wifi: nl80211: disallow setting special AP channel widths

[ Upstream commit 23daf1b4c91db9b26f8425cc7039cf96d22ccbfe ]

Setting the AP channel width is meant for use with the normal
20/40/... MHz channel width progression, and switching around
in S1G or narrow channels isn't supported. Disallow that.

Reported-by: syzbot+bc0f5b92cc7091f45fb6@syzkaller.appspotmail.com
Link: https://msgid.link/20240515141600.d4a9590bfe32.I19a32d60097e81b527eafe6b0924f6c5fbb2dc45@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0fd075238fc7402579cb5f8de427e42bd01fc078..07538be6805ef5425d1c57615cae0f620d82b209 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3422,6 +3422,33 @@ static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
                        if (chandef.chan != cur_chan)
                                return -EBUSY;
 
+                       /* only allow this for regular channel widths */
+                       switch (wdev->links[link_id].ap.chandef.width) {
+                       case NL80211_CHAN_WIDTH_20_NOHT:
+                       case NL80211_CHAN_WIDTH_20:
+                       case NL80211_CHAN_WIDTH_40:
+                       case NL80211_CHAN_WIDTH_80:
+                       case NL80211_CHAN_WIDTH_80P80:
+                       case NL80211_CHAN_WIDTH_160:
+                       case NL80211_CHAN_WIDTH_320:
+                               break;
+                       default:
+                               return -EINVAL;
+                       }
+
+                       switch (chandef.width) {
+                       case NL80211_CHAN_WIDTH_20_NOHT:
+                       case NL80211_CHAN_WIDTH_20:
+                       case NL80211_CHAN_WIDTH_40:
+                       case NL80211_CHAN_WIDTH_80:
+                       case NL80211_CHAN_WIDTH_80P80:
+                       case NL80211_CHAN_WIDTH_160:
+                       case NL80211_CHAN_WIDTH_320:
+                               break;
+                       default:
+                               return -EINVAL;
+                       }
+
                        result = rdev_set_ap_chanwidth(rdev, dev, link_id,
                                                       &chandef);
                        if (result)