ath10k: fix scan crash due to incorrect length calculation
Length of WMI scan message was not calculated correctly. The allocated buffer was smaller than what we expected. So WMI message corrupted skb_info, which is at the end of skb->data. This fix takes TLV header into account even if the element is zero-length. Crash log: [49.629986] Unhandled kernel unaligned access[#1]: [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180 [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000 [49.646608] $ 0 : 00000000 00000001 80984a80 00000000 [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70 [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320 [49.662898] $12 : 33322037 000110f2 00000000 31203930 [49.668327] $16 : 82792b40 80984a80 00000001 804207fc [49.673757] $20 : 00000000 0000012c 00000040 80470000 [49.679186] $24 : 00000000 8024af7c [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0 [49.690046] Hi : 00000000 [49.693022] Lo : 453c0000 [49.696013] epc : 800efae4 put_page+0x0/0x58 [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4 [49.706184] Status: 1000fc03 KERNEL EXL IE [49.710531] Cause : 00800010 (ExcCode 04) [49.714669] BadVA : 45259e89 [49.717644] PrId : 00019374 (MIPS 24Kc) Signed-off-by: Zhi Chen <zhichen@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
This commit is contained in:
parent
4cf44d5255
commit
c829198880
|
@ -1614,10 +1614,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct ath10k *ar,
|
||||||
bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
|
bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
|
||||||
ie_len = roundup(arg->ie_len, 4);
|
ie_len = roundup(arg->ie_len, 4);
|
||||||
len = (sizeof(*tlv) + sizeof(*cmd)) +
|
len = (sizeof(*tlv) + sizeof(*cmd)) +
|
||||||
(arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
|
sizeof(*tlv) + chan_len +
|
||||||
(arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
|
sizeof(*tlv) + ssid_len +
|
||||||
(arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
|
sizeof(*tlv) + bssid_len +
|
||||||
(arg->ie_len ? sizeof(*tlv) + ie_len : 0);
|
sizeof(*tlv) + ie_len;
|
||||||
|
|
||||||
skb = ath10k_wmi_alloc_skb(ar, len);
|
skb = ath10k_wmi_alloc_skb(ar, len);
|
||||||
if (!skb)
|
if (!skb)
|
||||||
|
|
Loading…
Reference in New Issue