--- /dev/null
+From 4db561ae4a90c2d0e15996634567559e292dc9e5 Mon Sep 17 00:00:00 2001
+From: Ahmed Zaki <anzaki@gmail.com>
+Date: Sat, 2 Oct 2021 08:53:29 -0600
+Subject: [PATCH] mac80211: fix a memory leak where sta_info is not freed
+
+commit 8f9dcc29566626f683843ccac6113a12208315ca upstream.
+
+The following is from a system that went OOM due to a memory leak:
+
+wlan0: Allocated STA 74:83:c2:64:0b:87
+wlan0: Allocated STA 74:83:c2:64:0b:87
+wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta)
+wlan0: Adding new IBSS station 74:83:c2:64:0b:87
+wlan0: moving STA 74:83:c2:64:0b:87 to state 2
+wlan0: moving STA 74:83:c2:64:0b:87 to state 3
+wlan0: Inserted STA 74:83:c2:64:0b:87
+wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work)
+wlan0: Adding new IBSS station 74:83:c2:64:0b:87
+wlan0: moving STA 74:83:c2:64:0b:87 to state 2
+wlan0: moving STA 74:83:c2:64:0b:87 to state 3
+.
+.
+wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87
+wlan0: moving STA 74:83:c2:64:0b:87 to state 2
+wlan0: moving STA 74:83:c2:64:0b:87 to state 1
+wlan0: Removed STA 74:83:c2:64:0b:87
+wlan0: Destroyed STA 74:83:c2:64:0b:87
+
+The ieee80211_ibss_finish_sta() is called twice on the same STA from 2
+different locations. On the second attempt, the allocated STA is not
+destroyed creating a kernel memory leak.
+
+This is happening because sta_info_insert_finish() does not call
+sta_info_free() the second time when the STA already exists (returns
+-EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is
+destroyed upon errors.
+
+Same fix is applied to -ENOMEM.
+
+Signed-off-by: Ahmed Zaki <anzaki@gmail.com>
+Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com
+[change the error path label to use the existing code]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Viacheslav Sablin <sablin@ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/sta_info.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -646,13 +646,13 @@ static int sta_info_insert_finish(struct
+ /* check if STA exists already */
+ if (sta_info_get_bss(sdata, sta->sta.addr)) {
+ err = -EEXIST;
+- goto out_err;
++ goto out_cleanup;
+ }
+
+ sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL);
+ if (!sinfo) {
+ err = -ENOMEM;
+- goto out_err;
++ goto out_cleanup;
+ }
+
+ local->num_sta++;
+@@ -708,8 +708,8 @@ static int sta_info_insert_finish(struct
+ out_drop_sta:
+ local->num_sta--;
+ synchronize_net();
++ out_cleanup:
+ cleanup_single_sta(sta);
+- out_err:
+ mutex_unlock(&local->sta_mtx);
+ kfree(sinfo);
+ rcu_read_lock();
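Review bot: With `out_cleanup:` now placed before `cleanup_single_sta(sta)`, the -EEXIST path also falls through to `kfree(sinfo)` before `sinfo` has been assigned in this function, so the fix is only safe if `sinfo` is initialised to NULL at its declaration, which lies outside the hunk; that is worth confirming rather than assuming (the -ENOMEM path is fine because kzalloc() returned NULL). A one-line comment at the label would record the contract the commit message relies on: `out_cleanup: /* callers such as sta_info_insert_rcu() expect the STA freed on every error */`. sta_info_insert_finish() begins and ends outside the hunk.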
--- /dev/null
+From 552ba102a6898630a7d16887f29e606d6fabe508 Mon Sep 17 00:00:00 2001
+From: Siddh Raman Pant <code@siddh.me>
+Date: Sun, 14 Aug 2022 20:45:12 +0530
+Subject: [PATCH] wifi: mac80211: Don't finalize CSA in IBSS mode if state is
+ disconnected
+
+commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream.
+
+When we are not connected to a channel, sending channel "switch"
+announcement doesn't make any sense.
+
+The BSS list is empty in that case. This causes the for loop in
+cfg80211_get_bss() to be bypassed, so the function returns NULL
+(check line 1424 of net/wireless/scan.c), causing the WARN_ON()
+in ieee80211_ibss_csa_beacon() to get triggered (check line 500
+of net/mac80211/ibss.c), which was consequently reported on the
+syzkaller dashboard.
+
+Thus, check if we have an existing connection before generating
+the CSA beacon in ieee80211_ibss_finish_csa().
+
+Cc: stable@vger.kernel.org
+Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode")
+Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6
+Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com
+Signed-off-by: Siddh Raman Pant <code@siddh.me>
+Tested-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -534,6 +534,10 @@ int ieee80211_ibss_finish_csa(struct iee
+
+ sdata_assert_lock(sdata);
+
++ /* When not connected/joined, sending CSA doesn't make sense. */
++ if (ifibss->state != IEEE80211_IBSS_MLME_JOINED)
++ return -ENOLINK;
++
+ /* update cfg80211 bss information with the new channel */
+ if (!is_zero_ether_addr(ifibss->bssid)) {
+ cbss = cfg80211_get_bss(sdata->local->hw.wiphy,
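Review bot: The added early return introduces -ENOLINK as a new error value from ieee80211_ibss_finish_csa(), and its callers are outside the hunk, so it is worth confirming they treat any non-zero return as a failed CSA finalization rather than matching specific codes. The comment on the check should say what goes wrong otherwise, so the reason survives a later refactor: `/* Not joined: there is no BSS entry, so cfg80211_get_bss() below would return NULL and trip the WARN_ON() in ieee80211_ibss_csa_beacon(). */`. The `is_zero_ether_addr(ifibss->bssid)` guard below is kept, so if a bssid can be set in the joined state while the BSS entry is absent the WARN_ON() would remain reachable, but that cannot be judged from this hunk. The function's body continues past the hunk.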
--- /dev/null
+From 5d20c6f932f2758078d0454729129c894fe353e7 Mon Sep 17 00:00:00 2001
+From: Siddh Raman Pant <code@siddh.me>
+Date: Sat, 20 Aug 2022 01:33:40 +0530
+Subject: [PATCH] wifi: mac80211: Fix UAF in ieee80211_scan_rx()
+
+commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream.
+
+ieee80211_scan_rx() tries to access scan_req->flags after a
+null check, but a UAF is observed when the scan is completed
+and __ieee80211_scan_completed() executes, which then calls
+cfg80211_scan_done() leading to the freeing of scan_req.
+
+Since scan_req is rcu_dereference()'d, prevent the racing in
+__ieee80211_scan_completed() by ensuring that from mac80211's
+POV it is no longer accessed from an RCU read critical section
+before we call cfg80211_scan_done().
+
+Cc: stable@vger.kernel.org
+Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
+Reported-by: syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Siddh Raman Pant <code@siddh.me>
+Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/scan.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -461,16 +461,19 @@ static void __ieee80211_scan_completed(s
+ scan_req = rcu_dereference_protected(local->scan_req,
+ lockdep_is_held(&local->mtx));
+
+- if (scan_req != local->int_scan_req) {
+- local->scan_info.aborted = aborted;
+- cfg80211_scan_done(scan_req, &local->scan_info);
+- }
+ RCU_INIT_POINTER(local->scan_req, NULL);
+ RCU_INIT_POINTER(local->scan_sdata, NULL);
+
+ local->scanning = 0;
+ local->scan_chandef.chan = NULL;
+
++ synchronize_rcu();
++
++ if (scan_req != local->int_scan_req) {
++ local->scan_info.aborted = aborted;
++ cfg80211_scan_done(scan_req, &local->scan_info);
++ }
++
+ /* Set power back to normal operating levels. */
+ ieee80211_hw_config(local, 0);
+
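Review bot: The added `synchronize_rcu()` now blocks while `local->mtx` is held (the `lockdep_is_held(&local->mtx)` at the top of the hunk shows the lock is taken), and nothing in the hunk says why a grace period must precede `cfg80211_scan_done()`, so a later change could move the call back up and reintroduce the race. A comment beside the call would pin the ordering: `/* Wait for RCU readers (e.g. ieee80211_scan_rx()) that may still hold scan_req, since cfg80211_scan_done() may free it. */`. Only the local `scan_req` copy is dereferenced after the pointers are cleared, which is the correct shape for this pattern. __ieee80211_scan_completed() starts before the hunk and its body continues after it.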