Merge remote-tracking branch 'origin/master' into rawhide-user-thl-vanilla-fedorakernel-4.14.0-0.rc8.git0.1.vanilla.knurd.1.fc28kernel-4.14.0-0.rc8.git0.1.vanilla.knurd.1.fc27kernel-4.14.0-0.rc8.git0.1.vanilla.knurd.1.fc26kernel-4.14.0-0.rc8.git0.1.vanilla.knurd.1.fc25

26 files changed, 407 insertions, 145 deletions

diff --git a/1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch b/1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch
new file mode 100644
index 000000000..ca079af42
--- /dev/null
+++ b/1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch
@@ -0,0 +1,296 @@
+From patchwork Mon Nov  6 12:31:12 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [1/2] kvm: vmx: Reinstate support for CPUs without virtual NMI
+From: Paolo Bonzini <pbonzini@redhat.com>
+X-Patchwork-Id: 10043403
+Message-Id: <1509971473-74491-2-git-send-email-pbonzini@redhat.com>
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: rkrcmar@redhat.com, stable@vger.kernel.org
+Date: Mon,  6 Nov 2017 13:31:12 +0100
+
+This is more or less a revert of commit 2c82878b0cb3 ("KVM: VMX: require
+virtual NMI support", 2017-03-27); it turns out that Core 2 Duo machines
+only had virtual NMIs in some SKUs.
+
+The revert is not trivial because in the meanwhile there have been several
+fixes to nested NMI injection.  Therefore, the entire vNMI state is moved
+to struct loaded_vmcs.
+
+Another change compared to before the patch is a simplification here:
+
+       if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked &&
+           !(is_guest_mode(vcpu) && nested_cpu_has_virtual_nmis(
+                                       get_vmcs12(vcpu))))) {
+
+The final condition here is always true (because nested_cpu_has_virtual_nmis
+is always false) and is removed.
+
+Fixes: 2c82878b0cb38fd516fd612c67852a6bbf282003
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1490803
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 150 +++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 106 insertions(+), 44 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index e6c8ffa84968..d6b3b12ae1e2 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -202,6 +202,10 @@ struct loaded_vmcs {
+ 	bool nmi_known_unmasked;
+ 	unsigned long vmcs_host_cr3;	/* May not match real cr3 */
+ 	unsigned long vmcs_host_cr4;	/* May not match real cr4 */
++	/* Support for vnmi-less CPUs */
++	int soft_vnmi_blocked;
++	ktime_t entry_time;
++	s64 vnmi_blocked_time;
+ 	struct list_head loaded_vmcss_on_cpu_link;
+ };
+ 
+@@ -1291,6 +1295,11 @@ static inline bool cpu_has_vmx_invpcid(void)
+ 		SECONDARY_EXEC_ENABLE_INVPCID;
+ }
+ 
++static inline bool cpu_has_virtual_nmis(void)
++{
++	return vmcs_config.pin_based_exec_ctrl & PIN_BASED_VIRTUAL_NMIS;
++}
++
+ static inline bool cpu_has_vmx_wbinvd_exit(void)
+ {
+ 	return vmcs_config.cpu_based_2nd_exec_ctrl &
+@@ -1348,11 +1357,6 @@ static inline bool nested_cpu_has2(struct vmcs12 *vmcs12, u32 bit)
+ 		(vmcs12->secondary_vm_exec_control & bit);
+ }
+ 
+-static inline bool nested_cpu_has_virtual_nmis(struct vmcs12 *vmcs12)
+-{
+-	return vmcs12->pin_based_vm_exec_control & PIN_BASED_VIRTUAL_NMIS;
+-}
+-
+ static inline bool nested_cpu_has_preemption_timer(struct vmcs12 *vmcs12)
+ {
+ 	return vmcs12->pin_based_vm_exec_control &
+@@ -3712,9 +3716,9 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
+ 				&_vmexit_control) < 0)
+ 		return -EIO;
+ 
+-	min = PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING |
+-		PIN_BASED_VIRTUAL_NMIS;
+-	opt = PIN_BASED_POSTED_INTR | PIN_BASED_VMX_PREEMPTION_TIMER;
++	min = PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING;
++	opt = PIN_BASED_VIRTUAL_NMIS | PIN_BASED_POSTED_INTR |
++		 PIN_BASED_VMX_PREEMPTION_TIMER;
+ 	if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PINBASED_CTLS,
+ 				&_pin_based_exec_control) < 0)
+ 		return -EIO;
+@@ -5669,7 +5673,8 @@ static void enable_irq_window(struct kvm_vcpu *vcpu)
+ 
+ static void enable_nmi_window(struct kvm_vcpu *vcpu)
+ {
+-	if (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI) {
++	if (!cpu_has_virtual_nmis() ||
++	    vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI) {
+ 		enable_irq_window(vcpu);
+ 		return;
+ 	}
+@@ -5709,6 +5714,19 @@ static void vmx_inject_nmi(struct kvm_vcpu *vcpu)
+ {
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+ 
++	if (!cpu_has_virtual_nmis()) {
++		/*
++		 * Tracking the NMI-blocked state in software is built upon
++		 * finding the next open IRQ window. This, in turn, depends on
++		 * well-behaving guests: They have to keep IRQs disabled at
++		 * least as long as the NMI handler runs. Otherwise we may
++		 * cause NMI nesting, maybe breaking the guest. But as this is
++		 * highly unlikely, we can live with the residual risk.
