[PATCH] wifi: mac80211_hwsim: handle 5/10 MHz chanctx in rc update
From: meihaipeng
Date: Fri May 29 2026 - 00:11:03 EST
mac80211_hwsim_sta_rc_update() compares ieee80211_sta_rx_bandwidth against
the current channel context width.
The STA bandwidth enum has no sub-20 MHz states, so a normal 20 MHz link
STA falsely trips the warning on 5/10 MHz OCB channel contexts.so
a normal 20 MHz link STA falsely trips the warning on 5/10 MHz OCB
channel contexts.
Treat sub-20 MHz channel contexts as 20 MHz for this validation and use
the actual channel-context width in the warning message.
Fixes: aea9a6088ae46 ("wifi: mac80211_hwsim: do rc update per link")
Reported-by: syzbot+c0472dd80bb8f668625f@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=c0472dd80bb8f668625f
Signed-off-by: meihaipeng <meihaipeng@xxxxxxxxxxxxx>
---
drivers/net/wireless/virtual/mac80211_hwsim.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
index 1fcf5d0d2e13..3d759fb328a8 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -2793,6 +2793,7 @@ mac80211_hwsim_sta_rc_update(struct ieee80211_hw *hw,
for (link_id = 0;
link_id < ARRAY_SIZE(vif->link_conf);
link_id++) {
+ u32 confbw_mhz = 20;
enum nl80211_chan_width confbw = NL80211_CHAN_WIDTH_20_NOHT;
struct ieee80211_bss_conf *vif_conf;
@@ -2826,10 +2827,17 @@ mac80211_hwsim_sta_rc_update(struct ieee80211_hw *hw,
confbw = chanctx_conf->def.width;
}
- WARN(bw > hwsim_get_chanwidth(confbw),
+ /*
+ * ieee80211_sta_rx_bandwidth does not represent sub-20 MHz
+ * channels, so treat 5/10 MHz channel contexts as 20 MHz when
+ * validating the link bandwidth.
+ */
+ confbw_mhz = max_t(u32, confbw_mhz, hwsim_get_chanwidth(confbw));
+
+ WARN(bw > confbw_mhz,
"intf %pM [link=%d]: bad STA %pM bandwidth %d MHz (%d) > channel config %d MHz (%d)\n",
vif->addr, link_id, sta->addr, bw, sta->deflink.bandwidth,
- hwsim_get_chanwidth(data->bw), data->bw);
+ hwsim_get_chanwidth(confbw), confbw);
}
--
2.20.1