--- /dev/null
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Mon, 24 Nov 2014 18:09:03 +0100
+Subject: [PATCH] mac80211: copy chandef from AP vif to VLANs
+
+Fixes a crash in nl80211_send_chandef, introduced in
+
+commit c12bc4885f4b3bab0ed779c69d5d7e3223fa5003
+"mac80211: return the vif's chandef in ieee80211_cfg_get_channel()"
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+---
+
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -932,6 +932,21 @@ ieee80211_vif_chanctx_reservation_comple
+ }
+ }
+
++static void
++ieee80211_vif_update_chandef(struct ieee80211_sub_if_data *sdata,
++ const struct cfg80211_chan_def *chandef)
++{
++ struct ieee80211_sub_if_data *vlan;
++
++ sdata->vif.bss_conf.chandef = *chandef;
++
++ if (sdata->vif.type != NL80211_IFTYPE_AP)
++ return;
++
++ list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
++ vlan->vif.bss_conf.chandef = *chandef;
++}
++
+ static int
+ ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata)
+ {
+@@ -994,7 +1009,7 @@ ieee80211_vif_use_reserved_reassign(stru
+ if (sdata->vif.bss_conf.chandef.width != sdata->reserved_chandef.width)
+ changed = BSS_CHANGED_BANDWIDTH;
+
+- sdata->vif.bss_conf.chandef = sdata->reserved_chandef;
++ ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef);
+
+ if (changed)
+ ieee80211_bss_info_change_notify(sdata, changed);
+@@ -1336,7 +1351,7 @@ static int ieee80211_vif_use_reserved_sw
+ sdata->reserved_chandef.width)
+ changed = BSS_CHANGED_BANDWIDTH;
+
+- sdata->vif.bss_conf.chandef = sdata->reserved_chandef;
++ ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef);
+ if (changed)
+ ieee80211_bss_info_change_notify(sdata,
+ changed);
+@@ -1507,7 +1522,7 @@ int ieee80211_vif_use_channel(struct iee
+ goto out;
+ }
+
+- sdata->vif.bss_conf.chandef = *chandef;
++ ieee80211_vif_update_chandef(sdata, chandef);
+
+ ret = ieee80211_assign_vif_chanctx(sdata, ctx);
+ if (ret) {
+@@ -1649,7 +1664,7 @@ int ieee80211_vif_change_bandwidth(struc
+ break;
+ }
+
+- sdata->vif.bss_conf.chandef = *chandef;
++ ieee80211_vif_update_chandef(sdata, chandef);
+
+ ieee80211_recalc_chanctx_chantype(local, ctx);
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -520,6 +520,7 @@ int ieee80211_do_open(struct wireless_de
+ sdata->vif.cab_queue = master->vif.cab_queue;
+ memcpy(sdata->vif.hw_queue, master->vif.hw_queue,
+ sizeof(sdata->vif.hw_queue));
++ sdata->vif.bss_conf.chandef = master->vif.bss_conf.chandef;
+ break;
+ }
+ case NL80211_IFTYPE_AP: