new file mode 100644

@@ -0,0 +1,53 @@

+From	Quentin Casasnovas <>

+Subject	[PATCH] RDS: fix race condition when sending a message on unbound socket.

+Date	Fri, 16 Oct 2015 17:11:42 +0200

+	

+

+Sasha's found a NULL pointer dereference in the RDS connection code when

+sending a message to an apparently unbound socket.  The problem is caused

+by the code checking if the socket is bound in rds_sendmsg(), which checks

+the rs_bound_addr field without taking a lock on the socket.  This opens a

+race where rs_bound_addr is temporarily set but where the transport is not

+in rds_bind(), leading to a NULL pointer dereference when trying to

+dereference 'trans' in __rds_conn_create().

+

+Vegard wrote a reproducer for this issue, so kindly ask him to share if

+you're interested.

+

+I cannot reproduce the NULL pointer dereference using Vegard's reproducer

+with this patch, whereas I could without.

+

+Complete earlier incomplete fix to CVE-2015-6937:

+

+  74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")

+

+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>

+Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>

+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>

+Cc: Vegard Nossum <vegard.nossum@oracle.com>

+Cc: Sasha Levin <sasha.levin@oracle.com>

+Cc: Chien Yen <chien.yen@oracle.com>

+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>

+Cc: David S. Miller <davem@davemloft.net>

+Cc: stable@vger.kernel.org

+---

+diff -ru a/net/rds/send.c b/net/rds/send.c

+--- a/net/rds/send.c	2015-08-30 11:34:09.000000000 -0700

+@@ -986,11 +986,13 @@

+ 		release_sock(sk);

+ 	}

+ 

+-	/* racing with another thread binding seems ok here */

++        lock_sock(sk);

+ 	if (daddr == 0 || rs->rs_bound_addr == 0) {

++                release_sock(sk);

+ 		ret = -ENOTCONN; /* XXX not a great errno */

+ 		goto out;

+ 	}

++        release_sock(sk);

+ 

+ 	/* size of rm including all sgs */

+ 	ret = rds_rm_size(msg, payload_len);

+-- 

+2.4.9

@@ -2,7 +2,7 @@

 Summary:       Kernel

 Name:          linux-esx

 Version:       4.2.0

-Release:       13%{?dist}

+Release:       14%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

@@ -11,12 +11,14 @@ Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-4.2.tar.xz

 %define sha1 linux=5e65d0dc94298527726fcd7458b6126e60fb2a8a

 Source1:       config-esx-%{version}

-patch1:        KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

-patch2:        01-clear-linux.patch

-patch3:        02-pci-probe.patch

-patch4:        03-poweroff.patch

-patch5:        04-quiet-boot.patch

-patch6:        05-pv-ops.patch

+Patch0:        RDS-race-condition-on-unbound-socket-null-deref.patch

+Patch1:        KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

+Patch2:        01-clear-linux.patch

+Patch3:        02-pci-probe.patch

+Patch4:        03-poweroff.patch

+Patch5:        04-quiet-boot.patch

+Patch6:        05-pv-ops.patch

+Patch7:        ovl-fix-permission-checking-for-setattr.patch

 BuildRequires: bc 

 BuildRequires: kbd

 BuildRequires: kmod

@@ -51,12 +53,14 @@ The Linux package contains the Linux kernel doc files

 %prep

 %setup -q -n linux-4.2

+%patch0 -p1

 %patch1 -p1

 %patch2 -p1

 %patch3 -p1

 %patch4 -p1

 %patch5 -p1

 %patch6 -p1

+%patch7 -p1

 %build

 make mrproper

@@ -122,6 +126,8 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg

 /usr/src/%{name}-headers-%{version}-%{release}

 %changelog

+*   Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com>  4.2.0-14

+-   Fixes for CVE-2015-7990/6937 and CVE-2015-8660.

 *   Fri Jan 22 2016 Alexey Makhalov <amakhalov@vmware.com> 4.2.0-13

 -   Fix for CVE-2016-0728

 *   Wed Jan 13 2016 Alexey Makhalov <amakhalov@vmware.com> 4.2.0-12

@@ -1,29 +1,31 @@

 %global security_hardening none

 Summary:        Kernel

-Name:        linux

-Version:    4.2.0

-Release:    11%{?dist}

-License:    GPLv2

-URL:        http://www.kernel.org/

-Group:        System Environment/Kernel

-Vendor:        VMware, Inc.

