4.14.14-300.fc27.gnu

author: Alexandre Oliva <lxoliva@fsfla.org> 2018-01-20 09:23:18 +0000
committer: Alexandre Oliva <lxoliva@fsfla.org> 2018-01-20 09:23:18 +0000
commit: b925f623020d921032ce2fc09af8752b3bc469d3 (patch)
tree: 54243499f699943cbdbb0c56e8db5f78713f6f7f
parent: 7a38fe51191195b46183dd0588983d1d6a9d6dc7 (diff)
download: linux-libre-raptor-b925f623020d921032ce2fc09af8752b3bc469d3.tar.gz
linux-libre-raptor-b925f623020d921032ce2fc09af8752b3bc469d3.zip
14 files changed, 1390 insertions, 2278 deletions
diff --git a/freed-ora/current/f27/0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch b/freed-ora/current/f27/0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
deleted file mode 100644
index b44c184d9..000000000
--- a/freed-ora/current/f27/0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From e4d0e84e490790798691aaa0f2e598637f1867ec Mon Sep 17 00:00:00 2001
-From: Tom Lendacky <thomas.lendacky@amd.com>
-Date: Mon, 8 Jan 2018 16:09:21 -0600
-Subject: [PATCH 1/2] x86/cpu/AMD: Make LFENCE a serializing instruction
-
-To aid in speculation control, make LFENCE a serializing instruction
-since it has less overhead than MFENCE.  This is done by setting bit 1
-of MSR 0xc0011029 (DE_CFG).  Some families that support LFENCE do not
-have this MSR.  For these families, the LFENCE instruction is already
-serializing.
-
-Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/20180108220921.12580.71694.stgit@tlendack-t1.amdoffice.net
----
- arch/x86/include/asm/msr-index.h |  2 ++
- arch/x86/kernel/cpu/amd.c        | 10 ++++++++++
- 2 files changed, 12 insertions(+)
-
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index ab022618a50a..1e7d710fef43 100644
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -352,6 +352,8 @@
- #define FAM10H_MMIO_CONF_BASE_MASK	0xfffffffULL
- #define FAM10H_MMIO_CONF_BASE_SHIFT	20
- #define MSR_FAM10H_NODE_ID		0xc001100c
-+#define MSR_F10H_DECFG			0xc0011029
-+#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1
-
- /* K8 MSRs */
- #define MSR_K8_TOP_MEM1			0xc001001a
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index bcb75dc97d44..5b438d81beb2 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -829,6 +829,16 @@ static void init_amd(struct cpuinfo_x86 *c)
- 		set_cpu_cap(c, X86_FEATURE_K8);
-
- 	if (cpu_has(c, X86_FEATURE_XMM2)) {
-+		/*
-+		 * A serializing LFENCE has less overhead than MFENCE, so
-+		 * use it for execution serialization.  On families which
-+		 * don't have that MSR, LFENCE is already serializing.
-+		 * msr_set_bit() uses the safe accessors, too, even if the MSR
-+		 * is not present.
-+		 */
-+		msr_set_bit(MSR_F10H_DECFG,
-+			    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
-+
- 		/* MFENCE stops RDTSC speculation */
- 		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
- 	}
--- 
-2.14.3
-
diff --git a/freed-ora/current/f27/0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch b/freed-ora/current/f27/0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
deleted file mode 100644
index e358c16f9..000000000
--- a/freed-ora/current/f27/0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 99c6fa2511d8a683e61468be91b83f85452115fa Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Sat, 6 Jan 2018 11:49:23 +0000
-Subject: [PATCH 1/2] x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
-
-Add the bug bits for spectre v1/2 and force them unconditionally for all
-cpus.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Cc: stable@vger.kernel.org
-Link: https://lkml.kernel.org/r/1515239374-23361-2-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/include/asm/cpufeatures.h | 2 ++
- arch/x86/kernel/cpu/common.c       | 3 +++
- 2 files changed, 5 insertions(+)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 21ac898df2d8..1641c2f96363 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -342,5 +342,7 @@
- #define X86_BUG_MONITOR			X86_BUG(12) /* IPI required to wake up remote CPU */
- #define X86_BUG_AMD_E400		X86_BUG(13) /* CPU is among the affected by Erratum 400 */
- #define X86_BUG_CPU_MELTDOWN		X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
-+#define X86_BUG_SPECTRE_V1		X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
-+#define X86_BUG_SPECTRE_V2		X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
-
- #endif /* _ASM_X86_CPUFEATURES_H */
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 2d3bd2215e5b..372ba3fb400f 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -902,6 +902,9 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
- 	if (c->x86_vendor != X86_VENDOR_AMD)
- 		setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
-
-+	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-+	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-+
- 	fpu__init_system(c);
-
- #ifdef CONFIG_X86_32
--- 
-2.14.3
-
diff --git a/freed-ora/current/f27/0002-sysfs-cpu-Add-vulnerability-folder.patch b/freed-ora/current/f27/0002-sysfs-cpu-Add-vulnerability-folder.patch
deleted file mode 100644
index 8f1ae3a6a..000000000
--- a/freed-ora/current/f27/0002-sysfs-cpu-Add-vulnerability-folder.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From 87590ce6e373d1a5401f6539f0c59ef92dd924a9 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Sun, 7 Jan 2018 22:48:00 +0100
-Subject: [PATCH 2/2] sysfs/cpu: Add vulnerability folder
-
-As the meltdown/spectre problem affects several CPU architectures, it makes
-sense to have common way to express whether a system is affected by a
-particular vulnerability or not. If affected the way to express the
-mitigation should be common as well.
-
-Create /sys/devices/system/cpu/vulnerabilities folder and files for
-meltdown, spectre_v1 and spectre_v2.
-
-Allow architectures to override the show function.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Will Deacon <will.deacon@arm.com>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Linus Torvalds <torvalds@linuxfoundation.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Link: https://lkml.kernel.org/r/20180107214913.096657732@linutronix.de
----
- Documentation/ABI/testing/sysfs-devices-system-cpu | 16 ++++++++
- drivers/base/Kconfig                               |  3 ++
- drivers/base/cpu.c                                 | 48 ++++++++++++++++++++++
- include/linux/cpu.h                                |  7 ++++
- 4 files changed, 74 insertions(+)
-
-diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
-index f3d5817c4ef0..bd3a88e16d8b 100644
---- a/Documentation/ABI/testing/sysfs-devices-system-cpu
-+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
-@@ -373,3 +373,19 @@ Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
- Description:	information about CPUs heterogeneity.
-
- 		cpu_capacity: capacity of cpu#.
-+
-+What:		/sys/devices/system/cpu/vulnerabilities
-+		/sys/devices/system/cpu/vulnerabilities/meltdown
-+		/sys/devices/system/cpu/vulnerabilities/spectre_v1
-+		/sys/devices/system/cpu/vulnerabilities/spectre_v2
-+Date:		Januar 2018
-+Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
-+Description:	Information about CPU vulnerabilities
-+
-+		The files are named after the code names of CPU
-+		vulnerabilities. The output of those files reflects the
-+		state of the CPUs in the system. Possible output values:
-+
-+		"Not affected"	  CPU is not affected by the vulnerability
-+		"Vulnerable"	  CPU is affected and no mitigation in effect
-+		"Mitigation: $M"  CPU is affetcted and mitigation $M is in effect
-diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
-index 2f6614c9a229..37a71fd9043f 100644
---- a/drivers/base/Kconfig
-+++ b/drivers/base/Kconfig
-@@ -235,6 +235,9 @@ config GENERIC_CPU_DEVICES
- config GENERIC_CPU_AUTOPROBE
- 	bool
-
-+config GENERIC_CPU_VULNERABILITIES
-+	bool
-+
- config SOC_BUS
- 	bool
- 	select GLOB
-diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
-index 321cd7b4d817..825964efda1d 100644
---- a/drivers/base/cpu.c
-+++ b/drivers/base/cpu.c
-@@ -501,10 +501,58 @@ static void __init cpu_dev_register_generic(void)
- #endif
- }
-
-+#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
-+
-+ssize_t __weak cpu_show_meltdown(struct device *dev,
-+				 struct device_attribute *attr, char *buf)
-+{
-+	return sprintf(buf, "Not affected\n");
-+}
-+
-+ssize_t __weak cpu_show_spectre_v1(struct device *dev,
-+				   struct device_attribute *attr, char *buf)
-+{
-+	return sprintf(buf, "Not affected\n");
-+}
-+
-+ssize_t __weak cpu_show_spectre_v2(struct device *dev,
-+				   struct device_attribute *attr, char *buf)
-+{
-+	return sprintf(buf, "Not affected\n");
-+}
-+
-+static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
-+static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
-+static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
-+
-+static struct attribute *cpu_root_vulnerabilities_attrs[] = {
-+	&dev_attr_meltdown.attr,
-+	&dev_attr_spectre_v1.attr,
-+	&dev_attr_spectre_v2.attr,
-+	NULL
-+};
-+
-+static const struct attribute_group cpu_root_vulnerabilities_group = {
-+	.name  = "vulnerabilities",
-+	.attrs = cpu_root_vulnerabilities_attrs,
-+};
-+
-+static void __init cpu_register_vulnerabilities(void)
-+{
-+	if (sysfs_create_group(&cpu_subsys.dev_root->kobj,
-+			       &cpu_root_vulnerabilities_group))
-+		pr_err("Unable to register CPU vulnerabilities\n");
-+}
-+
-+#else
-+static inline void cpu_register_vulnerabilities(void) { }
-+#endif
-+
- void __init cpu_dev_init(void)
- {
- 	if (subsys_system_register(&cpu_subsys, cpu_root_attr_groups))
- 		panic("Failed to register CPU subsystem");
-
- 	cpu_dev_register_generic();
-+	cpu_register_vulnerabilities();
- }
-diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index 938ea8ae0ba4..c816e6f2730c 100644
---- a/include/linux/cpu.h
-+++ b/include/linux/cpu.h
-@@ -47,6 +47,13 @@ extern void cpu_remove_dev_attr(struct device_attribute *attr);
- extern int cpu_add_dev_attr_group(struct attribute_group *attrs);
- extern void cpu_remove_dev_attr_group(struct attribute_group *attrs);
-
-+extern ssize_t cpu_show_meltdown(struct device *dev,
-+				 struct device_attribute *attr, char *buf);
-+extern ssize_t cpu_show_spectre_v1(struct device *dev,
-+				   struct device_attribute *attr, char *buf);
-+extern ssize_t cpu_show_spectre_v2(struct device *dev,
-+				   struct device_attribute *attr, char *buf);
-+
- extern __printf(4, 5)
- struct device *cpu_device_create(struct device *parent, void *drvdata,
- 				 const struct attribute_group **groups,
--- 
-2.14.3
-
diff --git a/freed-ora/current/f27/0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch b/freed-ora/current/f27/0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
deleted file mode 100644
index 8676c732f..000000000
--- a/freed-ora/current/f27/0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 9c6a73c75864ad9fa49e5fa6513e4c4071c0e29f Mon Sep 17 00:00:00 2001
-From: Tom Lendacky <thomas.lendacky@amd.com>
-Date: Mon, 8 Jan 2018 16:09:32 -0600
-Subject: [PATCH 2/2] x86/cpu/AMD: Use LFENCE_RDTSC in preference to
- MFENCE_RDTSC
-
-With LFENCE now a serializing instruction, use LFENCE_RDTSC in preference
-to MFENCE_RDTSC.  However, since the kernel could be running under a
-hypervisor that does not support writing that MSR, read the MSR back and
-verify that the bit has been set successfully.  If the MSR can be read
-and the bit is set, then set the LFENCE_RDTSC feature, otherwise set the
-MFENCE_RDTSC feature.
-
-Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/20180108220932.12580.52458.stgit@tlendack-t1.amdoffice.net
----
- arch/x86/include/asm/msr-index.h |  1 +
- arch/x86/kernel/cpu/amd.c        | 18 ++++++++++++++++--
- 2 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index 1e7d710fef43..fa11fb1fa570 100644
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -354,6 +354,7 @@
- #define MSR_FAM10H_NODE_ID		0xc001100c
- #define MSR_F10H_DECFG			0xc0011029
- #define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1
-+#define MSR_F10H_DECFG_LFENCE_SERIALIZE		BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT)
-
- /* K8 MSRs */
- #define MSR_K8_TOP_MEM1			0xc001001a
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 5b438d81beb2..ea831c858195 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -829,6 +829,9 @@ static void init_amd(struct cpuinfo_x86 *c)
- 		set_cpu_cap(c, X86_FEATURE_K8);
-
- 	if (cpu_has(c, X86_FEATURE_XMM2)) {
-+		unsigned long long val;
-+		int ret;
-+
- 		/*
- 		 * A serializing LFENCE has less overhead than MFENCE, so
- 		 * use it for execution serialization.  On families which
-@@ -839,8 +842,19 @@ static void init_amd(struct cpuinfo_x86 *c)
- 		msr_set_bit(MSR_F10H_DECFG,
- 			    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
-
--		/* MFENCE stops RDTSC speculation */
--		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
-+		/*
-+		 * Verify that the MSR write was successful (could be running
-+		 * under a hypervisor) and only then assume that LFENCE is
-+		 * serializing.
-+		 */
-+		ret = rdmsrl_safe(MSR_F10H_DECFG, &val);
-+		if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) {
-+			/* A serializing LFENCE stops RDTSC speculation */
-+			set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
-+		} else {
-+			/* MFENCE stops RDTSC speculation */
-+			set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
-+		}
- 	}
-
- 	/*
--- 
-2.14.3
-
diff --git a/freed-ora/current/f27/cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/freed-ora/current/f27/cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
deleted file mode 100644
index fc84559d0..000000000
--- a/freed-ora/current/f27/cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From patchwork Wed Dec 20 15:13:31 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [cgroup/for-4.15-fixes] cgroup: fix css_task_iter crash on
- CSS_TASK_ITER_PROC
-From: Tejun Heo <tj@kernel.org>
-X-Patchwork-Id: 10125801
-Message-Id: <20171220151331.GA3413940@devbig577.frc2.facebook.com>
-To: Laura Abbott <labbott@redhat.com>
-Cc: Zefan Li <lizefan@huawei.com>, linux-kernel@vger.kernel.org,
- cgroups@vger.kernel.org, regressions@leemhuis.info,
- Bronek Kozicki <brok@incorrekt.com>, George Amanakis <gamanakis@gmail.com>
-Date: Wed, 20 Dec 2017 07:13:31 -0800
-
-Hello,
-
-Applied the following to cgroup/for-4.15-fixes.  Will push out to
-linus later this week.  I could reproduce the problem reliably and am
-pretty sure this is the right fix but I'd greatly appreciate if you
-guys can confirm the fix too.
-
-Thank you very much.
-
------- 8< ------
->From 74d0833c659a8a54735e5efdd44f4b225af68586 Mon Sep 17 00:00:00 2001
-From: Tejun Heo <tj@kernel.org>
-Date: Wed, 20 Dec 2017 07:09:19 -0800
-
-While teaching css_task_iter to handle skipping over tasks which
-aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
-css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
-silly bug.
-
-CSS_TASK_ITER_PROCS is implemented by repeating
-css_task_iter_advance() while the advanced cursor is pointing to a
-non-leader thread.  However, the cursor variable, @l, wasn't updated
-when the iteration has to advance to the next css_set and the
-following repetition would operate on the terminal @l from the
-previous iteration which isn't pointing to a valid task leading to
-oopses like the following or infinite looping.
-
-  BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
-  IP: __task_pid_nr_ns+0xc7/0xf0
-  PGD 0 P4D 0
-  Oops: 0000 [#1] SMP
-  ...
-  CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
-  Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
-  task: ffff88c4baee8000 task.stack: ffff96d5c3158000
-  RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
-  RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
-  RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
-  RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
-  RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
-  R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
-  R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
-  FS:  00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
-  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-  CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
-  Call Trace:
-   cgroup_procs_show+0x19/0x30
-   cgroup_seqfile_show+0x4c/0xb0
-   kernfs_seq_show+0x21/0x30
-   seq_read+0x2ec/0x3f0
-   kernfs_fop_read+0x134/0x180
-   __vfs_read+0x37/0x160
-   ? security_file_permission+0x9b/0xc0
-   vfs_read+0x8e/0x130
-   SyS_read+0x55/0xc0
-   entry_SYSCALL_64_fastpath+0x1a/0xa5
-  RIP: 0033:0x7f94455f942d
-  RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
-  RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
-  RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
-  RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
-  R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
-  R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
-  Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
-  RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
-
-Fix it by moving the initialization of the cursor below the repeat
-label.  While at it, rename it to @next for readability.