++		 */
++		vmx->loaded_vmcs->soft_vnmi_blocked = 1;
++		vmx->loaded_vmcs->vnmi_blocked_time = 0;
++	}
++
+ 	++vcpu->stat.nmi_injections;
+ 	vmx->loaded_vmcs->nmi_known_unmasked = false;
+ 
+@@ -5727,6 +5745,8 @@ static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu)
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+ 	bool masked;
+ 
++	if (!cpu_has_virtual_nmis())
++		return vmx->loaded_vmcs->soft_vnmi_blocked;
+ 	if (vmx->loaded_vmcs->nmi_known_unmasked)
+ 		return false;
+ 	masked = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_NMI;
+@@ -5738,13 +5758,20 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
+ {
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+ 
+-	vmx->loaded_vmcs->nmi_known_unmasked = !masked;
+-	if (masked)
+-		vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
+-			      GUEST_INTR_STATE_NMI);
+-	else
+-		vmcs_clear_bits(GUEST_INTERRUPTIBILITY_INFO,
+-				GUEST_INTR_STATE_NMI);
++	if (!cpu_has_virtual_nmis()) {
++		if (vmx->loaded_vmcs->soft_vnmi_blocked != masked) {
++			vmx->loaded_vmcs->soft_vnmi_blocked = masked;
++			vmx->loaded_vmcs->vnmi_blocked_time = 0;
++		}
++	} else {
++		vmx->loaded_vmcs->nmi_known_unmasked = !masked;
++		if (masked)
++			vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
++				      GUEST_INTR_STATE_NMI);
++		else
++			vmcs_clear_bits(GUEST_INTERRUPTIBILITY_INFO,
++					GUEST_INTR_STATE_NMI);
++	}
+ }
+ 
+ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
+@@ -5752,6 +5779,10 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
+ 	if (to_vmx(vcpu)->nested.nested_run_pending)
+ 		return 0;
+ 
++	if (!cpu_has_virtual_nmis() &&
++	    to_vmx(vcpu)->loaded_vmcs->soft_vnmi_blocked)
++		return 0;
++
+ 	return	!(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
+ 		  (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI
+ 		   | GUEST_INTR_STATE_NMI));
+@@ -6479,6 +6510,7 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu)
+ 	 * AAK134, BY25.
+ 	 */
+ 	if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) &&
++			cpu_has_virtual_nmis() &&
+ 			(exit_qualification & INTR_INFO_UNBLOCK_NMI))
+ 		vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, GUEST_INTR_STATE_NMI);
+ 
+@@ -6965,7 +6997,7 @@ static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx)
+ 	}
+ 
+ 	/* Create a new VMCS */
+-	item = kmalloc(sizeof(struct vmcs02_list), GFP_KERNEL);
++	item = kzalloc(sizeof(struct vmcs02_list), GFP_KERNEL);
+ 	if (!item)
+ 		return NULL;
+ 	item->vmcs02.vmcs = alloc_vmcs();
+@@ -7982,6 +8014,7 @@ static int handle_pml_full(struct kvm_vcpu *vcpu)
+ 	 * "blocked by NMI" bit has to be set before next VM entry.
