Commit 672e5229 authored Mar 05, 2026 by Felix Fietkau Committed by Johannes Berg Mar 06, 2026

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations



ieee80211_chan_bw_change() iterates all stations and accesses
link->reserved.oper via sta->sdata->link[link_id]. For stations on
AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
the VLAN sdata, whose link never participates in chanctx reservations.
This leaves link->reserved.oper zero-initialized with chan == NULL,
causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
before accessing link data.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://patch.msgid.link/20260305170812.2904208-1-nbd@nbd.name


[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent ac6f24cc

net/mac80211/chan.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -561,14 +561,16 @@ static void ieee80211_chan_bw_change(struct ieee80211_local *local,
		rcu_read_lock();
		list_for_each_entry_rcu(sta, &local->sta_list,
		list) {
		struct ieee80211_sub_if_data *sdata = sta->sdata;
		struct ieee80211_sub_if_data *sdata;
		enum ieee80211_sta_rx_bandwidth new_sta_bw;
		unsigned int link_id;

		if (!ieee80211_sdata_running(sta->sdata))
		continue;

		for (link_id = 0; link_id < ARRAY_SIZE(sta->sdata->link); link_id++) {
		sdata = get_bss_sdata(sta->sdata);

		for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) {
		struct ieee80211_link_data *link =
		rcu_dereference(sdata->link[link_id]);
		struct ieee80211_bss_conf *link_conf;