From 66ebda285ac57d8f60c47029a3bb44ce43e90ed7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 18 Nov 2014 11:06:39 -0800
Subject: [PATCH] 3.10-stable patches

added patches:
 mac80211-fix-use-after-free-in-defragmentation.patch
---
 ...ix-use-after-free-in-defragmentation.patch | 58 +++++++++++++++++++
 queue-3.10/series | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 queue-3.10/mac80211-fix-use-after-free-in-defragmentation.patch

diff --git a/queue-3.10/mac80211-fix-use-after-free-in-defragmentation.patch b/queue-3.10/mac80211-fix-use-after-free-in-defragmentation.patch
new file mode 100644
index 00000000000..7b87b2b507b
--- /dev/null
+++ b/queue-3.10/mac80211-fix-use-after-free-in-defragmentation.patch
@@ -0,0 +1,58 @@
+From b8fff407a180286aa683d543d878d98d9fc57b13 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 3 Nov 2014 13:57:46 +0100
+Subject: mac80211: fix use-after-free in defragmentation
+
+From: Johannes Berg
+
+commit b8fff407a180286aa683d543d878d98d9fc57b13 upstream.
+
+Upon receiving the last fragment, all but the first fragment
+are freed, but the multicast check for statistics at the end
+of the function refers to the current skb (the last fragment)
+causing a use-after-free bug.
+
+Since multicast frames cannot be fragmented and we check for
+this early in the function, just modify that check to also
+do the accounting to fix the issue.
+
+Reported-by: Yosef Khyal
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1585,11 +1585,14 @@ ieee80211_rx_h_defragment(struct ieee802
+ sc = le16_to_cpu(hdr->seq_ctrl);
+ frag = sc & IEEE80211_SCTL_FRAG;
+ 
+- if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+- is_multicast_ether_addr(hdr->addr1))) {
+- /* not fragmented */
++ if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
++ goto out;
++
++ if (is_multicast_ether_addr(hdr->addr1)) {
++ rx->local->dot11MulticastReceivedFrameCount++;
+ goto out;
+ }
++
+ I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+ 
+ if (skb_linearize(rx->skb))
+@@ -1682,10 +1685,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ out:
+ if (rx->sta)
+ rx->sta->rx_packets++;
+- if (is_multicast_ether_addr(hdr->addr1))
+- rx->local->dot11MulticastReceivedFrameCount++;
+- else
+- ieee80211_led_rx(rx->local);
++ ieee80211_led_rx(rx->local);
+ return RX_CONTINUE;
+ }
+ 
diff --git a/queue-3.10/series b/queue-3.10/series
index fc2c12f6cc5..8659bec96a4 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
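Review bot: The backported change removes the use-after-free, but the order of the two new checks in the first inner hunk silently changes what dot11MulticastReceivedFrameCount measures: a non-fragmented multicast frame now satisfies `!ieee80211_has_morefrags(fc) && frag == 0` and takes the first `goto out`, so the counter in the following `is_multicast_ether_addr(hdr->addr1)` block is only reached for multicast frames that carry fragment markers, whereas the removed tail code counted every multicast frame reaching `out:`. The second inner hunk has the mirror effect: `ieee80211_led_rx(rx->local)` is now called unconditionally at `out:`, so multicast frames that previously took the `else`-less branch now trigger the RX LED too. Both are statistics/LED regressions rather than memory-safety issues, and they are inherited from the upstream commit this file carries, so a stable queue may accept them; if not, the multicast check should come before the non-fragmented check and jump to a label past the LED call. The enclosing ieee80211_rx_h_defragment() starts and ends outside both inner hunks.
```c
	if (is_multicast_ether_addr(hdr->addr1)) {
		rx->local->dot11MulticastReceivedFrameCount++;
		goto out_no_led;
	}

	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
		goto out;
	/* … unchanged: I802_DEBUG_INC, skb_linearize, reassembly … */
 out:
	ieee80211_led_rx(rx->local);
 out_no_led:
	if (rx->sta)
		rx->sta->rx_packets++;
	return RX_CONTINUE;
```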
@@ -19,3 +19,4 @@ xtensa-re-wire-umount-syscall-to-sys_oldumount.patch
 libceph-do-not-crash-on-large-auth-tickets.patch
 iwlwifi-configure-the-ltr.patch
 macvtap-fix-csum_start-when-vlan-tags-are-present.patch
+mac80211-fix-use-after-free-in-defragmentation.patch
-- 
2.47.3