_tx_link_address(vif, link_id,\n+\t\t\t\t\t\t\t\t\tmsdu_copied,\n+\t\t\t\t\t\t\t\t\tinfo_flags);\n+\t\t\t}\n \n \t\t\tskb_cb = ATH12K_SKB_CB(msdu_copied);\n \t\t\tskb_cb-\u003elink_id = link_id;\n@@ -1046,7 +1077,6 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,\n \t\t\tif (unlikely(!ahvif-\u003edp_vif.key_cipher))\n \t\t\t\tgoto skip_peer_find;\n \n-\t\t\ttmp_dp = ath12k_ab_to_dp(tmp_ar-\u003eab);\n \t\t\tspin_lock_bh(\u0026tmp_dp-\u003edp_lock);\n \t\t\tpeer = ath12k_dp_link_peer_find_by_addr(tmp_dp,\n \t\t\t\t\t\t\t\ttmp_arvif-\u003ebssid);\n@@ -1065,11 +1095,16 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,\n \t\t\t\tskb_cb-\u003ecipher = key-\u003ecipher;\n \t\t\t\tskb_cb-\u003eflags |= ATH12K_SKB_CIPHER_SET;\n \n+\t\t\t\tif (skb_cb-\u003eflags \u0026 ATH12K_SKB_HW_80211_ENCAP)\n+\t\t\t\t\tgoto skip_fctl_protected_check;\n+\n \t\t\t\thdr = (struct ieee80211_hdr *)msdu_copied-\u003edata;\n \t\t\t\tif 
(!ieee80211_has_protected(hdr-\u003eframe_control))\n \t\t\t\t\thdr-\u003eframe_control |=\n \t\t\t\t\t\tcpu_to_le16(IEEE80211_FCTL_PROTECTED);\n \t\t\t}\n+\n+skip_fctl_protected_check:\n \t\t\tspin_unlock_bh(\u0026tmp_dp-\u003edp_lock);\n \n skip_peer_find:\n"
} |
| 2/1 | 2026/06/23 10:43 | agent | patch-evaluator |
0m Model: gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 devices. There is no software emulation for this specific hardware in virtualized environments like QEMU or GCE, making these code paths unreachable during fuzzing.",
"WorthFuzzing": false
}
Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed.
IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions.
Return WorthFuzzing=false if the patch only contains:
- Modifications to Documentation/, Kconfig files, or code comments.
- Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints.
- Changes to numeric constants or macros that do not functionally alter execution flow.
- Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim).
If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true.
When returning WorthFuzzing=true, you MUST ALSO:
1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions.
2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4").
Prefer calling several tools at the same time to save round-trips.
Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.
Prompt: For your convenience, here is the diff of the changes:
commit 55ca3fe9f2f3ffa21928ee879843264b803925b5
Author: syz-cluster <triage@syzkaller.com>
Date: Tue Jun 23 10:43:18 2026 +0000
syz-cluster: applied patch under review
diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index af354bef5c0d79..26b46a40458084 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -10117,7 +10117,8 @@ static void ath12k_mac_update_vif_offload(struct ath12k_link_vif *arvif)
if (vif->type != NL80211_IFTYPE_STATION &&
vif->type != NL80211_IFTYPE_AP)
vif->offload_flags &= ~(IEEE80211_OFFLOAD_ENCAP_ENABLED |
- IEEE80211_OFFLOAD_DECAP_ENABLED);
+ IEEE80211_OFFLOAD_DECAP_ENABLED |
+ IEEE80211_OFFLOAD_ENCAP_MCAST);
if (vif->offload_flags & IEEE80211_OFFLOAD_ENCAP_ENABLED) {
ahvif->dp_vif.tx_encap_type = ATH12K_HW_TXRX_ETHERNET;
@@ -10136,6 +10137,9 @@ static void ath12k_mac_update_vif_offload(struct ath12k_link_vif *arvif)
vif->offload_flags &= ~IEEE80211_OFFLOAD_ENCAP_ENABLED;
}
+ if (vif->offload_flags & IEEE80211_OFFLOAD_ENCAP_ENABLED)
+ vif->offload_flags |= IEEE80211_OFFLOAD_ENCAP_MCAST;
+
param_id = WMI_VDEV_PARAM_RX_DECAP_TYPE;
if (vif->offload_flags & IEEE80211_OFFLOAD_DECAP_ENABLED)
param_value = ATH12K_HW_TXRX_ETHERNET;
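Review bot: IEEE80211_OFFLOAD_ENCAP_MCAST is set by the added `if` but never cleared for STATION/AP vifs. The branch just above can drop IEEE80211_OFFLOAD_ENCAP_ENABLED, so if this function can run more than once for a vif, a bit set on an earlier pass stays set while ENCAP_ENABLED is clear; the clear added in the first hunk only covers other interface types. Suggest making the assignment two-way with an `else` that does `vif->offload_flags &= ~IEEE80211_OFFLOAD_ENCAP_MCAST;`, so the two flags cannot disagree.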
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hw.c b/drivers/net/wireless/ath/ath12k/wifi7/hw.c
index 3d59fa452ec03d..e5bf9d2181040d 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hw.c
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hw.c
@@ -903,6 +903,7 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,
struct ethhdr *eth;
bool is_prb_rsp;
u16 mcbc_gsn;
+ u8 cb_flags;
u8 link_id;
int ret;
struct ath12k_dp *tmp_dp;
@@ -996,8 +997,13 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,
ieee80211_has_protected(hdr->frame_control))
is_dvlan = true;
+ /*
+ * Add a sta pointer check to differentiate multicast encapsulation
+ * offload packets, as the ATH12K_SKB_HW_80211_ENCAP flag is also set
+ * for such packets.
+ */
if (!vif->valid_links || !is_mcast || is_dvlan ||
- (skb_cb->flags & ATH12K_SKB_HW_80211_ENCAP) ||
+ ((skb_cb->flags & ATH12K_SKB_HW_80211_ENCAP) && sta) ||
test_bit(ATH12K_FLAG_RAW_MODE, &ar->ab->dev_flags)) {
ret = ath12k_wifi7_dp_tx(dp_pdev, arvif, arsta, skb, false, 0, is_mcast);
if (unlikely(ret)) {
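Review bot: the new comment above the condition describes the edit ("Add a sta pointer check") instead of the rule the code now depends on, namely that a multicast frame carrying ATH12K_SKB_HW_80211_ENCAP with a NULL sta is a multicast encap-offload frame and must take the per-link path. Suggest wording it as that invariant, for example "HW-encap multicast frames without a sta are encap-offload frames and are replicated per link below", so the comment still reads correctly once the patch is history.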
@@ -1009,6 +1015,7 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,
mcbc_gsn = atomic_inc_return(&ahvif->dp_vif.mcbc_gsn) & 0xfff;
links_map = ahvif->links_map;
+ cb_flags = skb_cb->flags;
for_each_set_bit(link_id, &links_map,
IEEE80211_MLD_MAX_NUM_LINKS) {
tmp_arvif = rcu_dereference(ahvif->link[link_id]);
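Review bot: the snapshot `cb_flags = skb_cb->flags;` has no comment explaining why the loop cannot read skb_cb->flags directly. The reason is that skb_cb is reassigned to ATH12K_SKB_CB(msdu_copied) further down in the loop body, which is easy to miss; a one-line comment here would save the next reader the search. cb_flags is declared u8 in the previous hunk, so its width should also be checked against the flags field of the skb control block, whose type is not visible in this diff.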
@@ -1016,21 +1023,45 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,
continue;
tmp_ar = tmp_arvif->ar;
- tmp_dp_pdev = ath12k_dp_to_pdev_dp(tmp_ar->ab->dp,
+ tmp_dp = ath12k_ab_to_dp(tmp_ar->ab);
+ tmp_dp_pdev = ath12k_dp_to_pdev_dp(tmp_dp,
tmp_ar->pdev_idx);
if (!tmp_dp_pdev)
continue;
- msdu_copied = skb_copy(skb, GFP_ATOMIC);
- if (!msdu_copied) {
- ath12k_err(ar->ab,
- "skb copy failure link_id 0x%X vdevid 0x%X\n",
- link_id, tmp_arvif->vdev_id);
- continue;
- }
- ath12k_mlo_mcast_update_tx_link_address(vif, link_id,
- msdu_copied,
- info_flags);
+ if (cb_flags & ATH12K_SKB_HW_80211_ENCAP) {
+ /*
+ * skb->data may be modified for the iova_mask devices.
+ * It is better to use skb_copy() for such devices
+ * to avoid any potential skb corruption related issues.
+ */
+ if (tmp_dp->hw_params->iova_mask)
+ msdu_copied = skb_copy(skb, GFP_ATOMIC);
+ else
+ /*
+ * ath12k_wifi7_dp_tx() should treat cloned HW-encap
+ * Ethernet multicast frames as read-only.
+ */
+ msdu_copied = skb_clone(skb, GFP_ATOMIC);
+ if (!msdu_copied) {
+ ath12k_err(ar->ab,
+ "skb copy/clone failure link_id 0x%X vdevid 0x%X\n",
+ link_id, tmp_arvif->vdev_id);
+ continue;
+ }
+ } else {
+ msdu_copied = skb_copy(skb, GFP_ATOMIC);
+ if (!msdu_copied) {
+ ath12k_err(ar->ab,
+ "skb copy failure link_id 0x%X vdevid 0x%X\n",
+ link_id, tmp_arvif->vdev_id);
+ continue;
+ }
+
+ ath12k_mlo_mcast_update_tx_link_address(vif, link_id,
+ msdu_copied,
+ info_flags);
+ }
skb_cb = ATH12K_SKB_CB(msdu_copied);
skb_cb->link_id = link_id;
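Review bot: in the HW-encap branch, the skb_clone() path shares one data buffer between the original skb and the clones handed to every other link, and the only protection is the comment saying ath12k_wifi7_dp_tx() "should" treat these frames as read-only. Nothing in this hunk enforces that, so any write to skb->data on the TX path would be visible on all links; please point to where the TX path guarantees it, or state the invariant at the function itself. Separately, skb_copy() and its error branch now appear twice: choosing copy versus clone first and keeping a single NULL check would shorten the loop, and the `else` arm that spans a comment plus a statement should get braces.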
@@ -1046,7 +1077,6 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,
if (unlikely(!ahvif->dp_vif.key_cipher))
goto skip_peer_find;
- tmp_dp = ath12k_ab_to_dp(tmp_ar->ab);
spin_lock_bh(&tmp_dp->dp_lock);
peer = ath12k_dp_link_peer_find_by_addr(tmp_dp,
tmp_arvif->bssid);
@@ -1065,11 +1095,16 @@ static void ath12k_wifi7_mac_op_tx(struct ieee80211_hw *hw,
skb_cb->cipher = key->cipher;
skb_cb->flags |= ATH12K_SKB_CIPHER_SET;
+ if (skb_cb->flags & ATH12K_SKB_HW_80211_ENCAP)
+ goto skip_fctl_protected_check;
+
hdr = (struct ieee80211_hdr *)msdu_copied->data;
if (!ieee80211_has_protected(hdr->frame_control))
hdr->frame_control |=
cpu_to_le16(IEEE80211_FCTL_PROTECTED);
}
+
+skip_fctl_protected_check:
spin_unlock_bh(&tmp_dp->dp_lock);
skip_peer_find:
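Review bot: the `goto skip_fctl_protected_check` inside the dp_lock-protected block jumps over only three statements and adds a second label one statement above the existing skip_peer_find label, which makes the unlock path harder to follow. Wrapping the header update in `if (!(skb_cb->flags & ATH12K_SKB_HW_80211_ENCAP)) { ... }` gives the same behaviour without the extra label. This check is also what keeps the cloned, shared buffer from being written at this point, which deserves a short comment.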
|
| 3/2 | 2026/06/23 10:43 | llm | patch-evaluator |
0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 4144 output: 39 thoughts: 323
Thoughts: **Analyzing the Reachability of This Multicast Encapsulation Offload Patch**
Okay, so I've got this patch that touches `ath12k/mac.c` and `ath12k/wifi7/hw.c`. This is about enabling multicast encapsulation offload, which is interesting. It's tweaking `ath12k_mac_update_vif_offload` and `ath12k_wifi7_mac_op_tx`, specifically around setting `IEEE80211_OFFLOAD_ENCAP_MCAST`. Right, standard stuff for offload.
Now, my immediate concern, as always with these kinds of driver changes, is reachability. Can I *actually* trigger this code in a testing environment? `ath12k` is Qualcomm's Wi-Fi 7 driver, a hardware driver. That makes things immediately tricky. Can I fuzz this thing? Hardware drivers are usually a pain to fuzz directly in a virtualized setting. Unless there's a software emulator... like `mac80211_hwsim`, but that's generic, not specifically for `ath12k`.
Wait a minute, does syzkaller even support this driver? I need to check if there are specific configurations that syzkaller uses for ath12k. Otherwise, if it's just a raw hardware driver without an emulation layer, this patch might be essentially unreachable in a typical test setup. It's a waste of time and effort to review. Need to check if it's PCI or AHB, or some other bus interface, in the ath12k code, to determine what's possible. |
| 4/2 | 2026/06/23 10:43 | tool | grepper |
0m Args: {
"Expression": "ath12k",
"PathPrefix": "drivers/net/wireless/ath/ath12k/Kconfig"
} Results: {
"Output": "drivers/net/wireless/ath/ath12k/Kconfig=2=config ATH12K\ndrivers/net/wireless/ath/ath12k/Kconfig:3:\ttristate \"Qualcomm Wi-Fi 7 support (ath12k)\"\ndrivers/net/wireless/ath/ath12k/Kconfig-4-\tdepends on MAC80211 \u0026\u0026 HAS_DMA \u0026\u0026 PCI\n--\ndrivers/net/wireless/ath/ath12k/Kconfig-14-\ndrivers/net/wireless/ath/ath12k/Kconfig:15:\t If you choose to build a module, it'll be called ath12k.\ndrivers/net/wireless/ath/ath12k/Kconfig-16-\ndrivers/net/wireless/ath/ath12k/Kconfig=17=config ATH12K_AHB\ndrivers/net/wireless/ath/ath12k/Kconfig:18:\tbool \"Qualcomm ath12k AHB support\"\ndrivers/net/wireless/ath/ath12k/Kconfig-19-\tdepends on ATH12K \u0026\u0026 REMOTEPROC\n--\ndrivers/net/wireless/ath/ath12k/Kconfig=25=config ATH12K_DEBUG\ndrivers/net/wireless/ath/ath12k/Kconfig:26:\tbool \"ath12k debugging\"\ndrivers/net/wireless/ath/ath12k/Kconfig-27-\tdepends on ATH12K\n--\ndrivers/net/wireless/ath/ath12k/Kconfig=35=config ATH12K_DEBUGFS\ndrivers/net/wireless/ath/ath12k/Kconfig:36:\tbool \"Qualcomm ath12k debugfs support\"\ndrivers/net/wireless/ath/ath12k/Kconfig-37-\tdepends on ATH12K \u0026\u0026 MAC80211_DEBUGFS\ndrivers/net/wireless/ath/ath12k/Kconfig-38-\thelp\ndrivers/net/wireless/ath/ath12k/Kconfig:39:\t Enable ath12k debugfs support\ndrivers/net/wireless/ath/ath12k/Kconfig-40-\n--\ndrivers/net/wireless/ath/ath12k/Kconfig=44=config ATH12K_TRACING\ndrivers/net/wireless/ath/ath12k/Kconfig:45:\tbool \"ath12k tracing support\"\ndrivers/net/wireless/ath/ath12k/Kconfig-46-\tdepends on ATH12K \u0026\u0026 EVENT_TRACING\ndrivers/net/wireless/ath/ath12k/Kconfig-47-\thelp\ndrivers/net/wireless/ath/ath12k/Kconfig:48:\t Enable ath12k tracing infrastructure.\ndrivers/net/wireless/ath/ath12k/Kconfig-49-\n--\ndrivers/net/wireless/ath/ath12k/Kconfig=53=config ATH12K_COREDUMP\ndrivers/net/wireless/ath/ath12k/Kconfig:54:\tbool \"ath12k coredump\"\ndrivers/net/wireless/ath/ath12k/Kconfig-55-\tdepends on 
ATH12K\n--\ndrivers/net/wireless/ath/ath12k/Kconfig-57-\thelp\ndrivers/net/wireless/ath/ath12k/Kconfig:58:\t Enable ath12k coredump collection\ndrivers/net/wireless/ath/ath12k/Kconfig-59-\n"
} |
| 5/2 | 2026/06/23 10:43 | llm | patch-evaluator |
0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 5727 output: 35 thoughts: 62
Thoughts: **Analyzing the ATH12K Driver Dependency**
Okay, so I'm looking at this `ATH12K` driver, and immediately my mind goes to dependencies. It looks like it's built on top of `MAC80211`, which is standard, and then requires either `HAS_DMA && PCI` *or* `ATH12K_AHB`. That's a key distinction right there. I need to keep that in mind when considering different hardware configurations.
The next question that pops up, given I know a bit about the space and the potential challenges of hardware support, is whether there's any software emulation layer or virtual device interface for `ath12k`. It's always useful to know if I can test or simulate the functionality without needing the *exact* hardware. This helps with debugging and development if I can test things without a physical setup. I need to check the codebase for any hints of that. Is there a virtual device model in the kernel, or some sort of userspace emulation that's been put together? Let me dive in and see what's there. |
| 6/2 | 2026/06/23 10:43 | tool | grepper |
0m Error: no matches Args: {
"Expression": "hwsim",
"PathPrefix": "drivers/net/wireless/ath/ath12k/"
} Results: {
"error": "no matches"
} |
| 7/2 | 2026/06/23 10:43 | llm | patch-evaluator |
0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 6072 output: 36 thoughts: 283
Thoughts: **Fuzzing Ath12k: A Virtualization Conundrum**
Okay, so there's no hwsim for ath12k. That's a problem. I need to figure out if there's *any* other viable path for fuzzing this driver. I usually look to PCI devices, and if syzkaller has a PCI fuzzer, that can be a good starting point. But, ath12k is a specific hardware driver; it's not some generic, software-emulated hardware. Wait, syzkaller does have a PCI fuzzer, but it's very limited, and frankly, we usually don't bother fuzzing drivers for *specific* hardware. We tend to focus on generic subsystems or those with software emulation, like vhci, mac80211_hwsim, or netdevsim.
Hold on, I need to go back and check the instructions again. I remember something about virtualized environments. Right, the instructions say to return WorthFuzzing=false if the patch only affects code that's impossible to hit in virtualized environments like GCE or QEMU. That's key. And I know that ath12k is a specific driver for Qualcomm Wi-Fi 7 devices. There's no software emulation like mac80211_hwsim, which emulates *generic* mac80211 hardware – not ath12k specifically. Therefore, any new code would be inaccessible in a virtualized environment.
Just to be absolutely sure, I'm going to double-check my resources one last time. I want to make sure I haven't missed any hidden emulation of ath12k. |
| 8/2 | 2026/06/23 10:43 | tool | grepper |
0m Error: no matches Args: {
"Expression": "QEMU",
"PathPrefix": "drivers/net/wireless/ath/ath12k/"
} Results: {
"error": "no matches"
} |
| 9/2 | 2026/06/23 10:43 | llm | patch-evaluator |
0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 6765 output: 35 thoughts: 21
Thoughts: Okay, here's my summary, presented as a stream of thought:
**Checking for Fuzzing and Emulation within ath12k**
Alright, let's dive in. I need to quickly assess the landscape of the ath12k driver. My primary interest right now revolves around the presence or absence of fuzzing and/or emulation techniques being utilized within its development, testing, or security analysis. I need to quickly find out if anyone is specifically using fuzzing to find bugs, or emulation for more rigorous testing and analysis of its behaviour. I'll need to check the codebase directly for mentions, any related documentation, maybe even discussions on mailing lists if I can find them. The goal is to see how robust the design is, and how carefully they are checking their work. |
| 10/2 | 2026/06/23 10:43 | tool | grepper |
0m Error: no matches Args: {
"Expression": "fuzz",
"PathPrefix": "drivers/net/wireless/ath/ath12k/"
} Results: {
"error": "no matches"
} |
| 11/2 | 2026/06/23 10:43 | llm | patch-evaluator |
0m Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 6999 output: 87 thoughts: 81
Thoughts: **My Assessment of the Patch's Fuzzing Suitability**
Okay, so I'm looking at this patch and immediately see it's dealing with the `ath12k` driver. That clicks – that's a *hardware-specific* driver. Specifically, it's for Qualcomm's Wi-Fi 7 silicon. Given my experience, I know there's no realistic way to emulate this hardware properly in virtualized environments like QEMU or Google Compute Engine. The code paths this patch touches simply won't be exercised by any fuzzing I'd throw at it. Therefore, from a practical standpoint, this patch's fuzzing worthiness is essentially zero. I'm going to set `WorthFuzzing = false`. No point in wasting resources on something that's fundamentally unreachable under standard fuzzing setups. |
| 12/2 | 2026/06/23 10:43 | tool | set-results |
0m Args: {
"EnableConfigs": [],
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 devices. There is no software emulation for this specific hardware in virtualized environments like QEMU or GCE, making these code paths unreachable during fuzzing.",
"WorthFuzzing": false
} Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 devices. There is no software emulation for this specific hardware in virtualized environments like QEMU or GCE, making these code paths unreachable during fuzzing.",
"WorthFuzzing": false
} |