diff --git a/.gitignore b/.gitignore
index 861ce91..f4a8cdf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,5 @@
 SOURCES/kernel-abi-whitelists-862.tar.bz2
 SOURCES/kernel-kabi-dw-862.tar.bz2
-SOURCES/linux-3.10.0-862.9.1.el7.tar.xz
+SOURCES/linux-3.10.0-862.11.6.el7.tar.xz
 SOURCES/rheldup3.x509
 SOURCES/rhelkpatch1.x509
-SOURCES/centos-kpatch.x509
-SOURCES/centos-ldup.x509
-SOURCES/centos.cer
diff --git a/.kernel.metadata b/.kernel.metadata
index a9d5b74..4a2ff1d 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,8 +1,5 @@
 efae741a95554670fad7c6d32e88b36f15d86070 SOURCES/kernel-abi-whitelists-862.tar.bz2
 7c40338fd3fdbcfba2675aa360301bd578cd1a88 SOURCES/kernel-kabi-dw-862.tar.bz2
-4948958fda4da97b118363131fdea00965c78438 SOURCES/linux-3.10.0-862.9.1.el7.tar.xz
+0a7923d35d52a99f15155cc344f7a5cf1aa7f474 SOURCES/linux-3.10.0-862.11.6.el7.tar.xz
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
-5a7d05a8298cf38d43689470e8e43230d8add0f9 SOURCES/centos-kpatch.x509
-c61172887746663d3bdd9acaa263cbfacf99e8b3 SOURCES/centos-ldup.x509
-6e9105eb51e55a46761838f289a917611cad8091 SOURCES/centos.cer
diff --git a/SOURCES/Makefile.common b/SOURCES/Makefile.common
index ae97ebb..f732cc4 100644
--- a/SOURCES/Makefile.common
+++ b/SOURCES/Makefile.common
@@ -9,7 +9,7 @@ RPMVERSION:=3.10.0
 # marker is git tag which we base off of for exporting patches
 MARKER:=v3.10
 PREBUILD:=
-BUILD:=862.9.1
+BUILD:=862.11.6
 DIST:=.el7
 SPECFILE:=kernel.spec
 RPM:=$(REDHAT)/rpm
diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch
deleted file mode 100644
index 739855c..0000000
--- a/SOURCES/debrand-rh-i686-cpu.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/arch/x86/boot/main.c	2014-06-04 10:05:04.000000000 -0700
-+++ b/arch/x86/boot/main.c	2014-07-09 12:54:40.000000000 -0700
-@@ -146,7 +146,7 @@ void main(void)
- 
- 	/* Make sure we have all the proper CPU support */
- 	if (validate_cpu()) {
--		puts("This processor is unsupported in RHEL7.\n");
-+		puts("This processor is unsupported in CentOS 7.\n");
- 		die();
- 	}
- 
diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch
deleted file mode 100644
index 8ef4557..0000000
--- a/SOURCES/debrand-rh_taint.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 69c0d42cfa26515196896dea086857c2caccb6eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Thu, 19 Jun 2014 10:05:12 -0500
-Subject: [PATCH] branding patch for rh_taint
-
----
- kernel/rh_taint.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/rh_taint.c b/kernel/rh_taint.c
-index 59a74b0..0708e15 100644
---- a/kernel/rh_taint.c
-+++ b/kernel/rh_taint.c
-@@ -8,7 +8,7 @@
- void mark_hardware_unsupported(const char *msg)
- {
- 	/* Print one single message */
--	pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware.\n", msg);
-+	pr_crit("Warning: %s - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information\n", msg);
- }
- EXPORT_SYMBOL(mark_hardware_unsupported);
- 
--- 
-1.8.3.1
-
diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch
deleted file mode 100644
index 9d2e08b..0000000
--- a/SOURCES/debrand-single-cpu.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 66185f5c6f881847776702e3a7956c504400f4f2 Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Thu, 19 Jun 2014 09:53:13 -0500
-Subject: [PATCH] branding patch for single-cpu systems
-
----
- arch/x86/kernel/setup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index b289118..9d25982 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -846,7 +846,7 @@ static void rh_check_supported(void)
- 	if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
- 	    !x86_hyper && !cpu_has_hypervisor && !is_kdump_kernel()) {
- 		pr_crit("Detected single cpu native boot.\n");
--		pr_crit("Important:  In Red Hat Enterprise Linux 7, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
-+		pr_crit("Important:  In CentOS 7, single threaded, single CPU 64-bit physical systems are unsupported. Please see http://wiki.centos.org/FAQ for more information");
- 	}
- 
- 	/* The RHEL7 kernel does not support this hardware.  The kernel will
--- 
-1.8.3.1
-
diff --git a/SOURCES/kernel-3.10.0-x86_64-debug.config b/SOURCES/kernel-3.10.0-x86_64-debug.config
index 60fb8e4..94f5852 100644
--- a/SOURCES/kernel-3.10.0-x86_64-debug.config
+++ b/SOURCES/kernel-3.10.0-x86_64-debug.config
@@ -237,6 +237,7 @@ CONFIG_PROFILING=y
 CONFIG_TRACEPOINTS=y
 CONFIG_CRASH_CORE=y
 CONFIG_KEXEC_CORE=y
+CONFIG_HOTPLUG_SMT=y
 CONFIG_OPROFILE=m
 CONFIG_OPROFILE_EVENT_MULTIPLEX=y
 CONFIG_HAVE_OPROFILE=y
diff --git a/SOURCES/kernel-3.10.0-x86_64.config b/SOURCES/kernel-3.10.0-x86_64.config
index 6bd20a1..03e6cb8 100644
--- a/SOURCES/kernel-3.10.0-x86_64.config
+++ b/SOURCES/kernel-3.10.0-x86_64.config
@@ -237,6 +237,7 @@ CONFIG_PROFILING=y
 CONFIG_TRACEPOINTS=y
 CONFIG_CRASH_CORE=y
 CONFIG_KEXEC_CORE=y
+CONFIG_HOTPLUG_SMT=y
 CONFIG_OPROFILE=m
 CONFIG_OPROFILE_EVENT_MULTIPLEX=y
 CONFIG_HAVE_OPROFILE=y
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
index d98f8fe..b1bbe38 100644
--- a/SOURCES/x509.genkey
+++ b/SOURCES/x509.genkey
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 
 [ req_distinguished_name ]
-O = CentOS
-CN = CentOS Linux kernel signing key
-emailAddress = security@centos.org
+O = Red Hat
+CN = Red Hat Enterprise Linux kernel signing key
+emailAddress = secalert@redhat.com
 
