diff --git a/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
new file mode 100644
index 0000000..93fce3d
--- /dev/null
+++ b/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
@@ -0,0 +1,38 @@
+Bugzilla: 1096195
+Upstream-status: 3.15 and queued for stable
+
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
+ 	int ret;
+ 
+ 	while (ptr) {
+-		ret = copy_to_user(param, ptr, sizeof(*ptr));
++		struct floppy_raw_cmd cmd = *ptr;
++		cmd.next = NULL;
++		cmd.kernel_data = NULL;
++		ret = copy_to_user(param, &cmd, sizeof(cmd));
+ 		if (ret)
+ 			return -EFAULT;
+ 		param += sizeof(struct floppy_raw_cmd);
diff --git a/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
new file mode 100644
index 0000000..712a9e0
--- /dev/null
+++ b/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
@@ -0,0 +1,48 @@
+Bugzilla: 1096195
+Upstream-status: 3.15 and queued for stable
+
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+ 		return -ENOMEM;
+ 	*rcmd = ptr;
+ 	ret = copy_from_user(ptr, param, sizeof(*ptr));
+-	if (ret)
+-		return -EFAULT;
+ 	ptr->next = NULL;
+ 	ptr->buffer_length = 0;
++	ptr->kernel_data = NULL;
++	if (ret)
++		return -EFAULT;
+ 	param += sizeof(struct floppy_raw_cmd);
+ 	if (ptr->cmd_count > 33)
+ 			/* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+ 	for (i = 0; i < 16; i++)
+ 		ptr->reply[i] = 0;
+ 	ptr->resultcode = 0;
+-	ptr->kernel_data = NULL;
+ 
+ 	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ 		if (ptr->length <= 0)
diff --git a/kernel.spec b/kernel.spec
index 6591314..355659c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -790,6 +790,10 @@ Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-m
 #rhbz 1082266
 Patch25087: jme-fix-dma-unmap-error.patch
 
+#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
+Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1533,6 +1537,10 @@ ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-me
 #rhbz 1082266
 ApplyPatch jme-fix-dma-unmap-error.patch
 
+#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
+ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2344,6 +2352,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri May 09 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-1738 CVE-2014-1737 floppy: priv esclation (rhbz 1094299 1096195)
+
 * Thu May 08 2014 Neil Horman <nhorman@redhat.com>
 - Fix dma unmap error in jme driver (rhbz 1082266)