From 337fba5c8242da698b087eece4dba8ba4fd6fb73 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 25 Apr 2018 10:32:47 +0200
Subject: [PATCH] 4.14-stable patches added patches: mac80211_hwsim-fix-use-after-free-bug-in-hwsim_exit_net.patch
---
 ...use-after-free-bug-in-hwsim_exit_net.patch | 41 +++++++++++++++++++
 queue-4.14/series | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 queue-4.14/mac80211_hwsim-fix-use-after-free-bug-in-hwsim_exit_net.patch
diff --git a/queue-4.14/mac80211_hwsim-fix-use-after-free-bug-in-hwsim_exit_net.patch b/queue-4.14/mac80211_hwsim-fix-use-after-free-bug-in-hwsim_exit_net.patch
new file mode 100644
index 00000000000..cd75d76d80e
--- /dev/null
+++ b/queue-4.14/mac80211_hwsim-fix-use-after-free-bug-in-hwsim_exit_net.patch
@@ -0,0 +1,41 @@
+From 8cfd36a0b53aeb4ec21d81eb79706697b84dfc3d Mon Sep 17 00:00:00 2001
+From: Benjamin Beichler
+Date: Wed, 7 Mar 2018 18:11:07 +0100
+Subject: mac80211_hwsim: fix use-after-free bug in hwsim_exit_net
+
+From: Benjamin Beichler
+
+commit 8cfd36a0b53aeb4ec21d81eb79706697b84dfc3d upstream.
+
+When destroying a net namespace, all hwsim interfaces, which are not
+created in default namespace are deleted. But the async deletion of the
+interfaces could last longer than the actual destruction of the
+namespace, which results to an use after free bug. Therefore use
+synchronous deletion in this case.
+
+Fixes: 100cb9ff40e0 ("mac80211_hwsim: Allow managing radios from non-initial namespaces")
+Reported-by: syzbot+70ce058e01259de7bb1d@syzkaller.appspotmail.com
+Signed-off-by: Benjamin Beichler
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3427,8 +3427,11 @@ static void __net_exit hwsim_exit_net(st
+ continue;
+
+ list_del(&data->list);
+- INIT_WORK(&data->destroy_work, destroy_radio);
+- schedule_work(&data->destroy_work);
++ spin_unlock_bh(&hwsim_radio_lock);
++ mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
++ NULL);
++ spin_lock_bh(&hwsim_radio_lock);
++
+ }
+ spin_unlock_bh(&hwsim_radio_lock);
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
index 6806f0a2522..e88bce91262 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -180,3 +180,4 @@ perf-fix-sample_max_stack-maximum-check.patch
 perf-return-proper-values-for-user-stack-errors.patch
 rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch
 revert-kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
+mac80211_hwsim-fix-use-after-free-bug-in-hwsim_exit_net.patch
-- 
2.47.3
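Review bot: In the queued `hwsim_exit_net` change, `hwsim_radio_lock` is released and retaken inside the loop body around `mac80211_hwsim_del_radio()`, so the walk over the radio list is no longer covered by a single critical section. The loop header and the start of the function are outside the hunk; if the loop is a `list_for_each_entry_safe()` walk (inferred from the `list_del()` inside it), the saved next entry could be unlinked and freed by another deletion path while the lock is dropped, leaving the iterator with a stale pointer. A sturdier shape is to move the matching radios onto a function-local list while holding the lock and tear them down only after the final `spin_unlock_bh()`, as sketched below. The blank `+` line added just before the loop's closing brace is stray and can be dropped.

```c
		/* … unchanged: per-radio namespace checks ending in continue … */

		/* detach under the lock; destroy once the walk is finished */
		list_move(&data->list, &doomed);
	}
	spin_unlock_bh(&hwsim_radio_lock);

	/* doomed: LIST_HEAD local to hwsim_exit_net; next: the loop's spare cursor (name assumed) */
	list_for_each_entry_safe(data, next, &doomed, list) {
		list_del(&data->list);
		mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
					 NULL);
	}
```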