From f5cf475edd935f6c7aaa3c012d79b34a4af688d8 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 2 Oct 2017 10:58:19 +0200 Subject: [PATCH] 4.4-stable patches added patches: mac80211-flush-hw_roc_start-work-before-cancelling-the-roc.patch --- ...start-work-before-cancelling-the-roc.patch | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 queue-4.4/mac80211-flush-hw_roc_start-work-before-cancelling-the-roc.patch diff --git a/queue-4.4/mac80211-flush-hw_roc_start-work-before-cancelling-the-roc.patch b/queue-4.4/mac80211-flush-hw_roc_start-work-before-cancelling-the-roc.patch new file mode 100644 index 00000000000..a514d20a818 --- /dev/null +++ b/queue-4.4/mac80211-flush-hw_roc_start-work-before-cancelling-the-roc.patch 
@@ -0,0 +1,45 @@ +From 6e46d8ce894374fc135c96a8d1057c6af1fef237 Mon Sep 17 00:00:00 2001 +From: Avraham Stern +Date: Fri, 18 Aug 2017 15:33:57 +0300 +Subject: mac80211: flush hw_roc_start work before cancelling the ROC + +From: Avraham Stern + +commit 6e46d8ce894374fc135c96a8d1057c6af1fef237 upstream. + +When HW ROC is supported it is possible that after the HW notified +that the ROC has started, the ROC was cancelled and another ROC was +added while the hw_roc_start worker is waiting on the mutex (since +cancelling the ROC and adding another one also holds the same mutex). +As a result, the hw_roc_start worker will continue to run after the +new ROC is added but before it is actually started by the HW. +This may result in notifying userspace that the ROC has started before +it actually does, or in case of management tx ROC, in an attempt to +tx while not on the right channel. + +In addition, when the driver will notify mac80211 that the second ROC +has started, mac80211 will warn that this ROC has already been +notified. + +Fix this by flushing the hw_roc_start work before cancelling an ROC. + +Signed-off-by: Avraham Stern +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/offchannel.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/offchannel.c ++++ b/net/mac80211/offchannel.c +@@ -469,6 +469,8 @@ void ieee80211_roc_purge(struct ieee8021 + struct ieee80211_roc_work *roc, *tmp; + LIST_HEAD(tmp_list); + ++ flush_work(&local->hw_roc_start); ++ + mutex_lock(&local->mtx); + list_for_each_entry_safe(roc, tmp, &local->roc_list, list) { + if (sdata && roc->sdata != sdata) -- 2.47.3
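Review bot: In the net/mac80211/offchannel.c hunk, flush_work(&local->hw_roc_start) sits directly above mutex_lock(&local->mtx) with no comment, and that ordering is load-bearing. The commit message says the hw_roc_start worker waits on the same mutex, so a later cleanup that moved the flush under the lock would deadlock against the worker. A short comment above the call stating that it must run before local->mtx is taken would prevent that. Two points to confirm for this 4.4 queue entry. First, the hunk header places the flush in ieee80211_roc_purge, while the message describes cancelling an ROC and then adding another one, and this is the only function the diffstat touches, so check that the cancel path the message refers to reaches this function in 4.4. Second, flush_work() returns before the mutex is acquired, so hw_roc_start work queued in that window would still run after the purge. The message should say whether that can happen or why it cannot.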