ath11k: Fix incorrect tlvs in scan start command

[ Upstream commit f57ad6a9885e8399897daee3249cabccf9c972f8 ]

Currently 6G specific tlvs have duplicate entries which is causing
scan failures. Fix this by removing the duplicate entries of the same
tlv. This also fixes out-of-bound memory writes caused due to
adding tlvs when num_hint_bssid and num_hint_s_ssid are ZEROs.

Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1-01386-QCAHKSWPL_SILICONZ-1

Fixes: 74601ecfef6e ("ath11k: Add support for 6g scan hint")
Reported-by: Carl Huang <cjhuang@codeaurora.org>
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1607609124-17250-7-git-send-email-kvalo@codeaurora.org
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
index 8eca925..04b8b00 100644 (file)
--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -2198,37 +2198,6 @@ int ath11k_wmi_send_scan_start_cmd(struct ath11k *ar,
                }
        }
 
-       len = params->num_hint_s_ssid * sizeof(struct hint_short_ssid);
-       tlv = ptr;
-       tlv->header = FIELD_PREP(WMI_TLV_TAG, WMI_TAG_ARRAY_FIXED_STRUCT) |
-                     FIELD_PREP(WMI_TLV_LEN, len);
-       ptr += TLV_HDR_SIZE;
-       if (params->num_hint_s_ssid) {
-               s_ssid = ptr;
-               for (i = 0; i < params->num_hint_s_ssid; ++i) {
-                       s_ssid->freq_flags = params->hint_s_ssid[i].freq_flags;
-                       s_ssid->short_ssid = params->hint_s_ssid[i].short_ssid;
-                       s_ssid++;
-               }
-       }
-       ptr += len;
-
-       len = params->num_hint_bssid * sizeof(struct hint_bssid);
-       tlv = ptr;
-       tlv->header = FIELD_PREP(WMI_TLV_TAG, WMI_TAG_ARRAY_FIXED_STRUCT) |
-                     FIELD_PREP(WMI_TLV_LEN, len);
-       ptr += TLV_HDR_SIZE;
-       if (params->num_hint_bssid) {
-               hint_bssid = ptr;
-               for (i = 0; i < params->num_hint_bssid; ++i) {
-                       hint_bssid->freq_flags =
-                               params->hint_bssid[i].freq_flags;
-                       ether_addr_copy(&params->hint_bssid[i].bssid.addr[0],
-                                       &hint_bssid->bssid.addr[0]);
-                       hint_bssid++;
-               }
-       }
-
        ret = ath11k_wmi_cmd_send(wmi, skb,
                                  WMI_START_SCAN_CMDID);
        if (ret) {