wifi: nl80211: disallow setting special AP channel widths

Setting the AP channel width is meant for use with the normal
20/40/... MHz channel width progression, and switching around
in S1G or narrow channels isn't supported. Disallow that.

Reported-by: syzbot+bc0f5b92cc7091f45fb6@syzkaller.appspotmail.com
Link: https://msgid.link/20240515141600.d4a9590bfe32.I19a32d60097e81b527eafe6b0924f6c5fbb2dc45@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 3c0bca4238d357c01b6fe92bb0f2b2b8a2917725..93c313149f571bba9babd926a8b55b02cdcbf737 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3415,6 +3415,33 @@ static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
                        if (chandef.chan != cur_chan)
                                return -EBUSY;
 
+                       /* only allow this for regular channel widths */
+                       switch (wdev->links[link_id].ap.chandef.width) {
+                       case NL80211_CHAN_WIDTH_20_NOHT:
+                       case NL80211_CHAN_WIDTH_20:
+                       case NL80211_CHAN_WIDTH_40:
+                       case NL80211_CHAN_WIDTH_80:
+                       case NL80211_CHAN_WIDTH_80P80:
+                       case NL80211_CHAN_WIDTH_160:
+                       case NL80211_CHAN_WIDTH_320:
+                               break;
+                       default:
+                               return -EINVAL;
+                       }
+
+                       switch (chandef.width) {
+                       case NL80211_CHAN_WIDTH_20_NOHT:
+                       case NL80211_CHAN_WIDTH_20:
+                       case NL80211_CHAN_WIDTH_40:
+                       case NL80211_CHAN_WIDTH_80:
+                       case NL80211_CHAN_WIDTH_80P80:
+                       case NL80211_CHAN_WIDTH_160:
+                       case NL80211_CHAN_WIDTH_320:
+                               break;
+                       default:
+                               return -EINVAL;
+                       }
+
                        result = rdev_set_ap_chanwidth(rdev, dev, link_id,
                                                       &chandef);
                        if (result)