authorAlexandre Oliva <lxoliva@fsfla.org>2017-12-15 12:45:11 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2017-12-15 12:45:11 +0000
commit68bb059991f1641637886617c9fc67c647e1fcbb (patch)
treec9710c147208ad036d25bc64a3b366b48f22d3ff
parentb2f96b0017f919f1182a6b7ab80a0f4c8a380e42 (diff)
downloadlinux-libre-raptor-68bb059991f1641637886617c9fc67c647e1fcbb.tar.gz
linux-libre-raptor-68bb059991f1641637886617c9fc67c647e1fcbb.zip
4.14.6-300.fc27.gnu
-rw-r--r--freed-ora/current/f27/HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch54
-rw-r--r--freed-ora/current/f27/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch50
-rw-r--r--freed-ora/current/f27/USB-core-prevent-malicious-bNumInterfaces-overflow.patch48
-rw-r--r--freed-ora/current/f27/baseconfig/CONFIG_SND_HDA_POWER_SAVE_DEFAULT2
-rw-r--r--freed-ora/current/f27/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch43
-rw-r--r--freed-ora/current/f27/kernel-aarch64-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-aarch64.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl-lpae-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl-lpae.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl.config2
-rw-r--r--freed-ora/current/f27/kernel-i686-PAE.config2
-rw-r--r--freed-ora/current/f27/kernel-i686-PAEdebug.config2
-rw-r--r--freed-ora/current/f27/kernel-i686-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-i686.config2
-rw-r--r--freed-ora/current/f27/kernel-ppc64-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-ppc64.config2
-rw-r--r--freed-ora/current/f27/kernel-ppc64le-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-ppc64le.config2
-rw-r--r--freed-ora/current/f27/kernel-s390x-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-s390x.config2
-rw-r--r--freed-ora/current/f27/kernel-x86_64-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-x86_64.config2
-rw-r--r--freed-ora/current/f27/kernel.spec47
-rw-r--r--freed-ora/current/f27/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch78
-rw-r--r--freed-ora/current/f27/netfilter-xt_osf-Add-missing-permission-checks.patch59
-rw-r--r--freed-ora/current/f27/netlink-Add-netns-check-on-taps.patch42
-rw-r--r--freed-ora/current/f27/patch-4.14-gnu-4.14.5-gnu.xz.sign6
-rw-r--r--freed-ora/current/f27/patch-4.14-gnu-4.14.6-gnu.xz.sign6
-rw-r--r--freed-ora/current/f27/sources2
30 files changed, 444 insertions, 29 deletions
diff --git a/freed-ora/current/f27/HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch b/freed-ora/current/f27/HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
new file mode 100644
index 000000000..d6a8e6a52
--- /dev/null
+++ b/freed-ora/current/f27/HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
@@ -0,0 +1,54 @@
+From ef14a4bf0910d06c7e202552914028d4956809cb Mon Sep 17 00:00:00 2001
+From: Andrew Duggan <aduggan@synaptics.com>
+Date: Tue, 17 Oct 2017 18:37:36 -0700
+Subject: [PATCH] HID: rmi: Check that a device is a RMI device before calling
+ RMI functions
+
+The hid-rmi driver may handle non rmi devices on composite USB devices.
+Callbacks need to make sure that the current device is a RMI device before
+calling RMI specific functions. Most callbacks already have this check, but
+this patch adds checks to the remaining callbacks.
+
+Reported-by: Hendrik Langer <hendrik.langer@gmx.de>
+Tested-by: Hendrik Langer <hendrik.langer@gmx.de>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-rmi.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
+index ef241d66562e..0f43c4292685 100644
+--- a/drivers/hid/hid-rmi.c
++++ b/drivers/hid/hid-rmi.c
+@@ -368,6 +368,11 @@ static int rmi_check_sanity(struct hid_device *hdev, u8 *data, int size)
+ static int rmi_raw_event(struct hid_device *hdev,
+ struct hid_report *report, u8 *data, int size)
+ {
++ struct rmi_data *hdata = hid_get_drvdata(hdev);
++
++ if (!(hdata->device_flags & RMI_DEVICE))
++ return 0;
++
+ size = rmi_check_sanity(hdev, data, size);
+ if (size < 2)
+ return 0;
+@@ -713,9 +718,11 @@ static void rmi_remove(struct hid_device *hdev)
+ {
+ struct rmi_data *hdata = hid_get_drvdata(hdev);
+
+- clear_bit(RMI_STARTED, &hdata->flags);
+- cancel_work_sync(&hdata->reset_work);
+- rmi_unregister_transport_device(&hdata->xport);
++ if (hdata->device_flags & RMI_DEVICE) {
++ clear_bit(RMI_STARTED, &hdata->flags);
++ cancel_work_sync(&hdata->reset_work);
++ rmi_unregister_transport_device(&hdata->xport);
++ }
+
+ hid_hw_stop(hdev);
+ }
+--
+2.14.3
+
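Review bot: The new early return in `rmi_raw_event` and the new `if` in `rmi_remove` have no comment saying why a non-RMI device can reach these callbacks, so the guards look arbitrary to a later reader. I would add above the check in `rmi_raw_event`: `/* hid-rmi also binds non-RMI interfaces of composite USB devices; leave their reports to the HID core */`. Both guards also assume `hid_get_drvdata()` never returns NULL here; that presumably holds because probe sets the driver data before these callbacks can run, but probe is outside the hunks, so it is worth confirming. The body of `rmi_raw_event` continues past the hunk.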
diff --git a/freed-ora/current/f27/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch b/freed-ora/current/f27/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
new file mode 100644
index 000000000..0685f06aa
--- /dev/null
+++ b/freed-ora/current/f27/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
@@ -0,0 +1,50 @@
+From patchwork Tue Dec 12 19:28:38 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: Revert "exec: avoid RLIMIT_STACK races with prlimit()"
+From: Kees Cook <keescook@chromium.org>
+X-Patchwork-Id: 10108209
+Message-Id: <20171212192838.GA14592@beast>
+To: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Laura Abbott <labbott@redhat.com>,
+ =?utf-8?B?VG9tw6HFoQ==?= Trnka <trnka@scm.com>,
+ linux-kernel@vger.kernel.org
+Date: Tue, 12 Dec 2017 11:28:38 -0800
+
+This reverts commit 04e35f4495dd560db30c25efca4eecae8ec8c375.
+
+SELinux runs with secureexec for all non-"noatsecure" domain transitions,
+which means lots of processes end up hitting the stack hard-limit change
+that was introduced in order to fix a race with prlimit(). That race fix
+will need to be redesigned.
+
+Reported-by: Laura Abbott <labbott@redhat.com>
+Reported-by: Tomáš Trnka <trnka@scm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+---
+ fs/exec.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 6be2aa0ab26f..1d6243d9f2b6 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1340,15 +1340,10 @@ void setup_new_exec(struct linux_binprm * bprm)
+ * avoid bad behavior from the prior rlimits. This has to
+ * happen before arch_pick_mmap_layout(), which examines
+ * RLIMIT_STACK, but after the point of no return to avoid
+- * races from other threads changing the limits. This also
+- * must be protected from races with prlimit() calls.
++ * needing to clean up the change on failure.
+ */
+- task_lock(current->group_leader);
+ if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
+ current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
+- if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM)
+- current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM;
+- task_unlock(current->group_leader);
+ }
+
+ arch_pick_mmap_layout(current->mm);
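Review bot: With `task_lock(current->group_leader)` removed, the check-then-clamp of `rlim[RLIMIT_STACK].rlim_cur` in `setup_new_exec` is again unsynchronised against a concurrent `prlimit()` from another task, and the rewritten comment no longer mentions that. Since the description says the race fix still needs redesigning, the comment should record the open issue, for example `* FIXME: still racy against prlimit(); see reverted 04e35f4495dd.`. The revert also drops the `rlim_max` clamp, so the hard limit is carried across this exec unchanged; that looks like the intended return to the earlier behaviour, but it deserves a line in the package changelog. The function starts and ends outside the hunk.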
diff --git a/freed-ora/current/f27/USB-core-prevent-malicious-bNumInterfaces-overflow.patch b/freed-ora/current/f27/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
new file mode 100644
index 000000000..d09b25360
--- /dev/null
+++ b/freed-ora/current/f27/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
@@ -0,0 +1,48 @@
+From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
+
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor. Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+
+This patch prevents the problem by setting bNumInterfaces to 0
+initially. The existing code already sets it to the proper value
+after parsing is complete.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/config.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 55b198ba629b..78e92d29f8d9 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ unsigned iad_num = 0;
+
+ memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
++ nintf = nintf_orig = config->desc.bNumInterfaces;
++ config->desc.bNumInterfaces = 0; // Adjusted later
++
+ if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+ config->desc.bLength < USB_DT_CONFIG_SIZE ||
+ config->desc.bLength > size) {
+@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ buffer += config->desc.bLength;
+ size -= config->desc.bLength;
+
+- nintf = nintf_orig = config->desc.bNumInterfaces;
+ if (nintf > USB_MAXINTERFACES) {
+ dev_warn(ddev, "config %d has too many interfaces: %d, "
+ "using maximum allowed: %d\n",
+--
+2.14.3
+
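Review bot: The added line `config->desc.bNumInterfaces = 0; // Adjusted later` uses a `//` comment where kernel code conventionally uses block comments, and "later" does not say where or why. I would write `config->desc.bNumInterfaces = 0; /* error returns must not expose the device-supplied count; set to the validated value after parsing */`. That ties the zeroing to the early error paths, which is the reason the assignment moved above the descriptor checks. `usb_parse_configuration` begins and ends outside the two hunks.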
diff --git a/freed-ora/current/f27/baseconfig/CONFIG_SND_HDA_POWER_SAVE_DEFAULT b/freed-ora/current/f27/baseconfig/CONFIG_SND_HDA_POWER_SAVE_DEFAULT
index ba018972d..ce02ec981 100644
--- a/freed-ora/current/f27/baseconfig/CONFIG_SND_HDA_POWER_SAVE_DEFAULT
+++ b/freed-ora/current/f27/baseconfig/CONFIG_SND_HDA_POWER_SAVE_DEFAULT
@@ -1 +1 @@
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
diff --git a/freed-ora/current/f27/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/freed-ora/current/f27/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
new file mode 100644
index 000000000..192e4358f
--- /dev/null
+++ b/freed-ora/current/f27/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
@@ -0,0 +1,43 @@
+From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001
+Message-Id: <69c64866ce072dea1d1e59a0d61e0f66c0dffb76.1513103764.git.jeremy@jcline.org>
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index b68168fcc06a..9d43c1f40274 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.14.3
+
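Review bot: After this change `dp->dccps_hc_rx_ccid` and `dp->dccps_hc_tx_ccid` are NULL on any socket that has been through `dccp_disconnect()`, so every other path that can still run on such a socket has to tolerate NULL CCID pointers; nothing in the two hunks shows that those callers were audited. I would confirm that the send and receive paths check the socket state or the pointer before using the CCIDs, and add a comment above the new lines such as `/* free the CCIDs and clear the pointers so a reused socket cannot touch freed state */`. The description says the free applies "whenever the sock object is in DCCP_CLOSED state", but the added calls look unconditional in the visible context, which is worth reconciling in the commit text. The function body extends beyond both hunks.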
diff --git a/freed-ora/current/f27/kernel-aarch64-debug.config b/freed-ora/current/f27/kernel-aarch64-debug.config
index 5e7284a19..b60559133 100644
--- a/freed-ora/current/f27/kernel-aarch64-debug.config
+++ b/freed-ora/current/f27/kernel-aarch64-debug.config
@@ -5153,7 +5153,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-aarch64.config b/freed-ora/current/f27/kernel-aarch64.config
index 969fcfc94..74f41c894 100644
--- a/freed-ora/current/f27/kernel-aarch64.config
+++ b/freed-ora/current/f27/kernel-aarch64.config
@@ -5131,7 +5131,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-armv7hl-debug.config b/freed-ora/current/f27/kernel-armv7hl-debug.config
index 01a5ce238..e66500ba5 100644
--- a/freed-ora/current/f27/kernel-armv7hl-debug.config
+++ b/freed-ora/current/f27/kernel-armv7hl-debug.config
@@ -5541,7 +5541,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config b/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config
index a0ab45cf2..eacfaf85e 100644
--- a/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config
+++ b/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config
@@ -5212,7 +5212,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-armv7hl-lpae.config b/freed-ora/current/f27/kernel-armv7hl-lpae.config
index ccf757148..d72d0eeee 100644
--- a/freed-ora/current/f27/kernel-armv7hl-lpae.config
+++ b/freed-ora/current/f27/kernel-armv7hl-lpae.config
@@ -5190,7 +5190,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-armv7hl.config b/freed-ora/current/f27/kernel-armv7hl.config
index 4d48a7cc8..8663e7b1d 100644
--- a/freed-ora/current/f27/kernel-armv7hl.config
+++ b/freed-ora/current/f27/kernel-armv7hl.config
@@ -5519,7 +5519,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-i686-PAE.config b/freed-ora/current/f27/kernel-i686-PAE.config
index cf7b95d93..f3522c8d9 100644
--- a/freed-ora/current/f27/kernel-i686-PAE.config
+++ b/freed-ora/current/f27/kernel-i686-PAE.config
@@ -4870,7 +4870,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-i686-PAEdebug.config b/freed-ora/current/f27/kernel-i686-PAEdebug.config
index 9457710bf..8da31b9e9 100644
--- a/freed-ora/current/f27/kernel-i686-PAEdebug.config
+++ b/freed-ora/current/f27/kernel-i686-PAEdebug.config
@@ -4891,7 +4891,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-i686-debug.config b/freed-ora/current/f27/kernel-i686-debug.config
index 656ba37f4..bd3e838f4 100644
--- a/freed-ora/current/f27/kernel-i686-debug.config
+++ b/freed-ora/current/f27/kernel-i686-debug.config
@@ -4891,7 +4891,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-i686.config b/freed-ora/current/f27/kernel-i686.config
index 75778643b..49ab1d907 100644
--- a/freed-ora/current/f27/kernel-i686.config
+++ b/freed-ora/current/f27/kernel-i686.config
@@ -4870,7 +4870,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-ppc64-debug.config b/freed-ora/current/f27/kernel-ppc64-debug.config
index 61d99a218..cddc87863 100644
--- a/freed-ora/current/f27/kernel-ppc64-debug.config
+++ b/freed-ora/current/f27/kernel-ppc64-debug.config
@@ -4703,7 +4703,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
# CONFIG_SND_HDA_INTEL is not set
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-ppc64.config b/freed-ora/current/f27/kernel-ppc64.config
index 64a382677..929b60b82 100644
--- a/freed-ora/current/f27/kernel-ppc64.config
+++ b/freed-ora/current/f27/kernel-ppc64.config
@@ -4680,7 +4680,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
# CONFIG_SND_HDA_INTEL is not set
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-ppc64le-debug.config b/freed-ora/current/f27/kernel-ppc64le-debug.config
index a6bf2a467..e97da7456 100644
--- a/freed-ora/current/f27/kernel-ppc64le-debug.config
+++ b/freed-ora/current/f27/kernel-ppc64le-debug.config
@@ -4633,7 +4633,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
# CONFIG_SND_HDA_INTEL is not set
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-ppc64le.config b/freed-ora/current/f27/kernel-ppc64le.config
index 9ce1c5ce1..016a60d96 100644
--- a/freed-ora/current/f27/kernel-ppc64le.config
+++ b/freed-ora/current/f27/kernel-ppc64le.config
@@ -4610,7 +4610,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
# CONFIG_SND_HDA_INTEL is not set
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-s390x-debug.config b/freed-ora/current/f27/kernel-s390x-debug.config
index eeba8adcc..4e76ee793 100644
--- a/freed-ora/current/f27/kernel-s390x-debug.config
+++ b/freed-ora/current/f27/kernel-s390x-debug.config
@@ -4533,7 +4533,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-s390x.config b/freed-ora/current/f27/kernel-s390x.config
index 4ac61488a..76cb3ff52 100644
--- a/freed-ora/current/f27/kernel-s390x.config
+++ b/freed-ora/current/f27/kernel-s390x.config
@@ -4510,7 +4510,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-x86_64-debug.config b/freed-ora/current/f27/kernel-x86_64-debug.config
index d682f2d63..337a6a026 100644
--- a/freed-ora/current/f27/kernel-x86_64-debug.config
+++ b/freed-ora/current/f27/kernel-x86_64-debug.config
@@ -4939,7 +4939,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel-x86_64.config b/freed-ora/current/f27/kernel-x86_64.config
index d60b254f5..6565475bc 100644
--- a/freed-ora/current/f27/kernel-x86_64.config
+++ b/freed-ora/current/f27/kernel-x86_64.config
@@ -4918,7 +4918,7 @@ CONFIG_SND_HDA_INPUT_BEEP_MODE=0
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_INTEL=m
CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_POWER_SAVE=y
CONFIG_SND_HDA_PREALLOC_SIZE=4096
CONFIG_SND_HDA_RECONFIG=y
diff --git a/freed-ora/current/f27/kernel.spec b/freed-ora/current/f27/kernel.spec
index 70f1283ce..d34d81710 100644
--- a/freed-ora/current/f27/kernel.spec
+++ b/freed-ora/current/f27/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -671,8 +671,27 @@ Patch399: arm64-thunderX-fix-ipv6-checksum-offload.patch
# 500 - Temp fixes/CVEs etc
-# rhbz 1498016 1498017
-#Patch503: KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch
+# rbhz 1519591 1520764
+Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+
+# rhbz 1525474 1525476
+Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch
+
+# https://patchwork.kernel.org/patch/10108209/
+# https://marc.info/?l=linux-kernel&m=151307686618795
+Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
+
+# CVE-2017-17449
+# rhbz 1525762 1525763
+Patch503: netlink-Add-netns-check-on-taps.patch
+
+# CVE-2017-17450
+# rhbz 1525761 1525764
+Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
+
+# CVE-2017-17448
+# rhbz 1525768 1525769
+Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
# 600 - Patches for improved Bay and Cherry Trail device support
# Below patches are submitted upstream, awaiting review / merging
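Review bot: The comment `# rbhz 1519591 1520764` above `Patch500` misspells the `rhbz` tag used on the other entries, so a search for `rhbz 1519591` will miss it; it should read `# rhbz 1519591 1520764`. `Patch500` and `Patch501` also lack the `# CVE-…` comment line that `Patch503` to `Patch505` carry, although the changelog in this same commit names CVE-2017-8824 and CVE-2017-17558 for them. Adding `# CVE-2017-8824` and `# CVE-2017-17558` above those two entries would keep the patch list searchable by CVE.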
@@ -695,6 +714,9 @@ Patch625: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
# Fixes for QXL issues
Patch627: qxl-fixes.patch
+# rhbz 1462175
+Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2318,6 +2340,25 @@ fi
#
#
%changelog
+* Thu Dec 14 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.14.6-gnu.
+
+* Thu Dec 14 2017 Jeremy Cline <jeremy@jcline.org> - 4.14.6-300
+- Linux v4.14.6
+- Security fix for CVE-2017-17449 (rhbz 1525762 1525763)
+- Security fix for CVE-2017-17450 (rhbz 1525761 1525764)
+- Security fix for CVE-2017-17448 (rhbz 1525768 1525769)
+
+* Wed Dec 13 2017 Jeremy Cline <jeremy@jcline.org>
+- Fix CVE-2017-17558 (rhbz 1525474 1525476)
+- Revert exec: avoid RLIMIT_STACK races with prlimit()
+
+* Tue Dec 12 2017 Jeremy Cline <jeremy@jcline.org>
+- Fix CVE-2017-8824 (rhbz 1519591 1520764)
+
+* Mon Dec 11 2017 Jeremy Cline <jeremy@jcline.org>
+- Re-fix USB null pointer dereference on ThinkPad X1 (rhbz 1462175)
+
* Mon Dec 11 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
- GNU Linux-libre 4.14.5-gnu.
diff --git a/freed-ora/current/f27/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch b/freed-ora/current/f27/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
new file mode 100644
index 000000000..d7d795d00
--- /dev/null
+++ b/freed-ora/current/f27/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
@@ -0,0 +1,78 @@
+From 56ae5f7c9230c0aa474eef638cf9bf8ae6a79ab1 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission
+ checks
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ $ nfct helper list
+ nfct v1.4.4: netlink error: Operation not permitted
+ $ vpnns -- nfct helper list
+ {
+ .name = ftp,
+ .queuenum = 0,
+ .l3protonum = 2,
+ .l4protonum = 6,
+ .priv_data_len = 24,
+ .status = enabled,
+ };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
+index 41628b393673..d33ce6d5ebce 100644
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
+ struct nfnl_cthelper *nlcth;
+ int ret = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ return -EINVAL;
+
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
+ struct nfnl_cthelper *nlcth;
+ bool tuple_set = false;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .dump = nfnl_cthelper_dump_table,
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
+ struct nfnl_cthelper *nlcth, *n;
+ int j = 0, ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (tb[NFCTH_NAME])
+ helper_name = nla_data(tb[NFCTH_NAME]);
+
+--
+2.14.3
+
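Review bot: The three `capable(CAP_NET_ADMIN)` checks added to `nfnl_cthelper_new`, `nfnl_cthelper_get` and `nfnl_cthelper_del` carry no comment explaining why the initial-namespace `capable()` is used rather than a namespace-aware check, which invites a later change back to the per-namespace form. A comment at the first check such as `/* nfnl_cthelper_list is shared by all netns; require CAP_NET_ADMIN in the initial user namespace */` would pin the reasoning from the commit message to the code. The same applies to the two checks added in `xt_osf_add_callback` and `xt_osf_remove_callback` in the xt_osf patch, where the shared object is `xt_osf_fingers`. All five functions continue outside their hunks.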
diff --git a/freed-ora/current/f27/netfilter-xt_osf-Add-missing-permission-checks.patch b/freed-ora/current/f27/netfilter-xt_osf-Add-missing-permission-checks.patch
new file mode 100644
index 000000000..80cd60847
--- /dev/null
+++ b/freed-ora/current/f27/netfilter-xt_osf-Add-missing-permission-checks.patch
@@ -0,0 +1,59 @@
+From 2af0d441c8b1151a5d8bb46ec9c58ab575fe7d6f Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ vpnns -- nfnl_osf -f /tmp/pf.os
+
+ vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list. Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+---
+ net/netfilter/xt_osf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
+index 36e14b1f061d..a34f314a8c23 100644
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
+ struct xt_osf_finger *kf = NULL, *sf;
+ int err = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
+ struct xt_osf_finger *sf;
+ int err = -ENOENT;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
+--
+2.14.3
+
diff --git a/freed-ora/current/f27/netlink-Add-netns-check-on-taps.patch b/freed-ora/current/f27/netlink-Add-netns-check-on-taps.patch
new file mode 100644
index 000000000..8595cf80d
--- /dev/null
+++ b/freed-ora/current/f27/netlink-Add-netns-check-on-taps.patch
@@ -0,0 +1,42 @@
+From 5af86b090e2f17b97c02d0bf9098f6edc3195935 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Wed, 6 Dec 2017 12:12:27 -0800
+Subject: [PATCH] netlink: Add netns check on taps
+
+Currently, a nlmon link inside a child namespace can observe systemwide
+netlink activity. Filter the traffic so that nlmon can only sniff
+netlink messages from its own netns.
+
+Test case:
+
+ vpnns -- bash -c "ip link add nlmon0 type nlmon; \
+ ip link set nlmon0 up; \
+ tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
+ sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
+ spi 0x1 mode transport \
+ auth sha1 0x6162633132330000000000000000000000000000 \
+ enc aes 0x00000000000000000000000000000000
+ grep --binary abc123 /tmp/nlmon.pcap
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 15c99dfa3d72..aac9d68b4636 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
+ struct sock *sk = skb->sk;
+ int ret = -ENOMEM;
+
++ if (!net_eq(dev_net(dev), sock_net(sk)))
++ return 0;
++
+ dev_hold(dev);
+
+ if (is_vmalloc_addr(skb->head))
+--
+2.14.3
+
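Review bot: The new `net_eq(dev_net(dev), sock_net(sk))` test in `__netlink_deliver_tap_skb` skips delivery to that tap with no comment, and it relies on `skb->sk` being non-NULL. I would add `/* a tap only sees netlink traffic from its own netns */` above the check. The non-NULL assumption is presumably already made by the rest of the function, which lies outside the hunk, but it is worth confirming because `sock_net(sk)` is the first use of `sk` in the visible lines.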
diff --git a/freed-ora/current/f27/patch-4.14-gnu-4.14.5-gnu.xz.sign b/freed-ora/current/f27/patch-4.14-gnu-4.14.5-gnu.xz.sign
deleted file mode 100644
index d6ca05a99..000000000
--- a/freed-ora/current/f27/patch-4.14-gnu-4.14.5-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWi2ABgAKCRC8t8+Hfn1H
-p6VjAJ9s7pMM/nIR/qw/pKrLZh9Vk9szEwCfSDnlR/IMcahRHYFysnzpBvFKDz4=
-=PF5i
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/patch-4.14-gnu-4.14.6-gnu.xz.sign b/freed-ora/current/f27/patch-4.14-gnu-4.14.6-gnu.xz.sign
new file mode 100644
index 000000000..bfb9aeb82
--- /dev/null
+++ b/freed-ora/current/f27/patch-4.14-gnu-4.14.6-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWjLLkAAKCRC8t8+Hfn1H
+p9puAKCMEyft0oBT/Znro2qBdLFXg/yDIACgiRBoUECbjRjjrrL7gFTcFkPSPFw=
+=1Cmj
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/sources b/freed-ora/current/f27/sources
index 16717c07e..c91cdfdfb 100644
--- a/freed-ora/current/f27/sources
+++ b/freed-ora/current/f27/sources
@@ -1,3 +1,3 @@
SHA512 (linux-libre-4.14-gnu.tar.xz) = 0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e684147ebed91d1528d2685423dd784c5fca0f3650f874f2b93cfc6b7689b9a87f
SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14-gnu-4.14.5-gnu.xz) = aaafecfa3f93c5162e63e872a4bb9345d86cfa1f6690ebd8031ea0b88388a92417d0c70bed7e243cf5e4ef7a58cc9e8279d88b452b75a5fd59766569c38abbdd
+SHA512 (patch-4.14-gnu-4.14.6-gnu.xz) = 8a4dfb2433faf9f0e9ca26825f3e198dd8c75d5a343e9145c0f655336333c838b1534efc4a54697d40e29cbf8c61ca2affa042bd5a35ba38df19cbb0f4ec4f44