linux: Init 4.18

pkgs/os-specific/linux/kernel/hardened-config.nix

@@ -103,16 +103,17 @@ PAGE_POISONING_ZERO y
 PANIC_ON_OOPS y
 PANIC_TIMEOUT -1
 
-GCC_PLUGINS y # Enable gcc plugin options
+${optionalString (versionOlder version "4.18") ''
+  GCC_PLUGINS y # Enable gcc plugin options
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+  GCC_PLUGIN_LATENT_ENTROPY y
 
-# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-GCC_PLUGIN_LATENT_ENTROPY y
-
-${optionalString (versionAtLeast version "4.11") ''
-  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-''}
-${optionalString (versionAtLeast version "4.14") ''
-  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+  ${optionalString (versionAtLeast version "4.11") ''
+    GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
+  ''}
+  ${optionalString (versionAtLeast version "4.14") ''
+    GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+  ''}
 ''}
 
 # Disable various dangerous settings
@@ -121,8 +122,10 @@ PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
-CC_STACKPROTECTOR_REGULAR n
-CC_STACKPROTECTOR_STRONG y
+${optionalString (versionOlder version "4.18") ''
+  CC_STACKPROTECTOR_REGULAR n
+  CC_STACKPROTECTOR_STRONG y
+''}
 
 # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
 ${optionalString (versionAtLeast version "4.13") ''

pkgs/os-specific/linux/kernel/linux-4.18.nix

@@ -0,0 +1,18 @@
+{ stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+
+with stdenv.lib;
+
+buildLinux (args // rec {
+  version = "4.18";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = concatStrings (intersperse "." (take 2 (splitString "." version)));
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "1wgay4k8wj08fc711j290fvi81x75yib8iaa6r7csc7mkvsbrn0r";
+  };
+} // (args.argsOverride or {}))

pkgs/top-level/all-packages.nix

@@ -13863,6 +13863,16 @@ with pkgs;
       ];
   };
 
+  linux_4_18 = callPackage ../os-specific/linux/kernel/linux-4.18.nix {
+    kernelPatches =
+      [ kernelPatches.bridge_stp_helper
+        # See pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md
+        # when adding a new linux version
+        # kernelPatches.cpu-cgroup-v2."4.11"
+        kernelPatches.modinst_arg_list_too_long
+      ];
+  };
+
   linux_testing = callPackage ../os-specific/linux/kernel/linux-testing.nix {
     kernelPatches = [
       kernelPatches.bridge_stp_helper
@@ -14056,7 +14066,7 @@ with pkgs;
   linux = linuxPackages.kernel;
 
   # Update this when adding the newest kernel major version!
-  linuxPackages_latest = linuxPackages_4_17;
+  linuxPackages_latest = linuxPackages_4_18;
   linux_latest = linuxPackages_latest.kernel;
 
   # Build the kernel modules for the some of the kernels.
@@ -14067,6 +14077,7 @@ with pkgs;
   linuxPackages_4_9 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_9);
   linuxPackages_4_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_14);
   linuxPackages_4_17 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_17);
+  linuxPackages_4_18 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_18);
   # Don't forget to update linuxPackages_latest!
 
   # Intentionally lacks recurseIntoAttrs, as -rc kernels will quite likely break out-of-tree modules and cause failed Hydra builds.