diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 43f7538..6324de1 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1 @@
-2e7a045cc88491df4f08e0f4023c15fcbdf170d6 SOURCES/cryptsetup-1.6.6.tar.xz
+7cb02f1e23ee18cd26391fd856f7644195b4544e SOURCES/cryptsetup-1.6.7.tar.xz
diff --git a/.gitignore b/.gitignore
index 00371b9..d5122fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cryptsetup-1.6.6.tar.xz
+SOURCES/cryptsetup-1.6.7.tar.xz
diff --git a/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch b/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch
deleted file mode 100644
index a780383..0000000
--- a/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 01b2be2b72bc5509e8155982b9dae0bc5914b6c9 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Thu, 30 Oct 2014 15:21:31 +0100
-Subject: [PATCH 1/2] libcryptsetup: drop FIPS power on self test
-
-- cryptsetup library is not required to be FIPS certified anymore
-  due to fact gcrypt PBKDF2 algorithm can be used instead of
-  cryptsetup internal one.
-
-- check in library constructor is no longer needed and therefore
-  removed.
-
-- all other checks regarding MK extraction or random generator
-  restrictions remain the same
----
- lib/setup.c      |  5 -----
- lib/utils_fips.c | 23 +----------------------
- lib/utils_fips.h |  5 +----
- 3 files changed, 2 insertions(+), 31 deletions(-)
-
-diff --git a/lib/setup.c b/lib/setup.c
-index 8261445..0ca9e11 100644
---- a/lib/setup.c
-+++ b/lib/setup.c
-@@ -2690,8 +2690,3 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
- 
- 	return 0;
- }
--
--static void __attribute__((constructor)) libcryptsetup_ctor(void)
--{
--	crypt_fips_libcryptsetup_check();
--}
-diff --git a/lib/utils_fips.c b/lib/utils_fips.c
-index 9a3caae..1e284f6 100644
---- a/lib/utils_fips.c
-+++ b/lib/utils_fips.c
-@@ -1,7 +1,7 @@
- /*
-  * FIPS mode utilities
-  *
-- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
-+ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or
-  * modify it under the terms of the GNU General Public License
-@@ -18,15 +18,11 @@
-  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-  */
- 
--#include <stdlib.h>
--#include <stdio.h>
- #include <unistd.h>
--#include "nls.h"
- #include "utils_fips.h"
- 
- #if !ENABLE_FIPS
- int crypt_fips_mode(void) { return 0; }
--void crypt_fips_libcryptsetup_check(void) {}
- #else
- #include <fipscheck.h>
- 
-@@ -34,21 +30,4 @@ int crypt_fips_mode(void)
- {
- 	return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK);
- }
--
--static void crypt_fips_verify(const char *name, const char *function)
--{
--	if (access(FIPS_MODULE_FILE, F_OK))
--		return;
--
--	if (!FIPSCHECK_verify(name, function)) {
--		fputs(_("FIPS checksum verification failed.\n"), stderr);
--		if (FIPSCHECK_kernel_fips_mode())
--			_exit(EXIT_FAILURE);
--	}
--}
--
--void crypt_fips_libcryptsetup_check(void)
--{
--	crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");
--}
- #endif /* ENABLE_FIPS */
-diff --git a/lib/utils_fips.h b/lib/utils_fips.h
-index 59f2339..fc430bd 100644
---- a/lib/utils_fips.h
-+++ b/lib/utils_fips.h
-@@ -1,7 +1,7 @@
- /*
-  * FIPS mode utilities
-  *
-- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
-+ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.
-  *
-  * This program is free software; you can redistribute it and/or
-  * modify it under the terms of the GNU General Public License
-@@ -21,9 +21,6 @@
- #ifndef _UTILS_FIPS_H
- #define _UTILS_FIPS_H
- 
--struct crypt_device;
--
- int crypt_fips_mode(void);
--void crypt_fips_libcryptsetup_check(void);
- 
- #endif /* _UTILS_FIPS_H */
--- 
-1.9.3
-
diff --git a/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch b/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch
deleted file mode 100644
index 4464cce..0000000
--- a/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 3d6bcae84c5f55a82dc0056e3d7da33bee3f00b9 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Wed, 17 Sep 2014 16:38:39 +0200
-Subject: [PATCH] reencrypt: use fsync instead of O_DIRECT flag
-
-O_DIRECT operations directed towards filesystem are problematic:
-There's no sane way how to detect specific filesystem requirements
-for such operations.
