mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses
link->reserved.oper via sta->sdata->link[link_id]. For stations on
AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
the VLAN sdata, whose link never participates in chanctx reservations.
This leaves link->reserved.oper zero-initialized with chan == NULL,
causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
before accessing link data.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://patch.msgid.link/20260305170812.2904208-1-nbd@nbd.name
[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 4447cf03c41b9337a528b37244f4c8f79cc76ede..05f45e66999b2dcd7ddb3151f3c50beecb70b56d 100644 (file)
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -561,14 +561,16 @@ static void ieee80211_chan_bw_change(struct ieee80211_local *local,
        rcu_read_lock();
        list_for_each_entry_rcu(sta, &local->sta_list,
                                list) {
-               struct ieee80211_sub_if_data *sdata = sta->sdata;
+               struct ieee80211_sub_if_data *sdata;
                enum ieee80211_sta_rx_bandwidth new_sta_bw;
                unsigned int link_id;
 
                if (!ieee80211_sdata_running(sta->sdata))
                        continue;
 
-               for (link_id = 0; link_id < ARRAY_SIZE(sta->sdata->link); link_id++) {
+               sdata = get_bss_sdata(sta->sdata);
+
+               for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) {
                        struct ieee80211_link_data *link =
                                rcu_dereference(sdata->link[link_id]);
                        struct ieee80211_bss_conf *link_conf;