diff --git a/.gitignore b/.gitignore
index 144b6d7..8ce718b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,4 @@
 SOURCES/kernel-abi-whitelists-693.tar.bz2
-SOURCES/linux-3.10.0-693.11.1.el7.tar.xz
+SOURCES/linux-3.10.0-693.11.6.el7.tar.xz
 SOURCES/rheldup3.x509
 SOURCES/rhelkpatch1.x509
-SOURCES/centos-kpatch.x509
-SOURCES/centos-ldup.x509
-SOURCES/centos.cer
diff --git a/.kernel.metadata b/.kernel.metadata
index 84cc506..4033069 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,7 +1,4 @@
 4cddbe6531170fad4a6dd31f10512e6bd4298fbd SOURCES/kernel-abi-whitelists-693.tar.bz2
-21a63c4adcc09a688d13d7c2cc35dde9f4bc63e9 SOURCES/linux-3.10.0-693.11.1.el7.tar.xz
+b0cf50a45ee77f54c233f0f8d8f57324e266f3d8 SOURCES/linux-3.10.0-693.11.6.el7.tar.xz
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
-5a7d05a8298cf38d43689470e8e43230d8add0f9 SOURCES/centos-kpatch.x509
-c61172887746663d3bdd9acaa263cbfacf99e8b3 SOURCES/centos-ldup.x509
-6e9105eb51e55a46761838f289a917611cad8091 SOURCES/centos.cer
diff --git a/SOURCES/Makefile.common b/SOURCES/Makefile.common
index 951b4a7..a130368 100644
--- a/SOURCES/Makefile.common
+++ b/SOURCES/Makefile.common
@@ -9,7 +9,7 @@ RPMVERSION:=3.10.0
 # marker is git tag which we base off of for exporting patches
 MARKER:=v3.10
 PREBUILD:=
-BUILD:=693.11.1
+BUILD:=693.11.6
 DIST:=.el7
 SPECFILE:=kernel.spec
 RPM:=$(REDHAT)/rpm
diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch
deleted file mode 100644
index 739855c..0000000
--- a/SOURCES/debrand-rh-i686-cpu.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/arch/x86/boot/main.c	2014-06-04 10:05:04.000000000 -0700
-+++ b/arch/x86/boot/main.c	2014-07-09 12:54:40.000000000 -0700
-@@ -146,7 +146,7 @@ void main(void)
- 
- 	/* Make sure we have all the proper CPU support */
- 	if (validate_cpu()) {
--		puts("This processor is unsupported in RHEL7.\n");
-+		puts("This processor is unsupported in CentOS 7.\n");
- 		die();
- 	}
- 
diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch
deleted file mode 100644
index 8ef4557..0000000
--- a/SOURCES/debrand-rh_taint.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 69c0d42cfa26515196896dea086857c2caccb6eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Thu, 19 Jun 2014 10:05:12 -0500
-Subject: [PATCH] branding patch for rh_taint
-
----
- kernel/rh_taint.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/rh_taint.c b/kernel/rh_taint.c
-index 59a74b0..0708e15 100644
---- a/kernel/rh_taint.c
-+++ b/kernel/rh_taint.c
-@@ -8,7 +8,7 @@
- void mark_hardware_unsupported(const char *msg)
- {
- 	/* Print one single message */
--	pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware.\n", msg);
-+	pr_crit("Warning: %s - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information\n", msg);
- }
- EXPORT_SYMBOL(mark_hardware_unsupported);
- 
--- 
-1.8.3.1
-
diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch
deleted file mode 100644
index 9d2e08b..0000000
--- a/SOURCES/debrand-single-cpu.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 66185f5c6f881847776702e3a7956c504400f4f2 Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Thu, 19 Jun 2014 09:53:13 -0500
-Subject: [PATCH] branding patch for single-cpu systems
-
----
- arch/x86/kernel/setup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index b289118..9d25982 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -846,7 +846,7 @@ static void rh_check_supported(void)
- 	if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
- 	    !x86_hyper && !cpu_has_hypervisor && !is_kdump_kernel()) {
- 		pr_crit("Detected single cpu native boot.\n");
--		pr_crit("Important:  In Red Hat Enterprise Linux 7, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
-+		pr_crit("Important:  In CentOS 7, single threaded, single CPU 64-bit physical systems are unsupported. Please see http://wiki.centos.org/FAQ for more information");
- 	}
- 
- 	/* The RHEL7 kernel does not support this hardware.  The kernel will
--- 
-1.8.3.1
-
diff --git a/SOURCES/kernel-3.10.0-x86_64-debug.config b/SOURCES/kernel-3.10.0-x86_64-debug.config
index cef4d51..84d4d24 100644
--- a/SOURCES/kernel-3.10.0-x86_64-debug.config
+++ b/SOURCES/kernel-3.10.0-x86_64-debug.config
@@ -5683,6 +5683,7 @@ CONFIG_KEYS_DEBUG_PROC_KEYS=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
+CONFIG_KAISER=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
 CONFIG_SECURITY_SECURELEVEL=y
diff --git a/SOURCES/kernel-3.10.0-x86_64.config b/SOURCES/kernel-3.10.0-x86_64.config
index 9464afc..c6a4d48 100644
--- a/SOURCES/kernel-3.10.0-x86_64.config
+++ b/SOURCES/kernel-3.10.0-x86_64.config
@@ -5658,6 +5658,7 @@ CONFIG_KEYS_DEBUG_PROC_KEYS=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
+CONFIG_KAISER=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
 CONFIG_SECURITY_SECURELEVEL=y
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
index d98f8fe..b1bbe38 100644
--- a/SOURCES/x509.genkey
+++ b/SOURCES/x509.genkey
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 
 [ req_distinguished_name ]
-O = CentOS
-CN = CentOS Linux kernel signing key
-emailAddress = security@centos.org
+O = Red Hat
+CN = Red Hat Enterprise Linux kernel signing key
+emailAddress = secalert@redhat.com
 
