From 6bd3003700131922f377e92a4cfa9eedf2e9f3cb Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 3 May 2015 15:24:53 +0000 Subject: [PATCH] ipv4: Missing sk_nulls_node_init() in ping_unhash() (CVE-2015-3636) svn path=/dists/trunk/linux/; revision=22553 --- debian/changelog | 1 + ...ng-sk_nulls_node_init-in-ping_unhash.patch | 29 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 31 insertions(+) create mode 100644 debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch diff --git a/debian/changelog b/debian/changelog index 831db97e0..5c5ce3017 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,7 @@ linux (4.0.1-1~exp1) UNRELEASED; urgency=medium [ Ben Hutchings ] * debian.py,gencontrol.py: Fix the version sanity checks for backports and security/LTS uploads + * ipv4: Missing sk_nulls_node_init() in ping_unhash() (CVE-2015-3636) -- Ben Hutchings Mon, 27 Apr 2015 20:48:43 +0100 diff --git a/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch b/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch new file mode 100644 index 000000000..27efadd96 --- /dev/null +++ b/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch 
@@ -0,0 +1,29 @@ +From: "David S. Miller" +Date: Fri, 1 May 2015 22:02:47 -0400 +Subject: ipv4: Missing sk_nulls_node_init() in ping_unhash(). +Origin: https://git.kernel.org/linus/a134f083e79fb4c3d0a925691e732c56911b4326 + +If we don't do that, then the poison value is left in the ->pprev +backlink. + +This can cause crashes if we do a disconnect, followed by a connect(). + +Tested-by: Linus Torvalds +Reported-by: Wen Xu +Signed-off-by: David S. Miller +--- + net/ipv4/ping.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index a93f260..05ff44b 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -158,6 +158,7 @@ void ping_unhash(struct sock *sk) + if (sk_hashed(sk)) { + write_lock_bh(&ping_table.lock); + hlist_nulls_del(&sk->sk_nulls_node); ++ sk_nulls_node_init(&sk->sk_nulls_node); + sock_put(sk); + isk->inet_num = 0; + isk->inet_sport = 0; diff --git a/debian/patches/series b/debian/patches/series index 610558d3e..92f0dc9f1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -64,3 +64,4 @@ debian/emmc-don-t-initialize-partitions-on-rpmb-flagged-areas.patch # Miscellaneous features features/all/efi-autoload-efi-pstore.patch +bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
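Review bot: in the net/ipv4/ping.c hunk of the new patch file, the added `sk_nulls_node_init(&sk->sk_nulls_node);` is placed where it has to be: inside the write_lock_bh(&ping_table.lock) region and immediately after hlist_nulls_del(), which is the call that leaves the poison value in ->pprev that the description mentions, and before sock_put(sk) drops the reference. Since the surrounding `if (sk_hashed(sk))` test is what decides whether the unhash path runs again on a later disconnect, leaving the poisoned back-pointer in place is exactly what makes the "disconnect, followed by a connect()" sequence crash, so the one-line change is sufficient. The documentation gap is that the patch file header carries Origin:, Tested-by:, Reported-by: and Signed-off-by: but never mentions CVE-2015-3636; only debian/changelog does. Add the CVE id to the Subject: line or to the description so that anyone auditing debian/patches/bugfix/all/ can tie the file to the advisory without cross-referencing the changelog.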
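Review bot: in the debian/patches/series hunk, `bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch` is appended directly below the `# Miscellaneous features` comment, after features/all/efi-autoload-efi-pstore.patch, so a reader scanning the series will file a security fix under features. Either move the line up to sit with the other bugfix entries or introduce a separate comment line (for example `# Security fixes`) above it so the grouping stays meaningful as further CVE patches are added.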