aboutsummaryrefslogtreecommitdiffstats
path: root/common/recipes-kernel/linux/linux-yocto-4.9.21
diff options
context:
space:
mode:
authorAwais Belal <awais_belal@mentor.com>2018-11-14 14:44:19 +0500
committerAwais Belal <awais_belal@mentor.com>2018-11-14 14:44:22 +0500
commitbc139f16bfe8bc885b1505706faa9a4564c77ff2 (patch)
tree71fc44d89877e81f7b77f13db4b08980a32df2a7 /common/recipes-kernel/linux/linux-yocto-4.9.21
parent972275e4accf161f73fab3bbc7eb24fa95356e95 (diff)
downloadmeta-amd-bc139f16bfe8bc885b1505706faa9a4564c77ff2.tar.gz
meta-amd-bc139f16bfe8bc885b1505706faa9a4564c77ff2.tar.bz2
meta-amd-bc139f16bfe8bc885b1505706faa9a4564c77ff2.zip
common: drop all the 4.9 kernel metadata
None of the BSPs are currently based on the 4.9 kernel so drop the common metadata as well. Signed-off-by: Awais Belal <awais_belal@mentor.com>
Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21')
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch165
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-VMX-Expose-SSBD-properly-to-guests-4.9-supplemen.patch39
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-compile-error-without-vsyscall.patch50
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-intel_bts-perf-crashes.patch135
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-boot-Add-early-cmdline-parsing-for-options-with-.patch183
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-mm-Remove-flush_tlb-and-flush_tlb_current_task.patch105
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-paravirt-objtool-Annotate-indirect-calls.patch129
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0002-complete-e390f9a-port-for-v4.9.106.patch69
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0002-kvm-vmx-Scrub-hardware-GPRs-at-VM-exit.patch97
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-entry-64-compat-Clear-registers-for-compat-sysca.patch117
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Add-the-nopcid-boot-option-to-turn-off-PCID.patch77
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Make-flush_tlb_mm_range-more-predictable.patch83
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-module-Detect-and-skip-invalid-relocations.patch77
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-pti-Make-unpoison-of-pgd-for-trusted-boot-work-f.patch74
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch45
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-introduce-linear_-read-write-_system.patch187
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kaiser-allocate-pgd-with-order-0-when-pti-off.patch69
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kvm-svm-Setup-MCG_CAP-on-AMD-properly.patch54
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Enable-CR4.PCIDE-on-supported-systems.patch114
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Reimplement-flush_tlb_page-using-flush_tlb_mm.patch109
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-speculation-Update-Speculation-Control-microcode.patch69
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KAISER-Kernel-Address-Isolation.patch1025
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-emulator-Return-to-user-mode-on-L1-CPL-0-emu.patch48
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm.patch200
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0004-kvm-nVMX-Disallow-userspace-injected-exceptions-in-g.patch71
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-asm-Fix-inline-asm-call-constraints-for-GCC-4.4.patch87
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-mm-Remove-the-UP-asm-tlbflush.h-code-always-use-.patch314
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-speculation-Correct-Speculation-Control-microcod.patch78
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-KVM-x86-Don-t-re-execute-instruction-when-not-passin.patch63
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kaiser-merged-update.patch1327
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch156
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-cpufeatures-Add-Intel-PCONFIG-cpufeature.patch39
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-microcode-AMD-Do-not-load-when-running-on-a-hype.patch105
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-mm-Give-each-mm-TLB-flush-generation-a-unique-ID.patch117
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-speculation-Clean-up-various-Spectre-related-det.patch148
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0006-KVM-X86-Fix-operand-address-size-during-instruction-.patch67
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0006-kaiser-do-not-set-_PAGE_NX-on-pgd_none.patch212
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-retpoline-Remove-the-esp-rsp-thunk.patch63
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-spectre_v1-Disable-compiler-optimizations-over-a.patch84
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch39
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Use-Indirect-Branch-Prediction-Barri.patch129
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-objtool-Annotate-indirect-calls-jump.patch57
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0007-KVM-x86-ioapic-Fix-level-triggered-EOI-and-IOAPIC-re.patch72
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0007-bpf-x64-implement-retpoline-for-tail-call.patch183
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0007-kaiser-stack-map-PAGE_SIZE-at-THREAD_SIZE-PAGE_SIZE.patch145
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch159
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-mce-Improve-error-message-when-kernel-cannot-rec.patch59
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Add-asm-msr-index.h-dependency.patch50
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Remove-Skylake-C2-from-Speculation-C.patch48
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0008-KVM-x86-ioapic-Clear-Remote-IRR-when-entry-is-switch.patch64
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0008-kaiser-fix-build-and-FIXME-in-alloc_ldt_struct.patch55
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpu-Rename-cpu_data.x86_mask-to-cpu_data.x86_ste.patch760
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpufeatures-Add-CPUID_7_EDX-CPUID-leaf.patch162
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-mce-Check-for-alternate-indication-of-machine-ch.patch60
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-reboot-Turn-off-KVM-when-halting-a-CPU.patch62
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-spectre_v2-Don-t-check-microcode-versions-when-r.patch60
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0009-KVM-x86-ioapic-Preserve-read-only-values-in-the-redi.patch61
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0009-Revert-x86-retpoline-Simplify-vmexit_fill_RSB.patch263
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0009-kaiser-KAISER-depends-on-SMP.patch56
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-KASLR-Fix-kexec-kernel-boot-crash-when-KASLR-ran.patch79
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-cpufeatures-Add-Intel-feature-bits-for-Speculati.patch51
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-mce-Fix-incorrect-Machine-check-from-unknown-sou.patch103
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-spectre-Fix-an-error-message.patch44
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0010-KVM-VMX-Fix-rflags-cache-during-vCPU-reset.patch103
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kaiser-fix-regs-to-do_nmi-ifndef-CONFIG_KAISER.patch74
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kvm-x86-fix-icebp-instruction-handling.patch88
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpu-Change-type-of-x86_cache_size-variable-to-un.patch72
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpufeatures-Add-AMD-feature-bits-for-Speculation.patch51
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-mce-Do-not-overwrite-MCi_STATUS-in-mce_no_way_ou.patch81
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-speculation-Use-IBRS-if-available-before-calling.patch232
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0011-KVM-x86-Make-indirect-calls-in-emulator-speculation-.patch82
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0011-bpf-x64-increase-number-of-passes.patch56
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0011-kaiser-fix-perf-crashes.patch152
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-microcode-AMD-Change-load_microcode_amd-s-param-.patch133
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-msr-Add-definitions-for-new-speculation-control-.patch67
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-retpoline-Support-retpoline-builds-with-Clang.patch103
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0012-KVM-VMX-Make-indirect-call-speculation-safe.patch60
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0012-kaiser-ENOMEM-if-kaiser_pagetable_walk-NULL.patch54
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-entry-64-Clear-extra-registers-beyond-syscall-ar.patch79
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-mm-kaslr-Use-the-_ASM_MUL-macro-for-multiplicati.patch75
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-pti-Do-not-enable-PTI-on-CPUs-which-are-not-vuln.patch116
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-speculation-objtool-Annotate-indirect-calls-jump.patch101
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0013-KVM-X86-Fix-preempt-the-preemption-timer-cancel.patch93
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0013-kaiser-tidied-up-asm-kaiser.h-somewhat.patch107
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-boot-objtool-Annotate-indirect-jump-in-secondary.patch54
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-cpufeature-Blacklist-SPEC_CTRL-PRED_CMD-on-early.patch173
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-kvm-Update-spectre-v1-mitigation.patch72
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-Fix-handling-of-lmsw-instruction.patch63
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-kmap-can-t-fail.patch47
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0014-kaiser-tidied-up-kaiser_add-remove_mapping-slightly.patch52
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Add-basic-IBPB-Indirect-Branch-Predi.patch102
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Move-firmware_restrict_branch_specul.patch76
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-SVM-do-not-zero-out-segment-attributes-if-segmen.patch95
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-nVMX-vmx_complete_nested_posted_interrupt-can-t-.patch69
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0015-kaiser-align-addition-to-x86-mm-Makefile.patch28
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0015-x86-nospec-Fix-header-guards-names.patch56
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-Update-vmcs12-guest_linear_address-on-neste.patch42
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-mark-vmcs12-pages-dirty-on-L2-exit.patch119
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0016-kaiser-cleanups-while-trying-for-gold-link.patch141
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0016-x86-bugs-Drop-one-mitigation-from-dmesg.patch55
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0017-KVM-nVMX-Eliminate-vmcs02-pool.patch295
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0017-kaiser-name-that-0x1000-KAISER_SHADOW_PGD_OFFSET.patch70
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0017-perf-x86-Fix-possible-Spectre-v1-indexing-for-hw_per.patch62
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0017-x86-cpu-bugs-Make-retpoline-module-warning-condition.patch72
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0018-KVM-VMX-introduce-alloc_loaded_vmcs.patch104
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0018-kaiser-delete-KAISER_REAL_SWITCH-option.patch85
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0018-perf-x86-cstate-Fix-possible-Spectre-v1-indexing-for.patch53
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0018-x86-cpufeatures-Clean-up-Spectre-v2-related-CPUID-fl.patch181
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0019-KVM-VMX-make-MSR-bitmaps-per-VCPU.patch585
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0019-kaiser-vmstat-show-NR_KAISERTABLE-as-nr_overhead.patch122
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0019-perf-x86-msr-Fix-possible-Spectre-v1-indexing-in-the.patch65
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0019-x86-retpoline-Simplify-vmexit_fill_RSB.patch261
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0020-KVM-x86-Add-IBPB-support.patch352
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0020-kaiser-enhanced-by-kernel-and-user-PCIDs.patch424
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0020-perf-x86-Fix-possible-Spectre-v1-indexing-for-x86_pm.patch59
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0020-x86-spectre-Check-CONFIG_RETPOLINE-in-command-line-p.patch53
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0021-KVM-VMX-Emulate-MSR_IA32_ARCH_CAPABILITIES.patch156
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0021-kaiser-load_new_mm_cr3-let-SWITCH_USER_CR3-flush-use.patch403
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0021-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch66
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0021-x86-entry-64-Remove-the-SYSCALL64-fast-path.patch207
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0022-KVM-VMX-Allow-direct-access-to-MSR_IA32_SPEC_CTRL.patch305
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0022-kaiser-PCID-0-for-kernel-and-128-for-user.patch135
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0022-x86-entry-64-Push-extra-regs-right-away.patch49
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0022-x86-nospec-Simplify-alternative_msr_write.patch71
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0023-KVM-SVM-Allow-direct-access-to-MSR_IA32_SPEC_CTRL.patch192
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0023-kaiser-x86_cr3_pcid_noflush-and-x86_cr3_pcid_user.patch147
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0023-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch75
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0024-Documentation-Document-array_index_nospec.patch128
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0024-KVM-nVMX-Fix-races-when-sending-nested-PI-while-dest.patch100
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0024-kaiser-paranoid_entry-pass-cr3-need-to-paranoid_exit.patch172
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0024-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch92
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0025-KVM-x86-Reduce-retpoline-performance-impact-in-slot_.patch103
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0025-array_index_nospec-Sanitize-speculative-array-de-ref.patch121
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0025-kaiser-kaiser_remove_mapping-move-along-the-pgd.patch52
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0025-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch143
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0026-KVM-x86-fix-escape-of-guest-dr6-to-the-host.patch70
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0026-kaiser-fix-unlikely-error-in-alloc_ldt_struct.patch35
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0026-x86-Implement-array_index_mask_nospec.patch68
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0026-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch137
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0027-kaiser-add-nokaiser-boot-option-using-ALTERNATIVE.patch686
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0027-x86-Introduce-barrier_nospec.patch70
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0027-x86-add-MULTIUSER-dependency-for-KVM.patch37
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0027-x86-bugs-Expose-sys-.-spec_store_bypass.patch148
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0028-KVM-add-X86_LOCAL_APIC-dependency.patch41
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0028-x86-Introduce-__uaccess_begin_nospec-and-uaccess_try.patch83
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0028-x86-cpufeatures-Add-X86_FEATURE_RDS.patch36
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0028-x86-kaiser-Rename-and-simplify-X86_FEATURE_KAISER-ha.patch104
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0029-KVM-async_pf-Fix-DF-due-to-inject-Page-not-Present-a.patch105
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0029-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch272
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0029-x86-kaiser-Check-boottime-cmdline-params.patch127
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0029-x86-usercopy-Replace-open-coded-stac-clac-with-__uac.patch73
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0030-KVM-VMX-clean-up-declaration-of-VPID-EPT-invalidatio.patch57
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0030-kaiser-use-ALTERNATIVE-instead-of-x86_cr3_pcid_noflu.patch137
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0030-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch183
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0030-x86-uaccess-Use-__uaccess_begin_nospec-and-uaccess_t.patch196
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0031-KVM-nVMX-invvpid-handling-improvements.patch102
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0031-kaiser-drop-is_atomic-arg-to-kaiser_pagetable_walk.patch55
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0031-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch70
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0031-x86-get_user-Use-pointer-masking-to-limit-speculatio.patch100
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0032-KVM-x86-Remove-indirect-MSR-op-calls-from-SPEC_CTRL.patch105
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0032-kaiser-asm-tlbflush.h-handle-noPGE-at-lower-level.patch88
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0032-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch200
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0032-x86-syscall-Sanitize-syscall-table-de-references-und.patch64
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0033-KVM-VMX-Optimize-vmx_vcpu_run-and-svm_vcpu_run-by-ma.patch65
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0033-kaiser-kaiser_flush_tlb_on_return_to_user-check-PCID.patch93
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0033-vfs-fdtable-Prevent-bounds-check-bypass-via-speculat.patch57
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0033-x86-KVM-VMX-Expose-SPEC_CTRL-Bit-2-to-the-guest.patch120
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0034-x86-paravirt-Dont-patch-flush_tlb_single.patch71
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0034-x86-spectre-Report-get_user-mitigation-for-spectre_v.patch43
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0034-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch141
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0035-x86-kaiser-Reenable-PARAVIRT.patch30
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0035-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch125
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0035-x86-spectre-Fix-spelling-mistake-vunerable-vulnerabl.patch41
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0036-kaiser-disabled-on-Xen-PV.patch44
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0036-x86-cpuid-Fix-up-virtual-IBRS-IBPB-STIBP-feature-bit.patch127
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0036-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch84
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0037-x86-kaiser-Move-feature-detection-up.patch85
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0037-x86-process-Optimize-TIF_NOTSC-switch.patch112
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0037-x86-retpoline-Avoid-retpolines-for-built-in-__init-f.patch54
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0038-KPTI-Rename-to-PAGE_TABLE_ISOLATION.patch359
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0038-x86-process-Allow-runtime-control-of-Speculative-Sto.patch229
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0038-x86-spectre-Simplify-spectre_v2-command-line-parsing.patch141
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0039-KPTI-Report-when-enabled.patch48
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0039-x86-pti-Mark-constant-arrays-as-__initconst.patch55
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0039-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch222
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0040-kaiser-Set-_PAGE_NX-only-if-supported.patch121
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0040-nospec-Move-array_index_nospec-parameter-checking-in.patch92
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0040-x86-speculation-Fix-typo-IBRS_ATT-which-should-be-IB.patch41
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0041-kaiser-Set-_PAGE_NX-only-if-supported.patch34
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0041-nospec-Allow-index-argument-to-have-const-qualified-.patch68
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0041-x86-microcode-Do-the-family-check-first.patch94
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0042-bpf-adjust-insn_aux_data-when-patching-insns.patch103
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0042-nospec-Kill-array_index_nospec_mask_check.patch85
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0043-bpf-move-fixup_bpf_calls-function.patch169
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0043-nospec-Include-asm-barrier.h-dependency.patch51
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0044-bpf-refactor-fixup_bpf_calls.patch125
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0044-prctl-Add-speculation-control-prctls.patch239
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0045-bpf-prevent-out-of-bounds-speculation.patch274
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0045-nospec-Allow-getting-setting-on-non-current-task.patch162
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch83
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0046-x86-bugs-Make-boot-modes-__ro_after_init.patch43
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0047-fs-proc-Report-eip-esp-in-prod-PID-stat-for-coredump.patch77
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0047-x86-Documentation-Add-PTI-description.patch267
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0048-proc-fix-coredump-vs-read-proc-stat-race.patch105
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0048-x86-cpu-Factor-out-application-of-forced-CPU-caps.patch81
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0049-proc-Provide-details-on-speculation-flaw-mitigations.patch64
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0049-x86-cpufeatures-Make-CPU-bugs-sticky.patch102
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0050-prctl-Add-force-disable-speculation.patch218
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0050-x86-cpufeatures-Add-X86_BUG_CPU_INSECURE.patch78
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0051-seccomp-fix-the-usage-of-get-put_seccomp_filter-in-s.patch94
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0051-x86-pti-Rename-BUG_CPU_INSECURE-to-BUG_CPU_MELTDOWN.patch61
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0052-seccomp-Enable-speculation-flaw-mitigations.patch64
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0052-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch62
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0053-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch33
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0053-x86-cpu-Merge-bugs.c-and-bugs_64.c.patch141
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0054-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch222
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0054-sysfs-cpu-Add-vulnerability-folder.patch157
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0055-seccomp-Move-speculation-migitation-control-to-arch-.patch121
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0055-x86-cpu-Implement-CPU-vulnerabilites-sysfs-functions.patch86
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0056-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch70
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0056-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch166
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0057-x86-bugs-Rename-_RDS-to-_SSBD.patch405
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0057-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch86
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0058-sysfs-cpu-Fix-typos-in-vulnerability-documentation.patch37
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0058-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch35
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0059-x86-alternatives-Fix-optimize_nops-checking.patch56
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0059-x86-bugs-Make-cpu_show_common-static.patch34
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0060-x86-alternatives-Add-missing-n-at-end-of-ALTERNATIVE.patch59
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0060-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch42
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0061-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch42
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0061-x86-mm-32-Move-setup_clear_cpu_cap-X86_FEATURE_PCID-.patch48
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0062-KVM-SVM-Move-spec-control-call-after-restore-of-GS.patch70
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0062-objtool-modules-Discard-objtool-annotation-sections-.patch94
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0063-objtool-Detect-jumps-to-retpoline-thunks.patch64
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0063-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch156
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0064-objtool-Allow-alternatives-to-be-ignored.patch166
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0064-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch155
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0065-x86-asm-Use-register-variable-to-get-stack-pointer-v.patch150
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0065-x86-cpufeatures-Disentangle-SSBD-enumeration.patch163
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0066-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch55
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0066-x86-retpoline-Add-initial-retpoline-support.patch378
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0067-x86-cpufeatures-Add-FEATURE_ZEN.patch48
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0067-x86-spectre-Add-boot-time-option-to-select-Spectre-v.patch327
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0068-x86-retpoline-crypto-Convert-crypto-assembler-indire.patch135
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0068-x86-speculation-Handle-HT-correctly-on-AMD.patch240
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0069-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch163
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0069-x86-retpoline-entry-Convert-entry-assembler-indirect.patch122
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0070-x86-retpoline-ftrace-Convert-ftrace-assembler-indire.patch94
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0070-x86-speculation-Add-virtualized-speculative-store-by.patch104
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0071-x86-retpoline-hyperv-Convert-assembler-indirect-jump.patch79
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0071-x86-speculation-Rework-speculative_store_bypass_upda.patch75
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0072-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch145
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0072-x86-retpoline-xen-Convert-Xen-hypercall-indirect-jum.patch64
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0073-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch120
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0073-x86-retpoline-checksum32-Convert-assembler-indirect-.patch70
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0074-x86-bugs-Remove-x86_spec_ctrl_set.patch76
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0074-x86-retpoline-irq32-Convert-assembler-indirect-jumps.patch77
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0075-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch95
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0075-x86-retpoline-Fill-return-stack-buffer-on-vmexit.patch195
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0076-x86-retpoline-Remove-compile-time-warning.patch62
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0076-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch84
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0077-KVM-SVM-Implement-VIRT_SPEC_CTRL-support-for-SSBD.patch241
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0077-objtool-Fix-retpoline-support-for-pre-ORC-objtool.patch44
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0078-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch48
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0078-x86-pti-efi-broken-conversion-from-efi-to-kernel-pag.patch79
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0079-x86-kexec-Avoid-double-free_page-upon-do_kexec_load-.patch106
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0079-x86-retpoline-Fill-RSB-on-context-switch-for-affecte.patch179
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0080-KVM-VMX-Expose-SSBD-properly-to-guests.patch44
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0080-x86-retpoline-Add-LFENCE-to-the-retpoline-RSB-fillin.patch94
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0081-KVM-x86-Update-cpuid-properly-when-CR4.OSXAVE-or-CR4.patch63
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0081-objtool-Improve-error-message-for-bad-file-argument.patch53
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0082-kvm-x86-IA32_ARCH_CAPABILITIES-is-always-supported.patch54
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0082-x86-cpufeature-Move-processor-tracing-out-of-scatter.patch73
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0083-kvm-x86-fix-KVM_XEN_HVM_CONFIG-ioctl.patch57
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0083-module-Add-retpoline-tag-to-VERMAGIC.patch55
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0084-KVM-VMX-raise-internal-error-for-exception-during-in.patch90
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0084-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch48
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0085-KVM-lapic-stop-advertising-DIRECTED_EOI-when-in-kern.patch56
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0085-x86-mce-Make-machine-check-speculation-protected.patch69
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0086-objtool-Improve-detection-of-BUG-and-other-dead-ends.patch217
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0086-retpoline-Introduce-start-end-markers-of-indirect-th.patch78
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0087-kprobes-x86-Blacklist-indirect-thunk-functions-for-k.patch43
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0087-objtool-Move-checking-code-to-check.c.patch2802
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0088-kprobes-x86-Disable-optimizing-on-the-function-jumps.patch83
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0088-objtool-sync-up-with-the-4.14.47-version-of-objtool.patch9906
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0089-objtool-x86-Add-several-functions-and-files-to-the-o.patch316
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0089-x86-pti-Document-fix-wrong-index.patch34
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0090-x86-retpoline-Optimize-inline-assembler-for-vmexit_f.patch61
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0090-x86-xen-Add-unwind-hint-annotations-to-xen_setup_gdt.patch47
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0091-Revert-module-Add-retpoline-tag-to-VERMAGIC.patch53
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0091-x86-amd-revert-commit-944e0fc51a89c9827b9.patch51
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0092-Map-the-vsyscall-page-with-_PAGE_USER.patch151
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0092-xen-set-cpu-capabilities-from-xen_start_kernel.patch72
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0093-vsyscall-Fix-permissions-for-emulate-mode-with-KAISE.patch75
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0093-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch65
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0094-bpf-fix-mixed-signed-unsigned-derived-min-max-value-.patch463
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0095-bpf-prevent-leaking-pointer-via-xadd-on-unpriviledge.patch83
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0096-x86-bpf_jit-small-optimization-in-emit_bpf_tail_call.patch71
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0097-bpf-fix-bpf_tail_call-x64-JIT.patch62
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0098-bpf-introduce-BPF_JIT_ALWAYS_ON-config.patch222
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0099-bpf-arsh-is-not-supported-in-32-bit-alu-thus-reject-.patch50
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0100-bpf-avoid-false-sharing-of-map-refcount-with-max_ent.patch128
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0101-bpf-fix-divides-by-zero.patch46
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-fix-32-bit-divide-by-zero.patch69
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0103-bpf-reject-stores-into-ctx-via-st-and-xadd.patch72
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/upstream-backports.scc305
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/x86-asm-Move-status-from-thread_struct-to-thread_inf-linux-yocto-rt.patch186
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/x86-asm-Move-status-from-thread_struct-to-thread_inf-linux-yocto.patch187
308 files changed, 0 insertions, 49824 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
deleted file mode 100644
index 9772c5f8..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From af0e9ccc133f03f5150a7afba349a9f50897f793 Mon Sep 17 00:00:00 2001
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-Date: Thu, 14 Dec 2017 17:40:50 -0800
-Subject: [PATCH 01/33] KVM: Fix stack-out-of-bounds read in write_mmio
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream.
