From 6780f4872d60415bbf262bc84fab1ad80991d1e4 Mon Sep 17 00:00:00 2001
From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
Date: Tue, 1 Jul 2025 12:36:48 -0700
Subject: [PATCH] mac80211: reject opmode notification for unsupported channel
 widths

VHT operating mode notification should not be applied when the channel
width is 5 MHz or 10 MHz, as VHT does not support those widths.

Without this check, a malformed opmode notification with 10 MHz width
can reach ieee80211_chan_width_to_rx_bw(), triggering a WARN_ON due to
invalid channel width. This issue was reported by syzbot.

Reject unsupported channel widths early in sta_link_apply_parameters()
when opmode notification is used.

Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
---
 net/mac80211/cfg.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 56540c3701ed..5a6ae093a8bd 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1981,6 +1981,21 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
 	ieee80211_sta_init_nss(link_sta);
 
 	if (params->opmode_notif_used) {
+		enum nl80211_chan_width width = link->conf->chanreq.oper.width;
+
+		switch (width) {
+		case NL80211_CHAN_WIDTH_20_NOHT:
+		case NL80211_CHAN_WIDTH_20:
+		case NL80211_CHAN_WIDTH_40:
+		case NL80211_CHAN_WIDTH_80:
+		case NL80211_CHAN_WIDTH_160:
+		case NL80211_CHAN_WIDTH_80P80:
+		case NL80211_CHAN_WIDTH_320:
+			break;
+		default:
+			return -EINVAL;
+		}
+
 		/* returned value is only needed for rc update, but the
 		 * rc isn't initialized here yet, so ignore it
 		 */
-- 
2.43.0