mac80211: update to wireless-testing 2016-10-08

Signed-off-by: Felix Fietkau <nbd@nbd.name>

1 files changed, 34 insertions, 0 deletions

diff --git a/package/kernel/mac80211/patches/650-0001-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch b/package/kernel/mac80211/patches/650-0001-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch
new file mode 100644
index 0000000000..31604b6264
--- /dev/null
+++ b/package/kernel/mac80211/patches/650-0001-rtl8xxxu-Fix-memory-leak-in-handling-rxdesc16-packet.patch
@@ -0,0 +1,34 @@
+From 51be39337a10a8bf9d8ec65419e78b76bf5adf60 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Wed, 28 Sep 2016 14:48:51 -0400
+Subject: [PATCH] rtl8xxxu: Fix memory leak in handling rxdesc16 packets
+
+A device running without RX package aggregation could return more data
+in the USB packet than the actual network packet. In this case the
+could would clone the skb but then determine that that there was no
+packet to handle and exit without freeing the cloned skb first.
+
+This has so far only been observed with 8188eu devices, but could
+affect others.
+
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5197,7 +5197,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x
+ 		pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift +
+ 				     sizeof(struct rtl8xxxu_rxdesc16), 128);
+ 
+-		if (pkt_cnt > 1)
++		/*
++		 * Only clone the skb if there's enough data at the end to
++		 * at least cover the rx descriptor
++		 */
++		if (pkt_cnt > 1 &&
++		    urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16)))
+ 			next_skb = skb_clone(skb, GFP_ATOMIC);
+ 
+ 		rx_status = IEEE80211_SKB_RXCB(skb);