4.15.4-200.fc26.gnu

8 files changed, 250 insertions, 250 deletions

diff --git a/freed-ora/current/f26/0001-Bluetooth-btusb-Disable-autosuspend-on-QCA-Rome-devi.patch b/freed-ora/current/f26/0001-Bluetooth-btusb-Disable-autosuspend-on-QCA-Rome-devi.patch
deleted file mode 100644
index cc1af2ceb..000000000
--- a/freed-ora/current/f26/0001-Bluetooth-btusb-Disable-autosuspend-on-QCA-Rome-devi.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a5ffa27c07e06900fcfc50b08de6d11e45830168 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Wed, 3 Jan 2018 12:49:44 +0100
-Subject: [PATCH v2] Bluetooth: btusb: Disable autosuspend on QCA Rome devices
-
-Commit fd865802c66b ("Bluetooth: btusb: fix QCA Rome suspend/resume") fixes
-a suspend/resume problem on QCA devices by doing a full reset on resume,
-reloading the firmware.
-
-A similar problem happens when using runtime-pm / autosuspend, when this is
-enabled by the user the QCA Rome device stops working. Reloading the
-firmware after a runtime suspend is not really an option since the latency
-caused by this is unacceptable.
-
-To fix the runtime-pm issues, this commit disables runtime-pm on QCA Rome
-HCIs, by getting (and not releasing) an usb autopm reference on the btusb
-interface.
-
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514836
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/bluetooth/btusb.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index 808c249845db..6ed3a0e5b8f6 100644
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -3122,8 +3122,15 @@ static int btusb_probe(struct usb_interface *intf,
- 		/* QCA Rome devices lose their updated firmware over suspend,
- 		 * but the USB hub doesn't notice any status change.
- 		 * Explicitly request a device reset on resume.
-+		 * And disable runtime pm by getting a pm reference, the USB
-+		 * core will drop our reference on disconnect.
- 		 */
- 		set_bit(BTUSB_RESET_RESUME, &data->flags);
-+		err = usb_autopm_get_interface(data->intf);
-+		if (err < 0) {
-+			BT_ERR("failed to get pm reference %d", err);
-+			goto out_free_dev;
-+		}
- 	}
- 
- #ifdef CONFIG_BT_HCIBTUSB_RTL
--- 
-2.14.3
-
diff --git a/freed-ora/current/f26/0001-ahci-Annotate-PCI-ids-for-mobile-Intel-chipsets-as-s.patch b/freed-ora/current/f26/0001-ahci-Annotate-PCI-ids-for-mobile-Intel-chipsets-as-s.patch
deleted file mode 100644
index d73ce05c6..000000000
--- a/freed-ora/current/f26/0001-ahci-Annotate-PCI-ids-for-mobile-Intel-chipsets-as-s.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From cb1072f66e72eda65a8f7ac37d32c9f4217af6ba Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Tue, 21 Nov 2017 14:44:15 +0100
-Subject: [PATCH 1/3] ahci: Annotate PCI ids for mobile Intel chipsets as such
-
-Intel uses different SATA PCI ids for the Desktop and Mobile SKUs of their
-chipsets. For older models the comment describing which chipset the PCI id
-is for, aksi indicates when we're dealing with a mobile SKU. Extend the
-comments for recent chipsets to also indicate mobile SKUs.
-
-The information this commit adds comes from Intel's chipset datasheets.
-
-This commit is a preparation patch for allowing a different default
-sata link powermanagement policy for mobile chipsets.
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/ata/ahci.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index 5443cb71d7ba..9d842ff6ec51 100644
---- a/drivers/ata/ahci.c
-+++ b/drivers/ata/ahci.c
-@@ -268,9 +268,9 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, 0x3b23), board_ahci }, /* PCH AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x3b24), board_ahci }, /* PCH RAID */
- 	{ PCI_VDEVICE(INTEL, 0x3b25), board_ahci }, /* PCH RAID */
--	{ PCI_VDEVICE(INTEL, 0x3b29), board_ahci }, /* PCH AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x3b29), board_ahci }, /* PCH M AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x3b2b), board_ahci }, /* PCH RAID */
