CVE-2026-31394

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix crash in ieee80211 chan bw change for AP VLAN stations

ieee80211 chan bw change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link id]. For stations on AP VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in ieee80211 sta cap rx bw() when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get bss sdata() before accessing link data.

[also change sta->sdata in ARRAY SIZE even if it doesn't matter]