--- /dev/null
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 13 Mar 2023 11:42:12 +0100
+Subject: [PATCH] wifi: mac80211: flush queues on STA removal
+
+When we remove a station, we first make it unreachable,
+then we (must) remove its keys, and then remove the
+station itself. Depending on the hardware design, if
+we have hardware crypto at all, frames still sitting
+on hardware queues may then be transmitted without a
+valid key, possibly unencrypted or with a fixed key.
+
+Fix this by flushing the queues when removing stations
+so this cannot happen.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
+---
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1271,6 +1271,14 @@ static void __sta_info_destroy_part2(str
+ WARN_ON_ONCE(ret);
+ }
+
++ /* Flush queues before removing keys, as that might remove them
++ * from hardware, and then depending on the offload method, any
++ * frames sitting on hardware queues might be sent out without
++ * any encryption at all.
++ */
++ if (local->ops->set_key)
++ ieee80211_flush_queues(local, sta->sdata, false);
++
+ /* now keys can no longer be reached */
+ ieee80211_free_sta_keys(local, sta);
+