From ca0bbf698bc9aa54344cddaea34a689be14892be Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 15 Dec 2015 21:25:16 +0000
Subject: [PATCH] tipc: Fix kfree_skb() of uninitialised pointer (regression in
 4.3.3)

---
 debian/changelog                              |  1 +
 ...x-kfree_skb-of-uninitialised-pointer.patch | 29 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 31 insertions(+)
 create mode 100644 debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch

diff --git a/debian/changelog b/debian/changelog
index b8807f8d7..1fe0a7774 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -76,6 +76,7 @@ linux (4.3.3-1) UNRELEASED; urgency=medium
     register_netdevice failure" in 4.3.3
   * net: Ignore ABI changes due to "ipv6: add complete rcu protection around
     np->opt", which don't appear to affect out-of-tree modules
+  * tipc: Fix kfree_skb() of uninitialised pointer (regression in 4.3.3)
 
  -- Ben Hutchings <ben@decadent.org.uk>  Mon, 14 Dec 2015 20:59:37 +0000
 
diff --git a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch b/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
new file mode 100644
index 000000000..a584e73c5
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
@@ -0,0 +1,29 @@
+Date: Tue, 15 Dec 2015 21:21:56 +0000
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: tipc: Fix kfree_skb() of uninitialised pointer
+Forwarded: http://mid.gmane.org/20151215212156.GQ28542@decadent.org.uk
+
+Commit 7098356baca7 ("tipc: fix error handling of expanding buffer
+headroom") added a "goto tx_error".  This is fine upstream, but
+when backported to 4.3 it results in attempting to free the clone
+before it has been allocated.  In this early error case, no
+cleanup is needed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/tipc/udp_media.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 86f2e7c..73bdf1b 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
+ 	if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
+ 		err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
+ 		if (err)
+-			goto tx_error;
++			return err;
+ 	}
+ 
+ 	clone = skb_clone(skb, GFP_ATOMIC);
diff --git a/debian/patches/series b/debian/patches/series
index 0bb4f4e9b..f46bc86ef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -103,3 +103,4 @@ features/arm/arm-dts-split-audio-configuration-to-separate-exynos.patch
 features/arm/arm-dts-add-support-odroid-xu4-board-for-exynos5422-.patch
 bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
 bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
+bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch