ath10k: fix scan crash due to incorrect length calculation

[android-x86/kernel.git] / drivers / net / wireless / ath / ath10k / wmi-tlv.c

diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index 2e34a1f..bdaad6e 100644 (file)
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -155,7 +155,7 @@ ath10k_wmi_tlv_parse_alloc(struct ath10k *ar, const void *ptr,
        const void **tb;
        int ret;
 
-       tb = kzalloc(sizeof(*tb) * WMI_TLV_TAG_MAX, gfp);
+       tb = kcalloc(WMI_TLV_TAG_MAX, sizeof(*tb), gfp);
        if (!tb)
                return ERR_PTR(-ENOMEM);
 
@@ -1584,6 +1584,11 @@ static struct sk_buff *ath10k_wmi_tlv_op_gen_init(struct ath10k *ar)
        cfg->keep_alive_pattern_size = __cpu_to_le32(0);
        cfg->max_tdls_concurrent_sleep_sta = __cpu_to_le32(1);
        cfg->max_tdls_concurrent_buffer_sta = __cpu_to_le32(1);
+       cfg->wmi_send_separate = __cpu_to_le32(0);
+       cfg->num_ocb_vdevs = __cpu_to_le32(0);
+       cfg->num_ocb_channels = __cpu_to_le32(0);
+       cfg->num_ocb_schedules = __cpu_to_le32(0);
+       cfg->host_capab = __cpu_to_le32(0);
 
        ath10k_wmi_put_host_mem_chunks(ar, chunks);
 
@@ -1614,10 +1619,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct ath10k *ar,
        bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
        ie_len = roundup(arg->ie_len, 4);
        len = (sizeof(*tlv) + sizeof(*cmd)) +
-             (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
-             (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
-             (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
-             (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
+             sizeof(*tlv) + chan_len +
+             sizeof(*tlv) + ssid_len +
+             sizeof(*tlv) + bssid_len +
+             sizeof(*tlv) + ie_len;
 
        skb = ath10k_wmi_alloc_skb(ar, len);
        if (!skb)