10 files changed, 132 insertions, 76 deletions

diff --git a/.SRCINFO b/.SRCINFO
index b99520c60203..3e5f57a392af 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,5 +1,5 @@
 pkgbase = linux-bfq-mq
-	pkgver = 4.14.10
+	pkgver = 4.14.11
 	pkgrel = 1
 	url = https://github.com/Algodev-github/bfq-mq/
 	arch = x86_64
@@ -12,8 +12,8 @@ pkgbase = linux-bfq-mq
 	options = !strip
 	source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
 	source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
-	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.10.xz
-	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.10.sign
+	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.xz
+	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.sign
 	source = https://raw.githubusercontent.com/sirlucjan/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9+_kernel_v4.13+.patch
 	source = https://gitlab.com/sirlucjan/kernel-patches/raw/master/4.14/4.14-bfq-sq-mq-git-20171228.patch
 	source = https://gitlab.com/tom81094/custom-patches/raw/master/bfq-mq/tentative/T0001-Check-presence-on-tree-of-every-entity-after-every-a.patch
@@ -30,16 +30,17 @@ pkgbase = linux-bfq-mq
 	source = 99-linux.hook
 	source = linux.preset
 	source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
-	source = 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
-	source = 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
-	source = 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
-	source = 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
-	source = 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+	source = 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+	source = 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+	source = 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+	source = 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+	source = 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+	source = 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
 	validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 	validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
 	sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
 	sha256sums = SKIP
-	sha256sums = 16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74
+	sha256sums = f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9
 	sha256sums = SKIP
 	sha256sums = 8b00041911e67654b0bd9602125853a1a94f6155c5cac4f886507554c8324ee8
 	sha256sums = e04958faa40e3a20f7e7e2bd9580b4c4c45d4d576ea3c6537d2e19de25ae5160
@@ -51,17 +52,18 @@ pkgbase = linux-bfq-mq
 	sha256sums = cfe7d6be0c243bcf6e30f1145991424ad3fa90d43bda214e0df613de007699b6
 	sha256sums = 19dd49fd6c50ac74074b354898d6aaf0c1da30e85c4f5770fdb54195b49277b0
 	sha256sums = 7c51d0053053a3a0f6ed8759a5464ed5a3275a9dd832513a5678c3bcead9e5d5
-	sha256sums = d3c396f2fbfc1a3919c053224757c488ef1af98d52bd5979f792cf963d555998
+	sha256sums = 934c661ba5e19f13d39ded0a353bd4d38404bb1b83b66a6f9243c61933fffcdd
 	sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
 	sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
 	sha256sums = 5f6ba52aaa528c4fa4b1dc097e8930fad0470d7ac489afcb13313f289ca32184
 	sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
-	sha256sums = 37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85
-	sha256sums = c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3
-	sha256sums = 1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2
-	sha256sums = ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32
-	sha256sums = 64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00
-	sha256sums = 3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb
+	sha256sums = 06bc1d8b1cd153c3146a4376d833f5769b980e5ef5eae99ddaaeb48bf514dae2
+	sha256sums = b90bef87574f30ec66c0f10d089bea56a9e974b6d052fee3071b1ff21360724b
+	sha256sums = f38531dee9fd8a59202ce96ac5b40446f1f035b89788ea9ecb2fb3909f703a25
+	sha256sums = 705d5fbfce00ccc20490bdfb5853d67d86ac00c845de6ecb13e414214b48daeb
+	sha256sums = 0a249248534a17f14fab7e14994811ae81fe324668a82ff41f3bcabeeae1460f
+	sha256sums = 8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711
+	sha256sums = 914a0a019545ad7d14ed8d5c58d417eb0a8ec12a756beec79a545aabda343b31
 
 pkgname = linux-bfq-mq
 	pkgdesc = The Linux-bfq-mq kernel and modules with the BFQ-MQ scheduler
@@ -72,19 +74,19 @@ pkgname = linux-bfq-mq
 	depends = mkinitcpio>=0.7
 	optdepends = crda: to set the correct wireless channels of your country
 	optdepends = modprobed-db: Keeps track of EVERY kernel module that has ever been probed - useful for those of us who make localmodconfig
-	provides = linux-bfq-mq=4.14.10
-	provides = linux=4.14.10
+	provides = linux-bfq-mq=4.14.11
+	provides = linux=4.14.11
 	backup = etc/mkinitcpio.d/linux-bfq-mq.preset
 