-
-This patch is replacing O_DIRECT flag with O_SYNC flag for all
-open() calls related to reencrypt log. The O_SYNC flag is used
-when --use-fsync option is detected.
-
-Man page is modified accordingly.
----
- man/cryptsetup-reencrypt.8 |  6 ++++--
- src/cryptsetup_reencrypt.c | 12 ++----------
- 2 files changed, 6 insertions(+), 12 deletions(-)
-
-diff --git a/man/cryptsetup-reencrypt.8 b/man/cryptsetup-reencrypt.8
-index b3c374c..e0de656 100644
---- a/man/cryptsetup-reencrypt.8
-+++ b/man/cryptsetup-reencrypt.8
-@@ -158,13 +158,15 @@ WARNING: This is destructive operation and cannot be reverted.
- 
- .TP
- .B "\-\-use-directio"
--Use direct-io (O_DIRECT) for all read/write data operations.
-+Use direct-io (O_DIRECT) for all read/write data operations related
-+to block device undergoing reencryption.
- 
- Useful if direct-io operations perform better than normal buffered
- operations (e.g. in virtual environments).
- .TP
- .B "\-\-use-fsync"
--Use fsync call after every written block.
-+Use fsync call after every written block. This applies for reencryption
-+log files as well.
- .TP
- .B "\-\-write-log"
- Update log file after every block write. This can slow down reencryption
-diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c
-index 997c388..a1cc51d 100644
---- a/src/cryptsetup_reencrypt.c
-+++ b/src/cryptsetup_reencrypt.c
-@@ -76,7 +76,7 @@ struct reenc_ctx {
- 	char crypt_path_org[PATH_MAX];
- 	char crypt_path_new[PATH_MAX];
- 	int log_fd;
--	char *log_buf;
-+	char log_buf[SECTOR_SIZE];
- 
- 	struct {
- 		char *password;
-@@ -351,13 +351,11 @@ static void close_log(struct reenc_ctx *rc)
- 	log_dbg("Closing LUKS reencryption log file %s.", rc->log_file);
- 	if (rc->log_fd != -1)
- 		close(rc->log_fd);
--	free(rc->log_buf);
--	rc->log_buf = NULL;
- }
- 
- static int open_log(struct reenc_ctx *rc)
- {
--	int flags = opt_directio ? O_DIRECT : 0;
-+	int flags = opt_fsync ? O_SYNC : 0;
- 
- 	rc->log_fd = open(rc->log_file, O_RDWR|O_EXCL|O_CREAT|flags, S_IRUSR|S_IWUSR);
- 	if (rc->log_fd != -1) {
-@@ -371,12 +369,6 @@ static int open_log(struct reenc_ctx *rc)
- 	if (rc->log_fd == -1)
- 		return -EINVAL;
- 
--	if (posix_memalign((void *)&rc->log_buf, alignment(rc->log_fd), SECTOR_SIZE)) {
--		log_err(_("Allocation of aligned memory failed.\n"));
--		close_log(rc);
--		return -ENOMEM;
--	}
--
- 	if (!rc->in_progress && write_log(rc) < 0) {
- 		close_log(rc);
- 		return -EIO;
--- 
-1.9.3
-
diff --git a/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch b/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch
new file mode 100644
index 0000000..0cc7c5a
--- /dev/null
+++ b/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch
@@ -0,0 +1,59 @@
+--- a/lib/crypto_backend/crypto_cipher_kernel.c
++++ b/lib/crypto_backend/crypto_cipher_kernel.c
+@@ -31,6 +31,7 @@
+ #ifdef ENABLE_AF_ALG
+ 
+ #include <linux/if_alg.h>
++#include <sys/utsname.h>
+ 
+ #ifndef AF_ALG
+ #define AF_ALG 38
+@@ -113,6 +114,35 @@ int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *opfd)
+ 	return 0;
+ }
+ 
++static size_t pagesize(size_t defsize)
++{
++	long r = sysconf(_SC_PAGESIZE);
++	return r < 0 ? defsize : (size_t)r;
++}
++
++static int check_rh_kernel_version(void)
++{
++	unsigned maj, mid, min, rel;
++	static struct utsname uts = {{ 0 }};
++	size_t ps = pagesize(32768);
++
++	if (ps < 32768)
++		return 0;
++
++	if (!*uts.release && uname(&uts) < 0)
++		return -ENOTSUP;
++	/*
++	 * RH kernels 3.10.0-185 and lower are affected by a crypto API kernel
++	 * socket bug. The bug only manifests on archs with page size >= 32 KiB.
++	 *
++	 * For reference, see rhbz#1136075
++	 */
++	if (sscanf(uts.release, "%u.%u.%u-%u", &maj, &mid, &min, &rel) == 4)
++		return (maj == 3 && mid == 10 && min == 0 && rel < 186) ? -ENOTSUP : 0;
++
++	return -ENOTSUP;
++}
++
+ /*
+  *ciphers
+  *
+@@ -130,6 +160,9 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+ 	};
+ 	int r;
+ 
++	if ((r = check_rh_kernel_version()))
++		return r;
++
+ 	h = malloc(sizeof(*h));
+ 	if (!h)
+ 		return -ENOMEM;
+-- 
+2.4.3
+
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
index 4d4c135..89a0db7 100644
--- a/SPECS/cryptsetup.spec
+++ b/SPECS/cryptsetup.spec
@@ -4,8 +4,8 @@
 