-
-Reported by syzkaller:
-
- BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
- Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
-
- CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
- Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
- Call Trace:
- dump_stack+0xab/0xe1
- print_address_description+0x6b/0x290
- kasan_report+0x28a/0x370
- write_mmio+0x11e/0x270 [kvm]
- emulator_read_write_onepage+0x311/0x600 [kvm]
- emulator_read_write+0xef/0x240 [kvm]
- emulator_fix_hypercall+0x105/0x150 [kvm]
- em_hypercall+0x2b/0x80 [kvm]
- x86_emulate_insn+0x2b1/0x1640 [kvm]
- x86_emulate_instruction+0x39a/0xb90 [kvm]
- handle_exception+0x1b4/0x4d0 [kvm_intel]
- vcpu_enter_guest+0x15a0/0x2640 [kvm]
- kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
- kvm_vcpu_ioctl+0x479/0x880 [kvm]
- do_vfs_ioctl+0x142/0x9a0
- SyS_ioctl+0x74/0x80
- entry_SYSCALL_64_fastpath+0x23/0x9a
-
-The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
-to the guest memory, however, write_mmio tracepoint always prints 8 bytes
-through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
-leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
-it by just accessing the bytes which we operate on.
-
-Before patch:
-
-syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
-
-After patch:
-
-syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
-Tested-by: Marc Zyngier <marc.zyngier@arm.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Cc: Marc Zyngier <marc.zyngier@arm.com>
-Cc: Christoffer Dall <christoffer.dall@linaro.org>
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/kvm/mmio.c | 6 +++---
- arch/x86/kvm/x86.c | 8 ++++----
- include/trace/events/kvm.h | 7 +++++--
- 3 files changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c
-index b6e715f..dac7ceb 100644
---- a/arch/arm/kvm/mmio.c
-+++ b/arch/arm/kvm/mmio.c
-@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
- }
-
- trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
-- data);
-+ &data);
- data = vcpu_data_host_to_guest(vcpu, data, len);
- vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
- }
-@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
- data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
- len);
-
-- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
- kvm_mmio_write_buf(data_buf, len, data);
-
- ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
- data_buf);
- } else {
- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
-- fault_ipa, 0);
-+ fault_ipa, NULL);
-
- ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
- data_buf);
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 51a700a..9cc9117 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4242,7 +4242,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
- addr, n, v))
- && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
- break;
-- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
- handled += n;
- addr += n;
- len -= n;
-@@ -4495,7 +4495,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
- {
- if (vcpu->mmio_read_completed) {
- trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
-- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
-+ vcpu->mmio_fragments[0].gpa, val);
- vcpu->mmio_read_completed = 0;
- return 1;
- }
-@@ -4517,14 +4517,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
-
- static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
- {
-- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
- return vcpu_mmio_write(vcpu, gpa, bytes, val);
- }
-
- static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
- void *val, int bytes)
- {
-- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
- return X86EMUL_IO_NEEDED;
- }
-
-diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
-index 8ade3eb..90fce4d 100644
---- a/include/trace/events/kvm.h
-+++ b/include/trace/events/kvm.h
-@@ -208,7 +208,7 @@ TRACE_EVENT(kvm_ack_irq,
- { KVM_TRACE_MMIO_WRITE, "write" }
-
- TRACE_EVENT(kvm_mmio,
-- TP_PROTO(int type, int len, u64 gpa, u64 val),
-+ TP_PROTO(int type, int len, u64 gpa, void *val),
- TP_ARGS(type, len, gpa, val),
-
- TP_STRUCT__entry(
-@@ -222,7 +222,10 @@ TRACE_EVENT(kvm_mmio,
- __entry->type = type;
- __entry->len = len;
- __entry->gpa = gpa;
-- __entry->val = val;
-+ __entry->val = 0;
-+ if (val)
-+ memcpy(&__entry->val, val,
-+ min_t(u32, sizeof(__entry->val), len));
- ),
-
- TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-VMX-Expose-SSBD-properly-to-guests-4.9-supplemen.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-VMX-Expose-SSBD-properly-to-guests-4.9-supplemen.patch
deleted file mode 100644
index 64e0004b..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-KVM-VMX-Expose-SSBD-properly-to-guests-4.9-supplemen.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 122fd9dfb506c08b0a3093d6da080983cdf91e32 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Tue, 12 Jun 2018 01:14:34 +0100
-Subject: [PATCH 01/10] KVM: VMX: Expose SSBD properly to guests, 4.9
- supplement
-
-Fix an additional misuse of X86_FEATURE_SSBD in
-guest_cpuid_has_spec_ctrl(). This function was introduced in the
-backport of SSBD support to 4.9 and is not present upstream, so it was
-not fixed by commit 43462d908821 "KVM: VMX: Expose SSBD properly to
-guests."
-
-Fixes: 52817587e706 ("x86/cpufeatures: Disentangle SSBD enumeration")
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: kvm@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/cpuid.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
-index d22695c..cf503df 100644
---- a/arch/x86/kvm/cpuid.h
-+++ b/arch/x86/kvm/cpuid.h
-@@ -171,7 +171,7 @@ static inline bool guest_cpuid_has_spec_ctrl(struct kvm_vcpu *vcpu)
- if (best && (best->ebx & bit(X86_FEATURE_AMD_IBRS)))
- return true;
- best = kvm_find_cpuid_entry(vcpu, 7, 0);
-- return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_SSBD)));
-+ return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_SPEC_CTRL_SSBD)));
- }
-
- static inline bool guest_cpuid_has_arch_capabilities(struct kvm_vcpu *vcpu)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-compile-error-without-vsyscall.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-compile-error-without-vsyscall.patch
deleted file mode 100644
index bb09930a..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-compile-error-without-vsyscall.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 0f1e01960c3e082feac098be5b754ad3e06c820a Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Tue, 13 Feb 2018 16:45:20 +0100
-Subject: [PATCH 01/12] kaiser: fix compile error without vsyscall
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Tobias noticed a compile error on 4.4.115, and it's the same on 4.9.80:
-arch/x86/mm/kaiser.c: In function ‘kaiser_init’:
-arch/x86/mm/kaiser.c:348:8: error: ‘vsyscall_pgprot’ undeclared
- (first use in this function)
-
-It seems like his combination of kernel options doesn't work for KAISER.
-X86_VSYSCALL_EMULATION is not set on his system, while LEGACY_VSYSCALL
-is set to NONE (LEGACY_VSYSCALL_NONE=y). He managed to get things
-compiling again, by moving the 'extern unsigned long vsyscall_pgprot'
-outside of the preprocessor statement. This works because the optimizer
-removes that code (vsyscall_enabled() is always false) - and that's how
-it was done in some older backports.
-
-Reported-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/vsyscall.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h
-index 9ee8506..62210da 100644
---- a/arch/x86/include/asm/vsyscall.h
-+++ b/arch/x86/include/asm/vsyscall.h
-@@ -13,7 +13,6 @@ extern void map_vsyscall(void);
- */
- extern bool emulate_vsyscall(struct pt_regs *regs, unsigned long address);
- extern bool vsyscall_enabled(void);
--extern unsigned long vsyscall_pgprot;
- #else
- static inline void map_vsyscall(void) {}
- static inline bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
-@@ -22,5 +21,6 @@ static inline bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
- }
- static inline bool vsyscall_enabled(void) { return false; }
- #endif
-+extern unsigned long vsyscall_pgprot;
-
- #endif /* _ASM_X86_VSYSCALL_H */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-intel_bts-perf-crashes.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-intel_bts-perf-crashes.patch
deleted file mode 100644
index 3e53e978..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-kaiser-fix-intel_bts-perf-crashes.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From f07b0b948b09b02e7386560ad509d1afdbd6ef0b Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Mon, 29 Jan 2018 18:16:55 -0800
-Subject: [PATCH 01/42] kaiser: fix intel_bts perf crashes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Vince reported perf_fuzzer quickly locks up on 4.15-rc7 with PTI;
-Robert reported Bad RIP with KPTI and Intel BTS also on 4.15-rc7:
-honggfuzz -f /tmp/somedirectorywithatleastonefile \
- --linux_perf_bts_edge -s -- /bin/true
-(honggfuzz from https://github.com/google/honggfuzz) crashed with
-BUG: unable to handle kernel paging request at ffff9d3215100000
-(then narrowed it down to
-perf record --per-thread -e intel_bts//u -- /bin/ls).
-
-The intel_bts driver does not use the 'normal' BTS buffer which is
-exposed through kaiser_add_mapping(), but instead uses the memory
-allocated for the perf AUX buffer.
-
-This obviously comes apart when using PTI, because then the kernel
-mapping, which includes that AUX buffer memory, disappears while
-switched to user page tables.
-
-Easily fixed in old-Kaiser backports, by applying kaiser_add_mapping()
-to those pages; perhaps not so easy for upstream, where 4.15-rc8 commit
-99a9dc98ba52 ("x86,perf: Disable intel_bts when PTI") disables for now.
-
-Slightly reorganized surrounding code in bts_buffer_setup_aux(),
-so it can better match bts_buffer_free_aux(): free_aux with an #ifdef
-to avoid the loop when PTI is off, but setup_aux needs to loop anyway
-(and kaiser_add_mapping() is cheap when PTI config is off or "pti=off").
-
-Reported-by: Vince Weaver <vincent.weaver@maine.edu>
-Reported-by: Robert Święcki <robert@swiecki.net>
-Analyzed-by: Peter Zijlstra <peterz@infradead.org>
-Analyzed-by: Stephane Eranian <eranian@google.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Vince Weaver <vince@deater.net>
-Cc: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/events/intel/bts.c | 44 +++++++++++++++++++++++++++++++++-----------
- 1 file changed, 33 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/events/intel/bts.c b/arch/x86/events/intel/bts.c
-index 982c9e3..21298c1 100644
---- a/arch/x86/events/intel/bts.c
-+++ b/arch/x86/events/intel/bts.c
-@@ -22,6 +22,7 @@
- #include <linux/debugfs.h>
- #include <linux/device.h>
- #include <linux/coredump.h>
-+#include <linux/kaiser.h>
-
- #include <asm-generic/sizes.h>
- #include <asm/perf_event.h>
-@@ -77,6 +78,23 @@ static size_t buf_size(struct page *page)
- return 1 << (PAGE_SHIFT + page_private(page));
- }
-
-+static void bts_buffer_free_aux(void *data)
-+{
-+#ifdef CONFIG_PAGE_TABLE_ISOLATION
-+ struct bts_buffer *buf = data;
-+ int nbuf;
-+
-+ for (nbuf = 0; nbuf < buf->nr_bufs; nbuf++) {
-+ struct page *page = buf->buf[nbuf].page;
-+ void *kaddr = page_address(page);
-+ size_t page_size = buf_size(page);
-+
-+ kaiser_remove_mapping((unsigned long)kaddr, page_size);
-+ }
-+#endif
-+ kfree(data);
-+}
-+
- static void *
- bts_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool overwrite)
- {
-@@ -113,29 +131,33 @@ bts_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool overwrite)
- buf->real_size = size - size % BTS_RECORD_SIZE;
-
- for (pg = 0, nbuf = 0, offset = 0, pad = 0; nbuf < buf->nr_bufs; nbuf++) {
-- unsigned int __nr_pages;
-+ void *kaddr = pages[pg];
-+ size_t page_size;
-+
-+ page = virt_to_page(kaddr);
-+ page_size = buf_size(page);
-+
-+ if (kaiser_add_mapping((unsigned long)kaddr,
-+ page_size, __PAGE_KERNEL) < 0) {
-+ buf->nr_bufs = nbuf;
-+ bts_buffer_free_aux(buf);
-+ return NULL;
-+ }
-
-- page = virt_to_page(pages[pg]);
-- __nr_pages = PagePrivate(page) ? 1 << page_private(page) : 1;
- buf->buf[nbuf].page = page;
- buf->buf[nbuf].offset = offset;
- buf->buf[nbuf].displacement = (pad ? BTS_RECORD_SIZE - pad : 0);
-- buf->buf[nbuf].size = buf_size(page) - buf->buf[nbuf].displacement;
-+ buf->buf[nbuf].size = page_size - buf->buf[nbuf].displacement;
- pad = buf->buf[nbuf].size % BTS_RECORD_SIZE;
- buf->buf[nbuf].size -= pad;
-
-- pg += __nr_pages;
-- offset += __nr_pages << PAGE_SHIFT;
-+ pg += page_size >> PAGE_SHIFT;
-+ offset += page_size;
- }
-
- return buf;
- }
-
--static void bts_buffer_free_aux(void *data)
--{
-- kfree(data);
--}
--
- static unsigned long bts_buffer_offset(struct bts_buffer *buf, unsigned int idx)
- {
- return buf->buf[idx].offset + buf->buf[idx].displacement;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-boot-Add-early-cmdline-parsing-for-options-with-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-boot-Add-early-cmdline-parsing-for-options-with-.patch
deleted file mode 100644
index 50c1ddb6..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-boot-Add-early-cmdline-parsing-for-options-with-.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From 97be262ca58e09fd46568b01a7643a244903ae21 Mon Sep 17 00:00:00 2001
-From: Tom Lendacky <thomas.lendacky@amd.com>
-Date: Mon, 17 Jul 2017 16:10:33 -0500
-Subject: [PATCH 001/103] x86/boot: Add early cmdline parsing for options with
- arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit e505371dd83963caae1a37ead9524e8d997341be upstream.
-
-Add a cmdline_find_option() function to look for cmdline options that
-take arguments. The argument is returned in a supplied buffer and the
-argument length (regardless of whether it fits in the supplied buffer)
-is returned, with -1 indicating not found.
-
-Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Alexander Potapenko <glider@google.com>
-Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brijesh Singh <brijesh.singh@amd.com>
-Cc: Dave Young <dyoung@redhat.com>
-Cc: Dmitry Vyukov <dvyukov@google.com>
-Cc: Jonathan Corbet <corbet@lwn.net>
-Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Cc: Larry Woodman <lwoodman@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Matt Fleming <matt@codeblueprint.co.uk>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Toshimitsu Kani <toshi.kani@hpe.com>
-Cc: kasan-dev@googlegroups.com
-Cc: kvm@vger.kernel.org
-Cc: linux-arch@vger.kernel.org
-Cc: linux-doc@vger.kernel.org
-Cc: linux-efi@vger.kernel.org
-Cc: linux-mm@kvack.org
-Link: http://lkml.kernel.org/r/36b5f97492a9745dce27682305f990fc20e5cf8a.1500319216.git.thomas.lendacky@amd.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cmdline.h | 2 +
- arch/x86/lib/cmdline.c | 105 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 107 insertions(+)
-
-diff --git a/arch/x86/include/asm/cmdline.h b/arch/x86/include/asm/cmdline.h
-index e01f7f7..84ae170 100644
---- a/arch/x86/include/asm/cmdline.h
-+++ b/arch/x86/include/asm/cmdline.h
-@@ -2,5 +2,7 @@
- #define _ASM_X86_CMDLINE_H
-
- int cmdline_find_option_bool(const char *cmdline_ptr, const char *option);
-+int cmdline_find_option(const char *cmdline_ptr, const char *option,
-+ char *buffer, int bufsize);
-
- #endif /* _ASM_X86_CMDLINE_H */
-diff --git a/arch/x86/lib/cmdline.c b/arch/x86/lib/cmdline.c
-index 5cc78bf..3261abb 100644
---- a/arch/x86/lib/cmdline.c
-+++ b/arch/x86/lib/cmdline.c
-@@ -104,7 +104,112 @@ __cmdline_find_option_bool(const char *cmdline, int max_cmdline_size,
- return 0; /* Buffer overrun */
- }
-
-+/*
-+ * Find a non-boolean option (i.e. option=argument). In accordance with
-+ * standard Linux practice, if this option is repeated, this returns the
-+ * last instance on the command line.
-+ *
-+ * @cmdline: the cmdline string
-+ * @max_cmdline_size: the maximum size of cmdline
-+ * @option: option string to look for
-+ * @buffer: memory buffer to return the option argument
-+ * @bufsize: size of the supplied memory buffer
-+ *
-+ * Returns the length of the argument (regardless of if it was
-+ * truncated to fit in the buffer), or -1 on not found.
-+ */
-+static int
-+__cmdline_find_option(const char *cmdline, int max_cmdline_size,
-+ const char *option, char *buffer, int bufsize)
-+{
-+ char c;
-+ int pos = 0, len = -1;
-+ const char *opptr = NULL;
-+ char *bufptr = buffer;
-+ enum {
-+ st_wordstart = 0, /* Start of word/after whitespace */
-+ st_wordcmp, /* Comparing this word */
-+ st_wordskip, /* Miscompare, skip */
-+ st_bufcpy, /* Copying this to buffer */
-+ } state = st_wordstart;
-+
-+ if (!cmdline)
-+ return -1; /* No command line */
-+
-+ /*
-+ * This 'pos' check ensures we do not overrun
-+ * a non-NULL-terminated 'cmdline'
-+ */
-+ while (pos++ < max_cmdline_size) {
-+ c = *(char *)cmdline++;
-+ if (!c)
-+ break;
-+
-+ switch (state) {
-+ case st_wordstart:
-+ if (myisspace(c))
-+ break;
-+
-+ state = st_wordcmp;
-+ opptr = option;
-+ /* fall through */
-+
-+ case st_wordcmp:
-+ if ((c == '=') && !*opptr) {
-+ /*
-+ * We matched all the way to the end of the
-+ * option we were looking for, prepare to
-+ * copy the argument.
-+ */
-+ len = 0;
-+ bufptr = buffer;
-+ state = st_bufcpy;
-+ break;
-+ } else if (c == *opptr++) {
-+ /*
-+ * We are currently matching, so continue
-+ * to the next character on the cmdline.
-+ */
-+ break;
-+ }
-+ state = st_wordskip;
-+ /* fall through */
-+
-+ case st_wordskip:
-+ if (myisspace(c))
-+ state = st_wordstart;
-+ break;
-+
-+ case st_bufcpy:
-+ if (myisspace(c)) {
-+ state = st_wordstart;
-+ } else {
-+ /*
-+ * Increment len, but don't overrun the
-+ * supplied buffer and leave room for the
-+ * NULL terminator.
-+ */
-+ if (++len < bufsize)
-+ *bufptr++ = c;
-+ }
-+ break;
-+ }
-+ }
-+
-+ if (bufsize)
-+ *bufptr = '\0';
-+
-+ return len;
-+}
-+
- int cmdline_find_option_bool(const char *cmdline, const char *option)
- {
- return __cmdline_find_option_bool(cmdline, COMMAND_LINE_SIZE, option);
- }
-+
-+int cmdline_find_option(const char *cmdline, const char *option, char *buffer,
-+ int bufsize)
-+{
-+ return __cmdline_find_option(cmdline, COMMAND_LINE_SIZE, option,
-+ buffer, bufsize);
-+}
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-mm-Remove-flush_tlb-and-flush_tlb_current_task.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-mm-Remove-flush_tlb-and-flush_tlb_current_task.patch
deleted file mode 100644
index db1a2245..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-mm-Remove-flush_tlb-and-flush_tlb_current_task.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 0b113edb84e5133f4844eeec2889faced402a41c Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Sat, 22 Apr 2017 00:01:20 -0700
-Subject: [PATCH 01/14] x86/mm: Remove flush_tlb() and flush_tlb_current_task()
-
-commit 29961b59a51f8c6838a26a45e871a7ed6771809b upstream.