-
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
-Cc: stable@vger.kernel.org # v4.14+
-Reported-by: Laura Abbott <labbott@redhat.com>
-Reported-by: Bronek Kozicki <brok@incorrekt.com>
-Reported-by: George Amanakis <gamanakis@gmail.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
----
- kernel/cgroup/cgroup.c | 14 ++++++--------
- 1 file changed, 6 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index f4c2f8c..2cf06c2 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -4125,26 +4125,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
- 
- static void css_task_iter_advance(struct css_task_iter *it)
- {
--	struct list_head *l = it->task_pos;
-+	struct list_head *next;
- 
- 	lockdep_assert_held(&css_set_lock);
--	WARN_ON_ONCE(!l);
--
- repeat:
- 	/*
- 	 * Advance iterator to find next entry.  cset->tasks is consumed
- 	 * first and then ->mg_tasks.  After ->mg_tasks, we move onto the
- 	 * next cset.
- 	 */
--	l = l->next;
-+	next = it->task_pos->next;
- 
--	if (l == it->tasks_head)
--		l = it->mg_tasks_head->next;
-+	if (next == it->tasks_head)
-+		next = it->mg_tasks_head->next;
- 
--	if (l == it->mg_tasks_head)
-+	if (next == it->mg_tasks_head)
- 		css_task_iter_advance_css_set(it);
- 	else
--		it->task_pos = l;
-+		it->task_pos = next;
- 
- 	/* if PROCS, skip over tasks which aren't group leaders */
- 	if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
diff --git a/freed-ora/current/f27/e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch b/freed-ora/current/f27/e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
deleted file mode 100644
index a31d5d2c5..000000000
--- a/freed-ora/current/f27/e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From patchwork Mon Dec 11 07:26:40 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
-From: Benjamin Poirier <bpoirier@suse.com>
-X-Patchwork-Id: 10104349
-Message-Id: <20171211072640.7935-1-bpoirier@suse.com>
-To: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>,
- Christian Hesse <list@eworm.de>, Gabriel C <nix.or.die@gmail.com>,
- intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
- linux-kernel@vger.kernel.org, stable@vger.kernel.org
-Date: Mon, 11 Dec 2017 16:26:40 +0900
-
-e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
-are the two functions that may be assigned to mac.ops.check_for_link when
-phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
-Separate signaling for link check/link up") changed the meaning of the
-return value of check_for_link for copper media but only adjusted the first
-function. This patch adjusts the second function likewise.
-
-Reported-by: Christian Hesse <list@eworm.de>
-Reported-by: Gabriel C <nix.or.die@gmail.com>
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
-Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
-Tested-by: Christian Hesse <list@eworm.de>
-Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
----
- drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-index d6d4ed7acf03..31277d3bb7dc 100644
---- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
-+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-@@ -1367,6 +1367,9 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
-  *  Checks to see of the link status of the hardware has changed.  If a
-  *  change in link status has been detected, then we read the PHY registers
-  *  to get the current speed/duplex if link exists.
-+ *
-+ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
-+ *  up).
-  **/
- static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- {
-@@ -1382,7 +1385,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- 	 * Change or Rx Sequence Error interrupt.
- 	 */
- 	if (!mac->get_link_status)
--		return 0;
-+		return 1;
- 
- 	/* First we want to see if the MII Status Register reports
- 	 * link.  If so, then we want to get the current speed/duplex
-@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- 	 * different link partner.
- 	 */
- 	ret_val = e1000e_config_fc_after_link_up(hw);
--	if (ret_val)
-+	if (ret_val) {
- 		e_dbg("Error configuring flow control\n");
-+		return ret_val;
-+	}
- 
--	return ret_val;
-+	return 1;
- }
- 
- static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
diff --git a/freed-ora/current/f27/kernel.spec b/freed-ora/current/f27/kernel.spec
index 44a7939bc..bf17463f0 100644
--- a/freed-ora/current/f27/kernel.spec
+++ b/freed-ora/current/f27/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 13
+%define stable_update 14
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -685,17 +685,12 @@ Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
 # rhbz 1525768 1525769
 Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
 
-# rhbz 1525523
-# https://patchwork.kernel.org/patch/10104349/
-Patch506: e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
+# CVE-2018-5344 rhbz 1533909 1533911
+Patch507: loop-fix-concurrent-lo_open-lo_release.patch
 
 # 550-600 Meltdown and Spectre Fixes
 Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
-Patch551: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
-Patch552: 0002-sysfs-cpu-Add-vulnerability-folder.patch
-Patch553: 0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
-Patch554: 0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
-Patch555: retpoline.patch
+Patch551: ppc-mitigations.patch
 
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
@@ -721,11 +716,6 @@ Patch627: qxl-fixes.patch
 # rhbz 1462175
 Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
 
-# CVE-2017-17741 rhbz 1527112 1527113
-Patch630: v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
-
-Patch631: cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
-
 # rhbz1514969
 Patch633: 0001-platform-x86-dell-laptop-Filter-out-spurious-keyboar.patch
 
@@ -2357,6 +2347,21 @@ fi
 #
 #
 %changelog
+* Fri Jan 19 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.14.14-gnu.
+
+* Thu Jan 18 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.14-300
+- Add some ppc mitigations from upstream
+
+* Wed Jan 17 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Linux v4.14.14
+- Fixes (rhbz 1532458)
+
+* Fri Jan 12 2018 Jeremy Cline <jeremy@jcline.org>
+- Fix for CVE-2018-5344 (rhbz 1533909 1533911)
+- Fix for CVE-2018-5332 (rhbz 1533890 1533895)
+- Fix for CVE-2018-5333 (rhbz 1533891 1533895)
+
 * Thu Jan 11 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.14.13-gnu.
 
diff --git a/freed-ora/current/f27/loop-fix-concurrent-lo_open-lo_release.patch b/freed-ora/current/f27/loop-fix-concurrent-lo_open-lo_release.patch
new file mode 100644
index 000000000..37131a702
--- /dev/null
+++ b/freed-ora/current/f27/loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,55 @@
+From ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: [PATCH] loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+
+Reported-by: 范龙飞 <long7573@126.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ drivers/block/loop.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index bc8e61506968..d5fe720cf149 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
+ 	return err;
+ }
+ 
+-static void lo_release(struct gendisk *disk, fmode_t mode)
++static void __lo_release(struct loop_device *lo)
+ {
+-	struct loop_device *lo = disk->private_data;
+ 	int err;
+ 
+ 	if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
+ 	mutex_unlock(&lo->lo_ctl_mutex);
+ }
+ 
++static void lo_release(struct gendisk *disk, fmode_t mode)
++{
++	mutex_lock(&loop_index_mutex);
++	__lo_release(disk->private_data);
++	mutex_unlock(&loop_index_mutex);
++}
++
+ static const struct block_device_operations lo_fops = {
+ 	.owner =	THIS_MODULE,
+ 	.open =		lo_open,
+-- 
+2.15.1
+
diff --git a/freed-ora/current/f27/patch-4.14-gnu-4.14.13-gnu.xz.sign b/freed-ora/current/f27/patch-4.14-gnu-4.14.13-gnu.xz.sign
deleted file mode 100644
index 7cb95d688..000000000
--- a/freed-ora/current/f27/patch-4.14-gnu-4.14.13-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWlZLoQAKCRC8t8+Hfn1H
-p/qlAJ9XbAmVDjiZ4U/Rc0cGjusIbI4L3QCdHwliDTnrvD2Ye48B3VNAAAni8q0=
-=klyt
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/patch-4.14-gnu-4.14.14-gnu.xz.sign b/freed-ora/current/f27/patch-4.14-gnu-4.14.14-gnu.xz.sign
new file mode 100644
index 000000000..9a07f5219
--- /dev/null
+++ b/freed-ora/current/f27/patch-4.14-gnu-4.14.14-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWmA4RQAKCRC8t8+Hfn1H
+p4HvAJ0TuS/VMp/c9ewcEsMrjxn4Dvqi/gCdH5uBaXpNXoWOdbzyhc0F9TA7TBs=
+=QR/k
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/ppc-mitigations.patch b/freed-ora/current/f27/ppc-mitigations.patch
new file mode 100644
index 000000000..909485721
--- /dev/null
+++ b/freed-ora/current/f27/ppc-mitigations.patch
@@ -0,0 +1,1309 @@
+From 191eccb1580939fb0d47deb405b82a85b0379070 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Tue, 9 Jan 2018 03:52:05 +1100
+Subject: powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 191eccb1580939fb0d47deb405b82a85b0379070 upstream.
+
+A new hypervisor call has been defined to communicate various
+characteristics of the CPU to guests. Add definitions for the hcall
+number, flags and a wrapper function.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/hvcall.h         |   17 +++++++++++++++++
+ arch/powerpc/include/asm/plpar_wrappers.h |   14 ++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+--- a/arch/powerpc/include/asm/hvcall.h
++++ b/arch/powerpc/include/asm/hvcall.h
+@@ -241,6 +241,7 @@
+ #define H_GET_HCA_INFO          0x1B8
+ #define H_GET_PERF_COUNT        0x1BC
+ #define H_MANAGE_TRACE          0x1C0
++#define H_GET_CPU_CHARACTERISTICS 0x1C8
+ #define H_FREE_LOGICAL_LAN_BUFFER 0x1D4
+ #define H_QUERY_INT_STATE       0x1E4
+ #define H_POLL_PENDING		0x1D8
+@@ -330,6 +331,17 @@
+ #define H_SIGNAL_SYS_RESET_ALL_OTHERS		-2
+ /* >= 0 values are CPU number */
+ 
++/* H_GET_CPU_CHARACTERISTICS return values */
++#define H_CPU_CHAR_SPEC_BAR_ORI31	(1ull << 63) // IBM bit 0
++#define H_CPU_CHAR_BCCTRL_SERIALISED	(1ull << 62) // IBM bit 1
++#define H_CPU_CHAR_L1D_FLUSH_ORI30	(1ull << 61) // IBM bit 2
++#define H_CPU_CHAR_L1D_FLUSH_TRIG2	(1ull << 60) // IBM bit 3
++#define H_CPU_CHAR_L1D_THREAD_PRIV	(1ull << 59) // IBM bit 4
++
++#define H_CPU_BEHAV_FAVOUR_SECURITY	(1ull << 63) // IBM bit 0
++#define H_CPU_BEHAV_L1D_FLUSH_PR	(1ull << 62) // IBM bit 1
++#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR	(1ull << 61) // IBM bit 2
++
+ /* Flag values used in H_REGISTER_PROC_TBL hcall */
+ #define PROC_TABLE_OP_MASK	0x18
+ #define PROC_TABLE_DEREG	0x10
+@@ -436,6 +448,11 @@ static inline unsigned int get_longbusy_
+ 	}
+ }
+ 
++struct h_cpu_char_result {
++	u64 character;
++	u64 behaviour;
++};
++
+ #endif /* __ASSEMBLY__ */
+ #endif /* __KERNEL__ */
+ #endif /* _ASM_POWERPC_HVCALL_H */
+--- a/arch/powerpc/include/asm/plpar_wrappers.h
++++ b/arch/powerpc/include/asm/plpar_wrappers.h
+@@ -326,4 +326,18 @@ static inline long plapr_signal_sys_rese
+ 	return plpar_hcall_norets(H_SIGNAL_SYS_RESET, cpu);
+ }
+ 
++static inline long plpar_get_cpu_characteristics(struct h_cpu_char_result *p)
++{
++	unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
++	long rc;
++
++	rc = plpar_hcall(H_GET_CPU_CHARACTERISTICS, retbuf);
++	if (rc == H_SUCCESS) {
++		p->character = retbuf[0];
++		p->behaviour = retbuf[1];
++	}
++
++	return rc;
++}
++
+ #endif /* _ASM_POWERPC_PLPAR_WRAPPERS_H */
+From 50e51c13b3822d14ff6df4279423e4b7b2269bc3 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/64: Add macros for annotating the destination of rfid/hrfid
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 50e51c13b3822d14ff6df4279423e4b7b2269bc3 upstream.
+
+The rfid/hrfid ((Hypervisor) Return From Interrupt) instruction is
+used for switching from the kernel to userspace, and from the
+hypervisor to the guest kernel. However it can and is also used for
+other transitions, eg. from real mode kernel code to virtual mode
+kernel code, and it's not always clear from the code what the
+destination context is.
+
+To make it clearer when reading the code, add macros which encode the
+expected destination context.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/exception-64e.h |    6 ++++++
+ arch/powerpc/include/asm/exception-64s.h |   29 +++++++++++++++++++++++++++++
+ 2 files changed, 35 insertions(+)
+
+--- a/arch/powerpc/include/asm/exception-64e.h
++++ b/arch/powerpc/include/asm/exception-64e.h
+@@ -209,5 +209,11 @@ exc_##label##_book3e:
+ 	ori	r3,r3,vector_offset@l;		\
+ 	mtspr	SPRN_IVOR##vector_number,r3;
+ 
++#define RFI_TO_KERNEL							\
++	rfi
++
++#define RFI_TO_USER							\
++	rfi
++
+ #endif /* _ASM_POWERPC_EXCEPTION_64E_H */
+ 
+--- a/arch/powerpc/include/asm/exception-64s.h
++++ b/arch/powerpc/include/asm/exception-64s.h
+@@ -69,6 +69,35 @@
+  */
+ #define EX_R3		EX_DAR
+ 
++/* Macros for annotating the expected destination of (h)rfid */
++
++#define RFI_TO_KERNEL							\
++	rfid
++
++#define RFI_TO_USER							\
++	rfid
++
++#define RFI_TO_USER_OR_KERNEL						\
++	rfid
++
++#define RFI_TO_GUEST							\
++	rfid
++
++#define HRFI_TO_KERNEL							\
++	hrfid
++
++#define HRFI_TO_USER							\
++	hrfid
++
++#define HRFI_TO_USER_OR_KERNEL						\
++	hrfid
++
++#define HRFI_TO_GUEST							\
++	hrfid
++
++#define HRFI_TO_UNKNOWN							\
++	hrfid
++
+ #ifdef CONFIG_RELOCATABLE
+ #define __EXCEPTION_RELON_PROLOG_PSERIES_1(label, h)			\
+ 	mfspr	r11,SPRN_##h##SRR0;	/* save SRR0 */			\
+From 222f20f140623ef6033491d0103ee0875fe87d35 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/64s: Simple RFI macro conversions
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 222f20f140623ef6033491d0103ee0875fe87d35 upstream.
+
+This commit does simple conversions of rfi/rfid to the new macros that
+include the expected destination context. By simple we mean cases
+where there is a single well known destination context, and it's
+simply a matter of substituting the instruction for the appropriate
+macro.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/powerpc/include/asm/exception-64s.h |    4 ++--
+ arch/powerpc/kernel/entry_64.S           |   14 +++++++++-----
+ arch/powerpc/kernel/exceptions-64s.S     |   22 +++++++++++-----------
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S  |    7 +++----
+ arch/powerpc/kvm/book3s_rmhandlers.S     |    7 +++++--
+ arch/powerpc/kvm/book3s_segment.S        |    4 ++--
+ 6 files changed, 32 insertions(+), 26 deletions(-)
+
+--- a/arch/powerpc/include/asm/exception-64s.h
++++ b/arch/powerpc/include/asm/exception-64s.h
+@@ -242,7 +242,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
+ 	mtspr	SPRN_##h##SRR0,r12;					\
+ 	mfspr	r12,SPRN_##h##SRR1;	/* and SRR1 */			\
+ 	mtspr	SPRN_##h##SRR1,r10;					\
+-	h##rfid;							\
++	h##RFI_TO_KERNEL;						\
+ 	b	.	/* prevent speculative execution */
+ #define EXCEPTION_PROLOG_PSERIES_1(label, h)				\
+ 	__EXCEPTION_PROLOG_PSERIES_1(label, h)
+@@ -256,7 +256,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
+ 	mtspr	SPRN_##h##SRR0,r12;					\
+ 	mfspr	r12,SPRN_##h##SRR1;	/* and SRR1 */			\
+ 	mtspr	SPRN_##h##SRR1,r10;					\
+-	h##rfid;							\
++	h##RFI_TO_KERNEL;						\
+ 	b	.	/* prevent speculative execution */
+ 
+ #define EXCEPTION_PROLOG_PSERIES_1_NORI(label, h)			\
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -37,6 +37,11 @@
+ #include <asm/tm.h>
+ #include <asm/ppc-opcode.h>
+ #include <asm/export.h>
++#ifdef CONFIG_PPC_BOOK3S
++#include <asm/exception-64s.h>
++#else
++#include <asm/exception-64e.h>
++#endif
+ 
+ /*
+  * System calls.
