mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations - kernel/linux.git

diff options

author	Felix Fietkau <nbd@nbd.name>	2026-03-05 20:08:12 +0300
committer	Johannes Berg <johannes.berg@intel.com>	2026-03-06 13:08:43 +0300
commit	672e5229e1ecfc2a3509b53adcb914d8b024a853 (patch)
tree	5a4ad76077950da0ccbb19ef8626770e2ebcaf01 /scripts
parent	ac6f24cc9c0a9aefa55ec9696dcafa971d4d760b (diff)
download	linux-672e5229e1ecfc2a3509b53adcb914d8b024a853.tar.xz

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name> Link: https://patch.msgid.link/20260305170812.2904208-1-nbd@nbd.name [also change sta->sdata in ARRAY_SIZE even if it doesn't matter] Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Diffstat (limited to 'scripts')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: