AI Trajectory


Trajectory: (Expand/Collapse All)
Seq Timestamp Type Name Duration
0/0 2026/07/08 16:08 flow patch-triage
0m Args:
null

Results:
{
  "EnableConfigs": [
    "BRCMFMAC",
    "BRCMFMAC_USB",
    "CFG80211"
  ],
  "FocusSymbols": [
    "brcmf_set_key_mgmt",
    "brcmf_cfg80211_connect",
    "brcmf_configure_wpaie",
    "brcmf_p2p_is_pub_action",
    "brcmf_p2p_is_dpp_pub_action",
    "brcmf_p2p_is_p2p_action",
    "brcmf_p2p_abort_action_frame",
    "brcmf_p2p_send_action_frame"
  ],
  "Reasoning": "The patch adds support for DPP authentication and modifies the firmware supplicant logic in the Broadcom FullMAC WLAN driver (brcmfmac). It also updates P2P action frame handling to support DPP public action frames. These are functional changes in the driver's cfg80211 callbacks and P2P logic, which can be reached via netlink commands and USB fuzzing.",
  "WorthFuzzing": true
}

1/1 2026/07/08 16:08 action read-patch-diff
0m Args:
null

Results:
{
  "PatchDiff": "commit 66cbb77f289f5d6f7685f15137bf6ab62ed39ae2\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate:   Wed Jul 8 16:07:59 2026 +0000\n\n    syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c\nindex 4b70845e1a2643..d61c3e03a106a5 100644\n--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c\n+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c\n@@ -8,6 +8,7 @@\n #include \u003clinux/kernel.h\u003e\n #include \u003clinux/etherdevice.h\u003e\n #include \u003clinux/module.h\u003e\n+#include \u003clinux/unaligned.h\u003e\n #include \u003clinux/vmalloc.h\u003e\n #include \u003cnet/cfg80211.h\u003e\n #include \u003cnet/netlink.h\u003e\n@@ -2154,6 +2155,9 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)\n \t\t\tval = WPA2_AUTH_PSK | WPA2_AUTH_FT;\n \t\t\tprofile-\u003eis_ft = true;\n \t\t\tbreak;\n+\t\tcase WLAN_AKM_SUITE_WFA_DPP:\n+\t\t\tval = WFA_AUTH_DPP;\n+\t\t\tbreak;\n \t\tdefault:\n \t\t\tbphy_err(drvr, \"invalid akm suite (%d)\\n\",\n \t\t\t\t sme-\u003ecrypto.akm_suites[0]);\n@@ -2466,43 +2470,50 @@ brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,\n \t\tgoto done;\n \t}\n \n-\tif (sme-\u003ecrypto.psk \u0026\u0026\n-\t    profile-\u003euse_fwsup != BRCMF_PROFILE_FWSUP_SAE) {\n-\t\tif (WARN_ON(profile-\u003euse_fwsup != BRCMF_PROFILE_FWSUP_NONE)) {\n-\t\t\terr = -EINVAL;\n-\t\t\tgoto done;\n-\t\t}\n-\t\tbrcmf_dbg(INFO, \"using PSK offload\\n\");\n-\t\tprofile-\u003euse_fwsup = BRCMF_PROFILE_FWSUP_PSK;\n-\t}\n-\n-\tif (profile-\u003euse_fwsup != BRCMF_PROFILE_FWSUP_NONE) {\n-\t\t/* enable firmware supplicant for this interface */\n-\t\terr = brcmf_fil_iovar_int_set(ifp, \"sup_wpa\", 1);\n-\t\tif (err \u003c 0) {\n-\t\t\tbphy_err(drvr, \"failed to enable fw supplicant\\n\");\n-\t\t\tgoto done;\n+\tif (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_FWSUP)) {\n+\t\tu32 akm = sme-\u003ecrypto.n_akm_suites ? sme-\u003ecrypto.akm_suites[0] : 0;\n+\t\tbool is_sae_akm = akm == WLAN_AKM_SUITE_SAE ||\n+\t\t\takm == WLAN_AKM_SUITE_FT_OVER_SAE;\n+\n+\t\tif (sme-\u003ecrypto.psk \u0026\u0026 !is_sae_akm \u0026\u0026\n+\t\t    profile-\u003euse_fwsup != BRCMF_PROFILE_FWSUP_SAE) {\n+\t\t\tif (WARN_ON(profile-\u003euse_fwsup !=\n+\t\t\t\t    BRCMF_PROFILE_FWSUP_NONE)) {\n+\t\t\t\terr = -EINVAL;\n+\t\t\t\tgoto done;\n+\t\t\t}\n+\t\t\tbrcmf_dbg(INFO, \"using PSK offload\\n\");\n+\t\t\tprofile-\u003euse_fwsup = BRCMF_PROFILE_FWSUP_PSK;\n \t\t}\n-\t}\n-\n-\tif (profile-\u003euse_fwsup == BRCMF_PROFILE_FWSUP_PSK)\n-\t\terr = brcmf_set_pmk(ifp, sme-\u003ecrypto.psk,\n-\t\t\t\t    BRCMF_WSEC_MAX_PSK_LEN);\n-\telse if (profile-\u003euse_fwsup == BRCMF_PROFILE_FWSUP_SAE) {\n-\t\t/* clean up user-space RSNE */\n-\t\terr = brcmf_fil_iovar_data_set(ifp, \"wpaie\", NULL, 0);\n-\t\tif (err) {\n-\t\t\tbphy_err(drvr, \"failed to clean up user-space RSNE\\n\");\n-\t\t\tgoto done;\n+\t\tif (profile-\u003euse_fwsup != BRCMF_PROFILE_FWSUP_NONE) {\n+\t\t\t/* enable firmware supplicant for this interface */\n+\t\t\terr = brcmf_fil_iovar_int_set(ifp, \"sup_wpa\", 1);\n+\t\t\tif (err \u003c 0) {\n+\t\t\t\tbphy_err(drvr, \"failed to enable fw supplicant\\n\");\n+\t\t\t\tgoto done;\n+\t\t\t}\n+\t\t} else {\n+\t\t\terr = brcmf_fil_iovar_int_set(ifp, \"sup_wpa\", 0);\n \t\t}\n-\t\terr = brcmf_fwvid_set_sae_password(ifp, \u0026sme-\u003ecrypto);\n-\t\tif (!err \u0026\u0026 sme-\u003ecrypto.psk)\n+\t\tif (profile-\u003euse_fwsup == BRCMF_PROFILE_FWSUP_PSK)\n \t\t\terr = brcmf_set_pmk(ifp, sme-\u003ecrypto.psk,\n \t\t\t\t\t    BRCMF_WSEC_MAX_PSK_LEN);\n+\t\telse if (profile-\u003euse_fwsup == BRCMF_PROFILE_FWSUP_SAE \u0026\u0026\n+\t\t\t sme-\u003ecrypto.sae_pwd \u0026\u0026\n+\t\t\t brcmf_feat_is_enabled(ifp, BRCMF_FEAT_SAE)) {\n+\t\t\t/* clean up user-space RSNE */\n+\t\t\tif (brcmf_fil_iovar_data_set(ifp, \"wpaie\", NULL, 0)) {\n+\t\t\t\tbphy_err(drvr, \"failed to clean up user-space RSNE\\n\");\n+\t\t\t\tgoto done;\n+\t\t\t}\n+\t\t\terr = brcmf_fwvid_set_sae_password(ifp, \u0026sme-\u003ecrypto);\n+\t\t\tif (!err \u0026\u0026 sme-\u003ecrypto.psk)\n+\t\t\t\terr = brcmf_set_pmk(ifp, sme-\u003ecrypto.psk,\n+\t\t\t\t\t\t    BRCMF_WSEC_MAX_PSK_LEN);\n+\t\t}\n+\t\tif (err)\n+\t\t\tgoto done;\n \t}\n-\tif (err)\n-\t\tgoto done;\n-\n \t/* Join with specific BSSID and cached SSID\n \t * If SSID is zero join based on BSSID only\n \t */\n@@ -4519,6 +4530,11 @@ static bool brcmf_valid_wpa_oui(u8 *oui, bool is_rsn_ie)\n \treturn (memcmp(oui, WPA_OUI, TLV_OUI_LEN) == 0);\n }\n \n+static bool brcmf_valid_dpp_suite(u8 *oui)\n+{\n+\treturn get_unaligned_be32(oui) == WLAN_AKM_SUITE_WFA_DPP;\n+}\n+\n static s32\n brcmf_configure_wpaie(struct brcmf_if *ifp,\n \t\t      const struct brcmf_vs_tlv *wpa_ie,\n@@ -4632,42 +4648,47 @@ brcmf_configure_wpaie(struct brcmf_if *ifp,\n \t\tgoto exit;\n \t}\n \tfor (i = 0; i \u003c count; i++) {\n-\t\tif (!brcmf_valid_wpa_oui(\u0026data[offset], is_rsn_ie)) {\n+\t\tif (brcmf_valid_dpp_suite(\u0026data[offset])) {\n+\t\t\twpa_auth |= WFA_AUTH_DPP;\n+\t\t\toffset += TLV_OUI_LEN;\n+\t\t} else if (brcmf_valid_wpa_oui(\u0026data[offset], is_rsn_ie)) {\n+\t\t\toffset += TLV_OUI_LEN;\n+\t\t\tswitch (data[offset]) {\n+\t\t\tcase RSN_AKM_NONE:\n+\t\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_NONE\\n\");\n+\t\t\t\twpa_auth |= WPA_AUTH_NONE;\n+\t\t\t\tbreak;\n+\t\t\tcase RSN_AKM_UNSPECIFIED:\n+\t\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_UNSPECIFIED\\n\");\n+\t\t\t\tis_rsn_ie ?\n+\t\t\t\t\t(wpa_auth |= WPA2_AUTH_UNSPECIFIED) :\n+\t\t\t\t\t(wpa_auth |= WPA_AUTH_UNSPECIFIED);\n+\t\t\t\tbreak;\n+\t\t\tcase RSN_AKM_PSK:\n+\t\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_PSK\\n\");\n+\t\t\t\tis_rsn_ie ? (wpa_auth |= WPA2_AUTH_PSK) :\n+\t\t\t\t\t    (wpa_auth |= WPA_AUTH_PSK);\n+\t\t\t\tbreak;\n+\t\t\tcase RSN_AKM_SHA256_PSK:\n+\t\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_MFP_PSK\\n\");\n+\t\t\t\twpa_auth |= WPA2_AUTH_PSK_SHA256;\n+\t\t\t\tbreak;\n+\t\t\tcase RSN_AKM_SHA256_1X:\n+\t\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_MFP_1X\\n\");\n+\t\t\t\twpa_auth |= WPA2_AUTH_1X_SHA256;\n+\t\t\t\tbreak;\n+\t\t\tcase RSN_AKM_SAE:\n+\t\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_SAE\\n\");\n+\t\t\t\twpa_auth |= WPA3_AUTH_SAE_PSK;\n+\t\t\t\tbreak;\n+\t\t\tdefault:\n+\t\t\t\tbphy_err(drvr, \"Invalid key mgmt info\\n\");\n+\t\t\t}\n+\t\t} else {\n \t\t\terr = -EINVAL;\n \t\t\tbphy_err(drvr, \"invalid OUI\\n\");\n \t\t\tgoto exit;\n \t\t}\n-\t\toffset += TLV_OUI_LEN;\n-\t\tswitch (data[offset]) {\n-\t\tcase RSN_AKM_NONE:\n-\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_NONE\\n\");\n-\t\t\twpa_auth |= WPA_AUTH_NONE;\n-\t\t\tbreak;\n-\t\tcase RSN_AKM_UNSPECIFIED:\n-\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_UNSPECIFIED\\n\");\n-\t\t\tis_rsn_ie ? (wpa_auth |= WPA2_AUTH_UNSPECIFIED) :\n-\t\t\t\t    (wpa_auth |= WPA_AUTH_UNSPECIFIED);\n-\t\t\tbreak;\n-\t\tcase RSN_AKM_PSK:\n-\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_PSK\\n\");\n-\t\t\tis_rsn_ie ? (wpa_auth |= WPA2_AUTH_PSK) :\n-\t\t\t\t    (wpa_auth |= WPA_AUTH_PSK);\n-\t\t\tbreak;\n-\t\tcase RSN_AKM_SHA256_PSK:\n-\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_MFP_PSK\\n\");\n-\t\t\twpa_auth |= WPA2_AUTH_PSK_SHA256;\n-\t\t\tbreak;\n-\t\tcase RSN_AKM_SHA256_1X:\n-\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_MFP_1X\\n\");\n-\t\t\twpa_auth |= WPA2_AUTH_1X_SHA256;\n-\t\t\tbreak;\n-\t\tcase RSN_AKM_SAE:\n-\t\t\tbrcmf_dbg(TRACE, \"RSN_AKM_SAE\\n\");\n-\t\t\twpa_auth |= WPA3_AUTH_SAE_PSK;\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tbphy_err(drvr, \"Invalid key mgmt info\\n\");\n-\t\t}\n \t\toffset++;\n \t}\n \n@@ -4687,10 +4708,12 @@ brcmf_configure_wpaie(struct brcmf_if *ifp,\n \t\t\t\t */\n \t\t\t\tif (!(wpa_auth \u0026 (WPA2_AUTH_PSK_SHA256 |\n \t\t\t\t\t\t  WPA2_AUTH_1X_SHA256 |\n+\t\t\t\t\t\t  WFA_AUTH_DPP |\n \t\t\t\t\t\t  WPA3_AUTH_SAE_PSK))) {\n \t\t\t\t\terr = -EINVAL;\n \t\t\t\t\tgoto exit;\n \t\t\t\t}\n+\n \t\t\t\t/* Firmware has requirement that WPA2_AUTH_PSK/\n \t\t\t\t * WPA2_AUTH_UNSPECIFIED be set, if SHA256 OUI\n \t\t\t\t * is to be included in the rsn ie.\ndiff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c\nindex 6e0c90f4718b58..2c1f52ed513800 100644\n--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c\n+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c\n@@ -6,6 +6,7 @@\n #include \u003clinux/netdevice.h\u003e\n #include \u003clinux/etherdevice.h\u003e\n #include \u003clinux/rtnetlink.h\u003e\n+#include \u003clinux/unaligned.h\u003e\n #include \u003cnet/cfg80211.h\u003e\n \n #include \u003cbrcmu_wifi.h\u003e\n@@ -44,9 +45,6 @@\n \n #define BRCMF_SCB_TIMEOUT_VALUE\t20\n \n-#define P2P_VER\t\t\t9\t/* P2P version: 9=WiFi P2P v1.0 */\n-#define P2P_PUB_AF_CATEGORY\t0x04\n-#define P2P_PUB_AF_ACTION\t0x09\n #define P2P_AF_CATEGORY\t\t0x7f\n #define P2P_OUI\t\t\t\"\\x50\\x6F\\x9A\"\t/* P2P OUI */\n #define P2P_OUI_LEN\t\t3\t\t/* P2P OUI length */\n@@ -143,10 +141,10 @@ struct brcmf_p2p_scan_le {\n /**\n  * struct brcmf_p2p_pub_act_frame - WiFi P2P Public Action Frame\n  *\n- * @category: P2P_PUB_AF_CATEGORY\n- * @action: P2P_PUB_AF_ACTION\n+ * @category: WLAN_CATEGORY_PUBLIC\n+ * @action: WLAN_PUB_ACTION_VENDOR_SPECIFIC\n  * @oui: P2P_OUI\n- * @oui_type: OUI type - P2P_VER\n+ * @oui_type: OUI type - WLAN_OUI_TYPE_WFA_P2P\n  * @subtype: OUI subtype - P2P_TYPE_*\n  * @dialog_token: nonzero, identifies req/rsp transaction\n  * @elts: Variable length information elements.\n@@ -166,7 +164,7 @@ struct brcmf_p2p_pub_act_frame {\n  *\n  * @category: P2P_AF_CATEGORY\n  * @oui: OUI - P2P_OUI\n- * @type: OUI Type - P2P_VER\n+ * @type: OUI Type - WLAN_OUI_TYPE_WFA_P2P\n  * @subtype: OUI Subtype - P2P_AF_*\n  * @dialog_token: nonzero, identifies req/resp tranaction\n  * @elts: Variable length information elements.\n@@ -228,10 +226,38 @@ static bool brcmf_p2p_is_pub_action(void *frame, u32 frame_len)\n \tif (frame_len \u003c sizeof(*pact_frm))\n \t\treturn false;\n \n-\tif (pact_frm-\u003ecategory == P2P_PUB_AF_CATEGORY \u0026\u0026\n-\t    pact_frm-\u003eaction == P2P_PUB_AF_ACTION \u0026\u0026\n-\t    pact_frm-\u003eoui_type == P2P_VER \u0026\u0026\n-\t    memcmp(pact_frm-\u003eoui, P2P_OUI, P2P_OUI_LEN) == 0)\n+\tif (pact_frm-\u003ecategory == WLAN_CATEGORY_PUBLIC \u0026\u0026\n+\t    pact_frm-\u003eaction == WLAN_PUB_ACTION_VENDOR_SPECIFIC \u0026\u0026\n+\t    pact_frm-\u003eoui_type == WLAN_OUI_TYPE_WFA_P2P \u0026\u0026\n+\t    get_unaligned_be24(pact_frm-\u003eoui) == WLAN_OUI_WFA)\n+\t\treturn true;\n+\n+\treturn false;\n+}\n+\n+/**\n+ * brcmf_p2p_is_dpp_pub_action() - true if dpp public type frame.\n+ *\n+ * @frame: action frame data.\n+ * @frame_len: length of action frame data.\n+ *\n+ * Determine if action frame is dpp public action type\n+ */\n+static bool brcmf_p2p_is_dpp_pub_action(void *frame, u32 frame_len)\n+{\n+\tstruct brcmf_p2p_pub_act_frame *pact_frm;\n+\n+\tif (!frame)\n+\t\treturn false;\n+\n+\tpact_frm = (struct brcmf_p2p_pub_act_frame *)frame;\n+\tif (frame_len \u003c sizeof(struct brcmf_p2p_pub_act_frame) - 1)\n+\t\treturn false;\n+\n+\tif (pact_frm-\u003ecategory == WLAN_CATEGORY_PUBLIC \u0026\u0026\n+\t    pact_frm-\u003eaction == WLAN_PUB_ACTION_VENDOR_SPECIFIC \u0026\u0026\n+\t    pact_frm-\u003eoui_type == WLAN_OUI_TYPE_WFA_DPP \u0026\u0026\n+\t    get_unaligned_be24(pact_frm-\u003eoui) == WLAN_OUI_WFA)\n \t\treturn true;\n \n \treturn false;\n@@ -257,7 +283,7 @@ static bool brcmf_p2p_is_p2p_action(void *frame, u32 frame_len)\n \t\treturn false;\n \n \tif (act_frm-\u003ecategory == P2P_AF_CATEGORY \u0026\u0026\n-\t    act_frm-\u003etype  == P2P_VER \u0026\u0026\n+\t    act_frm-\u003etype  == WLAN_OUI_TYPE_WFA_P2P \u0026\u0026\n \t    memcmp(act_frm-\u003eoui, P2P_OUI, P2P_OUI_LEN) == 0)\n \t\treturn true;\n \n@@ -1281,6 +1307,9 @@ static s32 brcmf_p2p_abort_action_frame(struct brcmf_cfg80211_info *cfg)\n \tbrcmf_dbg(TRACE, \"Enter\\n\");\n \n \tvif = p2p-\u003ebss_idx[P2PAPI_BSSCFG_DEVICE].vif;\n+\tif (!vif)\n+\t\tvif = p2p-\u003ebss_idx[P2PAPI_BSSCFG_PRIMARY].vif;\n+\n \terr = brcmf_fil_bsscfg_data_set(vif-\u003eifp, \"actframe_abort\", \u0026int_val,\n \t\t\t\t\tsizeof(s32));\n \tif (err)\n@@ -1789,7 +1818,9 @@ bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,\n \t\t\tgoto exit;\n \t\t}\n \t} else if (brcmf_p2p_is_p2p_action(action_frame-\u003edata,\n-\t\t\t\t\t   action_frame_len)) {\n+\t\t\t\t\t   action_frame_len) ||\n+\t\t   brcmf_p2p_is_dpp_pub_action(action_frame-\u003edata,\n+\t\t\t\t\t       action_frame_len)) {\n \t\t/* do not configure anything. it will be */\n \t\t/* sent with a default configuration     */\n \t} else {\n@@ -1826,6 +1857,7 @@ bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,\n \t/* validate channel and p2p ies */\n \tif (config_af_params.search_channel \u0026\u0026\n \t    IS_P2P_SOCIAL_CHANNEL(le32_to_cpu(af_params-\u003echannel)) \u0026\u0026\n+\t    p2p-\u003ebss_idx[P2PAPI_BSSCFG_DEVICE].vif \u0026\u0026\n \t    p2p-\u003ebss_idx[P2PAPI_BSSCFG_DEVICE].vif-\u003esaved_ie.probe_req_ie_len) {\n \t\tafx_hdl = \u0026p2p-\u003eafx_hdl;\n \t\tafx_hdl-\u003epeer_listen_chan = le32_to_cpu(af_params-\u003echannel);\n@@ -2543,4 +2575,3 @@ void brcmf_p2p_detach(struct brcmf_p2p_info *p2p)\n \t/* just set it all to zero */\n \tmemset(p2p, 0, sizeof(*p2p));\n }\n-\ndiff --git a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h\nindex 7552bdb91991ce..c465208c433182 100644\n--- a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h\n+++ b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h\n@@ -233,6 +233,8 @@ static inline bool ac_bitmap_tst(u8 bitmap, int prec)\n \n #define WPA3_AUTH_SAE_PSK\t0x40000\t/* SAE with 4-way handshake */\n \n+#define WFA_AUTH_DPP\t\t0x200000 /* WFA DPP AUTH */\n+\n #define DOT11_DEFAULT_RTS_LEN\t\t2347\n #define DOT11_DEFAULT_FRAG_LEN\t\t2346\n \n"
}

2/1 2026/07/08 16:08 agent patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
{
  "EnableConfigs": [
    "BRCMFMAC",
    "BRCMFMAC_USB",
    "CFG80211"
  ],
  "FocusSymbols": [
    "brcmf_set_key_mgmt",
    "brcmf_cfg80211_connect",
    "brcmf_configure_wpaie",
    "brcmf_p2p_is_pub_action",
    "brcmf_p2p_is_dpp_pub_action",
    "brcmf_p2p_is_p2p_action",
    "brcmf_p2p_abort_action_frame",
    "brcmf_p2p_send_action_frame"
  ],
  "Reasoning": "The patch adds support for DPP authentication and modifies the firmware supplicant logic in the Broadcom FullMAC WLAN driver (brcmfmac). It also updates P2P action frame handling to support DPP public action frames. These are functional changes in the driver's cfg80211 callbacks and P2P logic, which can be reached via netlink commands and USB fuzzing.",
  "WorthFuzzing": true
}

Instruction:
You are an expert Linux kernel maintainer.
Your job is to review a provided patch series and determine
if it makes functional changes to the kernel that should be fuzzed.

IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in
your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively
use your code access tools to examine the actual source code and confirm any assumptions.

Return WorthFuzzing=false if the patch only contains:
- Modifications to Documentation/, Kconfig files, or code comments.
- Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints.
- Changes to numeric constants or macros that do not functionally alter execution flow.
- Code paths that are impossible to reach in virtualized environments like GCE or QEMU,
even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim).

If it modifies reachable core kernel logic, drivers, or architectures, use your code search
tools to verify the code can be executed, then return WorthFuzzing=true.

When returning WorthFuzzing=true, you MUST ALSO:
1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols.
   Avoid listing generic hot-path functions to prevent skewed test distributions.
2. Identify any specific CONFIG_ options required to properly test this new/modified feature.
   Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions.
   Do not list too generic configs (we already have them enabled). Only list those that
   specifically cover the modified code. List them in the EnableConfigs output array,
   and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4").
Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:
For your convenience, here is the diff of the changes:
commit 66cbb77f289f5d6f7685f15137bf6ab62ed39ae2
Author: syz-cluster <triage@syzkaller.com>
Date:   Wed Jul 8 16:07:59 2026 +0000

    syz-cluster: applied patch under review

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 4b70845e1a2643..d61c3e03a106a5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -8,6 +8,7 @@
 #include <linux/kernel.h>
 #include <linux/etherdevice.h>
 #include <linux/module.h>
+#include <linux/unaligned.h>
 #include <linux/vmalloc.h>
 #include <net/cfg80211.h>
 #include <net/netlink.h>
@@ -2154,6 +2155,9 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
 			val = WPA2_AUTH_PSK | WPA2_AUTH_FT;
 			profile->is_ft = true;
 			break;
+		case WLAN_AKM_SUITE_WFA_DPP:
+			val = WFA_AUTH_DPP;
+			break;
 		default:
 			bphy_err(drvr, "invalid akm suite (%d)\n",
 				 sme->crypto.akm_suites[0]);
@@ -2466,43 +2470,50 @@ brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,
 		goto done;
 	}
 
-	if (sme->crypto.psk &&
-	    profile->use_fwsup != BRCMF_PROFILE_FWSUP_SAE) {
-		if (WARN_ON(profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE)) {
-			err = -EINVAL;
-			goto done;
-		}
-		brcmf_dbg(INFO, "using PSK offload\n");
-		profile->use_fwsup = BRCMF_PROFILE_FWSUP_PSK;
-	}
-
-	if (profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE) {
-		/* enable firmware supplicant for this interface */
-		err = brcmf_fil_iovar_int_set(ifp, "sup_wpa", 1);
-		if (err < 0) {
-			bphy_err(drvr, "failed to enable fw supplicant\n");
-			goto done;
+	if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_FWSUP)) {
+		u32 akm = sme->crypto.n_akm_suites ? sme->crypto.akm_suites[0] : 0;
+		bool is_sae_akm = akm == WLAN_AKM_SUITE_SAE ||
+			akm == WLAN_AKM_SUITE_FT_OVER_SAE;
+
+		if (sme->crypto.psk && !is_sae_akm &&
+		    profile->use_fwsup != BRCMF_PROFILE_FWSUP_SAE) {
+			if (WARN_ON(profile->use_fwsup !=
+				    BRCMF_PROFILE_FWSUP_NONE)) {
+				err = -EINVAL;
+				goto done;
+			}
+			brcmf_dbg(INFO, "using PSK offload\n");
+			profile->use_fwsup = BRCMF_PROFILE_FWSUP_PSK;
 		}
-	}
-
-	if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_PSK)
-		err = brcmf_set_pmk(ifp, sme->crypto.psk,
-				    BRCMF_WSEC_MAX_PSK_LEN);
-	else if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_SAE) {
-		/* clean up user-space RSNE */
-		err = brcmf_fil_iovar_data_set(ifp, "wpaie", NULL, 0);
-		if (err) {
-			bphy_err(drvr, "failed to clean up user-space RSNE\n");
-			goto done;
+		if (profile->use_fwsup != BRCMF_PROFILE_FWSUP_NONE) {
+			/* enable firmware supplicant for this interface */
+			err = brcmf_fil_iovar_int_set(ifp, "sup_wpa", 1);
+			if (err < 0) {
+				bphy_err(drvr, "failed to enable fw supplicant\n");
+				goto done;
+			}
+		} else {
+			err = brcmf_fil_iovar_int_set(ifp, "sup_wpa", 0);
 		}
-		err = brcmf_fwvid_set_sae_password(ifp, &sme->crypto);
-		if (!err && sme->crypto.psk)
+		if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_PSK)
 			err = brcmf_set_pmk(ifp, sme->crypto.psk,
 					    BRCMF_WSEC_MAX_PSK_LEN);
+		else if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_SAE &&
+			 sme->crypto.sae_pwd &&
+			 brcmf_feat_is_enabled(ifp, BRCMF_FEAT_SAE)) {
+			/* clean up user-space RSNE */
+			if (brcmf_fil_iovar_data_set(ifp, "wpaie", NULL, 0)) {
+				bphy_err(drvr, "failed to clean up user-space RSNE\n");
+				goto done;
+			}
+			err = brcmf_fwvid_set_sae_password(ifp, &sme->crypto);
+			if (!err && sme->crypto.psk)
+				err = brcmf_set_pmk(ifp, sme->crypto.psk,
+						    BRCMF_WSEC_MAX_PSK_LEN);
+		}
+		if (err)
+			goto done;
 	}
-	if (err)
-		goto done;
-
 	/* Join with specific BSSID and cached SSID
 	 * If SSID is zero join based on BSSID only
 	 */
@@ -4519,6 +4530,11 @@ static bool brcmf_valid_wpa_oui(u8 *oui, bool is_rsn_ie)
 	return (memcmp(oui, WPA_OUI, TLV_OUI_LEN) == 0);
 }
 
