--- /dev/null
+From ac237c28d5ac1b241d58b1b7b4b9fa10efb22fb5 Mon Sep 17 00:00:00 2001
+From: Alex Stanoev <alex@astanoev.com>
+Date: Sun, 28 Oct 2018 16:55:12 +0000
+Subject: ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
+
+From: Alex Stanoev <alex@astanoev.com>
+
+commit ac237c28d5ac1b241d58b1b7b4b9fa10efb22fb5 upstream.
+
+The Creative Audigy SE (SB0570) card currently exhibits an audible pop
+whenever playback is stopped or resumed, or during silent periods of an
+audio stream. Initialise the IZD bit to the 0 to eliminate these pops.
+
+The Infinite Zero Detection (IZD) feature on the DAC causes the output
+to be shunted to Vcap after 2048 samples of silence. This discharges the
+AC coupling capacitor through the output and causes the aforementioned
+pop/click noise.
+
+The behaviour of the IZD bit is described on page 15 of the WM8768GEDS
+datasheet: "With IZD=1, applying MUTE for 1024 consecutive input samples
+will cause all outputs to be connected directly to VCAP. This also
+happens if 2048 consecutive zero input samples are applied to all 6
+channels, and IZD=0. It will be removed as soon as any channel receives
+a non-zero input". I believe the second sentence might be referring to
+IZD=1 instead of IZD=0 given the observed behaviour of the card.
+
+This change should make the DAC initialisation consistent with
+Creative's Windows driver, as this popping persists when initialising
+the card in Linux and soft rebooting into Windows, but is not present on
+a cold boot to Windows.
+
+Signed-off-by: Alex Stanoev <alex@astanoev.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/ca0106/ca0106.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/ca0106/ca0106.h
++++ b/sound/pci/ca0106/ca0106.h
+@@ -582,7 +582,7 @@
+ #define SPI_PL_BIT_R_R (2<<7) /* right channel = right */
+ #define SPI_PL_BIT_R_C (3<<7) /* right channel = (L+R)/2 */
+ #define SPI_IZD_REG 2
+-#define SPI_IZD_BIT (1<<4) /* infinite zero detect */
++#define SPI_IZD_BIT (0<<4) /* infinite zero detect */
+
+ #define SPI_FMT_REG 3
+ #define SPI_FMT_BIT_RJ (0<<0) /* right justified mode */
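Review bot: Redefining `SPI_IZD_BIT` as `(0<<4)` turns the macro into a constant zero, so any site that ORs it in, masks it out or tests it now silently does nothing, and the name no longer identifies bit 4 of register 2. Keeping the definition at `(1<<4)` and leaving it out of the DAC initialisation value would express the same intent without changing what the macro means; the users of the macro are outside this hunk, so that needs checking there. If the define stays as it is, the comment should say why, e.g. `/* infinite zero detect: left at 0, IZD=1 causes pops on SB0570 */`.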
--- /dev/null
+From e7bb6ad5685f05685dd8a6a5eda7bfcd14d5f95b Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Thu, 11 Oct 2018 15:49:17 -0400
+Subject: ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit e7bb6ad5685f05685dd8a6a5eda7bfcd14d5f95b upstream.
+
+The Lenovo G50-30, like other G50 models, has a Conexant codec that
+requires a quirk for its inverted stereo dmic.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1249364
+Reported-by: Alexander Ploumistos <alex.ploumistos@gmail.com>
+Tested-by: Alexander Ploumistos <alex.ploumistos@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -867,6 +867,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
++ SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
--- /dev/null
+From 11ba6111160290ccd35562f4e05cec08942a6c4c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 7 Oct 2018 09:44:17 +0200
+Subject: ALSA: hda - Add quirk for ASUS G751 laptop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 11ba6111160290ccd35562f4e05cec08942a6c4c upstream.
+
+ASUS G751 requires the extra COEF initialization to make it microphone
+working properly.
+
+Reported-and-tested-by: Håvard <hovardslill@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6811,6 +6811,7 @@ enum {
+ ALC662_FIXUP_ASUS_Nx50,
+ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ ALC668_FIXUP_ASUS_Nx51,
++ ALC668_FIXUP_ASUS_G751,
+ ALC891_FIXUP_HEADSET_MODE,
+ ALC891_FIXUP_DELL_MIC_NO_PRESENCE,
+ ALC662_FIXUP_ACER_VERITON,
+@@ -7077,6 +7078,14 @@ static const struct hda_fixup alc662_fix
+ .chained = true,
+ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ },
++ [ALC668_FIXUP_ASUS_G751] = {
++ .type = HDA_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0xc3 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x4000 },
++ {}
++ },
++ },
+ [ALC891_FIXUP_HEADSET_MODE] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_mode,
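Review bot: The coefficient write in the new `ALC668_FIXUP_ASUS_G751` entry (index `0xc3`, value `0x4000` on NID 0x20) carries no comment, so nothing in the table says which setting it changes or why this machine needs it. A short comment above the verbs, such as `/* extra COEF init required for the microphone on ASUS G751 */`, would record what the commit message states. If the meaning of bit 14 in COEF 0xc3 is known from the codec documentation, naming it would help whoever next chains to this fixup.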
+@@ -7132,6 +7141,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50),
+ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
+ SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50),
++ SND_PCI_QUIRK(0x1043, 0x12ff, "ASUS G751", ALC668_FIXUP_ASUS_G751),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
+ SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
+ SND_PCI_QUIRK(0x1043, 0x177d, "ASUS N551", ALC668_FIXUP_ASUS_Nx51),
--- /dev/null
+From 5b7c5e1f4c36b99d0f694f38b9ad910f520cb7ef Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Oct 2018 14:20:17 +0200
+Subject: ALSA: hda - Fix headphone pin config for ASUS G751
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 5b7c5e1f4c36b99d0f694f38b9ad910f520cb7ef upstream.
+
+BIOS on ASUS G751 doesn't seem to map the headphone pin (NID 0x16)
+correctly. Add a quirk to address it, as well as chaining to the
+previous fix for the microphone.
+
+Reported-by: Håvard <hovardslill@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6811,6 +6811,7 @@ enum {
+ ALC662_FIXUP_ASUS_Nx50,
+ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ ALC668_FIXUP_ASUS_Nx51,
++ ALC668_FIXUP_MIC_COEF,
+ ALC668_FIXUP_ASUS_G751,
+ ALC891_FIXUP_HEADSET_MODE,
+ ALC891_FIXUP_DELL_MIC_NO_PRESENCE,
+@@ -7078,7 +7079,7 @@ static const struct hda_fixup alc662_fix
+ .chained = true,
+ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
+ },
+- [ALC668_FIXUP_ASUS_G751] = {
++ [ALC668_FIXUP_MIC_COEF] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+ { 0x20, AC_VERB_SET_COEF_INDEX, 0xc3 },
+@@ -7086,6 +7087,15 @@ static const struct hda_fixup alc662_fix
+ {}
+ },
+ },
++ [ALC668_FIXUP_ASUS_G751] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x16, 0x0421101f }, /* HP */
++ {}
++ },
++ .chained = true,
++ .chain_id = ALC668_FIXUP_MIC_COEF
++ },
+ [ALC891_FIXUP_HEADSET_MODE] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_mode,
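Review bot: The last initialiser of the new `ALC668_FIXUP_ASUS_G751` entry, `.chain_id = ALC668_FIXUP_MIC_COEF`, has no trailing comma, unlike the neighbouring entry's `.chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,`. Writing `.chain_id = ALC668_FIXUP_MIC_COEF,` keeps the table uniform and keeps a later added field to a one-line diff. The pin default `0x0421101f` is annotated only as `/* HP */`; a few words on what the BIOS value gets wrong for NID 0x16 would make the override easier to audit.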
--- /dev/null
+From 1138b6718ff74d2a934459643e3754423d23b5e2 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Sat, 6 Oct 2018 13:11:30 -0400
+Subject: parisc: Fix address in HPMC IVA
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 1138b6718ff74d2a934459643e3754423d23b5e2 upstream.
+
+Helge noticed that the address of the os_hpmc handler was not being
+correctly calculated in the hpmc macro. As a result, PDCE_CHECK would
+fail to call os_hpmc:
+
+<Cpu2> e800009802e00000 0000000000000000 CC_ERR_CHECK_HPMC
+<Cpu2> 37000f7302e00000 8040004000000000 CC_ERR_CPU_CHECK_SUMMARY
+<Cpu2> f600105e02e00000 fffffff0f0c00000 CC_MC_HPMC_MONARCH_SELECTED
+<Cpu2> 140003b202e00000 000000000000000b CC_ERR_HPMC_STATE_ENTRY
+<Cpu2> 5600100b02e00000 00000000000001a0 CC_MC_OS_HPMC_LEN_ERR
+<Cpu2> 5600106402e00000 fffffff0f0438e70 CC_MC_BR_TO_OS_HPMC_FAILED
+<Cpu2> e800009802e00000 0000000000000000 CC_ERR_CHECK_HPMC
+<Cpu2> 37000f7302e00000 8040004000000000 CC_ERR_CPU_CHECK_SUMMARY
+<Cpu2> 4000109f02e00000 0000000000000000 CC_MC_HPMC_INITIATED
+<Cpu2> 4000101902e00000 0000000000000000 CC_MC_MULTIPLE_HPMCS
+<Cpu2> 030010d502e00000 0000000000000000 CC_CPU_STOP
+
+The address problem can be seen by dumping the fault vector:
+
+0000000040159000 <fault_vector_20>:
+ 40159000: 63 6f 77 73 stb r15,-2447(dp)
+ 40159004: 20 63 61 6e ldil L%b747000,r3
+ 40159008: 20 66 6c 79 ldil L%-1c3b3000,r3
+ ...
+ 40159020: 08 00 02 40 nop
+ 40159024: 20 6e 60 02 ldil L%15d000,r3
+ 40159028: 34 63 00 00 ldo 0(r3),r3
+ 4015902c: e8 60 c0 02 bv,n r0(r3)
+ 40159030: 08 00 02 40 nop
+ 40159034: 00 00 00 00 break 0,0
+ 40159038: c0 00 70 00 bb,*< r0,sar,40159840 <fault_vector_20+0x840>
+ 4015903c: 00 00 00 00 break 0,0
+
+Location 40159038 should contain the physical address of os_hpmc:
+
+000000004015d000 <os_hpmc>:
+ 4015d000: 08 1a 02 43 copy r26,r3
+ 4015d004: 01 c0 08 a4 mfctl iva,r4
+ 4015d008: 48 85 00 68 ldw 34(r4),r5
+
+This patch moves the address setup into initialize_ivt to resolve the
+above problem. I tested the change by dumping the HPMC entry after setup:
+
+0000000040209020: 8000240
+0000000040209024: 206a2004
+0000000040209028: 34630ac0
+000000004020902c: e860c002
+0000000040209030: 8000240
+0000000040209034: 1bdddce6
+0000000040209038: 15d000
+000000004020903c: 1a0
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/entry.S | 2 +-
+ arch/parisc/kernel/traps.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -185,7 +185,7 @@
+ bv,n 0(%r3)
+ nop
+ .word 0 /* checksum (will be patched) */
+- .word PA(os_hpmc) /* address of handler */
++ .word 0 /* address of handler */
+ .word 0 /* length of handler */
+ .endm
+
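Review bot: The handler-address word is now emitted as `0`, but its comment does not say that the value is supplied later, whereas the checksum line above it is marked `(will be patched)`. Marking the slot the same way, `.word 0 /* address of handler (set in initialize_ivt) */`, tells a reader of a fault-vector dump that a zero here before setup is expected. The macro begins outside this hunk.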
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -826,7 +826,8 @@ void __init initialize_ivt(const void *i
+ for (i = 0; i < 8; i++)
+ *ivap++ = 0;
+
+- /* Compute Checksum for HPMC handler */
++ /* Setup IVA and compute checksum for HPMC handler */
++ ivap[6] = (u32)__pa(os_hpmc);
+ length = os_hpmc_size;
+ ivap[7] = length;
+
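Review bot: `ivap[6] = (u32)__pa(os_hpmc);` narrows the physical address to 32 bits without any check, and the indices 6 and 7 are bare numbers that have to match the `.word` layout of the hpmc macro in entry.S. If the kernel image could ever sit above 4 GB on a 64-bit build, the handler address would be silently truncated; whether that can happen is not visible here. A comment naming the slots, e.g. `/* words 6 and 7 of the HPMC entry: handler address and length, see the hpmc macro in entry.S */`, plus a sanity check on the upper bits would make the assumption explicit. initialize_ivt() starts and ends outside this hunk.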
--- /dev/null
+From 3c229b3f2dd8133f61bb81d3cb018be92f4bba39 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 12 Oct 2018 22:37:46 +0200
+Subject: parisc: Fix map_pages() to not overwrite existing pte entries
+
+From: Helge Deller <deller@gmx.de>
+
+commit 3c229b3f2dd8133f61bb81d3cb018be92f4bba39 upstream.
+
+Fix a long-existing small nasty bug in the map_pages() implementation which
+leads to overwriting already written pte entries with zero, *if* map_pages() is
+called a second time with an end address which isn't aligned on a pmd boundry.
+This happens for example if we want to remap only the text segment read/write
+in order to run alternative patching on the code. Exiting the loop when we
+reach the end address fixes this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/mm/init.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -491,12 +491,8 @@ static void __init map_pages(unsigned lo
+ pte = pte_mkhuge(pte);
+ }
+
+- if (address >= end_paddr) {
+- if (force)
+- break;
+- else
+- pte_val(pte) = 0;
+- }
++ if (address >= end_paddr)
++ break;
+
+ set_pte(pg_table, pte);
+
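Review bot: The new `if (address >= end_paddr) break;` leaves only the innermost loop, so the fix relies on the enclosing loops, which are outside this hunk, also stopping at `end_paddr` rather than continuing with the next pmd. A comment at the check would keep the reason from being lost: `/* stop at end_paddr: entries beyond it may already be mapped by an earlier call and must not be cleared */`. It is also worth confirming that `force` is still used elsewhere in map_pages(), since the removed branch was one of its consumers.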
pcmcia-implement-clkrun-protocol-disabling-for-ricoh-bridges.patch
acpica-aml-interpreter-add-region-addresses-in-global-list-during-initialization.patch
ipmi-fix-timer-race-with-module-unload.patch
+parisc-fix-address-in-hpmc-iva.patch
+parisc-fix-map_pages-to-not-overwrite-existing-pte-entries.patch
+alsa-hda-add-quirk-for-asus-g751-laptop.patch
+alsa-hda-fix-headphone-pin-config-for-asus-g751.patch
+alsa-hda-add-mic-quirk-for-the-lenovo-g50-30-17aa-3905.patch
+alsa-ca0106-disable-izd-on-sb0570-dac-to-fix-audio-pops.patch
+x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch
+x86-corruption-check-fix-panic-in-memory_corruption_check-when-boot-option-without-value-is-provided.patch
+x86-speculation-support-enhanced-ibrs-on-future-cpus.patch
--- /dev/null
+From ccde460b9ae5c2bd5e4742af0a7f623c2daad566 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Tue, 14 Aug 2018 23:33:42 +0800
+Subject: x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
+
+From: He Zhe <zhe.he@windriver.com>
+
+commit ccde460b9ae5c2bd5e4742af0a7f623c2daad566 upstream.
+
+memory_corruption_check[{_period|_size}]()'s handlers do not check input
+argument before passing it to kstrtoul() or simple_strtoull(). The argument
+would be a NULL pointer if each of the kernel parameters, without its
+value, is set in command line and thus cause the following panic.
+
+PANIC: early exception 0xe3 IP 10:ffffffff73587c22 error 0 cr2 0x0
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #2
+[ 0.000000] RIP: 0010:kstrtoull+0x2/0x10
+...
+[ 0.000000] Call Trace
+[ 0.000000] ? set_corruption_check+0x21/0x49
+[ 0.000000] ? do_early_param+0x4d/0x82
+[ 0.000000] ? parse_args+0x212/0x330
+[ 0.000000] ? rdinit_setup+0x26/0x26
+[ 0.000000] ? parse_early_options+0x20/0x23
+[ 0.000000] ? rdinit_setup+0x26/0x26
+[ 0.000000] ? parse_early_param+0x2d/0x39
+[ 0.000000] ? setup_arch+0x2f7/0xbf4
+[ 0.000000] ? start_kernel+0x5e/0x4c2
+[ 0.000000] ? load_ucode_bsp+0x113/0x12f
+[ 0.000000] ? secondary_startup_64+0xa5/0xb0
+
+This patch adds checks to prevent the panic.
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: gregkh@linuxfoundation.org
+Cc: kstewart@linuxfoundation.org
+Cc: pombredanne@nexb.com
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1534260823-87917-1-git-send-email-zhe.he@windriver.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/check.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/x86/kernel/check.c
++++ b/arch/x86/kernel/check.c
+@@ -30,6 +30,11 @@ static __init int set_corruption_check(c
+ ssize_t ret;
+ unsigned long val;
+
++ if (!arg) {
++ pr_err("memory_corruption_check config string not provided\n");
++ return -EINVAL;
++ }
++
+ ret = kstrtoul(arg, 10, &val);
+ if (ret)
+ return ret;
+@@ -44,6 +49,11 @@ static __init int set_corruption_check_p
+ ssize_t ret;
+ unsigned long val;
+
++ if (!arg) {
++ pr_err("memory_corruption_check_period config string not provided\n");
++ return -EINVAL;
++ }
++
+ ret = kstrtoul(arg, 10, &val);
+ if (ret)
+ return ret;
+@@ -58,6 +68,11 @@ static __init int set_corruption_check_s
+ char *end;
+ unsigned size;
+
++ if (!arg) {
++ pr_err("memory_corruption_check_size config string not provided\n");
++ return -EINVAL;
++ }
++
+ size = memparse(arg, &end);
+
+ if (*end == '\0')
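Review bot: The added `!arg` guard in set_corruption_check_size() rejects a missing value but not an empty one: with `memory_corruption_check_size=` on the command line `arg` is presumably an empty string, memparse() consumes nothing, and the `*end == '\0'` test on the following line then accepts a size of 0. Extending the guard to `if (!arg || !*arg) {` would reject that case as well; what the function does with the parsed size lies outside the hunk. The same guard is repeated in the two earlier hunks of this file, where kstrtoul() already rejects an empty string, so only this handler needs the extra test.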
--- /dev/null
+From 53c613fe6349994f023245519265999eed75957f Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 25 Sep 2018 14:38:55 +0200
+Subject: x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 53c613fe6349994f023245519265999eed75957f upstream.
+
+STIBP is a feature provided by certain Intel ucodes / CPUs. This feature
+(once enabled) prevents cross-hyperthread control of decisions made by
+indirect branch predictors.
+
+Enable this feature if
+
+- the CPU is vulnerable to spectre v2
+- the CPU supports SMT and has SMT siblings online
+- spectre_v2 mitigation autoselection is enabled (default)
+
+After some previous discussion, this leaves STIBP on all the time, as wrmsr
+on crossing kernel boundary is a no-no. This could perhaps later be a bit
+more optimized (like disabling it in NOHZ, experiment with disabling it in
+idle, etc) if needed.
+
+Note that the synchronization of the mask manipulation via newly added
+spec_ctrl_mutex is currently not strictly needed, as the only updater is
+already being serialized by cpu_add_remove_lock, but let's make this a
+little bit more future-proof.
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "WoodhouseDavid" <dwmw@amazon.co.uk>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: "SchauflerCasey" <casey.schaufler@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251438240.15880@cbobk.fhfr.pm
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/bugs.c | 57 ++++++++++++++++++++++++++++++++++++++++-----
+ kernel/cpu.c | 11 +++++++-
+ 2 files changed, 61 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -33,12 +33,10 @@ static void __init spectre_v2_select_mit
+ static void __init ssb_select_mitigation(void);
+ static void __init l1tf_select_mitigation(void);
+
+-/*
+- * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
+- * writes to SPEC_CTRL contain whatever reserved bits have been set.
+- */
+-u64 __ro_after_init x86_spec_ctrl_base;
++/* The base value of the SPEC_CTRL MSR that always has to be preserved. */
++u64 x86_spec_ctrl_base;
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
++static DEFINE_MUTEX(spec_ctrl_mutex);
+
+ /*
+ * The vendor and possibly platform specific bits which can be modified in
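Review bot: Dropping `__ro_after_init` leaves the exported `x86_spec_ctrl_base` writable for the whole lifetime of the kernel, and the replacement comment no longer says that the value was read from the MSR at boot to preserve reserved bits, nor that it can now change at runtime. Since the MSR write added by this patch takes its value from this variable, the comment should state the new rule, e.g. `/* Boot-time SPEC_CTRL value incl. reserved bits; STIBP is toggled at runtime by arch_smt_update() under spec_ctrl_mutex */`. Other readers of the variable are outside this hunk and take no lock, so it is worth checking that they tolerate a concurrent update.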
+@@ -321,6 +319,46 @@ static enum spectre_v2_mitigation_cmd __
+ return cmd;
+ }
+
++static bool stibp_needed(void)
++{
++ if (spectre_v2_enabled == SPECTRE_V2_NONE)
++ return false;
++
++ if (!boot_cpu_has(X86_FEATURE_STIBP))
++ return false;
++
++ return true;
++}
++
++static void update_stibp_msr(void *info)
++{
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
++}
++
++void arch_smt_update(void)
++{
++ u64 mask;
++
++ if (!stibp_needed())
++ return;
++
++ mutex_lock(&spec_ctrl_mutex);
++ mask = x86_spec_ctrl_base;
++ if (cpu_smt_control == CPU_SMT_ENABLED)
++ mask |= SPEC_CTRL_STIBP;
++ else
++ mask &= ~SPEC_CTRL_STIBP;
++
++ if (mask != x86_spec_ctrl_base) {
++ pr_info("Spectre v2 cross-process SMT mitigation: %s STIBP\n",
++ cpu_smt_control == CPU_SMT_ENABLED ?
++ "Enabling" : "Disabling");
++ x86_spec_ctrl_base = mask;
++ on_each_cpu(update_stibp_msr, NULL, 1);
++ }
++ mutex_unlock(&spec_ctrl_mutex);
++}
++
+ static void __init spectre_v2_select_mitigation(void)
+ {
+ enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
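Review bot: arch_smt_update() has no comment on its calling context, although it sleeps on `spec_ctrl_mutex` and sends a synchronous IPI through `on_each_cpu(update_stibp_msr, NULL, 1)`, so it can only be called from process context with interrupts enabled. A header comment saying so, and that the hotplug callers are serialized by cpu_add_remove_lock as the commit message notes, would keep a later caller from invoking it in atomic context. `on_each_cpu()` reaches only the CPUs online at that moment; siblings brought up afterwards have to load `x86_spec_ctrl_base` in their own bring-up path, which is not visible in this hunk and should be confirmed. The log text says "cross-process" while the commit subject says cross-hyperthread; one term should be used.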
+@@ -405,6 +443,9 @@ retpoline_auto:
+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
+ pr_info("Enabling Restricted Speculation for firmware calls\n");
+ }
++
++ /* Enable STIBP if appropriate */
++ arch_smt_update();
+ }
+
+ #undef pr_fmt
+@@ -797,6 +838,8 @@ static ssize_t l1tf_show_state(char *buf
+ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
+ char *buf, unsigned int bug)
+ {
++ int ret;
++
+ if (!boot_cpu_has_bug(bug))
+ return sprintf(buf, "Not affected\n");
+
+@@ -811,10 +854,12 @@ static ssize_t cpu_show_common(struct de
+ return sprintf(buf, "Mitigation: __user pointer sanitization\n");
+
+ case X86_BUG_SPECTRE_V2:
+- return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
++ ret = sprintf(buf, "%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
++ (x86_spec_ctrl_base & SPEC_CTRL_STIBP) ? ", STIBP" : "",
+ spectre_v2_module_string());
++ return ret;
+
+ case X86_BUG_SPEC_STORE_BYPASS:
+ return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
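Review bot: The new local `ret` in cpu_show_common() is assigned once and returned on the next line, so it adds nothing over the `return sprintf(...)` form that the other cases visible in this switch use. Keeping `return sprintf(buf, "%s%s%s%s%s\n", ...)` and dropping the `int ret;` declaration added in the previous hunk would keep the function uniform. The STIBP flag is read from `x86_spec_ctrl_base` without `spec_ctrl_mutex`; that looks harmless for a status string but deserves a one-line comment.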
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1970,6 +1970,12 @@ static void cpuhp_online_cpu_device(unsi
+ kobject_uevent(&dev->kobj, KOBJ_ONLINE);
+ }
+
++/*
++ * Architectures that need SMT-specific errata handling during SMT hotplug
++ * should override this.
++ */
++void __weak arch_smt_update(void) { };
++
+ static int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
+ {
+ int cpu, ret = 0;
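Review bot: The weak default is written `void __weak arch_smt_update(void) { };`, with a stray semicolon after the function body; it should read `void __weak arch_smt_update(void) { }`. No prototype for arch_smt_update() is added in either file of this patch, so unless a header outside this diff declares it, the x86 definition in bugs.c and this default are not checked against a common declaration.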
+@@ -1996,8 +2002,10 @@ static int cpuhp_smt_disable(enum cpuhp_
+ */
+ cpuhp_offline_cpu_device(cpu);
+ }
+- if (!ret)
++ if (!ret) {
+ cpu_smt_control = ctrlval;
++ arch_smt_update();
++ }
+ cpu_maps_update_done();
+ return ret;
+ }
+@@ -2008,6 +2016,7 @@ static int cpuhp_smt_enable(void)
+
+ cpu_maps_update_begin();
+ cpu_smt_control = CPU_SMT_ENABLED;
++ arch_smt_update();
+ for_each_present_cpu(cpu) {
+ /* Skip online CPUs and CPUs on offline nodes */
+ if (cpu_online(cpu) || !node_online(cpu_to_node(cpu)))
--- /dev/null
+From 706d51681d636a0c4a5ef53395ec3b803e45ed4d Mon Sep 17 00:00:00 2001
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+Date: Wed, 1 Aug 2018 11:42:25 -0700
+Subject: x86/speculation: Support Enhanced IBRS on future CPUs
+
+From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
+
+commit 706d51681d636a0c4a5ef53395ec3b803e45ed4d upstream.
+
+Future Intel processors will support "Enhanced IBRS" which is an "always
+on" mode i.e. IBRS bit in SPEC_CTRL MSR is enabled once and never
+disabled.
+
+From the specification [1]:
+
+ "With enhanced IBRS, the predicted targets of indirect branches
+ executed cannot be controlled by software that was executed in a less
+ privileged predictor mode or on another logical processor. As a
+ result, software operating on a processor with enhanced IBRS need not
+ use WRMSR to set IA32_SPEC_CTRL.IBRS after every transition to a more
+ privileged predictor mode. Software can isolate predictor modes
+ effectively simply by setting the bit once. Software need not disable
+ enhanced IBRS prior to entering a sleep state such as MWAIT or HLT."
+
+If Enhanced IBRS is supported by the processor then use it as the
+preferred spectre v2 mitigation mechanism instead of Retpoline. Intel's
+Retpoline white paper [2] states:
+
+ "Retpoline is known to be an effective branch target injection (Spectre
+ variant 2) mitigation on Intel processors belonging to family 6
+ (enumerated by the CPUID instruction) that do not have support for
+ enhanced IBRS. On processors that support enhanced IBRS, it should be
+ used for mitigation instead of retpoline."
+
+The reason why Enhanced IBRS is the recommended mitigation on processors
+which support it is that these processors also support CET which
+provides a defense against ROP attacks. Retpoline is very similar to ROP
+techniques and might trigger false positives in the CET defense.
+
+If Enhanced IBRS is selected as the mitigation technique for spectre v2,
+the IBRS bit in SPEC_CTRL MSR is set once at boot time and never
+cleared. Kernel also has to make sure that IBRS bit remains set after
+VMEXIT because the guest might have cleared the bit. This is already
+covered by the existing x86_spec_ctrl_set_guest() and
+x86_spec_ctrl_restore_host() speculation control functions.
+
+Enhanced IBRS still requires IBPB for full mitigation.
+
+[1] Speculative-Execution-Side-Channel-Mitigations.pdf
+[2] Retpoline-A-Branch-Target-Injection-Mitigation.pdf
+Both documents are available at:
+https://bugzilla.kernel.org/show_bug.cgi?id=199511
+
+Originally-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tim C Chen <tim.c.chen@intel.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Ravi Shankar <ravi.v.shankar@intel.com>
+Link: https://lkml.kernel.org/r/1533148945-24095-1-git-send-email-sai.praneeth.prakhya@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/cpufeatures.h | 1 +
+ arch/x86/include/asm/nospec-branch.h | 1 +
+ arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++--
+ arch/x86/kernel/cpu/common.c | 3 +++
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -213,6 +213,7 @@
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+ #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
++#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+
+ /* Virtualization flags: Linux defined, word 8 */
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -215,6 +215,7 @@ enum spectre_v2_mitigation {
+ SPECTRE_V2_RETPOLINE_GENERIC,
+ SPECTRE_V2_RETPOLINE_AMD,
+ SPECTRE_V2_IBRS,
++ SPECTRE_V2_IBRS_ENHANCED,
+ };
+
+ /* The Speculative Store Bypass disable variants */
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -137,6 +137,7 @@ static const char *spectre_v2_strings[]
+ [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline",
+ [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
+ [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
++ [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
+ };
+
+ #undef pr_fmt
+@@ -378,6 +379,13 @@ static void __init spectre_v2_select_mit
+
+ case SPECTRE_V2_CMD_FORCE:
+ case SPECTRE_V2_CMD_AUTO:
++ if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
++ mode = SPECTRE_V2_IBRS_ENHANCED;
++ /* Force it so VMEXIT will restore correctly */
++ x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
++ goto specv2_set_mode;
++ }
+ if (IS_ENABLED(CONFIG_RETPOLINE))
+ goto retpoline_auto;
+ break;
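Review bot: The `wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base)` in the new Enhanced IBRS branch is gated only on `X86_FEATURE_IBRS_ENHANCED`, which the common.c hunk of this patch sets from `ARCH_CAP_IBRS_ALL` alone. If a platform, for instance a hypervisor, reports that capability bit without exposing SPEC_CTRL, this becomes a write to an unimplemented MSR during early boot. Assuming `X86_FEATURE_IBRS` reflects that the MSR is present, requiring both with `if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) && boot_cpu_has(X86_FEATURE_IBRS)) {` would let that case fall through to the retpoline path. The write here runs on the boot CPU only; how secondary CPUs pick up the IBRS bit is outside this hunk.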
+@@ -415,6 +423,7 @@ retpoline_auto:
+ setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
+ }
+
++specv2_set_mode:
+ spectre_v2_enabled = mode;
+ pr_info("%s\n", spectre_v2_strings[mode]);
+
+@@ -437,9 +446,16 @@ retpoline_auto:
+
+ /*
+ * Retpoline means the kernel is safe because it has no indirect
+- * branches. But firmware isn't, so use IBRS to protect that.
++ * branches. Enhanced IBRS protects firmware too, so, enable restricted
++ * speculation around firmware calls only when Enhanced IBRS isn't
++ * supported.
++ *
++ * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
++ * the user might select retpoline on the kernel command line and if
++ * the CPU supports Enhanced IBRS, kernel might un-intentionally not
++ * enable IBRS around firmware calls.
+ */
+- if (boot_cpu_has(X86_FEATURE_IBRS)) {
++ if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
+ pr_info("Enabling Restricted Speculation for firmware calls\n");
+ }
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -959,6 +959,9 @@ static void __init cpu_set_bug_bits(stru
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+
++ if (ia32_cap & ARCH_CAP_IBRS_ALL)
++ setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
++
+ if (x86_match_cpu(cpu_no_meltdown))
+ return;
+