Dear Linux Kernel Maintainers, I hope this message finds you well. I am writing to report a potential vulnerability I encountered during testing of the Linux Kernel version v6.15-rc5. Git Commit: 92a09c47464d040866cf2b4cd052bc60555185fb (tag: v6.15-rc5) Bug Location: ieee80211_handle_queued_frames+0xd9/0x130 net/mac80211/main.c Bug report: https://hastebin.com/share/itequxofas.yaml Complete log: https://hastebin.com/share/opasimohab.perl Entire kernel config: https://hastebin.com/share/padecilimo.ini Root Cause Analysis: This entire chain is triggered indirectly by cfg80211_update_known_bss() from the wireless networking stack, as it tries to update BSS (Basic Service Set) entries for scanned wireless networks. This function uses kvfree_rcu() to deallocate stale BSS data, which in turn invokes kasan_record_aux_stack() and then stack_trace_save() for KASAN quarantine bookkeeping. That leads to complex locking and backtrace operations, especially involving lockdep. The deeper root causes include: Lockdep recursion while handling RCU-related memory free paths (kvfree_rcu) in cfg80211_update_known_bss(). Excessive softirq processing time in tasklet_action_common() and handle_softirqs() due to high BSS update rate or malformed wireless frame processing in a fuzzing context. Potential deadlock or pathological behavior in lock_acquire() due to corrupted lock dependency chains or misused locks in the wireless networking stack. This loop fails to yield CPU time or reschedule, triggering the watchdog soft lockup detector. At present, I have not yet obtained a minimal reproducer for this issue. However, I am actively working on reproducing it, and I will promptly share any additional findings or a working reproducer as soon as it becomes available. Thank you very much for your time and attention to this matter. I truly appreciate the efforts of the Linux kernel community. Best regards, John
