authorThorsten Leemhuis <fedora@leemhuis.info>2016-05-20 07:23:29 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2016-05-20 07:23:29 +0200
commit548bd774375743a155cc9259c321078039b1ca05 (patch)
treec23d9b3cf5680f7567249dfe8deb8fbf0bd17693
parent363f9b90ebfbd8cb4811186724d7893148b5b6cf (diff)
parentfe50f1157ad34d8bef154c7e061e07f1df3cb99d (diff)
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.5.5-200.vanilla.knurd.1.fc23kernel-4.5.5-200.vanilla.knurd.1.fc22
-rw-r--r--KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch91
-rw-r--r--KVM-MTRR-remove-MSR-0x2f8.patch49
-rw-r--r--Makefile1
-rw-r--r--Makefile.release1
-rw-r--r--bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch46
-rw-r--r--bpf-fix-refcnt-overflow.patch158
-rw-r--r--config-debug2
-rw-r--r--config-generic1
-rw-r--r--config-nodebug2
-rw-r--r--ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch40
-rw-r--r--kernel.spec32
-rw-r--r--net-fix-infoleak-in-llc.patch32
-rw-r--r--net-fix-infoleak-in-rtnetlink.patch50
-rw-r--r--sources2
14 files changed, 167 insertions, 340 deletions
diff --git a/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
new file mode 100644
index 000000000..957de0977
--- /dev/null
+++ b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
@@ -0,0 +1,91 @@
+From 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 23 Feb 2016 11:03:12 +0000
+Subject: [PATCH] KEYS: Fix ASN.1 indefinite length object parsing
+
+This fixes CVE-2016-0758.
+
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor. With a sufficiently large size indicated, the check:
+
+ datalen - dp < 2
+
+may then fail due to integer overflow.
+
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+
+Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+ of the variable it's being stored in (len) rather than the type that
+ variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+ integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+ for (len = 0; n > 0; n--) {
+
+ since it doesn't have anything to do with the loop counter n.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Acked-by: David Woodhouse <David.Woodhouse@intel.com>
+Acked-by: Peter Jones <pjones@redhat.com>
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index 2b3f46c049d4..554522934c44 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -74,7 +74,7 @@ next_tag:
+
+ /* Extract a tag from the data */
+ tag = data[dp++];
+- if (tag == 0) {
++ if (tag == ASN1_EOC) {
+ /* It appears to be an EOC. */
+ if (data[dp++] != 0)
+ goto invalid_eoc;
+@@ -96,10 +96,8 @@ next_tag:
+
+ /* Extract the length */
+ len = data[dp++];
+- if (len <= 0x7f) {
+- dp += len;
+- goto next_tag;
+- }
++ if (len <= 0x7f)
++ goto check_length;
+
+ if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ /* Indefinite length */
+@@ -110,14 +108,18 @@ next_tag:
+ }
+
+ n = len - 0x80;
+- if (unlikely(n > sizeof(size_t) - 1))
++ if (unlikely(n > sizeof(len) - 1))
+ goto length_too_long;
+ if (unlikely(n > datalen - dp))
+ goto data_overrun_error;
+- for (len = 0; n > 0; n--) {
++ len = 0;
++ for (; n > 0; n--) {
+ len <<= 8;
+ len |= data[dp++];
+ }
++check_length:
++ if (len > datalen - dp)
++ goto data_overrun_error;
+ dp += len;
+ goto next_tag;
+
+--
+2.5.5
+
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch
new file mode 100644
index 000000000..8066b2e8f
--- /dev/null
+++ b/KVM-MTRR-remove-MSR-0x2f8.patch
@@ -0,0 +1,49 @@
+From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Mon, 16 May 2016 09:45:35 -0400
+Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
+was introduced by 9ba075a664df ("KVM: MTRR support").
+
+0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
+size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
+which made access to index 124 out of bounds. The surrounding code only
+WARNs in this situation, thus the guest gained a limited read/write
+access to struct kvm_arch_vcpu.
+
+0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
+MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
+was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
+not implemented in KVM, therefore 0x2f8 could never do anything useful
+and getting rid of it is safe.
+
+This fixes CVE-2016-TBD.
+
+Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
+Cc: stable@vger.kernel.org
+Reported-by: David Matlack <dmatlack@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+---
+ arch/x86/kvm/mtrr.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
+index 3f8c732117ec..c146f3c262c3 100644
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
+ case MSR_MTRRdefType:
+ case MSR_IA32_CR_PAT:
+ return true;
+- case 0x2f8:
+- return true;
+ }
+ return false;
+ }
+--
+2.5.5
+
diff --git a/Makefile b/Makefile
index 4f11a034b..128b2ff33 100644
--- a/Makefile
+++ b/Makefile
@@ -37,6 +37,7 @@ debug:
@perl -pi -e 's/# CONFIG_PROVE_RCU is not set/CONFIG_PROVE_RCU=y/' config-nodebug
@perl -pi -e 's/# CONFIG_DEBUG_SPINLOCK is not set/CONFIG_DEBUG_SPINLOCK=y/' config-nodebug
@perl -pi -e 's/# CONFIG_DEBUG_VM is not set/CONFIG_DEBUG_VM=y/' config-nodebug
+ @perl -pi -e 's/# CONFIG_DEBUG_VM_PGFLAGS is not set/CONFIG_DEBUG_VM_PGFLAGS=y/' config-nodebug
@perl -pi -e 's/# CONFIG_FAULT_INJECTION is not set/CONFIG_FAULT_INJECTION=y/' config-nodebug
@perl -pi -e 's/# CONFIG_FAILSLAB is not set/CONFIG_FAILSLAB=y/' config-nodebug
@perl -pi -e 's/# CONFIG_FAIL_PAGE_ALLOC is not set/CONFIG_FAIL_PAGE_ALLOC=y/' config-nodebug
diff --git a/Makefile.release b/Makefile.release
index fcd90814f..da1a2fba3 100644
--- a/Makefile.release
+++ b/Makefile.release
@@ -17,6 +17,7 @@ config-release:
@perl -pi -e 's/CONFIG_PROVE_RCU=y/# CONFIG_PROVE_RCU is not set/' config-nodebug
@perl -pi -e 's/CONFIG_DEBUG_SPINLOCK=y/# CONFIG_DEBUG_SPINLOCK is not set/' config-nodebug
@perl -pi -e 's/CONFIG_DEBUG_VM=y/# CONFIG_DEBUG_VM is not set/' config-nodebug
+ @perl -pi -e 's/CONFIG_DEBUG_VM_PGFLAGS=y/# CONFIG_DEBUG_VM_PGFLAGS is not set/' config-nodebug
@perl -pi -e 's/CONFIG_FAULT_INJECTION=y/# CONFIG_FAULT_INJECTION is not set/' config-nodebug
@perl -pi -e 's/CONFIG_FAILSLAB=y/# CONFIG_FAILSLAB is not set/' config-nodebug
@perl -pi -e 's/CONFIG_FAIL_PAGE_ALLOC=y/# CONFIG_FAIL_PAGE_ALLOC is not set/' config-nodebug
diff --git a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
deleted file mode 100644
index 3ba32bae7..000000000
--- a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Tue, 26 Apr 2016 22:26:26 +0200
-Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr()
-
-When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
-references a non-map file descriptor as a map file descriptor, the error
-handling code called fdput() twice instead of once (in __bpf_map_get() and
-in replace_map_fd_with_map_ptr()). If the file descriptor table of the
-current task is shared, this causes f_count to be decremented too much,
-allowing the struct file to be freed while it is still in use
-(use-after-free). This can be exploited to gain root privileges by an
-unprivileged user.
-
-This bug was introduced in
-commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
-exploitable since
-commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
-previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
-
-(posted publicly according to request by maintainer)
-
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- kernel/bpf/verifier.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 618ef77c302a..db2574e7b8b0 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
- if (IS_ERR(map)) {
- verbose("fd %d is not pointing to valid bpf_map\n",
- insn->imm);
-- fdput(f);
- return PTR_ERR(map);
- }
-
---
-2.5.5
-
diff --git a/bpf-fix-refcnt-overflow.patch b/bpf-fix-refcnt-overflow.patch
deleted file mode 100644
index 1143c8286..000000000
--- a/bpf-fix-refcnt-overflow.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001
-From: Alexei Starovoitov <ast@fb.com>
-Date: Wed, 27 Apr 2016 18:56:20 -0700
-Subject: [PATCH] bpf: fix refcnt overflow
-
-On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK,
-the malicious application may overflow 32-bit bpf program refcnt.
-It's also possible to overflow map refcnt on 1Tb system.
-Impose 32k hard limit which means that the same bpf program or
-map cannot be shared by more than 32k processes.
-
-Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
-Reported-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/linux/bpf.h | 3 ++-
- kernel/bpf/inode.c | 7 ++++---
- kernel/bpf/syscall.c | 24 ++++++++++++++++++++----
- kernel/bpf/verifier.c | 11 +++++++----
- 4 files changed, 33 insertions(+), 12 deletions(-)
-
-diff --git a/include/linux/bpf.h b/include/linux/bpf.h
-index 83d1926c61e4..67bc2da5d233 100644
---- a/include/linux/bpf.h
-+++ b/include/linux/bpf.h
-@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl);
- void bpf_register_map_type(struct bpf_map_type_list *tl);
-
- struct bpf_prog *bpf_prog_get(u32 ufd);
-+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
- void bpf_prog_put(struct bpf_prog *prog);
- void bpf_prog_put_rcu(struct bpf_prog *prog);
-
- struct bpf_map *bpf_map_get_with_uref(u32 ufd);
- struct bpf_map *__bpf_map_get(struct fd f);
--void bpf_map_inc(struct bpf_map *map, bool uref);
-+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
- void bpf_map_put_with_uref(struct bpf_map *map);
- void bpf_map_put(struct bpf_map *map);
-
-diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
-index 5a8a797d50b7..d1a7646f79c5 100644
---- a/kernel/bpf/inode.c
-+++ b/kernel/bpf/inode.c
-@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type)
- {
- switch (type) {
- case BPF_TYPE_PROG:
-- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
-+ raw = bpf_prog_inc(raw);
- break;
- case BPF_TYPE_MAP:
-- bpf_map_inc(raw, true);
-+ raw = bpf_map_inc(raw, true);
- break;
- default:
- WARN_ON_ONCE(1);
-@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname,
- goto out;
-
- raw = bpf_any_get(inode->i_private, *type);
-- touch_atime(&path);
-+ if (!IS_ERR(raw))
-+ touch_atime(&path);
-
- path_put(&path);
- return raw;
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 3b39550d8485..4e32cc94edd9 100644
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f)
- return f.file->private_data;
- }
-
--void bpf_map_inc(struct bpf_map *map, bool uref)
-+/* prog's and map's refcnt limit */
-+#define BPF_MAX_REFCNT 32768
-+
-+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
- {
-- atomic_inc(&map->refcnt);
-+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
-+ atomic_dec(&map->refcnt);
-+ return ERR_PTR(-EBUSY);
-+ }
- if (uref)
- atomic_inc(&map->usercnt);
-+ return map;
- }
-
- struct bpf_map *bpf_map_get_with_uref(u32 ufd)
-@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
- if (IS_ERR(map))
- return map;
-
-- bpf_map_inc(map, true);
-+ map = bpf_map_inc(map, true);
- fdput(f);
-
- return map;
-@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f)
- return f.file->private_data;
- }
-
-+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
-+{
-+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
-+ atomic_dec(&prog->aux->refcnt);
-+ return ERR_PTR(-EBUSY);
-+ }
-+ return prog;
-+}
-+
- /* called by sockets/tracing/seccomp before attaching program to an event
- * pairs with bpf_prog_put()
- */
-@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
- if (IS_ERR(prog))
- return prog;
-
-- atomic_inc(&prog->aux->refcnt);
-+ prog = bpf_prog_inc(prog);
- fdput(f);
-
- return prog;
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 2e7f7ab739e4..060e4c4c37ea 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
- return -E2BIG;
- }
-
-- /* remember this map */
-- env->used_maps[env->used_map_cnt++] = map;
--
- /* hold the map. If the program is rejected by verifier,
- * the map will be released by release_maps() or it
- * will be used by the valid program until it's unloaded
- * and all maps are released in free_bpf_prog_info()
- */
-- bpf_map_inc(map, false);
-+ map = bpf_map_inc(map, false);
-+ if (IS_ERR(map)) {
-+ fdput(f);
-+ return PTR_ERR(map);
-+ }
-+ env->used_maps[env->used_map_cnt++] = map;
-+
- fdput(f);
- next_insn:
- insn++;
---
-2.5.5
-
diff --git a/config-debug b/config-debug
index fc6505b48..c0b226889 100644
--- a/config-debug
+++ b/config-debug
@@ -128,3 +128,5 @@ CONFIG_EDAC_DEBUG=y
CONFIG_SPI_DEBUG=y
CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
+
+CONFIG_DEBUG_VM_PGFLAGS=y
diff --git a/config-generic b/config-generic
index ccc53d89a..a62e247a8 100644
--- a/config-generic
+++ b/config-generic
@@ -4822,7 +4822,6 @@ CONFIG_DEBUG_BOOT_PARAMS=y
CONFIG_DEBUG_VM=y
# CONFIG_DEBUG_VM_VMACACHE is not set
# CONFIG_DEBUG_VM_RB is not set # revisit this if performance isn't horrible
-CONFIG_DEBUG_VM_PGFLAGS=y
# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
CONFIG_LOCKUP_DETECTOR=y
# CONFIG_DEBUG_INFO_REDUCED is not set
diff --git a/config-nodebug b/config-nodebug
index c173637a2..c070f68cf 100644
--- a/config-nodebug
+++ b/config-nodebug
@@ -128,3 +128,5 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
# CONFIG_SPI_DEBUG is not set
# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+# CONFIG_DEBUG_VM_PGFLAGS is not set
diff --git a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
deleted file mode 100644
index 9e4cf4e0e..000000000
--- a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9f79323a0aebccb9915ab8f4b7dcf531578b9cf9 Mon Sep 17 00:00:00 2001
-From: Paolo Abeni <pabeni@redhat.com>
-Date: Thu, 21 Apr 2016 20:23:31 -0400
-Subject: [PATCH] ipv4/fib: don't warn when primary address is missing if
- in_dev is dead
-
-After commit fbd40ea0180a ("ipv4: Don't do expensive useless work
-during inetdev destroy.") when deleting an interface,
-fib_del_ifaddr() can be executed without any primary address
-present on the dead interface.
-
-The above is safe, but triggers some "bug: prim == NULL" warnings.
-
-This commit avoids warning if the in_dev is dead
-
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
----
- net/ipv4/fib_frontend.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
-index 8a9246deccfe..63566ec54794 100644
---- a/net/ipv4/fib_frontend.c
-+++ b/net/ipv4/fib_frontend.c
-@@ -904,7 +904,11 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
- if (ifa->ifa_flags & IFA_F_SECONDARY) {
- prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask);
- if (!prim) {
-- pr_warn("%s: bug: prim == NULL\n", __func__);
-+ /* if the device has been deleted, we don't perform
-+ * address promotion
-+ */
-+ if (!in_dev->dead)
-+ pr_warn("%s: bug: prim == NULL\n", __func__);
- return;
- }
- if (iprim && iprim != prim) {
---
-2.5.5
-
diff --git a/kernel.spec b/kernel.spec
index c52549aae..46b0a1da1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -654,9 +654,6 @@ Patch701: antenna_select.patch
#rhbz 1302071
Patch702: x86-build-Build-compressed-x86-kernels-as-PIE.patch
-# Follow on for CVE-2016-3156
-Patch703: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
-
# Stop splashing crap about broken firmware BGRT
Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch
@@ -666,14 +663,6 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
#CVE-2016-4482 rhbz 1332931 1332932
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
-#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321
-Patch707: net-fix-infoleak-in-llc.patch
-Patch708: net-fix-infoleak-in-rtnetlink.patch
-
-#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311
-Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
-Patch712: bpf-fix-refcnt-overflow.patch
-
#rhbz 1328633
Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch
@@ -682,6 +671,12 @@ Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+#CVE-2016-0758 rhbz 1300257 1335386
+Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
+
+#CVE-2016-3713 rhbz 1332139 1336410
+Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2206,6 +2201,19 @@ fi
#
#
%changelog
+* Thu May 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.5-200
+- Linux v4.5.5
+- CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
+
+* Mon May 16 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173)
+
+* Mon May 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)
+
+* Fri May 13 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-0758 pointer corruption in asn1 decoder (rhbz 1300257 1335386)
+
* Wed May 11 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.4-200
- Linux v4.5.4
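Review bot: The 4.5.5-200 changelog entry records only the isofs fix, while the earlier hunks of this file also drop Patch703, Patch707, Patch708, Patch711 and Patch712 (the CVE-2016-3156 follow-on, the CVE-2016-4485/CVE-2016-4486 infoleak fixes and the CVE-2016-4557/CVE-2016-4558 bpf fixes) and the commit deletes their patch files; presumably they are carried by the v4.5.5 stable update, but nothing in the spec or changelog says so. Someone auditing the CVE coverage of this build cannot tell from the record whether those fixes were superseded or silently lost. A line under the 4.5.5-200 entry such as `- Drop ipv4-fib, net-llc, net-rtnetlink and both bpf patches, now in v4.5.5 (CVE-2016-4485 CVE-2016-4486 CVE-2016-4557 CVE-2016-4558)` would close that gap. The stable_update bump and the new Patch717/Patch718 definitions are consistent with the added patch files and their changelog entries.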
diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch
deleted file mode 100644
index 38f0d506a..000000000
--- a/net-fix-infoleak-in-llc.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:35:05 -0400
-Subject: [PATCH 2/2] net: fix infoleak in llc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “info” has a total size of 12 bytes. Its last byte
-is padding which is not initialized and leaked via “put_cmsg”.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/llc/af_llc.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
-index b3c52e3f689a..8ae3ed97d95c 100644
---- a/net/llc/af_llc.c
-+++ b/net/llc/af_llc.c
-@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
- if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
- struct llc_pktinfo info;
-
-+ memset(&info, 0, sizeof(info));
- info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
- llc_pdu_decode_dsap(skb, &info.lpi_sap);
- llc_pdu_decode_da(skb, info.lpi_mac);
---
-2.5.5
-
diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch
deleted file mode 100644
index 0da35108d..000000000
--- a/net-fix-infoleak-in-rtnetlink.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:46:24 -0400
-Subject: [PATCH 1/2] net: fix infoleak in rtnetlink
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “map” has a total size of 32 bytes. Its last 4
-bytes are padding generated by compiler. These padding bytes are
-not initialized and sent out via “nla_put”.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/core/rtnetlink.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index a75f7e94b445..65763c29f845 100644
---- a/net/core/rtnetlink.c
-+++ b/net/core/rtnetlink.c
-@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
-
- static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
- {
-- struct rtnl_link_ifmap map = {
-- .mem_start = dev->mem_start,
-- .mem_end = dev->mem_end,
-- .base_addr = dev->base_addr,
-- .irq = dev->irq,
-- .dma = dev->dma,
-- .port = dev->if_port,
-- };
-+ struct rtnl_link_ifmap map;
-+
-+ memset(&map, 0, sizeof(map));
-+ map.mem_start = dev->mem_start;
-+ map.mem_end = dev->mem_end;
-+ map.base_addr = dev->base_addr;
-+ map.irq = dev->irq;
-+ map.dma = dev->dma;
-+ map.port = dev->if_port;
-+
- if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
- return -EMSGSIZE;
-
---
-2.5.5
-
diff --git a/sources b/sources
index 1d6359066..aa475431e 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz
6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz
-137460a1e32335e2eedc61fcfc2643fa patch-4.5.4.xz
+fe89010925304f6f07713741f0c8e811 patch-4.5.5.xz