--	{ PCI_VDEVICE(INTEL, 0x3b2c), board_ahci }, /* PCH RAID */
-+	{ PCI_VDEVICE(INTEL, 0x3b2c), board_ahci }, /* PCH M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x3b2f), board_ahci }, /* PCH AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x19b0), board_ahci }, /* DNV AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x19b1), board_ahci }, /* DNV AHCI */
-@@ -293,9 +293,9 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, 0x19cE), board_ahci }, /* DNV AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x19cF), board_ahci }, /* DNV AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x1c02), board_ahci }, /* CPT AHCI */
--	{ PCI_VDEVICE(INTEL, 0x1c03), board_ahci }, /* CPT AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x1c03), board_ahci }, /* CPT M AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x1c04), board_ahci }, /* CPT RAID */
--	{ PCI_VDEVICE(INTEL, 0x1c05), board_ahci }, /* CPT RAID */
-+	{ PCI_VDEVICE(INTEL, 0x1c05), board_ahci }, /* CPT M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x1c06), board_ahci }, /* CPT RAID */
- 	{ PCI_VDEVICE(INTEL, 0x1c07), board_ahci }, /* CPT RAID */
- 	{ PCI_VDEVICE(INTEL, 0x1d02), board_ahci }, /* PBG AHCI */
-@@ -304,20 +304,20 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, 0x2826), board_ahci }, /* PBG RAID */
- 	{ PCI_VDEVICE(INTEL, 0x2323), board_ahci }, /* DH89xxCC AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x1e02), board_ahci }, /* Panther Point AHCI */
--	{ PCI_VDEVICE(INTEL, 0x1e03), board_ahci }, /* Panther Point AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x1e03), board_ahci }, /* Panther Point M AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x1e04), board_ahci }, /* Panther Point RAID */
- 	{ PCI_VDEVICE(INTEL, 0x1e05), board_ahci }, /* Panther Point RAID */
- 	{ PCI_VDEVICE(INTEL, 0x1e06), board_ahci }, /* Panther Point RAID */
--	{ PCI_VDEVICE(INTEL, 0x1e07), board_ahci }, /* Panther Point RAID */
-+	{ PCI_VDEVICE(INTEL, 0x1e07), board_ahci }, /* Panther Point M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x1e0e), board_ahci }, /* Panther Point RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c02), board_ahci }, /* Lynx Point AHCI */
--	{ PCI_VDEVICE(INTEL, 0x8c03), board_ahci }, /* Lynx Point AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x8c03), board_ahci }, /* Lynx Point M AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x8c04), board_ahci }, /* Lynx Point RAID */
--	{ PCI_VDEVICE(INTEL, 0x8c05), board_ahci }, /* Lynx Point RAID */
-+	{ PCI_VDEVICE(INTEL, 0x8c05), board_ahci }, /* Lynx Point M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c06), board_ahci }, /* Lynx Point RAID */
--	{ PCI_VDEVICE(INTEL, 0x8c07), board_ahci }, /* Lynx Point RAID */
-+	{ PCI_VDEVICE(INTEL, 0x8c07), board_ahci }, /* Lynx Point M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c0e), board_ahci }, /* Lynx Point RAID */
--	{ PCI_VDEVICE(INTEL, 0x8c0f), board_ahci }, /* Lynx Point RAID */
-+	{ PCI_VDEVICE(INTEL, 0x8c0f), board_ahci }, /* Lynx Point M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x9c02), board_ahci }, /* Lynx Point-LP AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x9c03), board_ahci }, /* Lynx Point-LP AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x9c04), board_ahci }, /* Lynx Point-LP RAID */
-@@ -358,21 +358,21 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */
- 	{ PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c82), board_ahci }, /* 9 Series AHCI */
--	{ PCI_VDEVICE(INTEL, 0x8c83), board_ahci }, /* 9 Series AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x8c83), board_ahci }, /* 9 Series M AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x8c84), board_ahci }, /* 9 Series RAID */