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 4907987..bdd808f 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -14,10 +14,10 @@ Summary: The Linux kernel
 %global distro_build 862
 
 %define rpmversion 3.10.0
-%define pkgrelease 862.9.1.el7
+%define pkgrelease 862.11.6.el7
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 862.9.1%{?dist}
+%define specrelease 862.11.6%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -380,16 +380,16 @@ Source10: sign-modules
 Source11: x509.genkey
 Source12: extra_certificates
 %if %{?released_kernel}
-Source13: centos.cer
+Source13: securebootca.cer
 Source14: secureboot.cer
 %define pesign_name redhatsecureboot301
 %else
-Source13: centos.cer
-Source14: secureboot.cer
+Source13: redhatsecurebootca2.cer
+Source14: redhatsecureboot003.cer
 %define pesign_name redhatsecureboot003
 %endif
-Source15: centos-ldup.x509
-Source16: centos-kpatch.x509
+Source15: rheldup3.x509
+Source16: rhelkpatch1.x509
 
 Source18: check-kabi
 
@@ -431,9 +431,6 @@ Source9999: lastcommit.stat
 
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
-Patch1000: debrand-single-cpu.patch
-Patch1001: debrand-rh_taint.patch
-Patch1002: debrand-rh-i686-cpu.patch
 
 BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
 
@@ -595,11 +592,11 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
 %endif
 
 %package -n kernel-abi-whitelists
-Summary: The CentOS Linux kernel ABI symbol whitelists
+Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists
 Group: System Environment/Kernel
 AutoReqProv: no
 %description -n kernel-abi-whitelists
-The kABI package contains information pertaining to the CentOS
+The kABI package contains information pertaining to the Red Hat Enterprise
 Linux kernel ABI, including lists of kernel symbols that are needed by
 external Linux kernel modules, and a yum plugin to aid enforcement.
 
@@ -752,9 +749,6 @@ cd linux-%{KVRA}
 cp $RPM_SOURCE_DIR/kernel-%{version}-*.config .
 
 ApplyOptionalPatch linux-kernel-test.patch
-ApplyOptionalPatch debrand-single-cpu.patch
-ApplyOptionalPatch debrand-rh_taint.patch
-ApplyOptionalPatch debrand-rh-i686-cpu.patch
 
 # Any further pre-build tree manipulations happen here.
 
@@ -913,7 +907,7 @@ BuildKernel() {
     fi
 # EFI SecureBoot signing, x86_64-only
 %ifarch x86_64
-    %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE13}
+    %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name}
     mv $KernelImage.signed $KernelImage
 %endif
     $CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
@@ -1698,8 +1692,193 @@ fi
 %kernel_variant_files %{with_kdump} kdump
 
 %changelog
-* Mon Jul 16 2018 CentOS Sources <bugs@centos.org> - 3.10.0-862.9.1.el7
-- Apply debranding changes
+* Fri Aug 10 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.6.el7]
+- [kernel] cpu/hotplug: Fix 'online' sysfs entry with 'nosmt' (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+
+* Thu Aug 09 2018 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-862.11.5.el7]
+- [kernel] cpu/hotplug: Enable 'nosmt' as late as possible (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+
+* Tue Aug 07 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.4.el7]
+- [net] ipv6: fix nospec-related regression in ipv6_addr_prefix() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3693}
+
+* Mon Aug 06 2018 Jan Stancek <jstancek@redhat.com> [3.10.0-862.11.3.el7]
+- [net] tcp: add tcp_ooo_try_coalesce() helper (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: call tcp_drop() from tcp_data_queue_ofo() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: detect malicious patterns in tcp_collapse_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: avoid collapses in tcp_prune_queue() if possible (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: free batches of packets in tcp_prune_ofo_queue() (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] net: add rb_to_skb() and other rb tree helpers (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: fix a stale ooo_last_skb after a replace (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: use an RB tree for ooo receive queue (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: refine tcp_prune_ofo_queue() to not drop all packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [net] tcp: increment sk_drops for dropped rx packets (Paolo Abeni) [1611368 1611369] {CVE-2018-5390}
+- [x86] x86/syscall: Fix regression when using the last syscall (pkey_free) (Lauro Ramos Venancio) [1589033 1589035] {CVE-2018-3693}
+
+* Thu Jul 26 2018 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.11.2.el7]
+- [kernel] cpu: hotplug: detect SMT disabled by BIOS (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [documentation] l1tf: Fix typos (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: Remove extra newline in vmentry_l1d_flush sysfs file (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: vmx: Initialize the vmx_l1d_flush_pages' content (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] speculation: l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [documentation] Add section about CPU vulnerabilities (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] bugs, kvm: introduce boot-time control of L1TF mitigations (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu: hotplug: Set CPU_SMT_NOT_SUPPORTED early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu: hotplug: Expose SMT control init function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: Allow runtime control of L1D flush (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: Serialize L1D flush parameter setter (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: Add static key for flush always (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: Move l1tf setup function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Handle EPT disabled state proper (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: Drop L1TF MSR list approach (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] litf: Introduce vmx status variable (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] bugs: Make cpu_show_common() static (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] bugs: Concentrate bug reporting into a separate function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu: hotplug: Online siblings when SMT control is turned on (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: vmx: Use MSR save list for IA32_FLUSH_CMD if required (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: vmx: Extend add_atomic_switch_msr() to allow VMENTER only MSRs (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: vmx: Separate the VMX AUTOLOAD guest/host number accounting (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: vmx: Add find_msr() helper function (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: vmx: Split the VMX MSR LOAD structures to have an host/guest numbers (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities, part 3 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: Warn user if KVM is loaded SMT and L1TF CPU bug being present (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu: hotplug: Boot HT siblings at least once, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] speculation/l1tf: fix typo in l1tf mitigation string (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: protect _PAGE_FILE PTEs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu/hotplug: Boot HT siblings at least once (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- Revert "x86/apic: Ignore secondary threads if nosmt=force" (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] speculation/l1tf: Fix up pte->pfn conversion for PAE (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] speculation/l1tf: Protect PAE swap entries against L1TF (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] speculation/l1tf: Extend 64bit swap file size limit (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] cpu/AMD: Remove the pointless detect_ht() call (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] bugs: Move the l1tf function and define pr_fmt properly (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu/hotplug: Provide knobs to control SMT, part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] topology: Provide topology_smt_supported() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] smp: Provide topology_is_primary_thread(), part 2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] apic: Ignore secondary threads if nosmt=force (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] cpu/AMD: Evaluate smp_num_siblings early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] CPU/AMD: Do not check CPUID max ext level before parsing SMP info (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] cpu/intel: Evaluate smp_num_siblings early (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] cpu/topology: Provide detect_extended_topology_early() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] cpu/common: Provide detect_ht_early() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] cpu: Remove the pointless CPU printout (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu/hotplug: Provide knobs to control SMT (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [kernel] cpu/hotplug: Split do_cpu_down() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] smp: Provide topology_is_primary_thread() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] CPU: Modify detect_extended_topology() to return result (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: fix build for CONFIG_NUMA_BALANCING=n (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: sync with latest L1TF patches (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: protect _PAGE_NUMA PTEs and PMDs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [mm] l1tf: Disallow non privileged high MMIO PROT_NONE mappings (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Report if too much memory for L1TF workaround (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Limit swap file size to MAX_PA/2 (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Add sysfs reporting for l1tf (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Make sure the first page is always reserved (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Protect PROT_NONE PTEs against speculation (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Protect swap entries against L1TF (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] l1tf: Increase 32bit PAE __PHYSICAL_PAGE_MASK (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] mm: Fix swap entry comment and macro (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] spec_ctrl: sync with upstream cpu_set_bug_bits() (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86]  add support for L1D flush MSR (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+- [x86] kvm: mitigation for L1 cache terminal fault vulnerabilities (Josh Poimboeuf) [1593383 1593384] {CVE-2018-3620}
+
+* Fri Jul 20 2018 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.11.1.el7]
+- [tcmu] allow userspace to reset ring (Xiubo Li) [1599669 1562587]
+- [tcmu] remove commands_lock (Xiubo Li) [1599669 1562587]
+- [tcmu] move expired command completion to unmap thread (Xiubo Li) [1599669 1562587]
+- [tcmu] add cmd timeout handling wq (Xiubo Li) [1599669 1562587]
+- [tcmu] don't block submitting context for block waits (Xiubo Li) [1599669 1562587]
+- [tcmu] fix double se_cmd completion (Xiubo Li) [1599669 1562587]
+- [tcmu] replace spin lock with mutex (Xiubo Li) [1599669 1562587]
+- [target] add SAM_STAT_BUSY sense reason (Xiubo Li) [1599669 1562587]
+- [target] core: add device action configfs files (Xiubo Li) [1599669 1562587]
+- [target] Avoid mappedlun symlink creation during lun shutdown (Xiubo Li) [1599656 1585081]
+- [spectre] update Spectre v1 mitigation string (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [spectre] fix hiddev nospec issues (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] syscall: clarify clobbered registers in entry code (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [powerpc] add missing barrier_nospec() in __get_user64_nocheck() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [spectre] fix gadgets found by smatch scanner (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] rme9652: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] hdspm: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] asihpi: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] opl3: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] hda: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] seq: oss: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] seq: oss: Fix unbalanced use lock for synth MIDI device (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [net] atm: Fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [kernel] time: Protect posix clock array access against speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [kernel] sys.c: fix potential Spectre v1 issue (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [sched] autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [perf] core: Fix possible Spectre-v1 indexing for ->aux_pages[] (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [sysvipc] sem: mitigate semnum index against spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [alsa] control: Hardening for potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [usbip] vhci_sysfs: fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [media] dvb_ca_en50221: prevent using slot_info for Spectre attacs (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [media] dvb_ca_en50221: sanity check slot number from userspace (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [atm] zatm: Fix potential Spectre v1 (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] kvm: Update spectre-v1 mitigation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] kvm: Add memory barrier on vmcs field lookup (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_* (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [net] nl80211: Sanitize array index in parse_txq_params (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [include] vfs, fdtable: Prevent bounds-check bypass via speculative execution (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] syscall: Sanitize syscall table de-references under speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [powerpc] Use barrier_nospec in copy_from_user() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [include] nospec: Introduce barrier_nospec for other arches (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] Introduce barrier_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] spectre_v1: Disable compiler optimizations over array_index_mask_nospec() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] Implement array_index_mask_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [documentation] Document array_index_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [include] nospec: Include <asm/barrier.h> dependency (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [include] nospec: Allow index argument to have const-qualified type (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [include] nospec: Kill array_index_nospec_mask_check() (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [include] nospec: Move array_index_nospec() parameter checking into separate macro (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [include] array_index_nospec: Sanitize speculative array de-references (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] get_user: Use pointer masking to limit speculation (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] Introduce __uaccess_begin_nospec() and uaccess_try_nospec (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] usercopy: Replace open coded stac/clac with __uaccess_{begin, end} (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] reorganize SMAP handling in user space accesses (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] uaccess: Tell the compiler that uaccess is unlikely to fault (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+- [x86] uaccess: fix sparse errors (Josh Poimboeuf) [1589033 1589035] {CVE-2018-3690}
+
+* Wed Jul 04 2018 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-862.10.1.el7]
+- [x86] add _TIF_UPROBE to _TIF_DO_NOTIFY_MASK (Oleg Nesterov) [1595155 1579521]
+- [x86] spec_ctrl: Always clear SPEC_CTRL MSRs when disabling IBRS (Radomir Vrbovsky) [1586150 1574730]
+- [sound] alsa: hda/realtek - Add headset mode support for Dell laptop (Jaroslav Kysela) [1588946 1528587]
+- [sound] alsa: hda/realtek - Support headset mode for ALC215/ALC285/ALC289 (Jaroslav Kysela) [1593586 1535427]
+- [mm] compaction: release zone irqlock in isolate_freepages_block (Andrea Arcangeli) [1596283 1582793]
+- [mm] compaction: change the timing to check to drop the spinlock (Andrea Arcangeli) [1596283 1582793]
+- [fs] dcache.c: add cond_resched() in shrink_dentry_list() (Aaron Tomlin) [1596184 1584693]
+- [misc] vmware balloon: Treat init like reset (Cathy Avery) [1595601 1540110]
+- [netdrv] qede: Fix ref-cnt usage count (Chad Dupuis) [1594700 1574847]
+- [x86] kvm: fix LAPIC timer drift when guest uses periodic mode ("Dr. David Alan Gilbert") [1594292 1584775]
+- [x86] kvm: remove APIC Timer periodic/oneshot spikes ("Dr. David Alan Gilbert") [1594292 1584775]
+- [netdrv] mlx4_en: Increase number of default RX rings (Erez Alfasi) [1594127 1520295]
+- [netdrv] mlx4_en: Limit the number of RX rings (Erez Alfasi) [1594127 1520295]
+- [netdrv] mlx4_en: Limit the number of TX rings (Erez Alfasi) [1594127 1520295]
+- [fs] ceph: don't set read_ahead_kb to 0 by default (Ilya Dryomov) [1590825 1579539]
+- [scsi] qla2xxx: Remove stale debug value for login_retry flag (Himanshu Madhani) [1588937 1578880]
+- [x86] topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations (Prarit Bhargava) [1588563 1582023]
+- [acpi] osi: Add OEM _OSI strings to disable NVidia RTD3 (Jaroslav Kysela) [1584685 1581391]
+- [hv] vmbus: Fix a rescind issue (Eduardo Otubo) [1582124 1518498]
+- [linux] libata: enable host-wide tags (Ewan Milne) [1581728 1491014]
+- [ata] libata: remove ATA_FLAG_LOWTAG (Ewan Milne) [1581728 1491014]
+- [ata] Add a new flag to destinguish sas controller (Ewan Milne) [1581728 1491014]
+- [ata] libata: make sata_sil24 use fifo tag allocator (Ewan Milne) [1581728 1491014]
+- [ata] libata: move sas ata tag allocation to libata-scsi.c (Ewan Milne) [1581728 1491014]
+- [ata] libata: use blk taging (Ewan Milne) [1581728 1491014]
+- [nvme] rdma: Use mr pool (David Milburn) [1581347 1547273]
+- [nvme] rdma: Check remotely invalidated rkey matches our expected rkey (David Milburn) [1581347 1547273]
+- [nvme] rdma: wait for local invalidation before completing a request (David Milburn) [1581347 1547273]
+- [nvme] rdma: don't complete requests before a send work request has completed (David Milburn) [1581347 1547273]
+- [nvme] rdma: don't suppress send completions (David Milburn) [1581347 1547273]
+- [x86] kvm: Fix loss of pending INIT due to race (Radim Krcmar) [1580467 1569473]
+- [mm] mempolicy: fix use after free when calling get_mempolicy (Augusto Caringi) [1576759 1576755] {CVE-2018-10675}
+- [sound] alsa: seq: Fix racy pool initializations (Jaroslav Kysela) [1550171 1593586 1550169 1535427] {CVE-2018-7566}
+- [crypto] algif_skcipher: Load TX SG list after waiting (Bruno Eduardo de Oliveira Meneguele) [1541870 1541875] {CVE-2017-13215}
 
 * Wed Jun 27 2018 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-862.9.1.el7]
 - [iscsi-target] Fix iscsi_np reset hung task during parallel delete (Maurizio Lombardi) [1583593 1579217]