Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

wifi: mac80211: increase scan_ies_len for S1G

Currently the S1G capability element is not taken into account
for the scan_ies_len, which leads to a buffer length validation
failure in ieee80211_prep_hw_scan() and subsequent WARN in
__ieee80211_start_scan(). This prevents hw scanning from functioning.
To fix, ensure we accommodate the S1G capability length.

Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

authored by Lachlan Hodges and committed by Johannes Berg
7e2f3213 a33b375a

+6 -1
net/mac80211/main.c
··· 1111 1111 int result, i; 1112 1112 enum nl80211_band band; 1113 1113 int channels, max_bitrates; 1114 - bool supp_ht, supp_vht, supp_he, supp_eht; 1114 + bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g; 1115 1115 struct cfg80211_chan_def dflt_chandef = {}; 1116 1116 1117 1117 if (ieee80211_hw_check(hw, QUEUE_CONTROL) && ··· 1227 1227 supp_vht = false; 1228 1228 supp_he = false; 1229 1229 supp_eht = false; 1230 + supp_s1g = false; 1230 1231 for (band = 0; band < NUM_NL80211_BANDS; band++) { 1231 1232 const struct ieee80211_sband_iftype_data *iftd; 1232 1233 struct ieee80211_supported_band *sband; ··· 1275 1274 max_bitrates = sband->n_bitrates; 1276 1275 supp_ht = supp_ht || sband->ht_cap.ht_supported; 1277 1276 supp_vht = supp_vht || sband->vht_cap.vht_supported; 1277 + supp_s1g = supp_s1g || sband->s1g_cap.s1g; 1278 1278 1279 1279 for_each_sband_iftype_data(sband, i, iftd) { 1280 1280 u8 he_40_mhz_cap; ··· 1407 1405 if (supp_vht) 1408 1406 local->scan_ies_len += 1409 1407 2 + sizeof(struct ieee80211_vht_cap); 1408 + 1409 + if (supp_s1g) 1410 + local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap); 1410 1411 1411 1412 /* 1412 1413 * HE cap element is variable in size - set len to allow max size */
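Review bot: the S1G reservation ends up device-wide rather than per band. In the hunk inside the `for (band = 0; band < NUM_NL80211_BANDS; band++)` loop, `supp_s1g` is OR-ed across every band in the same way as `supp_ht` and `supp_vht`, so a single band with `s1g_cap.s1g` set makes the later `if (supp_s1g)` branch grow scan_ies_len for all scans. That errs toward a larger buffer, which is the safe direction for a length check, but a sentence in the commit message or a comment next to the assignment would make the over-reservation read as intentional.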
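Review bot: in the last hunk, the `2 +` in `local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap);` is unexplained, as it is in the VHT branch just above it. A one-line comment saying it covers the element ID and length octets would make the sizing easier to audit, since the commit message attributes the failure in ieee80211_prep_hw_scan() to scan_ies_len being too small for what gets emitted.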