From c795794eef8737f6272b2acce9025807af52da81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= Date: Thu, 29 Sep 2016 09:48:09 +0200 Subject: mac80211: use upstream patches for rtl8xxxu MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also improves rtl8188eu support. Signed-off-by: Álvaro Fernández Rojas --- ...x-memory-leak-in-handling-rxdesc16-packet.patch | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 package/kernel/mac80211/patches/657-0056-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch (limited to 'package/kernel/mac80211/patches/657-0056-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch') diff --git a/package/kernel/mac80211/patches/657-0056-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch b/package/kernel/mac80211/patches/657-0056-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch new file mode 100644 index 0000000000..15371f0477 --- /dev/null +++ b/package/kernel/mac80211/patches/657-0056-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch @@ -0,0 +1,34 @@ +From 5214760261aead3d3546b594e5b7021514ef76d1 Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Wed, 28 Sep 2016 14:48:51 -0400 +Subject: [PATCH] rtl8xxxu: Fix memory leak in handling rxdesc16 packets + +A device running without RX package aggregation could return more data +in the USB packet than the actual network packet. In this case the +could would clone the skb but then determine that that there was no +packet to handle and exit without freeing the cloned skb first. + +This has so far only been observed with 8188eu devices, but could +affect others. + +Signed-off-by: Jes Sorensen +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5296,7 +5296,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x + pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift + + sizeof(struct rtl8xxxu_rxdesc16), 128); + +- if (pkt_cnt > 1) ++ /* ++ * Only clone the skb if there's enough data at the end to ++ * at least cover the rx descriptor ++ */ ++ if (pkt_cnt > 1 && ++ urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) + next_skb = skb_clone(skb, GFP_ATOMIC); + + rx_status = IEEE80211_SKB_RXCB(skb); -- cgit v1.2.3