-
-I was trying to figure out what how flush_tlb_current_task() would
-possibly work correctly if current->mm != current->active_mm, but I
-realized I could spare myself the effort: it has no callers except
-the unused flush_tlb() macro.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Michal Hocko <mhocko@suse.com>
-Cc: Nadav Amit <namit@vmware.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/e52d64c11690f85e9f1d69d7b48cc2269cd2e94b.1492844372.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/tlbflush.h | 9 ---------
- arch/x86/mm/tlb.c | 17 -----------------
- 2 files changed, 26 deletions(-)
-
-diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index 183af59..db8952a 100644
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -261,7 +261,6 @@ static inline void __flush_tlb_one(unsigned long addr)
- /*
- * TLB flushing:
- *
-- * - flush_tlb() flushes the current mm struct TLBs
- * - flush_tlb_all() flushes all processes TLBs
- * - flush_tlb_mm(mm) flushes the specified mm context TLB's
- * - flush_tlb_page(vma, vmaddr) flushes one page
-@@ -293,11 +292,6 @@ static inline void flush_tlb_all(void)
- __flush_tlb_all();
- }
-
--static inline void flush_tlb(void)
--{
-- __flush_tlb_up();
--}
--
- static inline void local_flush_tlb(void)
- {
- __flush_tlb_up();
-@@ -359,14 +353,11 @@ static inline void flush_tlb_kernel_range(unsigned long start,
- flush_tlb_mm_range(vma->vm_mm, start, end, vma->vm_flags)
-
- extern void flush_tlb_all(void);
--extern void flush_tlb_current_task(void);
- extern void flush_tlb_page(struct vm_area_struct *, unsigned long);
- extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
- unsigned long end, unsigned long vmflag);
- extern void flush_tlb_kernel_range(unsigned long start, unsigned long end);
-
--#define flush_tlb() flush_tlb_current_task()
--
- void native_flush_tlb_others(const struct cpumask *cpumask,
- struct mm_struct *mm,
- unsigned long start, unsigned long end);
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 0cf44ac..c045051 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -320,23 +320,6 @@ void native_flush_tlb_others(const struct cpumask *cpumask,
- smp_call_function_many(cpumask, flush_tlb_func, &info, 1);
- }
-
--void flush_tlb_current_task(void)
--{
-- struct mm_struct *mm = current->mm;
--
-- preempt_disable();
--
-- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
--
-- /* This is an implicit full barrier that synchronizes with switch_mm. */
-- local_flush_tlb();
--
-- trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
-- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
-- flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
-- preempt_enable();
--}
--
- /*
- * See Documentation/x86/tlb.txt for details. We choose 33
- * because it is large enough to cover the vast majority (at
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-paravirt-objtool-Annotate-indirect-calls.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-paravirt-objtool-Annotate-indirect-calls.patch
deleted file mode 100644
index fddb3346..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0001-x86-paravirt-objtool-Annotate-indirect-calls.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 8b18def6a2da1b716f49fad6744a41c94d31a2c5 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Wed, 17 Jan 2018 16:58:11 +0100
-Subject: [PATCH 01/93] x86/paravirt, objtool: Annotate indirect calls
-
-commit 3010a0663fd949d122eca0561b06b0a9453f7866 upstream.
-
-Paravirt emits indirect calls which get flagged by objtool retpoline
-checks, annotate it away because all these indirect calls will be
-patched out before we start userspace.
-
-This patching happens through alternative_instructions() ->
-apply_paravirt() -> pv_init_ops.patch() which will eventually end up
-in paravirt_patch_default(). This function _will_ write direct
-alternatives.
-
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/paravirt.h | 16 ++++++++++++----
- arch/x86/include/asm/paravirt_types.h | 5 ++++-
- 2 files changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
-index ce93281..24af8b1 100644
---- a/arch/x86/include/asm/paravirt.h
-+++ b/arch/x86/include/asm/paravirt.h
-@@ -6,6 +6,7 @@
- #ifdef CONFIG_PARAVIRT
- #include <asm/pgtable_types.h>
- #include <asm/asm.h>
-+#include <asm/nospec-branch.h>
-
- #include <asm/paravirt_types.h>
-
-@@ -869,23 +870,27 @@ extern void default_banner(void);
-
- #define INTERRUPT_RETURN \
- PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_iret), CLBR_NONE, \
-- jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_iret))
-+ ANNOTATE_RETPOLINE_SAFE; \
-+ jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_iret);)
-
- #define DISABLE_INTERRUPTS(clobbers) \
- PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_disable), clobbers, \
- PV_SAVE_REGS(clobbers | CLBR_CALLEE_SAVE); \
-+ ANNOTATE_RETPOLINE_SAFE; \
- call PARA_INDIRECT(pv_irq_ops+PV_IRQ_irq_disable); \
- PV_RESTORE_REGS(clobbers | CLBR_CALLEE_SAVE);)
-
- #define ENABLE_INTERRUPTS(clobbers) \
- PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_enable), clobbers, \
- PV_SAVE_REGS(clobbers | CLBR_CALLEE_SAVE); \
-+ ANNOTATE_RETPOLINE_SAFE; \
- call PARA_INDIRECT(pv_irq_ops+PV_IRQ_irq_enable); \
- PV_RESTORE_REGS(clobbers | CLBR_CALLEE_SAVE);)
-
- #ifdef CONFIG_X86_32
- #define GET_CR0_INTO_EAX \
- push %ecx; push %edx; \
-+ ANNOTATE_RETPOLINE_SAFE; \
- call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
- pop %edx; pop %ecx
- #else /* !CONFIG_X86_32 */
-@@ -907,11 +912,13 @@ extern void default_banner(void);
- */
- #define SWAPGS \
- PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_swapgs), CLBR_NONE, \
-- call PARA_INDIRECT(pv_cpu_ops+PV_CPU_swapgs) \
-+ ANNOTATE_RETPOLINE_SAFE; \
-+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_swapgs); \
- )
-
- #define GET_CR2_INTO_RAX \
-- call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr2)
-+ ANNOTATE_RETPOLINE_SAFE; \
-+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr2);
-
- #define PARAVIRT_ADJUST_EXCEPTION_FRAME \
- PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_adjust_exception_frame), \
-@@ -921,7 +928,8 @@ extern void default_banner(void);
- #define USERGS_SYSRET64 \
- PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_usergs_sysret64), \
- CLBR_NONE, \
-- jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64))
-+ ANNOTATE_RETPOLINE_SAFE; \
-+ jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64);)
- #endif /* CONFIG_X86_32 */
-
- #endif /* __ASSEMBLY__ */
-diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h
-index 0f400c0..04b7971 100644
---- a/arch/x86/include/asm/paravirt_types.h
-+++ b/arch/x86/include/asm/paravirt_types.h
-@@ -42,6 +42,7 @@
- #include <asm/desc_defs.h>
- #include <asm/kmap_types.h>
- #include <asm/pgtable_types.h>
-+#include <asm/nospec-branch.h>
-
- struct page;
- struct thread_struct;
-@@ -391,7 +392,9 @@ int paravirt_disable_iospace(void);
- * offset into the paravirt_patch_template structure, and can therefore be
- * freely converted back into a structure offset.
- */
--#define PARAVIRT_CALL "call *%c[paravirt_opptr];"
-+#define PARAVIRT_CALL \
-+ ANNOTATE_RETPOLINE_SAFE \
-+ "call *%c[paravirt_opptr];"
-
- /*
- * These macros are intended to wrap calls through one of the paravirt
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-complete-e390f9a-port-for-v4.9.106.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-complete-e390f9a-port-for-v4.9.106.patch
deleted file mode 100644
index dbde0c07..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-complete-e390f9a-port-for-v4.9.106.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 22510b00481d95adc62292797fe98fbfe215a649 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philip=20M=C3=BCller?= <philm@manjaro.org>
-Date: Sat, 9 Jun 2018 13:42:05 +0200
-Subject: [PATCH 02/10] complete e390f9a port for v4.9.106
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-objtool ports introduced in v4.9.106 were not totally complete. Therefore
-they resulted in issues like:
-
- module: overflow in relocation type 10 val XXXXXXXXXXX
- ‘usbcore’ likely not compiled with -mcmodel=kernel
- module: overflow in relocation type 10 val XXXXXXXXXXX
- ‘scsi_mod’ likely not compiled with -mcmodel=kernel
-
-Missing part was the complete backport of commit e390f9a.
-
-Original notes by Josh Poimboeuf:
-
-The '__unreachable' and '__func_stack_frame_non_standard' sections are
-only used at compile time. They're discarded for vmlinux but they
-should also be discarded for modules.
-
-Since this is a recurring pattern, prefix the section names with
-".discard.". It's a nice convention and vmlinux.lds.h already discards
-such sections.
-
-Also remove the 'a' (allocatable) flag from the __unreachable section
-since it doesn't make sense for a discarded section.
-
-Signed-off-by: Philip Müller <philm@manjaro.org>
-Fixes: d1091c7fa3d5 ("objtool: Improve detection of BUG() and other dead ends")
-Link: https://gitlab.manjaro.org/packages/core/linux49/issues/2
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/vmlinux.lds.S | 2 --
- include/linux/compiler-gcc.h | 2 +-
- 2 files changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
-index 4ef267f..e783a5d 100644
---- a/arch/x86/kernel/vmlinux.lds.S
-+++ b/arch/x86/kernel/vmlinux.lds.S
-@@ -352,8 +352,6 @@ SECTIONS
- DISCARDS
- /DISCARD/ : {
- *(.eh_frame)
-- *(__func_stack_frame_non_standard)
-- *(__unreachable)
- }
- }
-
-diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
-index b69d102..b62cfb9 100644
---- a/include/linux/compiler-gcc.h
-+++ b/include/linux/compiler-gcc.h
-@@ -202,7 +202,7 @@
- #ifdef CONFIG_STACK_VALIDATION
- #define annotate_unreachable() ({ \
- asm("1:\t\n" \
-- ".pushsection __unreachable, \"a\"\t\n" \
-+ ".pushsection .discard.unreachable\t\n" \
- ".long 1b\t\n" \
- ".popsection\t\n"); \
- })
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-kvm-vmx-Scrub-hardware-GPRs-at-VM-exit.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-kvm-vmx-Scrub-hardware-GPRs-at-VM-exit.patch
deleted file mode 100644
index 406a79d3..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-kvm-vmx-Scrub-hardware-GPRs-at-VM-exit.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 1cd771013c357075c745f99419bdaf31503c5a51 Mon Sep 17 00:00:00 2001
-From: Jim Mattson <jmattson@google.com>
-Date: Wed, 3 Jan 2018 14:31:38 -0800
-Subject: [PATCH 02/33] kvm: vmx: Scrub hardware GPRs at VM-exit
-
-commit 0cb5b30698fdc8f6b4646012e3acb4ddce430788 upstream.
-
-Guest GPR values are live in the hardware GPRs at VM-exit. Do not
-leave any guest values in hardware GPRs after the guest GPR values are
-saved to the vcpu_vmx structure.
-
-This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
-Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
-
-Suggested-by: Eric Northup <digitaleric@google.com>
-Signed-off-by: Jim Mattson <jmattson@google.com>
-Reviewed-by: Eric Northup <digitaleric@google.com>
-Reviewed-by: Benjamin Serebrin <serebrin@google.com>
-Reviewed-by: Andrew Honig <ahonig@google.com>
-[Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/svm.c | 19 +++++++++++++++++++
- arch/x86/kvm/vmx.c | 14 +++++++++++++-
- 2 files changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 975ea99..491f077 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -4858,6 +4858,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
- "mov %%r14, %c[r14](%[svm]) \n\t"
- "mov %%r15, %c[r15](%[svm]) \n\t"
- #endif
-+ /*
-+ * Clear host registers marked as clobbered to prevent
-+ * speculative use.
-+ */
-+ "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
-+ "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
-+ "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
-+ "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
-+ "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
-+#ifdef CONFIG_X86_64
-+ "xor %%r8, %%r8 \n\t"
-+ "xor %%r9, %%r9 \n\t"
-+ "xor %%r10, %%r10 \n\t"
-+ "xor %%r11, %%r11 \n\t"
-+ "xor %%r12, %%r12 \n\t"
-+ "xor %%r13, %%r13 \n\t"
-+ "xor %%r14, %%r14 \n\t"
-+ "xor %%r15, %%r15 \n\t"
-+#endif
- "pop %%" _ASM_BP
- :
- : [svm]"a"(svm),
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 4ead27f..91ae4e2 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -8932,6 +8932,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
- /* Save guest registers, load host registers, keep flags */
- "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
- "pop %0 \n\t"
-+ "setbe %c[fail](%0)\n\t"
- "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
- "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
- __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
-@@ -8948,12 +8949,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
- "mov %%r13, %c[r13](%0) \n\t"
- "mov %%r14, %c[r14](%0) \n\t"
- "mov %%r15, %c[r15](%0) \n\t"
-+ "xor %%r8d, %%r8d \n\t"
-+ "xor %%r9d, %%r9d \n\t"
-+ "xor %%r10d, %%r10d \n\t"
-+ "xor %%r11d, %%r11d \n\t"
-+ "xor %%r12d, %%r12d \n\t"
-+ "xor %%r13d, %%r13d \n\t"
-+ "xor %%r14d, %%r14d \n\t"
-+ "xor %%r15d, %%r15d \n\t"
- #endif
- "mov %%cr2, %%" _ASM_AX " \n\t"
- "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
-
-+ "xor %%eax, %%eax \n\t"
-+ "xor %%ebx, %%ebx \n\t"
-+ "xor %%esi, %%esi \n\t"
-+ "xor %%edi, %%edi \n\t"
- "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
-- "setbe %c[fail](%0) \n\t"
- ".pushsection .rodata \n\t"
- ".global vmx_return \n\t"
- "vmx_return: " _ASM_PTR " 2b \n\t"
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-entry-64-compat-Clear-registers-for-compat-sysca.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-entry-64-compat-Clear-registers-for-compat-sysca.patch
deleted file mode 100644
index 1006a947..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-entry-64-compat-Clear-registers-for-compat-sysca.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 5b4a083e3f13f1bbea53075da6dc33b1e9dc3b62 Mon Sep 17 00:00:00 2001
-From: Dan Williams <dan.j.williams@intel.com>
-Date: Mon, 5 Feb 2018 17:18:17 -0800
-Subject: [PATCH 02/12] x86/entry/64/compat: Clear registers for compat
- syscalls, to reduce speculation attack surface
-
-commit 6b8cf5cc9965673951f1ab3f0e3cf23d06e3e2ee upstream.
-
-At entry userspace may have populated registers with values that could
-otherwise be useful in a speculative execution attack. Clear them to
-minimize the kernel's attack surface.
-
-Originally-From: Andi Kleen <ak@linux.intel.com>
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Cc: <stable@vger.kernel.org>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/151787989697.7847.4083702787288600552.stgit@dwillia2-desk3.amr.corp.intel.com
-[ Made small improvements to the changelog. ]
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_64_compat.S | 30 ++++++++++++++++++++++++++++++
- 1 file changed, 30 insertions(+)
-
-diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
-index d76a976..92c5573 100644
---- a/arch/x86/entry/entry_64_compat.S
-+++ b/arch/x86/entry/entry_64_compat.S
-@@ -83,15 +83,25 @@ ENTRY(entry_SYSENTER_compat)
- pushq %rcx /* pt_regs->cx */
- pushq $-ENOSYS /* pt_regs->ax */
- pushq $0 /* pt_regs->r8 = 0 */
-+ xorq %r8, %r8 /* nospec r8 */
- pushq $0 /* pt_regs->r9 = 0 */
-+ xorq %r9, %r9 /* nospec r9 */
- pushq $0 /* pt_regs->r10 = 0 */
-+ xorq %r10, %r10 /* nospec r10 */
- pushq $0 /* pt_regs->r11 = 0 */
-+ xorq %r11, %r11 /* nospec r11 */
- pushq %rbx /* pt_regs->rbx */
-+ xorl %ebx, %ebx /* nospec rbx */
- pushq %rbp /* pt_regs->rbp (will be overwritten) */
-+ xorl %ebp, %ebp /* nospec rbp */
- pushq $0 /* pt_regs->r12 = 0 */
-+ xorq %r12, %r12 /* nospec r12 */
- pushq $0 /* pt_regs->r13 = 0 */
-+ xorq %r13, %r13 /* nospec r13 */
- pushq $0 /* pt_regs->r14 = 0 */
-+ xorq %r14, %r14 /* nospec r14 */
- pushq $0 /* pt_regs->r15 = 0 */
-+ xorq %r15, %r15 /* nospec r15 */
- cld
-
- /*
-@@ -209,15 +219,25 @@ ENTRY(entry_SYSCALL_compat)
- pushq %rbp /* pt_regs->cx (stashed in bp) */
- pushq $-ENOSYS /* pt_regs->ax */
- pushq $0 /* pt_regs->r8 = 0 */
-+ xorq %r8, %r8 /* nospec r8 */
- pushq $0 /* pt_regs->r9 = 0 */
-+ xorq %r9, %r9 /* nospec r9 */
- pushq $0 /* pt_regs->r10 = 0 */
-+ xorq %r10, %r10 /* nospec r10 */
- pushq $0 /* pt_regs->r11 = 0 */
-+ xorq %r11, %r11 /* nospec r11 */
- pushq %rbx /* pt_regs->rbx */
-+ xorl %ebx, %ebx /* nospec rbx */
- pushq %rbp /* pt_regs->rbp (will be overwritten) */
-+ xorl %ebp, %ebp /* nospec rbp */
- pushq $0 /* pt_regs->r12 = 0 */
-+ xorq %r12, %r12 /* nospec r12 */
- pushq $0 /* pt_regs->r13 = 0 */
-+ xorq %r13, %r13 /* nospec r13 */
- pushq $0 /* pt_regs->r14 = 0 */
-+ xorq %r14, %r14 /* nospec r14 */
- pushq $0 /* pt_regs->r15 = 0 */
-+ xorq %r15, %r15 /* nospec r15 */
-
- /*
- * User mode is traced as though IRQs are on, and SYSENTER
-@@ -320,15 +340,25 @@ ENTRY(entry_INT80_compat)
- pushq %rcx /* pt_regs->cx */
- pushq $-ENOSYS /* pt_regs->ax */
- pushq $0 /* pt_regs->r8 = 0 */
-+ xorq %r8, %r8 /* nospec r8 */
- pushq $0 /* pt_regs->r9 = 0 */
-+ xorq %r9, %r9 /* nospec r9 */
- pushq $0 /* pt_regs->r10 = 0 */
-+ xorq %r10, %r10 /* nospec r10 */
- pushq $0 /* pt_regs->r11 = 0 */
-+ xorq %r11, %r11 /* nospec r11 */
- pushq %rbx /* pt_regs->rbx */
-+ xorl %ebx, %ebx /* nospec rbx */
- pushq %rbp /* pt_regs->rbp */
-+ xorl %ebp, %ebp /* nospec rbp */
- pushq %r12 /* pt_regs->r12 */
-+ xorq %r12, %r12 /* nospec r12 */
- pushq %r13 /* pt_regs->r13 */
-+ xorq %r13, %r13 /* nospec r13 */
- pushq %r14 /* pt_regs->r14 */
-+ xorq %r14, %r14 /* nospec r14 */
- pushq %r15 /* pt_regs->r15 */
-+ xorq %r15, %r15 /* nospec r15 */
- cld
-
- /*
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Add-the-nopcid-boot-option-to-turn-off-PCID.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Add-the-nopcid-boot-option-to-turn-off-PCID.patch
deleted file mode 100644
index 545ec3ea..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Add-the-nopcid-boot-option-to-turn-off-PCID.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From ec0d53f307bb0f6155e68ff262e9eb773dc99975 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Thu, 29 Jun 2017 08:53:20 -0700
-Subject: [PATCH 002/103] x86/mm: Add the 'nopcid' boot option to turn off PCID
-
-commit 0790c9aad84901ca1bdc14746175549c8b5da215 upstream.
-
-The parameter is only present on x86_64 systems to save a few bytes,
-as PCID is always disabled on x86_32.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Reviewed-by: Nadav Amit <nadav.amit@gmail.com>
-Reviewed-by: Borislav Petkov <bp@suse.de>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: linux-mm@kvack.org
-Link: http://lkml.kernel.org/r/8bbb2e65bcd249a5f18bfb8128b4689f08ac2b60.1498751203.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- Documentation/kernel-parameters.txt | 2 ++
- arch/x86/kernel/cpu/common.c | 18 ++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 65b05ba..a303387 100644
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -2785,6 +2785,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
- nopat [X86] Disable PAT (page attribute table extension of
- pagetables) support.
-
-+ nopcid [X86-64] Disable the PCID cpu feature.
-+
- norandmaps Don't use address space randomization. Equivalent to
- echo 0 > /proc/sys/kernel/randomize_va_space
-
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 4eece91..81c8a53 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -163,6 +163,24 @@ static int __init x86_mpx_setup(char *s)
- }
- __setup("nompx", x86_mpx_setup);
-
-+#ifdef CONFIG_X86_64
-+static int __init x86_pcid_setup(char *s)
-+{
-+ /* require an exact match without trailing characters */
-+ if (strlen(s))
-+ return 0;
-+
-+ /* do not emit a message if the feature is not present */
-+ if (!boot_cpu_has(X86_FEATURE_PCID))
-+ return 1;
-+
-+ setup_clear_cpu_cap(X86_FEATURE_PCID);
-+ pr_info("nopcid: PCID feature disabled\n");
-+ return 1;
-+}
-+__setup("nopcid", x86_pcid_setup);
-+#endif
-+
- static int __init x86_noinvpcid_setup(char *s)
- {
- /* noinvpcid doesn't accept parameters */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Make-flush_tlb_mm_range-more-predictable.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Make-flush_tlb_mm_range-more-predictable.patch
deleted file mode 100644
index 125c9159..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-mm-Make-flush_tlb_mm_range-more-predictable.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From d7185b4bc1a4bb697f514e447697bd535979dac3 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Sat, 22 Apr 2017 00:01:21 -0700
-Subject: [PATCH 02/14] x86/mm: Make flush_tlb_mm_range() more predictable
-
-commit ce27374fabf553153c3f53efcaa9bfab9216bd8c upstream.
