X-Mailing-List: linux-kernel@vger.kernel.org
Date: Sat, 30 May 2026 17:33:42 -0700
In-Reply-To: <6a1b4f33.fbc46276.d3ed.0459.GAE@google.com>
Message-ID: <6a1b81e6.323e8352.141b09.0005.GAE@google.com>
Subject: Forwarded: [PATCH] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When parsing the radiotap header of an injected frame,
ieee80211_parse_tx_radiotap() uses the IEEE80211_RADIOTAP_ANTENNA value
directly as a shift count:

    info->control.antennas |= BIT(*iterator.this_arg);

*iterator.this_arg is an 8-bit value taken straight from the frame supplied
by userspace, so BIT() can be asked to shift by up to 255. That is undefined
behaviour on the unsigned long and is reported by UBSAN:

UBSAN: shift-out-of-bounds in net/mac80211/tx.c:2174:30
shift exponent 235 is too large for 64-bit type 'unsigned long'
Call Trace:
 ieee80211_parse_tx_radiotap+0xadb/0x1950 net/mac80211/tx.c:2174
 ieee80211_monitor_start_xmit+0xb1f/0x1250 net/mac80211/tx.c:2451
 ...
 packet_sendmsg+0x3eb6/0x50f0 net/packet/af_packet.c:3109

info->control.antennas is a 2-bit bitmap (u8 antennas:2), so only antenna
indices 0 and 1 can ever be represented. Ignore any larger value instead of
shifting out of bounds.

Reported-by: syzbot+8e0622f6d9446420271f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8e0622f6d9446420271f
Fixes: ef246a1480cc ("wifi: mac80211: support antenna control in injection")
Signed-off-by: Deepanshu Kartikey
---
 net/mac80211/tx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index b487d2330f25..ea7f63e1fc17 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2181,7 +2181,9 @@ bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, =20 case IEEE80211_RADIOTAP_ANTENNA: /* this can appear multiple times, keep a bitmap */ - info->control.antennas |=3D BIT(*iterator.this_arg); + /* control.antennas is only a 2-bit bitmap */ + if (*iterator.this_arg < 2) + info->control.antennas |=3D BIT(*iterator.this_arg); break; =20 case IEEE80211_RADIOTAP_DATA_RETRIES: --=20 2.43.0
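Review bot: the bound in `if (*iterator.this_arg < 2)` hard-codes the width of `info->control.antennas`, which the commit message describes as a 2-bit bitfield (`u8 antennas:2`); if that field is ever widened the check silently goes stale, so consider expressing the limit in terms of the field itself (a named constant defined beside the bitfield, or a comparison against the largest value the field can hold) so the two cannot drift apart. It is also worth a sentence in the comment or commit message on why an out-of-range antenna index is dropped while the frame is still accepted, rather than the function returning false as it does for other invalid radiotap fields; either behaviour is defensible, but the `if` should say which one is intended.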