From: Arjan van de Ven
Subject: [PATCH] wifi: mac80211_hwsim: fix divide-by-zero on zero beacon interval

This patch is based on an Oops as reported by syzbot at
https://lore.kernel.org/r/69efb8dd.050a0220.18b4f.0006.GAE@google.com.

When ieee80211_offchannel_return() re-enables beaconing after a software scan completes, it sets bss_conf.enable_beacon to true and calls ieee80211_link_info_change_notify() with BSS_CHANGED_BEACON_ENABLED, without updating bss_conf.beacon_int. If the beacon interval was never initialised -- which syzbot can arrange by creating an AP interface without setting it -- info->beacon_int is zero when mac80211_hwsim_link_info_changed() receives the notification.

Inside mac80211_hwsim_link_info_changed() the handler sets link_data->beacon_int = info->beacon_int * 1024, then calls do_div(tsf, bcn_int) to compute the time until the next Target Beacon Transmission Time (TBTT). With bcn_int equal to zero the division faults with an x86 #DE (divide error) exception, crashing the kernel.

An identical do_div(tsf, bcn_int) in mac80211_hwsim_config() is already protected by a !link_data->beacon_int check that cancels the beacon timer rather than starting it with a zero period. The BSS_CHANGED_BEACON_ENABLED path in mac80211_hwsim_link_info_changed() has no equivalent guard.

Add an early return when bcn_int is zero. A zero beacon interval is invalid for timer scheduling; no timer should be armed with a zero period. This mirrors the existing guard in mac80211_hwsim_config().

Reported-by: syzbot+ca7a2759caaa6cd4e3db@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/69efb8dd.050a0220.18b4f.0006.GAE@google.com
Oops-Analysis: http://oops.fenrus.org/reports/lkml/69efb8dd.050a0220.18b4f.0006.GAE_google.com/report.html
Fixes: c51f878379b1 ("mac80211_hwsim: fix beacon timing")
Assisted-by: patcher:claude-sonnet-4.6 linux-kernel-oops-x86.
Signed-off-by: Arjan van de Ven Cc: Johannes Berg Cc: linux-wireless@vger.kernel.org Cc: linux-kernel@vger.kernel.org --- drivers/net/wireless/virtual/mac80211_hwsim.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/wireless/virtual/mac80211_hwsim.c +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c @@ -2730,7 +2730,9 @@ static void mac80211_hwsim_link_info_changed(struct ieee80211_hw *hw, u32 bcn_int; link_data->beacon_int = info->beacon_int * 1024; tsf = mac80211_hwsim_get_tsf(hw, vif); bcn_int = link_data->beacon_int; + if (!bcn_int) + return; until_tbtt = bcn_int - do_div(tsf, bcn_int); hrtimer_start(&link_data->beacon_timer,
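Review bot: the added `return` leaves the whole mac80211_hwsim_link_info_changed() handler, not just the BSS_CHANGED_BEACON_ENABLED block, so any other BSS_CHANGED_* bits carried in the same `changed` mask are silently dropped whenever the beacon interval is zero. Skipping only the timer arming keeps the rest of the handler running, e.g. `if (bcn_int) { until_tbtt = bcn_int - do_div(tsf, bcn_int); hrtimer_start(...); }`, and a wiphy_dbg() of the rejected zero interval would make the condition visible in traces instead of being swallowed. The commit message also notes that the guard in mac80211_hwsim_config() cancels the beacon timer; please state in the message why this path can return without touching the timer (or cancel it here too), and note that link_data->beacon_int is deliberately left at 0 so the config-path check still sees the invalid interval.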