diff --git a/kernel.spec b/kernel.spec
index 15b3eef..17b74cb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -658,6 +658,9 @@ Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
 Patch830: posix_acl-Add-set_posix_acl.patch
 Patch831: nfsd-check-permissions-when-setting-ACLs.patch
+#CVE-2016-6156 rhbz 1353490 1353491
+Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2175,6 +2178,9 @@ fi
 #
 #
 %changelog
+* Thu Jul 07 2016 Josh Boyer
+- CVE-2016-6156 race condition in chrome chardev driver (rhbz 1353490 1353491)
+
 * Tue Jul 05 2016 Josh Boyer
 - Linux v4.6.3
 - CVE-2016-6130 s390x race condition in sclp leads to info leak (rhbz 1352558 1352559)
diff --git a/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
new file mode 100644
index 0000000..a685ff6
--- /dev/null
+++ b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
@@ -0,0 +1,52 @@
+From 096cdc6f52225835ff503f987a0d68ef770bb78e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 21 Jun 2016 16:58:46 +0300
+Subject: [PATCH] platform/chrome: cros_ec_dev - double fetch bug in ioctl
+
+We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
+that those values have not changed between the two copy_from_user()
+calls. Otherwise it could lead to a buffer overflow.
+
+Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
+We should use the new smaller value so we don't copy too much data to
+the user.
+
+Reported-by: Pengfei Wang
+Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data')
+Signed-off-by: Dan Carpenter
+Reviewed-by: Kees Cook
+Tested-by: Gwendal Grignou
+Cc: # v4.2+
+Signed-off-by: Olof Johansson
+---
+ drivers/platform/chrome/cros_ec_dev.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c
+index 6d8ee3b15872..8abd80dbcbed 100644
+--- a/drivers/platform/chrome/cros_ec_dev.c
++++ b/drivers/platform/chrome/cros_ec_dev.c
+@@ -151,13 +151,19 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
+ goto exit;
+ }
+
++ if (u_cmd.outsize != s_cmd->outsize ||
++ u_cmd.insize != s_cmd->insize) {
++ ret = -EINVAL;
++ goto exit;
++ }
++
+ s_cmd->command += ec->cmd_offset;
+ ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd);
+ /* Only copy data to userland if data was received. */
+ if (ret < 0)
+ goto exit;
+
+- if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize))
++ if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize))
+ ret = -EFAULT;
+ exit:
+ kfree(s_cmd);
+--
+2.5.5
+
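Review bot: The final `copy_to_user()` now sizes the kernel-to-user copy from `s_cmd->insize` as left by cros_ec_cmd_xfer(), so the bound rests on that callee only ever lowering the field; nothing in the hunk enforces it, and the buffer allocation sits above the hunk. Tying the length to the value that was already validated, `sizeof(*s_cmd) + min(s_cmd->insize, u_cmd.insize)`, would keep an over-read of the allocation impossible even if a transport driver reported a larger size. The added size comparison also deserves a short comment, e.g. `/* sizes were validated on the first fetch; reject if userspace changed them before the second */`, so it is not later dropped as redundant. ec_device_ioctl_xcmd() starts and ends outside the hunk.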