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 1c0e87e..a7478b2 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -12,7 +12,7 @@ Summary: The Linux kernel
 %global distro_build 693
 
 %define rpmversion 3.10.0
-%define pkgrelease 693.11.1.el7
+%define pkgrelease 693.11.6.el7
 
 %define pkg_release %{pkgrelease}%{?buildid}
 
@@ -359,16 +359,16 @@ Source10: sign-modules
 Source11: x509.genkey
 Source12: extra_certificates
 %if %{?released_kernel}
-Source13: centos.cer
+Source13: securebootca.cer
 Source14: secureboot.cer
 %define pesign_name redhatsecureboot301
 %else
-Source13: centos.cer
-Source14: secureboot.cer
+Source13: redhatsecurebootca2.cer
+Source14: redhatsecureboot003.cer
 %define pesign_name redhatsecureboot003
 %endif
-Source15: centos-ldup.x509
-Source16: centos-kpatch.x509
+Source15: rheldup3.x509
+Source16: rhelkpatch1.x509
 
 Source18: check-kabi
 
@@ -406,9 +406,6 @@ Source9999: lastcommit.stat
 
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
-Patch1000: debrand-single-cpu.patch
-Patch1001: debrand-rh_taint.patch
-Patch1002: debrand-rh-i686-cpu.patch
 
 BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
 
@@ -570,11 +567,11 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
 %endif
 
 %package -n kernel-abi-whitelists
-Summary: The CentOS Linux kernel ABI symbol whitelists
+Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists
 Group: System Environment/Kernel
 AutoReqProv: no
 %description -n kernel-abi-whitelists
-The kABI package contains information pertaining to the CentOS
+The kABI package contains information pertaining to the Red Hat Enterprise
 Linux kernel ABI, including lists of kernel symbols that are needed by
 external Linux kernel modules, and a yum plugin to aid enforcement.
 
@@ -717,9 +714,6 @@ cd linux-%{KVRA}
 cp $RPM_SOURCE_DIR/kernel-%{version}-*.config .
 
 ApplyOptionalPatch linux-kernel-test.patch
-ApplyOptionalPatch debrand-single-cpu.patch
-ApplyOptionalPatch debrand-rh_taint.patch
-ApplyOptionalPatch debrand-rh-i686-cpu.patch
 
 # Any further pre-build tree manipulations happen here.
 
@@ -878,7 +872,7 @@ BuildKernel() {
     fi
 # EFI SecureBoot signing, x86_64-only
 %ifarch x86_64
-    %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE13}
+    %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name}
     mv $KernelImage.signed $KernelImage
 %endif
     $CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
@@ -1588,8 +1582,153 @@ fi
 %kernel_variant_files %{with_kdump} kdump
 
 %changelog
-* Thu Nov 30 2017 CentOS Sources <bugs@centos.org> - 3.10.0-693.11.1.el7
-- Apply debranding changes
+* Thu Dec 28 2017 Denys Vlasenko <dvlasenk@redhat.com> [3.10.0-693.11.6.el7]
+- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
+- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
+- [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
+- [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
+
+* Fri Dec 22 2017 Denys Vlasenko <dvlasenk@redhat.com> [3.10.0-693.11.5.el7]
+- [x86] kaiser/mm: convert userland visible "kpti" name to "pti" (Andrea Arcangeli) [1519795 1519798]
+- Revert "x86/entry: Use retpoline for syscall's indirect calls" (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: set IBRS during resume from RAM if ibrs_enabled is 2 (Andrea Arcangeli) [1519795 1519798]
+- [x86] kaiser/mm: __load_cr3 in resume from RAM after kernel gs has been restored (Andrea Arcangeli) [1519795 1519798]
+
+* Tue Dec 19 2017 Denys Vlasenko <dvlasenk@redhat.com> [3.10.0-693.11.4.el7]
+- [x86] spec_ctrl: allow use_ibp_disable only if both SPEC_CTRL and IBPB_SUPPORT are missing (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: Documentation spec_ctrl.txt (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: remove irqs_disabled() check from intel_idle() (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: use enum when setting ibrs/ibpb_enabled (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: undo speculation barrier for ibrs_enabled and noibrs_cmdline (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: introduce ibpb_enabled = 2 for IBPB instead of IBRS (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: introduce SPEC_CTRL_PCP_ONLY_IBPB (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: cleanup s/flush/sync/ naming when sending IPIs (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: set IBRS during CPU init if in ibrs_enabled == 2 (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: use IBRS_ENABLED instead of 1 (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: allow the IBP disable feature to be toggled at runtime (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: always initialize save_reg in ENABLE_IBRS_SAVE_AND_CLOBBER (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: ibrs_enabled() is expected to return > 1 (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: issue a __spec_ctrl_ibpb if a credential check isn't possible (Andrea Arcangeli) [1519795 1519798]
+- [x86] mm/kaiser: disable global pages by default with KAISER (Andrea Arcangeli) [1519795 1519798]
+- Revert "x86/mm/kaiser: Disable global pages by default with KAISER" (Andrea Arcangeli) [1519795 1519798]
+- ibpb: don't optimize spec_cntrl_ibpb on PREEMPT_RCU (Andrea Arcangeli) [1519795 1519798]
+- [x86] spec_ctrl: clear registers after 32bit syscall stackframe is setup (Andrea Arcangeli) [1519800 1519801]
+- [x86] spec_ctrl: reload spec_ctrl cpuid in all microcode load paths (Andrea Arcangeli) [1519800 1519801]
+- [x86] kaiser/mm: fix pgd freeing in error path (Andrea Arcangeli) [1519800 1519801]
+
+* Wed Dec 13 2017 Denys Vlasenko <dvlasenk@redhat.com> [3.10.0-693.11.3.el7]
+- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
+- [x86] entry: Remove trampoline check from paranoid entry path (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
+- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
+- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
+- [x86] dumpstack: Remove raw stack dump (Josh Poimboeuf) [1519795 1519798]
+- [x86] spec_ctrl: remove SPEC_CTRL_DEBUG code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: cleanup unnecessary ptregscall_common function (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] syscall: Clear unused extra registers on syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: rescan cpuid after a late microcode update (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: consolidate the spec control boot detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: add debug aid to test the entry code without microcode (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] mm: Only set IBPB when the new thread cannot ptrace current thread (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] mm: Set IBPB upon context switch (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] idle: Disable IBRS when offlining cpu and re-enable on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: implement spec ctrl C methods (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] enter: Use IBRS on syscall and interrupts (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] enter: MACROS to set/clear IBRS and set IBPB (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] svm: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [kvm] vmx: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [kvm] x86: clear registers on VM exit (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] kvm: pad RSB on VM transition (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] feature: Report presence of IBPB and IBRS control (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [x86] feature: Enable the x86 feature to control Speculation (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [tools] objtool: Don't print 'call dest' warnings for ignored functions (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
+- [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [fs] udf: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [kernel] userns: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [scsi] qla2xxx: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [netdrv] p54: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [netdrv] carl9170: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [media] uvcvideo: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [misc] locking/barriers: introduce new memory barrier gmb() (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
+- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: fix RESTORE_CR3 crash in kaiser_stop_machine (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: use stop_machine for enable/disable knob (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: use atomic ops to poison/unpoison user pagetables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: stop patching flush_tlb_single (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm: If INVPCID is available, use it to flush global mappings (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/64: Fix reboot interaction with CR4.PCIDE (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/64: Initialize CR4.PCIDE early (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: validate trampoline stack (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: isolate the user mapped per cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: enable kaiser in build (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: selective boot time defaults (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: handle call to xen_pv_domain() on PREEMPT_RT (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: Respect disabled CPU features (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: trampoline stack comments (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: stack trampoline (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: remove paravirt clock warning (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: re-enable vsyscalls (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: allow to build KAISER with KASRL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: un-poison PGDs at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: add a function to check for KAISER being enabled (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: disable native VSYSCALL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: map debug IDT tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: add kprobes text section (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: map trace interrupt entry (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: map entry stack per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: map dynamically-allocated LDTs (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: make sure static PGDs are 8k in size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: add cr3 switches to entry code (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: remove scratch registers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/kaiser: Disable global pages by default with KAISER (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm: Document X86_CR4_PGE toggling behavior (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [x86] increase robusteness of bad_iret fixup handler (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [perf] x86/intel/uncore: Fix memory leaks on allocation failures (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [mm] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [fs] userfaultfd: non-cooperative: fix fork use after free (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [mm] userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
+- [mm] fix bad rss-counter if remap_file_pages raced migration (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
 
 * Fri Oct 27 2017 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-693.11.1.el7]
 - [powerpc] perf: Fix book3s kernel to userspace backtraces (Gustavo Duarte) [1506143 1492669]