 pkgname = linux-bfq-mq-headers
 	pkgdesc = Header files and scripts for building modules for Linux-bfq-mq kernel
-	depends = linux-bfq-mq=4.14.10
-	provides = linux-bfq-mq-headers=4.14.10
-	provides = linux-headers=4.14.10
+	depends = linux-bfq-mq=4.14.11
+	provides = linux-bfq-mq-headers=4.14.11
+	provides = linux-headers=4.14.11
 
 pkgname = linux-bfq-mq-docs
 	pkgdesc = Kernel hackers manual - HTML documentation that comes with the Linux-bfq-mq kernel
-	depends = linux-bfq-mq=4.14.10
-	provides = linux-bfq-mq-docs=4.14.10
-	provides = linux-docs=4.14.10
+	depends = linux-bfq-mq=4.14.11
+	provides = linux-bfq-mq-docs=4.14.11
+	provides = linux-docs=4.14.11
 
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
index 29582c2bf608..64341b9b7026 100644
--- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -1,8 +1,9 @@
-From 5ec2dd3a095442ec1a21d86042a4994f2ba24e63 Mon Sep 17 00:00:00 2001
-Message-Id: <5ec2dd3a095442ec1a21d86042a4994f2ba24e63.1512651251.git.jan.steffens@gmail.com>
+From fb89d912d5f7289d3a922c77b671e36e1c740f5e Mon Sep 17 00:00:00 2001
+Message-Id: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
 From: Serge Hallyn <serge.hallyn@canonical.com>
 Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
+Subject: [PATCH 1/7] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
 
 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
 [bwh: Remove unneeded binary sysctl bits]
@@ -14,7 +15,7 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com>
  3 files changed, 30 insertions(+)
 
 diff --git a/kernel/fork.c b/kernel/fork.c
-index 07cc743698d3668e..4011d68a8ff9305c 100644
+index 500ce64517d93e68..35f5860958b40e9b 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
 @@ -102,6 +102,11 @@
@@ -29,7 +30,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644
  
  /*
   * Minimum number of threads to boot the kernel
-@@ -1555,6 +1560,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
  	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
  		return ERR_PTR(-EINVAL);
  
@@ -40,7 +41,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644
  	/*
  	 * Thread groups must share signals as well, and detached threads
  	 * can only be started up within the thread group.
-@@ -2348,6 +2357,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
  	if (unshare_flags & CLONE_NEWNS)
  		unshare_flags |= CLONE_FS;
  
@@ -54,7 +55,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644
  	if (err)
  		goto bad_unshare_out;
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index b86520ed3fb60fbf..f7dab3760839f1a1 100644
+index 56aca862c4f584f5..e8402ba393c1915d 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
 @@ -105,6 +105,9 @@ extern int core_uses_pid;
diff --git a/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch b/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
index 7e3ecbde40ff..8c23c9a543ba 100644
--- a/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+++ b/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
@@ -1,8 +1,10 @@
-From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001
-Message-Id: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
+From 8c6956686606b9c3661e74a410c8cb2fc276c5ee Mon Sep 17 00:00:00 2001
+Message-Id: <8c6956686606b9c3661e74a410c8cb2fc276c5ee.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
 From: Benjamin Poirier <bpoirier@suse.com>
 Date: Mon, 11 Dec 2017 16:26:40 +0900
-Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return
+Subject: [PATCH 2/7] e1000e: Fix e1000_check_for_copper_link_ich8lan return
  value.
 
 e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
diff --git a/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
index 26311bf3bb54..d7872e2a1cc2 100644
--- a/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+++ b/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
@@ -1,10 +1,10 @@
-From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001
-Message-Id: <80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steffens@gmail.com>
-In-Reply-To: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
-References: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
+From b81e273fb227373a2951c7256ab11a87d5333a9d Mon Sep 17 00:00:00 2001
+Message-Id: <b81e273fb227373a2951c7256ab11a87d5333a9d.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
 From: Mohamed Ghannam <simo.ghannam@gmail.com>
 Date: Tue, 5 Dec 2017 20:58:35 +0000
-Subject: [PATCH 2/2] dccp: CVE-2017-8824: use-after-free in DCCP code
+Subject: [PATCH 3/7] dccp: CVE-2017-8824: use-after-free in DCCP code
 