-
-I'm about to rewrite the function almost completely, but first I
-want to get a functional change out of the way. Currently, if
-flush_tlb_mm_range() does not flush the local TLB at all, it will
-never do individual page flushes on remote CPUs. This seems to be
-an accident, and preserving it will be awkward. Let's change it
-first so that any regressions in the rewrite will be easier to
-bisect and so that the rewrite can attempt to change no visible
-behavior at all.
-
-The fix is simple: we can simply avoid short-circuiting the
-calculation of base_pages_to_flush.
-
-As a side effect, this also eliminates a potential corner case: if
-tlb_single_page_flush_ceiling == TLB_FLUSH_ALL, flush_tlb_mm_range()
-could have ended up flushing the entire address space one page at a
-time.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Acked-by: Dave Hansen <dave.hansen@intel.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Michal Hocko <mhocko@suse.com>
-Cc: Nadav Amit <namit@vmware.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/4b29b771d9975aad7154c314534fec235618175a.1492844372.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/mm/tlb.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index c045051..2f9d41f 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -340,6 +340,12 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
- unsigned long base_pages_to_flush = TLB_FLUSH_ALL;
-
- preempt_disable();
-+
-+ if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
-+ base_pages_to_flush = (end - start) >> PAGE_SHIFT;
-+ if (base_pages_to_flush > tlb_single_page_flush_ceiling)
-+ base_pages_to_flush = TLB_FLUSH_ALL;
-+
- if (current->active_mm != mm) {
- /* Synchronize with switch_mm. */
- smp_mb();
-@@ -356,15 +362,11 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
- goto out;
- }
-
-- if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
-- base_pages_to_flush = (end - start) >> PAGE_SHIFT;
--
- /*
- * Both branches below are implicit full barriers (MOV to CR or
- * INVLPG) that synchronize with switch_mm.
- */
-- if (base_pages_to_flush > tlb_single_page_flush_ceiling) {
-- base_pages_to_flush = TLB_FLUSH_ALL;
-+ if (base_pages_to_flush == TLB_FLUSH_ALL) {
- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
- local_flush_tlb();
- } else {
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-module-Detect-and-skip-invalid-relocations.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-module-Detect-and-skip-invalid-relocations.patch
deleted file mode 100644
index 3035344f..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-module-Detect-and-skip-invalid-relocations.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 23f4b6492ade30e2f7fc21acfb162e46851cf0f0 Mon Sep 17 00:00:00 2001
-From: Josh Poimboeuf <jpoimboe@redhat.com>
-Date: Fri, 3 Nov 2017 07:58:54 -0500
-Subject: [PATCH 02/93] x86/module: Detect and skip invalid relocations
-
-commit eda9cec4c9a12208a6f69fbe68f72a6311d50032 upstream.
-
-There have been some cases where external tooling (e.g., kpatch-build)
-creates a corrupt relocation which targets the wrong address. This is a
-silent failure which can corrupt memory in unexpected places.
-
-On x86, the bytes of data being overwritten by relocations are always
-initialized to zero beforehand. Use that knowledge to add sanity checks
-to detect such cases before they corrupt memory.
-
-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: jeyu@kernel.org
-Cc: live-patching@vger.kernel.org
-Link: http://lkml.kernel.org/r/37450d6c6225e54db107fba447ce9e56e5f758e9.1509713553.git.jpoimboe@redhat.com
-[ Restructured the messages, as it's unclear whether the relocation or the target is corrupted. ]
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Matthias Kaehlcke <mka@chromium.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/module.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
-index 477ae80..87f30a8 100644
---- a/arch/x86/kernel/module.c
-+++ b/arch/x86/kernel/module.c
-@@ -171,19 +171,27 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
- case R_X86_64_NONE:
- break;
- case R_X86_64_64:
-+ if (*(u64 *)loc != 0)
-+ goto invalid_relocation;
- *(u64 *)loc = val;
- break;
- case R_X86_64_32:
-+ if (*(u32 *)loc != 0)
-+ goto invalid_relocation;
- *(u32 *)loc = val;
- if (val != *(u32 *)loc)
- goto overflow;
- break;
- case R_X86_64_32S:
-+ if (*(s32 *)loc != 0)
-+ goto invalid_relocation;
- *(s32 *)loc = val;
- if ((s64)val != *(s32 *)loc)
- goto overflow;
- break;
- case R_X86_64_PC32:
-+ if (*(u32 *)loc != 0)
-+ goto invalid_relocation;
- val -= (u64)loc;
- *(u32 *)loc = val;
- #if 0
-@@ -199,6 +207,11 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
- }
- return 0;
-
-+invalid_relocation:
-+ pr_err("x86/modules: Skipping invalid relocation target, existing value is nonzero for type %d, loc %p, val %Lx\n",
-+ (int)ELF64_R_TYPE(rel[i].r_info), loc, val);
-+ return -ENOEXEC;
-+
- overflow:
- pr_err("overflow in relocation type %d val %Lx\n",
- (int)ELF64_R_TYPE(rel[i].r_info), val);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-pti-Make-unpoison-of-pgd-for-trusted-boot-work-f.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-pti-Make-unpoison-of-pgd-for-trusted-boot-work-f.patch
deleted file mode 100644
index 730dc7cc..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0002-x86-pti-Make-unpoison-of-pgd-for-trusted-boot-work-f.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 3474ee0a656102dc872ccffc8a80eeb87a9ce502 Mon Sep 17 00:00:00 2001
-From: Dave Hansen <dave.hansen@linux.intel.com>
-Date: Mon, 29 Jan 2018 18:17:26 -0800
-Subject: [PATCH 02/42] x86/pti: Make unpoison of pgd for trusted boot work for
- real
-
-commit 445b69e3b75e42362a5bdc13c8b8f61599e2228a upstream
-
-The inital fix for trusted boot and PTI potentially misses the pgd clearing
-if pud_alloc() sets a PGD. It probably works in *practice* because for two
-adjacent calls to map_tboot_page() that share a PGD entry, the first will
-clear NX, *then* allocate and set the PGD (without NX clear). The second
-call will *not* allocate but will clear the NX bit.
-
-Defer the NX clearing to a point after it is known that all top-level
-allocations have occurred. Add a comment to clarify why.
-
-[ tglx: Massaged changelog ]
-
-[ hughd notes: I have not tested tboot, but this looks to me as necessary
-and as safe in old-Kaiser backports as it is upstream; I'm not submitting
-the commit-to-be-fixed 262b6b30087, since it was undone by 445b69e3b75e,
-and makes conflict trouble because of 5-level's p4d versus 4-level's pgd.]
-
-Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled")
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
-Cc: Jon Masters <jcm@redhat.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: peterz@infradead.org
-Cc: ning.sun@intel.com
-Cc: tboot-devel@lists.sourceforge.net
-Cc: andi@firstfloor.org
-Cc: luto@kernel.org
-Cc: law@redhat.com
-Cc: pbonzini@redhat.com
-Cc: torvalds@linux-foundation.org
-Cc: gregkh@linux-foundation.org
-Cc: dwmw@amazon.co.uk
-Cc: nickc@redhat.com
-Link: https://lkml.kernel.org/r/20180110224939.2695CD47@viggo.jf.intel.com
-Cc: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/tboot.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
-index 8402907..21454e2 100644
---- a/arch/x86/kernel/tboot.c
-+++ b/arch/x86/kernel/tboot.c
-@@ -134,6 +134,16 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
- return -1;
- set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
- pte_unmap(pte);
-+
-+ /*
-+ * PTI poisons low addresses in the kernel page tables in the
-+ * name of making them unusable for userspace. To execute
-+ * code at such a low address, the poison must be cleared.
-+ *
-+ * Note: 'pgd' actually gets set in pud_alloc().
-+ */
-+ pgd->pgd &= ~_PAGE_NX;
-+
- return 0;
- }
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch
deleted file mode 100644
index b53db2f4..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From ab442dfc820b6ebdbb1c135e6fad66130d44e5a8 Mon Sep 17 00:00:00 2001
-From: Andrew Honig <ahonig@google.com>
-Date: Wed, 10 Jan 2018 10:12:03 -0800
-Subject: [PATCH 03/33] KVM: x86: Add memory barrier on vmcs field lookup
-
-commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.
-
-This adds a memory barrier when performing a lookup into
-the vmcs_field_to_offset_table. This is related to
-CVE-2017-5753.
-
-Signed-off-by: Andrew Honig <ahonig@google.com>
-Reviewed-by: Jim Mattson <jmattson@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 91ae4e2..ee766c2 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -858,8 +858,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
- {
- BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
-
-- if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
-- vmcs_field_to_offset_table[field] == 0)
-+ if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
-+ return -ENOENT;
-+
-+ /*
-+ * FIXME: Mitigation for CVE-2017-5753. To be replaced with a
-+ * generic mechanism.
-+ */
-+ asm("lfence");
-+
-+ if (vmcs_field_to_offset_table[field] == 0)
- return -ENOENT;
-
- return vmcs_field_to_offset_table[field];
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-introduce-linear_-read-write-_system.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-introduce-linear_-read-write-_system.patch
deleted file mode 100644
index cb9af0b2..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-KVM-x86-introduce-linear_-read-write-_system.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-From 9dd58f6cbef90d8a962b6365db32391f4a6ac4f9 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 6 Jun 2018 16:43:02 +0200
-Subject: [PATCH 03/10] KVM: x86: introduce linear_{read,write}_system
-
-commit 79367a65743975e5cac8d24d08eccc7fdae832b0 upstream.
-
-Wrap the common invocation of ctxt->ops->read_std and ctxt->ops->write_std, so
-as to have a smaller patch when the functions grow another argument.
-
-Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/emulate.c | 64 +++++++++++++++++++++++++-------------------------
- 1 file changed, 32 insertions(+), 32 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 6faac71..b6ec3e9 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -802,6 +802,19 @@ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
- return assign_eip_near(ctxt, ctxt->_eip + rel);
- }
-
-+static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
-+ void *data, unsigned size)
-+{
-+ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
-+}
-+
-+static int linear_write_system(struct x86_emulate_ctxt *ctxt,
-+ ulong linear, void *data,
-+ unsigned int size)
-+{
-+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
-+}
-+
- static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
- struct segmented_address addr,
- void *data,
-@@ -1500,8 +1513,7 @@ static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
- return emulate_gp(ctxt, index << 3 | 0x2);
-
- addr = dt.address + index * 8;
-- return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
-- &ctxt->exception);
-+ return linear_read_system(ctxt, addr, desc, sizeof *desc);
- }
-
- static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
-@@ -1564,8 +1576,7 @@ static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- if (rc != X86EMUL_CONTINUE)
- return rc;
-
-- return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
-- &ctxt->exception);
-+ return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
- }
-
- /* allowed just for 8 bytes segments */
-@@ -1579,8 +1590,7 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- if (rc != X86EMUL_CONTINUE)
- return rc;
-
-- return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
-- &ctxt->exception);
-+ return linear_write_system(ctxt, addr, desc, sizeof *desc);
- }
-
- static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
-@@ -1741,8 +1751,7 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- return ret;
- }
- } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
-- ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
-- sizeof(base3), &ctxt->exception);
-+ ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
- if (ret != X86EMUL_CONTINUE)
- return ret;
- if (is_noncanonical_address(get_desc_base(&seg_desc) |
-@@ -2055,11 +2064,11 @@ static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
- eip_addr = dt.address + (irq << 2);
- cs_addr = dt.address + (irq << 2) + 2;
-
-- rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
-+ rc = linear_read_system(ctxt, cs_addr, &cs, 2);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-
-- rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
-+ rc = linear_read_system(ctxt, eip_addr, &eip, 2);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-
-@@ -3018,35 +3027,30 @@ static int task_switch_16(struct x86_emulate_ctxt *ctxt,
- u16 tss_selector, u16 old_tss_sel,
- ulong old_tss_base, struct desc_struct *new_desc)
- {
-- const struct x86_emulate_ops *ops = ctxt->ops;
- struct tss_segment_16 tss_seg;
- int ret;
- u32 new_tss_base = get_desc_base(new_desc);
-
-- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
-- &ctxt->exception);
-+ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
- save_state_to_tss16(ctxt, &tss_seg);
-
-- ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
-- &ctxt->exception);
-+ ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
-- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
-- &ctxt->exception);
-+ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
- if (old_tss_sel != 0xffff) {
- tss_seg.prev_task_link = old_tss_sel;
-
-- ret = ops->write_std(ctxt, new_tss_base,
-- &tss_seg.prev_task_link,
-- sizeof tss_seg.prev_task_link,
-- &ctxt->exception);
-+ ret = linear_write_system(ctxt, new_tss_base,
-+ &tss_seg.prev_task_link,
-+ sizeof tss_seg.prev_task_link);
- if (ret != X86EMUL_CONTINUE)
- return ret;
- }
-@@ -3162,38 +3166,34 @@ static int task_switch_32(struct x86_emulate_ctxt *ctxt,
- u16 tss_selector, u16 old_tss_sel,
- ulong old_tss_base, struct desc_struct *new_desc)
- {
-- const struct x86_emulate_ops *ops = ctxt->ops;
- struct tss_segment_32 tss_seg;
- int ret;
- u32 new_tss_base = get_desc_base(new_desc);
- u32 eip_offset = offsetof(struct tss_segment_32, eip);
- u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
-
-- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
-- &ctxt->exception);
-+ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
- save_state_to_tss32(ctxt, &tss_seg);
-
- /* Only GP registers and segment selectors are saved */
-- ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
-- ldt_sel_offset - eip_offset, &ctxt->exception);
-+ ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
-+ ldt_sel_offset - eip_offset);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
-- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
-- &ctxt->exception);
-+ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
- if (old_tss_sel != 0xffff) {
- tss_seg.prev_task_link = old_tss_sel;
-
-- ret = ops->write_std(ctxt, new_tss_base,
-- &tss_seg.prev_task_link,
-- sizeof tss_seg.prev_task_link,
-- &ctxt->exception);
-+ ret = linear_write_system(ctxt, new_tss_base,
-+ &tss_seg.prev_task_link,
-+ sizeof tss_seg.prev_task_link);
- if (ret != X86EMUL_CONTINUE)
- return ret;
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kaiser-allocate-pgd-with-order-0-when-pti-off.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kaiser-allocate-pgd-with-order-0-when-pti-off.patch
deleted file mode 100644
index df60ee58..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kaiser-allocate-pgd-with-order-0-when-pti-off.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From cff1c9cfd81b8a7cc350a02d37668b1e3896287e Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Mon, 29 Jan 2018 18:17:58 -0800
-Subject: [PATCH 03/42] kaiser: allocate pgd with order 0 when pti=off
-
-The 4.9.77 version of "x86/pti/efi: broken conversion from efi to kernel
-page table" looked nicer than the 4.4.112 version, but was suboptimal on
-machines booted with "pti=off" (or on AMD machines): it allocated pgd
-with an order 1 page whatever the setting of kaiser_enabled.
-
-Fix that by moving the definition of PGD_ALLOCATION_ORDER from
-asm/pgalloc.h to asm/pgtable.h, which already defines kaiser_enabled.
-
-Fixes: 1b92c48a2eeb ("x86/pti/efi: broken conversion from efi to kernel page table")
-Reviewed-by: Pavel Tatashin <pasha.tatashin@oracle.com>
-Cc: Steven Sistare <steven.sistare@oracle.com>
-Cc: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/pgalloc.h | 11 -----------
- arch/x86/include/asm/pgtable.h | 6 ++++++
- 2 files changed, 6 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h
-index 1178a51..b6d4259 100644
---- a/arch/x86/include/asm/pgalloc.h
-+++ b/arch/x86/include/asm/pgalloc.h
-@@ -27,17 +27,6 @@ static inline void paravirt_release_pud(unsigned long pfn) {}
- */
- extern gfp_t __userpte_alloc_gfp;
-
--#ifdef CONFIG_PAGE_TABLE_ISOLATION
--/*
-- * Instead of one PGD, we acquire two PGDs. Being order-1, it is
-- * both 8k in size and 8k-aligned. That lets us just flip bit 12
-- * in a pointer to swap between the two 4k halves.
-- */
--#define PGD_ALLOCATION_ORDER 1
--#else
--#define PGD_ALLOCATION_ORDER 0
--#endif
--
- /*
- * Allocate and free page tables.
- */
-diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 2536f90..5af0401 100644
---- a/arch/x86/include/asm/pgtable.h
-+++ b/arch/x86/include/asm/pgtable.h
-@@ -20,9 +20,15 @@
-
- #ifdef CONFIG_PAGE_TABLE_ISOLATION
- extern int kaiser_enabled;
-+/*
-+ * Instead of one PGD, we acquire two PGDs. Being order-1, it is
-+ * both 8k in size and 8k-aligned. That lets us just flip bit 12
-+ * in a pointer to swap between the two 4k halves.
-+ */
- #else
- #define kaiser_enabled 0
- #endif
-+#define PGD_ALLOCATION_ORDER kaiser_enabled
-
- void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd);
- void ptdump_walk_pgd_level_checkwx(void);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kvm-svm-Setup-MCG_CAP-on-AMD-properly.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kvm-svm-Setup-MCG_CAP-on-AMD-properly.patch
deleted file mode 100644
index d1b9f3df..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-kvm-svm-Setup-MCG_CAP-on-AMD-properly.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From de05b6da8c54ed0aa2158ad3112ac582c88f0676 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <bp@suse.de>
-Date: Sun, 26 Mar 2017 23:51:24 +0200
-Subject: [PATCH 03/93] kvm/svm: Setup MCG_CAP on AMD properly
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 74f169090b6f36b867c9df0454366dd9af6f62d1 ]
-
-MCG_CAP[63:9] bits are reserved on AMD. However, on an AMD guest, this
-MSR returns 0x100010a. More specifically, bit 24 is set, which is simply
-wrong. That bit is MCG_SER_P and is present only on Intel. Thus, clean
-up the reserved bits in order not to confuse guests.
-
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: Joerg Roedel <joro@8bytes.org>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/svm.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index b82bb66..2d96e30 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -5437,6 +5437,12 @@ static inline void avic_post_state_restore(struct kvm_vcpu *vcpu)
- avic_handle_ldr_update(vcpu);
- }
-
-+static void svm_setup_mce(struct kvm_vcpu *vcpu)
-+{
-+ /* [63:9] are reserved. */
-+ vcpu->arch.mcg_cap &= 0x1ff;
-+}
-+
- static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
- .cpu_has_kvm_support = has_svm,
- .disabled_by_bios = is_disabled,
-@@ -5552,6 +5558,7 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
- .pmu_ops = &amd_pmu_ops,
- .deliver_posted_interrupt = svm_deliver_avic_intr,
- .update_pi_irte = svm_update_pi_irte,
-+ .setup_mce = svm_setup_mce,
- };
-
- static int __init svm_init(void)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Enable-CR4.PCIDE-on-supported-systems.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Enable-CR4.PCIDE-on-supported-systems.patch
deleted file mode 100644
index 78e29b3c..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Enable-CR4.PCIDE-on-supported-systems.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 387470df93a2da429be36b0f31af62bf38cd17bc Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Thu, 29 Jun 2017 08:53:21 -0700
-Subject: [PATCH 003/103] x86/mm: Enable CR4.PCIDE on supported systems
-
-commit 660da7c9228f685b2ebe664f9fd69aaddcc420b5 upstream.
-
-We can use PCID if the CPU has PCID and PGE and we're not on Xen.
-
-By itself, this has no effect. A followup patch will start using PCID.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Reviewed-by: Nadav Amit <nadav.amit@gmail.com>
-Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: linux-mm@kvack.org
-Link: http://lkml.kernel.org/r/6327ecd907b32f79d5aa0d466f04503bbec5df88.1498751203.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/tlbflush.h | 8 ++++++++
- arch/x86/kernel/cpu/common.c | 22 ++++++++++++++++++++++
- arch/x86/xen/enlighten.c | 6 ++++++
- 3 files changed, 36 insertions(+)
-
-diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index fc5abff..c13041e 100644
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -192,6 +192,14 @@ static inline void __flush_tlb_all(void)
- __flush_tlb_global();
- else
- __flush_tlb();
-+
-+ /*
-+ * Note: if we somehow had PCID but not PGE, then this wouldn't work --
-+ * we'd end up flushing kernel translations for the current ASID but
-+ * we might fail to flush kernel translations for other cached ASIDs.
-+ *
-+ * To avoid this issue, we force PCID off if PGE is off.
-+ */
- }
-
- static inline void __flush_tlb_one(unsigned long addr)
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 81c8a53..91588be 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -324,6 +324,25 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
- }
- }
-
-+static void setup_pcid(struct cpuinfo_x86 *c)
-+{
-+ if (cpu_has(c, X86_FEATURE_PCID)) {
-+ if (cpu_has(c, X86_FEATURE_PGE)) {
-+ cr4_set_bits(X86_CR4_PCIDE);
-+ } else {
-+ /*
-+ * flush_tlb_all(), as currently implemented, won't
-+ * work if PCID is on but PGE is not. Since that
-+ * combination doesn't exist on real hardware, there's
-+ * no reason to try to fully support it, but it's
-+ * polite to avoid corrupting data if we're on
-+ * an improperly configured VM.
