wifi: ath12k: add check max message length while scanning with extraie

Currently the extraie length is directly used to allocate skb buffer. When
the length of skb is greater than the max message length which firmware
supports, error will happen in firmware side.

Hence add check for the skb length and drop extraie when overflow and
print a message.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4

Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230809081657.13858-1-quic_wgong@quicinc.com

diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index cc9a377c06fd086910672b691162bf2533665f3b..ef0f3cf35cfd1d3861cb13d07a6b3401a543c3d4 100644 (file)
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -2239,12 +2239,6 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
        if (arg->num_bssid)
                len += sizeof(*bssid) * arg->num_bssid;
 
-       len += TLV_HDR_SIZE;
-       if (arg->extraie.len)
-               extraie_len_with_pad =
-                       roundup(arg->extraie.len, sizeof(u32));
-       len += extraie_len_with_pad;
-
        if (arg->num_hint_bssid)
                len += TLV_HDR_SIZE +
                       arg->num_hint_bssid * sizeof(*hint_bssid);
@@ -2253,6 +2247,18 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
                len += TLV_HDR_SIZE +
                       arg->num_hint_s_ssid * sizeof(*s_ssid);
 
+       len += TLV_HDR_SIZE;
+       if (arg->extraie.len)
+               extraie_len_with_pad =
+                       roundup(arg->extraie.len, sizeof(u32));
+       if (extraie_len_with_pad <= (wmi->wmi_ab->max_msg_len[ar->pdev_idx] - len)) {
+               len += extraie_len_with_pad;
+       } else {
+               ath12k_warn(ar->ab, "discard large size %d bytes extraie for scan start\n",
+                           arg->extraie.len);
+               extraie_len_with_pad = 0;
+       }
+
        skb = ath12k_wmi_alloc_skb(wmi->wmi_ab, len);
        if (!skb)
                return -ENOMEM;
@@ -2342,7 +2348,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
        tlv->header = ath12k_wmi_tlv_hdr(WMI_TAG_ARRAY_BYTE, len);
        ptr += TLV_HDR_SIZE;
 
-       if (arg->extraie.len)
+       if (extraie_len_with_pad)
                memcpy(ptr, arg->extraie.ptr,
                       arg->extraie.len);