wifi: mac80211: increase scan_ies_len for S1G

Currently the S1G capability element is not taken into account
for the scan_ies_len, which leads to a buffer length validation
failure in ieee80211_prep_hw_scan() and subsequent WARN in
__ieee80211_start_scan(). This prevents hw scanning from functioning.
To fix ensure we accommodate for the S1G capability length.

Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 9c8f18b258a68c2c92981aaab68032931c6144b9..3ae6104e5cb20164ba0ed1e6a12aa5cfb0825834 100644 (file)
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1111,7 +1111,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        int result, i;
        enum nl80211_band band;
        int channels, max_bitrates;
-       bool supp_ht, supp_vht, supp_he, supp_eht;
+       bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g;
        struct cfg80211_chan_def dflt_chandef = {};
 
        if (ieee80211_hw_check(hw, QUEUE_CONTROL) &&
@@ -1227,6 +1227,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        supp_vht = false;
        supp_he = false;
        supp_eht = false;
+       supp_s1g = false;
        for (band = 0; band < NUM_NL80211_BANDS; band++) {
                const struct ieee80211_sband_iftype_data *iftd;
                struct ieee80211_supported_band *sband;
@@ -1274,6 +1275,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                        max_bitrates = sband->n_bitrates;
                supp_ht = supp_ht || sband->ht_cap.ht_supported;
                supp_vht = supp_vht || sband->vht_cap.vht_supported;
+               supp_s1g = supp_s1g || sband->s1g_cap.s1g;
 
                for_each_sband_iftype_data(sband, i, iftd) {
                        u8 he_40_mhz_cap;
@@ -1406,6 +1408,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                local->scan_ies_len +=
                        2 + sizeof(struct ieee80211_vht_cap);
 
+       if (supp_s1g)
+               local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap);
+
        /*
         * HE cap element is variable in size - set len to allow max size */
        if (supp_he) {