This is a note to let you know that I've just added the patch titled mac80211: fix memory corruption in EAPOL handling to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: mac80211-fix-memory-corruption-in-eapol-handling.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From davis@xxxxxxxxxxxx Thu Jul 15 13:54:04 2021 From: Davis Mosenkovs <davis@xxxxxxxxxxxx> Date: Sat, 10 Jul 2021 21:37:10 +0300 Subject: mac80211: fix memory corruption in EAPOL handling To: johannes@xxxxxxxxxxxxxxxx Cc: linux-wireless@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, Davis Mosenkovs <davis@xxxxxxxxxxxx> Message-ID: <20210710183710.5687-1-davis@xxxxxxxxxxxx> From: Davis Mosenkovs <davis@xxxxxxxxxxxx> Commit e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames") uses skb_mac_header() before eth_type_trans() is called leading to incorrect pointer, the pointer gets written to. This issue has appeared during backporting to 4.4, 4.9 and 4.14. Fixes: e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames") Link: https://lore.kernel.org/r/CAHQn7pKcyC_jYmGyTcPCdk9xxATwW5QPNph=bsZV8d-HPwNsyA@xxxxxxxxxxxxxx Cc: <stable@xxxxxxxxxxxxxxx> # 4.4.x Signed-off-by: Davis Mosenkovs <davis@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/mac80211/rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2380,7 +2380,7 @@ ieee80211_deliver_skb(struct ieee80211_r #endif if (skb) { - struct ethhdr *ehdr = (void *)skb_mac_header(skb); + struct ethhdr *ehdr = (struct ethhdr *)skb->data; /* deliver to local stack */ skb->protocol = eth_type_trans(skb, dev); Patches currently in stable-queue which might be from davis@xxxxxxxxxxxx are queue-4.9/mac80211-fix-memory-corruption-in-eapol-handling.patch