From 05ab1225e55cdb2674b00e04d5aa08f052575acc Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 10 Oct 2016 09:43:17 +0200 Subject: kernel: CVE-2016-4951 Fixes null pointer dereference in tipc_nl_publ_dump. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4951 Reference to upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=49956430d3d55b47e4a2d2f5f777d641cae137d6 Signed-off-by: Sona Sarmadi Signed-off-by: Martin Borg --- recipes-kernel/linux/files/CVE-2016-4951.patch | 43 ++++++++++++++++++++++++++ recipes-kernel/linux/linux-qoriq_4.1.bbappend | 1 + 2 files changed, 44 insertions(+) create mode 100644 recipes-kernel/linux/files/CVE-2016-4951.patch diff --git a/recipes-kernel/linux/files/CVE-2016-4951.patch b/recipes-kernel/linux/files/CVE-2016-4951.patch new file mode 100644 index 0000000..e4807b3 --- /dev/null +++ b/recipes-kernel/linux/files/CVE-2016-4951.patch 
@@ -0,0 +1,43 @@ +From 49956430d3d55b47e4a2d2f5f777d641cae137d6 Mon Sep 17 00:00:00 2001 +From: Richard Alpe +Date: Mon, 16 May 2016 11:14:54 +0200 +Subject: tipc: check nl sock before parsing nested attributes + +[ Upstream commit 45e093ae2830cd1264677d47ff9a95a71f5d9f9c ] + +Make sure the socket for which the user is listing publication exists +before parsing the socket netlink attributes. + +Prior to this patch a call without any socket caused a NULL pointer +dereference in tipc_nl_publ_dump(). + +Upstream-Status: Backport +CVE: CVE-2016-4951 + +Tested-and-reported-by: Baozeng Ding +Signed-off-by: Richard Alpe +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Sona Sarmadi +--- + net/tipc/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 20cc6df..d41d424 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2804,6 +2804,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) + if (err) + return err; + ++ if (!attrs[TIPC_NLA_SOCK]) ++ return -EINVAL; ++ + err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, + attrs[TIPC_NLA_SOCK], + tipc_nl_sock_policy); +-- +cgit v0.12 + diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bbappend b/recipes-kernel/linux/linux-qoriq_4.1.bbappend index 17b288a..39e23cb 100644 --- a/recipes-kernel/linux/linux-qoriq_4.1.bbappend +++ b/recipes-kernel/linux/linux-qoriq_4.1.bbappend @@ -3,4 +3,5 @@ require recipes-kernel/linux/linux-qoriq-common.inc FILESEXTRAPATHS_prepend := "${THISDIR}/files:" SRC_URI += "file://hid-CVE-2016-5829.patch \ + file://CVE-2016-4951.patch \ " -- cgit v1.2.3-54-g00ecf
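Review bot: in the tipc_nl_publ_dump() hunk of the new CVE-2016-4951.patch, the added `if (!attrs[TIPC_NLA_SOCK]) return -EINVAL;` sits after the `if (err) return err;` that follows the outer attribute parse and before nla_parse_nested() reads attrs[TIPC_NLA_SOCK], so a dump request that omits the socket attribute now fails with -EINVAL instead of handing a NULL pointer to nla_parse_nested(); the placement and return code are correct. The patch carries Upstream-Status: Backport and a CVE: tag and cites both the stable commit 49956430 and the upstream commit 45e093ae, which is what is needed to verify provenance. What the commit message does not state is that the hunk (context at line 2804, index 20cc6df..d41d424 from linux-stable) applies cleanly to the linux-qoriq 4.1 tree; since this is a stable backport being carried into a vendor 4.1 kernel, please confirm that in the message, and note whether the patch was applied with offset or fuzz.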
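Review bot: in the linux-qoriq_4.1.bbappend hunk, the new `file://CVE-2016-4951.patch \` entry is added inside the existing `SRC_URI +=` block with the same trailing-backslash continuation as `file://hid-CVE-2016-5829.patch \`, so the assignment stays well-formed and the closing `"` is untouched. One style point: the two patch files follow different naming conventions (a subsystem prefix on hid-CVE-2016-5829.patch, none on CVE-2016-4951.patch); a tipc- prefix would keep the files directory consistent and make the affected subsystem visible without opening the patch.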