wifi: mac80211: fix AP chandef capturing in CSA

When the CSA is announced with only HT elements, the AP
chandef isn't captured correctly, leading to crashes in
the later code that checks for TPE changes during CSA.

Capture the AP chandef correctly in both cases to fix
this.

Reported-by: Jouni Malinen <j@w1.fi>
Fixes: 4540568136fe ("wifi: mac80211: handle TPE element during CSA")
Link: https://patch.msgid.link/20240709160851.47805f24624d.I024091f701447f7921e93bb23b46e01c2f46347d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 6 insertions, 3 deletions

diff --git a/net/mac80211/spectmgmt.c b/net/mac80211/spectmgmt.c
index e91ca4ccdd37..073ff9e0f397 100644
--- a/net/mac80211/spectmgmt.c
+++ b/net/mac80211/spectmgmt.c
@@ -343,6 +343,9 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
 		break;
 	}
 
+	/* capture the AP configuration */
+	csa_ie->chanreq.ap = csa_ie->chanreq.oper;
+
 	/* parse one of the Elements to build a new chandef */
 	memset(&new_chandef, 0, sizeof(new_chandef));
 	new_chandef.chan = new_chan;
@@ -369,11 +372,11 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
 		validate_chandef_by_ht_vht_oper(sdata, conn, vht_cap_info,
 						&new_chandef);
 
-	/* capture the AP chandef before (potential) downgrading */
-	csa_ie->chanreq.ap = new_chandef;
-
 	/* if data is there validate the bandwidth & use it */
 	if (new_chandef.chan) {
+		/* capture the AP chandef before (potential) downgrading */
+		csa_ie->chanreq.ap = new_chandef;
+
 		if (conn->bw_limit < IEEE80211_CONN_BW_LIMIT_320 &&
 		    new_chandef.width == NL80211_CHAN_WIDTH_320)
 			ieee80211_chandef_downgrade(&new_chandef, NULL);