4.10.10kernel-4.10.10-100.vanilla.knurd.1.fc24

17 files changed, 500 insertions, 188 deletions

diff --git a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch b/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
deleted file mode 100644
index d682dcc42..000000000
--- a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Mon, 27 Mar 2017 11:32:59 +0200
-Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
-
-Since:
-
-  cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-
-all MCEs are printed even when mcelog is running. Fix the regression to
-not print to dmesg when mcelog is running as it is a consumer too.
-
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-[ Massage commit message. ]
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Tony Luck <tony.luck@intel.com>
-Cc: linux-edac <linux-edac@vger.kernel.org>
-Cc: stable@vger.kernel.org # 4.10..
-Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
----
- arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 8e9725c..5accfbd 100644
---- a/arch/x86/kernel/cpu/mcheck/mce.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce.c
-@@ -54,6 +54,8 @@
-
- static DEFINE_MUTEX(mce_chrdev_read_mutex);
-
-+static int mce_chrdev_open_count;	/* #times opened */
-+
- #define mce_log_get_idx_check(p) \
- ({ \
- 	RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
-@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
- 	if (atomic_read(&num_notifiers) > 2)
- 		return NOTIFY_DONE;
-
-+	/* Don't print when mcelog is running */
-+	if (mce_chrdev_open_count > 0)
-+		return NOTIFY_DONE;
-+
- 	__print_mce(m);
-
- 	return NOTIFY_DONE;
-@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
-  */
-
- static DEFINE_SPINLOCK(mce_chrdev_state_lock);
--static int mce_chrdev_open_count;	/* #times opened */
- static int mce_chrdev_open_exclu;	/* already open exclusive? */
-
- static int mce_chrdev_open(struct inode *inode, struct file *file)
--- 
-2.9.3
-
diff --git a/1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch b/1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
new file mode 100644
index 000000000..a3dec80d2
--- /dev/null
+++ b/1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
@@ -0,0 +1,63 @@
+From patchwork Sun Feb  5 14:57:59 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [1/2,media] cxusb: Use a dma capable buffer also for reading
+From: =?utf-8?q?Stefan_Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
+X-Patchwork-Id: 39207
+Message-Id: <b638428812af41e080ccfc7cf7ad6963@rwthex-w2-b.rwth-ad.de>
+To: <linux-media@vger.kernel.org>
+Cc: <linux-kernel@vger.kernel.org>, Mauro Carvalho Chehab <mchehab@kernel.org>,
+ Michael Krufky <mkrufky@linuxtv.org>,
+ =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
+Date: Sun, 5 Feb 2017 15:57:59 +0100
+
+Commit 17ce039b4e54 ("[media] cxusb: don't do DMA on stack")
+added a kmalloc'ed bounce buffer for writes, but missed to do the same
+for reads. As the read only happens after the write is finished, we can
+reuse the same buffer.
+
+As dvb_usb_generic_rw handles a read length of 0 by itself, avoid calling
+it using the dvb_usb_generic_read wrapper function.
+
+Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
+index 9b8c82d94b3f..8f28a63597bd 100644
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -59,23 +59,24 @@ static int cxusb_ctrl_msg(struct dvb_usb_device *d,
+ 			  u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen)
+ {
+ 	struct cxusb_state *st = d->priv;
+-	int ret, wo;
++	int ret;
+ 
+ 	if (1 + wlen > MAX_XFER_SIZE) {
+ 		warn("i2c wr: len=%d is too big!\n", wlen);
+ 		return -EOPNOTSUPP;
+ 	}
+ 
+-	wo = (rbuf == NULL || rlen == 0); /* write-only */
++	if (rlen > MAX_XFER_SIZE) {
++		warn("i2c rd: len=%d is too big!\n", rlen);
++		return -EOPNOTSUPP;
++	}
+ 
+ 	mutex_lock(&d->data_mutex);
+ 	st->data[0] = cmd;
+ 	memcpy(&st->data[1], wbuf, wlen);
+-	if (wo)
+-		ret = dvb_usb_generic_write(d, st->data, 1 + wlen);
+-	else
+-		ret = dvb_usb_generic_rw(d, st->data, 1 + wlen,
+-					 rbuf, rlen, 0);
++	ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0);
++	if (!ret && rbuf && rlen)
++		memcpy(rbuf, st->data, rlen);
+ 
+ 	mutex_unlock(&d->data_mutex);
+ 	return ret;
diff --git a/Armada-trace-build-fix.patch b/Armada-trace-build-fix.patch
deleted file mode 100644
index f78b121c0..000000000
--- a/Armada-trace-build-fix.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-From: Fedora Kernel Team <kernel-team@fedoraproject.org>
-Date: Wed, 14 Dec 2016 16:53:21 -0600
-Subject: [PATCH] Armada trace build fix
-
----
- drivers/gpu/drm/armada/Makefile | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/gpu/drm/armada/Makefile b/drivers/gpu/drm/armada/Makefile
---- a/drivers/gpu/drm/armada/Makefile
-+++ b/drivers/gpu/drm/armada/Makefile
-@@ -4,3 +4,5 @@ armada-y	+= armada_510.o
- armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
-
- obj-$(CONFIG_DRM_ARMADA) := armada.o
-+
-+CFLAGS_armada_trace.o := -I$(src)
--- 
-2.9.3
-
diff --git a/CVE-2017-7308.patch b/CVE-2017-7308.patch
new file mode 100644
index 000000000..c257f9564
--- /dev/null
+++ b/CVE-2017-7308.patch
@@ -0,0 +1,107 @@
+From 2b6867c2ce76c596676bec7d2d525af525fdc6e2 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: [PATCH] net/packet: fix overflow in check for priv area size
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index a0dbe7c..2323ee3 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ 			goto out;
+ 		if (po->tp_version >= TPACKET_V3 &&
+-		    (int)(req->tp_block_size -
+-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++		    req->tp_block_size <=
++			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ 			goto out;
+ 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ 					po->tp_reserve))
+-- 
+2.9.3
+
+From 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: [PATCH] net/packet: fix overflow in check for tp_frame_nr
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2323ee3..3ac286e 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4205,6 +4205,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
+ 		if (unlikely(rb->frames_per_block == 0))
+ 			goto out;
++		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++			goto out;
+ 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ 					req->tp_frame_nr))
+ 			goto out;
+-- 
+2.9.3
+
+From bcc5364bdcfe131e6379363f089e7b4108d35b70 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: [PATCH] net/packet: fix overflow in check for tp_reserve
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 3ac286e..8489bef 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ 			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
++		if (val > INT_MAX)
++			return -EINVAL;
+ 		po->tp_reserve = val;
+ 		return 0;
+ 	}
+-- 
+2.9.3
+
diff --git a/CVE-2017-7618.patch b/CVE-2017-7618.patch
new file mode 100644
index 000000000..4e06b1d9a
--- /dev/null
+++ b/CVE-2017-7618.patch
@@ -0,0 +1,254 @@
+From:       Herbert Xu <herbert@gondor.apana.org.au>
+Date:       2017-04-10 9:27:57
+Subject:    [PATCH v2] crypto: ahash - Fix EINPROGRESS notification callback
+
+On Mon, Apr 10, 2017 at 11:21:27AM +0200, Sabrina Dubroca wrote:
+>
+> > Cc: <vger@stable.kernel.org>
+> 
+> Should that be stable@vger.kernel.org?
+
+Oops :)
+
+> > Reported-by: Sabrina Dubroca <sdubroca@redhat.com>
+> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+> 
+> The definition of ahash_request_flags() was missing, so I added:
+> 
+>     static inline u32 ahash_request_flags(struct ahash_request *req)
+>     {
+>            return req->base.flags;
+>     }
+> 
+> And with this, my tests seem fine.
+> 
+> Tested-by: Sabrina Dubroca <sd@queasysnail.net>
+> Could also you change the 'Reported-by:' to that email address?
+
+OK, here is v2.
+
+---8<---
+The ahash API modifies the request's callback function in order
+to clean up after itself in some corner cases (unaligned final
+and missing finup).
+
+When the request is complete ahash will restore the original
+callback and everything is fine.  However, when the request gets
+an EBUSY on a full queue, an EINPROGRESS callback is made while
+the request is still ongoing.
+
+In this case the ahash API will incorrectly call its own callback.
+
+This patch fixes the problem by creating a temporary request
+object on the stack which is used to relay EINPROGRESS back to
+the original completion function.
+
+This patch also adds code to preserve the original flags value.
