git-server-git.apps.pok.os.sepia.ceph.com Git

author	Felix Fietkau <nbd@nbd.name>
	Thu, 5 Mar 2026 17:08:12 +0000 (17:08 +0000)
committer	Johannes Berg <johannes.berg@intel.com>
	Fri, 6 Mar 2026 10:08:43 +0000 (11:08 +0100)
commit	672e5229e1ecfc2a3509b53adcb914d8b024a853
tree	5a4ad76077950da0ccbb19ef8626770e2ebcaf01	tree \| snapshot
parent	ac6f24cc9c0a9aefa55ec9696dcafa971d4d760b	commit \| diff

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses
link->reserved.oper via sta->sdata->link[link_id]. For stations on
AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
the VLAN sdata, whose link never participates in chanctx reservations.
This leaves link->reserved.oper zero-initialized with chan == NULL,
causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
before accessing link data.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://patch.msgid.link/20260305170812.2904208-1-nbd@nbd.name
[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>