Re: [syzbot] [wireless?] WARNING in ieee80211_sta_current_bw
From: Johannes Berg
Date: Mon May 11 2026 - 04:54:27 EST

Hi Lachlan,

On Mon, 2026-05-11 at 12:22 +1000, Lachlan Hodges wrote:
> > WARNING: ./include/net/mac80211.h:8114 at ieee80211_chan_width_to_rx_bw include/net/mac80211.h:8114 [inline], CPU#1: syz.4.4769/22510
> > WARNING: ./include/net/mac80211.h:8114 at ieee80211_sta_current_bw_tx_to_sta net/mac80211/sta_info.c:3719 [inline], CPU#1: syz.4.4769/22510
> > WARNING: ./include/net/mac80211.h:8114 at ieee80211_sta_current_bw+0x36d/0x510 net/mac80211/sta_info.c:3745, CPU#1: syz.4.4769/22510
> > Modules linked in:
> > CPU: 1 UID: 0 PID: 22510 Comm: syz.4.4769 Not tainted syzkaller #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
> > RIP: 0010:ieee80211_chan_width_to_rx_bw include/net/mac80211.h:8114 [inline]
> > RIP: 0010:ieee80211_sta_current_bw_tx_to_sta net/mac80211/sta_info.c:3719 [inline]
> > RIP: 0010:ieee80211_sta_current_bw+0x36d/0x510 net/mac80211/sta_info.c:3745
> > Code: 00 00 00 eb 49 41 83 fe 05 74 30 41 83 fe 0d 75 13 e8 47 8f af f6 b8 04 00 00 00 eb 31 e8 3b 8f af f6 eb 28 e8 34 8f af f6 90 <0f> 0b 90 eb 1d e8 29 8f af f6 b8 02 00 00 00 eb 13 e8 1d 8f af f6
> > RSP: 0018:ffffc90006f4eed8 EFLAGS: 00010283
> > RAX: ffffffff8b161cfc RBX: 1ffff1100d1da030 RCX: 0000000000080000
> > RDX: ffffc9000e5d2000 RSI: 0000000000000e31 RDI: 0000000000000e32
> > RBP: 0000000000000004 R08: ffff888054ad5c40 R09: 0000000000000007
> > R10: 000000000000000d R11: 0000000000000002 R12: ffff888068ed0180
> > R13: dffffc0000000000 R14: 0000000000000007 R15: 0000000000000000
> > FS: 00007fe58f5f66c0(0000) GS:ffff888125389000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000000110c2c8823 CR3: 0000000038486000 CR4: 00000000003526f0
>
> This looks to be 10MHz given R14 = 7 which seems to be the operand
> being compared I think. The 2 patches I sent the other week should
> fix this occurring for any S1G bandwidths, not sure about 5 and 10MHz.

Thanks for taking a look at this! I'll apply those soon, seems the test
bot got stuck again.

> At least for this situation, it would be the same - we don't wanna
> recalc the mindef for 5 and 10MHz since the mindef isn't recalculated
> for 5/10MHz like S1G. But then I'm not sure the S1G workaround for
> ieee80211_sta_init_nss_bw_capa since maybe nss might be greater than
> 1 for 5/10MHz?

Technically, yes. However, 5/10 is pretty much unreachable in practice.
I had proposed removing it a long time ago, we should probably just do
that...

johannes