[PATCH] mac80211_hwsim: fix divide error in mac80211_hwsim_link_info_changed

From: Deepakkumar Karn

Date: Fri Dec 05 2025 - 10:35:58 EST


Prevent a division by zero crash when userspace provides a zero beacon
interval value. The crash occurs in the beacon timer setup code path when
info->beacon_int is 0, causing bcn_int to be 0 and triggering a divide
error in the do_div() macro. The issue can be triggered from userspace via
nl80211/cfg80211 when configuring a virtual interface in AP mode with an
invalid beacon interval.

Fixes: e57f8a489c29 ("wifi: mac80211_hwsim: send a beacon per link")
Reported-by: syzbot+5bb5f06f99924ea0cf86@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=5bb5f06f99924ea0cf86
Signed-off-by: Deepakkumar Karn <dkarn@xxxxxxxxxx>
---
drivers/net/wireless/virtual/mac80211_hwsim.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
index 5903d82e1ab1..e67e2c989ea6 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -2595,11 +2595,14 @@ static void mac80211_hwsim_link_info_changed(struct ieee80211_hw *hw,
link_data->beacon_int = info->beacon_int * 1024;
tsf = mac80211_hwsim_get_tsf(hw, vif);
bcn_int = link_data->beacon_int;
- until_tbtt = bcn_int - do_div(tsf, bcn_int);
+ /* Proceed only when bcn_int != 0 */
+ if (bcn_int) {
+ until_tbtt = bcn_int - do_div(tsf, bcn_int);

- hrtimer_start(&link_data->beacon_timer,
- ns_to_ktime(until_tbtt * NSEC_PER_USEC),
- HRTIMER_MODE_REL_SOFT);
+ hrtimer_start(&link_data->beacon_timer,
+ ns_to_ktime(until_tbtt * NSEC_PER_USEC),
+ HRTIMER_MODE_REL_SOFT);
+ }
} else if (!info->enable_beacon) {
unsigned int count = 0;
ieee80211_iterate_active_interfaces_atomic(
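Review bot: The new `if (bcn_int)` guard skips `hrtimer_start()` silently, while `link_data->beacon_int = info->beacon_int * 1024;` above it still stores the zero, so the link ends up with a zero interval and no armed beacon timer, and nothing in the hunk records that. The comment `/* Proceed only when bcn_int != 0 */` only restates the condition; it would help more to say why zero can reach this point (the commit message names userspace via nl80211/cfg80211) and what the intended behaviour is when it does. Consider also whether the zero should be rejected before it is written to `link_data->beacon_int`, since any other code that divides by that field would otherwise need the same check.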
--
2.51.1