+
+Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Sabrina Dubroca <sd@queasysnail.net>
+Tested-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index e58c497..1810feb 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -32,6 +32,7 @@ struct ahash_request_priv {
+ 	crypto_completion_t complete;
+ 	void *data;
+ 	u8 *result;
++	u32 flags;
+ 	void *ubuf[] CRYPTO_MINALIGN_ATTR;
+ };
+ 
+@@ -253,6 +254,8 @@ static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
+ 	priv->result = req->result;
+ 	priv->complete = req->base.complete;
+ 	priv->data = req->base.data;
++	priv->flags = req->base.flags;
++
+ 	/*
+ 	 * WARNING: We do not backup req->priv here! The req->priv
+ 	 *          is for internal use of the Crypto API and the
+@@ -267,38 +270,44 @@ static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
+ 	return 0;
+ }
+ 
+-static void ahash_restore_req(struct ahash_request *req)
++static void ahash_restore_req(struct ahash_request *req, int err)
+ {
+ 	struct ahash_request_priv *priv = req->priv;
+ 
++	if (!err)
++		memcpy(priv->result, req->result,
++		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
++
+ 	/* Restore the original crypto request. */
+ 	req->result = priv->result;
+-	req->base.complete = priv->complete;
+-	req->base.data = priv->data;
++
++	ahash_request_set_callback(req, priv->flags,
++				   priv->complete, priv->data);
+ 	req->priv = NULL;
+ 
+ 	/* Free the req->priv.priv from the ADJUSTED request. */
+ 	kzfree(priv);
+ }
+ 
+-static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
++static void ahash_notify_einprogress(struct ahash_request *req)
+ {
+ 	struct ahash_request_priv *priv = req->priv;
++	struct crypto_async_request oreq;
+ 
+-	if (err == -EINPROGRESS)
+-		return;
++	oreq.data = priv->data;
+ 
+-	if (!err)
+-		memcpy(priv->result, req->result,
+-		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
+-
+-	ahash_restore_req(req);
++	priv->complete(&oreq, -EINPROGRESS);
+ }
+ 
+ static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
+ {
+ 	struct ahash_request *areq = req->data;
+ 
++	if (err == -EINPROGRESS) {
++		ahash_notify_einprogress(areq);
++		return;
++	}
++
+ 	/*
+ 	 * Restore the original request, see ahash_op_unaligned() for what
+ 	 * goes where.
+@@ -309,7 +318,7 @@ static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
+ 	 */
+ 
+ 	/* First copy req->result into req->priv.result */
+-	ahash_op_unaligned_finish(areq, err);
++	ahash_restore_req(areq, err);
+ 
+ 	/* Complete the ORIGINAL request. */
+ 	areq->base.complete(&areq->base, err);
+@@ -325,7 +334,12 @@ static int ahash_op_unaligned(struct ahash_request *req,
+ 		return err;
+ 
+ 	err = op(req);
+-	ahash_op_unaligned_finish(req, err);
++	if (err == -EINPROGRESS ||
++	    (err == -EBUSY && (ahash_request_flags(req) &
++			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
++ 		return err;
++
++	ahash_restore_req(req, err);
+ 
+ 	return err;
+ }
+@@ -360,25 +374,14 @@ int crypto_ahash_digest(struct ahash_request *req)
+ }
+ EXPORT_SYMBOL_GPL(crypto_ahash_digest);
+ 
+-static void ahash_def_finup_finish2(struct ahash_request *req, int err)
++static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
+ {
+-	struct ahash_request_priv *priv = req->priv;
++	struct ahash_request *areq = req->data;
+ 
+ 	if (err == -EINPROGRESS)
+ 		return;
+ 
+-	if (!err)
+-		memcpy(priv->result, req->result,
+-		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
+-
+-	ahash_restore_req(req);
+-}
+-
+-static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
+-{
+-	struct ahash_request *areq = req->data;
+-
+-	ahash_def_finup_finish2(areq, err);
++	ahash_restore_req(areq, err);
+ 
+ 	areq->base.complete(&areq->base, err);
+ }
+@@ -389,11 +392,15 @@ static int ahash_def_finup_finish1(struct ahash_request *req, int err)
+ 		goto out;
+ 
+ 	req->base.complete = ahash_def_finup_done2;
+-	req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
++
+ 	err = crypto_ahash_reqtfm(req)->final(req);
++	if (err == -EINPROGRESS ||
++	    (err == -EBUSY && (ahash_request_flags(req) &
++			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
++		return err;
+ 
+ out:
+-	ahash_def_finup_finish2(req, err);
++	ahash_restore_req(req, err);
+ 	return err;
+ }
+ 
+@@ -401,7 +408,16 @@ static void ahash_def_finup_done1(struct crypto_async_request *req, int err)
+ {
+ 	struct ahash_request *areq = req->data;
+ 
++	if (err == -EINPROGRESS) {
++		ahash_notify_einprogress(areq);
++		return;
++	}
++
++	areq->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
++
+ 	err = ahash_def_finup_finish1(areq, err);
++	if (areq->priv)
++		return;
+ 
+ 	areq->base.complete(&areq->base, err);
+ }
+@@ -416,6 +432,11 @@ static int ahash_def_finup(struct ahash_request *req)
+ 		return err;
+ 
+ 	err = tfm->update(req);
++	if (err == -EINPROGRESS ||
++	    (err == -EBUSY && (ahash_request_flags(req) &
++			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
++ 		return err;
++
+ 	return ahash_def_finup_finish1(req, err);
+ }
+ 
+diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