-+ */
-+ clear_cpu_cap(c, X86_FEATURE_PCID);
-+ }
-+ }
-+}
-+
- /*
- * Protection Keys are not available in 32-bit mode.
- */
-@@ -1082,6 +1101,9 @@ static void identify_cpu(struct cpuinfo_x86 *c)
- setup_smep(c);
- setup_smap(c);
-
-+ /* Set up PCID */
-+ setup_pcid(c);
-+
- /*
- * The vendor-specific functions might have changed features.
- * Now we do "generic changes."
-diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index bdd8556..5226379 100644
---- a/arch/x86/xen/enlighten.c
-+++ b/arch/x86/xen/enlighten.c
-@@ -442,6 +442,12 @@ static void __init xen_init_cpuid_mask(void)
- ~((1 << X86_FEATURE_MTRR) | /* disable MTRR */
- (1 << X86_FEATURE_ACC)); /* thermal monitoring */
-
-+ /*
-+ * Xen PV would need some work to support PCID: CR3 handling as well
-+ * as xen_flush_tlb_others() would need updating.
-+ */
-+ cpuid_leaf1_ecx_mask &= ~(1 << (X86_FEATURE_PCID % 32)); /* disable PCID */
-+
- if (!xen_initial_domain())
- cpuid_leaf1_edx_mask &=
- ~((1 << X86_FEATURE_ACPI)); /* disable ACPI */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Reimplement-flush_tlb_page-using-flush_tlb_mm.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Reimplement-flush_tlb_page-using-flush_tlb_mm.patch
deleted file mode 100644
index 07dd1bf0..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-mm-Reimplement-flush_tlb_page-using-flush_tlb_mm.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From f34570e1f6c56f5557b9a3acd73fce47f5727479 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Mon, 22 May 2017 15:30:01 -0700
-Subject: [PATCH 03/14] x86/mm: Reimplement flush_tlb_page() using
- flush_tlb_mm_range()
-
-commit ca6c99c0794875c6d1db6e22f246699691ab7e6b upstream.
-
-flush_tlb_page() was very similar to flush_tlb_mm_range() except that
-it had a couple of issues:
-
- - It was missing an smp_mb() in the case where
- current->active_mm != mm. (This is a longstanding bug reported by Nadav Amit)
-
- - It was missing tracepoints and vm counter updates.
-
-The only reason that I can see for keeping it at as a separate
-function is that it could avoid a few branches that
-flush_tlb_mm_range() needs to decide to flush just one page. This
-hardly seems worthwhile. If we decide we want to get rid of those
-branches again, a better way would be to introduce an
-__flush_tlb_mm_range() helper and make both flush_tlb_page() and
-flush_tlb_mm_range() use it.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Acked-by: Kees Cook <keescook@chromium.org>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Borislav Petkov <bpetkov@suse.de>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Michal Hocko <mhocko@suse.com>
-Cc: Nadav Amit <nadav.amit@gmail.com>
-Cc: Nadav Amit <namit@vmware.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: linux-mm@kvack.org
-Link: http://lkml.kernel.org/r/3cc3847cf888d8907577569b8bac3f01992ef8f9.1495492063.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/tlbflush.h | 6 +++++-
- arch/x86/mm/tlb.c | 27 ---------------------------
- 2 files changed, 5 insertions(+), 28 deletions(-)
-
-diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index db8952a..eb5b512 100644
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -353,11 +353,15 @@ static inline void flush_tlb_kernel_range(unsigned long start,
- flush_tlb_mm_range(vma->vm_mm, start, end, vma->vm_flags)
-
- extern void flush_tlb_all(void);
--extern void flush_tlb_page(struct vm_area_struct *, unsigned long);
- extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
- unsigned long end, unsigned long vmflag);
- extern void flush_tlb_kernel_range(unsigned long start, unsigned long end);
-
-+static inline void flush_tlb_page(struct vm_area_struct *vma, unsigned long a)
-+{
-+ flush_tlb_mm_range(vma->vm_mm, a, a + PAGE_SIZE, VM_NONE);
-+}
-+
- void native_flush_tlb_others(const struct cpumask *cpumask,
- struct mm_struct *mm,
- unsigned long start, unsigned long end);
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 2f9d41f..6884228 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -387,33 +387,6 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
- preempt_enable();
- }
-
--void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
--{
-- struct mm_struct *mm = vma->vm_mm;
--
-- preempt_disable();
--
-- if (current->active_mm == mm) {
-- if (current->mm) {
-- /*
-- * Implicit full barrier (INVLPG) that synchronizes
-- * with switch_mm.
-- */
-- __flush_tlb_one(start);
-- } else {
-- leave_mm(smp_processor_id());
--
-- /* Synchronize with switch_mm. */
-- smp_mb();
-- }
-- }
--
-- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
-- flush_tlb_others(mm_cpumask(mm), mm, start, 0UL);
--
-- preempt_enable();
--}
--
- static void do_flush_tlb_all(void *info)
- {
- count_vm_tlb_event(NR_TLB_REMOTE_FLUSH_RECEIVED);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-speculation-Update-Speculation-Control-microcode.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-speculation-Update-Speculation-Control-microcode.patch
deleted file mode 100644
index c78b3e80..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0003-x86-speculation-Update-Speculation-Control-microcode.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From f01ffef1901eda027651aba518686d44ed9fccf3 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Sat, 10 Feb 2018 23:39:22 +0000
-Subject: [PATCH 03/12] x86/speculation: Update Speculation Control microcode
- blacklist
-
-commit 1751342095f0d2b36fa8114d8e12c5688c455ac4 upstream.
-
-Intel have retroactively blessed the 0xc2 microcode on Skylake mobile
-and desktop parts, and the Gemini Lake 0x22 microcode is apparently fine
-too. We blacklisted the latter purely because it was present with all
-the other problematic ones in the 2018-01-08 release, but now it's
-explicitly listed as OK.
-
-We still list 0x84 for the various Kaby Lake / Coffee Lake parts, as
-that appeared in one version of the blacklist and then reverted to
-0x80 again. We can change it if 0x84 is actually announced to be safe.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: arjan.van.de.ven@intel.com
-Cc: jmattson@google.com
-Cc: karahmed@amazon.de
-Cc: kvm@vger.kernel.org
-Cc: pbonzini@redhat.com
-Cc: rkrcmar@redhat.com
-Cc: sironi@amazon.de
-Link: http://lkml.kernel.org/r/1518305967-31356-2-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/intel.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index 4097b43..e3b00ac 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -82,8 +82,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
- { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 },
- { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e },
- { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c },
-- { INTEL_FAM6_SKYLAKE_MOBILE, 0x03, 0xc2 },
-- { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 },
- { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 },
- { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b },
- { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 },
-@@ -95,8 +93,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
- { INTEL_FAM6_HASWELL_X, 0x02, 0x3b },
- { INTEL_FAM6_HASWELL_X, 0x04, 0x10 },
- { INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a },
-- /* Updated in the 20180108 release; blacklist until we know otherwise */
-- { INTEL_FAM6_ATOM_GEMINI_LAKE, 0x01, 0x22 },
- /* Observed in the wild */
- { INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b },
- { INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 },
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KAISER-Kernel-Address-Isolation.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KAISER-Kernel-Address-Isolation.patch
deleted file mode 100644
index d61b397e..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KAISER-Kernel-Address-Isolation.patch
+++ /dev/null
@@ -1,1025 +0,0 @@
-From ff1ce9f00432d65859fd923ce7eb86d605386f17 Mon Sep 17 00:00:00 2001
-From: Richard Fellner <richard.fellner@student.tugraz.at>
-Date: Thu, 4 May 2017 14:26:50 +0200
-Subject: [PATCH 004/103] KAISER: Kernel Address Isolation
-
-This patch introduces our implementation of KAISER (Kernel Address Isolation to
-have Side-channels Efficiently Removed), a kernel isolation technique to close
-hardware side channels on kernel address information.
-
-More information about the patch can be found on:
-
- https://github.com/IAIK/KAISER
-
-From: Richard Fellner <richard.fellner@student.tugraz.at>
-From: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
-Subject: [RFC, PATCH] x86_64: KAISER - do not map kernel in user mode
-Date: Thu, 4 May 2017 14:26:50 +0200
-Link: http://marc.info/?l=linux-kernel&m=149390087310405&w=2
-Kaiser-4.10-SHA1: c4b1831d44c6144d3762ccc72f0c4e71a0c713e5
-
-To: <linux-kernel@vger.kernel.org>
-To: <kernel-hardening@lists.openwall.com>
-Cc: <clementine.maurice@iaik.tugraz.at>
-Cc: <moritz.lipp@iaik.tugraz.at>
-Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
-Cc: Richard Fellner <richard.fellner@student.tugraz.at>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: <kirill.shutemov@linux.intel.com>
-Cc: <anders.fogh@gdata-adan.de>
-
-After several recent works [1,2,3] KASLR on x86_64 was basically
-considered dead by many researchers. We have been working on an
-efficient but effective fix for this problem and found that not mapping
-the kernel space when running in user mode is the solution to this
-problem [4] (the corresponding paper [5] will be presented at ESSoS17).
-
-With this RFC patch we allow anybody to configure their kernel with the
-flag CONFIG_KAISER to add our defense mechanism.
-
-If there are any questions we would love to answer them.
-We also appreciate any comments!
-
-Cheers,
-Daniel (+ the KAISER team from Graz University of Technology)
-
-[1] http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
-[2] https://www.blackhat.com/docs/us-16/materials/us-16-Fogh-Using-Undocumented-CPU-Behaviour-To-See-Into-Kernel-Mode-And-Break-KASLR-In-The-Process.pdf
-[3] https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf
-[4] https://github.com/IAIK/KAISER
-[5] https://gruss.cc/files/kaiser.pdf
-
-[patch based also on
-https://raw.githubusercontent.com/IAIK/KAISER/master/KAISER/0001-KAISER-Kernel-Address-Isolation.patch]
-
-Signed-off-by: Richard Fellner <richard.fellner@student.tugraz.at>
-Signed-off-by: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
-Signed-off-by: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
-Signed-off-by: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
-Acked-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_64.S | 17 ++++
- arch/x86/entry/entry_64_compat.S | 7 +-
- arch/x86/include/asm/hw_irq.h | 2 +-
- arch/x86/include/asm/kaiser.h | 113 +++++++++++++++++++++++++
- arch/x86/include/asm/pgtable.h | 4 +
- arch/x86/include/asm/pgtable_64.h | 21 +++++
- arch/x86/include/asm/pgtable_types.h | 12 ++-
- arch/x86/include/asm/processor.h | 7 +-
- arch/x86/kernel/cpu/common.c | 4 +-
- arch/x86/kernel/espfix_64.c | 6 ++
- arch/x86/kernel/head_64.S | 16 +++-
- arch/x86/kernel/irqinit.c | 2 +-
- arch/x86/kernel/process.c | 2 +-
- arch/x86/mm/Makefile | 2 +-
- arch/x86/mm/kaiser.c | 160 +++++++++++++++++++++++++++++++++++
- arch/x86/mm/pageattr.c | 2 +-
- arch/x86/mm/pgtable.c | 26 ++++++
- include/asm-generic/vmlinux.lds.h | 11 ++-
- include/linux/percpu-defs.h | 30 +++++++
- init/main.c | 6 ++
- kernel/fork.c | 8 ++
- security/Kconfig | 7 ++
- 22 files changed, 449 insertions(+), 16 deletions(-)
- create mode 100644 arch/x86/include/asm/kaiser.h
- create mode 100644 arch/x86/mm/kaiser.c
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index ef766a3..6c880dc 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -36,6 +36,7 @@
- #include <asm/smap.h>
- #include <asm/pgtable_types.h>
- #include <asm/export.h>
-+#include <asm/kaiser.h>
- #include <linux/err.h>
-
- /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
-@@ -146,6 +147,7 @@ ENTRY(entry_SYSCALL_64)
- * it is too small to ever cause noticeable irq latency.
- */
- SWAPGS_UNSAFE_STACK
-+ SWITCH_KERNEL_CR3_NO_STACK
- /*
- * A hypervisor implementation might want to use a label
- * after the swapgs, so that it can do the swapgs
-@@ -228,6 +230,7 @@ entry_SYSCALL_64_fastpath:
- movq RIP(%rsp), %rcx
- movq EFLAGS(%rsp), %r11
- RESTORE_C_REGS_EXCEPT_RCX_R11
-+ SWITCH_USER_CR3
- movq RSP(%rsp), %rsp
- USERGS_SYSRET64
-
-@@ -323,10 +326,12 @@ return_from_SYSCALL_64:
- syscall_return_via_sysret:
- /* rcx and r11 are already restored (see code above) */
- RESTORE_C_REGS_EXCEPT_RCX_R11
-+ SWITCH_USER_CR3
- movq RSP(%rsp), %rsp
- USERGS_SYSRET64
-
- opportunistic_sysret_failed:
-+ SWITCH_USER_CR3
- SWAPGS
- jmp restore_c_regs_and_iret
- END(entry_SYSCALL_64)
-@@ -424,6 +429,7 @@ ENTRY(ret_from_fork)
- movq %rsp, %rdi
- call syscall_return_slowpath /* returns with IRQs disabled */
- TRACE_IRQS_ON /* user mode is traced as IRQS on */
-+ SWITCH_USER_CR3
- SWAPGS
- jmp restore_regs_and_iret
-
-@@ -478,6 +484,7 @@ END(irq_entries_start)
- * tracking that we're in kernel mode.
- */
- SWAPGS
-+ SWITCH_KERNEL_CR3
-
- /*
- * We need to tell lockdep that IRQs are off. We can't do this until
-@@ -535,6 +542,7 @@ GLOBAL(retint_user)
- mov %rsp,%rdi
- call prepare_exit_to_usermode
- TRACE_IRQS_IRETQ
-+ SWITCH_USER_CR3
- SWAPGS
- jmp restore_regs_and_iret
-
-@@ -612,6 +620,7 @@ native_irq_return_ldt:
-
- pushq %rdi /* Stash user RDI */
- SWAPGS
-+ SWITCH_KERNEL_CR3
- movq PER_CPU_VAR(espfix_waddr), %rdi
- movq %rax, (0*8)(%rdi) /* user RAX */
- movq (1*8)(%rsp), %rax /* user RIP */
-@@ -638,6 +647,7 @@ native_irq_return_ldt:
- * still points to an RO alias of the ESPFIX stack.
- */
- orq PER_CPU_VAR(espfix_stack), %rax
-+ SWITCH_USER_CR3
- SWAPGS
- movq %rax, %rsp
-
-@@ -1034,6 +1044,7 @@ ENTRY(paranoid_entry)
- testl %edx, %edx
- js 1f /* negative -> in kernel */
- SWAPGS
-+ SWITCH_KERNEL_CR3
- xorl %ebx, %ebx
- 1: ret
- END(paranoid_entry)
-@@ -1056,6 +1067,7 @@ ENTRY(paranoid_exit)
- testl %ebx, %ebx /* swapgs needed? */
- jnz paranoid_exit_no_swapgs
- TRACE_IRQS_IRETQ
-+ SWITCH_USER_CR3_NO_STACK
- SWAPGS_UNSAFE_STACK
- jmp paranoid_exit_restore
- paranoid_exit_no_swapgs:
-@@ -1084,6 +1096,7 @@ ENTRY(error_entry)
- * from user mode due to an IRET fault.
- */
- SWAPGS
-+ SWITCH_KERNEL_CR3
-
- .Lerror_entry_from_usermode_after_swapgs:
- /*
-@@ -1135,6 +1148,7 @@ ENTRY(error_entry)
- * Switch to kernel gsbase:
- */
- SWAPGS
-+ SWITCH_KERNEL_CR3
-
- /*
- * Pretend that the exception came from user mode: set up pt_regs
-@@ -1233,6 +1247,7 @@ ENTRY(nmi)
- */
-
- SWAPGS_UNSAFE_STACK
-+ SWITCH_KERNEL_CR3_NO_STACK
- cld
- movq %rsp, %rdx
- movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
-@@ -1273,6 +1288,7 @@ ENTRY(nmi)
- * work, because we don't want to enable interrupts. Fortunately,
- * do_nmi doesn't modify pt_regs.
- */
-+ SWITCH_USER_CR3
- SWAPGS
- jmp restore_c_regs_and_iret
-
-@@ -1484,6 +1500,7 @@ end_repeat_nmi:
- testl %ebx, %ebx /* swapgs needed? */
- jnz nmi_restore
- nmi_swapgs:
-+ SWITCH_USER_CR3_NO_STACK
- SWAPGS_UNSAFE_STACK
- nmi_restore:
- RESTORE_EXTRA_REGS
-diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
-index e1721da..f0e384e 100644
---- a/arch/x86/entry/entry_64_compat.S
-+++ b/arch/x86/entry/entry_64_compat.S
-@@ -13,6 +13,7 @@
- #include <asm/irqflags.h>
- #include <asm/asm.h>
- #include <asm/smap.h>
-+#include <asm/kaiser.h>
- #include <linux/linkage.h>
- #include <linux/err.h>
-
-@@ -48,6 +49,7 @@
- ENTRY(entry_SYSENTER_compat)
- /* Interrupts are off on entry. */
- SWAPGS_UNSAFE_STACK
-+ SWITCH_KERNEL_CR3_NO_STACK
- movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
-
- /*
-@@ -184,6 +186,7 @@ ENDPROC(entry_SYSENTER_compat)
- ENTRY(entry_SYSCALL_compat)
- /* Interrupts are off on entry. */
- SWAPGS_UNSAFE_STACK
-+ SWITCH_KERNEL_CR3_NO_STACK
-
- /* Stash user ESP and switch to the kernel stack. */
- movl %esp, %r8d
-@@ -259,6 +262,7 @@ sysret32_from_system_call:
- xorq %r8, %r8
- xorq %r9, %r9
- xorq %r10, %r10
-+ SWITCH_USER_CR3
- movq RSP-ORIG_RAX(%rsp), %rsp
- swapgs
- sysretl
-@@ -297,7 +301,7 @@ ENTRY(entry_INT80_compat)
- PARAVIRT_ADJUST_EXCEPTION_FRAME
- ASM_CLAC /* Do this early to minimize exposure */
- SWAPGS
--
-+ SWITCH_KERNEL_CR3_NO_STACK
- /*
- * User tracing code (ptrace or signal handlers) might assume that
- * the saved RAX contains a 32-bit number when we're invoking a 32-bit
-@@ -338,6 +342,7 @@ ENTRY(entry_INT80_compat)
-
- /* Go back to user mode. */
- TRACE_IRQS_ON
-+ SWITCH_USER_CR3_NO_STACK
- SWAPGS
- jmp restore_regs_and_iret
- END(entry_INT80_compat)
-diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h
-index b90e105..0817d63 100644
---- a/arch/x86/include/asm/hw_irq.h
-+++ b/arch/x86/include/asm/hw_irq.h
-@@ -178,7 +178,7 @@ extern char irq_entries_start[];
- #define VECTOR_RETRIGGERED ((void *)~0UL)
-
- typedef struct irq_desc* vector_irq_t[NR_VECTORS];
--DECLARE_PER_CPU(vector_irq_t, vector_irq);
-+DECLARE_PER_CPU_USER_MAPPED(vector_irq_t, vector_irq);
-
- #endif /* !ASSEMBLY_ */
-
-diff --git a/arch/x86/include/asm/kaiser.h b/arch/x86/include/asm/kaiser.h
-new file mode 100644
-index 0000000..63ee830
---- /dev/null
-+++ b/arch/x86/include/asm/kaiser.h
-@@ -0,0 +1,113 @@
-+#ifndef _ASM_X86_KAISER_H
-+#define _ASM_X86_KAISER_H
-+
-+/* This file includes the definitions for the KAISER feature.
-+ * KAISER is a counter measure against x86_64 side channel attacks on the kernel virtual memory.
-+ * It has a shodow-pgd for every process. the shadow-pgd has a minimalistic kernel-set mapped,
-+ * but includes the whole user memory. Within a kernel context switch, or when an interrupt is handled,
-+ * the pgd is switched to the normal one. When the system switches to user mode, the shadow pgd is enabled.
-+ * By this, the virtual memory chaches are freed, and the user may not attack the whole kernel memory.
-+ *
-+ * A minimalistic kernel mapping holds the parts needed to be mapped in user mode, as the entry/exit functions
-+ * of the user space, or the stacks.
-+ */
-+#ifdef __ASSEMBLY__
-+#ifdef CONFIG_KAISER
-+
-+.macro _SWITCH_TO_KERNEL_CR3 reg
-+movq %cr3, \reg
-+andq $(~0x1000), \reg
-+movq \reg, %cr3
-+.endm
-+
-+.macro _SWITCH_TO_USER_CR3 reg
-+movq %cr3, \reg
-+orq $(0x1000), \reg
-+movq \reg, %cr3
-+.endm
-+
-+.macro SWITCH_KERNEL_CR3
-+pushq %rax
-+_SWITCH_TO_KERNEL_CR3 %rax
-+popq %rax
-+.endm
-+
-+.macro SWITCH_USER_CR3
-+pushq %rax
-+_SWITCH_TO_USER_CR3 %rax
-+popq %rax
-+.endm
-+
-+.macro SWITCH_KERNEL_CR3_NO_STACK
-+movq %rax, PER_CPU_VAR(unsafe_stack_register_backup)
-+_SWITCH_TO_KERNEL_CR3 %rax
-+movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
-+.endm
-+
-+
-+.macro SWITCH_USER_CR3_NO_STACK
-+
-+movq %rax, PER_CPU_VAR(unsafe_stack_register_backup)
-+_SWITCH_TO_USER_CR3 %rax
-+movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
-+
-+.endm
-+
-+#else /* CONFIG_KAISER */
-+
-+.macro SWITCH_KERNEL_CR3 reg
-+.endm
-+.macro SWITCH_USER_CR3 reg
-+.endm
-+.macro SWITCH_USER_CR3_NO_STACK
-+.endm
-+.macro SWITCH_KERNEL_CR3_NO_STACK
-+.endm
-+
-+#endif /* CONFIG_KAISER */
-+#else /* __ASSEMBLY__ */
-+
-+
-+#ifdef CONFIG_KAISER
-+// Upon kernel/user mode switch, it may happen that
-+// the address space has to be switched before the registers have been stored.
