Linux wireless drivers development
 help / color / mirror / Atom feed
* [PATCH] wifi: mac80211_hwsim: handle 5/10 MHz chanctx in rc update
@ 2026-05-29  4:09 meihaipeng
  2026-05-29  5:10 ` Lachlan Hodges
  0 siblings, 1 reply; 3+ messages in thread
From: meihaipeng @ 2026-05-29  4:09 UTC (permalink / raw)
  To: Johannes Berg
  Cc: Andrei Otcheretianski, linux-wireless, linux-kernel, meihaipeng,
	syzbot+c0472dd80bb8f668625f

mac80211_hwsim_sta_rc_update() compares ieee80211_sta_rx_bandwidth against 
the current channel context width. 

The STA bandwidth enum has no sub-20 MHz states, so a normal 20 MHz link 
STA falsely trips the warning on 5/10 MHz OCB channel contexts.so 
a normal 20 MHz link STA falsely trips the warning on 5/10 MHz OCB 
channel contexts.

Treat sub-20 MHz channel contexts as 20 MHz for this validation and use 
the actual channel-context width in the warning message.

Fixes: aea9a6088ae46 ("wifi: mac80211_hwsim: do rc update per link")
Reported-by: syzbot+c0472dd80bb8f668625f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c0472dd80bb8f668625f
Signed-off-by: meihaipeng <meihaipeng@uniontech.com>
---
 drivers/net/wireless/virtual/mac80211_hwsim.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
index 1fcf5d0d2e13..3d759fb328a8 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -2793,6 +2793,7 @@ mac80211_hwsim_sta_rc_update(struct ieee80211_hw *hw,
 	for (link_id = 0;
 	     link_id < ARRAY_SIZE(vif->link_conf);
 	     link_id++) {
+		u32 confbw_mhz = 20;
 		enum nl80211_chan_width confbw = NL80211_CHAN_WIDTH_20_NOHT;
 		struct ieee80211_bss_conf *vif_conf;
 
@@ -2826,10 +2827,17 @@ mac80211_hwsim_sta_rc_update(struct ieee80211_hw *hw,
 				confbw = chanctx_conf->def.width;
 		}
 
-		WARN(bw > hwsim_get_chanwidth(confbw),
+		/*
+		 * ieee80211_sta_rx_bandwidth does not represent sub-20 MHz
+		 * channels, so treat 5/10 MHz channel contexts as 20 MHz when
+		 * validating the link bandwidth.
+		 */
+		confbw_mhz = max_t(u32, confbw_mhz, hwsim_get_chanwidth(confbw));
+
+		WARN(bw > confbw_mhz,
 		     "intf %pM [link=%d]: bad STA %pM bandwidth %d MHz (%d) > channel config %d MHz (%d)\n",
 		     vif->addr, link_id, sta->addr, bw, sta->deflink.bandwidth,
-		     hwsim_get_chanwidth(data->bw), data->bw);
+		     hwsim_get_chanwidth(confbw), confbw);
 
 
 	}
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] wifi: mac80211_hwsim: handle 5/10 MHz chanctx in rc update
  2026-05-29  4:09 [PATCH] wifi: mac80211_hwsim: handle 5/10 MHz chanctx in rc update meihaipeng
@ 2026-05-29  5:10 ` Lachlan Hodges
  2026-05-29  6:20   ` Johannes Berg
  0 siblings, 1 reply; 3+ messages in thread
From: Lachlan Hodges @ 2026-05-29  5:10 UTC (permalink / raw)
  To: meihaipeng
  Cc: Johannes Berg, Andrei Otcheretianski, linux-wireless,
	linux-kernel, syzbot+c0472dd80bb8f668625f

Hi,

> The STA bandwidth enum has no sub-20 MHz states, so a normal 20 MHz link 
> STA falsely trips the warning on 5/10 MHz OCB channel contexts.so 
> a normal 20 MHz link STA falsely trips the warning on 5/10 MHz OCB 
> channel contexts.

There is also S1G widths :) but that doesn't really matter.

> Treat sub-20 MHz channel contexts as 20 MHz for this validation and use 
> the actual channel-context width in the warning message.
> 
> Fixes: aea9a6088ae46 ("wifi: mac80211_hwsim: do rc update per link")
> Reported-by: syzbot+c0472dd80bb8f668625f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c0472dd80bb8f668625f
> Signed-off-by: meihaipeng <meihaipeng@uniontech.com>

Looking at the stack trace of this report and a few of the others,
it comes from mac80211_hwsim_sta_add() which calls the rc_update on
the new STA, so it would probably be better to do something similar
to what we did for S1G [1] since I'm pretty sure the rc_update()
path isn't reachable on 5/10MHz (just like S1G).

Though there are also quite a few 5/10MHz syzbot reports for various
things similar so maybe it's not worth it.. but that is up to
Johannes :).

[1] https://lore.kernel.org/linux-wireless/20260527033828.183821-2-lachlan.hodges@morsemicro.com/

lachlan

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] wifi: mac80211_hwsim: handle 5/10 MHz chanctx in rc update
  2026-05-29  5:10 ` Lachlan Hodges
@ 2026-05-29  6:20   ` Johannes Berg
  0 siblings, 0 replies; 3+ messages in thread
From: Johannes Berg @ 2026-05-29  6:20 UTC (permalink / raw)
  To: Lachlan Hodges, meihaipeng
  Cc: Andrei Otcheretianski, linux-wireless, linux-kernel,
	syzbot+c0472dd80bb8f668625f

On Fri, 2026-05-29 at 15:10 +1000, Lachlan Hodges wrote:
> Hi,
> 
> > The STA bandwidth enum has no sub-20 MHz states, so a normal 20 MHz link 
> > STA falsely trips the warning on 5/10 MHz OCB channel contexts.so 
> > a normal 20 MHz link STA falsely trips the warning on 5/10 MHz OCB 
> > channel contexts.
> 
> There is also S1G widths :) but that doesn't really matter.
> 
> > Treat sub-20 MHz channel contexts as 20 MHz for this validation and use 
> > the actual channel-context width in the warning message.
> > 
> > Fixes: aea9a6088ae46 ("wifi: mac80211_hwsim: do rc update per link")
> > Reported-by: syzbot+c0472dd80bb8f668625f@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=c0472dd80bb8f668625f
> > Signed-off-by: meihaipeng <meihaipeng@uniontech.com>
> 
> Looking at the stack trace of this report and a few of the others,
> it comes from mac80211_hwsim_sta_add() which calls the rc_update on
> the new STA, so it would probably be better to do something similar
> to what we did for S1G [1] since I'm pretty sure the rc_update()
> path isn't reachable on 5/10MHz (just like S1G).

I don't know if it is or isn't, but a simpler change like that would
indeed seem preferable.

> Though there are also quite a few 5/10MHz syzbot reports for various
> things similar so maybe it's not worth it.. but that is up to
> Johannes :).

Yeah, I'm still going to rip it out entirely soon.

johannes

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-29  6:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-29  4:09 [PATCH] wifi: mac80211_hwsim: handle 5/10 MHz chanctx in rc update meihaipeng
2026-05-29  5:10 ` Lachlan Hodges
2026-05-29  6:20   ` Johannes Berg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox