wifi: ath12k: add check max message length while scanning with extraie

Currently the extraie length is directly used to allocate skb buffer. When
the length of skb is greater than the max message length which firmware
supports, error will happen in firmware side.

Hence add check for the skb length and drop extraie when overflow and
print a message.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4

Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230809081657.13858-1-quic_wgong@quicinc.com

diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index cc9a377..ef0f3cf 100644 (file)
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -2239,12 +2239,6 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
        if (arg->num_bssid)
                len += sizeof(*bssid) * arg->num_bssid;
 
-       len += TLV_HDR_SIZE;
-       if (arg->extraie.len)
-               extraie_len_with_pad =
-                       roundup(arg->extraie.len, sizeof(u32));
-       len += extraie_len_with_pad;
-
        if (arg->num_hint_bssid)
                len += TLV_HDR_SIZE +
                       arg->num_hint_bssid * sizeof(*hint_bssid);
@@ -2253,6 +2247,18 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
                len += TLV_HDR_SIZE +
                       arg->num_hint_s_ssid * sizeof(*s_ssid);
 
+       len += TLV_HDR_SIZE;
+       if (arg->extraie.len)
+               extraie_len_with_pad =
+                       roundup(arg->extraie.len, sizeof(u32));
+       if (extraie_len_with_pad <= (wmi->wmi_ab->max_msg_len[ar->pdev_idx] - len)) {
+               len += extraie_len_with_pad;
+       } else {
+               ath12k_warn(ar->ab, "discard large size %d bytes extraie for scan start\n",
+                           arg->extraie.len);
+               extraie_len_with_pad = 0;
+       }
+
        skb = ath12k_wmi_alloc_skb(wmi->wmi_ab, len);
        if (!skb)
                return -ENOMEM;
@@ -2342,7 +2348,7 @@ int ath12k_wmi_send_scan_start_cmd(struct ath12k *ar,
        tlv->header = ath12k_wmi_tlv_hdr(WMI_TAG_ARRAY_BYTE, len);
        ptr += TLV_HDR_SIZE;
 
-       if (arg->extraie.len)
+       if (extraie_len_with_pad)
                memcpy(ptr, arg->extraie.ptr,
                       arg->extraie.len);