new file mode 100644

@@ -0,0 +1,148 @@

+From 34ec80907c239ae294ed85da2958ecf287986009 Mon Sep 17 00:00:00 2001

+From: "Chao Yu Date: Wed, 22 Mar 2017 14:45:05 +0800" <yuchao0@huawei.com>

+Date: Mon, 16 Jul 2018 20:11:52 +0530

+Subject: [PATCH 1/2] f2fs: fix race condition in between free nid

+ allocator/initializer

+

+In below concurrent case, allocated nid can be loaded into free nid cache

+and be allocated again.

+

+Thread A                                Thread B

+- f2fs_create

+ - f2fs_new_inode

+  - alloc_nid

+   - __insert_nid_to_list(ALLOC_NID_LIST)

+                                        - f2fs_balance_fs_bg

+                                         - build_free_nids

+                                          - __build_free_nids

+                                           - scan_nat_page

+                                            - add_free_nid

+                                             - __lookup_nat_cache

+ - f2fs_add_link

+  - init_inode_metadata

+   - new_inode_page

+    - new_node_page

+     - set_node_addr

+ - alloc_nid_done

+  - __remove_nid_from_list(ALLOC_NID_LIST)

+                                             - __insert_nid_to_list(FREE_NID_LIST)

+

+This patch makes nat cache lookup and free nid list operation being atomical

+to avoid this race condition.

+

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Chao Yu <yuchao0@huawei.com>

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+

+[ Srinidhi Rao : Backported this fix to 4.9 ]

+Signed-off-by: srinidhira0 <srinidhir@vmware.com>

+---

+ fs/f2fs/node.c | 75 ++++++++++++++++++++++++++++++++++++++++++----------------

+ 1 file changed, 54 insertions(+), 21 deletions(-)

+

+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c

+index 01177ec..653461e 100644

+--- a/fs/f2fs/node.c

+@@ -1702,8 +1702,10 @@ static void __del_from_free_nid_list(struct f2fs_nm_info *nm_i,

+ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)

+ {

+ 	struct f2fs_nm_info *nm_i = NM_I(sbi);

+-	struct free_nid *i;

++	struct free_nid *i, *e;

+ 	struct nat_entry *ne;

++	int err = -EINVAL;

++	int ret = 0;

+ 

+ 	if (!available_free_memory(sbi, FREE_NIDS))

+ 		return -1;

+@@ -1712,35 +1714,66 @@ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)

+ 	if (unlikely(nid == 0))

+ 		return 0;

+ 

+-	if (build) {

+-		/* do not add allocated nids */

+-		ne = __lookup_nat_cache(nm_i, nid);

+-		if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||

+-				nat_get_blkaddr(ne) != NULL_ADDR))

+-			return 0;

+-	}

+-

+ 	i = f2fs_kmem_cache_alloc(free_nid_slab, GFP_NOFS);

+ 	i->nid = nid;

+ 	i->state = NID_NEW;

+ 

+-	if (radix_tree_preload(GFP_NOFS)) {

+-		kmem_cache_free(free_nid_slab, i);

+-		return 0;

+-	}

++	if (radix_tree_preload(GFP_NOFS))

++		goto err;

+ 

+ 	spin_lock(&nm_i->free_nid_list_lock);

+-	if (radix_tree_insert(&nm_i->free_nid_root, i->nid, i)) {

+-		spin_unlock(&nm_i->free_nid_list_lock);

+-		radix_tree_preload_end();

+-		kmem_cache_free(free_nid_slab, i);

+-		return 0;

++

++	if (build) {

++

++		/*

++		 *   Thread A             Thread B

++		 *  - f2fs_create

++		 *   - f2fs_new_inode

++		 *    - alloc_nid

++		 *     - __insert_nid_to_list(ALLOC_NID_LIST)

++		 *                     - f2fs_balance_fs_bg

++		 *                      - build_free_nids

++		 *                       - __build_free_nids

++		 *                        - scan_nat_page

++		 *                         - add_free_nid

++		 *                          - __lookup_nat_cache

++		 *  - f2fs_add_link

++		 *   - init_inode_metadata

++		 *    - new_inode_page

++		 *     - new_node_page

++		 *      - set_node_addr

++		 *  - alloc_nid_done

++		 *   - __remove_nid_from_list(ALLOC_NID_LIST)