--	{ PCI_VDEVICE(INTEL, 0x8c85), board_ahci }, /* 9 Series RAID */
-+	{ PCI_VDEVICE(INTEL, 0x8c85), board_ahci }, /* 9 Series M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c86), board_ahci }, /* 9 Series RAID */
--	{ PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */
-+	{ PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */
--	{ PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */
-+	{ PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series M RAID */
- 	{ PCI_VDEVICE(INTEL, 0x9d03), board_ahci }, /* Sunrise Point-LP AHCI */
- 	{ PCI_VDEVICE(INTEL, 0x9d05), board_ahci }, /* Sunrise Point-LP RAID */
- 	{ PCI_VDEVICE(INTEL, 0x9d07), board_ahci }, /* Sunrise Point-LP RAID */
- 	{ PCI_VDEVICE(INTEL, 0xa102), board_ahci }, /* Sunrise Point-H AHCI */
--	{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */
-+	{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H M AHCI */
- 	{ PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */
- 	{ PCI_VDEVICE(INTEL, 0xa106), board_ahci }, /* Sunrise Point-H RAID */
--	{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
-+	{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H M RAID */
- 	{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
- 	{ PCI_VDEVICE(INTEL, 0x2822), board_ahci }, /* Lewisburg RAID*/
- 	{ PCI_VDEVICE(INTEL, 0x2823), board_ahci }, /* Lewisburg AHCI*/
--- 
-2.14.3
-
diff --git a/freed-ora/current/f26/0002-ahci-Add-PCI-ids-for-Intel-Bay-Trail-Cherry-Trail-an.patch b/freed-ora/current/f26/0002-ahci-Add-PCI-ids-for-Intel-Bay-Trail-Cherry-Trail-an.patch
deleted file mode 100644
index f27812b85..000000000
--- a/freed-ora/current/f26/0002-ahci-Add-PCI-ids-for-Intel-Bay-Trail-Cherry-Trail-an.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From eab582db4b6c04a20a8bd792faa9ebf7adf1ec17 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Mon, 27 Nov 2017 12:07:34 +0100
-Subject: [PATCH 2/3] ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and
- Apollo Lake AHCI
-
-Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
-SATA controllers. This commit is a preparation patch for allowing a
-different default sata link powermanagement policy for mobile chipsets.
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/ata/ahci.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index 9d842ff6ec51..844f697bedbf 100644
---- a/drivers/ata/ahci.c
-+++ b/drivers/ata/ahci.c
-@@ -386,6 +386,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
- 	{ PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
- 	{ PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
-+	{ PCI_VDEVICE(INTEL, 0x0f22), board_ahci }, /* Bay Trail AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x0f23), board_ahci }, /* Bay Trail AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x22a3), board_ahci }, /* Cherry Trail AHCI */
-+	{ PCI_VDEVICE(INTEL, 0x5ae3), board_ahci }, /* Apollo Lake AHCI */
- 
- 	/* JMicron 360/1/3/5/6, match class to avoid IDE function */
- 	{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
--- 
-2.14.3
-
diff --git a/freed-ora/current/f26/0003-ahci-Allow-setting-a-default-LPM-policy-for-mobile-c.patch b/freed-ora/current/f26/0003-ahci-Allow-setting-a-default-LPM-policy-for-mobile-c.patch
index fe7edde8f..a888a242c 100644
--- a/freed-ora/current/f26/0003-ahci-Allow-setting-a-default-LPM-policy-for-mobile-c.patch
+++ b/freed-ora/current/f26/0003-ahci-Allow-setting-a-default-LPM-policy-for-mobile-c.patch
@@ -1,8 +1,7 @@
-From 262135cf058c28d248b997bd11b2c124e27d8d47 Mon Sep 17 00:00:00 2001
+From 65cca10ce92fb738b183152f1c1096b82e47923d Mon Sep 17 00:00:00 2001
 From: Hans de Goede <hdegoede@redhat.com>
 Date: Mon, 27 Nov 2017 15:32:01 +0100
-Subject: [PATCH 3/3] ahci: Allow setting a default LPM policy for mobile
- chipsets
+Subject: [PATCH] ahci: Allow setting a default LPM policy for mobile chipsets
 
