| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/07/12 08:36 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": [
"MAC80211_HWSIM"
],
"FocusSymbols": [
"hwsim_tx_info_frame_received_nl"
],
"Reasoning": "The patch adds a length check for a netlink attribute in mac80211_hwsim to prevent an out-of-bounds read. This is a functional change in a reachable netlink handler.",
"WorthFuzzing": true
} |
| 1/1 | 2026/07/12 08:36 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit 0b1515173c89dd4e8b91c95a8cf3ee0f8059ef6b\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Sun Jul 12 08:36:13 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/wireless/virtual/mac80211_hwsim_main.c b/drivers/net/wireless/virtual/mac80211_hwsim_main.c\nindex 0dd8a6c8595344..6ef7398ffaaddc 100644\n--- a/drivers/net/wireless/virtual/mac80211_hwsim_main.c\n+++ b/drivers/net/wireless/virtual/mac80211_hwsim_main.c\n@@ -6340,6 +6340,17 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,\n \t !info-\u003eattrs[HWSIM_ATTR_TX_INFO])\n \t\tgoto out;\n \n+\t/*\n+\t * HWSIM_ATTR_TX_INFO is NLA_BINARY with only a maximum length in\n+\t * its policy entry, so nla_validate() accepts any shorter (incl.\n+\t * zero-length) payload. The read loop below unconditionally walks\n+\t * IEEE80211_TX_MAX_RATES entries, so reject undersized attributes\n+\t * here before any data is touched.\n+\t */\n+\tif (nla_len(info-\u003eattrs[HWSIM_ATTR_TX_INFO]) \u003c\n+\t IEEE80211_TX_MAX_RATES * sizeof(struct hwsim_tx_rate))\n+\t\tgoto out;\n+\n \tsrc = (void *)nla_data(info-\u003eattrs[HWSIM_ATTR_ADDR_TRANSMITTER]);\n \thwsim_flags = nla_get_u32(info-\u003eattrs[HWSIM_ATTR_FLAGS]);\n \tret_skb_cookie = nla_get_u64(info-\u003eattrs[HWSIM_ATTR_COOKIE]);\n"
} |
| 2/1 | 2026/07/12 08:36 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"MAC80211_HWSIM"
],
"FocusSymbols": [
"hwsim_tx_info_frame_received_nl"
],
"Reasoning": "The patch adds a length check for a netlink attribute in mac80211_hwsim to prevent an out-of-bounds read. This is a functional change in a reachable netlink handler.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit 0b1515173c89dd4e8b91c95a8cf3ee0f8059ef6b
Author: syz-cluster <triage@syzkaller.com>
Date: Sun Jul 12 08:36:13 2026 +0000
syz-cluster: applied patch under review
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim_main.c b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
index 0dd8a6c8595344..6ef7398ffaaddc 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim_main.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
@@ -6340,6 +6340,17 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
!info->attrs[HWSIM_ATTR_TX_INFO])
goto out;
+ /*
+ * HWSIM_ATTR_TX_INFO is NLA_BINARY with only a maximum length in
+ * its policy entry, so nla_validate() accepts any shorter (incl.
+ * zero-length) payload. The read loop below unconditionally walks
+ * IEEE80211_TX_MAX_RATES entries, so reject undersized attributes
+ * here before any data is touched.