+ 	 */
+ 	if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) &&
++			cpu_has_virtual_nmis() &&
+ 			(exit_qualification & INTR_INFO_UNBLOCK_NMI))
+ 		vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
+ 				GUEST_INTR_STATE_NMI);
+@@ -8826,6 +8859,25 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
+ 		return 0;
+ 	}
+ 
++	if (unlikely(!cpu_has_virtual_nmis() &&
++		     vmx->loaded_vmcs->soft_vnmi_blocked)) {
++		if (vmx_interrupt_allowed(vcpu)) {
++			vmx->loaded_vmcs->soft_vnmi_blocked = 0;
++		} else if (vmx->loaded_vmcs->vnmi_blocked_time > 1000000000LL &&
++			   vcpu->arch.nmi_pending) {
++			/*
++			 * This CPU don't support us in finding the end of an
++			 * NMI-blocked window if the guest runs with IRQs
++			 * disabled. So we pull the trigger after 1 s of
++			 * futile waiting, but inform the user about this.
++			 */
++			printk(KERN_WARNING "%s: Breaking out of NMI-blocked "
++			       "state on VCPU %d after 1 s timeout\n",
++			       __func__, vcpu->vcpu_id);
++			vmx->loaded_vmcs->soft_vnmi_blocked = 0;
++		}
++	}
++
+ 	if (exit_reason < kvm_vmx_max_exit_handlers
+ 	    && kvm_vmx_exit_handlers[exit_reason])
+ 		return kvm_vmx_exit_handlers[exit_reason](vcpu);
+@@ -9108,33 +9160,38 @@ static void vmx_recover_nmi_blocking(struct vcpu_vmx *vmx)
+ 
+ 	idtv_info_valid = vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK;
+ 
+-	if (vmx->loaded_vmcs->nmi_known_unmasked)
+-		return;
+-	/*
+-	 * Can't use vmx->exit_intr_info since we're not sure what
+-	 * the exit reason is.
+-	 */
+-	exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
+-	unblock_nmi = (exit_intr_info & INTR_INFO_UNBLOCK_NMI) != 0;
+-	vector = exit_intr_info & INTR_INFO_VECTOR_MASK;
+-	/*
+-	 * SDM 3: 27.7.1.2 (September 2008)
+-	 * Re-set bit "block by NMI" before VM entry if vmexit caused by
+-	 * a guest IRET fault.
+-	 * SDM 3: 23.2.2 (September 2008)
+-	 * Bit 12 is undefined in any of the following cases:
+-	 *  If the VM exit sets the valid bit in the IDT-vectoring
+-	 *   information field.
+-	 *  If the VM exit is due to a double fault.
+-	 */
+-	if ((exit_intr_info & INTR_INFO_VALID_MASK) && unblock_nmi &&
+-	    vector != DF_VECTOR && !idtv_info_valid)
+-		vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
+-			      GUEST_INTR_STATE_NMI);
+-	else
+-		vmx->loaded_vmcs->nmi_known_unmasked =
+-			!(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO)
+-			  & GUEST_INTR_STATE_NMI);
++	if (cpu_has_virtual_nmis()) {
++		if (vmx->loaded_vmcs->nmi_known_unmasked)
++			return;
++		/*
++		 * Can't use vmx->exit_intr_info since we're not sure what
++		 * the exit reason is.
++		 */
++		exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
++		unblock_nmi = (exit_intr_info & INTR_INFO_UNBLOCK_NMI) != 0;
++		vector = exit_intr_info & INTR_INFO_VECTOR_MASK;
++		/*
++		 * SDM 3: 27.7.1.2 (September 2008)
++		 * Re-set bit "block by NMI" before VM entry if vmexit caused by
++		 * a guest IRET fault.
++		 * SDM 3: 23.2.2 (September 2008)
++		 * Bit 12 is undefined in any of the following cases:
++		 *  If the VM exit sets the valid bit in the IDT-vectoring
++		 *   information field.
++		 *  If the VM exit is due to a double fault.
++		 */
++		if ((exit_intr_info & INTR_INFO_VALID_MASK) && unblock_nmi &&
++		    vector != DF_VECTOR && !idtv_info_valid)
++			vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
++				      GUEST_INTR_STATE_NMI);
++		else
++			vmx->loaded_vmcs->nmi_known_unmasked =
++				!(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO)
++				  & GUEST_INTR_STATE_NMI);
++	} else if (unlikely(vmx->loaded_vmcs->soft_vnmi_blocked))
++		vmx->loaded_vmcs->vnmi_blocked_time +=
++			ktime_to_ns(ktime_sub(ktime_get(),
++					      vmx->loaded_vmcs->entry_time));
+ }
+ 
+ static void __vmx_complete_interrupts(struct kvm_vcpu *vcpu,
+@@ -9251,6 +9308,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+ 	unsigned long debugctlmsr, cr3, cr4;
+ 
++	/* Record the guest's net vcpu time for enforced NMI injections. */
++	if (unlikely(!cpu_has_virtual_nmis() &&
++		     vmx->loaded_vmcs->soft_vnmi_blocked))
++		vmx->loaded_vmcs->entry_time = ktime_get();
++
+ 	/* Don't enter VMX if guest state is invalid, let the exit handler
+ 	   start emulation until we arrive back to a valid state */
+ 	if (vmx->emulation_required)
diff --git a/CVE-2017-7477.patch b/CVE-2017-7477.patch
deleted file mode 100644
index 6405614cc..000000000
--- a/CVE-2017-7477.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Fri, 21 Apr 2017 23:14:48 +0200
-Subject: macsec: avoid heap overflow in skb_to_sgvec
-
-While this may appear as a humdrum one line change, it's actually quite
-important. An sk_buff stores data in three places:
-
-1. A linear chunk of allocated memory in skb->data. This is the easiest
-   one to work with, but it precludes using scatterdata since the memory
-   must be linear.
-2. The array skb_shinfo(skb)->frags, which is of maximum length
-   MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
-   can point to different pages.
-3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
-   which in turn can have data in either (1) or (2).
-
-The first two are rather easy to deal with, since they're of a fixed
-maximum length, while the third one is not, since there can be
-potentially limitless chains of fragments. Fortunately dealing with
-frag_list is opt-in for drivers, so drivers don't actually have to deal
-with this mess. For whatever reason, macsec decided it wanted pain, and
-so it explicitly specified NETIF_F_FRAGLIST.
-
-Because dealing with (1), (2), and (3) is insane, most users of sk_buff
-doing any sort of crypto or paging operation calls a convenient function
-called skb_to_sgvec (which happens to be recursive if (3) is in use!).
-This takes a sk_buff as input, and writes into its output pointer an
-array of scattergather list items. Sometimes people like to declare a
-fixed size scattergather list on the stack; othertimes people like to
-allocate a fixed size scattergather list on the heap. However, if you're
-doing it in a fixed-size fashion, you really shouldn't be using
-NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
-frag_list children arent't shared and then you check the number of
-fragments in total required.)
-
-Macsec specifically does this:
-
-        size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
-        tmp = kmalloc(size, GFP_ATOMIC);
-        *sg = (struct scatterlist *)(tmp + sg_offset);
-	...
-        sg_init_table(sg, MAX_SKB_FRAGS + 1);
-        skb_to_sgvec(skb, sg, 0, skb->len);
-
-Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
-using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
-overflow the heap, and disaster ensues.
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Cc: stable@vger.kernel.org
-Cc: security@kernel.org
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/net/macsec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
-index ff0a5ed..dbab05a 100644
---- a/drivers/net/macsec.c
-+++ b/drivers/net/macsec.c
-@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
- }
- 
- #define MACSEC_FEATURES \
--	(NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
-+	(NETIF_F_SG | NETIF_F_HIGHDMA)
- static struct lock_class_key macsec_netdev_addr_lock_key;
- 
- static int macsec_dev_init(struct net_device *dev)
--- 
-cgit v1.1
-
diff --git a/baseconfig/CONFIG_LEDS_IS31FL32XX b/baseconfig/CONFIG_LEDS_IS31FL32XX
index bc726f797..343dc4dd8 100644
--- a/baseconfig/CONFIG_LEDS_IS31FL32XX
+++ b/baseconfig/CONFIG_LEDS_IS31FL32XX
@@ -1 +1 @@
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
diff --git a/bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch b/bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch
deleted file mode 100644
index 70a528253..000000000
--- a/bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From patchwork Thu Feb  9 18:16:00 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: drm/vc4: Fix OOPSes from trying to cache a partially constructed BO.