 Summary: A utility for setting up encrypted disks
 Name: cryptsetup
-Version: 1.6.6
-Release: 3%{?dist}
+Version: 1.6.7
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: Applications/System
 URL: http://cryptsetup.googlecode.com/
@@ -15,18 +15,15 @@ BuildRequires: libselinux-devel, python-devel, libpwquality-devel
 %if %{python3_enable}
 BuildRequires: python3-devel
 %endif
-BuildRequires: fipscheck-devel >= 1.3.0
 Provides: cryptsetup-luks = %{version}-%{release}
 Obsoletes: cryptsetup-luks < 1.4.0
 Requires: cryptsetup-libs%{?_isa} = %{version}-%{release}
-Requires: fipscheck-lib%{?_isa} >= 1.3.0
 Requires: libpwquality >= 1.2.0
 
 %define dracutmodulesdir %{_prefix}/lib/dracut/modules.d
 %define upstream_version %{version}
 Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{upstream_version}.tar.xz
-Patch0: %{name}-1.6.7-use-fsync-isntead-of-odirect.patch
-Patch1: %{name}-1.6.7-drop-fips-post.patch
+Patch0: %{name}-avoid-rh-kernel-bug.patch
 
 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
 %define configure_cipher --enable-gcrypt-pbkdf2
@@ -57,7 +54,6 @@ Summary: Cryptsetup shared library
 Provides: cryptsetup-luks-libs = %{version}-%{release}
 Obsoletes: cryptsetup-luks-libs < 1.4.0
 Obsoletes: cryptsetup-reencrypt-libs < 1.6.5
-Requires: fipscheck-lib%{?_isa} >= 1.3.0
 # Need support for empty password in gcrypt PBKDF2
 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
 Requires: libgcrypt >= 1.5.3-3
@@ -114,7 +110,6 @@ for setting up disk encryption using dm-crypt kernel module.
 %prep
 %setup -q -n cryptsetup-%{upstream_version}
 %patch0 -p1
-%patch1 -p1
 chmod -x python/pycryptsetup-test.py
 
 %if %{python3_enable}
@@ -139,7 +134,6 @@ popd
 %install
 make install DESTDIR=%{buildroot}
 rm -rf %{buildroot}/%{_libdir}/*.la
-install -d %{buildroot}/%{_libdir}/fipscheck
 
 %if %{python3_enable}
 pushd %{py3dir}
@@ -211,6 +205,12 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd
 %clean
 
 %changelog
+* Thu Jun 18 2015 Ondrej Kozina <okozina@redhat.com> - 1.6.7-1
+- Update to cryptsetup 1.6.7.
+- patch: avoid use of kernel crypto API socket which is known
+  to be broken in RHEL7.0 kernel (7.1+ is fine).
+- Resolves: #1206170
+
 * Thu Dec 18 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.6-3
 - drop FIPS power on self test and library checksum
 - Resolves: #1158897