From df55603b24bc48fd765332d71a9ca1f82c1e8e39 Mon Sep 17 00:00:00 2001
From: Zhu Jianmin
Date: Tue, 12 Jun 2018 18:18:25 +0800
Subject: [PATCH] nl80211: fix nlmsg allocation in cfg80211_ft_event
Allocation size of nlmsg in cfg80211_ft_event is based on ric_ies_len and doesn't take into account ies_len. This leads to NL80211_CMD_FT_EVENT message construction failure in case ft_event contains large enough ies buffer. Add ies_len to the nlmsg allocation size.
Signed-off-by: Dedy Lansky
Signed-off-by: Johannes Berg
Git-commit: 1039d08100e58f016a814347baadb77bf8dd21ab
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Change-Id: I224ac6113e4b15958f3b155982ff5cf84ff9ed74
CRs-Fixed: 2207276
Signed-off-by: Wen Gong
Signed-off-by: Zhu Jianmin
---
 net/wireless/nl80211.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index f08ed375bb91..4490dec28f50 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -13807,7 +13807,8 @@ void cfg80211_ft_event(struct net_device *netdev,
 if (!ft_event->target_ap)
 return;
- msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL);
+ msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
+ GFP_KERNEL);
 if (!msg)
 return;
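Review bot: The size passed to the new `nlmsg_new(...)` call is still a hand-maintained sum: the constant `100` is unexplained and the two IE lengths are added raw, without the attribute header and alignment padding each attribute needs, so a later attribute added to this event can bring back the same construction failure. Sizing each variable-length attribute explicitly would make the budget auditable, e.g. `msg = nlmsg_new(100 + nla_total_size(ft_event->ies_len) + nla_total_size(ft_event->ric_ies_len), GFP_KERNEL);`, with a short comment stating which fixed attributes the 100 bytes are meant to cover. Both lengths are supplied by the driver and presumably reflect frames received over the air, so it is worth confirming that the put calls, which are outside this hunk, fail cleanly rather than truncate when the estimate is short. cfg80211_ft_event starts before and continues past the hunk.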