-From: Eric Anholt <eric@anholt.net>
-X-Patchwork-Id: 138087
-Message-Id: <20170209181600.24048-1-eric@anholt.net>
-To: dri-devel@lists.freedesktop.org
-Cc: linux-kernel@vger.kernel.org, pbrobinson@gmail.com
-Date: Thu,  9 Feb 2017 10:16:00 -0800
-
-If a CMA allocation failed, the partially constructed BO would be
-unreferenced through the normal path, and we might choose to put it in
-the BO cache.  If we then reused it before it expired from the cache,
-the kernel would OOPS.
-
-Signed-off-by: Eric Anholt <eric@anholt.net>
-Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.")
----
- drivers/gpu/drm/vc4/vc4_bo.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
-index 5ec14f25625d..fd83a2807656 100644
---- a/drivers/gpu/drm/vc4/vc4_bo.c
-+++ b/drivers/gpu/drm/vc4/vc4_bo.c
-@@ -314,6 +314,14 @@ void vc4_free_object(struct drm_gem_object *gem_bo)
- 		goto out;
- 	}
- 
-+	/* If this object was partially constructed but CMA allocation
-+	 * had failed, just free it.
-+	 */
-+	if (!bo->base.vaddr) {
-+		vc4_bo_destroy(bo);
-+		goto out;
-+	}
-+
- 	cache_list = vc4_get_cache_list_for_size(dev, gem_bo->size);
- 	if (!cache_list) {
- 		vc4_bo_destroy(bo);
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 838ad823f..1e35231c2 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -2703,7 +2703,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_GPIO_REGISTER=y
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 1f85f4851..355143eaf 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -2684,7 +2684,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_GPIO_REGISTER=y
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index 29987d790..4656caba8 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -2881,7 +2881,7 @@ CONFIG_LEDS_DAC124S085=m
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_GPIO_REGISTER=y
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 946d0035e..d1dd32b16 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -2745,7 +2745,7 @@ CONFIG_LEDS_DAC124S085=m
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_GPIO_REGISTER=y
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 81fe7d85c..0160a3634 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -2726,7 +2726,7 @@ CONFIG_LEDS_DAC124S085=m
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_GPIO_REGISTER=y
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index a3b4ddbde..b7d0628e4 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -2862,7 +2862,7 @@ CONFIG_LEDS_DAC124S085=m
 CONFIG_LEDS_GPIO=m
 CONFIG_LEDS_GPIO_REGISTER=y
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-i686-PAE.config b/kernel-i686-PAE.config
index 08a4414fe..45918b967 100644
--- a/kernel-i686-PAE.config
+++ b/kernel-i686-PAE.config
@@ -2598,7 +2598,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_GPIO is not set
 CONFIG_LEDS_INTEL_SS4200=m
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-i686-PAEdebug.config b/kernel-i686-PAEdebug.config
index f8c4c5980..9bb1564fc 100644
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@@ -2618,7 +2618,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_GPIO is not set
 CONFIG_LEDS_INTEL_SS4200=m
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index 1e7ab60da..1a81d84c1 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -2618,7 +2618,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_GPIO is not set
 CONFIG_LEDS_INTEL_SS4200=m
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-i686.config b/kernel-i686.config
index 476caaeb6..6549136f6 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -2598,7 +2598,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_GPIO is not set
 CONFIG_LEDS_INTEL_SS4200=m
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-ppc64-debug.config b/kernel-ppc64-debug.config
index e88c9e582..06bb87cad 100644
--- a/kernel-ppc64-debug.config
+++ b/kernel-ppc64-debug.config
@@ -2467,7 +2467,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_DAC124S085 is not set
 # CONFIG_LEDS_GPIO is not set
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-ppc64.config b/kernel-ppc64.config
index a8d5aaece..e6e9c4e43 100644
--- a/kernel-ppc64.config
