From 7e15834edfd7f1a4bed0555440b7db97c2b1198e Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 9 Feb 2016 07:12:44 +0100 Subject: vhost driver: CVE-2015-6252 Fixes a flaw in the Linux kernel's vhost driver. A privileged local user with access to the /dev/vhost-net files could use this flaw to create a denial-of-service attack. References: =========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6252 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-6252 http://www.openwall.com/lists/oss-security/2015/08/18/3 Upstream patch: =============== https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=a5b3343b05e58b8f8ce7481426f89c048229b50d Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- .../linux-qoriq-3.12/vhost-CVE-2015-6252.patch | 39 ++++++++++++++++++++++ recipes-kernel/linux/linux-qoriq-common.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch
diff --git a/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch b/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch
new file mode 100644
index 0000000..068b8ad
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch
@@ -0,0 +1,39 @@
+From a5b3343b05e58b8f8ce7481426f89c048229b50d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Fri, 17 Jul 2015 15:32:03 +0200
+Subject: vhost: actually track log eventfd file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 upstream.
+
+While reviewing vhost log code, I found out that log_file is never
+set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
+
+Fixes CVE-2015-6252.
+Upstream-Status: Backport
+
+Signed-off-by: Marc-André Lureau
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Jiri Slaby
+Signed-off-by: Sona Sarmadi
+---
+ drivers/vhost/vhost.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 69068e0..384bcc8 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -878,6 +878,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
+ }
+ if (eventfp != d->log_file) {
+ filep = d->log_file;
++ d->log_file = eventfp;
+ ctx = d->log_ctx;
+ d->log_ctx = eventfp ?
+ eventfd_ctx_fileget(eventfp) : NULL;
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 3b4a203..9052358 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -22,6 +22,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
 file://ipc-CVE-2015-7613.patch \
 file://net-rds-CVE-2015-2042.patch \
 file://drivers-scsi-CVE-2015-5707.patch \
+ file://vhost-CVE-2015-6252.patch \
 "

 SRC_URI += "file://cfg/00013-localversion.cfg \
--
cgit v1.2.3-54-g00ecf
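Review bot: The embedded kernel patch states in its own message that the change was never tested ("QEMU doesn't use LOG_FD yet"), and this backport applies it to the linux-qoriq 3.12 tree without recording any verification of its own. The added `d->log_file = eventfp;` in the `if (eventfp != d->log_file)` branch makes the tracking correct only if the rest of `vhost_dev_ioctl` still releases the previous file held in `filep` and the device cleanup path releases `d->log_file`; both lie outside the hunk, so they should be confirmed against the 3.12 sources rather than assumed. For auditability the patch header would be better as `Upstream-Status: Backport [linux-stable a5b3343b05e58b8f8ce7481426f89c048229b50d]` together with a `CVE: CVE-2015-6252` tag line.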