+static bool brcmf_valid_dpp_suite(u8 *oui)
+{
+	return get_unaligned_be32(oui) == WLAN_AKM_SUITE_WFA_DPP;
+}
+
 static s32
 brcmf_configure_wpaie(struct brcmf_if *ifp,
 		      const struct brcmf_vs_tlv *wpa_ie,
@@ -4632,42 +4648,47 @@ brcmf_configure_wpaie(struct brcmf_if *ifp,
 		goto exit;
 	}
 	for (i = 0; i < count; i++) {
-		if (!brcmf_valid_wpa_oui(&data[offset], is_rsn_ie)) {
+		if (brcmf_valid_dpp_suite(&data[offset])) {
+			wpa_auth |= WFA_AUTH_DPP;
+			offset += TLV_OUI_LEN;
+		} else if (brcmf_valid_wpa_oui(&data[offset], is_rsn_ie)) {
+			offset += TLV_OUI_LEN;
+			switch (data[offset]) {
+			case RSN_AKM_NONE:
+				brcmf_dbg(TRACE, "RSN_AKM_NONE\n");
+				wpa_auth |= WPA_AUTH_NONE;
+				break;
+			case RSN_AKM_UNSPECIFIED:
+				brcmf_dbg(TRACE, "RSN_AKM_UNSPECIFIED\n");
+				is_rsn_ie ?
+					(wpa_auth |= WPA2_AUTH_UNSPECIFIED) :
+					(wpa_auth |= WPA_AUTH_UNSPECIFIED);
+				break;
+			case RSN_AKM_PSK:
+				brcmf_dbg(TRACE, "RSN_AKM_PSK\n");
+				is_rsn_ie ? (wpa_auth |= WPA2_AUTH_PSK) :
+					    (wpa_auth |= WPA_AUTH_PSK);
+				break;
+			case RSN_AKM_SHA256_PSK:
+				brcmf_dbg(TRACE, "RSN_AKM_MFP_PSK\n");
+				wpa_auth |= WPA2_AUTH_PSK_SHA256;
+				break;
+			case RSN_AKM_SHA256_1X:
+				brcmf_dbg(TRACE, "RSN_AKM_MFP_1X\n");
+				wpa_auth |= WPA2_AUTH_1X_SHA256;
+				break;
+			case RSN_AKM_SAE:
+				brcmf_dbg(TRACE, "RSN_AKM_SAE\n");
+				wpa_auth |= WPA3_AUTH_SAE_PSK;
+				break;
+			default:
+				bphy_err(drvr, "Invalid key mgmt info\n");
+			}
+		} else {
 			err = -EINVAL;
 			bphy_err(drvr, "invalid OUI\n");
 			goto exit;
 		}
-		offset += TLV_OUI_LEN;
-		switch (data[offset]) {
-		case RSN_AKM_NONE:
-			brcmf_dbg(TRACE, "RSN_AKM_NONE\n");
-			wpa_auth |= WPA_AUTH_NONE;
-			break;
-		case RSN_AKM_UNSPECIFIED:
-			brcmf_dbg(TRACE, "RSN_AKM_UNSPECIFIED\n");
-			is_rsn_ie ? (wpa_auth |= WPA2_AUTH_UNSPECIFIED) :
-				    (wpa_auth |= WPA_AUTH_UNSPECIFIED);
-			break;
-		case RSN_AKM_PSK:
-			brcmf_dbg(TRACE, "RSN_AKM_PSK\n");
-			is_rsn_ie ? (wpa_auth |= WPA2_AUTH_PSK) :
-				    (wpa_auth |= WPA_AUTH_PSK);
-			break;
-		case RSN_AKM_SHA256_PSK:
-			brcmf_dbg(TRACE, "RSN_AKM_MFP_PSK\n");
-			wpa_auth |= WPA2_AUTH_PSK_SHA256;
-			break;
-		case RSN_AKM_SHA256_1X:
-			brcmf_dbg(TRACE, "RSN_AKM_MFP_1X\n");
-			wpa_auth |= WPA2_AUTH_1X_SHA256;
-			break;
-		case RSN_AKM_SAE:
-			brcmf_dbg(TRACE, "RSN_AKM_SAE\n");
-			wpa_auth |= WPA3_AUTH_SAE_PSK;
-			break;
-		default:
-			bphy_err(drvr, "Invalid key mgmt info\n");
-		}
 		offset++;
 	}
 
@@ -4687,10 +4708,12 @@ brcmf_configure_wpaie(struct brcmf_if *ifp,
 				 */
 				if (!(wpa_auth & (WPA2_AUTH_PSK_SHA256 |
 						  WPA2_AUTH_1X_SHA256 |
+						  WFA_AUTH_DPP |
 						  WPA3_AUTH_SAE_PSK))) {
 					err = -EINVAL;
 					goto exit;
 				}
+
 				/* Firmware has requirement that WPA2_AUTH_PSK/
 				 * WPA2_AUTH_UNSPECIFIED be set, if SHA256 OUI
 				 * is to be included in the rsn ie.
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
index 6e0c90f4718b58..2c1f52ed513800 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
@@ -6,6 +6,7 @@
 #include <linux/netdevice.h>
 #include <linux/etherdevice.h>
 #include <linux/rtnetlink.h>
+#include <linux/unaligned.h>
 #include <net/cfg80211.h>
 
 #include <brcmu_wifi.h>
@@ -44,9 +45,6 @@
 
 #define BRCMF_SCB_TIMEOUT_VALUE	20
 
-#define P2P_VER			9	/* P2P version: 9=WiFi P2P v1.0 */
-#define P2P_PUB_AF_CATEGORY	0x04
-#define P2P_PUB_AF_ACTION	0x09
 #define P2P_AF_CATEGORY		0x7f
 #define P2P_OUI			"\x50\x6F\x9A"	/* P2P OUI */
 #define P2P_OUI_LEN		3		/* P2P OUI length */
@@ -143,10 +141,10 @@ struct brcmf_p2p_scan_le {
 /**
  * struct brcmf_p2p_pub_act_frame - WiFi P2P Public Action Frame
  *
- * @category: P2P_PUB_AF_CATEGORY
- * @action: P2P_PUB_AF_ACTION
+ * @category: WLAN_CATEGORY_PUBLIC
+ * @action: WLAN_PUB_ACTION_VENDOR_SPECIFIC
  * @oui: P2P_OUI
- * @oui_type: OUI type - P2P_VER
+ * @oui_type: OUI type - WLAN_OUI_TYPE_WFA_P2P
  * @subtype: OUI subtype - P2P_TYPE_*
  * @dialog_token: nonzero, identifies req/rsp transaction
  * @elts: Variable length information elements.
@@ -166,7 +164,7 @@ struct brcmf_p2p_pub_act_frame {
  *
  * @category: P2P_AF_CATEGORY
  * @oui: OUI - P2P_OUI
- * @type: OUI Type - P2P_VER
+ * @type: OUI Type - WLAN_OUI_TYPE_WFA_P2P
  * @subtype: OUI Subtype - P2P_AF_*
  * @dialog_token: nonzero, identifies req/resp tranaction
  * @elts: Variable length information elements.
@@ -228,10 +226,38 @@ static bool brcmf_p2p_is_pub_action(void *frame, u32 frame_len)
 	if (frame_len < sizeof(*pact_frm))
 		return false;
 