+index 1d4f365..f6d9af3e 100644
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -166,6 +166,16 @@ static inline struct ahash_instance *ahash_alloc_instance(
+ 	return crypto_alloc_instance2(name, alg, ahash_instance_headroom());
+ }
+ 
++static inline void ahash_request_complete(struct ahash_request *req, int err)
++{
++	req->base.complete(&req->base, err);
++}
++
++static inline u32 ahash_request_flags(struct ahash_request *req)
++{
++	return req->base.flags;
++}
++
+ static inline struct crypto_ahash *crypto_spawn_ahash(
+ 	struct crypto_ahash_spawn *spawn)
+ {
+-- 
+Email: Herbert Xu <herbert@gondor.apana.org.au>
+Home Page: http://gondor.apana.org.au/~herbert/
+PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
diff --git a/baseconfig/arm/CONFIG_HAMRADIO b/baseconfig/arm/CONFIG_HAMRADIO
deleted file mode 100644
index 477ae40db..000000000
--- a/baseconfig/arm/CONFIG_HAMRADIO
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_HAMRADIO is not set
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 819c50e8a..7f084c7c2 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -1707,7 +1707,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index a47228fd8..8af5c11d0 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -1690,7 +1690,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index ffadf9aea..12c8a4f20 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -1865,7 +1865,7 @@ CONFIG_GREENASIA_FF=y
 CONFIG_GS_FPGABOOT=m
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index dc6d68dcc..04c6d88f1 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -1774,7 +1774,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 1d2fa42ef..493546405 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -1758,7 +1758,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 1aa3356e9..ca72b40df 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -1849,7 +1849,7 @@ CONFIG_GREENASIA_FF=y
 CONFIG_GS_FPGABOOT=m
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel.spec b/kernel.spec
index b84794041..16160d78d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -59,7 +59,7 @@ Summary: The Linux kernel
 
 
 # Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -614,29 +614,29 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 #ongoing complaint, full discussion delayed until ksummit/plumbers
 Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
 
-# Fix build issue with armada_trace
-Patch851: Armada-trace-build-fix.patch
-
 # selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
 Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
 
-#CVE-2017-2596 rhbz 1417812 1417813
-Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
-
-#CVE-2017-7261 rhbz 1435719 1435740
-Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
-
 #CVE-2017-7277 rhbz 1436629 1436661
 Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
 
-# rhbz 1438316
-Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
-
 # CVE-2017-2671 rhbz 1436649 1436663
 Patch860: 0001-ping-implement-proper-locking.patch
 
 Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch
 
+#rhbz 1439613
+Patch862: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
+
+#rhbz 1441310
+Patch863: rhbz_1441310.patch
+
+# CVE-2017-7618 rhbz 1441095 1441093
+Patch865: CVE-2017-7618.patch
+
+# CVE-2017-7308 rhbz 1437404 1437406
+Patch866: CVE-2017-7308.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2209,6 +2209,25 @@ fi
 #
 # 
 %changelog
+* Wed Apr 12 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.10-100
+- Linux v4.10.10
+- CVE-2017-7616 (rhbz 1441088 1441093)
+
+* Tue Apr 11 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-7618 (rhbz 1441095 1441093)
+- Fix CVE-2017-7308 (rhbz 1437404 1437406)
+- Turn on CONFIG_HAMRADIO for arm (rhbz 1425990)
+
+* Tue Apr 11 2017 Laura Abbott <labbott@fedoraproject.org>
+- Fix for openshift networking (rhbz 1441310)
+
+* Mon Apr 10 2017 Laura Abbott <labbott@fedoraproject.org>
+- Re-add fix for cxusb DMA on stack (rhbz 1439613)
+
+* Mon Apr 10 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.9-100
+- Linux v4.10.9
+- CVE-2017-7187 (rhbz 1434327 1439045)
+
 * Wed Apr 05 2017 Justin M. Forbes <jforbes@fedoraproject.org>
 - Don't print MCEs when mcelog is running (rhbz 1438316)
 - CVE-2017-2671 Fix ping locking (rhbz 1436649 1436663)
diff --git a/kvm-fix-page-struct-leak-in-handle_vmon.patch b/kvm-fix-page-struct-leak-in-handle_vmon.patch
deleted file mode 100644
index b29bcea03..000000000
--- a/kvm-fix-page-struct-leak-in-handle_vmon.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From patchwork Tue Jan 24 10:56:21 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: kvm: fix page struct leak in handle_vmon
-From: Paolo Bonzini <pbonzini@redhat.com>
-X-Patchwork-Id: 9534885
-Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com>
-To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
-Cc: dvyukov@google.com
-Date: Tue, 24 Jan 2017 11:56:21 +0100
-
-handle_vmon gets a reference on VMXON region page,
-but does not release it. Release the reference.