+@@ -397,8 +402,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
+ 	mtmsrd	r10, 1
+ 	mtspr	SPRN_SRR0, r11
+ 	mtspr	SPRN_SRR1, r12
+-
+-	rfid
++	RFI_TO_USER
+ 	b	.	/* prevent speculative execution */
+ #endif
+ _ASM_NOKPROBE_SYMBOL(system_call_common);
+@@ -1073,7 +1077,7 @@ __enter_rtas:
+ 	
+ 	mtspr	SPRN_SRR0,r5
+ 	mtspr	SPRN_SRR1,r6
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.	/* prevent speculative execution */
+ 
+ rtas_return_loc:
+@@ -1098,7 +1102,7 @@ rtas_return_loc:
+ 
+ 	mtspr	SPRN_SRR0,r3
+ 	mtspr	SPRN_SRR1,r4
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.	/* prevent speculative execution */
+ _ASM_NOKPROBE_SYMBOL(__enter_rtas)
+ _ASM_NOKPROBE_SYMBOL(rtas_return_loc)
+@@ -1171,7 +1175,7 @@ _GLOBAL(enter_prom)
+ 	LOAD_REG_IMMEDIATE(r12, MSR_SF | MSR_ISF | MSR_LE)
+ 	andc	r11,r11,r12
+ 	mtsrr1	r11
+-	rfid
++	RFI_TO_KERNEL
+ #endif /* CONFIG_PPC_BOOK3E */
+ 
+ 1:	/* Return from OF */
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -254,7 +254,7 @@ BEGIN_FTR_SECTION
+ 	LOAD_HANDLER(r12, machine_check_handle_early)
+ 1:	mtspr	SPRN_SRR0,r12
+ 	mtspr	SPRN_SRR1,r11
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.	/* prevent speculative execution */
+ 2:
+ 	/* Stack overflow. Stay on emergency stack and panic.
+@@ -443,7 +443,7 @@ EXC_COMMON_BEGIN(machine_check_handle_ea
+ 	li	r3,MSR_ME
+ 	andc	r10,r10,r3		/* Turn off MSR_ME */
+ 	mtspr	SPRN_SRR1,r10
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.
+ 2:
+ 	/*
+@@ -461,7 +461,7 @@ EXC_COMMON_BEGIN(machine_check_handle_ea
+ 	 */
+ 	bl	machine_check_queue_event
+ 	MACHINE_CHECK_HANDLER_WINDUP
+-	rfid
++	RFI_TO_USER_OR_KERNEL
+ 9:
+ 	/* Deliver the machine check to host kernel in V mode. */
+ 	MACHINE_CHECK_HANDLER_WINDUP
+@@ -649,7 +649,7 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_R
+ 	mtspr	SPRN_SRR0,r10
+ 	ld	r10,PACAKMSR(r13)
+ 	mtspr	SPRN_SRR1,r10
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.
+ 
+ 8:	std     r3,PACA_EXSLB+EX_DAR(r13)
+@@ -660,7 +660,7 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_R
+ 	mtspr	SPRN_SRR0,r10
+ 	ld	r10,PACAKMSR(r13)
+ 	mtspr	SPRN_SRR1,r10
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.
+ 
+ EXC_COMMON_BEGIN(unrecov_slb)
+@@ -905,7 +905,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE)
+ 	mtspr	SPRN_SRR0,r10 ; 				\
+ 	ld	r10,PACAKMSR(r13) ;				\
+ 	mtspr	SPRN_SRR1,r10 ; 				\
+-	rfid ; 							\
++	RFI_TO_KERNEL ;						\
+ 	b	. ;	/* prevent speculative execution */
+ 
+ #define SYSCALL_FASTENDIAN					\
+@@ -914,7 +914,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE)
+ 	xori	r12,r12,MSR_LE ;				\
+ 	mtspr	SPRN_SRR1,r12 ;					\
+ 	mr	r13,r9 ;					\
+-	rfid ;		/* return to userspace */		\
++	RFI_TO_USER ;	/* return to userspace */		\
+ 	b	. ;	/* prevent speculative execution */
+ 
+ #if defined(CONFIG_RELOCATABLE)
+@@ -1299,7 +1299,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_CFAR)
+ 	ld	r11,PACA_EXGEN+EX_R11(r13)
+ 	ld	r12,PACA_EXGEN+EX_R12(r13)
+ 	ld	r13,PACA_EXGEN+EX_R13(r13)
+-	HRFID
++	HRFI_TO_UNKNOWN
+ 	b	.
+ #endif
+ 
+@@ -1403,7 +1403,7 @@ masked_##_H##interrupt:					\
+ 	ld	r10,PACA_EXGEN+EX_R10(r13);		\
+ 	ld	r11,PACA_EXGEN+EX_R11(r13);		\
+ 	/* returns to kernel where r13 must be set up, so don't restore it */ \
+-	##_H##rfid;					\
++	##_H##RFI_TO_KERNEL;				\
+ 	b	.;					\
+ 	MASKED_DEC_HANDLER(_H)
+ 
+@@ -1426,7 +1426,7 @@ TRAMP_REAL_BEGIN(kvmppc_skip_interrupt)
+ 	addi	r13, r13, 4
+ 	mtspr	SPRN_SRR0, r13
+ 	GET_SCRATCH0(r13)
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.
+ 
+ TRAMP_REAL_BEGIN(kvmppc_skip_Hinterrupt)
+@@ -1438,7 +1438,7 @@ TRAMP_REAL_BEGIN(kvmppc_skip_Hinterrupt)
+ 	addi	r13, r13, 4
+ 	mtspr	SPRN_HSRR0, r13
+ 	GET_SCRATCH0(r13)
+-	hrfid
++	HRFI_TO_KERNEL
+ 	b	.
+ #endif
+ 
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -78,7 +78,7 @@ _GLOBAL_TOC(kvmppc_hv_entry_trampoline)
+ 	mtmsrd	r0,1		/* clear RI in MSR */
+ 	mtsrr0	r5
+ 	mtsrr1	r6
+-	RFI
++	RFI_TO_KERNEL
+ 
+ kvmppc_call_hv_entry:
+ 	ld	r4, HSTATE_KVM_VCPU(r13)
+@@ -187,7 +187,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_300)
+ 	mtmsrd	r6, 1			/* Clear RI in MSR */
+ 	mtsrr0	r8
+ 	mtsrr1	r7
+-	RFI
++	RFI_TO_KERNEL
+ 
+ 	/* Virtual-mode return */
+ .Lvirt_return:
+@@ -1131,8 +1131,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+ 
+ 	ld	r0, VCPU_GPR(R0)(r4)
+ 	ld	r4, VCPU_GPR(R4)(r4)
+-
+-	hrfid
++	HRFI_TO_GUEST
+ 	b	.
+ 
+ secondary_too_late:
+--- a/arch/powerpc/kvm/book3s_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_rmhandlers.S
+@@ -46,6 +46,9 @@
+ 
+ #define FUNC(name)		name
+ 
++#define RFI_TO_KERNEL	RFI
++#define RFI_TO_GUEST	RFI
++
+ .macro INTERRUPT_TRAMPOLINE intno
+ 
+ .global kvmppc_trampoline_\intno
+@@ -141,7 +144,7 @@ kvmppc_handler_skip_ins:
+ 	GET_SCRATCH0(r13)
+ 
+ 	/* And get back into the code */
+-	RFI
++	RFI_TO_KERNEL
+ #endif
+ 
+ /*
+@@ -164,6 +167,6 @@ _GLOBAL_TOC(kvmppc_entry_trampoline)
+ 	ori	r5, r5, MSR_EE
+ 	mtsrr0	r7
+ 	mtsrr1	r6
+-	RFI
++	RFI_TO_KERNEL
+ 
+ #include "book3s_segment.S"
+--- a/arch/powerpc/kvm/book3s_segment.S
++++ b/arch/powerpc/kvm/book3s_segment.S
+@@ -156,7 +156,7 @@ no_dcbz32_on:
+ 	PPC_LL	r9, SVCPU_R9(r3)
+ 	PPC_LL	r3, (SVCPU_R3)(r3)
+ 
+-	RFI
++	RFI_TO_GUEST
+ kvmppc_handler_trampoline_enter_end:
+ 
+ 
+@@ -407,5 +407,5 @@ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
+ 	cmpwi	r12, BOOK3S_INTERRUPT_DOORBELL
+ 	beqa	BOOK3S_INTERRUPT_DOORBELL
+ 
+-	RFI
++	RFI_TO_KERNEL
+ kvmppc_handler_trampoline_exit_end:
+From b8e90cb7bc04a509e821e82ab6ed7a8ef11ba333 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit b8e90cb7bc04a509e821e82ab6ed7a8ef11ba333 upstream.
+
+In the syscall exit path we may be returning to user or kernel
+context. We already have a test for that, because we conditionally
+restore r13. So use that existing test and branch, and bifurcate the
+return based on that.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/entry_64.S |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -267,13 +267,23 @@ BEGIN_FTR_SECTION
+ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
+ 
+ 	ld	r13,GPR13(r1)	/* only restore r13 if returning to usermode */
++	ld	r2,GPR2(r1)
++	ld	r1,GPR1(r1)
++	mtlr	r4
++	mtcr	r5
++	mtspr	SPRN_SRR0,r7
++	mtspr	SPRN_SRR1,r8
++	RFI_TO_USER
++	b	.	/* prevent speculative execution */
++
++	/* exit to kernel */
+ 1:	ld	r2,GPR2(r1)
+ 	ld	r1,GPR1(r1)
+ 	mtlr	r4
+ 	mtcr	r5
+ 	mtspr	SPRN_SRR0,r7
+ 	mtspr	SPRN_SRR1,r8
+-	RFI
++	RFI_TO_KERNEL
+ 	b	.	/* prevent speculative execution */
+ 
+ .Lsyscall_error:
+From a08f828cf47e6c605af21d2cdec68f84e799c318 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit a08f828cf47e6c605af21d2cdec68f84e799c318 upstream.
+
+Similar to the syscall return path, in fast_exception_return we may be
+returning to user or kernel context. We already have a test for that,
+because we conditionally restore r13. So use that existing test and
+branch, and bifurcate the return based on that.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/entry_64.S |   18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -892,7 +892,7 @@ BEGIN_FTR_SECTION
+ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
+ 	ACCOUNT_CPU_USER_EXIT(r13, r2, r4)
+ 	REST_GPR(13, r1)
+-1:
++
+ 	mtspr	SPRN_SRR1,r3
+ 
+ 	ld	r2,_CCR(r1)
+@@ -905,8 +905,22 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
+ 	ld	r3,GPR3(r1)
+ 	ld	r4,GPR4(r1)
+ 	ld	r1,GPR1(r1)
++	RFI_TO_USER
++	b	.	/* prevent speculative execution */
+ 
+-	rfid
++1:	mtspr	SPRN_SRR1,r3
++
++	ld	r2,_CCR(r1)
++	mtcrf	0xFF,r2
++	ld	r2,_NIP(r1)
++	mtspr	SPRN_SRR0,r2
++
++	ld	r0,GPR0(r1)
++	ld	r2,GPR2(r1)
++	ld	r3,GPR3(r1)
++	ld	r4,GPR4(r1)
++	ld	r1,GPR1(r1)
++	RFI_TO_KERNEL
+ 	b	.	/* prevent speculative execution */
+ 
+ #endif /* CONFIG_PPC_BOOK3E */
+From c7305645eb0c1621351cfc104038831ae87c0053 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit c7305645eb0c1621351cfc104038831ae87c0053 upstream.
+
+In the SLB miss handler we may be returning to user or kernel. We need
+to add a check early on and save the result in the cr4 register, and
+then we bifurcate the return path based on that.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S |   29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -596,6 +596,9 @@ EXC_COMMON_BEGIN(slb_miss_common)
+ 	stw	r9,PACA_EXSLB+EX_CCR(r13)	/* save CR in exc. frame */
+ 	std	r10,PACA_EXSLB+EX_LR(r13)	/* save LR */
+ 
++	andi.	r9,r11,MSR_PR	// Check for exception from userspace
++	cmpdi	cr4,r9,MSR_PR	// And save the result in CR4 for later
++
+ 	/*
+ 	 * Test MSR_RI before calling slb_allocate_realmode, because the
+ 	 * MSR in r11 gets clobbered. However we still want to allocate
+@@ -622,9 +625,32 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_R
+ 
+ 	/* All done -- return from exception. */
+ 
++	bne	cr4,1f		/* returning to kernel */
++
++.machine	push
++.machine	"power4"
++	mtcrf	0x80,r9
++	mtcrf	0x08,r9		/* MSR[PR] indication is in cr4 */
++	mtcrf	0x04,r9		/* MSR[RI] indication is in cr5 */
++	mtcrf	0x02,r9		/* I/D indication is in cr6 */
++	mtcrf	0x01,r9		/* slb_allocate uses cr0 and cr7 */
++.machine	pop
++
++	RESTORE_CTR(r9, PACA_EXSLB)
++	RESTORE_PPR_PACA(PACA_EXSLB, r9)
++	mr	r3,r12
++	ld	r9,PACA_EXSLB+EX_R9(r13)
++	ld	r10,PACA_EXSLB+EX_R10(r13)
++	ld	r11,PACA_EXSLB+EX_R11(r13)
++	ld	r12,PACA_EXSLB+EX_R12(r13)
++	ld	r13,PACA_EXSLB+EX_R13(r13)
++	RFI_TO_USER
++	b	.	/* prevent speculative execution */
++1:
+ .machine	push
+ .machine	"power4"
+ 	mtcrf	0x80,r9
++	mtcrf	0x08,r9		/* MSR[PR] indication is in cr4 */
+ 	mtcrf	0x04,r9		/* MSR[RI] indication is in cr5 */
+ 	mtcrf	0x02,r9		/* I/D indication is in cr6 */
+ 	mtcrf	0x01,r9		/* slb_allocate uses cr0 and cr7 */
+@@ -638,9 +664,10 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_R
+ 	ld	r11,PACA_EXSLB+EX_R11(r13)
+ 	ld	r12,PACA_EXSLB+EX_R12(r13)
+ 	ld	r13,PACA_EXSLB+EX_R13(r13)
+-	rfid
++	RFI_TO_KERNEL
+ 	b	.	/* prevent speculative execution */
+ 
++
+ 2:	std     r3,PACA_EXSLB+EX_DAR(r13)
+ 	mr	r3,r12
+ 	mfspr	r11,SPRN_SRR0
+From aa8a5e0062ac940f7659394f4817c948dc8c0667 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/64s: Add support for RFI flush of L1-D cache
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit aa8a5e0062ac940f7659394f4817c948dc8c0667 upstream.
+
+On some CPUs we can prevent the Meltdown vulnerability by flushing the
+L1-D cache on exit from kernel to user mode, and from hypervisor to
+guest.
+
+This is known to be the case on at least Power7, Power8 and Power9. At
+this time we do not know the status of the vulnerability on other CPUs
+such as the 970 (Apple G5), pasemi CPUs (AmigaOne X1000) or Freescale
+CPUs. As more information comes to light we can enable this, or other
+mechanisms on those CPUs.
+
+The vulnerability occurs when the load of an architecturally
+inaccessible memory region (eg. userspace load of kernel memory) is
+speculatively executed to the point where its result can influence the
+address of a subsequent speculatively executed load.
+
+In order for that to happen, the first load must hit in the L1,
+because before the load is sent to the L2 the permission check is
+performed. Therefore if no kernel addresses hit in the L1 the
+vulnerability can not occur. We can ensure that is the case by
+flushing the L1 whenever we return to userspace. Similarly for
+hypervisor vs guest.
+
+In order to flush the L1-D cache on exit, we add a section of nops at
+each (h)rfi location that returns to a lower privileged context, and
+patch that with some sequence. Newer firmwares are able to advertise
+to us that there is a special nop instruction that flushes the L1-D.
+If we do not see that advertised, we fall back to doing a displacement
+flush in software.
+
+For guest kernels we support migration between some CPU versions, and
+different CPUs may use different flush instructions. So that we are
+prepared to migrate to a machine with a different flush instruction
+activated, we may have to patch more than one flush instruction at
+boot if the hypervisor tells us to.
+
+In the end this patch is mostly the work of Nicholas Piggin and
+Michael Ellerman. However a cast of thousands contributed to analysis
+of the issue, earlier versions of the patch, back ports testing etc.
+Many thanks to all of them.
+
+Tested-by: Jon Masters <jcm@redhat.com>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/exception-64s.h  |   40 +++++++++++---
+ arch/powerpc/include/asm/feature-fixups.h |   13 ++++
+ arch/powerpc/include/asm/paca.h           |   10 +++
+ arch/powerpc/include/asm/setup.h          |   13 ++++
+ arch/powerpc/kernel/asm-offsets.c         |    5 +
+ arch/powerpc/kernel/exceptions-64s.S      |   84 ++++++++++++++++++++++++++++++
+ arch/powerpc/kernel/setup_64.c            |   79 ++++++++++++++++++++++++++++
+ arch/powerpc/kernel/vmlinux.lds.S         |    9 +++
+ arch/powerpc/lib/feature-fixups.c         |   41 ++++++++++++++
+ 9 files changed, 286 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/include/asm/exception-64s.h
++++ b/arch/powerpc/include/asm/exception-64s.h
+@@ -69,34 +69,58 @@
+  */
+ #define EX_R3		EX_DAR
+ 
+-/* Macros for annotating the expected destination of (h)rfid */
++/*
++ * Macros for annotating the expected destination of (h)rfid
++ *
++ * The nop instructions allow us to insert one or more instructions to flush the
++ * L1-D cache when returning to userspace or a guest.
++ */
++#define RFI_FLUSH_SLOT							\
++	RFI_FLUSH_FIXUP_SECTION;					\
++	nop;								\
++	nop;								\
++	nop
+ 
+ #define RFI_TO_KERNEL							\
+ 	rfid
+ 
+ #define RFI_TO_USER							\
+-	rfid
++	RFI_FLUSH_SLOT;							\
++	rfid;								\
++	b	rfi_flush_fallback
+ 
+ #define RFI_TO_USER_OR_KERNEL						\
+-	rfid
++	RFI_FLUSH_SLOT;							\
++	rfid;								\
++	b	rfi_flush_fallback
+ 
+ #define RFI_TO_GUEST							\
+-	rfid
++	RFI_FLUSH_SLOT;							\
++	rfid;								\
++	b	rfi_flush_fallback
+ 
+ #define HRFI_TO_KERNEL							\
+ 	hrfid
+ 
+ #define HRFI_TO_USER							\
+-	hrfid
++	RFI_FLUSH_SLOT;							\
++	hrfid;								\
++	b	hrfi_flush_fallback
+ 
+ #define HRFI_TO_USER_OR_KERNEL						\
+-	hrfid
++	RFI_FLUSH_SLOT;							\
++	hrfid;								\
++	b	hrfi_flush_fallback
+ 
+ #define HRFI_TO_GUEST							\
+-	hrfid
++	RFI_FLUSH_SLOT;							\
++	hrfid;								\
++	b	hrfi_flush_fallback
+ 
+ #define HRFI_TO_UNKNOWN							\
+-	hrfid
++	RFI_FLUSH_SLOT;							\
++	hrfid;								\
++	b	hrfi_flush_fallback
+ 
+ #ifdef CONFIG_RELOCATABLE
+ #define __EXCEPTION_RELON_PROLOG_PSERIES_1(label, h)			\
+--- a/arch/powerpc/include/asm/feature-fixups.h
++++ b/arch/powerpc/include/asm/feature-fixups.h
+@@ -187,7 +187,20 @@ label##3:					       	\
+ 	FTR_ENTRY_OFFSET label##1b-label##3b;		\
+ 	.popsection;
+ 
++#define RFI_FLUSH_FIXUP_SECTION				\
++951:							\
++	.pushsection __rfi_flush_fixup,"a";		\
++	.align 2;					\
++952:							\
++	FTR_ENTRY_OFFSET 951b-952b;			\
++	.popsection;
++
++
+ #ifndef __ASSEMBLY__
++#include <linux/types.h>
++
++extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
++
+ void apply_feature_fixups(void);
+ void setup_feature_keys(void);
+ #endif
+--- a/arch/powerpc/include/asm/paca.h
++++ b/arch/powerpc/include/asm/paca.h
+@@ -231,6 +231,16 @@ struct paca_struct {
+ 	struct sibling_subcore_state *sibling_subcore_state;
+ #endif
+ #endif
++#ifdef CONFIG_PPC_BOOK3S_64
++	/*
++	 * rfi fallback flush must be in its own cacheline to prevent
++	 * other paca data leaking into the L1d
++	 */
++	u64 exrfi[EX_SIZE] __aligned(0x80);
++	void *rfi_flush_fallback_area;
++	u64 l1d_flush_congruence;
++	u64 l1d_flush_sets;
++#endif
+ };
+ 
+ extern void copy_mm_to_paca(struct mm_struct *mm);
+--- a/arch/powerpc/include/asm/setup.h
++++ b/arch/powerpc/include/asm/setup.h
+@@ -39,6 +39,19 @@ static inline void pseries_big_endian_ex
+ static inline void pseries_little_endian_exceptions(void) {}
+ #endif /* CONFIG_PPC_PSERIES */
+ 
++void rfi_flush_enable(bool enable);
++
++/* These are bit flags */
++enum l1d_flush_type {
++	L1D_FLUSH_NONE		= 0x1,
++	L1D_FLUSH_FALLBACK	= 0x2,
++	L1D_FLUSH_ORI		= 0x4,
++	L1D_FLUSH_MTTRIG	= 0x8,
++};
++
++void __init setup_rfi_flush(enum l1d_flush_type, bool enable);
++void do_rfi_flush_fixups(enum l1d_flush_type types);
++
+ #endif /* !__ASSEMBLY__ */
+ 
+ #endif	/* _ASM_POWERPC_SETUP_H */
+--- a/arch/powerpc/kernel/asm-offsets.c
++++ b/arch/powerpc/kernel/asm-offsets.c
+@@ -237,6 +237,11 @@ int main(void)
+ 	OFFSET(PACA_NMI_EMERG_SP, paca_struct, nmi_emergency_sp);
+ 	OFFSET(PACA_IN_MCE, paca_struct, in_mce);
+ 	OFFSET(PACA_IN_NMI, paca_struct, in_nmi);
++	OFFSET(PACA_RFI_FLUSH_FALLBACK_AREA, paca_struct, rfi_flush_fallback_area);
++	OFFSET(PACA_EXRFI, paca_struct, exrfi);
++	OFFSET(PACA_L1D_FLUSH_CONGRUENCE, paca_struct, l1d_flush_congruence);
++	OFFSET(PACA_L1D_FLUSH_SETS, paca_struct, l1d_flush_sets);
++
+ #endif
+ 	OFFSET(PACAHWCPUID, paca_struct, hw_cpu_id);
+ 	OFFSET(PACAKEXECSTATE, paca_struct, kexec_state);
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1434,6 +1434,90 @@ masked_##_H##interrupt:					\
+ 	b	.;					\
+ 	MASKED_DEC_HANDLER(_H)
+ 
++TRAMP_REAL_BEGIN(rfi_flush_fallback)
++	SET_SCRATCH0(r13);
++	GET_PACA(r13);
++	std	r9,PACA_EXRFI+EX_R9(r13)
++	std	r10,PACA_EXRFI+EX_R10(r13)
++	std	r11,PACA_EXRFI+EX_R11(r13)
++	std	r12,PACA_EXRFI+EX_R12(r13)
++	std	r8,PACA_EXRFI+EX_R13(r13)
++	mfctr	r9
++	ld	r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
++	ld	r11,PACA_L1D_FLUSH_SETS(r13)
++	ld	r12,PACA_L1D_FLUSH_CONGRUENCE(r13)
++	/*
++	 * The load adresses are at staggered offsets within cachelines,
++	 * which suits some pipelines better (on others it should not
++	 * hurt).
++	 */
++	addi	r12,r12,8
++	mtctr	r11
++	DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
++
++	/* order ld/st prior to dcbt stop all streams with flushing */
++	sync
++1:	li	r8,0
++	.rept	8 /* 8-way set associative */
++	ldx	r11,r10,r8
++	add	r8,r8,r12
++	xor	r11,r11,r11	// Ensure r11 is 0 even if fallback area is not
++	add	r8,r8,r11	// Add 0, this creates a dependency on the ldx
++	.endr
++	addi	r10,r10,128 /* 128 byte cache line */
++	bdnz	1b
++
++	mtctr	r9
++	ld	r9,PACA_EXRFI+EX_R9(r13)
++	ld	r10,PACA_EXRFI+EX_R10(r13)
++	ld	r11,PACA_EXRFI+EX_R11(r13)
++	ld	r12,PACA_EXRFI+EX_R12(r13)
++	ld	r8,PACA_EXRFI+EX_R13(r13)
++	GET_SCRATCH0(r13);
++	rfid
++
++TRAMP_REAL_BEGIN(hrfi_flush_fallback)
++	SET_SCRATCH0(r13);
++	GET_PACA(r13);
++	std	r9,PACA_EXRFI+EX_R9(r13)
++	std	r10,PACA_EXRFI+EX_R10(r13)
++	std	r11,PACA_EXRFI+EX_R11(r13)
++	std	r12,PACA_EXRFI+EX_R12(r13)
++	std	r8,PACA_EXRFI+EX_R13(r13)
++	mfctr	r9
++	ld	r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
++	ld	r11,PACA_L1D_FLUSH_SETS(r13)
++	ld	r12,PACA_L1D_FLUSH_CONGRUENCE(r13)
++	/*
++	 * The load adresses are at staggered offsets within cachelines,
++	 * which suits some pipelines better (on others it should not
++	 * hurt).
++	 */
++	addi	r12,r12,8
++	mtctr	r11
++	DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
++
++	/* order ld/st prior to dcbt stop all streams with flushing */
++	sync
++1:	li	r8,0
++	.rept	8 /* 8-way set associative */
++	ldx	r11,r10,r8
++	add	r8,r8,r12
++	xor	r11,r11,r11	// Ensure r11 is 0 even if fallback area is not
++	add	r8,r8,r11	// Add 0, this creates a dependency on the ldx
++	.endr
++	addi	r10,r10,128 /* 128 byte cache line */
++	bdnz	1b
++
++	mtctr	r9
++	ld	r9,PACA_EXRFI+EX_R9(r13)
++	ld	r10,PACA_EXRFI+EX_R10(r13)
++	ld	r11,PACA_EXRFI+EX_R11(r13)
++	ld	r12,PACA_EXRFI+EX_R12(r13)
++	ld	r8,PACA_EXRFI+EX_R13(r13)
++	GET_SCRATCH0(r13);
++	hrfid
++
+ /*
+  * Real mode exceptions actually use this too, but alternate
+  * instruction code patches (which end up in the common .text area)
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -784,3 +784,82 @@ static int __init disable_hardlockup_det
+ 	return 0;
+ }
+ early_initcall(disable_hardlockup_detector);
++
++#ifdef CONFIG_PPC_BOOK3S_64
++static enum l1d_flush_type enabled_flush_types;
++static void *l1d_flush_fallback_area;
++bool rfi_flush;
++
++static void do_nothing(void *unused)
++{
++	/*
++	 * We don't need to do the flush explicitly, just enter+exit kernel is
++	 * sufficient, the RFI exit handlers will do the right thing.
++	 */
++}
++
++void rfi_flush_enable(bool enable)
++{
++	if (rfi_flush == enable)
++		return;
++
++	if (enable) {
++		do_rfi_flush_fixups(enabled_flush_types);
++		on_each_cpu(do_nothing, NULL, 1);
++	} else
++		do_rfi_flush_fixups(L1D_FLUSH_NONE);
++
++	rfi_flush = enable;
++}
++
++static void init_fallback_flush(void)
++{
++	u64 l1d_size, limit;
++	int cpu;
++
++	l1d_size = ppc64_caches.l1d.size;
++	limit = min(safe_stack_limit(), ppc64_rma_size);
++
++	/*
++	 * Align to L1d size, and size it at 2x L1d size, to catch possible
++	 * hardware prefetch runoff. We don't have a recipe for load patterns to
++	 * reliably avoid the prefetcher.
++	 */
++	l1d_flush_fallback_area = __va(memblock_alloc_base(l1d_size * 2, l1d_size, limit));
++	memset(l1d_flush_fallback_area, 0, l1d_size * 2);
++
++	for_each_possible_cpu(cpu) {
++		/*
++		 * The fallback flush is currently coded for 8-way
++		 * associativity. Different associativity is possible, but it
++		 * will be treated as 8-way and may not evict the lines as
++		 * effectively.
++		 *
++		 * 128 byte lines are mandatory.
++		 */
++		u64 c = l1d_size / 8;
++
++		paca[cpu].rfi_flush_fallback_area = l1d_flush_fallback_area;
++		paca[cpu].l1d_flush_congruence = c;
++		paca[cpu].l1d_flush_sets = c / 128;
++	}
++}
++
++void __init setup_rfi_flush(enum l1d_flush_type types, bool enable)
++{
++	if (types & L1D_FLUSH_FALLBACK) {
++		pr_info("rfi-flush: Using fallback displacement flush\n");
++		init_fallback_flush();
++	}
++
++	if (types & L1D_FLUSH_ORI)
++		pr_info("rfi-flush: Using ori type flush\n");
++
++	if (types & L1D_FLUSH_MTTRIG)
++		pr_info("rfi-flush: Using mttrig type flush\n");
++
++	enabled_flush_types = types;
++
++	rfi_flush_enable(enable);
++}
++#endif /* CONFIG_PPC_BOOK3S_64 */
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -132,6 +132,15 @@ SECTIONS
+ 	/* Read-only data */
+ 	RO_DATA(PAGE_SIZE)
+ 
++#ifdef CONFIG_PPC64
++	. = ALIGN(8);
++	__rfi_flush_fixup : AT(ADDR(__rfi_flush_fixup) - LOAD_OFFSET) {
++		__start___rfi_flush_fixup = .;
++		*(__rfi_flush_fixup)
++		__stop___rfi_flush_fixup = .;
++	}
++#endif
++
+ 	EXCEPTION_TABLE(0)
+ 
+ 	NOTES :kernel :notes
+--- a/arch/powerpc/lib/feature-fixups.c
++++ b/arch/powerpc/lib/feature-fixups.c
+@@ -116,6 +116,47 @@ void do_feature_fixups(unsigned long val
+ 	}
+ }
+ 
++#ifdef CONFIG_PPC_BOOK3S_64
++void do_rfi_flush_fixups(enum l1d_flush_type types)
++{
++	unsigned int instrs[3], *dest;
++	long *start, *end;
++	int i;
++
++	start = PTRRELOC(&__start___rfi_flush_fixup),
++	end = PTRRELOC(&__stop___rfi_flush_fixup);
++
++	instrs[0] = 0x60000000; /* nop */
++	instrs[1] = 0x60000000; /* nop */
++	instrs[2] = 0x60000000; /* nop */
++
++	if (types & L1D_FLUSH_FALLBACK)
++		/* b .+16 to fallback flush */
++		instrs[0] = 0x48000010;
++
++	i = 0;
++	if (types & L1D_FLUSH_ORI) {
++		instrs[i++] = 0x63ff0000; /* ori 31,31,0 speculation barrier */
++		instrs[i++] = 0x63de0000; /* ori 30,30,0 L1d flush*/
++	}
++
++	if (types & L1D_FLUSH_MTTRIG)
++		instrs[i++] = 0x7c12dba6; /* mtspr TRIG2,r0 (SPR #882) */
++
++	for (i = 0; start < end; start++, i++) {
++		dest = (void *)start + *start;
++
++		pr_devel("patching dest %lx\n", (unsigned long)dest);
++
++		patch_instruction(dest, instrs[0]);
++		patch_instruction(dest + 1, instrs[1]);
++		patch_instruction(dest + 2, instrs[2]);
++	}
++
++	printk(KERN_DEBUG "rfi-flush: patched %d locations\n", i);
++}
++#endif /* CONFIG_PPC_BOOK3S_64 */
++
+ void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end)
+ {
+ 	long *start, *end;
+From bc9c9304a45480797e13a8e1df96ffcf44fb62fe Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit bc9c9304a45480797e13a8e1df96ffcf44fb62fe upstream.