-	if (pact_frm->category == P2P_PUB_AF_CATEGORY &&
-	    pact_frm->action == P2P_PUB_AF_ACTION &&
-	    pact_frm->oui_type == P2P_VER &&
-	    memcmp(pact_frm->oui, P2P_OUI, P2P_OUI_LEN) == 0)
+	if (pact_frm->category == WLAN_CATEGORY_PUBLIC &&
+	    pact_frm->action == WLAN_PUB_ACTION_VENDOR_SPECIFIC &&
+	    pact_frm->oui_type == WLAN_OUI_TYPE_WFA_P2P &&
+	    get_unaligned_be24(pact_frm->oui) == WLAN_OUI_WFA)
+		return true;
+
+	return false;
+}
+
+/**
+ * brcmf_p2p_is_dpp_pub_action() - true if dpp public type frame.
+ *
+ * @frame: action frame data.
+ * @frame_len: length of action frame data.
+ *
+ * Determine if action frame is dpp public action type
+ */
+static bool brcmf_p2p_is_dpp_pub_action(void *frame, u32 frame_len)
+{
+	struct brcmf_p2p_pub_act_frame *pact_frm;
+
+	if (!frame)
+		return false;
+
+	pact_frm = (struct brcmf_p2p_pub_act_frame *)frame;
+	if (frame_len < sizeof(struct brcmf_p2p_pub_act_frame) - 1)
+		return false;
+
+	if (pact_frm->category == WLAN_CATEGORY_PUBLIC &&
+	    pact_frm->action == WLAN_PUB_ACTION_VENDOR_SPECIFIC &&
+	    pact_frm->oui_type == WLAN_OUI_TYPE_WFA_DPP &&
+	    get_unaligned_be24(pact_frm->oui) == WLAN_OUI_WFA)
 		return true;
 
 	return false;
@@ -257,7 +283,7 @@ static bool brcmf_p2p_is_p2p_action(void *frame, u32 frame_len)
 		return false;
 
 	if (act_frm->category == P2P_AF_CATEGORY &&
-	    act_frm->type  == P2P_VER &&
+	    act_frm->type  == WLAN_OUI_TYPE_WFA_P2P &&
 	    memcmp(act_frm->oui, P2P_OUI, P2P_OUI_LEN) == 0)
 		return true;
 
@@ -1281,6 +1307,9 @@ static s32 brcmf_p2p_abort_action_frame(struct brcmf_cfg80211_info *cfg)
 	brcmf_dbg(TRACE, "Enter\n");
 
 	vif = p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif;
+	if (!vif)
+		vif = p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
+
 	err = brcmf_fil_bsscfg_data_set(vif->ifp, "actframe_abort", &int_val,
 					sizeof(s32));
 	if (err)
@@ -1789,7 +1818,9 @@ bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,
 			goto exit;
 		}
 	} else if (brcmf_p2p_is_p2p_action(action_frame->data,
-					   action_frame_len)) {
+					   action_frame_len) ||
+		   brcmf_p2p_is_dpp_pub_action(action_frame->data,
+					       action_frame_len)) {
 		/* do not configure anything. it will be */
 		/* sent with a default configuration     */
 	} else {
@@ -1826,6 +1857,7 @@ bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,
 	/* validate channel and p2p ies */
 	if (config_af_params.search_channel &&
 	    IS_P2P_SOCIAL_CHANNEL(le32_to_cpu(af_params->channel)) &&
+	    p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif &&
 	    p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif->saved_ie.probe_req_ie_len) {
 		afx_hdl = &p2p->afx_hdl;
 		afx_hdl->peer_listen_chan = le32_to_cpu(af_params->channel);
@@ -2543,4 +2575,3 @@ void brcmf_p2p_detach(struct brcmf_p2p_info *p2p)
 	/* just set it all to zero */
 	memset(p2p, 0, sizeof(*p2p));
 }
-
diff --git a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
index 7552bdb91991ce..c465208c433182 100644
--- a/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
+++ b/drivers/net/wireless/broadcom/brcm80211/include/brcmu_wifi.h
@@ -233,6 +233,8 @@ static inline bool ac_bitmap_tst(u8 bitmap, int prec)
 
 #define WPA3_AUTH_SAE_PSK	0x40000	/* SAE with 4-way handshake */
 
+#define WFA_AUTH_DPP		0x200000 /* WFA DPP AUTH */
+
 #define DOT11_DEFAULT_RTS_LEN		2347
 #define DOT11_DEFAULT_FRAG_LEN		2346
 

3/2 2026/07/08 16:08 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 7369
							output: 49
							thoughts: 676
						

Thoughts:
**Reaching and Testing DPP Support in brcmfmac**

Okay, so I've got this patch – it's tweaking `brcmfmac` to support DPP authentication (`WLAN_AKM_SUITE_WFA_DPP`) and related OUI types. Specifically, it touches `cfg80211.c` and `p2p.c`. My immediate concern is, can we actually reach this functionality and test it properly?

The driver in question is `brcmfmac`, the Broadcom WiFi driver. The modifications are in the `cfg80211` interface and P2P action frame handling, meaning we're dealing with interactions that *should* be accessible through netlink and network interfaces.

Now, the real challenge. Can we even fuzz this effectively in a virtualized environment? I'm thinking about fuzzing. `brcmfmac` is a hardware driver, meaning it either needs real hardware or, ideally, some sort of simulation layer. I quickly consider whether there’s a simulator. I know that `mac80211` has `mac80211_hwsim`, but this is a fullmac driver.

Then, I remember syzkaller. Syzkaller's USB fuzzing capabilities are intriguing. They have some support for USB fuzzing (dummy HCD) and PCI fuzzing, which *could* get us past the initial probe, and maybe even further if the driver can be instantiated. And `brcmfmac` has USB, SDIO, and PCIe interfaces. Bingo! USB fuzzing is the most promising route. It's likely we can reach the USB probe, register a wiphy, and then expose those cfg80211 operations to user space.

So, let's nail down what functions we need to hit: `brcmf_cfg80211_connect` and `brcmf_p2p_send_action_frame`. If USB fuzzing works, the driver probes, a wiphy gets registered, and netlink commands can trigger `brcmf_cfg80211_connect`. That's a direct path.

Time to look at the config options. Let me make sure `brcmfmac` is compiled with USB support. Need to check: `CONFIG_BRCMFMAC`, `CONFIG_BRCMFMAC_USB`, `CONFIG_BRCMFMAC_PCIE`, and `CONFIG_BRCMFMAC_SDIO`.

Alright, a quick review of the code confirms the connection. `brcmf_cfg80211_connect` is a `cfg80211` callback specifically for the "connect" operation. `brcmf_p2p_send_action_frame` is called from `brcmf_cfg80211_mgmt_tx`, which is the `mgmt_tx` callback.

Now, let's verify those config options and make sure everything is in place for a proper test.



4/2 2026/07/08 16:08 tool grepper
0m Args:
{
  "Expression": "config BRCMFMAC",
  "PathPrefix": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig"
}

Results:
{
  "Output": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:1:config BRCMFMAC\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-2-\ttristate \"Broadcom FullMAC WLAN driver\"\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-10-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:11:config BRCMFMAC_PROTO_BCDC\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-12-\tbool\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-13-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:14:config BRCMFMAC_PROTO_MSGBUF\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-15-\tbool\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-16-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:17:config BRCMFMAC_SDIO\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-18-\tbool \"SDIO bus interface support for FullMAC driver\"\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-28-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:29:config BRCMFMAC_USB\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-30-\tbool \"USB bus interface support for FullMAC driver\"\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-39-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:40:config BRCMFMAC_PCIE\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-41-\tbool \"PCIE bus interface support for FullMAC driver\"\n"
}

5/2 2026/07/08 16:08 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 9350
							output: 52
							thoughts: 132
						

Thoughts:
**Analyzing the Broadcom WiFi Driver for Fuzzing Potential**

Okay, so I'm looking at these configurations: `BRCMFMAC` and `BRCMFMAC_USB`. My first thought is to assess their relevance to fuzzing. I remember `BRCMFMAC` has a dependency on `CFG80211`, which piques my interest. The question is, is this driver worth the effort?

Well, yes, the potential is definitely there. The driver modifies functional logic, which is a key indicator. Plus, I can instantiate the `BRCMFMAC` via USB fuzzing, which is great because Syzkaller has a decent USB fuzzer. That streamlines the fuzzing process significantly.

Now, a critical point I need to verify: does `brcmfmac` need any firmware for initialization? This is crucial for avoiding any false positives. To make sure, I should check the `brcmf_usb_probe` function located in `drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c`. That's the logical starting point to determine if firmware is required and how the USB interface interacts.



6/2 2026/07/08 16:08 tool grepper
0m Args:
{
  "Expression": "brcmf_usb_probe",
  "PathPrefix": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c"
}

Results:
{
  "Output": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c=1157=static const struct brcmf_bus_ops brcmf_usb_bus_ops = {\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1167-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1168:static void brcmf_usb_probe_phase2(struct device *dev, int ret,\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1169-\t\t\t\t   struct brcmf_fw_request *fwreq)\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c=1216=brcmf_usb_prepare_fw_request(struct brcmf_usbdev_info *devinfo)\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1235-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1236:static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo,\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1237-\t\t\t      enum brcmf_fwvendor fwvid)\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1299-\t/* request firmware here */\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1300:\tret = brcmf_fw_get_firmwares(dev, fwreq, brcmf_usb_probe_phase2);\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1301-\tif (ret) {\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c=1333=static int\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1334:brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1335-{\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1434-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1435:\tret = brcmf_usb_probe_cb(devinfo, id-\u003edriver_info);\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1436-\tif (ret)\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c=1503=static int brcmf_usb_reset_resume(struct usb_interface *intf)\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1515-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1516:\tret = brcmf_fw_get_firmwares(\u0026usb-\u003edev, fwreq, brcmf_usb_probe_phase2);\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1517-\tif (ret \u003c 0)\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c=1557=static struct usb_driver brcmf_usbdrvr = {\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1558-\t.name = KBUILD_MODNAME,\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1559:\t.probe = brcmf_usb_probe,\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c-1560-\t.disconnect = brcmf_usb_disconnect,\n"
}

7/2 2026/07/08 16:08 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 10941
							output: 62
							thoughts: 374
						

Thoughts:
**My Assessment of the brcmfmac Driver for Fuzzing**

Okay, so I'm looking at this `brcmfmac` driver, and the immediate concern is firmware availability. The code calls `brcmf_fw_get_firmwares`, and if the firmware's missing, the probe could fail right there. Syzkaller throws some dummy firmware images into the mix, but it's not a guarantee that the `brcmfmac` driver will initialize properly. It could be trying to parse the firmware or talk to the device, so we need to account for those possibilities.

Wait, Syzkaller has pretty extensive coverage for `brcmfmac`, doesn't it? Let me just double check if `brcmf_cfg80211_connect` is actually reachable via the fuzzing.

But, hang on, it doesn't need to be *perfectly* reachable, right? It's really about whether there are *functional* changes in the driver, and, even if the coverage isn't perfect, if it's reachable *in theory* (e.g., through USB fuzzing or netlink if the device is around), I should just mark it as `WorthFuzzing=true`.

The instructions state, explicitly, that if a change modifies reachable core kernel logic, drivers, or architectures, I need to verify that the code *can* be executed with my code search tools, and then mark it `WorthFuzzing=true`. It's specifically a problem if the code paths are impossible to reach in virtualized environments like GCE or QEMU, especially when using software-emulated hardware.

So, is `brcmfmac` impossible to reach? Absolutely not.

With USB fuzzing, which can be done with a dummy HCD, we can emulate the USB device. The driver will probe, it *might* ask for firmware. That's where Syzkaller's fault injection and the dummy files come in handy. If the driver actually parses the firmware and initializes the device, it might register the wiphy.

Let's quickly check if `brcmf_cfg80211_connect` is the best function to focus on in this case.



8/2 2026/07/08 16:08 tool grepper
0m Args:
{
  "Expression": "brcmf_cfg80211_connect",
  "PathPrefix": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c"
}

Results:
{
  "Output": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c=2363=static s32\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:2364:brcmf_cfg80211_connect(struct wiphy *wiphy, struct net_device *ndev,\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-2365-\t\t       struct cfg80211_connect_params *sme)\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c=5957=static struct cfg80211_ops brcmf_cfg80211_ops = {\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-5974-\t.set_power_mgmt = brcmf_cfg80211_set_power_mgmt,\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:5975:\t.connect = brcmf_cfg80211_connect,\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-5976-\t.disconnect = brcmf_cfg80211_disconnect,\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c=6146=static void brcmf_clear_assoc_ies(struct brcmf_cfg80211_info *cfg)\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6147-{\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:6148:\tstruct brcmf_cfg80211_connect_info *conn_info = cfg_to_conn(cfg);\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6149-\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c=6296=static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6300-\tstruct brcmf_cfg80211_assoc_ielen_le *assoc_info;\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:6301:\tstruct brcmf_cfg80211_connect_info *conn_info = cfg_to_conn(cfg);\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6302-\tstruct brcmf_cfg80211_edcf_acparam edcf_acparam_info[EDCF_AC_COUNT];\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c=6378=brcmf_bss_roaming_done(struct brcmf_cfg80211_info *cfg,\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6383-\tstruct brcmf_cfg80211_profile *profile = \u0026ifp-\u003evif-\u003eprofile;\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:6384:\tstruct brcmf_cfg80211_connect_info *conn_info = cfg_to_conn(cfg);\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6385-\tstruct wiphy *wiphy = cfg_to_wiphy(cfg);\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c=6451=brcmf_bss_connect_done(struct brcmf_cfg80211_info *cfg,\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6456-\tstruct brcmf_cfg80211_profile *profile = \u0026ifp-\u003evif-\u003eprofile;\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:6457:\tstruct brcmf_cfg80211_connect_info *conn_info = cfg_to_conn(cfg);\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c-6458-\tstruct cfg80211_connect_resp_params conn_params;\n"
}

9/2 2026/07/08 16:08 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 13236
							output: 49
							thoughts: 406
						

Thoughts:
**Fuzzing Target Identification and Configuration**

Okay, so I've got a patch here affecting several key functions: `brcmf_cfg80211_connect`, `brcmf_configure_wpaie`, `brcmf_p2p_is_dpp_pub_action`, and `brcmf_p2p_send_action_frame`. These are functional modifications, so I'm definitely going to flag this as `WorthFuzzing=true`.

Now, let's pull out the specific symbols to focus on. Looks like we've got: `brcmf_cfg80211_connect`, `brcmf_configure_wpaie`, `brcmf_p2p_send_action_frame`, `brcmf_p2p_is_dpp_pub_action`. Additionally, there are a few modified functions to note: `brcmf_p2p_is_pub_action`, `brcmf_p2p_is_p2p_action`, and `brcmf_p2p_abort_action_frame`.

Next, I need to figure out the right kernel configurations. Let's see... `BRCMFMAC`, `BRCMFMAC_USB`, `BRCMFMAC_PCIE`, and `BRCMFMAC_SDIO`. Do I need all of them? No, that's inefficient. `BRCMFMAC_USB` is the most likely candidate for syzkaller, so let's just stick with `BRCMFMAC` and `BRCMFMAC_USB` for now.

