AI Trajectory


Trajectory:
Seq Timestamp Type Name Duration
0/0 2026/06/23 09:22 flow patch-triage
0m Args:
null

Results:
{
  "EnableConfigs": [
    "MAC80211"
  ],
  "FocusSymbols": [
    "ieee80211_rx_mgmt_spectrum_mgmt",
    "ieee80211_rx_bss_info"
  ],
  "Reasoning": "The patch modifies the logic for processing channel switch announcements in mac80211 IBSS mode. This is functional core kernel logic reachable via virtualized hardware (mac80211_hwsim).",
  "WorthFuzzing": true
}

1/1 2026/06/23 09:22 action read-patch-diff
0m Args:
null

Results:
{
  "PatchDiff": "commit 574b260a38d330124763c87b0b5a29a74bb26fc8\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate:   Tue Jun 23 09:22:52 2026 +0000\n\n    syz-cluster: applied patch under review\n\ndiff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c\nindex 97292ff51475fd..6440fd915aa56a 100644\n--- a/net/mac80211/ibss.c\n+++ b/net/mac80211/ibss.c\n@@ -895,6 +895,10 @@ ieee80211_rx_mgmt_spectrum_mgmt(struct ieee80211_sub_if_data *sdata,\n \tif (mgmt-\u003eu.action.action_code != WLAN_ACTION_SPCT_CHL_SWITCH)\n \t\treturn;\n \n+\t/* only act on channel switch frames coming from our own IBSS */\n+\tif (!ether_addr_equal(mgmt-\u003ebssid, sdata-\u003eu.ibss.bssid))\n+\t\treturn;\n+\n \tif (!sdata-\u003evif.bss_conf.csa_active)\n \t\tieee80211_ibss_process_chanswitch(sdata, elems, false);\n }\n@@ -1111,14 +1115,21 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,\n \t\t\t\tsdata-\u003eu.ibss.ssid_len))\n \t\tgoto put_bss;\n \n-\t/* process channel switch */\n-\tif (sdata-\u003evif.bss_conf.csa_active ||\n-\t    ieee80211_ibss_process_chanswitch(sdata, elems, true))\n+\t/* don't process beacons while a channel switch is in progress */\n+\tif (sdata-\u003evif.bss_conf.csa_active)\n \t\tgoto put_bss;\n \n \t/* same BSSID */\n-\tif (ether_addr_equal(cbss-\u003ebssid, sdata-\u003eu.ibss.bssid))\n+\tif (ether_addr_equal(cbss-\u003ebssid, sdata-\u003eu.ibss.bssid)) {\n+\t\t/*\n+\t\t * Only act on a channel switch announcement that comes from\n+\t\t * our own IBSS (i.e. matching BSSID). Acting on a CSA from a\n+\t\t * foreign BSSID that merely shares our SSID would let any\n+\t\t * station force us off-channel or tear the cell down.\n+\t\t */\n+\t\tieee80211_ibss_process_chanswitch(sdata, elems, true);\n \t\tgoto put_bss;\n+\t}\n \n \t/* we use a fixed BSSID */\n \tif (sdata-\u003eu.ibss.fixed_bssid)\n"
}

2/1 2026/06/23 09:22 agent patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
{
  "EnableConfigs": [
    "MAC80211"
  ],
  "FocusSymbols": [
    "ieee80211_rx_mgmt_spectrum_mgmt",
    "ieee80211_rx_bss_info"
  ],
  "Reasoning": "The patch modifies the logic for processing channel switch announcements in mac80211 IBSS mode. This is functional core kernel logic reachable via virtualized hardware (mac80211_hwsim).",
  "WorthFuzzing": true
}

Instruction:
You are an expert Linux kernel maintainer.
Your job is to review a provided patch series and determine
if it makes functional changes to the kernel that should be fuzzed.

IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in
your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively
use your code access tools to examine the actual source code and confirm any assumptions.

Return WorthFuzzing=false if the patch only contains:
- Modifications to Documentation/, Kconfig files, or code comments.
- Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints.
- Changes to numeric constants or macros that do not functionally alter execution flow.
- Code paths that are impossible to reach in virtualized environments like GCE or QEMU,
even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim).

If it modifies reachable core kernel logic, drivers, or architectures, use your code search
tools to verify the code can be executed, then return WorthFuzzing=true.

When returning WorthFuzzing=true, you MUST ALSO:
1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols.
   Avoid listing generic hot-path functions to prevent skewed test distributions.
2. Identify any specific CONFIG_ options required to properly test this new/modified feature.
   Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions.
   Do not list too generic configs (we already have them enabled). Only list those that
   specifically cover the modified code. List them in the EnableConfigs output array,
   and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4").
Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:
For your convenience, here is the diff of the changes:
commit 574b260a38d330124763c87b0b5a29a74bb26fc8
Author: syz-cluster <triage@syzkaller.com>
Date:   Tue Jun 23 09:22:52 2026 +0000

    syz-cluster: applied patch under review

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 97292ff51475fd..6440fd915aa56a 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -895,6 +895,10 @@ ieee80211_rx_mgmt_spectrum_mgmt(struct ieee80211_sub_if_data *sdata,
 	if (mgmt->u.action.action_code != WLAN_ACTION_SPCT_CHL_SWITCH)
 		return;
 
+	/* only act on channel switch frames coming from our own IBSS */
+	if (!ether_addr_equal(mgmt->bssid, sdata->u.ibss.bssid))
+		return;
+
 	if (!sdata->vif.bss_conf.csa_active)
 		ieee80211_ibss_process_chanswitch(sdata, elems, false);
 }
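Review bot: the new BSSID test in ieee80211_rx_mgmt_spectrum_mgmt() reads mgmt->bssid, while the matching test added to ieee80211_rx_bss_info() reads cbss->bssid, so the "own IBSS" decision is derived from two different sources that can drift apart. Consider one small helper used by both call sites, or at least a comment saying why the two fields are equivalent here. The one-line comment could also be more exact: the BSSID is a header field of the received frame, so this check filters out frames for other cells that share the SSID; it does not authenticate the sender, and "carrying our BSSID" describes it better than "coming from our own IBSS".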
@@ -1111,14 +1115,21 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
 				sdata->u.ibss.ssid_len))
 		goto put_bss;
 
-	/* process channel switch */
-	if (sdata->vif.bss_conf.csa_active ||
-	    ieee80211_ibss_process_chanswitch(sdata, elems, true))
+	/* don't process beacons while a channel switch is in progress */
+	if (sdata->vif.bss_conf.csa_active)
 		goto put_bss;
 
 	/* same BSSID */
-	if (ether_addr_equal(cbss->bssid, sdata->u.ibss.bssid))
+	if (ether_addr_equal(cbss->bssid, sdata->u.ibss.bssid)) {
+		/*
+		 * Only act on a channel switch announcement that comes from
+		 * our own IBSS (i.e. matching BSSID). Acting on a CSA from a
+		 * foreign BSSID that merely shares our SSID would let any
+		 * station force us off-channel or tear the cell down.
+		 */
+		ieee80211_ibss_process_chanswitch(sdata, elems, true);
 		goto put_bss;
+	}
 
 	/* we use a fixed BSSID */
 	if (sdata->u.ibss.fixed_bssid)
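Review bot: in ieee80211_rx_bss_info() the return value of ieee80211_ibss_process_chanswitch() is now discarded, and a beacon with a different BSSID no longer has its channel switch elements examined at all; it falls through to the fixed_bssid check and the code after it. The removed condition `csa_active || ieee80211_ibss_process_chanswitch(sdata, elems, true)` ended processing of such a beacon at put_bss whenever the call returned true. Please confirm that continuing with a CSA-bearing beacon from a foreign BSSID is the intended behaviour, and note in the new comment that the result of the call is deliberately ignored because both outcomes end at put_bss.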

3/2 2026/06/23 09:22 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
input: 2309
output: 38
thoughts: 217

Thoughts:
**Analyzing the mac80211 IBSS Patch**

Okay, so I'm looking at this patch for `net/mac80211/ibss.c`. It's pretty straightforward, functionally speaking. It seems we're adding some crucial checks within the IBSS code. The goal is to make sure we're only responding to channel switch frames – specifically spectrum management action frames and announcements – that originate from *our* IBSS. The patch does this by matching the BSSID, both in `ieee80211_rx_mgmt_spectrum_mgmt` and in `ieee80211_rx_bss_info`.

It appears that a key part of the update is to avoid processing beacons during an active channel switch. This makes sense; we wouldn't want those interrupting the process. The code's clearly designed to handle 802.11 management frames within an IBSS context, which makes it important to review the change.

Given that this affects IBSS management, and is exposed through `mac80211_hwsim`, I need to check how it will be enabled and if anything is affected.

Now, I need to dig into the configuration. Let's start by finding the relevant Kconfig options. I know `CONFIG_MAC80211` is the big one, but I'll need to look at `net/mac80211/Kconfig` or similar files to see the granular options that affect this specific IBSS functionality. I have a feeling there might be a few other things that need to be reviewed to be sure.



4/2 2026/06/23 09:23 tool grepper
0m Args:
{
  "Expression": "config MAC80211",
  "PathPrefix": "net/mac80211/Kconfig"
}

Results:
{
  "Output": "net/mac80211/Kconfig-1-# SPDX-License-Identifier: GPL-2.0-only\nnet/mac80211/Kconfig:2:config MAC80211\nnet/mac80211/Kconfig-3-\ttristate \"Generic IEEE 802.11 Networking Stack (mac80211)\"\n--\nnet/mac80211/Kconfig=19=if MAC80211 != n\nnet/mac80211/Kconfig-20-\nnet/mac80211/Kconfig:21:config MAC80211_HAS_RC\nnet/mac80211/Kconfig-22-\tbool\nnet/mac80211/Kconfig-23-\nnet/mac80211/Kconfig:24:config MAC80211_RC_MINSTREL\nnet/mac80211/Kconfig-25-\tbool \"Minstrel\" if EXPERT\n--\nnet/mac80211/Kconfig=31=choice\n--\nnet/mac80211/Kconfig-40-\nnet/mac80211/Kconfig:41:config MAC80211_RC_DEFAULT_MINSTREL\nnet/mac80211/Kconfig-42-\tbool \"Minstrel\"\n--\nnet/mac80211/Kconfig=48=endchoice\nnet/mac80211/Kconfig-49-\nnet/mac80211/Kconfig:50:config MAC80211_RC_DEFAULT\nnet/mac80211/Kconfig-51-\tstring\n--\nnet/mac80211/Kconfig=57=comment \"Some wireless drivers require a rate control algorithm\"\n--\nnet/mac80211/Kconfig-59-\nnet/mac80211/Kconfig:60:config MAC80211_KUNIT_TEST\nnet/mac80211/Kconfig-61-\ttristate \"KUnit tests for mac80211\" if !KUNIT_ALL_TESTS\n--\nnet/mac80211/Kconfig-69-\nnet/mac80211/Kconfig:70:config MAC80211_MESH\nnet/mac80211/Kconfig-71-\tbool \"Enable mac80211 mesh networking support\"\n--\nnet/mac80211/Kconfig-78-\nnet/mac80211/Kconfig:79:config MAC80211_LEDS\nnet/mac80211/Kconfig-80-\tbool \"Enable LED triggers\"\n--\nnet/mac80211/Kconfig-87-\nnet/mac80211/Kconfig:88:config MAC80211_DEBUGFS\nnet/mac80211/Kconfig-89-\tbool \"Export mac80211 internals in DebugFS\"\n--\nnet/mac80211/Kconfig-96-\nnet/mac80211/Kconfig:97:config MAC80211_MESSAGE_TRACING\nnet/mac80211/Kconfig-98-\tbool \"Trace all mac80211 debug messages\"\n--\nnet/mac80211/Kconfig-109-\nnet/mac80211/Kconfig:110:menuconfig MAC80211_DEBUG_MENU\nnet/mac80211/Kconfig-111-\tbool \"Select mac80211 debugging features\"\n--\nnet/mac80211/Kconfig-115-\nnet/mac80211/Kconfig:116:config MAC80211_NOINLINE\nnet/mac80211/Kconfig-117-\tbool \"Do not inline TX/RX 
handlers\"\n--\nnet/mac80211/Kconfig-131-\nnet/mac80211/Kconfig:132:config MAC80211_VERBOSE_DEBUG\nnet/mac80211/Kconfig-133-\tbool \"Verbose debugging output\"\n--\nnet/mac80211/Kconfig-142-\nnet/mac80211/Kconfig:143:config MAC80211_MLME_DEBUG\nnet/mac80211/Kconfig-144-\tbool \"Verbose managed MLME output\"\n--\nnet/mac80211/Kconfig-153-\nnet/mac80211/Kconfig:154:config MAC80211_STA_DEBUG\nnet/mac80211/Kconfig-155-\tbool \"Verbose station debugging\"\n--\nnet/mac80211/Kconfig-162-\nnet/mac80211/Kconfig:163:config MAC80211_HT_DEBUG\nnet/mac80211/Kconfig-164-\tbool \"Verbose HT debugging\"\n--\nnet/mac80211/Kconfig-174-\nnet/mac80211/Kconfig:175:config MAC80211_OCB_DEBUG\nnet/mac80211/Kconfig-176-\tbool \"Verbose OCB debugging\"\n--\nnet/mac80211/Kconfig-185-\nnet/mac80211/Kconfig:186:config MAC80211_IBSS_DEBUG\nnet/mac80211/Kconfig-187-\tbool \"Verbose IBSS debugging\"\n--\nnet/mac80211/Kconfig-196-\nnet/mac80211/Kconfig:197:config MAC80211_PS_DEBUG\nnet/mac80211/Kconfig-198-\tbool \"Verbose powersave mode debugging\"\n--\nnet/mac80211/Kconfig-208-\nnet/mac80211/Kconfig:209:config MAC80211_MPL_DEBUG\nnet/mac80211/Kconfig-210-\tbool \"Verbose mesh peer link debugging\"\n--\nnet/mac80211/Kconfig-221-\nnet/mac80211/Kconfig:222:config MAC80211_MPATH_DEBUG\nnet/mac80211/Kconfig-223-\tbool \"Verbose mesh path debugging\"\n--\nnet/mac80211/Kconfig-234-\nnet/mac80211/Kconfig:235:config MAC80211_MHWMP_DEBUG\nnet/mac80211/Kconfig-236-\tbool \"Verbose mesh HWMP routing debugging\"\n--\nnet/mac80211/Kconfig-247-\nnet/mac80211/Kconfig:248:config MAC80211_MESH_SYNC_DEBUG\nnet/mac80211/Kconfig-249-\tbool \"Verbose mesh synchronization debugging\"\n--\nnet/mac80211/Kconfig-258-\nnet/mac80211/Kconfig:259:config MAC80211_MESH_CSA_DEBUG\nnet/mac80211/Kconfig-260-\tbool \"Verbose mesh channel switch debugging\"\n--\nnet/mac80211/Kconfig-269-\nnet/mac80211/Kconfig:270:config MAC80211_MESH_PS_DEBUG\nnet/mac80211/Kconfig-271-\tbool \"Verbose mesh powersave 
debugging\"\n--\nnet/mac80211/Kconfig-280-\nnet/mac80211/Kconfig:281:config MAC80211_TDLS_DEBUG\nnet/mac80211/Kconfig-282-\tbool \"Verbose TDLS debugging\"\n--\nnet/mac80211/Kconfig-292-\nnet/mac80211/Kconfig:293:config MAC80211_DEBUG_COUNTERS\nnet/mac80211/Kconfig-294-\tbool \"Extra statistics for TX/RX debugging\"\n--\nnet/mac80211/Kconfig-307-\nnet/mac80211/Kconfig:308:config MAC80211_STA_HASH_MAX_SIZE\nnet/mac80211/Kconfig-309-\tint \"Station hash table maximum size\" if MAC80211_DEBUG_MENU\n"
}

5/2 2026/06/23 09:23 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
input: 5093
output: 48
thoughts: 149

Thoughts:
**Analyzing the mac80211 IBSS Patch**

Okay, let's dive into this patch. It looks like the changes are focused within `net/mac80211/ibss.c`. My first move is always to identify the specific functions that are being touched. I see `ieee80211_rx_mgmt_spectrum_mgmt` and `ieee80211_rx_bss_info` listed. That gives me a good starting point – something related to management frame reception and BSS information.

Now, I need to understand if this patch has any special considerations for IBSS specifically. Let me quickly check the configs. Ah, I see `MAC80211_IBSS_DEBUG` - but I remember that's mainly for debugging purposes. So, the primary configuration in play here is the general `MAC80211` option, nothing IBSS-specific really.

Okay, last step for now: I'm going to scan the code within `net/mac80211/ibss.c` for any conditional compilation (`#ifdef`) that might be surrounding these modified functions. That will tell me if there are any specific compilation paths this patch is targeting, or if it is affecting the default behavior. I'm looking for any clues that could tell me what this patch really does.



6/2 2026/06/23 09:23 tool grepper
0m Args:
{
  "Expression": "ieee80211_rx_mgmt_spectrum_mgmt",
  "PathPrefix": "net/mac80211/ibss.c"
}

Results:
{
  "Output": "net/mac80211/ibss.c=885=static void\nnet/mac80211/ibss.c:886:ieee80211_rx_mgmt_spectrum_mgmt(struct ieee80211_sub_if_data *sdata,\nnet/mac80211/ibss.c-887-\t\t\t\tstruct ieee80211_mgmt *mgmt, size_t len,\n--\nnet/mac80211/ibss.c=1585=void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,\n--\nnet/mac80211/ibss.c-1632-\t\t\tif (elems \u0026\u0026 !elems-\u003eparse_error)\nnet/mac80211/ibss.c:1633:\t\t\t\tieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,\nnet/mac80211/ibss.c-1634-\t\t\t\t\t\t\t\tskb-\u003elen,\n"
}

7/2 2026/06/23 09:23 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
input: 5867
output: 46
thoughts: 35

Thoughts:
Okay, let's dive into this. Here's my thought process on the matter:

**Analyzing `ieee80211_rx_bss_info` in `net/mac80211/ibss.c`**

Alright, so the first thing I want to do is navigate to the `net/mac80211/ibss.c` file. This looks like the place to be, given the function name. I'm focusing specifically on `ieee80211_rx_bss_info`. Why? Well, the BSS information is critical in an IBSS environment because it's used for association, reassociation, and generally maintaining synchronization between nodes. From my experience with the 802.11 standards, I would hazard a guess this is a handler for BSS information in the receive path. I expect the code here to be checking fields in beacons and probe responses, verifying capabilities, and potentially managing association state. I'm especially interested in how it's handling the details of IBSS specific elements or flags, given the location of the source file. I need to be sure this function is properly handling various corner cases, perhaps even some obscure or infrequently used BSS elements. That's where I will begin my analysis.



8/2 2026/06/23 09:23 tool grepper
0m Args:
{
  "Expression": "ieee80211_rx_bss_info",
  "PathPrefix": "net/mac80211/ibss.c"
}

Results:
{
  "Output": "net/mac80211/ibss.c=951=static void ieee80211_update_sta_info(struct ieee80211_sub_if_data *sdata,\n--\nnet/mac80211/ibss.c-1072-\nnet/mac80211/ibss.c:1073:static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,\nnet/mac80211/ibss.c-1074-\t\t\t\t  struct ieee80211_mgmt *mgmt, size_t len,\n--\nnet/mac80211/ibss.c=1556=void ieee80211_rx_mgmt_probe_beacon(struct ieee80211_sub_if_data *sdata,\n--\nnet/mac80211/ibss.c-1579-\tif (elems) {\nnet/mac80211/ibss.c:1580:\t\tieee80211_rx_bss_info(sdata, mgmt, len, rx_status, elems);\nnet/mac80211/ibss.c-1581-\t\tkfree(elems);\n"
}

9/2 2026/06/23 09:23 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
input: 6563
output: 49
thoughts: 167

Thoughts:
**Analyzing the IBSS Management Frame Patch**

Okay, so I'm looking at this patch and it's modifying the `ieee80211_rx_mgmt_spectrum_mgmt` and `ieee80211_rx_bss_info` functions. Hmm, those are definitely functions called when we're dealing with management frames in an IBSS (ad-hoc) network. That makes sense, given the context. And, based on my understanding of the system, this is absolutely functional and reachable through `mac80211_hwsim`, which is the correct approach to testing these sorts of changes. The required configuration for this is `MAC80211`, I can verify that easily.

Now, I need to check for other config dependencies. The patch specifically uses `sdata->vif.bss_conf.csa_active` and `ieee80211_ibss_process_chanswitch`. Let's dig into `ieee80211_ibss_process_chanswitch` and see if *it* has any configuration dependencies. That'll be critical to understanding the full scope of this change.



10/2 2026/06/23 09:23 tool grepper
0m Args:
{
  "Expression": "ieee80211_ibss_process_chanswitch",
  "PathPrefix": "net/mac80211/ibss.c"
}

Results:
{
  "Output": "net/mac80211/ibss.c=743=static bool\nnet/mac80211/ibss.c:744:ieee80211_ibss_process_chanswitch(struct ieee80211_sub_if_data *sdata,\nnet/mac80211/ibss.c-745-\t\t\t\t  struct ieee802_11_elems *elems,\n--\nnet/mac80211/ibss.c=886=ieee80211_rx_mgmt_spectrum_mgmt(struct ieee80211_sub_if_data *sdata,\n--\nnet/mac80211/ibss.c-902-\tif (!sdata-\u003evif.bss_conf.csa_active)\nnet/mac80211/ibss.c:903:\t\tieee80211_ibss_process_chanswitch(sdata, elems, false);\nnet/mac80211/ibss.c-904-}\n--\nnet/mac80211/ibss.c=1073=static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,\n--\nnet/mac80211/ibss.c-1129-\t\t */\nnet/mac80211/ibss.c:1130:\t\tieee80211_ibss_process_chanswitch(sdata, elems, true);\nnet/mac80211/ibss.c-1131-\t\tgoto put_bss;\n"
}

11/2 2026/06/23 09:23 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
input: 7464
output: 34
thoughts: 89

Thoughts:
Okay, let's see what we've got here.

**Analyzing IBSS Configuration within the mac80211 Framework**

Right, so we're dealing with IBSS and, as far as I can tell, the starting point is just the general `MAC80211` config. No direct, explicit IBSS-specific configurations are immediately jumping out at me. My initial thought is, "Okay, let's confirm that." I'll quickly check for a dedicated `CONFIG_MAC80211_IBSS` option. Nope, that's not present. Interesting. It suggests IBSS support is likely interwoven within the core `mac80211` configuration, which isn't unusual.

Now, I need to understand how the IBSS code is brought into the build. That means delving into the build system itself. Let's look at the `net/mac80211/Makefile`. I'll want to see if the compilation of the `ibss.c` file – or related IBSS modules – is conditional in any way. Are there any specific flags or dependencies that control its inclusion? That's where the real answer lies. I need to trace the build rules to see if we have IBSS support compiled into the kernel.



12/2 2026/06/23 09:23 tool grepper
0m Args:
{
  "Expression": "ibss.o",
  "PathPrefix": "net/mac80211/Makefile"
}

Results:
{
  "Output": "net/mac80211/Makefile=5=mac80211-y := \\\n--\nnet/mac80211/Makefile-16-\ts1g.o \\\nnet/mac80211/Makefile:17:\tibss.o \\\nnet/mac80211/Makefile-18-\tiface.o \\\n"
}

13/2 2026/06/23 09:23 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
input: 7963
output: 115
thoughts: 386

Thoughts:
**My Analysis of MAC80211 IBSS Frame Handling**

Okay, so this is part of `mac80211-y`, meaning it's unconditionally compiled, which is good. That simplifies the config requirements; it looks like `MAC80211` is the key. No need to worry about additional config options, it seems.

The real focus here is on the functions `ieee80211_rx_mgmt_spectrum_mgmt` and `ieee80211_rx_bss_info`. Initially, I considered that perhaps these functions were considered "hot-path" functions. However, they're not the super critical data-frame processing functions like `mac80211_rx` or `mac80211_tx`. They're specifically tied to management frames, specifically in the IBSS context.

I need to confirm if `ieee80211_rx_bss_info` is actually invoked frequently. It's called for every beacon received in IBSS mode, which is roughly every ~100ms. That's frequent enough to warrant attention, but not as frequent as data frames. That said, it's still a good candidate. `ieee80211_rx_mgmt_spectrum_mgmt`, on the other hand, deals with spectrum management action frames. That's definitely not hot-path.

Let's quickly double-check the dependencies. Does this rely on any other configs like `CFG80211`? Ah, `MAC80211` depends on `CFG80211`, so `MAC80211` is sufficient.

In summary, here's what I've got:

*   **WorthFuzzing:** True - This is definitely a spot worth fuzzing given it is critical core kernel logic.
*   **FocusSymbols:** `ieee80211_rx_mgmt_spectrum_mgmt`, `ieee80211_rx_bss_info` - These are the specific functions to target.
*   **EnableConfigs:** `MAC80211` - This config ensures the necessary code is included.
*   **Reasoning:** The patch is modifying IBSS mode channel switch announcement processing. It's core kernel logic, and fuzzing it is made easier because it's reachable via virtualized hardware (mac80211_hwsim).



14/2 2026/06/23 09:23 tool set-results
0m Args:
{
  "EnableConfigs": [
    "MAC80211"
  ],
  "FocusSymbols": [
    "ieee80211_rx_mgmt_spectrum_mgmt",
    "ieee80211_rx_bss_info"
  ],
  "Reasoning": "The patch modifies the logic for processing channel switch announcements in mac80211 IBSS mode. This is functional core kernel logic reachable via virtualized hardware (mac80211_hwsim).",
  "WorthFuzzing": true
}

Results:
{
  "EnableConfigs": [
    "MAC80211"
  ],
  "FocusSymbols": [
    "ieee80211_rx_mgmt_spectrum_mgmt",
    "ieee80211_rx_bss_info"
  ],
  "Reasoning": "The patch modifies the logic for processing channel switch announcements in mac80211 IBSS mode. This is functional core kernel logic reachable via virtualized hardware (mac80211_hwsim).",
  "WorthFuzzing": true
}