-+// To change the address space, another register is needed.
-+// A register therefore has to be stored/restored.
-+//
-+DECLARE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
-+
-+#endif /* CONFIG_KAISER */
-+
-+/**
-+ * shadowmem_add_mapping - map a virtual memory part to the shadow mapping
-+ * @addr: the start address of the range
-+ * @size: the size of the range
-+ * @flags: The mapping flags of the pages
-+ *
-+ * the mapping is done on a global scope, so no bigger synchronization has to be done.
-+ * the pages have to be manually unmapped again when they are not needed any longer.
-+ */
-+extern void kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags);
-+
-+
-+/**
-+ * shadowmem_remove_mapping - unmap a virtual memory part of the shadow mapping
-+ * @addr: the start address of the range
-+ * @size: the size of the range
-+ */
-+extern void kaiser_remove_mapping(unsigned long start, unsigned long size);
-+
-+/**
-+ * shadowmem_initialize_mapping - Initalize the shadow mapping
-+ *
-+ * most parts of the shadow mapping can be mapped upon boot time.
-+ * only the thread stacks have to be mapped on runtime.
-+ * the mapped regions are not unmapped at all.
-+ */
-+extern void kaiser_init(void);
-+
-+#endif
-+
-+
-+
-+#endif /* _ASM_X86_KAISER_H */
-diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 437feb4..4b479c9 100644
---- a/arch/x86/include/asm/pgtable.h
-+++ b/arch/x86/include/asm/pgtable.h
-@@ -904,6 +904,10 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
- static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
- {
- memcpy(dst, src, count * sizeof(pgd_t));
-+#ifdef CONFIG_KAISER
-+ // clone the shadow pgd part as well
-+ memcpy(native_get_shadow_pgd(dst), native_get_shadow_pgd(src), count * sizeof(pgd_t));
-+#endif
- }
-
- #define PTE_SHIFT ilog2(PTRS_PER_PTE)
-diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
-index 1cc82ec..e6ea39f 100644
---- a/arch/x86/include/asm/pgtable_64.h
-+++ b/arch/x86/include/asm/pgtable_64.h
-@@ -106,9 +106,30 @@ static inline void native_pud_clear(pud_t *pud)
- native_set_pud(pud, native_make_pud(0));
- }
-
-+#ifdef CONFIG_KAISER
-+static inline pgd_t * native_get_shadow_pgd(pgd_t *pgdp) {
-+ return (pgd_t *)(void*)((unsigned long)(void*)pgdp | (unsigned long)PAGE_SIZE);
-+}
-+
-+static inline pgd_t * native_get_normal_pgd(pgd_t *pgdp) {
-+ return (pgd_t *)(void*)((unsigned long)(void*)pgdp & ~(unsigned long)PAGE_SIZE);
-+}
-+#endif /* CONFIG_KAISER */
-+
- static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
- {
-+#ifdef CONFIG_KAISER
-+ // We know that a pgd is page aligned.
-+ // Therefore the lower indices have to be mapped to user space.
-+ // These pages are mapped to the shadow mapping.
-+ if ((((unsigned long)pgdp) % PAGE_SIZE) < (PAGE_SIZE / 2)) {
-+ native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
-+ }
-+
-+ pgdp->pgd = pgd.pgd & ~_PAGE_USER;
-+#else /* CONFIG_KAISER */
- *pgdp = pgd;
-+#endif
- }
-
- static inline void native_pgd_clear(pgd_t *pgd)
-diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
-index 8b4de22..00fecbb 100644
---- a/arch/x86/include/asm/pgtable_types.h
-+++ b/arch/x86/include/asm/pgtable_types.h
-@@ -45,7 +45,11 @@
- #define _PAGE_ACCESSED (_AT(pteval_t, 1) << _PAGE_BIT_ACCESSED)
- #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
- #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
--#define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
-+#ifdef CONFIG_KAISER
-+#define _PAGE_GLOBAL (_AT(pteval_t, 0))
-+#else
-+#define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
-+#endif
- #define _PAGE_SOFTW1 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW1)
- #define _PAGE_SOFTW2 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW2)
- #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
-@@ -119,7 +123,11 @@
- #define _PAGE_DEVMAP (_AT(pteval_t, 0))
- #endif
-
--#define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
-+#ifdef CONFIG_KAISER
-+#define _PAGE_PROTNONE (_AT(pteval_t, 0))
-+#else
-+#define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
-+#endif
-
- #define _PAGE_TABLE (_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | \
- _PAGE_ACCESSED | _PAGE_DIRTY)
-diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index 83db0ea..3d4784e2 100644
---- a/arch/x86/include/asm/processor.h
-+++ b/arch/x86/include/asm/processor.h
-@@ -308,7 +308,7 @@ struct tss_struct {
-
- } ____cacheline_aligned;
-
--DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss);
-+DECLARE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct tss_struct, cpu_tss);
-
- #ifdef CONFIG_X86_32
- DECLARE_PER_CPU(unsigned long, cpu_current_top_of_stack);
-@@ -335,6 +335,11 @@ union irq_stack_union {
- char gs_base[40];
- unsigned long stack_canary;
- };
-+
-+ struct {
-+ char irq_stack_pointer[64];
-+ char unused[IRQ_STACK_SIZE - 64];
-+ };
- };
-
- DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible;
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 91588be..3efde13 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -93,7 +93,7 @@ static const struct cpu_dev default_cpu = {
-
- static const struct cpu_dev *this_cpu = &default_cpu;
-
--DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
-+DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct gdt_page, gdt_page) = { .gdt = {
- #ifdef CONFIG_X86_64
- /*
- * We need valid kernel segments for data and code in long mode too
-@@ -1365,7 +1365,7 @@ static const unsigned int exception_stack_sizes[N_EXCEPTION_STACKS] = {
- [DEBUG_STACK - 1] = DEBUG_STKSZ
- };
-
--static DEFINE_PER_CPU_PAGE_ALIGNED(char, exception_stacks
-+DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(char, exception_stacks
- [(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ]);
-
- /* May not be marked __init: used by software suspend */
-diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
-index 04f89ca..9ff875a 100644
---- a/arch/x86/kernel/espfix_64.c
-+++ b/arch/x86/kernel/espfix_64.c
-@@ -41,6 +41,7 @@
- #include <asm/pgalloc.h>
- #include <asm/setup.h>
- #include <asm/espfix.h>
-+#include <asm/kaiser.h>
-
- /*
- * Note: we only need 6*8 = 48 bytes for the espfix stack, but round
-@@ -126,6 +127,11 @@ void __init init_espfix_bsp(void)
- /* Install the espfix pud into the kernel page directory */
- pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
- pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page);
-+#ifdef CONFIG_KAISER
-+ // add the esp stack pud to the shadow mapping here.
-+ // This can be done directly, because the fixup stack has its own pud
-+ set_pgd(native_get_shadow_pgd(pgd_p), __pgd(_PAGE_TABLE | __pa((pud_t *)espfix_pud_page)));
-+#endif
-
- /* Randomize the locations */
- init_espfix_random();
-diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index b4421cc..9e849b5 100644
---- a/arch/x86/kernel/head_64.S
-+++ b/arch/x86/kernel/head_64.S
-@@ -405,6 +405,14 @@ GLOBAL(early_recursion_flag)
- .balign PAGE_SIZE; \
- GLOBAL(name)
-
-+#ifdef CONFIG_KAISER
-+#define NEXT_PGD_PAGE(name) \
-+ .balign 2 * PAGE_SIZE; \
-+GLOBAL(name)
-+#else
-+#define NEXT_PGD_PAGE(name) NEXT_PAGE(name)
-+#endif
-+
- /* Automate the creation of 1 to 1 mapping pmd entries */
- #define PMDS(START, PERM, COUNT) \
- i = 0 ; \
-@@ -414,7 +422,7 @@ GLOBAL(name)
- .endr
-
- __INITDATA
--NEXT_PAGE(early_level4_pgt)
-+NEXT_PGD_PAGE(early_level4_pgt)
- .fill 511,8,0
- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
-
-@@ -424,10 +432,10 @@ NEXT_PAGE(early_dynamic_pgts)
- .data
-
- #ifndef CONFIG_XEN
--NEXT_PAGE(init_level4_pgt)
-- .fill 512,8,0
-+NEXT_PGD_PAGE(init_level4_pgt)
-+ .fill 2*512,8,0
- #else
--NEXT_PAGE(init_level4_pgt)
-+NEXT_PGD_PAGE(init_level4_pgt)
- .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
- .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
- .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
-diff --git a/arch/x86/kernel/irqinit.c b/arch/x86/kernel/irqinit.c
-index 1423ab1..f480b38 100644
---- a/arch/x86/kernel/irqinit.c
-+++ b/arch/x86/kernel/irqinit.c
-@@ -51,7 +51,7 @@ static struct irqaction irq2 = {
- .flags = IRQF_NO_THREAD,
- };
-
--DEFINE_PER_CPU(vector_irq_t, vector_irq) = {
-+DEFINE_PER_CPU_USER_MAPPED(vector_irq_t, vector_irq) = {
- [0 ... NR_VECTORS - 1] = VECTOR_UNUSED,
- };
-
-diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
-index 8e10e72..a55b320 100644
---- a/arch/x86/kernel/process.c
-+++ b/arch/x86/kernel/process.c
-@@ -41,7 +41,7 @@
- * section. Since TSS's are completely CPU-local, we want them
- * on exact cacheline boundaries, to eliminate cacheline ping-pong.
- */
--__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
-+__visible DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct tss_struct, cpu_tss) = {
- .x86_tss = {
- .sp0 = TOP_OF_INIT_STACK,
- #ifdef CONFIG_X86_32
-diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
-index 96d2b84..682c162 100644
---- a/arch/x86/mm/Makefile
-+++ b/arch/x86/mm/Makefile
-@@ -38,4 +38,4 @@ obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
- obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
- obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o
- obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o
--
-+obj-$(CONFIG_KAISER) += kaiser.o
-diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
-new file mode 100644
-index 0000000..cf1bb92
---- /dev/null
-+++ b/arch/x86/mm/kaiser.c
-@@ -0,0 +1,160 @@
-+
-+
-+#include <linux/kernel.h>
-+#include <linux/errno.h>
-+#include <linux/string.h>
-+#include <linux/types.h>
-+#include <linux/bug.h>
-+#include <linux/init.h>
-+#include <linux/spinlock.h>
-+#include <linux/mm.h>
-+
-+#include <linux/uaccess.h>
-+#include <asm/pgtable.h>
-+#include <asm/pgalloc.h>
-+#include <asm/desc.h>
-+#ifdef CONFIG_KAISER
-+
-+__visible DEFINE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
-+
-+/**
-+ * Get the real ppn from a address in kernel mapping.
-+ * @param address The virtual adrress
-+ * @return the physical address
-+ */
-+static inline unsigned long get_pa_from_mapping (unsigned long address)
-+{
-+ pgd_t *pgd;
-+ pud_t *pud;
-+ pmd_t *pmd;
-+ pte_t *pte;
-+
-+ pgd = pgd_offset_k(address);
-+ BUG_ON(pgd_none(*pgd) || pgd_large(*pgd));
-+
-+ pud = pud_offset(pgd, address);
-+ BUG_ON(pud_none(*pud));
-+
-+ if (pud_large(*pud)) {
-+ return (pud_pfn(*pud) << PAGE_SHIFT) | (address & ~PUD_PAGE_MASK);
-+ }
-+
-+ pmd = pmd_offset(pud, address);
-+ BUG_ON(pmd_none(*pmd));
-+
-+ if (pmd_large(*pmd)) {
-+ return (pmd_pfn(*pmd) << PAGE_SHIFT) | (address & ~PMD_PAGE_MASK);
-+ }
-+
-+ pte = pte_offset_kernel(pmd, address);
-+ BUG_ON(pte_none(*pte));
-+
-+ return (pte_pfn(*pte) << PAGE_SHIFT) | (address & ~PAGE_MASK);
-+}
-+
-+void _kaiser_copy (unsigned long start_addr, unsigned long size,
-+ unsigned long flags)
-+{
-+ pgd_t *pgd;
-+ pud_t *pud;
-+ pmd_t *pmd;
-+ pte_t *pte;
-+ unsigned long address;
-+ unsigned long end_addr = start_addr + size;
-+ unsigned long target_address;
-+
-+ for (address = PAGE_ALIGN(start_addr - (PAGE_SIZE - 1));
-+ address < PAGE_ALIGN(end_addr); address += PAGE_SIZE) {
-+ target_address = get_pa_from_mapping(address);
-+
-+ pgd = native_get_shadow_pgd(pgd_offset_k(address));
-+
-+ BUG_ON(pgd_none(*pgd) && "All shadow pgds should be mapped at this time\n");
-+ BUG_ON(pgd_large(*pgd));
-+
-+ pud = pud_offset(pgd, address);
-+ if (pud_none(*pud)) {
-+ set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd_alloc_one(0, address))));
-+ }
-+ BUG_ON(pud_large(*pud));
-+
-+ pmd = pmd_offset(pud, address);
-+ if (pmd_none(*pmd)) {
-+ set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte_alloc_one_kernel(0, address))));
-+ }
-+ BUG_ON(pmd_large(*pmd));
-+
-+ pte = pte_offset_kernel(pmd, address);
-+ if (pte_none(*pte)) {
-+ set_pte(pte, __pte(flags | target_address));
-+ } else {
-+ BUG_ON(__pa(pte_page(*pte)) != target_address);
-+ }
-+ }
-+}
-+
-+// at first, add a pmd for every pgd entry in the shadowmem-kernel-part of the kernel mapping
-+static inline void __init _kaiser_init(void)
-+{
-+ pgd_t *pgd;
-+ int i = 0;
-+
-+ pgd = native_get_shadow_pgd(pgd_offset_k((unsigned long )0));
-+ for (i = PTRS_PER_PGD / 2; i < PTRS_PER_PGD; i++) {
-+ set_pgd(pgd + i, __pgd(_PAGE_TABLE |__pa(pud_alloc_one(0, 0))));
-+ }
-+}
-+
-+extern char __per_cpu_user_mapped_start[], __per_cpu_user_mapped_end[];
-+spinlock_t shadow_table_lock;
-+void __init kaiser_init(void)
-+{
-+ int cpu;
-+ spin_lock_init(&shadow_table_lock);
-+
-+ spin_lock(&shadow_table_lock);
-+
-+ _kaiser_init();
-+
-+ for_each_possible_cpu(cpu) {
-+ // map the per cpu user variables
-+ _kaiser_copy(
-+ (unsigned long) (__per_cpu_user_mapped_start + per_cpu_offset(cpu)),
-+ (unsigned long) __per_cpu_user_mapped_end - (unsigned long) __per_cpu_user_mapped_start,
-+ __PAGE_KERNEL);
-+ }
-+
-+ // map the entry/exit text section, which is responsible to switch between user- and kernel mode
-+ _kaiser_copy(
-+ (unsigned long) __entry_text_start,
-+ (unsigned long) __entry_text_end - (unsigned long) __entry_text_start,
-+ __PAGE_KERNEL_RX);
-+
-+ // the fixed map address of the idt_table
-+ _kaiser_copy(
-+ (unsigned long) idt_descr.address,
-+ sizeof(gate_desc) * NR_VECTORS,
-+ __PAGE_KERNEL_RO);
-+
-+ spin_unlock(&shadow_table_lock);
-+}
-+
-+// add a mapping to the shadow-mapping, and synchronize the mappings
-+void kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags)
-+{
-+ spin_lock(&shadow_table_lock);
-+ _kaiser_copy(addr, size, flags);
-+ spin_unlock(&shadow_table_lock);
-+}
-+
-+extern void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end);
-+void kaiser_remove_mapping(unsigned long start, unsigned long size)
-+{
-+ pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(start));
-+ spin_lock(&shadow_table_lock);
-+ do {
-+ unmap_pud_range(pgd, start, start + size);
-+ } while (pgd++ != native_get_shadow_pgd(pgd_offset_k(start + size)));
-+ spin_unlock(&shadow_table_lock);
-+}
-+#endif /* CONFIG_KAISER */
-diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index e3353c9..c17412f 100644
---- a/arch/x86/mm/pageattr.c
-+++ b/arch/x86/mm/pageattr.c
-@@ -823,7 +823,7 @@ static void unmap_pmd_range(pud_t *pud, unsigned long start, unsigned long end)
- pud_clear(pud);
- }
-
--static void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
-+void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
- {
- pud_t *pud = pud_offset(pgd, start);
-
-diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index 3feec5a..27d218b 100644
---- a/arch/x86/mm/pgtable.c
-+++ b/arch/x86/mm/pgtable.c
-@@ -346,12 +346,38 @@ static inline void _pgd_free(pgd_t *pgd)
- #else
- static inline pgd_t *_pgd_alloc(void)
- {
-+#ifdef CONFIG_KAISER
-+ // Instead of one PML4, we aquire two PML4s and, thus, an 8kb-aligned memory
-+ // block. Therefore, we have to allocate at least 3 pages. However, the
-+ // __get_free_pages returns us 4 pages. Hence, we store the base pointer at
-+ // the beginning of the page of our 8kb-aligned memory block in order to
-+ // correctly free it afterwars.
-+
-+ unsigned long pages = __get_free_pages(PGALLOC_GFP, get_order(4*PAGE_SIZE));
-+
-+ if(native_get_normal_pgd((pgd_t*) pages) == (pgd_t*) pages)
-+ {
-+ *((unsigned long*)(pages + 2 * PAGE_SIZE)) = pages;
-+ return (pgd_t *) pages;
-+ }
-+ else
-+ {
-+ *((unsigned long*)(pages + 3 * PAGE_SIZE)) = pages;
-+ return (pgd_t *) (pages + PAGE_SIZE);
-+ }
-+#else
- return (pgd_t *)__get_free_page(PGALLOC_GFP);
-+#endif
- }
-
- static inline void _pgd_free(pgd_t *pgd)
- {
-+#ifdef CONFIG_KAISER
-+ unsigned long pages = *((unsigned long*) ((char*) pgd + 2 * PAGE_SIZE));
-+ free_pages(pages, get_order(4*PAGE_SIZE));
-+#else
- free_page((unsigned long)pgd);
-+#endif
- }
- #endif /* CONFIG_X86_PAE */
-
-diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
-index 31e1d63..0b16b5d 100644
---- a/include/asm-generic/vmlinux.lds.h
-+++ b/include/asm-generic/vmlinux.lds.h
-@@ -764,7 +764,16 @@
- */
- #define PERCPU_INPUT(cacheline) \
- VMLINUX_SYMBOL(__per_cpu_start) = .; \
-- *(.data..percpu..first) \
-+ \
-+ VMLINUX_SYMBOL(__per_cpu_user_mapped_start) = .; \
-+ *(.data..percpu..first) \
-+ . = ALIGN(cacheline); \
-+ *(.data..percpu..user_mapped) \
-+ *(.data..percpu..user_mapped..shared_aligned) \
-+ . = ALIGN(PAGE_SIZE); \
-+ *(.data..percpu..user_mapped..page_aligned) \
-+ VMLINUX_SYMBOL(__per_cpu_user_mapped_end) = .; \
-+ \
- . = ALIGN(PAGE_SIZE); \
- *(.data..percpu..page_aligned) \
- . = ALIGN(cacheline); \
-diff --git a/include/linux/percpu-defs.h b/include/linux/percpu-defs.h
-index 8f16299..8ea945f 100644
---- a/include/linux/percpu-defs.h
-+++ b/include/linux/percpu-defs.h
-@@ -35,6 +35,12 @@
-
- #endif
-
-+#ifdef CONFIG_KAISER
-+#define USER_MAPPED_SECTION "..user_mapped"
-+#else
-+#define USER_MAPPED_SECTION ""
-+#endif
-+
- /*
- * Base implementations of per-CPU variable declarations and definitions, where
- * the section in which the variable is to be placed is provided by the
-@@ -115,6 +121,12 @@
- #define DEFINE_PER_CPU(type, name) \
- DEFINE_PER_CPU_SECTION(type, name, "")
-
-+#define DECLARE_PER_CPU_USER_MAPPED(type, name) \
-+ DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
-+
-+#define DEFINE_PER_CPU_USER_MAPPED(type, name) \
-+ DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
-+
- /*
- * Declaration/definition used for per-CPU variables that must come first in
- * the set of variables.
-@@ -144,6 +156,14 @@
- DEFINE_PER_CPU_SECTION(type, name, PER_CPU_SHARED_ALIGNED_SECTION) \
- ____cacheline_aligned_in_smp
-
-+#define DECLARE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
-+ DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
-+ ____cacheline_aligned_in_smp
-+
-+#define DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
-+ DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
-+ ____cacheline_aligned_in_smp
-+
- #define DECLARE_PER_CPU_ALIGNED(type, name) \
- DECLARE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION) \
- ____cacheline_aligned
-@@ -162,6 +182,16 @@
- #define DEFINE_PER_CPU_PAGE_ALIGNED(type, name) \
- DEFINE_PER_CPU_SECTION(type, name, "..page_aligned") \
- __aligned(PAGE_SIZE)
-+/*
-+ * Declaration/definition used for per-CPU variables that must be page aligned and need to be mapped in user mode.