Just to be sure, I should check for any other relevant configurations. Let's see about `WLAN_AKM_SUITE_WFA_DPP`. Nope, it looks like it's defined in the header file, so that's good. Alright, let me just double-check the `brcmfmac/Kconfig` file one more time...



10/2 2026/07/08 16:08 tool grepper
0m Args:
{
  "Expression": "config BRCMFMAC",
  "PathPrefix": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig"
}

Results:
{
  "Output": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:1:config BRCMFMAC\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-2-\ttristate \"Broadcom FullMAC WLAN driver\"\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-10-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:11:config BRCMFMAC_PROTO_BCDC\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-12-\tbool\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-13-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:14:config BRCMFMAC_PROTO_MSGBUF\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-15-\tbool\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-16-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:17:config BRCMFMAC_SDIO\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-18-\tbool \"SDIO bus interface support for FullMAC driver\"\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-28-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:29:config BRCMFMAC_USB\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-30-\tbool \"USB bus interface support for FullMAC driver\"\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-39-\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig:40:config BRCMFMAC_PCIE\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig-41-\tbool \"PCIE bus interface support for FullMAC driver\"\n"
}

11/2 2026/07/08 16:08 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 14737
							output: 48
							thoughts: 121
						

Thoughts:
Okay, here's my summary, considering my expertise:

**Checking P2P Implementation within BRCMFMAC**

Alright, let's get down to brass tacks. I'm going to make sure that I'm covering everything related to P2P within the BRCMFMAC framework, and that includes both `BRCMFMAC` and `BRCMFMAC_USB` builds. I know those are key components.

My next step is to drill down into the core function calls. I want to specifically examine `brcmf_p2p_send_action_frame` and `brcmf_p2p_abort_action_frame`. They're likely in `p2p.c`, and I need to verify their implementation and interactions.

Now, a critical point: is there a specific, dedicated configuration flag or setting within brcmfmac that governs P2P functionality? I need to know if there's a distinct enable/disable switch, or maybe a set of configurable parameters that might affect the behavior. To clarify the build and its settings, let's do a quick `grep` for `p2p.c` within the `drivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile` file. This will give me a clear picture of how this component is incorporated within the build system and any potential conditional compilation options.



12/2 2026/07/08 16:08 tool grepper
0m Args:
{
  "Expression": "p2p\\.o",
  "PathPrefix": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile"
}

Results:
{
  "Output": "drivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile=13=brcmfmac-objs += \\\n--\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile-17-\t\tfweh.o \\\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile:18:\t\tp2p.o \\\ndrivers/net/wireless/broadcom/brcm80211/brcmfmac/Makefile-19-\t\tproto.o \\\n"
}

13/2 2026/07/08 16:08 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 15358
							output: 258
							thoughts: 653
						

Thoughts:
**My Analysis of the Broadcom FullMAC WLAN Driver Changes**

Okay, so the `BRCMFMAC` driver has been updated, and this patch seems focused on adding support for DPP authentication. This is going to involve changes to the firmware supplicant logic within the driver. Since `BRCMFMAC` is enabled by default, I need to understand which specific functions are most likely to be impacted and, therefore, potential targets for fuzzing.

My initial review suggests a few functions are critical: `brcmf_set_key_mgmt`, `brcmf_cfg80211_connect`, `brcmf_configure_wpaie`, `brcmf_p2p_is_pub_action`, `brcmf_p2p_is_dpp_pub_action`, `brcmf_p2p_is_p2p_action`, `brcmf_p2p_abort_action_frame`, and `brcmf_p2p_send_action_frame`. I'll skim over `brcmf_valid_dpp_suite` since it's probably simple, but the others look promising. `brcmf_cfg80211_connect` and `brcmf_configure_wpaie` stand out as important. `brcmf_p2p_send_action_frame` is also critical.

I'll double-check for any configuration dependencies. Ah, `CFG80211` is required for `BRCMFMAC`, so I'll be sure to include that in my configuration. A quick check of `brcmf_cfg80211_connect` in `cfg80211.c` reveals it's a callback for the `cfg80211_ops.connect` function, and `brcmf_p2p_send_action_frame` gets called from `brcmf_cfg80211_mgmt_tx`. The important thing is that these functions are accessible from userspace via netlink, which means I can directly target them with fuzzing.

Based on this analysis, I've compiled the following list of functions to focus on, and the required configurations. My reasoning is that this patch introduces new functionality around DPP and modifies existing P2P logic in a driver that's accessible via netlink and USB, making it a good target for fuzzing.

Here is the data:

`WorthFuzzing: true`

`FocusSymbols:`
- `brcmf_set_key_mgmt`
- `brcmf_cfg80211_connect`
- `brcmf_configure_wpaie`
- `brcmf_p2p_is_pub_action`
- `brcmf_p2p_is_dpp_pub_action`
- `brcmf_p2p_is_p2p_action`
- `brcmf_p2p_abort_action_frame`
- `brcmf_p2p_send_action_frame`

`EnableConfigs:`
- `BRCMFMAC`
- `BRCMFMAC_USB`
- `CFG80211`

`Reasoning:` The patch adds support for DPP authentication and modifies the firmware supplicant logic in the Broadcom FullMAC WLAN driver (brcmfmac). It also updates P2P action frame handling to support DPP public action frames. These are functional changes in the driver's cfg80211 callbacks and P2P logic, which can be reached via netlink commands and USB fuzzing.



14/2 2026/07/08 16:08 tool set-results
0m Args:
{
  "EnableConfigs": [
    "BRCMFMAC",
    "BRCMFMAC_USB",
    "CFG80211"
  ],
  "FocusSymbols": [
    "brcmf_set_key_mgmt",
    "brcmf_cfg80211_connect",
    "brcmf_configure_wpaie",
    "brcmf_p2p_is_pub_action",
    "brcmf_p2p_is_dpp_pub_action",
    "brcmf_p2p_is_p2p_action",
    "brcmf_p2p_abort_action_frame",
    "brcmf_p2p_send_action_frame"
  ],
  "Reasoning": "The patch adds support for DPP authentication and modifies the firmware supplicant logic in the Broadcom FullMAC WLAN driver (brcmfmac). It also updates P2P action frame handling to support DPP public action frames. These are functional changes in the driver's cfg80211 callbacks and P2P logic, which can be reached via netlink commands and USB fuzzing.",
  "WorthFuzzing": true
}

Results:
{
  "EnableConfigs": [
    "BRCMFMAC",
    "BRCMFMAC_USB",
    "CFG80211"
  ],
  "FocusSymbols": [
    "brcmf_set_key_mgmt",
    "brcmf_cfg80211_connect",
    "brcmf_configure_wpaie",
    "brcmf_p2p_is_pub_action",
    "brcmf_p2p_is_dpp_pub_action",
    "brcmf_p2p_is_p2p_action",
    "brcmf_p2p_abort_action_frame",
    "brcmf_p2p_send_action_frame"
  ],
  "Reasoning": "The patch adds support for DPP authentication and modifies the firmware supplicant logic in the Broadcom FullMAC WLAN driver (brcmfmac). It also updates P2P action frame handling to support DPP public action frames. These are functional changes in the driver's cfg80211 callbacks and P2P logic, which can be reached via netlink commands and USB fuzzing.",
  "WorthFuzzing": true
}

LLM Calls Summary:
Total Calls Total Tokens Avg Tokens Total Duration (Seconds) Avg Duration (Seconds)
Tool Calls Summary:
Total Calls Total Duration (Seconds) Avg Duration (Seconds)