diff --git a/debian/changelog b/debian/changelog
index 639802ab5..ec92e8f25 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -122,6 +122,7 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
 * isofs: get_rock_ridge_filename(): handle malformed NM entries
 * uapi glibc compat: fix compile errors when glibc net/if.h included before linux/if.h (Closes: #822393)
+ * videobuf2-core: Fix crash after fixing CVE-2016-4568
 -- Aurelien Jarno Tue, 10 May 2016 23:58:07 +0200
diff --git a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
new file mode 100644
index 000000000..8c80f98ef
--- /dev/null
+++ b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
@@ -0,0 +1,25 @@
+From: Ben Hutchings
+Date: Mon, 16 May 2016 03:26:30 +0100
+Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
+
+Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
+dequeueing" was reverted upstream by commit 93f0750dcdae.
+
+It's obvious from the log in the revert commit message that pb == NULL
+in __verify_planes_array(). We should treat this case as successful
+because vb2_core_dqbuf() won't attempt to copy anything to user
+buffers.
+
+Signed-off-by: Ben Hutchings
+---
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
+ * Only remove the buffer from done_list if v4l2_buffer can handle all
+ * the planes.
+ */
+- ret = call_bufop(q, verify_planes_array, *vb, pb);
++ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
+ if (!ret)
+ list_del(&(*vb)->done_entry);
+ spin_unlock_irqrestore(&q->done_lock, flags);
diff --git a/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch b/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch
index 4c63bff48..be324fdf1 100644
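Review bot: The new `ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;` line in __vb2_get_done_vb() makes the planes-array check fail open when pb is NULL, and nothing in the patched code says why that is safe. The retained comment above it still reads as if the check always runs. The patch description gives the reason (vb2_core_dqbuf() will not copy anything to user buffers in that case), so it belongs next to the code, e.g. `/* pb == NULL: nothing is copied back to the caller, so there is no planes array to verify */`. Because this check is the CVE-2016-4568 fix, the patch header should also state that every path which does copy plane data passes a non-NULL pb. That cannot be confirmed from the three context lines shown, and the function body continues outside the inner hunk.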
--- a/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch
+++ b/debian/patches/debian/v4l2-fix-abi-changes-in-4.5.3.patch
@@ -17,8 +17,8 @@ genksyms. Set and check the flag as necessary.
 * Only remove the buffer from done_list if v4l2_buffer can handle all
 * the planes.
 */
-- ret = call_bufop(q, verify_planes_array, *vb, pb);
-+ ret = q->have_verify_planes_array ?
+- ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
++ ret = (pb && q->have_verify_planes_array) ?
 + call_bufop(q, verify_planes_array, *vb, pb) : 0;
 if (!ret)
 list_del(&(*vb)->done_entry);
diff --git a/debian/patches/series b/debian/patches/series
index 488677b9d..bf28b482e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -86,6 +86,7 @@ bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
 bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
 bugfix/all/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
 bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch
+bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
 # Miscellaneous features
 features/all/mm-exclude-zone_device-from-gfp_zone_table.patch
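Review bot: After this refresh the check in __vb2_get_done_vb() is skipped for two unrelated reasons, `pb` being NULL and `q->have_verify_planes_array` being clear, and both silently produce ret = 0. The second case appears to leave such a queue without the CVE-2016-4568 planes verification even when a caller buffer is supplied. Only the header fragment "Set and check the flag as necessary" is visible here, so when the flag is clear is an inference to confirm against the rest of the patch. A comment in the patched code should say which queues have the flag clear and why skipping is acceptable for them, e.g. `/* have_verify_planes_array is clear only for <which queues>; the planes check cannot run there */`.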