If we're scanning and got the control frame with zero rate mask, drop the frame before '__rate_control_send_low()' getting stuck attempting to select supported rate. Reported-by: syzbot+fdc5123366fb9c3fdc6d@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=fdc5123366fb9c3fdc6d Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx> --- net/mac80211/tx.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 314998fdb1a5..53a473a2f8dd 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -701,7 +701,12 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx) txrc.bss_conf = &tx->sdata->vif.bss_conf; txrc.skb = tx->skb; txrc.reported_rate.idx = -1; - txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band]; + + if (tx->sdata->rc_rateidx_mask[info->band]) + txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band]; + else if (test_bit(SCAN_SW_SCANNING, &tx->local->scanning)) + /* we're scanning but have no usable rates */ + return TX_DROP; if (tx->sdata->rc_has_mcs_mask[info->band]) txrc.rate_idx_mcs_mask = -- 2.43.0
