From acfea0924b4e8e0a1a890d1151de1e3f39264926 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Wed, 9 Mar 2016 07:37:32 +0100
Subject: kernel-ipv4: CVE-2015-3636

Fixes use-after-free leading to local privilege escalation.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3636

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=8a9a51ba2eff62e1a899daad7b623becfed8f3f1

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Huimin She <huimin.she@enea.com>
---
 .../linux/linux-qoriq-3.12/CVE-2015-3636.patch     | 39 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq-common.inc        |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-3636.patch

diff --git a/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-3636.patch b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-3636.patch
new file mode 100644
index 0000000..516017e
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-3636.patch
@@ -0,0 +1,39 @@
+From 8a9a51ba2eff62e1a899daad7b623becfed8f3f1 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 1 May 2015 22:02:47 -0400
+Subject: ipv4: Missing sk_nulls_node_init() in ping_unhash().
+
+[ Upstream commit a134f083e79fb4c3d0a925691e732c56911b4326 ]
+
+If we don't do that, then the poison value is left in the ->pprev
+backlink.
+
+This can cause crashes if we do a disconnect, followed by a connect().
+
+Fixes CVE-2015-3636
+Upstream-Status: Backport
+
+Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reported-by: Wen Xu <hotdog3645@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv4/ping.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index a9f8e66..54012b8 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -154,6 +154,7 @@ void ping_unhash(struct sock *sk)
+ 	if (sk_hashed(sk)) {
+ 		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
++		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = 0;
+ 		isk->inet_sport = 0;
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 504bbfc..6e77abb 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -24,6 +24,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
     file://drivers-scsi-CVE-2015-5707.patch \
     file://vhost-CVE-2015-6252.patch \
     file://CVE-2015-2922.patch \
+    file://CVE-2015-3636.patch \
     "
 
 SRC_URI += "file://cfg/00013-localversion.cfg \
-- 
cgit v1.2.3-54-g00ecf