diff --git a/kernel.spec b/kernel.spec
index 1a44143fd..4f908544f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -584,6 +584,9 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
 Patch505: 0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch
+# CVE-2015-5697 (rhbz 1249011 1249013)
+Patch506: md-use-kzalloc-when-bitmap-is-disabled.patch
+
 Patch904: kdbus.patch
 # END OF PATCH DEFINITIONS
@@ -2021,6 +2024,9 @@ fi
 #
 # %changelog
+* Mon Aug 03 2015 Josh Boyer
+- CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)
+
 * Mon Aug 03 2015 Josh Boyer - 4.2.0-0.rc5.git0.1
 - Linux v4.2-rc5
 - Disable debugging options.
diff --git a/md-use-kzalloc-when-bitmap-is-disabled.patch b/md-use-kzalloc-when-bitmap-is-disabled.patch
new file mode 100644
index 000000000..fded7a2db
--- /dev/null
+++ b/md-use-kzalloc-when-bitmap-is-disabled.patch
@@ -0,0 +1,70 @@
+From 77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4 Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo
+Signed-off-by: NeilBrown
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index ce4cb8b..cdc080b 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5765,22 +5765,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ char *ptr;
+ int err;
+ 
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ return -ENOMEM;
+ 
+ err = 0;
+ spin_lock(&mddev->lock);
+- /* bitmap disabled, zero the first byte and copy out */
+- if (!mddev->bitmap_info.file)
+- file->pathname[0] = '\0';
+- else if ((ptr = file_path(mddev->bitmap_info.file,
+- file->pathname, sizeof(file->pathname))),
+- IS_ERR(ptr))
+- err = PTR_ERR(ptr);
+- else
+- memmove(file->pathname, ptr,
+- sizeof(file->pathname)-(ptr-file->pathname));
++ /* bitmap enabled */
++ if (mddev->bitmap_info.file) {
++ ptr = file_path(mddev->bitmap_info.file, file->pathname,
++ sizeof(file->pathname));
++ if (IS_ERR(ptr))
++ err = PTR_ERR(ptr);
++ else
++ memmove(file->pathname, ptr,
++ sizeof(file->pathname)-(ptr-file->pathname));
++ }
+ spin_unlock(&mddev->lock);
+ 
+ if (err == 0 &&
+-- 
+cgit v0.10.2
+
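Review bot: The replacement comment `/* bitmap enabled */` drops the only hint that the zero-fill is security-relevant, so a later change of kzalloc() back to kmalloc() (or a partial reuse of the buffer) would silently reintroduce the CVE-2015-5697 leak; suggest the allocation line carry the rationale, e.g. `file = kzalloc(sizeof(*file), GFP_NOIO); /* zeroed: the whole struct is copied to user space below */`. The copy_to_user() that makes every byte of *file user-visible lies past the end of the hunk (`if (err == 0 &&` is its last context line), as does the rest of get_bitmap_file(), so that dependency is taken from the commit message rather than from visible lines. The restructured block itself looks right: when bitmap_info.file is NULL the pathname stays all-zero and the memmove is skipped, and when it is set the error path leaves err holding PTR_ERR(ptr) so the copy-out is presumably skipped.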