authorJouni Malinen <jouni@qca.qualcomm.com>2011-09-02 20:07:06 +0300
committerKalle Valo <kvalo@qca.qualcomm.com>2011-09-05 11:26:47 +0300
commit11869befc7285be712623536daa30791aec1682f (patch)
treeac0f915675906d5eb88f43f9a0baa3b845c5cae4
parent252c068b9fba57493940af344b6d92ee3c278941 (diff)
athk6l: Fix channel list processing in scan requests
Limit the length of the channel list to WMI_MAX_CHANNELS to avoid rejection of the request in wmi.c. Since there is not really much point in using a specific list of more than 32 channels, drop the channel list if more channels are specified and scan all channels. Fix cfg80211 scan API use: ar->scan_req must be set only if returning success from scan() handler. The previous version would result in use of freed memory and likely kernel panic should the scan request fail to be sent to the target. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-rw-r--r--drivers/net/wireless/ath/ath6kl/cfg80211.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/drivers/net/wireless/ath/ath6kl/cfg80211.c b/drivers/net/wireless/ath/ath6kl/cfg80211.c
index 7db66589ee0c..1fe55f6f5d17 100644
--- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
+++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
@@ -793,10 +793,16 @@ static int ath6kl_cfg80211_scan(struct wiphy *wiphy, struct net_device *ndev,
}
}
- if (request->n_channels > 0) {
+ /*
+ * Scan only the requested channels if the request specifies a set of
+ * channels. If the list is longer than the target supports, do not
+ * configure the list and instead, scan all available channels.
+ */
+ if (request->n_channels > 0 &&
+ request->n_channels <= WMI_MAX_CHANNELS) {
u8 i;
- n_channels = min(127U, request->n_channels);
+ n_channels = request->n_channels;
channels = kzalloc(n_channels * sizeof(u16), GFP_KERNEL);
if (channels == NULL) {
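Review bot: The `kzalloc(n_channels * sizeof(u16), GFP_KERNEL)` call keeps an open-coded size multiplication whose safety now rests entirely on the new `request->n_channels <= WMI_MAX_CHANNELS` guard a few lines above it. Writing it as `channels = kcalloc(n_channels, sizeof(u16), GFP_KERNEL);` keeps the overflow check with the allocation, so it stays correct if the bound is ever changed or removed. The `u8 i` declaration depends on the same guard, presumably as the index of the fill loop that follows outside the hunk, so a short comment such as `/* n_channels <= WMI_MAX_CHANNELS, so u8 cannot wrap */` would record that dependency. The function and the NULL-check branch both continue outside the hunk.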
@@ -813,8 +819,8 @@ static int ath6kl_cfg80211_scan(struct wiphy *wiphy, struct net_device *ndev,
false, 0, 0, n_channels, channels);
if (ret)
ath6kl_err("wmi_startscan_cmd failed\n");
-
- ar->scan_req = request;
+ else
+ ar->scan_req = request;
kfree(channels);
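Review bot: `ar->scan_req` is now published only after the start-scan call has returned success, which leaves a window where the target could report scan completion before the pointer is set. Whether the completion path can run that early is not visible in this hunk, but if it can, it would find no pending request and the cfg80211 request would never be completed. An ordering that closes the window and keeps the use-after-free fix is to set `ar->scan_req = request;` before sending the command and reset it with `ar->scan_req = NULL;` in the `if (ret)` branch, which then needs braces. Any locking that covers `scan_req` would have to be checked in the rest of the function, which lies outside the hunk.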