From: Johannes Berg <johannes.berg@xxxxxxxxx>
When testing some new P2P code, Angie found that the
driver might crash because the beacon command ended
up being bigger than a regular command. This is quite
obvious -- a normal command is limited to roughly 360
bytes but a beacon may be much larger of course.
To fix this, use the huge command buffer.
Reported-by: Angie Chinchilla <angie.v.chinchilla@xxxxxxxxx>
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@xxxxxxxxx>
---
drivers/net/wireless/iwlwifi/iwl-agn.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
index 0daeded..3cfd7eb 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
@@ -253,6 +253,10 @@ int iwlagn_send_beacon_cmd(struct iwl_priv *priv)
struct iwl_frame *frame;
unsigned int frame_size;
int rc;
+ struct iwl_host_cmd cmd = {
+ .id = REPLY_TX_BEACON,
+ .flags = CMD_SIZE_HUGE,
+ };
frame = iwl_get_free_frame(priv);
if (!frame) {
@@ -268,8 +272,10 @@ int iwlagn_send_beacon_cmd(struct iwl_priv *priv)
return -EINVAL;
}
- rc = iwl_send_cmd_pdu(priv, REPLY_TX_BEACON, frame_size,
- &frame->u.cmd[0]);
+ cmd.len = frame_size;
+ cmd.data = &frame->u.cmd[0];
+
+ rc = iwl_send_cmd_sync(priv, &cmd);
iwl_free_frame(priv, frame);
--
1.7.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
