new file mode 100644

@@ -0,0 +1,257 @@

+commit 71493b839e294065ba63bd6f8d07263f3afee8c6

+Author: Darrick J. Wong <darrick.wong@oracle.com>

+Date:   Mon Jan 8 10:51:04 2018 -0800

+

+    xfs: move inode fork verifiers to xfs_dinode_verify

+

+    Consolidate the fork size and format verifiers to xfs_dinode_verify so

+    that we can reject bad inodes earlier and in a single place.

+

+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

+Reviewed-by: Dave Chinner <dchinner@redhat.com>

+

+[ Srinidhi Rao : Backported this change to 4.9 ]

+Signed-off-by: srinidhira0 <srinidhir@vmware.com>

+---

+ fs/xfs/libxfs/xfs_inode_buf.c  | 73 +++++++++++++++++++++++++++++++++--

+ fs/xfs/libxfs/xfs_inode_fork.c | 87 ------------------------------------------

+ 2 files changed, 70 insertions(+), 90 deletions(-)

+

+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c

+index 37ee7f0..0c1dd97 100644

+--- a/fs/xfs/libxfs/xfs_inode_buf.c

+@@ -390,12 +390,14 @@ xfs_dinode_verify(

+ 	uint16_t		mode;

+ 	uint16_t		flags;

+ 	uint64_t		flags2;

++	uint64_t                di_size;

+ 

+ 	if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))

+ 		return false;

+ 

+ 	/* don't allow invalid i_size */

+-	if (be64_to_cpu(dip->di_size) & (1ULL << 63))

++        di_size = be64_to_cpu(dip->di_size);

++        if (di_size & (1ULL << 63))

+ 		return false;

+ 

+ 	mode = be16_to_cpu(dip->di_mode);

+@@ -403,9 +405,71 @@ xfs_dinode_verify(

+ 		return false;

+ 

+ 	/* No zero-length symlinks/dirs. */

+-	if ((S_ISLNK(mode) || S_ISDIR(mode)) && dip->di_size == 0)

++	if ((S_ISLNK(mode) || S_ISDIR(mode)) && di_size == 0)

+ 		return false;

+ 

++        /* Fork checks carried over from xfs_iformat_fork */

++        if (mode &&

++                be32_to_cpu(dip->di_nextents) + be16_to_cpu(dip->di_anextents) >

++                        be64_to_cpu(dip->di_nblocks))

++                return false;

++

++        if (mode && XFS_DFORK_BOFF(dip) > mp->m_sb.sb_inodesize)

++                return false;

++

++        flags = be16_to_cpu(dip->di_flags);

++

++        if (mode && (flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp)

++                return false;

++

++        /* Do we have appropriate data fork formats for the mode? */

++        switch (mode & S_IFMT) {

++        case S_IFIFO:

++        case S_IFCHR:

++        case S_IFBLK:

++        case S_IFSOCK:

++                if (dip->di_format != XFS_DINODE_FMT_DEV)

++                        return false;

++                break;

++        case S_IFREG:

++        case S_IFLNK:

++        case S_IFDIR:

++                switch (dip->di_format) {

++                case XFS_DINODE_FMT_LOCAL:

++                        /*

++                         * no local regular files yet

++                         */

++                        if (S_ISREG(mode))

++                                return false;

++                        if (di_size > XFS_DFORK_DSIZE(dip, mp))

++                                return false;

++                /* fall through */

++                case XFS_DINODE_FMT_EXTENTS:

++                case XFS_DINODE_FMT_BTREE:

++                        break;

++                default:

++                        return false;

++                }

++                break;

++        case 0:

++                /* Uninitialized inode ok. */

++                break;

++        default:

++                return false;

++        }

++

++        if (XFS_DFORK_Q(dip)) {

++                switch (dip->di_aformat) {

++                case XFS_DINODE_FMT_LOCAL:

++                case XFS_DINODE_FMT_EXTENTS:

++                case XFS_DINODE_FMT_BTREE:

++                        break;

++                default:

++                        return false;

++                }

++        }

++

++

+ 	/* only version 3 or greater inodes are extensively verified here */

+ 	if (dip->di_version < 3)

+ 		return true;

+@@ -420,7 +484,6 @@ xfs_dinode_verify(

+ 	if (!uuid_equal(&dip->di_uuid, &mp->m_sb.sb_meta_uuid))

+ 		return false;

+ 

+-	flags = be16_to_cpu(dip->di_flags);

+ 	flags2 = be64_to_cpu(dip->di_flags2);

+ 

+ 	/* don't allow reflink/cowextsize if we don't have reflink */

+@@ -428,6 +491,10 @@ xfs_dinode_verify(

+             !xfs_sb_version_hasreflink(&mp->m_sb))

+ 		return false;

+ 

++        /* only regular files get reflink */

++        if ((flags2 & XFS_DIFLAG2_REFLINK) && (mode & S_IFMT) != S_IFREG)

++                return false;

++

+ 	/* don't let reflink and realtime mix */

+ 	if ((flags2 & XFS_DIFLAG2_REFLINK) && (flags & XFS_DIFLAG_REALTIME))

+ 		return false;

+diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c

+index 4e30448..8dd7658 100644

+--- a/fs/xfs/libxfs/xfs_inode_fork.c

+@@ -90,70 +90,11 @@ xfs_iformat_fork(

+ 	int			error = 0;

+ 	xfs_fsize_t             di_size;

+ 

+-	if (unlikely(be32_to_cpu(dip->di_nextents) +

+-		     be16_to_cpu(dip->di_anextents) >

+-		     be64_to_cpu(dip->di_nblocks))) {

+-		xfs_warn(ip->i_mount,

+-			"corrupt dinode %Lu, extent total = %d, nblocks = %Lu.",

+-			(unsigned long long)ip->i_ino,

+-			(int)(be32_to_cpu(dip->di_nextents) +

+-			      be16_to_cpu(dip->di_anextents)),

+-			(unsigned long long)

+-				be64_to_cpu(dip->di_nblocks));

+-		XFS_CORRUPTION_ERROR("xfs_iformat(1)", XFS_ERRLEVEL_LOW,

+-				     ip->i_mount, dip);

+-		return -EFSCORRUPTED;

+-	}

+-

+-	if (unlikely(dip->di_forkoff > ip->i_mount->m_sb.sb_inodesize)) {

+-		xfs_warn(ip->i_mount, "corrupt dinode %Lu, forkoff = 0x%x.",

+-			(unsigned long long)ip->i_ino,

+-			dip->di_forkoff);

+-		XFS_CORRUPTION_ERROR("xfs_iformat(2)", XFS_ERRLEVEL_LOW,

+-				     ip->i_mount, dip);

+-		return -EFSCORRUPTED;

+-	}

+-

+-	if (unlikely((ip->i_d.di_flags & XFS_DIFLAG_REALTIME) &&

+-		     !ip->i_mount->m_rtdev_targp)) {

+-		xfs_warn(ip->i_mount,

+-			"corrupt dinode %Lu, has realtime flag set.",

+-			ip->i_ino);

+-		XFS_CORRUPTION_ERROR("xfs_iformat(realtime)",

+-				     XFS_ERRLEVEL_LOW, ip->i_mount, dip);

+-		return -EFSCORRUPTED;

+-	}

+-

+-	if (unlikely(xfs_is_reflink_inode(ip) &&

+-	    (VFS_I(ip)->i_mode & S_IFMT) != S_IFREG)) {

+-		xfs_warn(ip->i_mount,

+-			"corrupt dinode %llu, wrong file type for reflink.",

+-			ip->i_ino);

+-		XFS_CORRUPTION_ERROR("xfs_iformat(reflink)",

+-				     XFS_ERRLEVEL_LOW, ip->i_mount, dip);

+-		return -EFSCORRUPTED;

+-	}

+-

+-	if (unlikely(xfs_is_reflink_inode(ip) &&

+-	    (ip->i_d.di_flags & XFS_DIFLAG_REALTIME))) {

+-		xfs_warn(ip->i_mount,

+-			"corrupt dinode %llu, has reflink+realtime flag set.",

+-			ip->i_ino);

+-		XFS_CORRUPTION_ERROR("xfs_iformat(reflink)",

+-				     XFS_ERRLEVEL_LOW, ip->i_mount, dip);

+-		return -EFSCORRUPTED;

+-	}

+-

+ 	switch (VFS_I(ip)->i_mode & S_IFMT) {

+ 	case S_IFIFO:

+ 	case S_IFCHR:

+ 	case S_IFBLK:

+ 	case S_IFSOCK:

+-		if (unlikely(dip->di_format != XFS_DINODE_FMT_DEV)) {

+-			XFS_CORRUPTION_ERROR("xfs_iformat(3)", XFS_ERRLEVEL_LOW,

+-					      ip->i_mount, dip);

+-			return -EFSCORRUPTED;

+-		}

+ 		ip->i_d.di_size = 0;

+ 		ip->i_df.if_u2.if_rdev = xfs_dinode_get_rdev(dip);

+ 		break;

+@@ -163,32 +104,7 @@ xfs_iformat_fork(

+ 	case S_IFDIR:

+ 		switch (dip->di_format) {

+ 		case XFS_DINODE_FMT_LOCAL:

+-			/*

+-			 * no local regular files yet

+-			 */

+-			if (unlikely(S_ISREG(be16_to_cpu(dip->di_mode)))) {

+-				xfs_warn(ip->i_mount,

+-			"corrupt inode %Lu (local format for regular file).",

+-					(unsigned long long) ip->i_ino);

+-				XFS_CORRUPTION_ERROR("xfs_iformat(4)",

+-						     XFS_ERRLEVEL_LOW,

+-						     ip->i_mount, dip);

+-				return -EFSCORRUPTED;

+-			}

+-

+ 			di_size = be64_to_cpu(dip->di_size);

+-			if (unlikely(di_size < 0 ||

+-				     di_size > XFS_DFORK_DSIZE(dip, ip->i_mount))) {

+-				xfs_warn(ip->i_mount,

+-			"corrupt inode %Lu (bad size %Ld for local inode).",

+-					(unsigned long long) ip->i_ino,

+-					(long long) di_size);

+-				XFS_CORRUPTION_ERROR("xfs_iformat(5)",

+-						     XFS_ERRLEVEL_LOW,

+-						     ip->i_mount, dip);

+-				return -EFSCORRUPTED;

+-			}

+-

+ 			size = (int)di_size;

+ 			error = xfs_iformat_local(ip, dip, XFS_DATA_FORK, size);

+ 			break;

+@@ -199,14 +115,11 @@ xfs_iformat_fork(

+ 			error = xfs_iformat_btree(ip, dip, XFS_DATA_FORK);

+ 			break;

+ 		default:

+-			XFS_ERROR_REPORT("xfs_iformat(6)", XFS_ERRLEVEL_LOW,

+-					 ip->i_mount);

+ 			return -EFSCORRUPTED;

+ 		}

+ 		break;

+ 

+ 	default:

+-		XFS_ERROR_REPORT("xfs_iformat(7)", XFS_ERRLEVEL_LOW, ip->i_mount);

+ 		return -EFSCORRUPTED;

+ 	}

+ 	if (error)

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,64 @@

+commit 50aa90ef03007beca2c9108993f5b4f2bb4f0a66

+Author: Darrick J. Wong <darrick.wong@oracle.com>

+Date:   Mon Jan 8 10:51:04 2018 -0800

+

+    xfs: verify dinode header first

+

+    Move the v3 inode integrity information (crc, owner, metauuid) before we

+    look at anything else in the inode so that we don't waste time on a torn

+    write or a totally garbled block.  This makes xfs_dinode_verify more

+    consistent with the other verifiers.

+

+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

+Reviewed-by: Dave Chinner <dchinner@redhat.com>

+

+[ Srinidhi Rao : Backported this fix to 4.9]

+Signed-off-by: srinidhira0 <srinidhir@vmware.com>

+---

+ fs/xfs/libxfs/xfs_inode_buf.c | 23 +++++++++++++----------

+ 1 file changed, 13 insertions(+), 10 deletions(-)

+

+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c

+index 0c1dd97..5872cd9 100644

+--- a/fs/xfs/libxfs/xfs_inode_buf.c

+@@ -395,6 +395,19 @@ xfs_dinode_verify(

+ 	if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))

+ 		return false;

+ 

++	/* Verify v3 integrity information first */

++	if (dip->di_version >= 3) {

++		if (!xfs_sb_version_hascrc(&mp->m_sb))

++			return false;

++		if (!xfs_verify_cksum((char *)dip, mp->m_sb.sb_inodesize,

++					XFS_DINODE_CRC_OFF))

++			return false;

++		if (be64_to_cpu(dip->di_ino) != ip->i_ino)

++			return false;

++		if (!uuid_equal(&dip->di_uuid, &mp->m_sb.sb_meta_uuid))

++			return false;

++	}

++

+ 	/* don't allow invalid i_size */

+         di_size = be64_to_cpu(dip->di_size);

+         if (di_size & (1ULL << 63))

+@@ -474,16 +487,6 @@ xfs_dinode_verify(

+ 	if (dip->di_version < 3)

+ 		return true;

+ 

+-	if (!xfs_sb_version_hascrc(&mp->m_sb))

+-		return false;

+-	if (!xfs_verify_cksum((char *)dip, mp->m_sb.sb_inodesize,

+-			      XFS_DINODE_CRC_OFF))

+-		return false;

+-	if (be64_to_cpu(dip->di_ino) != ip->i_ino)

+-		return false;

+-	if (!uuid_equal(&dip->di_uuid, &mp->m_sb.sb_meta_uuid))

+-		return false;

+-

+ 	flags2 = be64_to_cpu(dip->di_flags2);

+ 

+ 	/* don't allow reflink/cowextsize if we don't have reflink */

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,78 @@

+commit b42db0860e13067fcc7cbfba3966c9e652668bbc

+Author: Eric Sandeen <sandeen@sandeen.net>

+Date:   Mon Apr 16 23:06:53 2018 -0700

+

+    xfs: enhance dinode verifier

+

+    Add several more validations to xfs_dinode_verify:

+

+    - For LOCAL data fork formats, di_nextents must be 0.

+    - For LOCAL attr fork formats, di_anextents must be 0.

+    - For inodes with no attr fork offset,

+      - format must be XFS_DINODE_FMT_EXTENTS if set at all

+      - di_anextents must be 0.

+

+    Thanks to dchinner for pointing out a couple related checks I had

+    forgotten to add.

+

+    Signed-off-by: Eric Sandeen <sandeen@redhat.com>

+    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199377

+    Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

+    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

+

+[ Srinidhi Rao : Backported this fix to 4.9 ]

+Signed-off-by: srinidhira0 <srinidhir@vmware.com>

+---

+ fs/xfs/libxfs/xfs_inode_buf.c | 23 ++++++++++++++++++++++-

+ 1 file changed, 22 insertions(+), 1 deletion(-)

+

+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c

+index 5872cd9..429ee58 100644

+--- a/fs/xfs/libxfs/xfs_inode_buf.c

+@@ -456,6 +456,8 @@ xfs_dinode_verify(

+                                 return false;

+                         if (di_size > XFS_DFORK_DSIZE(dip, mp))

+                                 return false;

++			if (dip->di_nextents)

++				return false;

+                 /* fall through */

+                 case XFS_DINODE_FMT_EXTENTS:

+                 case XFS_DINODE_FMT_BTREE:

+@@ -474,13 +476,32 @@ xfs_dinode_verify(

+         if (XFS_DFORK_Q(dip)) {

+                 switch (dip->di_aformat) {

+                 case XFS_DINODE_FMT_LOCAL:

++			if (dip->di_anextents)

++				return false;

++		/* fall through */

+                 case XFS_DINODE_FMT_EXTENTS:

+                 case XFS_DINODE_FMT_BTREE:

+                         break;

+                 default:

+                         return false;

+                 }

+-        }

++        } else {

++		/*

++		 * If there is no fork offset, this may be a freshly-made inode

++		 * in a new disk cluster, in which case di_aformat is zeroed.

++		 * Otherwise, such an inode must be in EXTENTS format; this goes

++		 * for freed inodes as well.

++		 */

++		switch (dip->di_aformat) {

++		case 0:

++		case XFS_DINODE_FMT_EXTENTS:

++			break;

++		default:

++			return false;

++		}

++		if (dip->di_anextents)

++			return false;

++	}

+ 

+ 

+ 	/* only version 3 or greater inodes are extensively verified here */

+-- 

+2.7.4

+

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-aws

 Version:        4.9.111

-Release:        3%{?kat_build:.%kat_build}%{?dist}

+Release:        4%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -65,6 +65,10 @@ Patch43:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

 Patch44:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

 # Fix for CVE-2018-10323

 Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

+# Fix for CVE-2018-10322

+Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

+Patch47:        0002-xfs-verify-dinode-header-first.patch

+Patch48:        0003-xfs-enhance-dinode-verifier.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -240,6 +244,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch43 -p1

 %patch44 -p1

 %patch45 -p1

+%patch46 -p1

+%patch47 -p1

+%patch48 -p1

 %patch52 -p1

 %patch53 -p1

@@ -460,6 +467,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Jul 17 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-4

+-   Fix CVE-2018-10322

 *   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3

 -   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        4.9.111

-Release:        2%{?dist}

+Release:        3%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -62,6 +62,10 @@ Patch43:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

 Patch44:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

 # Fix for CVE-2018-10323

 Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

+# Fix for CVE-2018-10322

+Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

+Patch47:        0002-xfs-verify-dinode-header-first.patch

+Patch48:        0003-xfs-enhance-dinode-verifier.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -156,6 +160,9 @@ The Linux package contains the Linux kernel doc files

 %patch43 -p1

 %patch44 -p1

 %patch45 -p1

+%patch46 -p1

+%patch47 -p1

+%patch48 -p1

 %patch52 -p1

 %patch53 -p1

@@ -268,6 +275,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Jul 17 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3

+-   Fix CVE-2018-10322

 *   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-2

 -   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.111

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Release:        3%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -71,6 +71,10 @@ Patch45:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

 Patch46:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

 # Fix for CVE-2018-10323

 Patch47:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

+# Fix for CVE-2018-10322

+Patch48:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

+Patch49:        0002-xfs-verify-dinode-header-first.patch

+Patch50:        0003-xfs-enhance-dinode-verifier.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -208,6 +212,9 @@ EOF

 %patch45 -p1

 %patch46 -p1

 %patch47 -p1

+%patch48 -p1

+%patch49 -p1

+%patch50 -p1

 # spectre

 %patch52 -p1

@@ -355,6 +362,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Jul 17 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3

+-   Fix CVE-2018-10322

 *   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-2

 -   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.9.111

-Release:        3%{?kat_build:.%kat_build}%{?dist}

+Release:        4%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -69,6 +69,11 @@ Patch43:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

 Patch44:        0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch

 # Fix for CVE-2018-10323

 Patch45:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

+# Fix for CVE-2018-10322

+Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

+Patch47:        0002-xfs-verify-dinode-header-first.patch

+Patch48:        0003-xfs-enhance-dinode-verifier.patch

+

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -199,6 +204,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch43 -p1

 %patch44 -p1

 %patch45 -p1

+%patch46 -p1

+%patch47 -p1

+%patch48 -p1

 %patch52 -p1

 %patch53 -p1

@@ -382,6 +390,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Jul 17 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-4

+-   Fix CVE-2018-10322

 *   Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3

 -   Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323

 *   Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2