Dear Linux Kernel Maintainers, I hope this message finds you well. I am writing to report a potential vulnerability I encountered during testing of the Linux Kernel version v6.14. Git Commit: 38fec10eb60d687e30c8c6b5420d86e8149f7557 (tag: v6.14) Bug Location: 0010:__ieee80211_beacon_update_cntdwn.isra.0.part.0+0x6/0x10 net/mac80211/tx.c:5040 Bug report: https://pastebin.com/8BAbTqUc Complete log: https://pastebin.com/YgXnKSiP Entire kernel config: https://pastebin.com/MRWGr3nv Root Cause Analysis: The kernel warning originates from __ieee80211_beacon_update_cntdwn() in net/mac80211/tx.c, where the countdown field for Channel Switch Announcement (CSA) elements in beacon frames is updated. The warning is triggered due to an invalid internal state, likely caused by malformed netlink input. The user-space process syz.0.238 sent a netlink message with an invalid attribute length, and the simulated driver mac80211_hwsim attempted to process it. This resulted in invalid countdown offset handling, leading to a WARN_ON() in beacon generation. This is indicative of missing sanity checks on user-provided parameters in the beacon update logic of mac80211. At present, I have not yet obtained a minimal reproducer for this issue. However, I am actively working on reproducing it, and I will promptly share any additional findings or a working reproducer as soon as it becomes available. Thank you very much for your time and attention to this matter. I truly appreciate the efforts of the Linux kernel community. Best regards, John
