wifi: iwlwifi: mvm: avoid oversized UATS command copy

MCC_ALLOWED_AP_TYPE_CMD exceeds the fixed copied host-command buffer
and triggers warnings in the gen2 enqueue path when command
0xc05 is sent.

Use IWL_HCMD_DFL_NOCOPY as it was done before the offending commit.

Fixes: 078df640ef05 ("wifi: iwlwifi: mld: add support for iwl_mcc_allowed_ap_type_cmd v2")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260529085453.9af349ab459b.I348df3980764c15efce0099a35fe8a88fb2a6ee2@changeid

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
index f05df3a3300e6f2ded8a6f304d007811460fd803..6e507d6dcdd2a1557261409beba0aec2715c016a 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
 /*
- * Copyright (C) 2012-2014, 2018-2025 Intel Corporation
+ * Copyright (C) 2012-2014, 2018-2026 Intel Corporation
  * Copyright (C) 2013-2015 Intel Mobile Communications GmbH
  * Copyright (C) 2016-2017 Intel Deutschland GmbH
  */
@@ -459,9 +459,14 @@ static void iwl_mvm_phy_filter_init(struct iwl_mvm *mvm,
 
 static void iwl_mvm_uats_init(struct iwl_mvm *mvm)
 {
+       struct iwl_mcc_allowed_ap_type_cmd_v1 *cmd __free(kfree) = NULL;
        int cmd_id = WIDE_ID(REGULATORY_AND_NVM_GROUP,
                             MCC_ALLOWED_AP_TYPE_CMD);
-       struct iwl_mcc_allowed_ap_type_cmd_v1 cmd = {};
+       struct iwl_host_cmd hcmd = {
+               .id = cmd_id,
+               .len[0] = sizeof(*cmd),
+               .dataflags[0] = IWL_HCMD_DFL_NOCOPY,
+       };
        u8 cmd_ver;
        int ret;
 
@@ -485,14 +490,25 @@ static void iwl_mvm_uats_init(struct iwl_mvm *mvm)
        if (!mvm->fwrt.ap_type_cmd_valid)
                return;
 
+       /* Since we free the command immediately after iwl_mvm_send_cmd, we
+        * must send this command in SYNC mode.
+        */
+       lockdep_assert_held(&mvm->mutex);
+
+       cmd = kzalloc_obj(*cmd);
+       if (!cmd)
+               return;
+
        BUILD_BUG_ON(sizeof(mvm->fwrt.ap_type_cmd.mcc_to_ap_type_map) !=
-                    sizeof(cmd.mcc_to_ap_type_map));
+                    sizeof(cmd->mcc_to_ap_type_map));
 
-       memcpy(cmd.mcc_to_ap_type_map,
+       memcpy(cmd->mcc_to_ap_type_map,
               mvm->fwrt.ap_type_cmd.mcc_to_ap_type_map,
               sizeof(mvm->fwrt.ap_type_cmd.mcc_to_ap_type_map));
 
-       ret = iwl_mvm_send_cmd_pdu(mvm, cmd_id, 0, sizeof(cmd), &cmd);
+       hcmd.data[0] = cmd;
+
+       ret = iwl_mvm_send_cmd(mvm, &hcmd);
        if (ret < 0)
                IWL_ERR(mvm, "failed to send MCC_ALLOWED_AP_TYPE_CMD (%d)\n",
                        ret);