On Wed Jul 2, 2025 at 8:59 AM CEST, Moon Hee Lee wrote: > VHT operating mode notifications must not be processed when the channel > width is 5 MHz or 10 MHz, as the VHT specification does not support these > narrow widths. Hello, Is this really specific for VHT ? or for HE /EHT as well ? > > Without validation, a malformed notification using 10 MHz can reach > ieee80211_chan_width_to_rx_bw(), triggering a WARN_ON due to the invalid > width. This issue was reported by syzbot. > > Reject these widths early in sta_link_apply_parameters() when > opmode_notif is used. > > Reported-by: syzbot+ededba317ddeca8b3f08@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=ededba317ddeca8b3f08 > Fixes: 751e7489c1d7 ("wifi: mac80211: expose ieee80211_chan_width_to_rx_bw() to drivers") > Tested-by: syzbot+ededba317ddeca8b3f08@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Moon Hee Lee <moonhee.lee.ca@xxxxxxxxx> > --- > net/mac80211/cfg.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c > index 56540c3701ed..5a6ae093a8bd 100644 > --- a/net/mac80211/cfg.c > +++ b/net/mac80211/cfg.c > @@ -1981,6 +1981,21 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, > ieee80211_sta_init_nss(link_sta); > > if (params->opmode_notif_used) { > + enum nl80211_chan_width width = link->conf->chanreq.oper.width; > + > + switch (width) { > + case NL80211_CHAN_WIDTH_20_NOHT: Because this seems weird for VHT > + case NL80211_CHAN_WIDTH_20: > + case NL80211_CHAN_WIDTH_40: > + case NL80211_CHAN_WIDTH_80: > + case NL80211_CHAN_WIDTH_160: > + case NL80211_CHAN_WIDTH_80P80: > + case NL80211_CHAN_WIDTH_320: And this did not exist for VHT either > + break; > + default: > + return -EINVAL; > + } > + > /* returned value is only needed for rc update, but the > * rc isn't initialized here yet, so ignore it > */
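
Review bot: the `default: return -EINVAL;` arm of the new switch in sta_link_apply_parameters() rejects every width that is not listed, while the commit message only names 5 MHz and 10 MHz, and the accepted list mixes in `NL80211_CHAN_WIDTH_20_NOHT` and `NL80211_CHAN_WIDTH_320`, so the code does not say what the actual criterion is. If the intent is "widths that ieee80211_chan_width_to_rx_bw() can handle", state that in a comment above the switch and in the commit message; if the intent is really only the two narrow widths, an explicit reject of `NL80211_CHAN_WIDTH_5` and `NL80211_CHAN_WIDTH_10` would match the description more closely. Separately, the message says the widths are rejected "early", but the check sits after `ieee80211_sta_init_nss(link_sta);`, so the function has already touched link_sta when it returns -EINVAL; consider validating before any state is modified.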