From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Wen Gong <quic_wgong@quicinc.com>,
Jeff Johnson <quic_jjohnson@quicinc.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, ath12k@lists.infradead.org,
linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.5 42/45] wifi: ath12k: add check max message length while scanning with extraie
Date: Fri, 8 Sep 2023 14:13:23 -0400 [thread overview]
Message-ID: <20230908181327.3459042-42-sashal@kernel.org> (raw)
In-Reply-To: <20230908181327.3459042-1-sashal@kernel.org>
From: Wen Gong <quic_wgong@quicinc.com>
[ Upstream commit 2f5124e86ae74b7ba24c9ae2644107b750cbf38f ]
Currently the extraie length is directly used to allocate skb buffer. When
the length of skb is greater than the max message length which firmware
supports, error will happen in firmware side.
Hence add check for the skb length and drop extraie when overflow and
print a message.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230809081657.13858-1-quic_wgong@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/wmi.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index 4f378f06e946e..eebc5a65ce3b4 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -2162,12 +2162,6 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
if (arg->num_bssid)
len += sizeof(*bssid) * arg->num_bssid;
- len += TLV_HDR_SIZE;
- if (arg->extraie.len)
- extraie_len_with_pad =
- roundup(arg->extraie.len, sizeof(u32));
- len += extraie_len_with_pad;
-
if (arg->num_hint_bssid)
len += TLV_HDR_SIZE +
arg->num_hint_bssid * sizeof(*hint_bssid);
@@ -2176,6 +2170,18 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
len += TLV_HDR_SIZE +
arg->num_hint_s_ssid * sizeof(*s_ssid);
+ len += TLV_HDR_SIZE;
+ if (arg->extraie.len)
+ extraie_len_with_pad =
+ roundup(arg->extraie.len, sizeof(u32));
+ if (extraie_len_with_pad <= (wmi->wmi_ab->max_msg_len[ar->pdev_idx] - len)) {
+ len += extraie_len_with_pad;
+ } else {
+ ath12k_warn(ar->ab, "discard large size %d bytes extraie for scan start\n",
+ arg->extraie.len);
+ extraie_len_with_pad = 0;
+ }
+
skb = ath12k_wmi_alloc_skb(wmi->wmi_ab, len);
if (!skb)
return -ENOMEM;
@@ -2265,7 +2271,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
tlv->header = ath12k_wmi_tlv_hdr(WMI_TAG_ARRAY_BYTE, len);
ptr += TLV_HDR_SIZE;
- if (arg->extraie.len)
+ if (extraie_len_with_pad)
memcpy(ptr, arg->extraie.ptr,
arg->extraie.len);
--
2.40.1
next prev parent reply other threads:[~2023-09-08 18:18 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230908181327.3459042-1-sashal@kernel.org>
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 07/45] wifi: ath9k: fix fortify warnings Sasha Levin
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 08/45] wifi: ath9k: fix printk specifier Sasha Levin
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 09/45] wifi: rtw88: delete timer and free skb queue when unloading Sasha Levin
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 10/45] wifi: mwifiex: fix fortify warning Sasha Levin
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 11/45] mt76: mt7921: don't assume adequate headroom for SDIO headers Sasha Levin
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 12/45] wifi: wil6210: fix fortify warnings Sasha Levin
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 16/45] wifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan() Sasha Levin
2023-09-08 18:12 ` [PATCH AUTOSEL 6.5 17/45] wifi: ath12k: avoid array overflow of hw mode for preferred_hw_mode Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 31/45] wifi: iwlwifi: pcie: avoid a warning in case prepare card failed Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 32/45] wifi: mac80211: check S1G action frame size Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 34/45] wifi: cfg80211: reject auth/assoc to AP with our address Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 35/45] wifi: cfg80211: ocb: don't leave if not joined Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 36/45] wifi: mac80211: check for station first in client probe Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 37/45] wifi: mac80211_hwsim: drop short frames Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 38/45] Revert "wifi: mac80211_hwsim: check the return value of nla_put_u32" Sasha Levin
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 40/45] wifi: ath12k: Fix memory leak in rx_desc and tx_desc Sasha Levin
2023-09-08 18:13 ` Sasha Levin [this message]
2023-09-08 18:13 ` [PATCH AUTOSEL 6.5 43/45] Fix nomenclature for USB and PCI wireless devices Sasha Levin
2023-09-08 19:12 ` Alan Stern
2023-09-08 21:31 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230908181327.3459042-42-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ath12k@lists.infradead.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=quic_jjohnson@quicinc.com \
--cc=quic_kvalo@quicinc.com \
--cc=quic_wgong@quicinc.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).