From f460a165a44e487d35fe788bccf40cc89b58730d Mon Sep 17 00:00:00 2001
From: David Spinadel <david.spinadel@intel.com>
Date: Fri, 11 May 2012 10:53:15 +0200
Subject: [PATCH] --- yaml --- r: 306815 b: refs/heads/master c:
 0ed462875a7825e89674f3e7ff9d67835feb9f73 h: refs/heads/master i:   306813:
 1e2279213754fbb14c07211b6b77e1073cd81ce6   306811:
 32bc51cd7aab302efb2f30712ab4a4a8715e5ca2   306807:
 76a4f60bec501a25ab5af8dda92befe134da1fbc   306799:
 f2855823c3cd105579cf7abb7451ef5b39581694   306783:
 dcd7b92799863370c8884764f0e2df43435c0034   306751:
 b644fd09d41e48616352b46e0e9ea069051092ef   306687:
 dc273a78d4fef0bceec89f42599a0354f90ebf3b v: v3

---
 [refs]                                          |  2 +-
 .../drivers/net/wireless/iwlwifi/iwl-commands.h |  1 -
 trunk/drivers/net/wireless/iwlwifi/iwl-scan.c   | 17 ++++++++++++-----
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/[refs] b/[refs]
index a98caca65f85..5828f30c0331 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: cd6c65981e72aef9f5cc42ffe64404542162790a
+refs/heads/master: 0ed462875a7825e89674f3e7ff9d67835feb9f73
diff --git a/trunk/drivers/net/wireless/iwlwifi/iwl-commands.h b/trunk/drivers/net/wireless/iwlwifi/iwl-commands.h
index 2813a0a89ed6..9af6a239b384 100644
--- a/trunk/drivers/net/wireless/iwlwifi/iwl-commands.h
+++ b/trunk/drivers/net/wireless/iwlwifi/iwl-commands.h
@@ -2278,7 +2278,6 @@ struct iwl_ssid_ie {
 #define IWL_GOOD_CRC_TH_DISABLED	0
 #define IWL_GOOD_CRC_TH_DEFAULT		cpu_to_le16(1)
 #define IWL_GOOD_CRC_TH_NEVER		cpu_to_le16(0xffff)
-#define IWL_MAX_SCAN_SIZE 1024
 #define IWL_MAX_CMD_SIZE 4096
 
 /*
diff --git a/trunk/drivers/net/wireless/iwlwifi/iwl-scan.c b/trunk/drivers/net/wireless/iwlwifi/iwl-scan.c
index a8437a6bc18e..6f221de5a76a 100644
--- a/trunk/drivers/net/wireless/iwlwifi/iwl-scan.c
+++ b/trunk/drivers/net/wireless/iwlwifi/iwl-scan.c
@@ -52,6 +52,7 @@
 #define IWL_PASSIVE_DWELL_TIME_52   (10)
 #define IWL_PASSIVE_DWELL_BASE      (100)
 #define IWL_CHANNEL_TUNE_TIME       5
+#define MAX_SCAN_CHANNEL	    50
 
 static int iwl_send_scan_abort(struct iwl_priv *priv)
 {
@@ -679,6 +680,13 @@ static int iwlagn_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
 	u8 active_chains;
 	u8 scan_tx_antennas = priv->hw_params.valid_tx_ant;
 	int ret;
+	int scan_cmd_size = sizeof(struct iwl_scan_cmd) +
+			    MAX_SCAN_CHANNEL * sizeof(struct iwl_scan_channel) +
+			    priv->fw->ucode_capa.max_probe_length;
+
+	if (WARN_ON_ONCE(priv->scan_request &&
+			 priv->scan_request->n_channels > MAX_SCAN_CHANNEL))
+		return -EINVAL;
 
 	lockdep_assert_held(&priv->mutex);
 
@@ -686,8 +694,7 @@ static int iwlagn_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
 		ctx = iwl_rxon_ctx_from_vif(vif);
 
 	if (!priv->scan_cmd) {
-		priv->scan_cmd = kmalloc(sizeof(struct iwl_scan_cmd) +
-					 IWL_MAX_SCAN_SIZE, GFP_KERNEL);
+		priv->scan_cmd = kmalloc(scan_cmd_size, GFP_KERNEL);
 		if (!priv->scan_cmd) {
 			IWL_DEBUG_SCAN(priv,
 				       "fail to allocate memory for scan\n");
@@ -695,7 +702,7 @@ static int iwlagn_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
 		}
 	}
 	scan = priv->scan_cmd;
-	memset(scan, 0, sizeof(struct iwl_scan_cmd) + IWL_MAX_SCAN_SIZE);
+	memset(scan, 0, scan_cmd_size);
 
 	scan->quiet_plcp_th = IWL_PLCP_QUIET_THRESH;
 	scan->quiet_time = IWL_ACTIVE_QUIET_TIME;
@@ -883,7 +890,7 @@ static int iwlagn_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
 					vif->addr,
 					priv->scan_request->ie,
 					priv->scan_request->ie_len,
-					IWL_MAX_SCAN_SIZE - sizeof(*scan));
+					scan_cmd_size - sizeof(*scan));
 		break;
 	case IWL_SCAN_RADIO_RESET:
 	case IWL_SCAN_ROC:
@@ -891,7 +898,7 @@ static int iwlagn_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
 		cmd_len = iwl_fill_probe_req(
 					(struct ieee80211_mgmt *)scan->data,
 					iwl_bcast_addr, NULL, 0,
-					IWL_MAX_SCAN_SIZE - sizeof(*scan));
+					scan_cmd_size - sizeof(*scan));
 		break;
 	default:
 		BUG();