 On many laptops setting a different LPM policy then unknown /
 max_performance can lead to power-savings of 1.0 - 1.5 Watts (when idle).
@@ -28,9 +27,6 @@ trouble-shooting without needing to rebuild the kernel.
 
 Signed-off-by: Hans de Goede <hdegoede@redhat.com>
 ---
-Changes in v2:
--Remove .config changes from the patch
----
  drivers/ata/Kconfig | 19 +++++++++++
  drivers/ata/ahci.c  | 97 +++++++++++++++++++++++++++++++----------------------
  drivers/ata/ahci.h  |  3 ++
@@ -67,7 +63,7 @@ index cb5339166563..b3fad5663aeb 100644
  	tristate "Platform AHCI SATA support"
  	help
 diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index 844f697bedbf..8e910fae8892 100644
+index 44a9d630b7ac..355a95a83a34 100644
 --- a/drivers/ata/ahci.c
 +++ b/drivers/ata/ahci.c
 @@ -65,6 +65,7 @@ enum board_ids {
@@ -219,10 +215,10 @@ index 844f697bedbf..8e910fae8892 100644
  	{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
  	{ PCI_VDEVICE(INTEL, 0x2822), board_ahci }, /* Lewisburg RAID*/
  	{ PCI_VDEVICE(INTEL, 0x2823), board_ahci }, /* Lewisburg AHCI*/
-@@ -386,10 +394,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
+@@ -387,10 +395,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
  	{ PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
  	{ PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
+ 	{ PCI_VDEVICE(INTEL, 0xa356), board_ahci }, /* Cannon Lake PCH-H RAID */
 -	{ PCI_VDEVICE(INTEL, 0x0f22), board_ahci }, /* Bay Trail AHCI */
 -	{ PCI_VDEVICE(INTEL, 0x0f23), board_ahci }, /* Bay Trail AHCI */
 -	{ PCI_VDEVICE(INTEL, 0x22a3), board_ahci }, /* Cherry Trail AHCI */
@@ -234,7 +230,7 @@ index 844f697bedbf..8e910fae8892 100644
  
  	/* JMicron 360/1/3/5/6, match class to avoid IDE function */
  	{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
-@@ -597,6 +605,9 @@ static int marvell_enable = 1;
+@@ -598,6 +606,9 @@ static int marvell_enable = 1;
  module_param(marvell_enable, int, 0644);
  MODULE_PARM_DESC(marvell_enable, "Marvell SATA via AHCI (1 = enabled)");
  
@@ -244,7 +240,7 @@ index 844f697bedbf..8e910fae8892 100644
  
  static void ahci_pci_save_initial_config(struct pci_dev *pdev,
  					 struct ahci_host_priv *hpriv)
-@@ -1732,6 +1743,10 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+@@ -1733,6 +1744,10 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
  		if (ap->flags & ATA_FLAG_EM)
  			ap->em_message_type = hpriv->em_msg_type;
  