++		 *                         - __insert_nid_to_list(FREE_NID_LIST)

++		 */

++		ne = __lookup_nat_cache(nm_i, nid);

++		if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||

++					nat_get_blkaddr(ne) != NULL_ADDR))

++			goto err_out;

++

++		e = __lookup_free_nid_list(nm_i, nid);

++		if (e) {

++			if (e->state == NID_NEW)

++				ret = 1;

++			goto err_out;

++		}

+ 	}

+-	list_add_tail(&i->list, &nm_i->free_nid_list);

+-	nm_i->fcnt++;

++	ret = 1;

++

++	err = radix_tree_insert(&nm_i->free_nid_root, i->nid, i);

++	if (!err) {

++		list_add_tail(&i->list, &nm_i->free_nid_list);

++		nm_i->fcnt++;

++

++	}

++err_out:

+ 	spin_unlock(&nm_i->free_nid_list_lock);

+ 	radix_tree_preload_end();

+-	return 1;

++err:

++	if (err)

++		kmem_cache_free(free_nid_slab, i);

++

++	return ret;

+ }

+ 

+ static void remove_free_nid(struct f2fs_nm_info *nm_i, nid_t nid)

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,300 @@

+From 0558f33c06bb910e2879e355192227a8e8f0219d Mon Sep 17 00:00:00 2001

+From: Jason Yan <yanaijie@huawei.com>

+Date: Fri, 8 Dec 2017 17:42:09 +0800

+Subject: [PATCH] scsi: libsas: direct call probe and destruct

+

+In commit 87c8331fcf72 ("[SCSI] libsas: prevent domain rediscovery

+competing with ata error handling") introduced disco mutex to prevent

+rediscovery competing with ata error handling and put the whole

+revalidation in the mutex. But the rphy add/remove needs to wait for the

+error handling which also grabs the disco mutex. This may leads to dead

+lock.So the probe and destruct event were introduce to do the rphy

+add/remove asynchronously and out of the lock.

+

+The asynchronously processed workers makes the whole discovery process

+not atomic, the other events may interrupt the process. For example,

+if a loss of signal event inserted before the probe event, the

+sas_deform_port() is called and the port will be deleted.

+

+And sas_port_delete() may run before the destruct event, but the

+port-x:x is the top parent of end device or expander. This leads to

+a kernel WARNING such as:

+

+[   82.042979] sysfs group 'power' not found for kobject 'phy-1:0:22'

+[   82.042983] ------------[ cut here ]------------

+[   82.042986] WARNING: CPU: 54 PID: 1714 at fs/sysfs/group.c:237

+sysfs_remove_group+0x94/0xa0

+[   82.043059] Call trace:

+[   82.043082] [<ffff0000082e7624>] sysfs_remove_group+0x94/0xa0

+[   82.043085] [<ffff00000864e320>] dpm_sysfs_remove+0x60/0x70

+[   82.043086] [<ffff00000863ee10>] device_del+0x138/0x308

+[   82.043089] [<ffff00000869a2d0>] sas_phy_delete+0x38/0x60

+[   82.043091] [<ffff00000869a86c>] do_sas_phy_delete+0x6c/0x80

+[   82.043093] [<ffff00000863dc20>] device_for_each_child+0x58/0xa0

+[   82.043095] [<ffff000008696f80>] sas_remove_children+0x40/0x50

+[   82.043100] [<ffff00000869d1bc>] sas_destruct_devices+0x64/0xa0

+[   82.043102] [<ffff0000080e93bc>] process_one_work+0x1fc/0x4b0

+[   82.043104] [<ffff0000080e96c0>] worker_thread+0x50/0x490

+[   82.043105] [<ffff0000080f0364>] kthread+0xfc/0x128

+[   82.043107] [<ffff0000080836c0>] ret_from_fork+0x10/0x50

+

+Make probe and destruct a direct call in the disco and revalidate function,

+but put them outside the lock. The whole discovery or revalidate won't

+be interrupted by other events. And the DISCE_PROBE and DISCE_DESTRUCT

+event are deleted as a result of the direct call.

