Re: [syzbot] [wireless?] WARNING in ieee80211_sta_current_bw
From: Lachlan Hodges
Date: Sun May 10 2026 - 22:22:58 EST
> WARNING: ./include/net/mac80211.h:8114 at ieee80211_chan_width_to_rx_bw include/net/mac80211.h:8114 [inline], CPU#1: syz.4.4769/22510
> WARNING: ./include/net/mac80211.h:8114 at ieee80211_sta_current_bw_tx_to_sta net/mac80211/sta_info.c:3719 [inline], CPU#1: syz.4.4769/22510
> WARNING: ./include/net/mac80211.h:8114 at ieee80211_sta_current_bw+0x36d/0x510 net/mac80211/sta_info.c:3745, CPU#1: syz.4.4769/22510
> Modules linked in:
> CPU: 1 UID: 0 PID: 22510 Comm: syz.4.4769 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
> RIP: 0010:ieee80211_chan_width_to_rx_bw include/net/mac80211.h:8114 [inline]
> RIP: 0010:ieee80211_sta_current_bw_tx_to_sta net/mac80211/sta_info.c:3719 [inline]
> RIP: 0010:ieee80211_sta_current_bw+0x36d/0x510 net/mac80211/sta_info.c:3745
> Code: 00 00 00 eb 49 41 83 fe 05 74 30 41 83 fe 0d 75 13 e8 47 8f af f6 b8 04 00 00 00 eb 31 e8 3b 8f af f6 eb 28 e8 34 8f af f6 90 <0f> 0b 90 eb 1d e8 29 8f af f6 b8 02 00 00 00 eb 13 e8 1d 8f af f6
> RSP: 0018:ffffc90006f4eed8 EFLAGS: 00010283
> RAX: ffffffff8b161cfc RBX: 1ffff1100d1da030 RCX: 0000000000080000
> RDX: ffffc9000e5d2000 RSI: 0000000000000e31 RDI: 0000000000000e32
> RBP: 0000000000000004 R08: ffff888054ad5c40 R09: 0000000000000007
> R10: 000000000000000d R11: 0000000000000002 R12: ffff888068ed0180
> R13: dffffc0000000000 R14: 0000000000000007 R15: 0000000000000000
> FS: 00007fe58f5f66c0(0000) GS:ffff888125389000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000110c2c8823 CR3: 0000000038486000 CR4: 00000000003526f0
This looks to be 10MHz given R14 = 7 which seems to be the operand
being compared I think. The 2 patches I sent the other week should
fix this occurring for any S1G bandwidths, not sure about 5 and 10MHz.
At least for this situation, it would be the same - we don't wanna
recalc the mindef for 5 and 10MHz since the mindef isn't recalculated
for 5/10MHz like S1G. But then I'm not sure the S1G workaround for
ieee80211_sta_init_nss_bw_capa since maybe nss might be greater than
1 for 5/10MHz?
lachlan