From af15989919f43e13e027fb698f5fefe4c73eb8de Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Tue, 29 Dec 2015 10:00:18 +0100
Subject: kernel-fs: CVE-2015-5706

Fixes double fput().

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5706
CVE assignment: http://seclists.org/oss-sec/2015/q3/270

Upstream/original fix:
======================
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=88b4f377466cb673777d27693acf70108a908106

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 recipes-kernel/linux/files/fs-CVE-2015-5706.patch | 45 +++++++++++++++++++++++
 recipes-kernel/linux/linux-yocto_3.14.bbappend    |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 recipes-kernel/linux/files/fs-CVE-2015-5706.patch

diff --git a/recipes-kernel/linux/files/fs-CVE-2015-5706.patch b/recipes-kernel/linux/files/fs-CVE-2015-5706.patch
new file mode 100644
index 0000000..ef1951f
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-CVE-2015-5706.patch
@@ -0,0 +1,45 @@
+From 88b4f377466cb673777d27693acf70108a908106 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 8 May 2015 22:53:15 -0400
+Subject: path_openat(): fix double fput()
+
+commit f15133df088ecadd141ea1907f2c96df67c729f0 upstream.
+
+path_openat() jumps to the wrong place after do_tmpfile() - it has
+already done path_cleanup() (as part of path_lookupat() called by
+do_tmpfile()), so doing that again can lead to double fput().
+
+Fixes CVE-2015-5706.
+Upstream-Status: Backport
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index ccb8000..c6fa079 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3171,7 +3171,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+ 
+ 	if (unlikely(file->f_flags & __O_TMPFILE)) {
+ 		error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
+-		goto out;
++		goto out2;
+ 	}
+ 
+ 	error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base);
+@@ -3209,6 +3209,7 @@ out:
+ 		path_put(&nd->root);
+ 	if (base)
+ 		fput(base);
++out2:
+ 	if (!(opened & FILE_OPENED)) {
+ 		BUG_ON(!error);
+ 		put_filp(file);
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 001026f..7078d4e 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://IB-uverbs-CVE-2014-8159.patch \
             file://net-sctp-CVE-2015-1421.patch \
             file://fs-CVE-2015-3339.patch \
+            file://fs-CVE-2015-5706.patch \
            "
-- 
cgit v1.2.3-54-g00ecf