+
+Because there may be some performance overhead of the RFI flush, add
+kernel command line options to disable it.
+
+We add a sensibly named 'no_rfi_flush' option, but we also hijack the
+x86 option 'nopti'. The RFI flush is not the same as KPTI, but if we
+see 'nopti' we can guess that the user is trying to avoid any overhead
+of Meltdown mitigations, and it means we don't have to educate every
+one about a different command line option.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/setup_64.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -788,8 +788,29 @@ early_initcall(disable_hardlockup_detect
+ #ifdef CONFIG_PPC_BOOK3S_64
+ static enum l1d_flush_type enabled_flush_types;
+ static void *l1d_flush_fallback_area;
++static bool no_rfi_flush;
+ bool rfi_flush;
+ 
++static int __init handle_no_rfi_flush(char *p)
++{
++	pr_info("rfi-flush: disabled on command line.");
++	no_rfi_flush = true;
++	return 0;
++}
++early_param("no_rfi_flush", handle_no_rfi_flush);
++
++/*
++ * The RFI flush is not KPTI, but because users will see doco that says to use
++ * nopti we hijack that option here to also disable the RFI flush.
++ */
++static int __init handle_no_pti(char *p)
++{
++	pr_info("rfi-flush: disabling due to 'nopti' on command line.\n");
++	handle_no_rfi_flush(NULL);
++	return 0;
++}
++early_param("nopti", handle_no_pti);
++
+ static void do_nothing(void *unused)
+ {
+ 	/*
+@@ -860,6 +881,7 @@ void __init setup_rfi_flush(enum l1d_flu
+ 
+ 	enabled_flush_types = types;
+ 
+-	rfi_flush_enable(enable);
++	if (!no_rfi_flush)
++		rfi_flush_enable(enable);
+ }
+ #endif /* CONFIG_PPC_BOOK3S_64 */
+From 8989d56878a7735dfdb234707a2fee6faf631085 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/pseries: Query hypervisor for RFI flush settings
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 8989d56878a7735dfdb234707a2fee6faf631085 upstream.
+
+A new hypervisor call is available which tells the guest settings
+related to the RFI flush. Use it to query the appropriate flush
+instruction(s), and whether the flush is required.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/setup.c |   35 +++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -459,6 +459,39 @@ static void __init find_and_init_phbs(vo
+ 	of_pci_check_probe_only();
+ }
+ 
++static void pseries_setup_rfi_flush(void)
++{
++	struct h_cpu_char_result result;
++	enum l1d_flush_type types;
++	bool enable;
++	long rc;
++
++	/* Enable by default */
++	enable = true;
++
++	rc = plpar_get_cpu_characteristics(&result);
++	if (rc == H_SUCCESS) {
++		types = L1D_FLUSH_NONE;
++
++		if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2)
++			types |= L1D_FLUSH_MTTRIG;
++		if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30)
++			types |= L1D_FLUSH_ORI;
++
++		/* Use fallback if nothing set in hcall */
++		if (types == L1D_FLUSH_NONE)
++			types = L1D_FLUSH_FALLBACK;
++
++		if (!(result.behaviour & H_CPU_BEHAV_L1D_FLUSH_PR))
++			enable = false;
++	} else {
++		/* Default to fallback if case hcall is not available */
++		types = L1D_FLUSH_FALLBACK;
++	}
++
++	setup_rfi_flush(types, enable);
++}
++
+ static void __init pSeries_setup_arch(void)
+ {
+ 	set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
+@@ -476,6 +509,8 @@ static void __init pSeries_setup_arch(vo
+ 
+ 	fwnmi_init();
+ 
++	pseries_setup_rfi_flush();
++
+ 	/* By default, only probe PCI (can be overridden by rtas_pci) */
+ 	pci_add_flags(PCI_PROBE_ONLY);
+ 
+From 6e032b350cd1fdb830f18f8320ef0e13b4e24094 Mon Sep 17 00:00:00 2001
+From: Oliver O'Halloran <oohall@gmail.com>
+Date: Wed, 10 Jan 2018 03:07:15 +1100
+Subject: powerpc/powernv: Check device-tree for RFI flush settings
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+commit 6e032b350cd1fdb830f18f8320ef0e13b4e24094 upstream.
+
+New device-tree properties are available which tell the hypervisor
+settings related to the RFI flush. Use them to determine the
+appropriate flush instruction to use, and whether the flush is
+required.
+
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/setup.c |   49 +++++++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -36,13 +36,62 @@
+ #include <asm/opal.h>
+ #include <asm/kexec.h>
+ #include <asm/smp.h>
++#include <asm/setup.h>
+ 
+ #include "powernv.h"
+ 
++static void pnv_setup_rfi_flush(void)
++{
++	struct device_node *np, *fw_features;
++	enum l1d_flush_type type;
++	int enable;
++
++	/* Default to fallback in case fw-features are not available */
++	type = L1D_FLUSH_FALLBACK;
++	enable = 1;
++
++	np = of_find_node_by_name(NULL, "ibm,opal");
++	fw_features = of_get_child_by_name(np, "fw-features");
++	of_node_put(np);
++
++	if (fw_features) {
++		np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2");
++		if (np && of_property_read_bool(np, "enabled"))
++			type = L1D_FLUSH_MTTRIG;
++
++		of_node_put(np);
++
++		np = of_get_child_by_name(fw_features, "inst-l1d-flush-ori30,30,0");
++		if (np && of_property_read_bool(np, "enabled"))
++			type = L1D_FLUSH_ORI;
++
++		of_node_put(np);
++
++		/* Enable unless firmware says NOT to */
++		enable = 2;
++		np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-hv-1-to-0");
++		if (np && of_property_read_bool(np, "disabled"))
++			enable--;
++
++		of_node_put(np);
++
++		np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-pr-0-to-1");
++		if (np && of_property_read_bool(np, "disabled"))
++			enable--;
++
++		of_node_put(np);
++		of_node_put(fw_features);
++	}
++
++	setup_rfi_flush(type, enable > 0);
++}
++
+ static void __init pnv_setup_arch(void)
+ {
+ 	set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
+ 
++	pnv_setup_rfi_flush();
++
+ 	/* Initialize SMP */
+ 	pnv_smp_init();
+ 
diff --git a/freed-ora/current/f27/retpoline.patch b/freed-ora/current/f27/retpoline.patch
deleted file mode 100644
index 88c78fd0e..000000000
--- a/freed-ora/current/f27/retpoline.patch
+++ /dev/null
@@ -1,1480 +0,0 @@
-From 61dc0f555b5c761cdafb0ba5bd41ecf22d68a4c4 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Sun, 7 Jan 2018 22:48:01 +0100
-Subject: [PATCH] x86/cpu: Implement CPU vulnerabilites sysfs functions
-
-Implement the CPU vulnerabilty show functions for meltdown, spectre_v1 and
-spectre_v2.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Will Deacon <will.deacon@arm.com>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Linus Torvalds <torvalds@linuxfoundation.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Link: https://lkml.kernel.org/r/20180107214913.177414879@linutronix.de
----
- arch/x86/Kconfig           |  1 +
- arch/x86/kernel/cpu/bugs.c | 29 +++++++++++++++++++++++++++++
- 2 files changed, 30 insertions(+)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index cd5199de231e..e23d21ac745a 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -89,6 +89,7 @@ config X86
- 	select GENERIC_CLOCKEVENTS_MIN_ADJUST
- 	select GENERIC_CMOS_UPDATE
- 	select GENERIC_CPU_AUTOPROBE
-+	select GENERIC_CPU_VULNERABILITIES
- 	select GENERIC_EARLY_IOREMAP
- 	select GENERIC_FIND_FIRST_BIT
- 	select GENERIC_IOMAP
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index ba0b2424c9b0..76ad6cb44b40 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -10,6 +10,7 @@
-  */
- #include <linux/init.h>
- #include <linux/utsname.h>
-+#include <linux/cpu.h>
- #include <asm/bugs.h>
- #include <asm/processor.h>
- #include <asm/processor-flags.h>
-@@ -60,3 +61,31 @@ void __init check_bugs(void)
- 		set_memory_4k((unsigned long)__va(0), 1);
- #endif
- }
-+
-+#ifdef CONFIG_SYSFS
-+ssize_t cpu_show_meltdown(struct device *dev,
-+			  struct device_attribute *attr, char *buf)
-+{
-+	if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
-+		return sprintf(buf, "Not affected\n");
-+	if (boot_cpu_has(X86_FEATURE_PTI))
-+		return sprintf(buf, "Mitigation: PTI\n");
-+	return sprintf(buf, "Vulnerable\n");
-+}
-+
-+ssize_t cpu_show_spectre_v1(struct device *dev,
-+			    struct device_attribute *attr, char *buf)
-+{
-+	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
-+		return sprintf(buf, "Not affected\n");
-+	return sprintf(buf, "Vulnerable\n");
-+}
-+
-+ssize_t cpu_show_spectre_v2(struct device *dev,
-+			    struct device_attribute *attr, char *buf)
-+{
-+	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
-+		return sprintf(buf, "Not affected\n");
-+	return sprintf(buf, "Vulnerable\n");
-+}
-+#endif
--- 
-2.14.3
-
-From d46717c610dcfa2cba5c87500c928993371ef1ad Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:07 +0000
-Subject: [PATCH 01/10] x86/retpoline: Add initial retpoline support
-
-Enable the use of -mindirect-branch=thunk-extern in newer GCC, and provide
-the corresponding thunks. Provide assembler macros for invoking the thunks
-in the same way that GCC does, from native and inline assembler.
-
-This adds X86_FEATURE_RETPOLINE and sets it by default on all CPUs. In
-some circumstances, IBRS microcode features may be used instead, and the
-retpoline can be disabled.
-
-On AMD CPUs if lfence is serialising, the retpoline can be dramatically
-simplified to a simple "lfence; jmp *\reg". A future patch, after it has
-been verified that lfence really is serialising in all circumstances, can
-enable this by setting the X86_FEATURE_RETPOLINE_AMD feature bit in addition
-to X86_FEATURE_RETPOLINE.
-
-Do not align the retpoline in the altinstr section, because there is no
-guarantee that it stays aligned when it's copied over the oldinstr during
-alternative patching.
-
-[ Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks]
-[ tglx: Put actual function CALL/JMP in front of the macros, convert to
-  	symbolic labels ]
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-2-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/Kconfig                      |  13 ++++
- arch/x86/Makefile                     |  10 ++++
- arch/x86/include/asm/asm-prototypes.h |  25 ++++++++
- arch/x86/include/asm/cpufeatures.h    |   2 +
- arch/x86/include/asm/nospec-branch.h  | 109 ++++++++++++++++++++++++++++++++++
- arch/x86/kernel/cpu/common.c          |   4 ++
- arch/x86/lib/Makefile                 |   1 +
- arch/x86/lib/retpoline.S              |  48 +++++++++++++++
- 8 files changed, 212 insertions(+)
- create mode 100644 arch/x86/include/asm/nospec-branch.h
- create mode 100644 arch/x86/lib/retpoline.S
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index e23d21ac745a..d1819161cc6c 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -429,6 +429,19 @@ config GOLDFISH
-        def_bool y
-        depends on X86_GOLDFISH
-
-+config RETPOLINE
-+	bool "Avoid speculative indirect branches in kernel"
-+	default y
-+	help
-+	  Compile kernel with the retpoline compiler options to guard against
-+	  kernel-to-user data leaks by avoiding speculative indirect
-+	  branches. Requires a compiler with -mindirect-branch=thunk-extern
-+	  support for full protection. The kernel may run slower.
-+
-+	  Without compiler support, at least indirect branches in assembler
-+	  code are eliminated. Since this includes the syscall entry path,
-+	  it is not entirely pointless.
-+
- config INTEL_RDT
- 	bool "Intel Resource Director Technology support"
- 	default n
-diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index a20eacd9c7e9..974c61864978 100644
---- a/arch/x86/Makefile
-+++ b/arch/x86/Makefile
-@@ -235,6 +235,16 @@ KBUILD_CFLAGS += -Wno-sign-compare
- #
- KBUILD_CFLAGS += -fno-asynchronous-unwind-tables
-
-+# Avoid indirect branches in kernel to deal with Spectre
-+ifdef CONFIG_RETPOLINE
-+    RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)
-+    ifneq ($(RETPOLINE_CFLAGS),)
-+        KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
-+    else
-+        $(warning CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended.)
-+    endif
-+endif
-+
- archscripts: scripts_basic
- 	$(Q)$(MAKE) $(build)=arch/x86/tools relocs
-
-diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h
-index ff700d81e91e..0927cdc4f946 100644
---- a/arch/x86/include/asm/asm-prototypes.h
-+++ b/arch/x86/include/asm/asm-prototypes.h
-@@ -11,7 +11,32 @@
- #include <asm/pgtable.h>
- #include <asm/special_insns.h>
- #include <asm/preempt.h>
-+#include <asm/asm.h>
-
- #ifndef CONFIG_X86_CMPXCHG64
- extern void cmpxchg8b_emu(void);
- #endif
-+
-+#ifdef CONFIG_RETPOLINE
-+#ifdef CONFIG_X86_32
-+#define INDIRECT_THUNK(reg) extern asmlinkage void __x86_indirect_thunk_e ## reg(void);
-+#else
-+#define INDIRECT_THUNK(reg) extern asmlinkage void __x86_indirect_thunk_r ## reg(void);
-+INDIRECT_THUNK(8)
-+INDIRECT_THUNK(9)
-+INDIRECT_THUNK(10)
-+INDIRECT_THUNK(11)
-+INDIRECT_THUNK(12)
-+INDIRECT_THUNK(13)
-+INDIRECT_THUNK(14)
-+INDIRECT_THUNK(15)
-+#endif
-+INDIRECT_THUNK(ax)
-+INDIRECT_THUNK(bx)
-+INDIRECT_THUNK(cx)
-+INDIRECT_THUNK(dx)
-+INDIRECT_THUNK(si)
-+INDIRECT_THUNK(di)
-+INDIRECT_THUNK(bp)
-+INDIRECT_THUNK(sp)
-+#endif /* CONFIG_RETPOLINE */
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 1641c2f96363..f275447862f4 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -203,6 +203,8 @@
- #define X86_FEATURE_PROC_FEEDBACK	( 7*32+ 9) /* AMD ProcFeedbackInterface */
- #define X86_FEATURE_SME			( 7*32+10) /* AMD Secure Memory Encryption */
- #define X86_FEATURE_PTI			( 7*32+11) /* Kernel Page Table Isolation enabled */
-+#define X86_FEATURE_RETPOLINE		( 7*32+12) /* Generic Retpoline mitigation for Spectre variant 2 */
-+#define X86_FEATURE_RETPOLINE_AMD	( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */
- #define X86_FEATURE_INTEL_PPIN		( 7*32+14) /* Intel Processor Inventory Number */
- #define X86_FEATURE_INTEL_PT		( 7*32+15) /* Intel Processor Trace */
- #define X86_FEATURE_AVX512_4VNNIW	( 7*32+16) /* AVX-512 Neural Network Instructions */
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-new file mode 100644
-index 000000000000..7f58713b27c4
---- /dev/null
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -0,0 +1,109 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+
-+#ifndef __NOSPEC_BRANCH_H__
-+#define __NOSPEC_BRANCH_H__
-+
-+#include <asm/alternative.h>
-+#include <asm/alternative-asm.h>
-+#include <asm/cpufeatures.h>
-+
-+#ifdef __ASSEMBLY__
-+
-+/*
-+ * These are the bare retpoline primitives for indirect jmp and call.