diff --git a/freed-ora/current/f26/CVE-2018-1000026.patch b/freed-ora/current/f26/CVE-2018-1000026.patch
new file mode 100644
index 000000000..99e5f64a5
--- /dev/null
+++ b/freed-ora/current/f26/CVE-2018-1000026.patch
@@ -0,0 +1,228 @@
+From 2b16f048729bf35e6c28a40cbfad07239f9dcd90 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 31 Jan 2018 14:15:33 +1100
+Subject: [PATCH] net: create skb_gso_validate_mac_len()
+
+If you take a GSO skb, and split it into packets, will the MAC
+length (L2 + L3 + L4 headers + payload) of those packets be small
+enough to fit within a given length?
+
+Move skb_gso_mac_seglen() to skbuff.h with other related functions
+like skb_gso_network_seglen() so we can use it, and then create
+skb_gso_validate_mac_len to do the full calculation.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/skbuff.h | 16 +++++++++++++
+ net/core/skbuff.c      | 63 +++++++++++++++++++++++++++++++++++++++-----------
+ net/sched/sch_tbf.c    | 10 --------
+ 3 files changed, 66 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index ac89a93b7c83..5ebc0f869720 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3287,6 +3287,7 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
+ void skb_scrub_packet(struct sk_buff *skb, bool xnet);
+ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb);
+ bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu);
++bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len);
+ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features);
+ struct sk_buff *skb_vlan_untag(struct sk_buff *skb);
+ int skb_ensure_writable(struct sk_buff *skb, int write_len);
+@@ -4120,6 +4121,21 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
+ 	return hdr_len + skb_gso_transport_seglen(skb);
+ }
+
++/**
++ * skb_gso_mac_seglen - Return length of individual segments of a gso packet
++ *
++ * @skb: GSO skb
++ *
++ * skb_gso_mac_seglen is used to determine the real size of the
++ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
++ * headers (TCP/UDP).
++ */
++static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
++{
++	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
++	return hdr_len + skb_gso_transport_seglen(skb);
++}
++
+ /* Local Checksum Offload.
+  * Compute outer checksum based on the assumption that the
+  * inner checksum will be offloaded later.
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 01e8285aea73..8c61c27c1b28 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4914,37 +4914,74 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
+ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
+
+ /**
+- * skb_gso_validate_mtu - Return in case such skb fits a given MTU
++ * skb_gso_size_check - check the skb size, considering GSO_BY_FRAGS
+  *
+- * @skb: GSO skb
+- * @mtu: MTU to validate against
++ * There are a couple of instances where we have a GSO skb, and we
++ * want to determine what size it would be after it is segmented.
+  *
+- * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU
+- * once split.
++ * We might want to check:
++ * -    L3+L4+payload size (e.g. IP forwarding)
++ * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
++ *
++ * This is a helper to do that correctly considering GSO_BY_FRAGS.
++ *
++ * @seg_len: The segmented length (from skb_gso_*_seglen). In the
++ *           GSO_BY_FRAGS case this will be [header sizes + GSO_BY_FRAGS].
++ *
++ * @max_len: The maximum permissible length.
++ *
++ * Returns true if the segmented length <= max length.
+  */
+-bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu)
+-{
++static inline bool skb_gso_size_check(const struct sk_buff *skb,
++				      unsigned int seg_len,
++				      unsigned int max_len) {
+ 	const struct skb_shared_info *shinfo = skb_shinfo(skb);
+ 	const struct sk_buff *iter;
+-	unsigned int hlen;
+-
+-	hlen = skb_gso_network_seglen(skb);
+
+ 	if (shinfo->gso_size != GSO_BY_FRAGS)
+-		return hlen <= mtu;
++		return seg_len <= max_len;
+
+ 	/* Undo this so we can re-use header sizes */
+-	hlen -= GSO_BY_FRAGS;
++	seg_len -= GSO_BY_FRAGS;
+
+ 	skb_walk_frags(skb, iter) {
+-		if (hlen + skb_headlen(iter) > mtu)
++		if (seg_len + skb_headlen(iter) > max_len)
