From 12a1d01373a0eb8d9e92ebb94d381cceb6d78574 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 3 Oct 2021 14:25:20 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch
---
 ...1-fix-use-after-free-in-ccmp-gcmp-rx.patch | 54 +++++++++++++++++++
 queue-4.9/series | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 queue-4.9/mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch

diff --git a/queue-4.9/mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch b/queue-4.9/mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch
new file mode 100644
index 00000000000..5e9d13bcd0d
--- /dev/null
+++ b/queue-4.9/mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch
@@ -0,0 +1,54 @@
+From 94513069eb549737bcfc3d988d6ed4da948a2de8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 27 Sep 2021 11:58:39 +0200
+Subject: mac80211: fix use-after-free in CCMP/GCMP RX
+
+From: Johannes Berg
+
+commit 94513069eb549737bcfc3d988d6ed4da948a2de8 upstream.
+
+When PN checking is done in mac80211, for fragmentation we need
+to copy the PN to the RX struct so we can later use it to do a
+comparison, since commit bf30ca922a0c ("mac80211: check defrag
+PN against current frame").
+
+Unfortunately, in that commit I used the 'hdr' variable without
+it being necessarily valid, so use-after-free could occur if it
+was necessary to reallocate (parts of) the frame.
+
+Fix this by reloading the variable after the code that results
+in the reallocations, if any.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.
+
+Cc: stable@vger.kernel.org
+Fixes: bf30ca922a0c ("mac80211: check defrag PN against current frame")
+Link: https://lore.kernel.org/r/20210927115838.12b9ac6bb233.I1d066acd5408a662c3b6e828122cd314fcb28cdb@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/wpa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -514,6 +514,9 @@ ieee80211_crypto_ccmp_decrypt(struct iee
+ return RX_DROP_UNUSABLE;
+ }
+ 
++ /* reload hdr - skb might have been reallocated */
++ hdr = (void *)rx->skb->data;
++
+ data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
+ if (!rx->sta || data_len < 0)
+ return RX_DROP_UNUSABLE;
+@@ -744,6 +747,9 @@ ieee80211_crypto_gcmp_decrypt(struct iee
+ return RX_DROP_UNUSABLE;
+ }
+ 
++ /* reload hdr - skb might have been reallocated */
++ hdr = (void *)rx->skb->data;
++
+ data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
+ if (!rx->sta || data_len < 0)
+ return RX_DROP_UNUSABLE;
diff --git a/queue-4.9/series b/queue-4.9/series
index 8532af1a6a2..3002f0cf160 100644
--- a/queue-4.9/series
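Review bot: The added comment `/* reload hdr - skb might have been reallocated */` (same in the CCMP and GCMP hunks) does not say what reallocates or why the old pointer is unsafe, which is exactly what the next person inserting another skb pull between this line and a later `hdr` use needs to know; suggest `/* reload hdr: the pskb_may_pull()/skb_linearize() above may have moved skb->head, so the pointer taken before them is stale */`, with the caveat that those calls lie outside the hunk and should be checked against the 4.9 wpa.c. The reload is only meaningful if the 4.9 tree already carries the bf30ca922a0c backport that reads `hdr` after this point (the `ieee80211_is_frag(hdr)` PN copy), so that should be confirmed in the tree rather than assumed from the upstream Fixes: tag. `hdrlen`, presumably computed from the old header before the pull, is a plain integer and stays valid, so nothing else in this window appears to need reloading. Both ieee80211_crypto_ccmp_decrypt and ieee80211_crypto_gcmp_decrypt begin and end outside the hunk.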
+++ b/queue-4.9/series
@@ -32,3 +32,4 @@ qnx4-work-around-gcc-false-positive-warning-bug.patch
 tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch
 cpufreq-schedutil-use-kobject-release-method-to-free.patch
 cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch
+mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch
-- 
2.47.3