+++ b/kernel-ppc64.config
@@ -2447,7 +2447,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_DAC124S085 is not set
 # CONFIG_LEDS_GPIO is not set
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index f90463686..66c67d2c5 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -2412,7 +2412,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_DAC124S085 is not set
 # CONFIG_LEDS_GPIO is not set
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index b2925caf4..0d18af253 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -2392,7 +2392,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_DAC124S085 is not set
 # CONFIG_LEDS_GPIO is not set
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 0b1a5a7d3..acca1bb10 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -2356,7 +2356,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_DAC124S085 is not set
 # CONFIG_LEDS_GPIO is not set
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-s390x.config b/kernel-s390x.config
index 34e545320..b5c7f851f 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -2336,7 +2336,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_DAC124S085 is not set
 # CONFIG_LEDS_GPIO is not set
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index 9f1c3424b..99f92b549 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -2673,7 +2673,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_GPIO is not set
 CONFIG_LEDS_INTEL_SS4200=m
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 097da4394..7f94bd96e 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -2653,7 +2653,7 @@ CONFIG_LEDS_CLEVO_MAIL=m
 # CONFIG_LEDS_GPIO is not set
 CONFIG_LEDS_INTEL_SS4200=m
 # CONFIG_LEDS_IS31FL319X is not set
-# CONFIG_LEDS_IS31FL32XX is not set
+CONFIG_LEDS_IS31FL32XX=m
 # CONFIG_LEDS_KTD2692 is not set
 CONFIG_LEDS_LM3530=m
 # CONFIG_LEDS_LM355x is not set
diff --git a/kernel.spec b/kernel.spec
index 1b2de2c30..c8d1e77e2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -75,9 +75,9 @@ Summary: The Linux kernel
 # The next upstream release sublevel (base_sublevel+1)
 %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
 # The rc snapshot level
-%global rcrev 7
+%global rcrev 8
 # The git snapshot level
-%define gitrev 4
+%define gitrev 0
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -133,7 +133,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 #  and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 0
+%define debugbuildsenabled 1
 
 # Want to build a vanilla kernel build without any non-upstream patches?
 %define with_vanilla %{?_without_vanilla: 0} %{?!_without_vanilla: 1}
@@ -628,9 +628,6 @@ Patch310: qcom-msm89xx-fixes.patch
 # https://patchwork.kernel.org/patch/9831825/
 # https://patchwork.kernel.org/patch/9833721/
 
-# http://www.spinics.net/lists/dri-devel/msg132235.html
-Patch320: bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch
-
 # Fix USB on the RPi https://patchwork.kernel.org/patch/9879371/
 Patch321: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe.patch
 
@@ -651,9 +648,6 @@ Patch335: arm-exynos-fix-usb3.patch
 
 # 500 - Temp fixes/CVEs etc
 
-# CVE-2017-7477 rhbz 1445207 1445208
-Patch502: CVE-2017-7477.patch
-
 # rhbz 1498016 1498017
 #Patch503: KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch
 
@@ -680,6 +674,13 @@ Patch622: 0001-platform-x86-peaq-wmi-Add-DMI-check-before-binding-t.patch
 
 Patch623: 0001-PATCH-staging-rtl8822be-fix-wrong-dma-unmap-len.patch
 
+# rhbz 1509461
+Patch624: v3-1-2-Input-synaptics-rmi4---RMI4-can-also-use-SMBUS-version-3.patch
+Patch625: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
+
+# rhbz 1490803
+Patch626: 1-2-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-NMI.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2237,6 +2238,16 @@ fi
 #
 #
 %changelog
+* Mon Nov 06 2017 Laura Abbott <labbott@redhat.com>
+- Patches for ThinkPad X1 Carbon Gen5 Touchpad (rhbz 1509461)
+- Fix for KVM regression on some machines (rhbz 1490803)
+
+* Mon Nov 06 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.0-0.rc8.git0.1
+- Linux v4.14-rc8
+
+* Mon Nov 06 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Disable debugging options.