+

+Introduce a new list to destruct the sas_port and put the port delete after

+the destruct. This makes sure the right order of destroying the sysfs

+kobject and fix the warning above.

+

+In sas_ex_revalidate_domain() have a loop to find all broadcasted

+device, and sometimes we have a chance to find the same expander twice.

+Because the sas_port will be deleted at the end of the whole revalidate

+process, sas_port with the same name cannot be added before this.

+Otherwise the sysfs will complain of creating duplicate filename. Since

+the LLDD will send broadcast for every device change, we can only

+process one expander's revalidation.

+

+[mkp: kbuild test robot warning]

+

+Signed-off-by: Jason Yan <yanaijie@huawei.com>

+CC: John Garry <john.garry@huawei.com>

+CC: Johannes Thumshirn <jthumshirn@suse.de>

+CC: Ewan Milne <emilne@redhat.com>

+CC: Christoph Hellwig <hch@lst.de>

+CC: Tomas Henzl <thenzl@redhat.com>

+CC: Dan Williams <dan.j.williams@intel.com>

+Reviewed-by: Hannes Reinecke <hare@suse.com>

+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ drivers/scsi/libsas/sas_ata.c      |  1 -

+ drivers/scsi/libsas/sas_discover.c | 32 ++++++++++++++++++--------------

+ drivers/scsi/libsas/sas_expander.c |  8 +++-----

+ drivers/scsi/libsas/sas_internal.h |  1 +

+ drivers/scsi/libsas/sas_port.c     |  3 +++

+ include/scsi/libsas.h              |  3 +--

+ include/scsi/scsi_transport_sas.h  |  1 +

+ 7 files changed, 27 insertions(+), 22 deletions(-)

+

+diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c

+index 6f5e272..e018e76 100644

+--- a/drivers/scsi/libsas/sas_ata.c

+@@ -732,7 +732,6 @@ int sas_discover_sata(struct domain_device *dev)

+ 	if (res)

+ 		return res;

+ 

+-	sas_discover_event(dev->port, DISCE_PROBE);

+ 	return 0;

+ }

+ 

+diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c

+index 60de662..487d734 100644

+--- a/drivers/scsi/libsas/sas_discover.c

+@@ -212,13 +212,9 @@ void sas_notify_lldd_dev_gone(struct domain_device *dev)

+ 	}

+ }

+ 

+-static void sas_probe_devices(struct work_struct *work)

++static void sas_probe_devices(struct asd_sas_port *port)

+ {

+ 	struct domain_device *dev, *n;

+-	struct sas_discovery_event *ev = to_sas_discovery_event(work);

+-	struct asd_sas_port *port = ev->port;

+-

+-	clear_bit(DISCE_PROBE, &port->disc.pending);

+ 

+ 	/* devices must be domain members before link recovery and probe */

+ 	list_for_each_entry(dev, &port->disco_list, disco_list_node) {

+@@ -294,7 +290,6 @@ int sas_discover_end_dev(struct domain_device *dev)

+ 	res = sas_notify_lldd_dev_found(dev);

+ 	if (res)

+ 		return res;

+-	sas_discover_event(dev->port, DISCE_PROBE);

+ 

+ 	return 0;

+ }

+@@ -353,13 +348,9 @@ static void sas_unregister_common_dev(struct asd_sas_port *port, struct domain_d

+ 	sas_put_device(dev);

+ }

+ 

+-static void sas_destruct_devices(struct work_struct *work)

++void sas_destruct_devices(struct asd_sas_port *port)

+ {

+ 	struct domain_device *dev, *n;

+-	struct sas_discovery_event *ev = to_sas_discovery_event(work);

+-	struct asd_sas_port *port = ev->port;

+-

+-	clear_bit(DISCE_DESTRUCT, &port->disc.pending);

+ 

+ 	list_for_each_entry_safe(dev, n, &port->destroy_list, disco_list_node) {

+ 		list_del_init(&dev->disco_list_node);

+@@ -370,6 +361,16 @@ static void sas_destruct_devices(struct work_struct *work)