-Distribution: Photon

-Source0:    http://www.kernel.org/pub/linux/kernel/v4.x/linux-4.2.tar.xz

+Name:           linux

+Version:    	4.2.0

+Release:    	12%{?dist}

+License:    	GPLv2

+URL:        	http://www.kernel.org/

+Group:        	System Environment/Kernel

+Vendor:         VMware, Inc.

+Distribution: 	Photon

+Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-4.2.tar.xz

 %define sha1 linux=5e65d0dc94298527726fcd7458b6126e60fb2a8a

 Source1:	config-%{version}

-patch1:        KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

-BuildRequires:    bc

-BuildRequires:    kbd

-BuildRequires:    kmod

-BuildRequires:     glib-devel

-BuildRequires:     xerces-c-devel

-BuildRequires:     xml-security-c-devel

-BuildRequires:     libdnet

-BuildRequires:     libmspack

-BuildRequires:    Linux-PAM

-BuildRequires:    openssl-devel

-BuildRequires:    procps-ng-devel

-Requires:         filesystem kmod coreutils

+Patch0:         KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

+Patch1:         RDS-race-condition-on-unbound-socket-null-deref.patch

+Patch2:         ovl-fix-permission-checking-for-setattr.patch

+BuildRequires:  bc

+BuildRequires:  kbd

+BuildRequires:  kmod

+BuildRequires:  glib-devel

+BuildRequires:  xerces-c-devel

+BuildRequires:  xml-security-c-devel

+BuildRequires:  libdnet

+BuildRequires:  libmspack

+BuildRequires:  Linux-PAM

+BuildRequires:  openssl-devel

+BuildRequires:  procps-ng-devel

+Requires:       filesystem kmod coreutils

 %description

 The Linux package contains the Linux kernel. 

@@ -67,7 +69,9 @@ Kernel driver for oprofile, a statistical profiler for Linux systems

 %prep

 %setup -q -n linux-4.2

+%patch0 -p1

 %patch1 -p1

+%patch2 -p1

 %build

 make mrproper

@@ -155,6 +159,8 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg

 /lib/modules/%{version}/kernel/arch/x86/oprofile/

 %changelog

+*   Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com>  4.2.0-12

+-   Fixes for CVE-2015-7990/6937 and CVE-2015-8660.

 *   Tue Jan 26 2016 Anish Swaminathan <anishs@vmware.com> 4.2.0-11

 -   Revert CONFIG_HZ=250

 *   Fri Jan 22 2016 Alexey Makhalov <amakhalov@vmware.com> 4.2.0-10

new file mode 100644

@@ -0,0 +1,43 @@

+From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001

+From: Miklos Szeredi <miklos@szeredi.hu>

+Date: Fri, 4 Dec 2015 19:18:48 +0100

+Subject: [PATCH] ovl: fix permission checking for setattr

+

+[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()

+away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"

+(with the former being always safe and the latter failing in case of

+insufficient permissions) it tries to combine these two.  Note that copyup

+itself will have to do ->setattr() anyway; _that_ is where the elevated

+capabilities are right.  Having these two ->setattr() (one to set verbatim

+copy of metadata, another to do what overlayfs ->setattr() had been asked

+to do in the first place) combined is where it breaks.

+

+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>

+Cc: <stable@vger.kernel.org>

+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

+---

+ fs/overlayfs/inode.c | 8 ++++----

+ 1 file changed, 4 insertions(+), 4 deletions(-)

+

+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c

+index ec0c2a050..9612849 100644

+--- a/fs/overlayfs/inode.c

+@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)

+ 	if (err)

+ 		goto out;

+ 

+-	upperdentry = ovl_dentry_upper(dentry);

+-	if (upperdentry) {

++	err = ovl_copy_up(dentry);

++	if (!err) {

++		upperdentry = ovl_dentry_upper(dentry);

++

+ 		mutex_lock(&upperdentry->d_inode->i_mutex);

+ 		err = notify_change(upperdentry, attr, NULL);

+ 		mutex_unlock(&upperdentry->d_inode->i_mutex);

+-	} else {

+-		err = ovl_copy_up_last(dentry, attr, false);

+ 	}

+ 	ovl_drop_write(dentry);

+ out: