authorPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-26 15:29:58 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-26 15:29:58 -0400
commit99cee4ac2a5d9e3c83594ccd7e137e144b103595 (patch)
treebceacf5db7d6feaa22a23694768f6b2fd1c6bbc9
parentad9b522b29e813b29676de16a24cdcc90720e2d0 (diff)
add two CAN CVE patches
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--queue/can-Add-missing-socket-check-in-can-bcm-release.patch37
-rw-r--r--queue/can-add-missing-socket-check-in-can-raw-release.patch39
-rw-r--r--queue/series3
3 files changed, 79 insertions, 0 deletions
diff --git a/queue/can-Add-missing-socket-check-in-can-bcm-release.patch b/queue/can-Add-missing-socket-check-in-can-bcm-release.patch
new file mode 100644
index 0000000..1b7d976
--- /dev/null
+++ b/queue/can-Add-missing-socket-check-in-can-bcm-release.patch
@@ -0,0 +1,37 @@
+From 3acf1e0adee3d409e811762b0b8da99634cb6ec4 Mon Sep 17 00:00:00 2001
+From: Dave Jones <davej@redhat.com>
+Date: Tue, 19 Apr 2011 20:36:59 -0700
+Subject: [PATCH] can: Add missing socket check in can/bcm release.
+
+commit c6914a6f261aca0c9f715f883a353ae7ff51fe83 upstream.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Signed-off-by: Dave Jones <davej@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index dd23fb1..a6445fd 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1426,9 +1426,14 @@ static int bcm_init(struct sock *sk)
+ static int bcm_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct bcm_sock *bo = bcm_sk(sk);
++ struct bcm_sock *bo;
+ struct bcm_op *op, *next;
+
++ if (sk == NULL)
++ return 0;
++
++ bo = bcm_sk(sk);
++
+ /* remove bcm_ops, timer, rx_unregister(), etc. */
+
+ unregister_netdevice_notifier(&bo->notifier);
+--
+1.7.4.4
+
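Review bot: The new guard in bcm_release() has no comment saying when `sock->sk` can be NULL, and the patch description's "NULL socket argument" does not match the code, which dereferences `sock` unconditionally on the line before and tests only `sk`. A short comment above the check would make the condition explicit, for example `/* sock->sk may be NULL if release runs on a socket with no sock attached */`. The exact trigger is not visible in this hunk, so that wording should be confirmed against the caller. The same guard in raw_release() in the second patch has the same gap. bcm_release's body continues past the end of the hunk.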
diff --git a/queue/can-add-missing-socket-check-in-can-raw-release.patch b/queue/can-add-missing-socket-check-in-can-raw-release.patch
new file mode 100644
index 0000000..9a2d41a
--- /dev/null
+++ b/queue/can-add-missing-socket-check-in-can-raw-release.patch
@@ -0,0 +1,39 @@
+From 40352df517ac43e9b43bbf380fe55a6198984d71 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 20 Apr 2011 01:57:15 +0000
+Subject: [PATCH] can: add missing socket check in can/raw release
+
+commit 10022a6c66e199d8f61d9044543f38785713cbbd upstream.
+
+v2: added space after 'if' according code style.
+
+We can get here with a NULL socket argument passed from userspace,
+so we need to handle it accordingly.
+
+Thanks to Dave Jones pointing at this issue in net/can/bcm.c
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index da99cf1..9dd45ea 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -281,7 +281,12 @@ static int raw_init(struct sock *sk)
+ static int raw_release(struct socket *sock)
+ {
+ struct sock *sk = sock->sk;
+- struct raw_sock *ro = raw_sk(sk);
++ struct raw_sock *ro;
++
++ if (!sk)
++ return 0;
++
++ ro = raw_sk(sk);
+
+ unregister_netdevice_notifier(&ro->notifier);
+
+--
+1.7.4.4
+
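Review bot: The patch header gives the upstream commit id but no CVE identifier, although the queue commit describes both files as CVE patches, so the backport cannot be matched to an advisory from the patch alone. Adding a line to the description such as `CVE: <CVE id for this fix>` would let distributors and vulnerability scanners track which trees carry the fix. The bcm patch header lacks the identifier as well. The id does not appear on this page and should be taken from the advisory.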
diff --git a/queue/series b/queue/series
index 28302b0..edfc310 100644
--- a/queue/series
+++ b/queue/series
@@ -9,3 +9,6 @@ aio-wake-all-waiters-when-destroying-ctx.patch
# Content taken from v2.6.32.40
next_pidmap-fix-overflow-condition.patch
proc-do-proper-range-check-on-readdir-offset.patch
+can-Add-missing-socket-check-in-can-bcm-release.patch
+can-add-missing-socket-check-in-can-raw-release.patch
+