-+ * Do not use these directly; they only exist to make the ALTERNATIVE
-+ * invocation below less ugly.
-+ */
-+.macro RETPOLINE_JMP reg:req
-+	call	.Ldo_rop_\@
-+.Lspec_trap_\@:
-+	pause
-+	jmp	.Lspec_trap_\@
-+.Ldo_rop_\@:
-+	mov	\reg, (%_ASM_SP)
-+	ret
-+.endm
-+
-+/*
-+ * This is a wrapper around RETPOLINE_JMP so the called function in reg
-+ * returns to the instruction after the macro.
-+ */
-+.macro RETPOLINE_CALL reg:req
-+	jmp	.Ldo_call_\@
-+.Ldo_retpoline_jmp_\@:
-+	RETPOLINE_JMP \reg
-+.Ldo_call_\@:
-+	call	.Ldo_retpoline_jmp_\@
-+.endm
-+
-+/*
-+ * JMP_NOSPEC and CALL_NOSPEC macros can be used instead of a simple
-+ * indirect jmp/call which may be susceptible to the Spectre variant 2
-+ * attack.
-+ */
-+.macro JMP_NOSPEC reg:req
-+#ifdef CONFIG_RETPOLINE
-+	ALTERNATIVE_2 __stringify(jmp *\reg),				\
-+		__stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE,	\
-+		__stringify(lfence; jmp *\reg), X86_FEATURE_RETPOLINE_AMD
-+#else
-+	jmp	*\reg
-+#endif
-+.endm
-+
-+.macro CALL_NOSPEC reg:req
-+#ifdef CONFIG_RETPOLINE
-+	ALTERNATIVE_2 __stringify(call *\reg),				\
-+		__stringify(RETPOLINE_CALL \reg), X86_FEATURE_RETPOLINE,\
-+		__stringify(lfence; call *\reg), X86_FEATURE_RETPOLINE_AMD
-+#else
-+	call	*\reg
-+#endif
-+.endm
-+
-+#else /* __ASSEMBLY__ */
-+
-+#if defined(CONFIG_X86_64) && defined(RETPOLINE)
-+/*
-+ * Since the inline asm uses the %V modifier which is only in newer GCC,
-+ * the 64-bit one is dependent on RETPOLINE not CONFIG_RETPOLINE.
-+ */
-+# define CALL_NOSPEC ALTERNATIVE(				\
-+	"call *%[thunk_target]\n",				\
-+	"call __x86_indirect_thunk_%V[thunk_target]\n",		\
-+	X86_FEATURE_RETPOLINE)
-+# define THUNK_TARGET(addr) [thunk_target] "r" (addr)
-+#elif defined(CONFIG_X86_32) && defined(CONFIG_RETPOLINE)
-+/*
-+ * For i386 we use the original ret-equivalent retpoline, because
-+ * otherwise we'll run out of registers. We don't care about CET
-+ * here, anyway.
-+ */
-+# define CALL_NOSPEC ALTERNATIVE(				\
-+	"call	*%[thunk_target]\n",				\
-+	""							\
-+	"       jmp    do_call%=;\n"				\
-+	"       .align 16\n"					\
-+	"do_retpoline%=:\n"					\
-+	"	call   do_rop%=;\n"				\
-+	"spec_trap%=:\n"					\
-+	"	pause;\n"					\
-+	"       jmp    spec_trap%=;\n"				\
-+	"       .align 16\n"					\
-+	"do_rop%=:\n"						\
-+	"	addl   $4, %%esp;\n"				\
-+	"       pushl  %[thunk_target];\n"			\
-+	"       ret;\n"						\
-+	"       .align 16\n"					\
-+	"do_call%=:\n"						\
-+	"	call   do_retpoline%=;\n",			\
-+	X86_FEATURE_RETPOLINE)
-+
-+# define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
-+#else /* No retpoline */
-+# define CALL_NOSPEC "call *%[thunk_target]\n"
-+# define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
-+#endif
-+
-+#endif /* __ASSEMBLY__ */
-+#endif /* __NOSPEC_BRANCH_H__ */
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 372ba3fb400f..7a671d1ae3cb 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -905,6 +905,10 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
- 	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
- 	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-
-+#ifdef CONFIG_RETPOLINE
-+	setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
-+#endif
-+
- 	fpu__init_system(c);
-
- #ifdef CONFIG_X86_32
-diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile
-index 457f681ef379..d435c89875c1 100644
---- a/arch/x86/lib/Makefile
-+++ b/arch/x86/lib/Makefile
-@@ -26,6 +26,7 @@ lib-y += memcpy_$(BITS).o
- lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o
- lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o
- lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o
-+lib-$(CONFIG_RETPOLINE) += retpoline.o
-
- obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
-
-diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
-new file mode 100644
-index 000000000000..cb45c6cb465f
---- /dev/null
-+++ b/arch/x86/lib/retpoline.S
-@@ -0,0 +1,48 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+
-+#include <linux/stringify.h>
-+#include <linux/linkage.h>
-+#include <asm/dwarf2.h>
-+#include <asm/cpufeatures.h>
-+#include <asm/alternative-asm.h>
-+#include <asm/export.h>
-+#include <asm/nospec-branch.h>
-+
-+.macro THUNK reg
-+	.section .text.__x86.indirect_thunk.\reg
-+
-+ENTRY(__x86_indirect_thunk_\reg)
-+	CFI_STARTPROC
-+	JMP_NOSPEC %\reg
-+	CFI_ENDPROC
-+ENDPROC(__x86_indirect_thunk_\reg)
-+.endm
-+
-+/*
-+ * Despite being an assembler file we can't just use .irp here
-+ * because __KSYM_DEPS__ only uses the C preprocessor and would
-+ * only see one instance of "__x86_indirect_thunk_\reg" rather
-+ * than one per register with the correct names. So we do it
-+ * the simple and nasty way...
-+ */
-+#define EXPORT_THUNK(reg) EXPORT_SYMBOL(__x86_indirect_thunk_ ## reg)
-+#define GENERATE_THUNK(reg) THUNK reg ; EXPORT_THUNK(reg)
-+
-+GENERATE_THUNK(_ASM_AX)
-+GENERATE_THUNK(_ASM_BX)
-+GENERATE_THUNK(_ASM_CX)
-+GENERATE_THUNK(_ASM_DX)
-+GENERATE_THUNK(_ASM_SI)
-+GENERATE_THUNK(_ASM_DI)
-+GENERATE_THUNK(_ASM_BP)
-+GENERATE_THUNK(_ASM_SP)
-+#ifdef CONFIG_64BIT
-+GENERATE_THUNK(r8)
-+GENERATE_THUNK(r9)
-+GENERATE_THUNK(r10)
-+GENERATE_THUNK(r11)
-+GENERATE_THUNK(r12)
-+GENERATE_THUNK(r13)
-+GENERATE_THUNK(r14)
-+GENERATE_THUNK(r15)
-+#endif
--- 
-2.14.3
-
-From 59b6e22f92f9a86dbd0798db72adc97bdb831f86 Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Tue, 9 Jan 2018 14:43:08 +0000
-Subject: [PATCH 02/10] x86/retpoline: Temporarily disable objtool when
- CONFIG_RETPOLINE=y
-
-objtool's assembler currently cannot deal with the code generated by the
-retpoline compiler and throws hundreds of warnings, mostly because it sees
-calls that don't have a symbolic target.
-
-Exclude all the options that rely on objtool when RETPOLINE is active.
-
-This mainly means that the kernel has to fallback to use the frame pointer
-unwinder and livepatch is not supported.
-
-Josh is looking into resolving the issue.
-
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-3-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/Kconfig       | 4 ++--
- arch/x86/Kconfig.debug | 6 +++---
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index d1819161cc6c..abeac4b80b74 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -172,8 +172,8 @@ config X86
- 	select HAVE_PERF_USER_STACK_DUMP
- 	select HAVE_RCU_TABLE_FREE
- 	select HAVE_REGS_AND_STACK_ACCESS_API
--	select HAVE_RELIABLE_STACKTRACE		if X86_64 && UNWINDER_FRAME_POINTER && STACK_VALIDATION
--	select HAVE_STACK_VALIDATION		if X86_64
-+	select HAVE_RELIABLE_STACKTRACE		if X86_64 && UNWINDER_FRAME_POINTER && STACK_VALIDATION && !RETPOLINE
-+	select HAVE_STACK_VALIDATION		if X86_64 && !RETPOLINE
- 	select HAVE_SYSCALL_TRACEPOINTS
- 	select HAVE_UNSTABLE_SCHED_CLOCK
- 	select HAVE_USER_RETURN_NOTIFIER
-diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
-index 6293a8768a91..9f3928d744bc 100644
---- a/arch/x86/Kconfig.debug
-+++ b/arch/x86/Kconfig.debug
-@@ -359,8 +359,8 @@ config PUNIT_ATOM_DEBUG
-
- choice
- 	prompt "Choose kernel unwinder"
--	default UNWINDER_ORC if X86_64
--	default UNWINDER_FRAME_POINTER if X86_32
-+	default UNWINDER_ORC if X86_64 && !RETPOLINE
-+	default UNWINDER_FRAME_POINTER if X86_32 || RETPOLINE
- 	---help---
- 	  This determines which method will be used for unwinding kernel stack
- 	  traces for panics, oopses, bugs, warnings, perf, /proc/<pid>/stack,
-@@ -368,7 +368,7 @@ choice
-
- config UNWINDER_ORC
- 	bool "ORC unwinder"
--	depends on X86_64
-+	depends on X86_64 && !RETPOLINE
- 	select STACK_VALIDATION
- 	---help---
- 	  This option enables the ORC (Oops Rewind Capability) unwinder for
--- 
-2.14.3
-
-From 86d057614112971f7d5bbac45f67869adca79852 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:09 +0000
-Subject: [PATCH 03/10] x86/spectre: Add boot time option to select Spectre v2
- mitigation
-
-Add a spectre_v2= option to select the mitigation used for the indirect
-branch speculation vulnerability.
-
-Currently, the only option available is retpoline, in its various forms.
-This will be expanded to cover the new IBRS/IBPB microcode features.
-
-The RETPOLINE_AMD feature relies on a serializing LFENCE for speculation
-control. For AMD hardware, only set RETPOLINE_AMD if LFENCE is a
-serializing instruction, which is indicated by the LFENCE_RDTSC feature.
-
-[ tglx: Folded back the LFENCE/AMD fixes and reworked it so IBRS
-  	integration becomes simple ]
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Cc: Tom Lendacky <thomas.lendacky@amd.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-4-git-send-email-dwmw@amazon.co.uk
----
- Documentation/admin-guide/kernel-parameters.txt |  28 +++++
- arch/x86/include/asm/nospec-branch.h            |  10 ++
- arch/x86/kernel/cpu/bugs.c                      | 158 +++++++++++++++++++++++-
- arch/x86/kernel/cpu/common.c                    |   4 -
- 4 files changed, 195 insertions(+), 5 deletions(-)
-
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 905991745d26..8122b5f98ea1 100644
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2599,6 +2599,11 @@
- 	nosmt		[KNL,S390] Disable symmetric multithreading (SMT).
- 			Equivalent to smt=1.
-
-+	nospectre_v2	[X86] Disable all mitigations for the Spectre variant 2
-+			(indirect branch prediction) vulnerability. System may
-+			allow data leaks with this option, which is equivalent
-+			to spectre_v2=off.
-+
- 	noxsave		[BUGS=X86] Disables x86 extended register state save
- 			and restore using xsave. The kernel will fallback to
- 			enabling legacy floating-point and sse state.
-@@ -3908,6 +3913,29 @@
- 	sonypi.*=	[HW] Sony Programmable I/O Control Device driver
- 			See Documentation/laptops/sonypi.txt
-
-+	spectre_v2=	[X86] Control mitigation of Spectre variant 2
-+			(indirect branch speculation) vulnerability.
-+
-+			on   - unconditionally enable
-+			off  - unconditionally disable
-+			auto - kernel detects whether your CPU model is
-+			       vulnerable
-+
-+			Selecting 'on' will, and 'auto' may, choose a
-+			mitigation method at run time according to the
-+			CPU, the available microcode, the setting of the
-+			CONFIG_RETPOLINE configuration option, and the
-+			compiler with which the kernel was built.
-+
-+			Specific mitigations can also be selected manually:
-+
-+			retpoline	  - replace indirect branches
-+			retpoline,generic - google's original retpoline
-+			retpoline,amd     - AMD-specific minimal thunk
-+
-+			Not specifying this option is equivalent to
-+			spectre_v2=auto.
-+
- 	spia_io_base=	[HW,MTD]
- 	spia_fio_base=
- 	spia_pedr=
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 7f58713b27c4..7d70ea977fbe 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -105,5 +105,15 @@
- # define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
- #endif
-
-+/* The Spectre V2 mitigation variants */
-+enum spectre_v2_mitigation {
-+	SPECTRE_V2_NONE,
-+	SPECTRE_V2_RETPOLINE_MINIMAL,
-+	SPECTRE_V2_RETPOLINE_MINIMAL_AMD,
-+	SPECTRE_V2_RETPOLINE_GENERIC,
-+	SPECTRE_V2_RETPOLINE_AMD,
-+	SPECTRE_V2_IBRS,
-+};
-+
- #endif /* __ASSEMBLY__ */
- #endif /* __NOSPEC_BRANCH_H__ */
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 76ad6cb44b40..e4dc26185aa7 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -11,6 +11,9 @@
- #include <linux/init.h>
- #include <linux/utsname.h>
- #include <linux/cpu.h>
-+
-+#include <asm/nospec-branch.h>
-+#include <asm/cmdline.h>
- #include <asm/bugs.h>
- #include <asm/processor.h>
- #include <asm/processor-flags.h>
-@@ -21,6 +24,8 @@
- #include <asm/pgtable.h>
- #include <asm/set_memory.h>
-
-+static void __init spectre_v2_select_mitigation(void);
-+
- void __init check_bugs(void)
- {
- 	identify_boot_cpu();
-@@ -30,6 +35,9 @@ void __init check_bugs(void)
- 		print_cpu_info(&boot_cpu_data);
- 	}
-
-+	/* Select the proper spectre mitigation before patching alternatives */
-+	spectre_v2_select_mitigation();
-+
- #ifdef CONFIG_X86_32
- 	/*
- 	 * Check whether we are able to run this kernel safely on SMP.
-@@ -62,6 +70,153 @@ void __init check_bugs(void)
- #endif
- }
-
-+/* The kernel command line selection */
-+enum spectre_v2_mitigation_cmd {
-+	SPECTRE_V2_CMD_NONE,
-+	SPECTRE_V2_CMD_AUTO,
-+	SPECTRE_V2_CMD_FORCE,
-+	SPECTRE_V2_CMD_RETPOLINE,
-+	SPECTRE_V2_CMD_RETPOLINE_GENERIC,
-+	SPECTRE_V2_CMD_RETPOLINE_AMD,
-+};
-+
-+static const char *spectre_v2_strings[] = {
-+	[SPECTRE_V2_NONE]			= "Vulnerable",
-+	[SPECTRE_V2_RETPOLINE_MINIMAL]		= "Vulnerable: Minimal generic ASM retpoline",
-+	[SPECTRE_V2_RETPOLINE_MINIMAL_AMD]	= "Vulnerable: Minimal AMD ASM retpoline",
-+	[SPECTRE_V2_RETPOLINE_GENERIC]		= "Mitigation: Full generic retpoline",
-+	[SPECTRE_V2_RETPOLINE_AMD]		= "Mitigation: Full AMD retpoline",
-+};
-+
-+#undef pr_fmt
-+#define pr_fmt(fmt)     "Spectre V2 mitigation: " fmt
-+
-+static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
-+
-+static void __init spec2_print_if_insecure(const char *reason)
-+{
-+	if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
-+		pr_info("%s\n", reason);
-+}
-+
-+static void __init spec2_print_if_secure(const char *reason)
-+{
-+	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
-+		pr_info("%s\n", reason);
-+}
-+
-+static inline bool retp_compiler(void)
-+{
-+	return __is_defined(RETPOLINE);
-+}
-+
-+static inline bool match_option(const char *arg, int arglen, const char *opt)
-+{
-+	int len = strlen(opt);
-+
-+	return len == arglen && !strncmp(arg, opt, len);
-+}
-+
-+static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
-+{
-+	char arg[20];
-+	int ret;
-+
-+	ret = cmdline_find_option(boot_command_line, "spectre_v2", arg,
-+				  sizeof(arg));
-+	if (ret > 0)  {
-+		if (match_option(arg, ret, "off")) {
-+			goto disable;
-+		} else if (match_option(arg, ret, "on")) {
-+			spec2_print_if_secure("force enabled on command line.");
-+			return SPECTRE_V2_CMD_FORCE;
-+		} else if (match_option(arg, ret, "retpoline")) {
-+			spec2_print_if_insecure("retpoline selected on command line.");
-+			return SPECTRE_V2_CMD_RETPOLINE;
-+		} else if (match_option(arg, ret, "retpoline,amd")) {
-+			if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
-+				pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n");
-+				return SPECTRE_V2_CMD_AUTO;
-+			}
-+			spec2_print_if_insecure("AMD retpoline selected on command line.");
-+			return SPECTRE_V2_CMD_RETPOLINE_AMD;
-+		} else if (match_option(arg, ret, "retpoline,generic")) {
-+			spec2_print_if_insecure("generic retpoline selected on command line.");
-+			return SPECTRE_V2_CMD_RETPOLINE_GENERIC;
-+		} else if (match_option(arg, ret, "auto")) {
-+			return SPECTRE_V2_CMD_AUTO;
-+		}
-+	}
-+
-+	if (!cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
-+		return SPECTRE_V2_CMD_AUTO;
-+disable:
-+	spec2_print_if_insecure("disabled on command line.");
-+	return SPECTRE_V2_CMD_NONE;
-+}
-+
-+static void __init spectre_v2_select_mitigation(void)
-+{
-+	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
-+	enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
-+
-+	/*
-+	 * If the CPU is not affected and the command line mode is NONE or AUTO
-+	 * then nothing to do.
-+	 */
-+	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
-+	    (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
-+		return;
-+
-+	switch (cmd) {
-+	case SPECTRE_V2_CMD_NONE:
-+		return;
-+
-+	case SPECTRE_V2_CMD_FORCE:
-+		/* FALLTRHU */
-+	case SPECTRE_V2_CMD_AUTO:
-+		goto retpoline_auto;
-+
-+	case SPECTRE_V2_CMD_RETPOLINE_AMD:
-+		if (IS_ENABLED(CONFIG_RETPOLINE))
-+			goto retpoline_amd;
-+		break;
-+	case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
-+		if (IS_ENABLED(CONFIG_RETPOLINE))
-+			goto retpoline_generic;
-+		break;
-+	case SPECTRE_V2_CMD_RETPOLINE:
-+		if (IS_ENABLED(CONFIG_RETPOLINE))
-+			goto retpoline_auto;
-+		break;
-+	}
-+	pr_err("kernel not compiled with retpoline; no mitigation available!");
-+	return;
-+
-+retpoline_auto:
-+	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
-+	retpoline_amd:
-+		if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
-+			pr_err("LFENCE not serializing. Switching to generic retpoline\n");
-+			goto retpoline_generic;
-+		}
-+		mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD :
-+					 SPECTRE_V2_RETPOLINE_MINIMAL_AMD;
-+		setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD);
-+		setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
-+	} else {
-+	retpoline_generic:
-+		mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_GENERIC :
-+					 SPECTRE_V2_RETPOLINE_MINIMAL;
-+		setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
-+	}
-+
-+	spectre_v2_enabled = mode;
-+	pr_info("%s\n", spectre_v2_strings[mode]);
-+}
-+
-+#undef pr_fmt
-+
- #ifdef CONFIG_SYSFS
- ssize_t cpu_show_meltdown(struct device *dev,
- 			  struct device_attribute *attr, char *buf)
-@@ -86,6 +241,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
- {
- 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
- 		return sprintf(buf, "Not affected\n");
--	return sprintf(buf, "Vulnerable\n");
-+
-+	return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
- }
- #endif
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 7a671d1ae3cb..372ba3fb400f 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -905,10 +905,6 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
- 	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
- 	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-
--#ifdef CONFIG_RETPOLINE
--	setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
--#endif
--
- 	fpu__init_system(c);
-
- #ifdef CONFIG_X86_32
--- 
-2.14.3
-
-From b3a96862283e68914d1f74f160ab980dacf811ee Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:10 +0000
-Subject: [PATCH 04/10] x86/retpoline/crypto: Convert crypto assembler indirect
- jumps
-
-Convert all indirect jumps in crypto assembler code to use non-speculative
-sequences when CONFIG_RETPOLINE is enabled.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-5-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/crypto/aesni-intel_asm.S            | 5 +++--
- arch/x86/crypto/camellia-aesni-avx-asm_64.S  | 3 ++-
- arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 3 ++-
- arch/x86/crypto/crc32c-pcl-intel-asm_64.S    | 3 ++-
- 4 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S
-index 16627fec80b2..3d09e3aca18d 100644
---- a/arch/x86/crypto/aesni-intel_asm.S
-+++ b/arch/x86/crypto/aesni-intel_asm.S
-@@ -32,6 +32,7 @@
- #include <linux/linkage.h>
- #include <asm/inst.h>
- #include <asm/frame.h>
-+#include <asm/nospec-branch.h>
-
- /*
-  * The following macros are used to move an (un)aligned 16 byte value to/from
-@@ -2884,7 +2885,7 @@ ENTRY(aesni_xts_crypt8)
- 	pxor INC, STATE4
- 	movdqu IV, 0x30(OUTP)
-
--	call *%r11
-+	CALL_NOSPEC %r11
-
- 	movdqu 0x00(OUTP), INC
- 	pxor INC, STATE1
-@@ -2929,7 +2930,7 @@ ENTRY(aesni_xts_crypt8)
- 	_aesni_gf128mul_x_ble()
- 	movups IV, (IVP)
-
--	call *%r11
-+	CALL_NOSPEC %r11
-
- 	movdqu 0x40(OUTP), INC
- 	pxor INC, STATE1
-diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
-index f7c495e2863c..a14af6eb09cb 100644
---- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
-+++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
-@@ -17,6 +17,7 @@
-
- #include <linux/linkage.h>
- #include <asm/frame.h>
-+#include <asm/nospec-branch.h>
-
- #define CAMELLIA_TABLE_BYTE_LEN 272
-
-@@ -1227,7 +1228,7 @@ camellia_xts_crypt_16way:
- 	vpxor 14 * 16(%rax), %xmm15, %xmm14;
- 	vpxor 15 * 16(%rax), %xmm15, %xmm15;
-
--	call *%r9;
-+	CALL_NOSPEC %r9;
-
- 	addq $(16 * 16), %rsp;
-
-diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
-index eee5b3982cfd..b66bbfa62f50 100644
---- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
-+++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
-@@ -12,6 +12,7 @@
-
- #include <linux/linkage.h>
- #include <asm/frame.h>
-+#include <asm/nospec-branch.h>
-
- #define CAMELLIA_TABLE_BYTE_LEN 272
-
-@@ -1343,7 +1344,7 @@ camellia_xts_crypt_32way:
- 	vpxor 14 * 32(%rax), %ymm15, %ymm14;
- 	vpxor 15 * 32(%rax), %ymm15, %ymm15;
-
--	call *%r9;
-+	CALL_NOSPEC %r9;
-
- 	addq $(16 * 32), %rsp;
-
-diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
-index 7a7de27c6f41..d9b734d0c8cc 100644
---- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
-+++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
-@@ -45,6 +45,7 @@
-
- #include <asm/inst.h>
- #include <linux/linkage.h>
-+#include <asm/nospec-branch.h>
-
- ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction
-
-@@ -172,7 +173,7 @@ continue_block:
- 	movzxw  (bufp, %rax, 2), len
- 	lea	crc_array(%rip), bufp
- 	lea     (bufp, len, 1), bufp
--	jmp     *bufp
-+	JMP_NOSPEC bufp
-
- 	################################################################
- 	## 2a) PROCESS FULL BLOCKS:
--- 
-2.14.3
-
-From 2558106c7a47e16968a10fa66eea78a096fabfe6 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:11 +0000
-Subject: [PATCH 05/10] x86/retpoline/entry: Convert entry assembler indirect
- jumps
-
-Convert indirect jumps in core 32/64bit entry assembler code to use
-non-speculative sequences when CONFIG_RETPOLINE is enabled.
-
-Don't use CALL_NOSPEC in entry_SYSCALL_64_fastpath because the return
-address after the 'call' instruction must be *precisely* at the
-.Lentry_SYSCALL_64_after_fastpath label for stub_ptregs_64 to work,
-and the use of alternatives will mess that up unless we play horrid
-games to prepend with NOPs and make the variants the same length. It's
-not worth it; in the case where we ALTERNATIVE out the retpoline, the
-first instruction at __x86.indirect_thunk.rax is going to be a bare
-jmp *%rax anyway.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-6-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/entry/entry_32.S |  5 +++--
- arch/x86/entry/entry_64.S | 12 +++++++++---
- 2 files changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
-index ace8f321a5a1..a1f28a54f23a 100644
---- a/arch/x86/entry/entry_32.S
-+++ b/arch/x86/entry/entry_32.S
-@@ -44,6 +44,7 @@
- #include <asm/asm.h>
- #include <asm/smap.h>
- #include <asm/frame.h>
-+#include <asm/nospec-branch.h>
-
- 	.section .entry.text, "ax"
-
-@@ -290,7 +291,7 @@ ENTRY(ret_from_fork)
-
- 	/* kernel thread */
- 1:	movl	%edi, %eax
--	call	*%ebx
-+	CALL_NOSPEC %ebx
- 	/*
- 	 * A kernel thread is allowed to return here after successfully
- 	 * calling do_execve().  Exit to userspace to complete the execve()
-@@ -919,7 +920,7 @@ common_exception:
- 	movl	%ecx, %es
- 	TRACE_IRQS_OFF
- 	movl	%esp, %eax			# pt_regs pointer
--	call	*%edi
-+	CALL_NOSPEC %edi
- 	jmp	ret_from_exception
- END(common_exception)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index ed31d00dc5ee..59874bc1aed2 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -37,6 +37,7 @@
- #include <asm/pgtable_types.h>
- #include <asm/export.h>
- #include <asm/frame.h>
-+#include <asm/nospec-branch.h>
- #include <linux/err.h>
-
- #include "calling.h"
-@@ -187,7 +188,7 @@ ENTRY(entry_SYSCALL_64_trampoline)
- 	 */
- 	pushq	%rdi
- 	movq	$entry_SYSCALL_64_stage2, %rdi
--	jmp	*%rdi
-+	JMP_NOSPEC %rdi
- END(entry_SYSCALL_64_trampoline)
-
- 	.popsection
-@@ -266,7 +267,12 @@ entry_SYSCALL_64_fastpath:
- 	 * It might end up jumping to the slow path.  If it jumps, RAX
- 	 * and all argument registers are clobbered.
- 	 */
-+#ifdef CONFIG_RETPOLINE
-+	movq	sys_call_table(, %rax, 8), %rax
-+	call	__x86_indirect_thunk_rax
-+#else
- 	call	*sys_call_table(, %rax, 8)
-+#endif
- .Lentry_SYSCALL_64_after_fastpath_call:
-
- 	movq	%rax, RAX(%rsp)
-@@ -438,7 +444,7 @@ ENTRY(stub_ptregs_64)
- 	jmp	entry_SYSCALL64_slow_path
-
- 1:
--	jmp	*%rax				/* Called from C */
-+	JMP_NOSPEC %rax				/* Called from C */
- END(stub_ptregs_64)
-
- .macro ptregs_stub func
-@@ -517,7 +523,7 @@ ENTRY(ret_from_fork)
- 1:
- 	/* kernel thread */
- 	movq	%r12, %rdi
--	call	*%rbx
-+	CALL_NOSPEC %rbx
- 	/*
- 	 * A kernel thread is allowed to return here after successfully
- 	 * calling do_execve().  Exit to userspace to complete the execve()
--- 
-2.14.3
-
-From 42f7c812022441ffba2d5ccca3acf6380201f19e Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:12 +0000
-Subject: [PATCH 06/10] x86/retpoline/ftrace: Convert ftrace assembler indirect
- jumps
-
-Convert all indirect jumps in ftrace assembler code to use non-speculative
-sequences when CONFIG_RETPOLINE is enabled.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-7-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/kernel/ftrace_32.S | 6 ++++--
- arch/x86/kernel/ftrace_64.S | 8 ++++----
- 2 files changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/arch/x86/kernel/ftrace_32.S b/arch/x86/kernel/ftrace_32.S
-index b6c6468e10bc..4c8440de3355 100644
---- a/arch/x86/kernel/ftrace_32.S
-+++ b/arch/x86/kernel/ftrace_32.S
-@@ -8,6 +8,7 @@
- #include <asm/segment.h>
- #include <asm/export.h>
- #include <asm/ftrace.h>
-+#include <asm/nospec-branch.h>
-
- #ifdef CC_USING_FENTRY
- # define function_hook	__fentry__
-@@ -197,7 +198,8 @@ ftrace_stub:
- 	movl	0x4(%ebp), %edx
- 	subl	$MCOUNT_INSN_SIZE, %eax
-
--	call	*ftrace_trace_function
-+	movl	ftrace_trace_function, %ecx
-+	CALL_NOSPEC %ecx
-
- 	popl	%edx
- 	popl	%ecx
-@@ -241,5 +243,5 @@ return_to_handler:
- 	movl	%eax, %ecx
- 	popl	%edx
- 	popl	%eax
--	jmp	*%ecx
-+	JMP_NOSPEC %ecx
- #endif
-diff --git a/arch/x86/kernel/ftrace_64.S b/arch/x86/kernel/ftrace_64.S
-index c832291d948a..7cb8ba08beb9 100644
---- a/arch/x86/kernel/ftrace_64.S
-+++ b/arch/x86/kernel/ftrace_64.S
-@@ -7,7 +7,7 @@
- #include <asm/ptrace.h>
- #include <asm/ftrace.h>
- #include <asm/export.h>
--
-+#include <asm/nospec-branch.h>
-
- 	.code64
- 	.section .entry.text, "ax"
-@@ -286,8 +286,8 @@ trace:
- 	 * ip and parent ip are used and the list function is called when
- 	 * function tracing is enabled.
- 	 */
--	call   *ftrace_trace_function
--
-+	movq ftrace_trace_function, %r8
-+	CALL_NOSPEC %r8
- 	restore_mcount_regs
-
- 	jmp fgraph_trace
-@@ -329,5 +329,5 @@ GLOBAL(return_to_handler)
- 	movq 8(%rsp), %rdx
- 	movq (%rsp), %rax
- 	addq $24, %rsp
--	jmp *%rdi
-+	JMP_NOSPEC %rdi
- #endif
--- 
-2.14.3
-
-From f14fd95d2f3e611619756ea3c008aee3b4bd4978 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:13 +0000
-Subject: [PATCH 07/10] x86/retpoline/hyperv: Convert assembler indirect jumps
-
-Convert all indirect jumps in hyperv inline asm code to use non-speculative
-sequences when CONFIG_RETPOLINE is enabled.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-8-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/include/asm/mshyperv.h | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/include/asm/mshyperv.h b/arch/x86/include/asm/mshyperv.h
-index 581bb54dd464..5119e4b555cc 100644
---- a/arch/x86/include/asm/mshyperv.h
-+++ b/arch/x86/include/asm/mshyperv.h
-@@ -7,6 +7,7 @@
- #include <linux/nmi.h>
- #include <asm/io.h>
- #include <asm/hyperv.h>
-+#include <asm/nospec-branch.h>
-
- /*
-  * The below CPUID leaves are present if VersionAndFeatures.HypervisorPresent
-@@ -186,10 +187,11 @@ static inline u64 hv_do_hypercall(u64 control, void *input, void *output)
- 		return U64_MAX;
-
- 	__asm__ __volatile__("mov %4, %%r8\n"
--			     "call *%5"
-+			     CALL_NOSPEC
- 			     : "=a" (hv_status), ASM_CALL_CONSTRAINT,
- 			       "+c" (control), "+d" (input_address)
--			     :  "r" (output_address), "m" (hv_hypercall_pg)
-+			     :  "r" (output_address),
-+				THUNK_TARGET(hv_hypercall_pg)
- 			     : "cc", "memory", "r8", "r9", "r10", "r11");
- #else
- 	u32 input_address_hi = upper_32_bits(input_address);
-@@ -200,13 +202,13 @@ static inline u64 hv_do_hypercall(u64 control, void *input, void *output)
- 	if (!hv_hypercall_pg)
- 		return U64_MAX;
-
--	__asm__ __volatile__("call *%7"
-+	__asm__ __volatile__(CALL_NOSPEC
- 			     : "=A" (hv_status),
- 			       "+c" (input_address_lo), ASM_CALL_CONSTRAINT
- 			     : "A" (control),
- 			       "b" (input_address_hi),
- 			       "D"(output_address_hi), "S"(output_address_lo),
--			       "m" (hv_hypercall_pg)
-+			       THUNK_TARGET(hv_hypercall_pg)
- 			     : "cc", "memory");
- #endif /* !x86_64 */
- 	return hv_status;
-@@ -227,10 +229,10 @@ static inline u64 hv_do_fast_hypercall8(u16 code, u64 input1)
-
- #ifdef CONFIG_X86_64
- 	{
--		__asm__ __volatile__("call *%4"
-+		__asm__ __volatile__(CALL_NOSPEC
- 				     : "=a" (hv_status), ASM_CALL_CONSTRAINT,
- 				       "+c" (control), "+d" (input1)
--				     : "m" (hv_hypercall_pg)
-+				     : THUNK_TARGET(hv_hypercall_pg)
- 				     : "cc", "r8", "r9", "r10", "r11");
- 	}
- #else
-@@ -238,13 +240,13 @@ static inline u64 hv_do_fast_hypercall8(u16 code, u64 input1)
- 		u32 input1_hi = upper_32_bits(input1);
- 		u32 input1_lo = lower_32_bits(input1);
-
--		__asm__ __volatile__ ("call *%5"
-+		__asm__ __volatile__ (CALL_NOSPEC
- 				      : "=A"(hv_status),
- 					"+c"(input1_lo),
- 					ASM_CALL_CONSTRAINT
- 				      :	"A" (control),
- 					"b" (input1_hi),
--					"m" (hv_hypercall_pg)
-+					THUNK_TARGET(hv_hypercall_pg)
- 				      : "cc", "edi", "esi");
- 	}
- #endif
--- 
-2.14.3
-
-From b569cb1e72bda00e7e6245519fe7d0d0ab13898e Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:14 +0000
-Subject: [PATCH 08/10] x86/retpoline/xen: Convert Xen hypercall indirect jumps
-
-Convert indirect call in Xen hypercall to use non-speculative sequence,
-when CONFIG_RETPOLINE is enabled.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-9-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/include/asm/xen/hypercall.h | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
-index 7cb282e9e587..bfd882617613 100644
---- a/arch/x86/include/asm/xen/hypercall.h
-+++ b/arch/x86/include/asm/xen/hypercall.h
-@@ -44,6 +44,7 @@
- #include <asm/page.h>
- #include <asm/pgtable.h>
- #include <asm/smap.h>
-+#include <asm/nospec-branch.h>
-
- #include <xen/interface/xen.h>
- #include <xen/interface/sched.h>
-@@ -217,9 +218,9 @@ privcmd_call(unsigned call,
- 	__HYPERCALL_5ARG(a1, a2, a3, a4, a5);
-
- 	stac();
--	asm volatile("call *%[call]"
-+	asm volatile(CALL_NOSPEC
- 		     : __HYPERCALL_5PARAM
--		     : [call] "a" (&hypercall_page[call])
-+		     : [thunk_target] "a" (&hypercall_page[call])
- 		     : __HYPERCALL_CLOBBER5);
- 	clac();
-
--- 
-2.14.3
-
-From 96f71b3a482e918991d165eb7a6b42eb9a9ef735 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Tue, 9 Jan 2018 14:43:15 +0000
-Subject: [PATCH 09/10] x86/retpoline/checksum32: Convert assembler indirect
- jumps
-
-Convert all indirect jumps in 32bit checksum assembler code to use
-non-speculative sequences when CONFIG_RETPOLINE is enabled.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-10-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/lib/checksum_32.S | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
-index 4d34bb548b41..46e71a74e612 100644
---- a/arch/x86/lib/checksum_32.S
-+++ b/arch/x86/lib/checksum_32.S
-@@ -29,7 +29,8 @@
- #include <asm/errno.h>
- #include <asm/asm.h>
- #include <asm/export.h>
--				
-+#include <asm/nospec-branch.h>
-+
- /*
-  * computes a partial checksum, e.g. for TCP/UDP fragments
-  */
-@@ -156,7 +157,7 @@ ENTRY(csum_partial)
- 	negl %ebx
- 	lea 45f(%ebx,%ebx,2), %ebx
- 	testl %esi, %esi
--	jmp *%ebx
-+	JMP_NOSPEC %ebx
-
- 	# Handle 2-byte-aligned regions
- 20:	addw (%esi), %ax
-@@ -439,7 +440,7 @@ ENTRY(csum_partial_copy_generic)
- 	andl $-32,%edx
- 	lea 3f(%ebx,%ebx), %ebx
- 	testl %esi, %esi 
--	jmp *%ebx
-+	JMP_NOSPEC %ebx
- 1:	addl $64,%esi
- 	addl $64,%edi 
- 	SRC(movb -32(%edx),%bl)	; SRC(movb (%edx),%bl)
--- 
-2.14.3
-
-From 9080a45e302772c068f73bc24b3304a416fe2daf Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Tue, 9 Jan 2018 14:43:16 +0000
-Subject: [PATCH 10/10] x86/retpoline/irq32: Convert assembler indirect jumps
-
-Convert all indirect jumps in 32bit irq inline asm code to use non
-speculative sequences.
-
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Arjan van de Ven <arjan@linux.intel.com>
-Acked-by: Ingo Molnar <mingo@kernel.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1515508997-6154-11-git-send-email-dwmw@amazon.co.uk
----
- arch/x86/kernel/irq_32.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
-index a83b3346a0e1..c1bdbd3d3232 100644
---- a/arch/x86/kernel/irq_32.c
-+++ b/arch/x86/kernel/irq_32.c
-@@ -20,6 +20,7 @@
- #include <linux/mm.h>
-
- #include <asm/apic.h>
-+#include <asm/nospec-branch.h>
-
- #ifdef CONFIG_DEBUG_STACKOVERFLOW
-
-@@ -55,11 +56,11 @@ DEFINE_PER_CPU(struct irq_stack *, softirq_stack);
- static void call_on_stack(void *func, void *stack)
- {
- 	asm volatile("xchgl	%%ebx,%%esp	\n"
--		     "call	*%%edi		\n"
-+		     CALL_NOSPEC
- 		     "movl	%%ebx,%%esp	\n"
- 		     : "=b" (stack)
- 		     : "0" (stack),
--		       "D"(func)
-+		       [thunk_target] "D"(func)
- 		     : "memory", "cc", "edx", "ecx", "eax");
- }
-
-@@ -95,11 +96,11 @@ static inline int execute_on_irq_stack(int overflow, struct irq_desc *desc)
- 		call_on_stack(print_stack_overflow, isp);
-
- 	asm volatile("xchgl	%%ebx,%%esp	\n"
--		     "call	*%%edi		\n"
-+		     CALL_NOSPEC
- 		     "movl	%%ebx,%%esp	\n"
- 		     : "=a" (arg1), "=b" (isp)
- 		     :  "0" (desc),   "1" (isp),
--			"D" (desc->handle_irq)
-+			[thunk_target] "D" (desc->handle_irq)
- 		     : "memory", "cc", "ecx");
- 	return 1;
- }
--- 
-2.14.3
-
diff --git a/freed-ora/current/f27/sources b/freed-ora/current/f27/sources
index b0120913b..950f62aa3 100644
--- a/freed-ora/current/f27/sources
+++ b/freed-ora/current/f27/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-libre-4.14-gnu.tar.xz) = 0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e684147ebed91d1528d2685423dd784c5fca0f3650f874f2b93cfc6b7689b9a87f
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14-gnu-4.14.13-gnu.xz) = de1fa0d7cf58d2864dab397c3e8a4f1512a93619c36bacf155084a741d7b048e712c2df87711c2dd4d46d0a556e2c47c796ada76cf7c5eb4c8646e06dcade295
+SHA512 (patch-4.14-gnu-4.14.14-gnu.xz) = 65be470943aa3b3c93d518cf025130d7342c728fb22a9583b6d4b77a359d2c768d13ff60cc374d10411effbf8f89bf1d063c6129931bb4f2caa475954019eae0
diff --git a/freed-ora/current/f27/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch b/freed-ora/current/f27/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
deleted file mode 100644
index f3767cda5..000000000
--- a/freed-ora/current/f27/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From patchwork Fri Dec 15 01:40:50 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: [v4] KVM: Fix stack-out-of-bounds read in write_mmio
-From: Wanpeng Li <kernellwp@gmail.com>
-X-Patchwork-Id: 10113513
-Message-Id: <1513302050-14253-1-git-send-email-wanpeng.li@hotmail.com>
-To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
-Cc: Paolo Bonzini <pbonzini@redhat.com>,
- =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
- Wanpeng Li <wanpeng.li@hotmail.com>, Marc Zyngier <marc.zyngier@arm.com>,
- Christoffer Dall <christoffer.dall@linaro.org>
-Date: Thu, 14 Dec 2017 17:40:50 -0800
-
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-
-Reported by syzkaller:
-
-  BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
-  Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
-
-  CPU: 6 PID: 32298 Comm: syz-executor Tainted: G           OE    4.15.0-rc2+ #18
-  Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
-  Call Trace:
-   dump_stack+0xab/0xe1
-   print_address_description+0x6b/0x290
-   kasan_report+0x28a/0x370
-   write_mmio+0x11e/0x270 [kvm]
-   emulator_read_write_onepage+0x311/0x600 [kvm]
-   emulator_read_write+0xef/0x240 [kvm]
-   emulator_fix_hypercall+0x105/0x150 [kvm]
-   em_hypercall+0x2b/0x80 [kvm]
-   x86_emulate_insn+0x2b1/0x1640 [kvm]
-   x86_emulate_instruction+0x39a/0xb90 [kvm]
-   handle_exception+0x1b4/0x4d0 [kvm_intel]
-   vcpu_enter_guest+0x15a0/0x2640 [kvm]
-   kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
-   kvm_vcpu_ioctl+0x479/0x880 [kvm]
-   do_vfs_ioctl+0x142/0x9a0
-   SyS_ioctl+0x74/0x80
-   entry_SYSCALL_64_fastpath+0x23/0x9a
-
-The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
-to the guest memory, however, write_mmio tracepoint always prints 8 bytes
-through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
-can result in stack-out-of-bounds read due to access the extra 5 bytes.
-This patch fixes it by just accessing the bytes which we operates on.
-
-Before patch:
-
-syz-executor-5567  [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
-
-After patch:
-
-syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Cc: Marc Zyngier <marc.zyngier@arm.com>
-Cc: Christoffer Dall <christoffer.dall@linaro.org>
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
-Tested-by: Marc Zyngier <marc.zyngier@arm.com>
----
-v3 -> v4:
- * fix the arm tracepoint
-v2 -> v3:
- * fix sparse warning
-v1 -> v2:
- * do the memcpy in kvm_mmio tracepoint
-
- arch/x86/kvm/x86.c         | 8 ++++----
- include/trace/events/kvm.h | 6 ++++--
- virt/kvm/arm/mmio.c        | 6 +++---
- 3 files changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 0f82e2c..c7071e7 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4456,7 +4456,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
- 					 addr, n, v))
- 		    && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
- 			break;
--		trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
-+		trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
- 		handled += n;
- 		addr += n;
- 		len -= n;
-@@ -4715,7 +4715,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
- {
- 	if (vcpu->mmio_read_completed) {
- 		trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
--			       vcpu->mmio_fragments[0].gpa, *(u64 *)val);
-+			       vcpu->mmio_fragments[0].gpa, val);
- 		vcpu->mmio_read_completed = 0;
- 		return 1;
- 	}
-@@ -4737,14 +4737,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
- 
- static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
- {
--	trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
-+	trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
- 	return vcpu_mmio_write(vcpu, gpa, bytes, val);
- }
- 
- static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
- 			  void *val, int bytes)
- {
--	trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
-+	trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
- 	return X86EMUL_IO_NEEDED;
- }
- 
-diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
-index e4b0b8e..dfd2170 100644
---- a/include/trace/events/kvm.h
-+++ b/include/trace/events/kvm.h
-@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
- 	{ KVM_TRACE_MMIO_WRITE, "write" }
- 
- TRACE_EVENT(kvm_mmio,
--	TP_PROTO(int type, int len, u64 gpa, u64 val),
-+	TP_PROTO(int type, int len, u64 gpa, void *val),
- 	TP_ARGS(type, len, gpa, val),
- 
- 	TP_STRUCT__entry(
-@@ -225,7 +225,9 @@ TRACE_EVENT(kvm_mmio,
- 		__entry->type		= type;
- 		__entry->len		= len;
- 		__entry->gpa		= gpa;
--		__entry->val		= val;
-+		__entry->val = 0;
-+		if (val)
-+			memcpy(&__entry->val, val, min(8, len));
- 	),
- 
- 	TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
-diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
-index b6e715f..dac7ceb 100644
---- a/virt/kvm/arm/mmio.c
-+++ b/virt/kvm/arm/mmio.c
-@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
- 		}
- 
- 		trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
--			       data);
-+			       &data);
- 		data = vcpu_data_host_to_guest(vcpu, data, len);
- 		vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
- 	}
-@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
- 		data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
- 					       len);
- 
--		trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
-+		trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
- 		kvm_mmio_write_buf(data_buf, len, data);
- 
- 		ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
- 				       data_buf);
- 	} else {
- 		trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
--			       fault_ipa, 0);
-+			       fault_ipa, NULL);
- 
- 		ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
- 				      data_buf);
-From patchwork Mon Dec 18 11:55:05 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [v4] KVM: Fix stack-out-of-bounds read in write_mmio
-From: Paolo Bonzini <pbonzini@redhat.com>
-X-Patchwork-Id: 10118879
-Message-Id: <17d27b8d-908b-a740-1d2d-e92a8507f25b@redhat.com>
-To: Marc Zyngier <marc.zyngier@arm.com>,
- Wanpeng Li <kernellwp@gmail.com>, linux-kernel@vger.kernel.org,
- kvm@vger.kernel.org
-Cc: =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
- Wanpeng Li <wanpeng.li@hotmail.com>,
- Christoffer Dall <christoffer.dall@linaro.org>
-Date: Mon, 18 Dec 2017 12:55:05 +0100
-
-On 15/12/2017 12:06, Marc Zyngier wrote:
-> Assuming you address the above:
-> 
-> Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
-> Tested-by: Marc Zyngier <marc.zyngier@arm.com>
-
-Done as follows:
-
-
-Thanks,
-
-Paolo
-
-diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
-index dfd21708694f..0a016bd14c2d 100644
---- a/include/trace/events/kvm.h
-+++ b/include/trace/events/kvm.h
-@@ -227,7 +227,8 @@
- 		__entry->gpa		= gpa;
- 		__entry->val = 0;
- 		if (val)
--			memcpy(&__entry->val, val, min(8, len));
-+			memcpy(&__entry->val, val,
-+			       min_t(u32, sizeof(__entry->val), len));
- 	),
- 
- 	TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
author	Alexandre Oliva <lxoliva@fsfla.org>	2018-01-20 09:23:18 +0000
committer	Alexandre Oliva <lxoliva@fsfla.org>	2018-01-20 09:23:18 +0000
commit	b925f623020d921032ce2fc09af8752b3bc469d3 (patch)
tree	54243499f699943cbdbb0c56e8db5f78713f6f7f
parent	7a38fe51191195b46183dd0588983d1d6a9d6dc7 (diff)
download	linux-libre-raptor-b925f623020d921032ce2fc09af8752b3bc469d3.tar.gz linux-libre-raptor-b925f623020d921032ce2fc09af8752b3bc469d3.zip