+ 			return false;
+ 	}
+
+ 	return true;
+ }
++
++/**
++ * skb_gso_validate_mtu - Return in case such skb fits a given MTU
++ *
++ * @skb: GSO skb
++ * @mtu: MTU to validate against
++ *
++ * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU
++ * once split.
++ */
++bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu)
++{
++	return skb_gso_size_check(skb, skb_gso_network_seglen(skb), mtu);
++}
+ EXPORT_SYMBOL_GPL(skb_gso_validate_mtu);
+
++/**
++ * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
++ *
++ * @skb: GSO skb
++ * @len: length to validate against
++ *
++ * skb_gso_validate_mac_len validates if a given skb will fit a wanted
++ * length once split, including L2, L3 and L4 headers and the payload.
++ */
++bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
++{
++	return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
++}
++EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
++
+ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
+ {
+ 	if (skb_cow(skb, skb_headroom(skb)) < 0) {
+diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
+index 83e76d046993..229172d509cc 100644
+--- a/net/sched/sch_tbf.c
++++ b/net/sched/sch_tbf.c
+@@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r,
+ 	return len;
+ }
+
+-/*
+- * Return length of individual segments of a gso packet,
+- * including all headers (MAC, IP, TCP/UDP)
+- */
+-static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
+-{
+-	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
+-	return hdr_len + skb_gso_transport_seglen(skb);
+-}
+-
+ /* GSO packet is too big, segment it so that tbf can transmit
+  * each segment in time
+  */
+-- 
+2.14.3
+
+From 8914a595110a6eca69a5e275b323f5d09e18f4f9 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 31 Jan 2018 14:15:34 +1100
+Subject: [PATCH] bnx2x: disable GSO where gso_size is too big for hardware
+
+If a bnx2x card is passed a GSO packet with a gso_size larger than
+~9700 bytes, it will cause a firmware error that will bring the card
+down:
+
+bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!
+bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2
+bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052
+bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1
+... (dump of values continues) ...
+
+Detect when the mac length of a GSO packet is greater than the maximum
+packet size (9700 bytes) and disable GSO.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index 7b08323e3f3d..74fc9af4aadb 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -12934,6 +12934,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb,
+ 					      struct net_device *dev,
+ 					      netdev_features_t features)
+ {
++	/*
++	 * A skb with gso_size + header length > 9700 will cause a
++	 * firmware panic. Drop GSO support.
++	 *
++	 * Eventually the upper layer should not pass these packets down.
++	 *
++	 * For speed, if the gso_size is <= 9000, assume there will
++	 * not be 700 bytes of headers and pass it through. Only do a
++	 * full (slow) validation if the gso_size is > 9000.
++	 *
++	 * (Due to the way SKB_BY_FRAGS works this will also do a full
++	 * validation in that case.)
++	 */
++	if (unlikely(skb_is_gso(skb) &&
++		     (skb_shinfo(skb)->gso_size > 9000) &&
++		     !skb_gso_validate_mac_len(skb, 9700)))
++		features &= ~NETIF_F_GSO_MASK;
++
+ 	features = vlan_features_check(skb, features);
+ 	return vxlan_features_check(skb, features);
+ }
+-- 
+2.14.3
+
diff --git a/freed-ora/current/f26/kernel.spec b/freed-ora/current/f26/kernel.spec
index bb6ee7312..86cf737c3 100644
--- a/freed-ora/current/f26/kernel.spec
+++ b/freed-ora/current/f26/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -664,25 +664,20 @@ Patch632: 0003-HID-multitouch-Combine-all-left-button-events-in-a-f.patch
 # Make SATA link powermanagement policy configurable for:
 # https://fedoraproject.org/wiki/Changes/ImprovedLaptopBatteryLife
 # Queued upstream for merging into 4.16
-Patch636: 0001-ahci-Annotate-PCI-ids-for-mobile-Intel-chipsets-as-s.patch
-Patch637: 0002-ahci-Add-PCI-ids-for-Intel-Bay-Trail-Cherry-Trail-an.patch
 Patch638: 0003-ahci-Allow-setting-a-default-LPM-policy-for-mobile-c.patch
 
