Merge remote-tracking branch 'origin/master'kernel-4.10.0-0.rc7.git1.1.vanilla.knurd.1.fc26kernel-4.10.0-0.rc7.git1.1.vanilla.knurd.1.fc25kernel-4.10.0-0.rc7.git1.1.vanilla.knurd.1.fc24

15 files changed, 120 insertions, 16 deletions

diff --git a/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY b/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY
index dd8763fdd..48732e524 100644
--- a/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY
+++ b/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY
@@ -1 +1 @@
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
diff --git a/gitrev b/gitrev
index 59232de02..96a03fa2c 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-34e00accf612bc5448ae709245c2b408edf39f46
+8b1b41ee74f9712c355d66dc105bbea663ae0afd
diff --git a/ip6_gre-fix-ip6gre_err-invalid-reads.patch b/ip6_gre-fix-ip6gre_err-invalid-reads.patch
new file mode 100644
index 000000000..756663c11
--- /dev/null
+++ b/ip6_gre-fix-ip6gre_err-invalid-reads.patch
@@ -0,0 +1,91 @@
+From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 4 Feb 2017 23:18:55 -0800
+Subject: ip6_gre: fix ip6gre_err() invalid reads
+
+Andrey Konovalov reported out of bound accesses in ip6gre_err()
+
+If GRE flags contains GRE_KEY, the following expression
+*(((__be32 *)p) + (grehlen / 4) - 1)
+
+accesses data ~40 bytes after the expected point, since
+grehlen includes the size of IPv6 headers.
+
+Let's use a "struct gre_base_hdr *greh" pointer to make this
+code more readable.
+
+p[1] becomes greh->protocol.
+grhlen is the GRE header length.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
+ 1 file changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 5586318..630b73b 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
+ 
+ 
+ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+-		u8 type, u8 code, int offset, __be32 info)
++		       u8 type, u8 code, int offset, __be32 info)
+ {
+-	const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
+-	__be16 *p = (__be16 *)(skb->data + offset);
+-	int grehlen = offset + 4;
++	const struct gre_base_hdr *greh;
++	const struct ipv6hdr *ipv6h;
++	int grehlen = sizeof(*greh);
+ 	struct ip6_tnl *t;
++	int key_off = 0;
+ 	__be16 flags;
++	__be32 key;
+ 
+-	flags = p[0];
+-	if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
+-		if (flags&(GRE_VERSION|GRE_ROUTING))
+-			return;
+-		if (flags&GRE_KEY) {
+-			grehlen += 4;
+-			if (flags&GRE_CSUM)
+-				grehlen += 4;
+-		}
++	if (!pskb_may_pull(skb, offset + grehlen))
++		return;
++	greh = (const struct gre_base_hdr *)(skb->data + offset);
++	flags = greh->flags;
++	if (flags & (GRE_VERSION | GRE_ROUTING))
++		return;
++	if (flags & GRE_CSUM)
++		grehlen += 4;
++	if (flags & GRE_KEY) {
++		key_off = grehlen + offset;
++		grehlen += 4;
+ 	}
+ 
+-	/* If only 8 bytes returned, keyed message will be dropped here */
+-	if (!pskb_may_pull(skb, grehlen))
++	if (!pskb_may_pull(skb, offset + grehlen))
+ 		return;
+ 	ipv6h = (const struct ipv6hdr *)skb->data;
+-	p = (__be16 *)(skb->data + offset);
++	greh = (const struct gre_base_hdr *)(skb->data + offset);
++	key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
+ 
+ 	t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
+-				flags & GRE_KEY ?
+-				*(((__be32 *)p) + (grehlen / 4) - 1) : 0,
+-				p[1]);
++				 key, greh->protocol);
+ 	if (!t)
+ 		return;
+ 
+-- 
+cgit v0.12
+
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 986e16c07..7526300f3 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -1072,7 +1072,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index dd5648cb7..a346a7938 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -1147,7 +1147,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 3e92b7da9..b250ca889 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -1101,7 +1101,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-i686-PAEdebug.config b/kernel-i686-PAEdebug.config
index 34a24cdb7..62886b151 100644
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@@ -958,7 +958,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index 0ab2f1adf..6e5a684de 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -958,7 +958,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-ppc64-debug.config b/kernel-ppc64-debug.config
index a452d7b57..414115223 100644
--- a/kernel-ppc64-debug.config
+++ b/kernel-ppc64-debug.config
@@ -947,7 +947,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index 181ad231d..14c3d83c6 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -902,7 +902,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-ppc64p7-debug.config b/kernel-ppc64p7-debug.config
index 21c8b5551..d1cb17fb7 100644
--- a/kernel-ppc64p7-debug.config
+++ b/kernel-ppc64p7-debug.config
@@ -902,7 +902,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index cc1ac3673..d040d077d 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -901,7 +901,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index 4a002b8d6..be3f1db20 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -986,7 +986,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel.spec b/kernel.spec
index 0950f1b06..97613f308 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -75,9 +75,9 @@ Summary: The Linux kernel
 # The next upstream release sublevel (base_sublevel+1)
 %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
 # The rc snapshot level
-%global rcrev 6
+%global rcrev 7
 # The git snapshot level
-%define gitrev 3
+%define gitrev 1
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -616,6 +616,10 @@ Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
 #CVE-2017-2596 rhbz 1417812 1417813
 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
 
+#CVE-2017-5897 rhbz 1419848 1419851
+Patch855: ip6_gre-fix-ip6gre_err-invalid-reads.patch
+
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2189,6 +2193,15 @@ fi
 #
 #
 %changelog
+* Tue Feb 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git1.1
+- Linux v4.10-rc7-29-g8b1b41e
+- Reenable debugging options.
+- CVE-2017-5897 ip6_gre: Invalid reads in ip6gre_err (rhbz 1419848 1419851)
+
+* Mon Feb 06 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git0.1
+- Disable debugging options.
+- Linux v4.10-rc7
+
 * Fri Feb 03 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git3.1
 - Linux v4.10-rc6-110-g34e00ac
 
diff --git a/sources b/sources
index 405fe1f1c..ad4dec032 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
-SHA512 (patch-4.10-rc6.xz) = eb6dfcdcb427d198d955b6c2146abd5c6a74d01ab10855d713f33b9c87df05f20f2688cb354d5881dfb82ebdcf4ecac37b36956ff3645977f967f021b52ad507
-SHA512 (patch-4.10-rc6-git3.xz) = 8a844c3b708926f0451931961128b485db23dac8f40978716675d9fcec5ae9a40b3ef5da50d613c9de4d3c7c15edf4942dd232b1ef7935c373e74e92c145b016
+SHA512 (patch-4.10-rc7.xz) = 206e5e97581bb376141398b6962fbbc4ee0a58b50fae1de83f3f6f3c06502b260f006628aab738d63994a6d1c0276717d49e882a8107b8f9c24d565a2a70ea9b
+SHA512 (patch-4.10-rc7-git1.xz) = 6b71afe5c9bd79e551bcd26798284ce1d77359e8787a1861d2acfeaec7222abf08dd0bf92c842c0fa790271dbcce42c895d50b805e0a868525c8d73ff425d3b1