+ */
+ if (nla_len(info->attrs[HWSIM_ATTR_TX_INFO]) <
+ IEEE80211_TX_MAX_RATES * sizeof(struct hwsim_tx_rate))
+ goto out;
+
src = (void *)nla_data(info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER]);
hwsim_flags = nla_get_u32(info->attrs[HWSIM_ATTR_FLAGS]);
ret_skb_cookie = nla_get_u64(info->attrs[HWSIM_ATTR_COOKIE]);
|
| 3/2 | 2026/07/12 08:36 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 2080 output: 53 thoughts: 138 Thoughts: **Analyzing a Wireless Driver Patch** Okay, so I've got this patch affecting `drivers/net/wireless/virtual/mac80211_hwsim_main.c`. It looks like the core of the change is in `hwsim_tx_info_frame_received_nl`, where they've added a length check for `HWSIM_ATTR_TX_INFO`. Sounds like a standard defensive programming measure to prevent an out-of-bounds read, potentially a critical bug fix, though the specific issue isn't mentioned. We need to figure out the exact bounds, and what the attack vector is. Since we're dealing with `MAC80211_HWSIM`, it's clear this relates to the hardware simulator. Makes sense. Now, let's dive deeper and thoroughly examine `hwsim_tx_info_frame_received_nl`. I'll want to see how this function is *called* too – the call chain is crucial for understanding the impact and the potential exploit surface. I need to understand what's passing data into this function, how it's being used, and the context in which this length check becomes significant. Time to pull up the code and get into it. |
| 4/2 | 2026/07/12 08:36 | tool | grepper |
0mArgs:{
"Expression": "hwsim_tx_info_frame_received_nl",
"PathPrefix": "drivers/net/wireless/virtual/mac80211_hwsim_main.c"
}Results: {
"Output": "drivers/net/wireless/virtual/mac80211_hwsim_main.c=6306=static void hwsim_register_wmediumd(struct net *net, u32 portid)\n--\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c-6319-\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c:6320:static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c-6321-\t\t\t\t\t struct genl_info *info)\n--\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c=7052=static const struct genl_small_ops hwsim_ops[] = {\n--\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c-7066-\t\t.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c:7067:\t\t.doit = hwsim_tx_info_frame_received_nl,\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c-7068-\t},\n--\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c=7243=static int hwsim_virtio_handle_cmd(struct sk_buff *skb)\n--\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c-7270-\tcase HWSIM_CMD_TX_INFO_FRAME:\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c:7271:\t\thwsim_tx_info_frame_received_nl(skb, \u0026info);\ndrivers/net/wireless/virtual/mac80211_hwsim_main.c-7272-\t\tbreak;\n"
} |
| 5/2 | 2026/07/12 08:36 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 3068 output: 41 thoughts: 66 Thoughts: Here's my summary, as though I'm thinking through this process: **Analyzing the HWSIM_CMD_TX_INFO_FRAME Netlink Handler** Alright, let's take a look at this `hwsim_tx_info_frame_received_nl` function. Based on the name, it's pretty clear that it's handling the `HWSIM_CMD_TX_INFO_FRAME` netlink command. My initial impression is that this is *definitely* a prime candidate for fuzzing. Netlink handlers, especially those dealing with potentially complex data structures, are often fertile ground for finding vulnerabilities. First, I should confirm that this functionality is actually compiled into the kernel. The presence of `MAC80211_HWSIM` in the configuration suggests it, but let's quickly double-check that this is indeed the case. A quick check of the Kconfig options will settle this and save a wild goose chase. Then I can continue. |
| 6/2 | 2026/07/12 08:36 | tool | grepper |
0mArgs:{
"Expression": "config MAC80211_HWSIM",
"PathPrefix": "drivers/net/wireless/virtual/Kconfig"
}Results: {
"Output": "drivers/net/wireless/virtual/Kconfig:1:config MAC80211_HWSIM\ndrivers/net/wireless/virtual/Kconfig-2-\ttristate \"Simulated radio testing tool for mac80211\"\n"
} |
| 7/2 | 2026/07/12 08:36 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 3454 output: 100 thoughts: 46 Thoughts: Here's my take on those thoughts: **Analyzing the HWSIM TX Frame Reception** Okay, so I'm looking at this and confirming that `MAC80211_HWSIM` is the relevant config here. That tells me we're dealing with the hardware simulation environment, which is good. The function I'm focusing on is `hwsim_tx_info_frame_received_nl`. This is the one where the information about transmitted frames is received and processed from the netlink socket within the hwsim environment. Now, I think the next logical step here is to call `set-results`. I want to use this to capture the result of the frame transmission and its associated information. This might involve marking the completion of a transaction, tracking success or failures, or providing statistics, depending on how this function has been setup. I'm going to need to look at what `set-results` does in that context so that I have a better understanding of the overall hwsim data flow. |
| 8/2 | 2026/07/12 08:36 | tool | set-results |
0mArgs:{
"EnableConfigs": [
"MAC80211_HWSIM"
],
"FocusSymbols": [
"hwsim_tx_info_frame_received_nl"
],
"Reasoning": "The patch adds a length check for a netlink attribute in mac80211_hwsim to prevent an out-of-bounds read. This is a functional change in a reachable netlink handler.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"MAC80211_HWSIM"
],
"FocusSymbols": [
"hwsim_tx_info_frame_received_nl"
],
"Reasoning": "The patch adds a length check for a netlink attribute in mac80211_hwsim to prevent an out-of-bounds read. This is a functional change in a reachable netlink handler.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|