From: Rohit Fule <rohitf@xxxxxxxxxxx> When a user requests scan, driver sends multiple scan requests to firmware, which might be active or passive. Firmware will send channel statistics for each channel in the request. This will be stored in chan_stats array. Few channels might report hidden SSIDs in passive scan results. So, once the original scan request is finished, driver issues an active scan request for all channels which reported hidden SSIDs. This will cause duplicates in the chan_stats array. At worst, every channel will have a hidden SSID, in which case the driver can issue active scan requests for each channel. So the complete scan statistics size will be twice of existing limit. At present maximum number of channels returned in scan statistics is 31(BG) + 14(A) = 45. Clearly there will be an overflow of the chan_stats array in the above mentioned scenario. To fix this double the size of chan_stats array. Signed-off-by: Rohit Fule <rohitf@xxxxxxxxxxx> Signed-off-by: Mangesh Malusare <mmangesh@xxxxxxxxxxx> Signed-off-by: Ganapathi Bhat <gbhat@xxxxxxxxxxx> --- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c index ac01af4..f33ed79 100644 --- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c +++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c @@ -4201,7 +4201,10 @@ int mwifiex_init_channel_scan_gap(struct mwifiex_adapter *adapter) if (adapter->config_bands & BAND_A) n_channels_a = mwifiex_band_5ghz.n_channels; - adapter->num_in_chan_stats = n_channels_bg + n_channels_a; + /* allocate twice the number total channels, since the driver issues an + * additional active scan request for hidden SSIDs on passive channels. + */ + adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a); adapter->chan_stats = vmalloc(sizeof(*adapter->chan_stats) * adapter->num_in_chan_stats); -- 1.9.1
