cfg80211: only allow S1G channels on S1G band

As discovered by syzbot, cfg80211 was accepting S1G
channel widths on non-S1G bands. Add a check for this, and
consolidate the 1MHz frequency check as it ends up being a
subset of the others.

Reported-by: syzbot+92715a0eccd6c881bc32@syzkaller.appspotmail.com
Fixes: 11b34737b18a ("nl80211: support setting S1G channels")
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Link: https://lore.kernel.org/r/20201005165122.17583-1-thomas@adapt-ip.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index 96e24ee4c7e8c1af5d8cb5b994da0049f8ca32fc..22d1779ab2b1bc060ddfddc67605a2385e704792 100644 (file)
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -207,7 +207,6 @@ bool cfg80211_chandef_valid(const struct cfg80211_chan_def *chandef)
        control_freq = chandef->chan->center_freq;
 
        switch (chandef->width) {
-       case NL80211_CHAN_WIDTH_1:
        case NL80211_CHAN_WIDTH_5:
        case NL80211_CHAN_WIDTH_10:
        case NL80211_CHAN_WIDTH_20:
@@ -218,10 +217,14 @@ bool cfg80211_chandef_valid(const struct cfg80211_chan_def *chandef)
                if (chandef->center_freq2)
                        return false;
                break;
+       case NL80211_CHAN_WIDTH_1:
        case NL80211_CHAN_WIDTH_2:
        case NL80211_CHAN_WIDTH_4:
        case NL80211_CHAN_WIDTH_8:
        case NL80211_CHAN_WIDTH_16:
+               if (chandef->chan->band != NL80211_BAND_S1GHZ)
+                       return false;
+
                control_freq = ieee80211_channel_to_khz(chandef->chan);
                oper_freq = ieee80211_chandef_to_khz(chandef);
                control_width = nl80211_chan_width_to_mhz(