Diffstat (limited to 'pkgs/os-specific/linux/kernel')
-rw-r--r--pkgs/os-specific/linux/kernel/hardened-config.nix25
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.14.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.17.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.18.nix18
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.4.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.9.nix4
6 files changed, 40 insertions, 19 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 7e277617b61..309b5f6c74e 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -103,16 +103,17 @@ PAGE_POISONING_ZERO y
 PANIC_ON_OOPS y
 PANIC_TIMEOUT -1
 
-GCC_PLUGINS y # Enable gcc plugin options
+${optionalString (versionOlder version "4.18") ''
+  GCC_PLUGINS y # Enable gcc plugin options
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+  GCC_PLUGIN_LATENT_ENTROPY y
 
-# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-GCC_PLUGIN_LATENT_ENTROPY y
-
-${optionalString (versionAtLeast version "4.11") ''
-  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-''}
-${optionalString (versionAtLeast version "4.14") ''
-  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+  ${optionalString (versionAtLeast version "4.11") ''
+    GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
+  ''}
+  ${optionalString (versionAtLeast version "4.14") ''
+    GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+  ''}
 ''}
 
 # Disable various dangerous settings
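Review bot: On kernels 4.18 and newer the new `versionOlder version "4.18"` wrapper removes `GCC_PLUGIN_LATENT_ENTROPY`, `GCC_PLUGIN_STRUCTLEAK` and `GCC_PLUGIN_STRUCTLEAK_BYREF_ALL` from the hardened profile, and nothing in the file says why or whether this is temporary. Presumably these options cannot yet be set during 4.18 config generation, since from 4.18 `GCC_PLUGINS` is only offered when the compiler's plugin support is detected. As written, a reader of the hardened config cannot tell that the boot-time entropy gathering and structleak hardening are absent on the newest kernel. I would add a comment directly above the wrapper, for example `# FIXME: GCC plugin hardening is skipped on >= 4.18; re-enable once the plugin options can be configured there`.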
@@ -121,8 +122,10 @@ PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
-CC_STACKPROTECTOR_REGULAR n
-CC_STACKPROTECTOR_STRONG y
+${optionalString (versionOlder version "4.18") ''
+  CC_STACKPROTECTOR_REGULAR n
+  CC_STACKPROTECTOR_STRONG y
+''}
 
 # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
 ${optionalString (versionAtLeast version "4.13") ''
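Review bot: The `versionOlder version "4.18"` guard around the stack protector options leaves 4.18 and newer with no explicit stack-canary setting, so the hardened profile depends on the kernel's defaults there. Kernel 4.18 renamed these symbols, so the old names could not simply be kept. A matching `versionAtLeast version "4.18"` branch holding `STACKPROTECTOR y` and `STACKPROTECTOR_STRONG y` would keep the request explicit. That also keeps the `-fstack-protector-strong` comment above the guard accurate for every supported version.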
diff --git a/pkgs/os-specific/linux/kernel/linux-4.14.nix b/pkgs/os-specific/linux/kernel/linux-4.14.nix
index 9c9957d2193..400574a3144 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 
 buildLinux (args // rec {
-  version = "4.14.61";
+  version = "4.14.62";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1s3h3js073h4ww2dryip91d2lvmgv439ly2vya9x7rvilwhwa3hd";
+    sha256 = "1ar29ikway5im17iw9ag1fxivr7sbj8nhxxw347xqmp1irz4vjji";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.17.nix b/pkgs/os-specific/linux/kernel/linux-4.17.nix
index b98cf98904e..fda3b77c0a8 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.17.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.17.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 
 buildLinux (args // rec {
-  version = "4.17.13";
+  version = "4.17.14";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0x1zas3jwvhjkifh20cwpd2g0glgr8m7h8lqng7awrd116xkw2w2";
+    sha256 = "1bxsiishhw6ichifqglkbcmgc0518ih396yi23clvrsfyj6h6in8";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.18.nix b/pkgs/os-specific/linux/kernel/linux-4.18.nix
new file mode 100644
index 00000000000..4f183b696cc
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-4.18.nix
@@ -0,0 +1,18 @@
+{ stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+
+with stdenv.lib;
+
+buildLinux (args // rec {
+  version = "4.18";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = concatStrings (intersperse "." (take 2 (splitString "." version)));
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "1wgay4k8wj08fc711j290fvi81x75yib8iaa6r7csc7mkvsbrn0r";
+  };
+} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 60a4d5a76ed..60113959665 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,11 +1,11 @@
 { stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.4.146";
+  version = "4.4.147";
   extraMeta.branch = "4.4";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1xbxw6yvbjam0xj8j44h730dpf5v94pcf9j7iivcmasgjp61120z";
+    sha256 = "06mcilxd5qi8snycb5bhy52icbbwfl056xwmra66yknmpycyad67";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index 1863aadf8f1..d29855a093e 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -1,11 +1,11 @@
 { stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.118";
+  version = "4.9.119";
   extraMeta.branch = "4.9";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0myx79rmxgjbr87r815vybmbg6iqgd3nycildrpwsh301kj8kxvx";
+    sha256 = "0d8bwsma9j7dhgymcfbchr8k3503w5vp3p18mfqv81x6l40pzqa9";
   };
 } // (args.argsOverride or {}))