+ 	}

+ }

+ 

++static void sas_destruct_ports(struct asd_sas_port *port)

++{

++	struct sas_port *sas_port, *p;

++

++	list_for_each_entry_safe(sas_port, p, &port->sas_port_del_list, del_list) {

++		list_del_init(&sas_port->del_list);

++		sas_port_delete(sas_port);

++	}

++}

++

+ void sas_unregister_dev(struct asd_sas_port *port, struct domain_device *dev)

+ {

+ 	if (!test_bit(SAS_DEV_DESTROY, &dev->state) &&

+@@ -384,7 +385,6 @@ void sas_unregister_dev(struct asd_sas_port *port, struct domain_device *dev)

+ 	if (!test_and_set_bit(SAS_DEV_DESTROY, &dev->state)) {

+ 		sas_rphy_unlink(dev->rphy);

+ 		list_move_tail(&dev->disco_list_node, &port->destroy_list);

+-		sas_discover_event(dev->port, DISCE_DESTRUCT);

+ 	}

+ }

+ 

+@@ -490,6 +490,8 @@ static void sas_discover_domain(struct work_struct *work)

+ 		port->port_dev = NULL;

+ 	}

+ 

++	sas_probe_devices(port);

++

+ 	SAS_DPRINTK("DONE DISCOVERY on port %d, pid:%d, result:%d\n", port->id,

+ 		    task_pid_nr(current), error);

+ }

+@@ -523,6 +525,10 @@ static void sas_revalidate_domain(struct work_struct *work)

+ 		    port->id, task_pid_nr(current), res);

+  out:

+ 	mutex_unlock(&ha->disco_mutex);

++

++	sas_destruct_devices(port);

++	sas_destruct_ports(port);

++	sas_probe_devices(port);

+ }

+ 

+ /* ---------- Events ---------- */

+@@ -578,10 +584,8 @@ void sas_init_disc(struct sas_discovery *disc, struct asd_sas_port *port)

+ 	static const work_func_t sas_event_fns[DISC_NUM_EVENTS] = {

+ 		[DISCE_DISCOVER_DOMAIN] = sas_discover_domain,

+ 		[DISCE_REVALIDATE_DOMAIN] = sas_revalidate_domain,

+-		[DISCE_PROBE] = sas_probe_devices,

+ 		[DISCE_SUSPEND] = sas_suspend_devices,

+ 		[DISCE_RESUME] = sas_resume_devices,

+-		[DISCE_DESTRUCT] = sas_destruct_devices,

+ 	};

+ 

+ 	disc->pending = 0;

+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c

+index 12886f9..8d7a769 100644

+--- a/drivers/scsi/libsas/sas_expander.c

+@@ -1905,7 +1905,8 @@ static void sas_unregister_devs_sas_addr(struct domain_device *parent,

+ 		sas_port_delete_phy(phy->port, phy->phy);

+ 		sas_device_set_phy(found, phy->port);

+ 		if (phy->port->num_phys == 0)

+-			sas_port_delete(phy->port);

++			list_add_tail(&phy->port->del_list,

++				&parent->port->sas_port_del_list);

+ 		phy->port = NULL;

+ 	}

+ }

+@@ -2113,7 +2114,7 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev)

+ 	struct domain_device *dev = NULL;

+ 

+ 	res = sas_find_bcast_dev(port_dev, &dev);

+-	while (res == 0 && dev) {

++	if (res == 0 && dev) {

+ 		struct expander_device *ex = &dev->ex_dev;

+ 		int i = 0, phy_id;

+ 

+@@ -2125,9 +2126,6 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev)

+ 			res = sas_rediscover(dev, phy_id);

+ 			i = phy_id + 1;

+ 		} while (i < ex->num_phys);

+-

+-		dev = NULL;

+-		res = sas_find_bcast_dev(port_dev, &dev);

+ 	}

+ 	return res;

+ }

+diff --git a/drivers/scsi/libsas/sas_internal.h b/drivers/scsi/libsas/sas_internal.h

+index 9cf0bc2..2cbbd11 100644

+--- a/drivers/scsi/libsas/sas_internal.h

+@@ -98,6 +98,7 @@ int sas_try_ata_reset(struct asd_sas_phy *phy);

+ void sas_hae_reset(struct work_struct *work);

+ 

+ void sas_free_device(struct kref *kref);

++void sas_destruct_devices(struct asd_sas_port *port);

+ 

+ #ifdef CONFIG_SCSI_SAS_HOST_SMP

+ extern int sas_smp_host_handler(struct Scsi_Host *shost, struct request *req,

+diff --git a/drivers/scsi/libsas/sas_port.c b/drivers/scsi/libsas/sas_port.c

+index d3c5297..5d3244c 100644

+--- a/drivers/scsi/libsas/sas_port.c

+@@ -66,6 +66,7 @@ static void sas_resume_port(struct asd_sas_phy *phy)

+ 		rc = sas_notify_lldd_dev_found(dev);

+ 		if (rc) {

+ 			sas_unregister_dev(port, dev);

++			sas_destruct_devices(port);

+ 			continue;

+ 		}

+ 

+@@ -219,6 +220,7 @@ void sas_deform_port(struct asd_sas_phy *phy, int gone)

+ 

+ 	if (port->num_phys == 1) {

+ 		sas_unregister_domain_devices(port, gone);

++		sas_destruct_devices(port);

+ 		sas_port_delete(port->port);

+ 		port->port = NULL;

+ 	} else {

+@@ -323,6 +325,7 @@ static void sas_init_port(struct asd_sas_port *port,

+ 	INIT_LIST_HEAD(&port->dev_list);

+ 	INIT_LIST_HEAD(&port->disco_list);

+ 	INIT_LIST_HEAD(&port->destroy_list);

++	INIT_LIST_HEAD(&port->sas_port_del_list);

+ 	spin_lock_init(&port->phy_list_lock);

+ 	INIT_LIST_HEAD(&port->phy_list);

+ 	port->ha = sas_ha;

+diff --git a/include/scsi/libsas.h b/include/scsi/libsas.h

+index 706a701..8a27e35 100644

+--- a/include/scsi/libsas.h

+@@ -87,10 +87,8 @@ enum discover_event {

+ 	DISCE_DISCOVER_DOMAIN   = 0U,

+ 	DISCE_REVALIDATE_DOMAIN = 1,

+ 	DISCE_PORT_GONE         = 2,

+-	DISCE_PROBE		= 3,

+ 	DISCE_SUSPEND		= 4,

+ 	DISCE_RESUME		= 5,

+-	DISCE_DESTRUCT		= 6,

+ 	DISC_NUM_EVENTS		= 7,

+ };

+ 

+@@ -269,6 +267,7 @@ struct asd_sas_port {

+ 	struct list_head dev_list;

+ 	struct list_head disco_list;

+ 	struct list_head destroy_list;

++	struct list_head sas_port_del_list;

+ 	enum   sas_linkrate linkrate;

+ 

+ 	struct sas_work work;

+diff --git a/include/scsi/scsi_transport_sas.h b/include/scsi/scsi_transport_sas.h

+index 0bd71e2..e6c7ff5 100644

+--- a/include/scsi/scsi_transport_sas.h

+@@ -145,6 +145,7 @@ struct sas_port {

+ 

+ 	struct mutex		phy_list_mutex;

+ 	struct list_head	phy_list;

++	struct list_head	del_list; /* libsas only */

+ };

+ 

+ #define dev_to_sas_port(d) \

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,50 @@

+From ed5525ebec6548b92f7c6f026f5a23001e25f74e Mon Sep 17 00:00:00 2001

+From: "Eric Sandeen Date: Mon, 16 Apr 2018 23:07:27 -0700"

+ <sandeen@redhat.com>

+Date: Mon, 16 Jul 2018 20:13:54 +0530

+Subject: [PATCH] xfs: set format back to extents if xfs_bmap_extents_to_btree

+

+If xfs_bmap_extents_to_btree fails in a mode where we call

+xfs_iroot_realloc(-1) to de-allocate the root, set the

+format back to extents.

+

+Otherwise we can assume we can dereference ifp->if_broot

+based on the XFS_DINODE_FMT_BTREE format, and crash.

+

+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423

+Signed-off-by: Eric Sandeen <sandeen@redhat.com>

+Reviewed-by: Christoph Hellwig <hch@lst.de>

+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

+[ Srinidhi Rao : Backported this fix to 4.9 ]

+Signed-off-by: srinidhira0 <srinidhir@vmware.com>

+

+---

+ fs/xfs/libxfs/xfs_bmap.c | 4 ++++

+ 1 file changed, 4 insertions(+)

+

+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c

+index 8ad65d4..356385f 100644

+--- a/fs/xfs/libxfs/xfs_bmap.c

+@@ -781,6 +781,8 @@ xfs_bmap_extents_to_btree(

+ 	*logflagsp = 0;

+ 	if ((error = xfs_alloc_vextent(&args))) {

+ 		xfs_iroot_realloc(ip, -1, whichfork);

++		ASSERT(ifp->if_broot == NULL);

++		XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);

+ 		xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);

+ 		return error;

+ 	}

+@@ -801,6 +803,8 @@ xfs_bmap_extents_to_btree(

+ 	}

+ 	if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {

+ 		xfs_iroot_realloc(ip, -1, whichfork);

++		ASSERT(ifp->if_broot == NULL);

++		XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);

+ 		xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);

+ 		return -ENOSPC;

+ 	}

+-- 

+2.7.4

+

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-aws

 Version:        4.9.111

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Release:        3%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -59,6 +59,12 @@ Patch40:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

 # Fix for CVE-2017-18224

 Patch41:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 Patch42:        0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

+# Fix for CVE-2017-18232

+Patch43:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

+# Fix for CVE-2017-18249

+Patch44:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

+# Fix for CVE-2018-10323

+Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -231,6 +237,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch40 -p1

 %patch41 -p1

 %patch42 -p1

+%patch43 -p1

+%patch44 -p1

+%patch45 -p1

 %patch52 -p1

 %patch53 -p1

@@ -451,6 +460,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3

+-   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2

 -   Enable and use AppArmor security module by default.

 *   Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        4.9.111

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -56,6 +56,12 @@ Patch40:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

 # Fix for CVE-2017-18224

 Patch41:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 Patch42:        0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

+# Fix for CVE-2017-18232

+Patch43:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

+# Fix for CVE-2017-18249

+Patch44:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

+# Fix for CVE-2018-10323

+Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -147,6 +153,9 @@ The Linux package contains the Linux kernel doc files

 %patch40 -p1

 %patch41 -p1

 %patch42 -p1

+%patch43 -p1

+%patch44 -p1

+%patch45 -p1

 %patch52 -p1

 %patch53 -p1

@@ -259,6 +268,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-2

+-   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1

 -   Update to version 4.9.111.

 -   .config: use =y for vmxnet3 instead of =m, use lz4 for bzImage.

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.111

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -65,6 +65,12 @@ Patch42:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

 # Fix for CVE-2017-18224

 Patch43:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 Patch44:        0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

+# Fix for CVE-2017-18232

+Patch45:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

+# Fix for CVE-2017-18249

+Patch46:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

+# Fix for CVE-2018-10323

+Patch47:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -199,6 +205,9 @@ EOF

 %patch42 -p1

 %patch43 -p1

 %patch44 -p1

+%patch45 -p1

+%patch46 -p1

+%patch47 -p1

 # spectre

 %patch52 -p1

@@ -346,6 +355,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-2

+-   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1

 -   Update to version 4.9.111

 *   Wed Jun 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.109-2

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.9.111

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Release:        3%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -63,6 +63,12 @@ Patch40:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

 # Fix for CVE-2017-18224

 Patch41:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 Patch42:        0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

+# Fix for CVE-2017-18232

+Patch43:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

+# Fix for CVE-2017-18249

+Patch44:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

+# Fix for CVE-2018-10323

+Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -190,6 +196,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch40 -p1

 %patch41 -p1

 %patch42 -p1

+%patch43 -p1

+%patch44 -p1

+%patch45 -p1

 %patch52 -p1

 %patch53 -p1

@@ -373,6 +382,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3

+-   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2

 -   Enable and use AppArmor security module by default.

 *   Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1