+
 * Fri Nov 03 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.0-0.rc7.git4.1
 - Linux v4.14-rc7-129-g81ca2caefc6d
 
diff --git a/sources b/sources
index bf8799fb3..b896e7bac 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,3 @@
 SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.14-rc7.xz) = 5b078e3c3342f814dc250ac93272262b161b6ec763f76e78314ecff34e047c3db3f10a4764c3d9a15d62938fcdc18a5da76d18caa66ae5c38ae262363f7b73da
-SHA512 (patch-4.14-rc7-git4.xz) = 9be58033e4b4d4b11f3cd8719c59c1dd7b72b51b64e7a3c3209d2fcdf9c4c3aab7ea06c79e5d75a034af51f91b4fe2a64cbe849b902092a5c7a1e5151f807f54
+SHA512 (patch-4.14-rc8.xz) = 073c16c0813087ebdc04fc938d77edd797e630843ed8bb396df261c425e9be385578989df63da07f6861245c8bda84ba0e54019071f8b5e858d0d536baa72e4c
diff --git a/v3-1-2-Input-synaptics-rmi4---RMI4-can-also-use-SMBUS-version-3.patch b/v3-1-2-Input-synaptics-rmi4---RMI4-can-also-use-SMBUS-version-3.patch
new file mode 100644
index 000000000..5a8825793
--- /dev/null
+++ b/v3-1-2-Input-synaptics-rmi4---RMI4-can-also-use-SMBUS-version-3.patch
@@ -0,0 +1,42 @@
+From patchwork Sun Nov  5 17:09:50 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [v3,1/2] Input: synaptics-rmi4 - RMI4 can also use SMBUS version 3
+From: Yiannis Marangos <yiannis.marangos@gmail.com>
+X-Patchwork-Id: 10042385
+Message-Id: <20171105170951.20261-2-yiannis.marangos@gmail.com>
+To: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
+Cc: Yiannis Marangos <yiannis.marangos@gmail.com>
+Date: Sun,  5 Nov 2017 19:09:50 +0200
+
+Some synaptics devices such as LEN0073 use SMBUS version 3.
+
+Signed-off-by: Yiannis Marangos <yiannis.marangos@gmail.com>
+Acked-by: Benjamin Tissoires <benjamion.tissoires@redhat.com>
+---
+ drivers/input/rmi4/rmi_smbus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_smbus.c b/drivers/input/rmi4/rmi_smbus.c
+index 225025a0940c..b6ccf39c6a7b 100644
+--- a/drivers/input/rmi4/rmi_smbus.c
++++ b/drivers/input/rmi4/rmi_smbus.c
+@@ -312,7 +312,7 @@ static int rmi_smb_probe(struct i2c_client *client,
+ 	rmi_smb->xport.dev = &client->dev;
+ 	rmi_smb->xport.pdata = *pdata;
+ 	rmi_smb->xport.pdata.irq = client->irq;
+-	rmi_smb->xport.proto_name = "smb2";
++	rmi_smb->xport.proto_name = "smb";
+ 	rmi_smb->xport.ops = &rmi_smb_ops;
+ 
+ 	smbus_version = rmi_smb_get_version(rmi_smb);
+@@ -322,7 +322,7 @@ static int rmi_smb_probe(struct i2c_client *client,
+ 	rmi_dbg(RMI_DEBUG_XPORT, &client->dev, "Smbus version is %d",
+ 		smbus_version);
+ 
+-	if (smbus_version != 2) {
++	if (smbus_version != 2 && smbus_version != 3) {
+ 		dev_err(&client->dev, "Unrecognized SMB version %d\n",
+ 				smbus_version);
+ 		return -ENODEV;
diff --git a/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch b/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
new file mode 100644
index 000000000..a37b15ec7
--- /dev/null
+++ b/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
@@ -0,0 +1,29 @@
+From patchwork Sun Nov  5 17:09:51 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [v3,2/2] Input: synaptics - Lenovo X1 Carbon 5 should use SMBUS/RMI
+From: Yiannis Marangos <yiannis.marangos@gmail.com>
+X-Patchwork-Id: 10042387
+Message-Id: <20171105170951.20261-3-yiannis.marangos@gmail.com>
+To: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
+Cc: Yiannis Marangos <yiannis.marangos@gmail.com>
+Date: Sun,  5 Nov 2017 19:09:51 +0200
+
+Signed-off-by: Yiannis Marangos <yiannis.marangos@gmail.com>
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index ee5466a374bf..b3c683a84d3f 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -172,6 +172,7 @@ static const char * const smbus_pnp_ids[] = {
+ 	"LEN0048", /* X1 Carbon 3 */
+ 	"LEN0046", /* X250 */
+ 	"LEN004a", /* W541 */
++	"LEN0073", /* X1 Carbon 5 */
+ 	"LEN200f", /* T450s */
+ 	NULL
+ };