-+ */
-+#define DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
-+ DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
-+ __aligned(PAGE_SIZE)
-+
-+#define DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
-+ DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
-+ __aligned(PAGE_SIZE)
-
- /*
- * Declaration/definition used for per-CPU variables that must be read mostly.
-diff --git a/init/main.c b/init/main.c
-index f23b7fa..d2c8c23 100644
---- a/init/main.c
-+++ b/init/main.c
-@@ -87,6 +87,9 @@
- #include <asm/setup.h>
- #include <asm/sections.h>
- #include <asm/cacheflush.h>
-+#ifdef CONFIG_KAISER
-+#include <asm/kaiser.h>
-+#endif
-
- static int kernel_init(void *);
-
-@@ -474,6 +477,9 @@ static void __init mm_init(void)
- pgtable_init();
- vmalloc_init();
- ioremap_huge_init();
-+#ifdef CONFIG_KAISER
-+ kaiser_init();
-+#endif
- }
-
- asmlinkage __visible void __init start_kernel(void)
-diff --git a/kernel/fork.c b/kernel/fork.c
-index f1751cb..61748d1 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -211,8 +211,12 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
- #endif
- }
-
-+extern void kaiser_remove_mapping(unsigned long start_addr, unsigned long size);
- static inline void free_thread_stack(struct task_struct *tsk)
- {
-+#ifdef CONFIG_KAISER
-+ kaiser_remove_mapping((unsigned long)tsk->stack, THREAD_SIZE);
-+#endif
- #ifdef CONFIG_VMAP_STACK
- if (task_stack_vm_area(tsk)) {
- unsigned long flags;
-@@ -468,6 +472,7 @@ void set_task_stack_end_magic(struct task_struct *tsk)
- *stackend = STACK_END_MAGIC; /* for overflow detection */
- }
-
-+extern void kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags);
- static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
- {
- struct task_struct *tsk;
-@@ -495,6 +500,9 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
- * functions again.
- */
- tsk->stack = stack;
-+#ifdef CONFIG_KAISER
-+ kaiser_add_mapping((unsigned long)tsk->stack, THREAD_SIZE, __PAGE_KERNEL);
-+#endif
- #ifdef CONFIG_VMAP_STACK
- tsk->stack_vm_area = stack_vm_area;
- #endif
-diff --git a/security/Kconfig b/security/Kconfig
-index 118f454..f515ac3 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -30,6 +30,13 @@ config SECURITY
- model will be used.
-
- If you are unsure how to answer this question, answer N.
-+config KAISER
-+ bool "Remove the kernel mapping in user mode"
-+ depends on X86_64
-+ depends on !PARAVIRT
-+ help
-+ This enforces a strict kernel and user space isolation in order to close
-+ hardware side channels on kernel address information.
-
- config SECURITYFS
- bool "Enable the securityfs filesystem"
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-emulator-Return-to-user-mode-on-L1-CPL-0-emu.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-emulator-Return-to-user-mode-on-L1-CPL-0-emu.patch
deleted file mode 100644
index dd1f4c29..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-emulator-Return-to-user-mode-on-L1-CPL-0-emu.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ce7bea11dfe01825a2ced79b5bcc04b7e781e63b Mon Sep 17 00:00:00 2001
-From: Liran Alon <liran.alon@oracle.com>
-Date: Sun, 5 Nov 2017 16:56:33 +0200
-Subject: [PATCH 04/33] KVM: x86: emulator: Return to user-mode on L1 CPL=0
- emulation failure
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 1f4dcb3b213235e642088709a1c54964d23365e9 ]
-
-On this case, handle_emulation_failure() fills kvm_run with
-internal-error information which it expects to be delivered
-to user-mode for further processing.
-However, the code reports a wrong return-value which makes KVM to never
-return to user-mode on this scenario.
-
-Fixes: 6d77dbfc88e3 ("KVM: inject #UD if instruction emulation fails and exit to
-userspace")
-
-Signed-off-by: Liran Alon <liran.alon@oracle.com>
-Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/x86.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 9cc9117..abbb37a 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -5265,7 +5265,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
- vcpu->run->internal.ndata = 0;
-- r = EMULATE_FAIL;
-+ r = EMULATE_USER_EXIT;
- }
- kvm_queue_exception(vcpu, UD_VECTOR);
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm.patch
deleted file mode 100644
index b1c3c02d..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-KVM-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From 1ea42745a9e721d08413cd0c6728934da385010b Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 6 Jun 2018 17:37:49 +0200
-Subject: [PATCH 04/10] KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and
- kvm_write_guest_virt_system
-
-commit ce14e868a54edeb2e30cb7a7b104a2fc4b9d76ca upstream.
-
-Int the next patch the emulator's .read_std and .write_std callbacks will
-grow another argument, which is not needed in kvm_read_guest_virt and
-kvm_write_guest_virt_system's callers. Since we have to make separate
-functions, let's give the currently existing names a nicer interface, too.
-
-Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 23 ++++++++++-------------
- arch/x86/kvm/x86.c | 39 ++++++++++++++++++++++++++-------------
- arch/x86/kvm/x86.h | 4 ++--
- 3 files changed, 38 insertions(+), 28 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index d39062c..a81463d 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -6906,8 +6906,7 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
- vmcs_read32(VMX_INSTRUCTION_INFO), false, &gva))
- return 1;
-
-- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vmptr,
-- sizeof(vmptr), &e)) {
-+ if (kvm_read_guest_virt(vcpu, gva, &vmptr, sizeof(vmptr), &e)) {
- kvm_inject_page_fault(vcpu, &e);
- return 1;
- }
-@@ -7455,8 +7454,8 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
- vmx_instruction_info, true, &gva))
- return 1;
- /* _system ok, as nested_vmx_check_permission verified cpl=0 */
-- kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
-- &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
-+ kvm_write_guest_virt_system(vcpu, gva, &field_value,
-+ (is_long_mode(vcpu) ? 8 : 4), NULL);
- }
-
- nested_vmx_succeed(vcpu);
-@@ -7491,8 +7490,8 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu)
- if (get_vmx_mem_address(vcpu, exit_qualification,
- vmx_instruction_info, false, &gva))
- return 1;
-- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva,
-- &field_value, (is_64_bit_mode(vcpu) ? 8 : 4), &e)) {
-+ if (kvm_read_guest_virt(vcpu, gva, &field_value,
-+ (is_64_bit_mode(vcpu) ? 8 : 4), &e)) {
- kvm_inject_page_fault(vcpu, &e);
- return 1;
- }
-@@ -7589,9 +7588,9 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
- vmx_instruction_info, true, &vmcs_gva))
- return 1;
- /* ok to use *_system, as nested_vmx_check_permission verified cpl=0 */
-- if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
-- (void *)&to_vmx(vcpu)->nested.current_vmptr,
-- sizeof(u64), &e)) {
-+ if (kvm_write_guest_virt_system(vcpu, vmcs_gva,
-+ (void *)&to_vmx(vcpu)->nested.current_vmptr,
-+ sizeof(u64), &e)) {
- kvm_inject_page_fault(vcpu, &e);
- return 1;
- }
-@@ -7645,8 +7644,7 @@ static int handle_invept(struct kvm_vcpu *vcpu)
- if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
- vmx_instruction_info, false, &gva))
- return 1;
-- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &operand,
-- sizeof(operand), &e)) {
-+ if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) {
- kvm_inject_page_fault(vcpu, &e);
- return 1;
- }
-@@ -7709,8 +7707,7 @@ static int handle_invvpid(struct kvm_vcpu *vcpu)
- if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
- vmx_instruction_info, false, &gva))
- return 1;
-- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vpid,
-- sizeof(u32), &e)) {
-+ if (kvm_read_guest_virt(vcpu, gva, &vpid, sizeof(u32), &e)) {
- kvm_inject_page_fault(vcpu, &e);
- return 1;
- }
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index d7974fc..af8e120 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4370,11 +4370,10 @@ static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt,
- return X86EMUL_CONTINUE;
- }
-
--int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
-+int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
- gva_t addr, void *val, unsigned int bytes,
- struct x86_exception *exception)
- {
-- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
- u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
-
- return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
-@@ -4382,9 +4381,9 @@ int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
- }
- EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
-
--static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
-- gva_t addr, void *val, unsigned int bytes,
-- struct x86_exception *exception)
-+static int emulator_read_std(struct x86_emulate_ctxt *ctxt,
-+ gva_t addr, void *val, unsigned int bytes,
-+ struct x86_exception *exception)
- {
- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
- return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
-@@ -4399,18 +4398,16 @@ static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
- return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE;
- }
-
--int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
-- gva_t addr, void *val,
-- unsigned int bytes,
-- struct x86_exception *exception)
-+static int kvm_write_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
-+ struct kvm_vcpu *vcpu, u32 access,
-+ struct x86_exception *exception)
- {
-- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
- void *data = val;
- int r = X86EMUL_CONTINUE;
-
- while (bytes) {
- gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr,
-- PFERR_WRITE_MASK,
-+ access,
- exception);
- unsigned offset = addr & (PAGE_SIZE-1);
- unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
-@@ -4431,6 +4428,22 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
- out:
- return r;
- }
-+
-+static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val,
-+ unsigned int bytes, struct x86_exception *exception)
-+{
-+ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-+
-+ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
-+ PFERR_WRITE_MASK, exception);
-+}
-+
-+int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,
-+ unsigned int bytes, struct x86_exception *exception)
-+{
-+ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
-+ PFERR_WRITE_MASK, exception);
-+}
- EXPORT_SYMBOL_GPL(kvm_write_guest_virt_system);
-
- static int vcpu_mmio_gva_to_gpa(struct kvm_vcpu *vcpu, unsigned long gva,
-@@ -5137,8 +5150,8 @@ static void emulator_set_nmi_mask(struct x86_emulate_ctxt *ctxt, bool masked)
- static const struct x86_emulate_ops emulate_ops = {
- .read_gpr = emulator_read_gpr,
- .write_gpr = emulator_write_gpr,
-- .read_std = kvm_read_guest_virt_system,
-- .write_std = kvm_write_guest_virt_system,
-+ .read_std = emulator_read_std,
-+ .write_std = emulator_write_std,
- .read_phys = kvm_read_guest_phys_system,
- .fetch = kvm_fetch_guest_virt,
- .read_emulated = emulator_read_emulated,
-diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
-index e8ff3e4..2133a18 100644
---- a/arch/x86/kvm/x86.h
-+++ b/arch/x86/kvm/x86.h
-@@ -161,11 +161,11 @@ int kvm_inject_realmode_interrupt(struct kvm_vcpu *vcpu, int irq, int inc_eip);
- void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr);
- u64 get_kvmclock_ns(struct kvm *kvm);
-
--int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
-+int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
- gva_t addr, void *val, unsigned int bytes,
- struct x86_exception *exception);
-
--int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
-+int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu,
- gva_t addr, void *val, unsigned int bytes,
- struct x86_exception *exception);
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-kvm-nVMX-Disallow-userspace-injected-exceptions-in-g.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-kvm-nVMX-Disallow-userspace-injected-exceptions-in-g.patch
deleted file mode 100644
index 3d7259ab..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-kvm-nVMX-Disallow-userspace-injected-exceptions-in-g.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 230ca3c5a44c752650e6bac9a4fe0eefc5ff0758 Mon Sep 17 00:00:00 2001
-From: Jim Mattson <jmattson@google.com>
-Date: Wed, 5 Apr 2017 09:14:40 -0700
-Subject: [PATCH 04/93] kvm: nVMX: Disallow userspace-injected exceptions in
- guest mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 28d06353881939703c34d82a1465136af176c620 ]
-
-The userspace exception injection API and code path are entirely
-unprepared for exceptions that might cause a VM-exit from L2 to L1, so
-the best course of action may be to simply disallow this for now.
-
-1. The API provides no mechanism for userspace to specify the new DR6
-bits for a #DB exception or the new CR2 value for a #PF
-exception. Presumably, userspace is expected to modify these registers
-directly with KVM_SET_SREGS before the next KVM_RUN ioctl. However, in
-the event that L1 intercepts the exception, these registers should not
-be changed. Instead, the new values should be provided in the
-exit_qualification field of vmcs12 (Intel SDM vol 3, section 27.1).
-
-2. In the case of a userspace-injected #DB, inject_pending_event()
-clears DR7.GD before calling vmx_queue_exception(). However, in the
-event that L1 intercepts the exception, this is too early, because
-DR7.GD should not be modified by a #DB that causes a VM-exit directly
-(Intel SDM vol 3, section 27.1).
-
-3. If the injected exception is a #PF, nested_vmx_check_exception()
-doesn't properly check whether or not L1 is interested in the
-associated error code (using the #PF error code mask and match fields
-from vmcs12). It may either return 0 when it should call
-nested_vmx_vmexit() or vice versa.
-
-4. nested_vmx_check_exception() assumes that it is dealing with a
-hardware-generated exception intercept from L2, with some of the
-relevant details (the VM-exit interruption-information and the exit
-qualification) live in vmcs02. For userspace-injected exceptions, this
-is not the case.
-
-5. prepare_vmcs12() assumes that when its exit_intr_info argument
-specifies valid information with a valid error code that it can VMREAD
-the VM-exit interruption error code from vmcs02. For
-userspace-injected exceptions, this is not the case.
-
-Signed-off-by: Jim Mattson <jmattson@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/x86.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 9f0f7e2..b27b93d 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -3056,7 +3056,8 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
- return -EINVAL;
-
- if (events->exception.injected &&
-- (events->exception.nr > 31 || events->exception.nr == NMI_VECTOR))
-+ (events->exception.nr > 31 || events->exception.nr == NMI_VECTOR ||
-+ is_guest_mode(vcpu)))
- return -EINVAL;
-
- process_nmi(vcpu);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-asm-Fix-inline-asm-call-constraints-for-GCC-4.4.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-asm-Fix-inline-asm-call-constraints-for-GCC-4.4.patch
deleted file mode 100644
index 990cb048..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-asm-Fix-inline-asm-call-constraints-for-GCC-4.4.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 06424642a3712e54821ac22bba000779c0004faa Mon Sep 17 00:00:00 2001
-From: Josh Poimboeuf <jpoimboe@redhat.com>
-Date: Thu, 28 Sep 2017 16:58:26 -0500
-Subject: [PATCH 04/42] x86/asm: Fix inline asm call constraints for GCC 4.4
-
-commit 520a13c530aeb5f63e011d668c42db1af19ed349 upstream.
-
-The kernel test bot (run by Xiaolong Ye) reported that the following commit:
-
- f5caf621ee35 ("x86/asm: Fix inline asm call constraints for Clang")
-
-is causing double faults in a kernel compiled with GCC 4.4.
-
-Linus subsequently diagnosed the crash pattern and the buggy commit and found that
-the issue is with this code:
-
- register unsigned int __asm_call_sp asm("esp");
- #define ASM_CALL_CONSTRAINT "+r" (__asm_call_sp)
-
-Even on a 64-bit kernel, it's using ESP instead of RSP. That causes GCC
-to produce the following bogus code:
-
- ffffffff8147461d: 89 e0 mov %esp,%eax
- ffffffff8147461f: 4c 89 f7 mov %r14,%rdi
- ffffffff81474622: 4c 89 fe mov %r15,%rsi
- ffffffff81474625: ba 20 00 00 00 mov $0x20,%edx
- ffffffff8147462a: 89 c4 mov %eax,%esp
- ffffffff8147462c: e8 bf 52 05 00 callq ffffffff814c98f0 <copy_user_generic_unrolled>
-
-Despite the absurdity of it backing up and restoring the stack pointer
-for no reason, the bug is actually the fact that it's only backing up
-and restoring the lower 32 bits of the stack pointer. The upper 32 bits
-are getting cleared out, corrupting the stack pointer.
-
-So change the '__asm_call_sp' register variable to be associated with
-the actual full-size stack pointer.
-
-This also requires changing the __ASM_SEL() macro to be based on the
-actual compiled arch size, rather than the CONFIG value, because
-CONFIG_X86_64 compiles some files with '-m32' (e.g., realmode and vdso).
-Otherwise Clang fails to build the kernel because it complains about the
-use of a 64-bit register (RSP) in a 32-bit file.
-
-Reported-and-Bisected-and-Tested-by: kernel test robot <xiaolong.ye@intel.com>
-Diagnosed-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Alexander Potapenko <glider@google.com>
-Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Cc: Dmitriy Vyukov <dvyukov@google.com>
-Cc: LKP <lkp@01.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Matthias Kaehlcke <mka@chromium.org>
-Cc: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Fixes: f5caf621ee35 ("x86/asm: Fix inline asm call constraints for Clang")
-Link: http://lkml.kernel.org/r/20170928215826.6sdpmwtkiydiytim@treble
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Matthias Kaehlcke <mka@chromium.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/asm.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h
-index 0052352..7bb29a4 100644
---- a/arch/x86/include/asm/asm.h
-+++ b/arch/x86/include/asm/asm.h
-@@ -11,10 +11,12 @@
- # define __ASM_FORM_COMMA(x) " " #x ","
- #endif
-
--#ifdef CONFIG_X86_32
-+#ifndef __x86_64__
-+/* 32 bit */
- # define __ASM_SEL(a,b) __ASM_FORM(a)
- # define __ASM_SEL_RAW(a,b) __ASM_FORM_RAW(a)
- #else
-+/* 64 bit */
- # define __ASM_SEL(a,b) __ASM_FORM(b)
- # define __ASM_SEL_RAW(a,b) __ASM_FORM_RAW(b)
- #endif
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-mm-Remove-the-UP-asm-tlbflush.h-code-always-use-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-mm-Remove-the-UP-asm-tlbflush.h-code-always-use-.patch
deleted file mode 100644
index 24b7bdc8..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-mm-Remove-the-UP-asm-tlbflush.h-code-always-use-.patch
+++ /dev/null
@@ -1,314 +0,0 @@
-From e55eb19b04f78aa3343a6eae99fd557f613ccd99 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Sun, 28 May 2017 10:00:14 -0700
-Subject: [PATCH 04/14] x86/mm: Remove the UP asm/tlbflush.h code, always use
- the (formerly) SMP code
-
-commit ce4a4e565f5264909a18c733b864c3f74467f69e upstream.
-
-The UP asm/tlbflush.h generates somewhat nicer code than the SMP version.
-Aside from that, it's fallen quite a bit behind the SMP code:
-
- - flush_tlb_mm_range() didn't flush individual pages if the range
- was small.
-
- - The lazy TLB code was much weaker. This usually wouldn't matter,
- but, if a kernel thread flushed its lazy "active_mm" more than
- once (due to reclaim or similar), it wouldn't be unlazied and
- would instead pointlessly flush repeatedly.
-
- - Tracepoints were missing.
-
-Aside from that, simply having the UP code around was a maintanence
-burden, since it means that any change to the TLB flush code had to
-make sure not to break it.
-
-Simplify everything by deleting the UP code.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bpetkov@suse.de>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Michal Hocko <mhocko@suse.com>
-Cc: Nadav Amit <nadav.amit@gmail.com>
-Cc: Nadav Amit <namit@vmware.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: linux-mm@kvack.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/Kconfig | 2 +-
- arch/x86/include/asm/hardirq.h | 2 +-
- arch/x86/include/asm/mmu.h | 6 ---
- arch/x86/include/asm/mmu_context.h | 2 -
- arch/x86/include/asm/tlbflush.h | 78 +-------------------------------------
- arch/x86/mm/init.c | 2 -
- arch/x86/mm/tlb.c | 17 +--------
- 7 files changed, 5 insertions(+), 104 deletions(-)
-
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 7132252..f0bcf23 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -45,7 +45,7 @@ config X86
- select ARCH_USE_CMPXCHG_LOCKREF if X86_64
- select ARCH_USE_QUEUED_RWLOCKS
- select ARCH_USE_QUEUED_SPINLOCKS
-- select ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH if SMP
-+ select ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
- select ARCH_WANTS_DYNAMIC_TASK_STRUCT
- select ARCH_WANT_FRAME_POINTERS
- select ARCH_WANT_IPC_PARSE_VERSION if X86_32
-diff --git a/arch/x86/include/asm/hardirq.h b/arch/x86/include/asm/hardirq.h
-index 59405a2..9b76cd3 100644
---- a/arch/x86/include/asm/hardirq.h
-+++ b/arch/x86/include/asm/hardirq.h
-@@ -22,8 +22,8 @@ typedef struct {
- #ifdef CONFIG_SMP
- unsigned int irq_resched_count;
- unsigned int irq_call_count;
-- unsigned int irq_tlb_count;
- #endif
-+ unsigned int irq_tlb_count;
- #ifdef CONFIG_X86_THERMAL_VECTOR
- unsigned int irq_thermal_count;
- #endif
-diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
-index 72198c6..8b272a0 100644
---- a/arch/x86/include/asm/mmu.h
-+++ b/arch/x86/include/asm/mmu.h
-@@ -33,12 +33,6 @@ typedef struct {
- #endif
- } mm_context_t;
-
--#ifdef CONFIG_SMP
- void leave_mm(int cpu);
--#else
--static inline void leave_mm(int cpu)
--{
--}
--#endif
-
- #endif /* _ASM_X86_MMU_H */
-diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 8e0a9fe..762d6c6 100644
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -99,10 +99,8 @@ static inline void load_mm_ldt(struct mm_struct *mm)
-
- static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
- {
--#ifdef CONFIG_SMP
- if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
- this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
--#endif
- }
-
- static inline int init_new_context(struct task_struct *tsk,
-diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index eb5b512..94146f6 100644
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -7,6 +7,7 @@
- #include <asm/processor.h>
- #include <asm/cpufeature.h>
- #include <asm/special_insns.h>
-+#include <asm/smp.h>
-
- static inline void __invpcid(unsigned long pcid, unsigned long addr,
- unsigned long type)
-@@ -65,10 +66,8 @@ static inline void invpcid_flush_all_nonglobals(void)
- #endif
-
- struct tlb_state {
--#ifdef CONFIG_SMP
- struct mm_struct *active_mm;
- int state;
--#endif
-
- /*
- * Access to this CR4 shadow and to H/W CR4 is protected by
-@@ -272,79 +271,6 @@ static inline void __flush_tlb_one(unsigned long addr)
- * and page-granular flushes are available only on i486 and up.
