From af6fbf7683f430273fe3fd53d5c7ca701aea58fe Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 8 Feb 2018 18:24:01 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
	x86-microcode-amd-do-not-load-when-running-on-a-hypervisor.patch
	x86-microcode-do-the-family-check-first.patch
---
 queue-4.4/series                              |   2 +
 ...ot-load-when-running-on-a-hypervisor.patch | 103 ++++++++++++++++++
 ...-microcode-do-the-family-check-first.patch |  92 ++++++++++++++++
 3 files changed, 197 insertions(+)
 create mode 100644 queue-4.4/x86-microcode-amd-do-not-load-when-running-on-a-hypervisor.patch
 create mode 100644 queue-4.4/x86-microcode-do-the-family-check-first.patch

diff --git a/queue-4.4/series b/queue-4.4/series
index 02b0d530269..9bda97cc5c3 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -34,3 +34,5 @@ media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.pa
 keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch
 don-t-put-symlink-bodies-in-pagecache-into-highmem.patch
 crypto-tcrypt-fix-s-g-table-for-test_aead_speed.patch
+x86-microcode-amd-do-not-load-when-running-on-a-hypervisor.patch
+x86-microcode-do-the-family-check-first.patch
diff --git a/queue-4.4/x86-microcode-amd-do-not-load-when-running-on-a-hypervisor.patch b/queue-4.4/x86-microcode-amd-do-not-load-when-running-on-a-hypervisor.patch
new file mode 100644
index 00000000000..bf133875158
--- /dev/null
+++ b/queue-4.4/x86-microcode-amd-do-not-load-when-running-on-a-hypervisor.patch
@@ -0,0 +1,103 @@
+From a15a753539eca8ba243d576f02e7ca9c4b7d7042 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Sun, 18 Dec 2016 17:44:13 +0100
+Subject: x86/microcode/AMD: Do not load when running on a hypervisor
+
+From: Borislav Petkov <bp@suse.de>
+
+commit a15a753539eca8ba243d576f02e7ca9c4b7d7042 upstream with minor
+adjustments.
+
+Doing so is completely void of sense for multiple reasons so prevent
+it. Set dis_ucode_ldr to true and thus disable the microcode loader by
+default to address xen pv guests which execute the AP path but not the
+BSP path.
+
+By having it turned off by default, the APs won't run into the loader
+either.
+
+Also, check CPUID(1).ECX[31] which hypervisors set. Well almost, not the
+xen pv one. That one gets the aforementioned "fix".
+
+Also, improve the detection method by caching the final decision whether
+to continue loading in dis_ucode_ldr and do it once on the BSP. The APs
+then simply test that value.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: Juergen Gross <jgross@suse.com>
+Tested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Acked-by: Juergen Gross <jgross@suse.com>
+Link: http://lkml.kernel.org/r/20161218164414.9649-4-bp@alien8.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/microcode/core.c |   28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -44,7 +44,7 @@
+ 
+ static struct microcode_ops	*microcode_ops;
+ 
+-static bool dis_ucode_ldr;
++static bool dis_ucode_ldr = true;
+ 
+ static int __init disable_loader(char *str)
+ {
+@@ -81,6 +81,7 @@ struct cpu_info_ctx {
+ 
+ static bool __init check_loader_disabled_bsp(void)
+ {
++	u32 a, b, c, d;
+ #ifdef CONFIG_X86_32
+ 	const char *cmdline = (const char *)__pa_nodebug(boot_command_line);
+ 	const char *opt	    = "dis_ucode_ldr";
+@@ -93,8 +94,23 @@ static bool __init check_loader_disabled
+ 	bool *res = &dis_ucode_ldr;
+ #endif
+ 
+-	if (cmdline_find_option_bool(cmdline, option))
+-		*res = true;
++	if (!have_cpuid_p())
++		return *res;
++
++	a = 1;
++	c = 0;
++	native_cpuid(&a, &b, &c, &d);
++
++	/*
++	 * CPUID(1).ECX[31]: reserved for hypervisor use. This is still not
++	 * completely accurate as xen pv guests don't see that CPUID bit set but
++	 * that's good enough as they don't land on the BSP path anyway.
++	 */
++	if (c & BIT(31))
++		return *res;
++
++	if (cmdline_find_option_bool(cmdline, option) <= 0)
++		*res = false;
+ 
+ 	return *res;
+ }
+@@ -126,9 +142,6 @@ void __init load_ucode_bsp(void)
+ 	if (check_loader_disabled_bsp())
+ 		return;
+ 
+-	if (!have_cpuid_p())
+-		return;
+-
+ 	vendor = x86_vendor();
+ 	family = x86_family();
+ 
+@@ -162,9 +175,6 @@ void load_ucode_ap(void)
+ 	if (check_loader_disabled_ap())
+ 		return;
+ 
+-	if (!have_cpuid_p())
+-		return;
+-
+ 	vendor = x86_vendor();
+ 	family = x86_family();
+ 
diff --git a/queue-4.4/x86-microcode-do-the-family-check-first.patch b/queue-4.4/x86-microcode-do-the-family-check-first.patch
new file mode 100644
index 00000000000..404077ba9fb
--- /dev/null
+++ b/queue-4.4/x86-microcode-do-the-family-check-first.patch
@@ -0,0 +1,92 @@
+From 1f161f67a272cc4f29f27934dd3f74cb657eb5c4 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Thu, 12 Oct 2017 13:23:16 +0200
+Subject: x86/microcode: Do the family check first
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 1f161f67a272cc4f29f27934dd3f74cb657eb5c4 upstream with adjustments.
+
+On CPUs like AMD's Geode, for example, we shouldn't even try to load
+microcode because they do not support the modern microcode loading
+interface.
+
+However, we do the family check *after* the other checks whether the
+loader has been disabled on the command line or whether we're running in
+a guest.
+
+So move the family checks first in order to exit early if we're being
+loaded on an unsupported family.
+
+Reported-and-tested-by: Sven Glodowski <glodi1@arcor.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org> # 4.11..
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://bugzilla.suse.com/show_bug.cgi?id=1061396
+Link: http://lkml.kernel.org/r/20171012112316.977-1-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/microcode/core.c |   27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -94,9 +94,6 @@ static bool __init check_loader_disabled
+ 	bool *res = &dis_ucode_ldr;
+ #endif
+ 
+-	if (!have_cpuid_p())
+-		return *res;
+-
+ 	a = 1;
+ 	c = 0;
+ 	native_cpuid(&a, &b, &c, &d);
+@@ -138,8 +135,9 @@ void __init load_ucode_bsp(void)
+ {
+ 	int vendor;
+ 	unsigned int family;
++	bool intel = true;
+ 
+-	if (check_loader_disabled_bsp())
++	if (!have_cpuid_p())
+ 		return;
+ 
+ 	vendor = x86_vendor();
+@@ -147,16 +145,27 @@ void __init load_ucode_bsp(void)
+ 
+ 	switch (vendor) {
+ 	case X86_VENDOR_INTEL:
+-		if (family >= 6)
+-			load_ucode_intel_bsp();
++		if (family < 6)
++			return;
+ 		break;
++
+ 	case X86_VENDOR_AMD:
+-		if (family >= 0x10)
+-			load_ucode_amd_bsp(family);
++		if (family < 0x10)
++			return;
++		intel = false;
+ 		break;
++
+ 	default:
+-		break;
++		return;
+ 	}
++
++	if (check_loader_disabled_bsp())
++		return;
++
++	if (intel)
++		load_ucode_intel_bsp();
++	else
++		load_ucode_amd_bsp(family);
+ }
+ 
+ static bool check_loader_disabled_ap(void)
-- 
2.47.2