ath10k: fix scan crash due to incorrect length calculation
BugLink: https://bugs.launchpad.net/bugs/1836426
commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.
Length of WMI scan message was not calculated correctly. The allocated
buffer was smaller than what we expected. So WMI message corrupted
skb_info, which is at the end of skb->data. This fix takes TLV header
into account even if the element is zero-length.
Crash log:
[49.629986] Unhandled kernel unaligned access[#1]:
[49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
[49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
[49.646608] $ 0 : 00000000 00000001 80984a80 00000000
[49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
[49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
[49.662898] $12 : 33322037 000110f2 00000000 31203930
[49.668327] $16 : 82792b40 80984a80 00000001 804207fc
[49.673757] $20 : 00000000 0000012c 00000040 80470000
[49.679186] $24 : 00000000 8024af7c
[49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
[49.690046] Hi : 00000000
[49.693022] Lo : 453c0000
[49.696013] epc : 800efae4 put_page+0x0/0x58
[49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
[49.706184] Status: 1000fc03 KERNEL EXL IE
[49.710531] Cause : 00800010 (ExcCode 04)
[49.714669] BadVA : 45259e89
[49.717644] PrId : 00019374 (MIPS 24Kc)
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Cc: Brian Norris <briannorris@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
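
The sizing mistake described in the commit message, shown as an added example (this is not the ath10k code or the upstream patch): a length calculation that skips the TLV header of a zero-length element, next to one that counts it, and an encoder that refuses to write past the buffer it was given. The struct layout and all function names are hypothetical and chosen only for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical TLV layout for illustration; not the ath10k WMI structures. */
struct tlv_hdr { uint16_t tag; uint16_t len; };
struct elem { uint16_t tag; const void *data; uint16_t len; };

/* Flawed sizing: an empty element is assumed to occupy no space at all. */
size_t msg_len_buggy(const struct elem *e, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (e[i].len)
            total += sizeof(struct tlv_hdr) + e[i].len;
    return total;
}

/* Corrected sizing: every element costs a header, even with no payload. */
size_t msg_len_fixed(const struct elem *e, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += sizeof(struct tlv_hdr) + e[i].len;
    return total;
}

/* The encoder emits a header for every element, empty or not. It returns the
 * number of bytes written, or -1 when the next element does not fit, so an
 * undersized buffer is reported instead of overrun into whatever follows. */
long encode(uint8_t *buf, size_t cap, const struct elem *e, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        struct tlv_hdr h = { e[i].tag, e[i].len };
        if (cap - off < sizeof(h) + e[i].len)
            return -1;
        memcpy(buf + off, &h, sizeof(h));
        off += sizeof(h);
        if (e[i].len)
            memcpy(buf + off, e[i].data, e[i].len);
        off += e[i].len;
    }
    return (long)off;
}
```

With one empty element among three, the flawed calculation comes up exactly one header short, which is the gap an unchecked encoder would write through.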