 # rhbz1514969, submitted upstream
 Patch640: 0001-platform-x86-dell-laptop-Filter-out-spurious-keyboar.patch
 
-# rhbz1514836, submitted upstream
-Patch641: 0001-Bluetooth-btusb-Disable-autosuspend-on-QCA-Rome-devi.patch
-
 # Fix crash on Xwayland using nouveau
 Patch650: dma-buf-fix-reservation_object_wait_timeout_rcu-once-more-v2.patch
 
-# rhbz 1544821
-Patch651: ssb-Do-not-disable-PCI-host-on-non-Mips.patch
-
 # https://bugzilla.kernel.org/show_bug.cgi?id=198351
 Patch652: iwlwifi-mvn.patch
 
+# CVE-2018-1000026 rhbz 1541846 1546744
+Patch653: CVE-2018-1000026.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2030,10 +2025,19 @@ fi
 #
 #
 %changelog
+* Mon Feb 19 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.15.4-gnu.
+
+* Mon Feb 19 2018 Laura Abbott <labbott@redhat.com> - 4.15.4-200
+- Linux v4.15.4
+
+* Mon Feb 19 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-1000026 (rhbz 1541846 1546744)
+
 * Thu Feb 15 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.15.3-gnu.
 
-* Tue Feb 13 2018 Laura Abbott <labbott@redhat.com> - 4.15.3-300
+* Tue Feb 13 2018 Laura Abbott <labbott@redhat.com> - 4.15.3-200
 - Linux v4.15.3 rebase
 
 * Thu Feb  8 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre
diff --git a/freed-ora/current/f26/sources b/freed-ora/current/f26/sources
index 6fbf2371a..1137091e3 100644
--- a/freed-ora/current/f26/sources
+++ b/freed-ora/current/f26/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-libre-4.15-gnu.tar.xz) = a55cc663c6fb1e1cfa7905282b368b5d5888bc2398f0acf37e5bb9a232ded04fd566b1980e654da26aaec005332e458581495184d6bd4cec669181085d4d78a5
-SHA512 (patch-4.15.3.xz) = e82ccc4829353458b77e6261b7793221ece82430727b5bd38f79fa637cb920648b50fc5abedf0a9690eca926d8adb4454dd41bd64442ccc7573a4c13ce007277
+SHA512 (patch-4.15.4.xz) = e903b02631f5fa261db44ea2da69b6edc3afbbbbb4da5eca6abf2972b9f5aeb032d6b4b22c1313eef7763bc91987ec793b05c00c04a0ec592f61cb5a82cea296
diff --git a/freed-ora/current/f26/ssb-Do-not-disable-PCI-host-on-non-Mips.patch b/freed-ora/current/f26/ssb-Do-not-disable-PCI-host-on-non-Mips.patch
deleted file mode 100644
index 207584940..000000000
--- a/freed-ora/current/f26/ssb-Do-not-disable-PCI-host-on-non-Mips.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From patchwork Fri Jan 26 09:38:01 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: ssb: Do not disable PCI host on non-Mips
-From: Sven Joachim <svenjoac@gmx.de>
-X-Patchwork-Id: 10185397
-Message-Id: <87vafpq7t2.fsf@turtle.gmx.de>
-To: Michael Buesch <m@bues.ch>, linux-wireless@vger.kernel.org
-Cc: James Hogan <jhogan@kernel.org>, linux-mips@linux-mips.org,
- Ralf Baechle <ralf@linux-mips.org>, James Hogan <jhogan@kernel.org>,
- Paul Burton <paul.burton@mips.com>,
- Matt Redfearn <matt.redfearn@imgtec.com>,
- Guenter Roeck <linux@roeck-us.net>
-Date: Fri, 26 Jan 2018 10:38:01 +0100
-
-After upgrading an old laptop to 4.15-rc9, I found that the eth0 and
-wlan0 interfaces had disappeared.  It turns out that the b43 and b44
-drivers require SSB_PCIHOST_POSSIBLE which depends on
-PCI_DRIVERS_LEGACY, a config option that only exists on Mips.
-
-Fixes: 58eae1416b80 ("ssb: Disable PCI host for PCI_DRIVERS_GENERIC")
-Cc: stable@vger.org
-Signed-off-by: Sven Joachim <svenjoac@gmx.de>
-Reviewed-by: James Hogan <jhogan@kernel.org>
----
- drivers/ssb/Kconfig | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/ssb/Kconfig b/drivers/ssb/Kconfig
-index 71c73766ee22..65af12c3bdb2 100644
---- a/drivers/ssb/Kconfig
-+++ b/drivers/ssb/Kconfig
-@@ -32,7 +32,7 @@ config SSB_BLOCKIO
- 
- config SSB_PCIHOST_POSSIBLE
- 	bool
--	depends on SSB && (PCI = y || PCI = SSB) && PCI_DRIVERS_LEGACY
-+	depends on SSB && (PCI = y || PCI = SSB) && (PCI_DRIVERS_LEGACY || !MIPS)
- 	default y
- 
- config SSB_PCIHOST