From 0dc5484cfa7e58065c9577c4baf02a9ff5fc037b Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Mon, 15 May 2017 07:13:29 -0500
Subject: Linux v4.10.16
---
 0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch | 38 ++++++++++++++++++++++
 kernel.spec | 12 ++++---
 rhbz_1441310.patch | 37 ---------------------
 sources | 2 +-
 4 files changed, 47 insertions(+), 42 deletions(-)
 create mode 100644 0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch
 delete mode 100644 rhbz_1441310.patch
diff --git a/0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch b/0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch
new file mode 100644
index 000000000..ca809297a
--- /dev/null
+++ b/0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch
@@ -0,0 +1,38 @@
+From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 2 May 2017 13:58:53 +0300
+Subject: [PATCH] ipx: call ipxitf_put() in ioctl error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We should call ipxitf_put() if the copy_to_user() fails.
+
+Reported-by: 李强
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+---
+ net/ipx/af_ipx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
+index 8a9219f..fa31ef2 100644
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
+ sipx->sipx_network = ipxif->if_netnum;
+ memcpy(sipx->sipx_node, ipxif->if_node,
+ sizeof(sipx->sipx_node));
+- rc = -EFAULT;
++ rc = 0;
+ if (copy_to_user(arg, &ifr, sizeof(ifr)))
+- break;
++ rc = -EFAULT;
+ ipxitf_put(ipxif);
+- rc = 0;
+ break;
+ }
+ case SIOCAIPXITFCRT:
+--
+2.9.3
+
diff --git a/kernel.spec b/kernel.spec
index 022d343c4..03bed2d2e 100644
--- a/kernel.spec
+++ b/kernel.spec
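Review bot: In the af_ipx.c hunk carried by 0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch, the result is still set in two steps (`rc = 0;` followed by the conditional `rc = -EFAULT;`) ahead of `ipxitf_put(ipxif);`, and nothing at the call site says the put must run on every exit. Writing it as `rc = copy_to_user(arg, &ifr, sizeof(ifr)) ? -EFAULT : 0;` with a short comment such as `/* drop the interface reference on success and on -EFAULT alike */` above the put would make it harder for a later edit to reintroduce an early `break` that leaks the reference. The lookup that takes the reference and the other ioctl cases are outside the hunk, so whether any other exit skips the put cannot be confirmed from this patch.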
@@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 15 +%define stable_update 16 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -601,12 +601,12 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch -#rhbz 1441310 -Patch863: rhbz_1441310.patch - #rhbz 1436686 Patch864: dell-laptop-Adds-support-for-keyboard-backlight-timeout-AC-settings.patch +#CVE-2017-7487 rhbz 1447734 1450417 +Patch865: 0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch + # END OF PATCH DEFINITIONS %endif @@ -2176,6 +2176,10 @@ fi # # %changelog +* Mon May 15 2017 Justin M. Forbes - 4.10.16-200 +- Linux v4.10.16 +- Fix CVE-2017-7487 (rhbz 1447734 1450417) + * Mon May 08 2017 Justin M. Forbes - 4.10.15-200 - Linux v4.10.15 diff --git a/rhbz_1441310.patch b/rhbz_1441310.patch deleted file mode 100644 index 63a404ec6..000000000 --- a/rhbz_1441310.patch +++ /dev/null 
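Review bot: The patch-definitions hunk drops `Patch863: rhbz_1441310.patch`, but neither the new `%changelog` entry nor the commit subject says why. Presumably the openvswitch max_mtu fix is now part of the 4.10.16 stable update, though nothing on the page confirms it; once verified, a changelog line such as `- Drop rhbz_1441310.patch, now in the stable update` would let anyone auditing which fixes the package carries see that it was superseded rather than lost.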
@@ -1,37 +0,0 @@
-From 425df17ce3a26d98f76e2b6b0af2acf4aeb0b026 Mon Sep 17 00:00:00 2001
-From: Jarno Rajahalme
-Date: Tue, 14 Feb 2017 21:16:28 -0800
-Subject: openvswitch: Set internal device max mtu to ETH_MAX_MTU.
-
-Commit 91572088e3fd ("net: use core MTU range checking in core net
-infra") changed the openvswitch internal device to use the core net
-infra for controlling the MTU range, but failed to actually set the
-max_mtu as described in the commit message, which now defaults to
-ETH_DATA_LEN.
-
-This patch fixes this by setting max_mtu to ETH_MAX_MTU after
-ether_setup() call.
-
-Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra")
-Signed-off-by: Jarno Rajahalme
-Signed-off-by: David S. Miller
----
- net/openvswitch/vport-internal_dev.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
-index 09141a1..89193a6 100644
---- a/net/openvswitch/vport-internal_dev.c
-+++ b/net/openvswitch/vport-internal_dev.c
-@@ -149,6 +149,8 @@ static void do_setup(struct net_device *netdev)
- {
- ether_setup(netdev);
-
-+ netdev->max_mtu = ETH_MAX_MTU;
-+
- netdev->netdev_ops = &internal_dev_netdev_ops;
-
- netdev->priv_flags &= ~IFF_TX_SKB_SHARING;
---
-cgit v1.1
-
diff --git a/sources b/sources
index d67839a22..296b822c5 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
 SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.15.xz) = 4e9a399bdeeacb36429465b98accd06723d79c99400f57449e1711e089260af4925156fc3bbb3787d21c98afde41dfa03b903a976a0e5d3dcbc1a78578b14a7e
+SHA512 (patch-4.10.16.xz) = 636a7e81490d3053be3e6a042ce6f861308669de57988611cd2f6a7541491a3f0cf0ababa27a229e39105f3a60c2044f64ef61bab6d8ebcd68bb1275a7eed83c
--
cgit