> >
> > > - Remove WARN_ON and early return in ieee80211_report_disconnect()
> > > - Change the return type of ieee80211_set_disassoc(). If
> > > ieee80211_report_disconnect() uses the frame_buf initialized by
> > > ieee80211_set_disassoc(), its invocation is now conditional based
> > > on the return value of ieee80211_set_disassoc().
> >
> > I don't understand this change ... surely syzbot couldn't have run into
> > an uninitialized buffer after the WARN_ON since it has panic_on_warn. So
> > why all these changes:
>
> yes, syzbot couldn't have run into an uninitialized buffer after the
> WARN_ON on **patch v2** such as:
>
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -4433,6 +4433,10 @@ static void ieee80211_report_disconnect(struct
> ieee80211_sub_if_data *sdata,
> .u.mlme.data = tx ? DEAUTH_TX_EVENT : DEAUTH_RX_EVENT,
> .u.mlme.reason = reason,
> };
> + struct sta_info *ap_sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
> +
> + if (WARN_ON(!ap_sta))
> + return;
I think you misunderstood ... We have this WARN_ON since 687a7c8a7227
("wifi: mac80211: change disassoc sequence a bit"). Therefore, !ap_sta
cannot be the cause of syzbot complaints, since WARN_ON would panic it
before it ever gets to the uninitialized memory use.
> "You're adding a WARN_ON() that's now guaranteed to trigger, no
so now it's no longer your WARN_ON, I guess, but how did it trigger? I
really think we need to figure out how it triggered and fix _that_.
johannes