 Whenever the sock object is in DCCP_CLOSED state,
 dccp_disconnect() must free dccps_hc_tx_ccid and
diff --git a/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch b/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
index b44eb2ab8898..4dca618a8c03 100644
--- a/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+++ b/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
@@ -1,8 +1,10 @@
-From b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4 Mon Sep 17 00:00:00 2001
-Message-Id: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+From d03c0ef520f40c6de691c37e0f168c87b3423015 Mon Sep 17 00:00:00 2001
+Message-Id: <d03c0ef520f40c6de691c37e0f168c87b3423015.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
 From: Steffen Klassert <steffen.klassert@secunet.com>
 Date: Wed, 15 Nov 2017 06:40:57 +0100
-Subject: [PATCH 1/3] Revert "xfrm: Fix stack-out-of-bounds read in
+Subject: [PATCH 4/7] Revert "xfrm: Fix stack-out-of-bounds read in
  xfrm_state_find."
 
 This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
@@ -16,10 +18,10 @@ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  1 file changed, 18 insertions(+), 11 deletions(-)
 
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 6eb228a70131069b..a2e531bf4f976308 100644
+index 2a6093840e7e856e..6bc16bb61b5533ef 100644
 --- a/net/xfrm/xfrm_policy.c
 +++ b/net/xfrm/xfrm_policy.c
-@@ -1361,29 +1361,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
+@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
  	struct net *net = xp_net(policy);
  	int nx;
  	int i, error;
diff --git a/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
index ad4614492736..edd7b24a32d6 100644
--- a/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+++ b/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
@@ -1,10 +1,10 @@
-From 1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f Mon Sep 17 00:00:00 2001
-Message-Id: <1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f.1514245012.git.jan.steffens@gmail.com>
-In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
-References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+From 3721d64246982f91a5bf863fc17ac60ff722e0c4 Mon Sep 17 00:00:00 2001
+Message-Id: <3721d64246982f91a5bf863fc17ac60ff722e0c4.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
 From: Steffen Klassert <steffen.klassert@secunet.com>
 Date: Fri, 22 Dec 2017 10:44:57 +0100
-Subject: [PATCH 2/3] xfrm: Fix stack-out-of-bounds read on socket policy
+Subject: [PATCH 5/7] xfrm: Fix stack-out-of-bounds read on socket policy
  lookup.
 
 When we do tunnel or beet mode, we pass saddr and daddr from the
@@ -24,7 +24,7 @@ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  1 file changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index a2e531bf4f976308..c79ed3bed5d4dc2f 100644
+index 6bc16bb61b5533ef..50c5f46b5cca942e 100644
 --- a/net/xfrm/xfrm_policy.c
 +++ b/net/xfrm/xfrm_policy.c
 @@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
diff --git a/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
index 80a09f9a5469..0a54ce129b3b 100644
--- a/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+++ b/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
@@ -1,10 +1,10 @@
-From a3c64fe9d978f3ee8f21fac5b410c63fe7cce725 Mon Sep 17 00:00:00 2001
-Message-Id: <a3c64fe9d978f3ee8f21fac5b410c63fe7cce725.1514245012.git.jan.steffens@gmail.com>
-In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
-References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+From a79cb4d4e540c72a601ca0494e914565c16e2893 Mon Sep 17 00:00:00 2001
+Message-Id: <a79cb4d4e540c72a601ca0494e914565c16e2893.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
 From: Tejun Heo <tj@kernel.org>
 Date: Wed, 20 Dec 2017 07:09:19 -0800
-Subject: [PATCH 3/3] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
+Subject: [PATCH 6/7] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
 
 While teaching css_task_iter to handle skipping over tasks which
 aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
diff --git a/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
new file mode 100644
index 000000000000..f3af870c7889
--- /dev/null
+++ b/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
@@ -0,0 +1,42 @@
+From 51786b65797aed683ca72293a3cb86a2cab987c0 Mon Sep 17 00:00:00 2001
+Message-Id: <51786b65797aed683ca72293a3cb86a2cab987c0.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Tue, 26 Dec 2017 23:43:54 -0600
+Subject: [PATCH 7/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors
+
+AMD processors are not subject to the types of attacks that the kernel
+page table isolation feature protects against.  The AMD microarchitecture
+does not allow memory references, including speculative references, that
+access higher privileged data when running in a lesser privileged mode
+when that access would result in a page fault.
+
+Disable page table isolation by default on AMD processors by not setting
+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
+is set.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index f2a94dfb434e9a7c..b1be494ab4e8badf 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+ 
+ 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+ 
+-	/* Assume for now that ALL x86 CPUs are insecure */
+-	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++	if (c->x86_vendor != X86_VENDOR_AMD)
++		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+ 
+ 	fpu__init_system(c);
+ 
+-- 
+2.15.1
+
diff --git a/PKGBUILD b/PKGBUILD
index dc7c153719da..43b87cf20d3f 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -66,7 +66,7 @@ _mq_enable=
 
