@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.77

+Version:       4.4.79

 Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=19dc4c74fbf09f5fe5f88c32a9524bd94af0ec44

+%define sha1 linux=5b249aa3410b464515178df8f9a1ff0e3ba3f67e

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -34,6 +34,7 @@ Patch19:       serial-8250-do-not-probe-U6-16550A-fifo-size.patch

 Patch20:       vmci-1.1.4.0-use-32bit-atomics-for-queue-headers.patch

 Patch21:       vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch

 Patch22:       net-9p-vsock.patch

+Patch23:       p9fs_dir_readdir-offset-support.patch

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod

@@ -92,6 +93,7 @@ The Linux package contains the Linux kernel doc files

 %patch20 -p1

 %patch21 -p1

 %patch22 -p1

+%patch23 -p1

 %build

 # patch vmw_balloon driver

@@ -180,6 +182,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri Jul 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.79-1

+-   [feature] p9fs_dir_readdir() offset support

+-   Fix CVE-2017-11473

 *   Mon Jul 17 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.77-1

 -   [feature] IP tunneling support (CONFIG_NET_IPIP=m)

 -   Fix CVE-2017-11176

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.77

-Release:    	2%{?dist}

+Version:    	4.4.79

+Release:    	1%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=19dc4c74fbf09f5fe5f88c32a9524bd94af0ec44

+%define sha1 linux=5b249aa3410b464515178df8f9a1ff0e3ba3f67e

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -277,6 +277,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Wed Aug 02 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.79-1

+-   Fix CVE-2017-11473

 *   Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.4.77-2

 -   Allow some algorithms in FIPS mode

 -   Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports

new file mode 100644

@@ -0,0 +1,69 @@

+From 83adb57ec7ca18b9c5d1290e88b1fe139b280f66 Mon Sep 17 00:00:00 2001

+From: Wenguang Wang <wenguangw@vmware.com>

+Date: Fri, 28 Jul 2017 16:19:44 -0700

+Subject: [PATCH] p9fs_dir_readdir offset support

+

+In the linux 9p client fs module, in readdir implementation, we do not check

+for current offset position (which could have been changed by a seek call), and

+keep returning (now incorrect) data from the already read and remaining buffer.

+---

+ fs/9p/vfs_dir.c | 8 ++++++--

+ 1 file changed, 6 insertions(+), 2 deletions(-)

+

+diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c

+index 5cc00e56206e..a876cc9a473a 100644

+--- a/fs/9p/vfs_dir.c

+@@ -45,6 +45,7 @@

+  * struct p9_rdir - readdir accounting

+  * @head: start offset of current dirread buffer

+  * @tail: end offset of current dirread buffer

++ * @pos: expected dir offset to read the dirread buffer @head

+  * @buf: dirread buffer

+  *

+  * private structure for keeping track of readdir

+@@ -54,6 +55,7 @@

+ struct p9_rdir {

+ 	int head;

+ 	int tail;

++	off_t pos;

+ 	uint8_t buf[];

+ };

+ 

+@@ -130,7 +132,7 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)

+ 	kvec.iov_len = buflen;

+ 

+ 	while (1) {

+-		if (rdir->tail == rdir->head) {

++		if (rdir->tail == rdir->head || rdir->pos != ctx->pos) {

+ 			struct iov_iter to;

+ 			int n;

+ 			iov_iter_kvec(&to, READ | ITER_KVEC, &kvec, 1, buflen);

+@@ -162,6 +164,7 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)

+ 				return 0;

+ 

+ 			rdir->head += reclen;

++			rdir->pos += reclen;

+ 			ctx->pos += reclen;

+ 		}

+ 	}

+@@ -191,7 +194,7 @@ static int v9fs_dir_readdir_dotl(struct file *file, struct dir_context *ctx)

+ 		return -ENOMEM;

+ 

+ 	while (1) {

+-		if (rdir->tail == rdir->head) {

++		if (rdir->tail == rdir->head || rdir->pos != ctx->pos) {

+ 			err = p9_client_readdir(fid, rdir->buf, buflen,

+ 						ctx->pos);

+ 			if (err <= 0)

+@@ -218,6 +221,7 @@ static int v9fs_dir_readdir_dotl(struct file *file, struct dir_context *ctx)

+ 				return 0;

+ 

+ 			ctx->pos = curdirent.d_off;

++			rdir->pos = curdirent.d_off;

+ 			rdir->head += err;

+ 		}

+ 	}

+-- 

+2.11.0

+