diff --git a/SOURCES/CVE-2021-33034.patch b/SOURCES/CVE-2021-33034.patch
new file mode 100644
index 0000000..90984f8
--- /dev/null
+++ b/SOURCES/CVE-2021-33034.patch
@@ -0,0 +1,200 @@
+Changes since last build:
+[x86_64]:
+hci_event.o: changed function: hci_event_packet
+
+[ppc64le]:
+hci_event.o: changed function: hci_event_packet
+hci_event.o: new function: hci_resolve_name
+
+---------------------------
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+
+Modifications:
+- Remove modification of struct hci_chan and add hchan_amp
+  shadow variable as flag instead
+
+commit 418fac0a2503c7e5b310052431cecab67a0efb8f
+Author: Gopal Tiwari <gtiwari@redhat.com>
+Date:   Thu May 20 11:27:10 2021 +0530
+
+    Bluetooth: verify AMP hci_chan before amp_destroy
+
+    Bugzilla: https://bugzilla.redhat.com/1962544
+    CVE: CVE-2021-33034
+    Y-Commit: 162078c99ca2f976692d81b532a9eea80332cf82
+
+    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962546
+
+    O-CVE: CVE-2021-33034
+
+    Testing: Verified by me with the help of reproducer.
+    https://bugzilla.redhat.com/show_bug.cgi?id=1962546#c1
+
+    Upstream: Merged.
+
+    commit 5c4c8c9544099bb9043a10a5318130a943e32fc3
+    Author: Archie Pusaka <apusaka@chromium.org>
+    Date:   Mon Mar 22 14:03:11 2021 +0800
+
+    Bluetooth: verify AMP hci_chan before amp_destroy
+
+    hci_chan can be created in 2 places: hci_loglink_complete_evt() if
+    it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory,
+    Only AMP hci_chan should be removed by a call to
+    hci_disconn_loglink_complete_evt(). However, the controller might mess
+    up, call that function, and destroy an hci_chan which is not initiated
+    by hci_loglink_complete_evt().
+
+    This patch adds a verification that the destroyed hci_chan must have
+    been init'd by hci_loglink_complete_evt().
+
+    Example crash call trace:
+    Call Trace:
+     __dump_stack lib/dump_stack.c:77 [inline]
+     dump_stack+0xe3/0x144 lib/dump_stack.c:118
+     print_address_description+0x67/0x22a mm/kasan/report.c:256
+     kasan_report_error mm/kasan/report.c:354 [inline]
+     kasan_report mm/kasan/report.c:412 [inline]
+     kasan_report+0x251/0x28f mm/kasan/report.c:396
+     hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072
+     l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877
+     l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661
+     l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline]
+     l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline]
+     l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline]
+     l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline]
+     l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023
+     l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596
+     hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline]
+     hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796
+     process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+     worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+     kthread+0x2f0/0x304 kernel/kthread.c:253
+     ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+    Allocated by task 38:
+     set_track mm/kasan/kasan.c:460 [inline]
+     kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553
+     kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787
+     kmalloc include/linux/slab.h:515 [inline]
+     kzalloc include/linux/slab.h:709 [inline]
+     hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674
+     l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062
+     l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline]
+     l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381
+     hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404
+     hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline]
+     hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981
+     hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
+     process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+     worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+     kthread+0x2f0/0x304 kernel/kthread.c:253
+     ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+    Freed by task 1732:
+     set_track mm/kasan/kasan.c:460 [inline]
+     __kasan_slab_free mm/kasan/kasan.c:521 [inline]
+     __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493
+     slab_free_hook mm/slub.c:1409 [inline]
+     slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436
+     slab_free mm/slub.c:3009 [inline]
+     kfree+0x182/0x21e mm/slub.c:3972
+     hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline]
+     hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050
+     hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
+     process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+     worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+     kthread+0x2f0/0x304 kernel/kthread.c:253
+     ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+    The buggy address belongs to the object at ffff8881d7af9180
+     which belongs to the cache kmalloc-128 of size 128
+    The buggy address is located 24 bytes inside of
+     128-byte region [ffff8881d7af9180, ffff8881d7af9200)
+    The buggy address belongs to the page:
+    page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0
+    flags: 0x8000000000000200(slab)
+    raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200
+    raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
+    page dumped because: kasan: bad access detected
+
+    Memory state around the buggy address:
+     ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+     ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+    >ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                ^
+     ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+     ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+    Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+    Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com
+    Reviewed-by: Alain Michaud <alainm@chromium.org>
+    Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+    (cherry picked from commit 5c4c8c9544099bb9043a10a5318130a943e32fc3)
+    Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
+    Signed-off-by: Jan Stancek <jstancek@redhat.com>
+
+Signed-off-by: Joel Savitz <jsavitz@redhat.com> for v1
+Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
+---
+
+v2:
+- minor code cleanup from v1, removed intermediate variables
+- I tried forcing hci_resolve_name() as always_inline on ppc64le, but
+  this cascaded into a series of neverending inline / half inline / etc.
+  compiler decisions that I could never completely eliminate.
+
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/692
+
+KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5457381
+for kpatch-patch-4_18_0-193_1_2-1-12.el8_2 scratch build:
+https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37373415
+
+ net/bluetooth/hci_event.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 8a7af33b0a3e..e66687f5b701 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -29,6 +29,9 @@
+ #include <net/bluetooth/bluetooth.h>
+ #include <net/bluetooth/hci_core.h>
+ #include <net/bluetooth/mgmt.h>
++#include <linux/livepatch.h>
++
++#define KLP_CVE_2021_33034_HCHAN_AMP 0x2021330340000000
+ 
+ #include "hci_request.h"
+ #include "hci_debugfs.h"
+@@ -4929,6 +4932,11 @@ static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ 		return;
+ 
+ 	hchan->handle = le16_to_cpu(ev->handle);
++	if (!klp_shadow_get_or_alloc(hchan, KLP_CVE_2021_33034_HCHAN_AMP,
++				     0, GFP_KERNEL, NULL, NULL)) {
++		hci_chan_del(hchan);
++		return;
++	}
+ 
+ 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
+ 
+@@ -4961,9 +4969,10 @@ static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
+ 	hci_dev_lock(hdev);
+ 
+ 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
+-	if (!hchan)
++	if (!hchan || !klp_shadow_get(hchan, KLP_CVE_2021_33034_HCHAN_AMP))
+ 		goto unlock;
+ 
++	klp_shadow_free(hchan, KLP_CVE_2021_33034_HCHAN_AMP, NULL);
+ 	amp_destroy_logical_link(hchan, ev->reason);
+ 
+ unlock:
+-- 
+2.26.3
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 58c2676..9755960 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,13 +6,16 @@
 %define kernel_ver	4.18.0-305.el8
 %define kpatch_ver	0.9.3
 %define rpm_ver		1
-%define rpm_rel		1
+%define rpm_rel		2
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
 #
 # https://bugzilla.redhat.com/1954230
 Source100: KVM-VMX-Don-t-use-vcpu-run-internal.ndata-as-an-arra.patch
+#
+# https://bugzilla.redhat.com/1962521
+Source101: CVE-2021-33034.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -32,7 +35,7 @@ Summary:	Live kernel patching module for kernel-%{kernel_ver_arch}
 
 Group:		System Environment/Kernel
 License:	GPLv2
-ExclusiveArch:	x86_64
+ExclusiveArch:	x86_64 ppc64le
 
 Conflicts:	%{name} < %{version}-%{release}
 
@@ -151,6 +154,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Thu Jun 17 2021 Yannick Cote <ycote@redhat.com> [1-2.el8]
+- kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan [1962521] {CVE-2021-33034}
+
 * Tue May 11 2021 Artem Savkov <asavkov@redhat.com> [1-1.el8]
 - serspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run [1954230] {CVE-2021-3501}