 pkgbase=linux-bfq-mq
 #pkgbase=linux-custom       # Build kernel with a different name
-pkgver=4.14.10
+pkgver=4.14.11
 _srcpatch="${pkgver##*\.*\.}"
 _srcname="linux-${pkgver%%\.${_srcpatch}}"
 pkgrel=1
@@ -130,15 +130,16 @@ source=(# mainline kernel patches
          # standard config files for mkinitcpio ramdisk
         'linux.preset'
         '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch'
-        '0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch'
-        '0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch'
-        '0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch'
-        '0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch'
-        '0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch')
+        '0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch'
+        '0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch'
+        '0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch'
+        '0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch'
+        '0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch'
+        '0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch')
 
 sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
             'SKIP'
-            '16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74'
+            'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
             'SKIP'
             '8b00041911e67654b0bd9602125853a1a94f6155c5cac4f886507554c8324ee8'
             'e04958faa40e3a20f7e7e2bd9580b4c4c45d4d576ea3c6537d2e19de25ae5160'
@@ -150,17 +151,18 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
             'cfe7d6be0c243bcf6e30f1145991424ad3fa90d43bda214e0df613de007699b6'
             '19dd49fd6c50ac74074b354898d6aaf0c1da30e85c4f5770fdb54195b49277b0'
             '7c51d0053053a3a0f6ed8759a5464ed5a3275a9dd832513a5678c3bcead9e5d5'
-            'd3c396f2fbfc1a3919c053224757c488ef1af98d52bd5979f792cf963d555998'
+            '934c661ba5e19f13d39ded0a353bd4d38404bb1b83b66a6f9243c61933fffcdd'
             'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
             '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
             '5f6ba52aaa528c4fa4b1dc097e8930fad0470d7ac489afcb13313f289ca32184'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
-            '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85'
-            'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
-            '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2'
-            'ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32'
-            '64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00'
-            '3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb')
+            '06bc1d8b1cd153c3146a4376d833f5769b980e5ef5eae99ddaaeb48bf514dae2'
+            'b90bef87574f30ec66c0f10d089bea56a9e974b6d052fee3071b1ff21360724b'
+            'f38531dee9fd8a59202ce96ac5b40446f1f035b89788ea9ecb2fb3909f703a25'
+            '705d5fbfce00ccc20490bdfb5853d67d86ac00c845de6ecb13e414214b48daeb'
+            '0a249248534a17f14fab7e14994811ae81fe324668a82ff41f3bcabeeae1460f'
+            '8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711'
+            '914a0a019545ad7d14ed8d5c58d417eb0a8ec12a756beec79a545aabda343b31')
 validpgpkeys=(
               'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
@@ -181,20 +183,24 @@ prepare() {
   
   ### Fix https://bugs.archlinux.org/task/56575
       msg "Fix #56575" 
-      patch -Np1 -i ../0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+      patch -Np1 -i ../0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
 
   ### Fix https://nvd.nist.gov/vuln/detail/CVE-2017-8824
       msg "Fix CVE-2017-8824"
-      patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+      patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
   
   ### Fix https://bugs.archlinux.org/task/56605
       msg "Fix #56605"
-      patch -Np1 -i ../0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
-      patch -Np1 -i ../0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
-
+      patch -Np1 -i ../0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+      patch -Np1 -i ../0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+  
   ### Fix https://bugs.archlinux.org/task/56846
       msg "Fix #56846"
-      patch -Np1 -i ../0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+      patch -Np1 -i ../0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+  
+  ### For AMD processors, keep PTI off by default
+      msg "For AMD processors, keep PTI off by default"
+      patch -Np1 -i ../0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
   
   ### Patch source with BFQ-SQ-MQ
         msg "Fix naming schema in BFQ-SQ-MQ patch"
diff --git a/config b/config
index 73eb5768cc84..31356ca28708 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.9-2 Kernel Configuration
+# Linux/x86 4.14.11-1 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -8154,6 +8154,7 @@ CONFIG_SECURITY=y
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_NETWORK is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_SECURITY_INFINIBAND is not set
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_INTEL_TXT is not set