-
-Found by syzkaller; based on a patch by Dmitry.
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 42cc3d6f4d20..0f7345035210 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
- 		}
- 
- 		page = nested_get_page(vcpu, vmptr);
--		if (page == NULL ||
--		    *(u32 *)kmap(page) != VMCS12_REVISION) {
-+		if (page == NULL) {
- 			nested_vmx_failInvalid(vcpu);
-+			return kvm_skip_emulated_instruction(vcpu);
-+		}
-+		if (*(u32 *)kmap(page) != VMCS12_REVISION) {
- 			kunmap(page);
-+			nested_release_page_clean(page);
-+			nested_vmx_failInvalid(vcpu);
- 			return kvm_skip_emulated_instruction(vcpu);
- 		}
- 		kunmap(page);
-+		nested_release_page_clean(page);
- 		vmx->nested.vmxon_ptr = vmptr;
- 		break;
- 	case EXIT_REASON_VMCLEAR:
diff --git a/rhbz_1441310.patch b/rhbz_1441310.patch
new file mode 100644
index 000000000..63a404ec6
--- /dev/null
+++ b/rhbz_1441310.patch
@@ -0,0 +1,37 @@
+From 425df17ce3a26d98f76e2b6b0af2acf4aeb0b026 Mon Sep 17 00:00:00 2001
+From: Jarno Rajahalme <jarno@ovn.org>
+Date: Tue, 14 Feb 2017 21:16:28 -0800
+Subject: openvswitch: Set internal device max mtu to ETH_MAX_MTU.
+
+Commit 91572088e3fd ("net: use core MTU range checking in core net
+infra") changed the openvswitch internal device to use the core net
+infra for controlling the MTU range, but failed to actually set the
+max_mtu as described in the commit message, which now defaults to
+ETH_DATA_LEN.
+
+This patch fixes this by setting max_mtu to ETH_MAX_MTU after
+ether_setup() call.
+
+Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra")
+Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/openvswitch/vport-internal_dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
+index 09141a1..89193a6 100644
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -149,6 +149,8 @@ static void do_setup(struct net_device *netdev)
+ {
+ 	ether_setup(netdev);
+ 
++	netdev->max_mtu = ETH_MAX_MTU;
++
+ 	netdev->netdev_ops = &internal_dev_netdev_ops;
+ 
+ 	netdev->priv_flags &= ~IFF_TX_SKB_SHARING;
+-- 
+cgit v1.1
+
diff --git a/sources b/sources
index 43a3e833f..3e1d074ac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
 SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.8.xz) = 9760254a63fea330e33b514dda457a3bf33da6f8e06c281fc3fb36ba4c022df8200d2a04d49f4acc9ce0c9f86cbfda7edc724431ed378be3288eb299510add2e
+SHA512 (patch-4.10.10.xz) = 264d156d7a3b1f3b3a80a7a9dc9a358b5cd582d8d894c482f3c9eb5af4eca64439720d5b9b141ae57f7845dfab59563497faae8e6fb666aeec86aab6b8df904a
diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
deleted file mode 100644
index 1ede96c60..000000000
--- a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From:       Vladis Dronov <vdronov@redhat.com>
-Subject:    [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
-Date:       2017-03-24 15:37:10
-
-In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
-user-controlled value which is not checked for zero. It is used in
-a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
-is dereferenced which leads to a GPF and possibly to a kernel panic.
-Add the check for zero to avoid this.
-
-Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
-Signed-off-by: Vladis Dronov <vdronov@redhat.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index b445ce9..42840cc 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- 	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- 		num_sizes += req->mip_levels[i];
- 
--	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
--	    DRM_VMW_MAX_MIP_LEVELS)
-+	if (num_sizes <= 0 ||
-+	    num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
- 		return -EINVAL;
- 
- 	size = vmw_user_surface_size + 128 +
--- 
-2.9.3