- */
-
--#ifndef CONFIG_SMP
--
--/* "_up" is for UniProcessor.
-- *
-- * This is a helper for other header functions. *Not* intended to be called
-- * directly. All global TLB flushes need to either call this, or to bump the
-- * vm statistics themselves.
-- */
--static inline void __flush_tlb_up(void)
--{
-- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
-- __flush_tlb();
--}
--
--static inline void flush_tlb_all(void)
--{
-- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
-- __flush_tlb_all();
--}
--
--static inline void local_flush_tlb(void)
--{
-- __flush_tlb_up();
--}
--
--static inline void flush_tlb_mm(struct mm_struct *mm)
--{
-- if (mm == current->active_mm)
-- __flush_tlb_up();
--}
--
--static inline void flush_tlb_page(struct vm_area_struct *vma,
-- unsigned long addr)
--{
-- if (vma->vm_mm == current->active_mm)
-- __flush_tlb_one(addr);
--}
--
--static inline void flush_tlb_range(struct vm_area_struct *vma,
-- unsigned long start, unsigned long end)
--{
-- if (vma->vm_mm == current->active_mm)
-- __flush_tlb_up();
--}
--
--static inline void flush_tlb_mm_range(struct mm_struct *mm,
-- unsigned long start, unsigned long end, unsigned long vmflag)
--{
-- if (mm == current->active_mm)
-- __flush_tlb_up();
--}
--
--static inline void native_flush_tlb_others(const struct cpumask *cpumask,
-- struct mm_struct *mm,
-- unsigned long start,
-- unsigned long end)
--{
--}
--
--static inline void reset_lazy_tlbstate(void)
--{
--}
--
--static inline void flush_tlb_kernel_range(unsigned long start,
-- unsigned long end)
--{
-- flush_tlb_all();
--}
--
--#else /* SMP */
--
--#include <asm/smp.h>
--
- #define local_flush_tlb() __flush_tlb()
-
- #define flush_tlb_mm(mm) flush_tlb_mm_range(mm, 0UL, TLB_FLUSH_ALL, 0UL)
-@@ -375,8 +301,6 @@ static inline void reset_lazy_tlbstate(void)
- this_cpu_write(cpu_tlbstate.active_mm, &init_mm);
- }
-
--#endif /* SMP */
--
- #ifndef CONFIG_PARAVIRT
- #define flush_tlb_others(mask, mm, start, end) \
- native_flush_tlb_others(mask, mm, start, end)
-diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 05a9855..a5e79b4 100644
---- a/arch/x86/mm/init.c
-+++ b/arch/x86/mm/init.c
-@@ -745,10 +745,8 @@ void __init zone_sizes_init(void)
- }
-
- DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate) = {
--#ifdef CONFIG_SMP
- .active_mm = &init_mm,
- .state = 0,
--#endif
- .cr4 = ~0UL, /* fail hard if we screw up cr4 shadow initialization */
- };
- EXPORT_SYMBOL_GPL(cpu_tlbstate);
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 6884228..613d07e 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -16,7 +16,7 @@
- #include <asm/kaiser.h>
-
- /*
-- * Smarter SMP flushing macros.
-+ * TLB flushing, formerly SMP-only
- * c/o Linus Torvalds.
- *
- * These mean you can really definitely utterly forget about
-@@ -29,8 +29,6 @@
- * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
- */
-
--#ifdef CONFIG_SMP
--
- struct flush_tlb_info {
- struct mm_struct *flush_mm;
- unsigned long flush_start;
-@@ -90,8 +88,6 @@ void leave_mm(int cpu)
- }
- EXPORT_SYMBOL_GPL(leave_mm);
-
--#endif /* CONFIG_SMP */
--
- void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- struct task_struct *tsk)
- {
-@@ -122,10 +118,8 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
- set_pgd(pgd, init_mm.pgd[stack_pgd_index]);
- }
-
--#ifdef CONFIG_SMP
- this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
- this_cpu_write(cpu_tlbstate.active_mm, next);
--#endif
-
- cpumask_set_cpu(cpu, mm_cpumask(next));
-
-@@ -183,9 +177,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
- if (unlikely(prev->context.ldt != next->context.ldt))
- load_mm_ldt(next);
- #endif
-- }
--#ifdef CONFIG_SMP
-- else {
-+ } else {
- this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
- BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
-
-@@ -212,11 +204,8 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
- load_mm_ldt(next);
- }
- }
--#endif
- }
-
--#ifdef CONFIG_SMP
--
- /*
- * The flush IPI assumes that a thread switch happens in this order:
- * [cpu0: the cpu that switches]
-@@ -471,5 +460,3 @@ static int __init create_tlb_single_page_flush_ceiling(void)
- return 0;
- }
- late_initcall(create_tlb_single_page_flush_ceiling);
--
--#endif /* CONFIG_SMP */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-speculation-Correct-Speculation-Control-microcod.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-speculation-Correct-Speculation-Control-microcod.patch
deleted file mode 100644
index 20c32ab8..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0004-x86-speculation-Correct-Speculation-Control-microcod.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From d0ed9c041b4312a7245912bee08d0c6e7631c9a1 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Mon, 12 Feb 2018 15:27:34 +0000
-Subject: [PATCH 04/12] x86/speculation: Correct Speculation Control microcode
- blacklist again
-
-commit d37fc6d360a404b208547ba112e7dabb6533c7fc upstream.
-
-Arjan points out that the Intel document only clears the 0xc2 microcode
-on *some* parts with CPUID 506E3 (INTEL_FAM6_SKYLAKE_DESKTOP stepping 3).
-For the Skylake H/S platform it's OK but for Skylake E3 which has the
-same CPUID it isn't (yet) cleared.
-
-So removing it from the blacklist was premature. Put it back for now.
-
-Also, Arjan assures me that the 0x84 microcode for Kaby Lake which was
-featured in one of the early revisions of the Intel document was never
-released to the public, and won't be until/unless it is also validated
-as safe. So those can change to 0x80 which is what all *other* versions
-of the doc have identified.
-
-Once the retrospective testing of existing public microcodes is done, we
-should be back into a mode where new microcodes are only released in
-batches and we shouldn't even need to update the blacklist for those
-anyway, so this tweaking of the list isn't expected to be a thing which
-keeps happening.
-
-Requested-by: Arjan van de Ven <arjan.van.de.ven@intel.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: arjan.van.de.ven@intel.com
-Cc: dave.hansen@intel.com
-Cc: kvm@vger.kernel.org
-Cc: pbonzini@redhat.com
-Link: http://lkml.kernel.org/r/1518449255-2182-1-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/intel.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index e3b00ac..02cb2e3 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -75,13 +75,14 @@ struct sku_microcode {
- u32 microcode;
- };
- static const struct sku_microcode spectre_bad_microcodes[] = {
-- { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x84 },
-- { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x84 },
-- { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x84 },
-- { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x84 },
-- { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 },
-+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x80 },
-+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x80 },
-+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x80 },
-+ { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x80 },
-+ { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x80 },
- { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e },
- { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c },
-+ { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 },
- { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 },
- { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b },
- { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 },
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-KVM-x86-Don-t-re-execute-instruction-when-not-passin.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-KVM-x86-Don-t-re-execute-instruction-when-not-passin.patch
deleted file mode 100644
index 49770e88..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-KVM-x86-Don-t-re-execute-instruction-when-not-passin.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 585df9100649b5038250e1c33cf8af019a77844c Mon Sep 17 00:00:00 2001
-From: Liran Alon <liran.alon@oracle.com>
-Date: Sun, 5 Nov 2017 16:56:34 +0200
-Subject: [PATCH 05/33] KVM: x86: Don't re-execute instruction when not passing
- CR2 value
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 9b8ae63798cb97e785a667ff27e43fa6220cb734 ]
-
-In case of instruction-decode failure or emulation failure,
-x86_emulate_instruction() will call reexecute_instruction() which will
-attempt to use the cr2 value passed to x86_emulate_instruction().
-However, when x86_emulate_instruction() is called from
-emulate_instruction(), cr2 is not passed (passed as 0) and therefore
-it doesn't make sense to execute reexecute_instruction() logic at all.
-
-Fixes: 51d8b66199e9 ("KVM: cleanup emulate_instruction")
-
-Signed-off-by: Liran Alon <liran.alon@oracle.com>
-Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/kvm_host.h | 3 ++-
- arch/x86/kvm/vmx.c | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index bdde807..6f6ee68 100644
---- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -1113,7 +1113,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2,
- static inline int emulate_instruction(struct kvm_vcpu *vcpu,
- int emulation_type)
- {
-- return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
-+ return x86_emulate_instruction(vcpu, 0,
-+ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
- }
-
- void kvm_enable_efer_bits(u64);
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index ee766c2..8e5001d 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -6232,7 +6232,7 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
- if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
- return 1;
-
-- err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
-+ err = emulate_instruction(vcpu, 0);
-
- if (err == EMULATE_USER_EXIT) {
- ++vcpu->stat.mmio_exits;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kaiser-merged-update.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kaiser-merged-update.patch
deleted file mode 100644
index 0a554805..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kaiser-merged-update.patch
+++ /dev/null
@@ -1,1327 +0,0 @@
-From 63e6d8f6f8a48f02da9fbd55819b1154efad82ba Mon Sep 17 00:00:00 2001
-From: Dave Hansen <dave.hansen@linux.intel.com>
-Date: Wed, 30 Aug 2017 16:23:00 -0700
-Subject: [PATCH 005/103] kaiser: merged update
-
-Merged fixes and cleanups, rebased to 4.9.51 tree (no 5-level paging).
-
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_64.S | 105 ++++++++++--
- arch/x86/include/asm/kaiser.h | 43 +++--
- arch/x86/include/asm/pgtable.h | 18 +-
- arch/x86/include/asm/pgtable_64.h | 48 +++++-
- arch/x86/include/asm/pgtable_types.h | 6 +-
- arch/x86/kernel/espfix_64.c | 13 +-
- arch/x86/kernel/head_64.S | 19 ++-
- arch/x86/kernel/ldt.c | 27 ++-
- arch/x86/kernel/tracepoint.c | 2 +
- arch/x86/mm/kaiser.c | 313 +++++++++++++++++++++++++----------
- arch/x86/mm/pageattr.c | 63 +++++--
- arch/x86/mm/pgtable.c | 40 ++---
- include/linux/kaiser.h | 26 +++
- kernel/fork.c | 9 +-
- security/Kconfig | 5 +
- 15 files changed, 549 insertions(+), 188 deletions(-)
- create mode 100644 include/linux/kaiser.h
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index 6c880dc..d84e3a7 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -230,6 +230,13 @@ entry_SYSCALL_64_fastpath:
- movq RIP(%rsp), %rcx
- movq EFLAGS(%rsp), %r11
- RESTORE_C_REGS_EXCEPT_RCX_R11
-+ /*
-+ * This opens a window where we have a user CR3, but are
-+ * running in the kernel. This makes using the CS
-+ * register useless for telling whether or not we need to
-+ * switch CR3 in NMIs. Normal interrupts are OK because
-+ * they are off here.
-+ */
- SWITCH_USER_CR3
- movq RSP(%rsp), %rsp
- USERGS_SYSRET64
-@@ -326,11 +333,25 @@ return_from_SYSCALL_64:
- syscall_return_via_sysret:
- /* rcx and r11 are already restored (see code above) */
- RESTORE_C_REGS_EXCEPT_RCX_R11
-+ /*
-+ * This opens a window where we have a user CR3, but are
-+ * running in the kernel. This makes using the CS
-+ * register useless for telling whether or not we need to
-+ * switch CR3 in NMIs. Normal interrupts are OK because
-+ * they are off here.
-+ */
- SWITCH_USER_CR3
- movq RSP(%rsp), %rsp
- USERGS_SYSRET64
-
- opportunistic_sysret_failed:
-+ /*
-+ * This opens a window where we have a user CR3, but are
-+ * running in the kernel. This makes using the CS
-+ * register useless for telling whether or not we need to
-+ * switch CR3 in NMIs. Normal interrupts are OK because
-+ * they are off here.
-+ */
- SWITCH_USER_CR3
- SWAPGS
- jmp restore_c_regs_and_iret
-@@ -1087,6 +1108,13 @@ ENTRY(error_entry)
- cld
- SAVE_C_REGS 8
- SAVE_EXTRA_REGS 8
-+ /*
-+ * error_entry() always returns with a kernel gsbase and
-+ * CR3. We must also have a kernel CR3/gsbase before
-+ * calling TRACE_IRQS_*. Just unconditionally switch to
-+ * the kernel CR3 here.
-+ */
-+ SWITCH_KERNEL_CR3
- xorl %ebx, %ebx
- testb $3, CS+8(%rsp)
- jz .Lerror_kernelspace
-@@ -1096,7 +1124,6 @@ ENTRY(error_entry)
- * from user mode due to an IRET fault.
- */
- SWAPGS
-- SWITCH_KERNEL_CR3
-
- .Lerror_entry_from_usermode_after_swapgs:
- /*
-@@ -1148,7 +1175,6 @@ ENTRY(error_entry)
- * Switch to kernel gsbase:
- */
- SWAPGS
-- SWITCH_KERNEL_CR3
-
- /*
- * Pretend that the exception came from user mode: set up pt_regs
-@@ -1247,7 +1273,10 @@ ENTRY(nmi)
- */
-
- SWAPGS_UNSAFE_STACK
-- SWITCH_KERNEL_CR3_NO_STACK
-+ /*
-+ * percpu variables are mapped with user CR3, so no need
-+ * to switch CR3 here.
-+ */
- cld
- movq %rsp, %rdx
- movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
-@@ -1281,14 +1310,33 @@ ENTRY(nmi)
-
- movq %rsp, %rdi
- movq $-1, %rsi
-+#ifdef CONFIG_KAISER
-+ /* Unconditionally use kernel CR3 for do_nmi() */
-+ /* %rax is saved above, so OK to clobber here */
-+ movq %cr3, %rax
-+ pushq %rax
-+#ifdef CONFIG_KAISER_REAL_SWITCH
-+ andq $(~0x1000), %rax
-+#endif
-+ movq %rax, %cr3
-+#endif
- call do_nmi
-+ /*
-+ * Unconditionally restore CR3. I know we return to
-+ * kernel code that needs user CR3, but do we ever return
-+ * to "user mode" where we need the kernel CR3?
-+ */
-+#ifdef CONFIG_KAISER
-+ popq %rax
-+ mov %rax, %cr3
-+#endif
-
- /*
- * Return back to user mode. We must *not* do the normal exit
-- * work, because we don't want to enable interrupts. Fortunately,
-- * do_nmi doesn't modify pt_regs.
-+ * work, because we don't want to enable interrupts. Do not
-+ * switch to user CR3: we might be going back to kernel code
-+ * that had a user CR3 set.
- */
-- SWITCH_USER_CR3
- SWAPGS
- jmp restore_c_regs_and_iret
-
-@@ -1484,23 +1532,54 @@ end_repeat_nmi:
- ALLOC_PT_GPREGS_ON_STACK
-
- /*
-- * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
-- * as we should not be calling schedule in NMI context.
-- * Even with normal interrupts enabled. An NMI should not be
-- * setting NEED_RESCHED or anything that normal interrupts and
-- * exceptions might do.
-+ * Use the same approach as paranoid_entry to handle SWAPGS, but
-+ * without CR3 handling since we do that differently in NMIs. No
-+ * need to use paranoid_exit as we should not be calling schedule
-+ * in NMI context. Even with normal interrupts enabled. An NMI
-+ * should not be setting NEED_RESCHED or anything that normal
-+ * interrupts and exceptions might do.
- */
-- call paranoid_entry
-+ cld
-+ SAVE_C_REGS
-+ SAVE_EXTRA_REGS
-+ movl $1, %ebx
-+ movl $MSR_GS_BASE, %ecx
-+ rdmsr
-+ testl %edx, %edx
-+ js 1f /* negative -> in kernel */
-+ SWAPGS
-+ xorl %ebx, %ebx
-+1:
-+#ifdef CONFIG_KAISER
-+ /* Unconditionally use kernel CR3 for do_nmi() */
-+ /* %rax is saved above, so OK to clobber here */
-+ movq %cr3, %rax
-+ pushq %rax
-+#ifdef CONFIG_KAISER_REAL_SWITCH
-+ andq $(~0x1000), %rax
-+#endif
-+ movq %rax, %cr3
-+#endif
-
- /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
- movq %rsp, %rdi
-+ addq $8, %rdi /* point %rdi at ptregs, fixed up for CR3 */
- movq $-1, %rsi
- call do_nmi
-+ /*
-+ * Unconditionally restore CR3. We might be returning to
-+ * kernel code that needs user CR3, like just just before
-+ * a sysret.
-+ */
-+#ifdef CONFIG_KAISER
-+ popq %rax
-+ mov %rax, %cr3
-+#endif
-
- testl %ebx, %ebx /* swapgs needed? */
- jnz nmi_restore
- nmi_swapgs:
-- SWITCH_USER_CR3_NO_STACK
-+ /* We fixed up CR3 above, so no need to switch it here */
- SWAPGS_UNSAFE_STACK
- nmi_restore:
- RESTORE_EXTRA_REGS
-diff --git a/arch/x86/include/asm/kaiser.h b/arch/x86/include/asm/kaiser.h
-index 63ee830..0703f48 100644
---- a/arch/x86/include/asm/kaiser.h
-+++ b/arch/x86/include/asm/kaiser.h
-@@ -16,13 +16,17 @@
-
- .macro _SWITCH_TO_KERNEL_CR3 reg
- movq %cr3, \reg
-+#ifdef CONFIG_KAISER_REAL_SWITCH
- andq $(~0x1000), \reg
-+#endif
- movq \reg, %cr3
- .endm
-
- .macro _SWITCH_TO_USER_CR3 reg
- movq %cr3, \reg
-+#ifdef CONFIG_KAISER_REAL_SWITCH
- orq $(0x1000), \reg
-+#endif
- movq \reg, %cr3
- .endm
-
-@@ -65,48 +69,53 @@ movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
- .endm
-
- #endif /* CONFIG_KAISER */
-+
- #else /* __ASSEMBLY__ */
-
-
- #ifdef CONFIG_KAISER
--// Upon kernel/user mode switch, it may happen that
--// the address space has to be switched before the registers have been stored.
--// To change the address space, another register is needed.
--// A register therefore has to be stored/restored.
--//
--DECLARE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
-+/*
-+ * Upon kernel/user mode switch, it may happen that the address
-+ * space has to be switched before the registers have been
-+ * stored. To change the address space, another register is
-+ * needed. A register therefore has to be stored/restored.
-+*/
-
--#endif /* CONFIG_KAISER */
-+DECLARE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
-
- /**
-- * shadowmem_add_mapping - map a virtual memory part to the shadow mapping
-+ * kaiser_add_mapping - map a virtual memory part to the shadow (user) mapping
- * @addr: the start address of the range
- * @size: the size of the range
- * @flags: The mapping flags of the pages
- *
-- * the mapping is done on a global scope, so no bigger synchronization has to be done.
-- * the pages have to be manually unmapped again when they are not needed any longer.
-+ * The mapping is done on a global scope, so no bigger
-+ * synchronization has to be done. the pages have to be
-+ * manually unmapped again when they are not needed any longer.
- */
--extern void kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags);
-+extern int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags);
-
-
- /**
-- * shadowmem_remove_mapping - unmap a virtual memory part of the shadow mapping
-+ * kaiser_remove_mapping - unmap a virtual memory part of the shadow mapping
- * @addr: the start address of the range
- * @size: the size of the range
- */
- extern void kaiser_remove_mapping(unsigned long start, unsigned long size);
-
- /**
-- * shadowmem_initialize_mapping - Initalize the shadow mapping
-+ * kaiser_initialize_mapping - Initalize the shadow mapping
- *
-- * most parts of the shadow mapping can be mapped upon boot time.
-- * only the thread stacks have to be mapped on runtime.
-- * the mapped regions are not unmapped at all.
-+ * Most parts of the shadow mapping can be mapped upon boot
-+ * time. Only per-process things like the thread stacks
-+ * or a new LDT have to be mapped at runtime. These boot-
-+ * time mappings are permanent and nevertunmapped.
- */
- extern void kaiser_init(void);
-
--#endif
-+#endif /* CONFIG_KAISER */
-+
-+#endif /* __ASSEMBLY */
-
-
-
-diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 4b479c9..1cee98e 100644
---- a/arch/x86/include/asm/pgtable.h
-+++ b/arch/x86/include/asm/pgtable.h
-@@ -690,7 +690,17 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
-
- static inline int pgd_bad(pgd_t pgd)
- {
-- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
-+ pgdval_t ignore_flags = _PAGE_USER;
-+ /*
-+ * We set NX on KAISER pgds that map userspace memory so
-+ * that userspace can not meaningfully use the kernel
-+ * page table by accident; it will fault on the first
-+ * instruction it tries to run. See native_set_pgd().
-+ */
-+ if (IS_ENABLED(CONFIG_KAISER))
-+ ignore_flags |= _PAGE_NX;
-+
-+ return (pgd_flags(pgd) & ~ignore_flags) != _KERNPG_TABLE;
- }
-
- static inline int pgd_none(pgd_t pgd)
-@@ -905,8 +915,10 @@ static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
- {
- memcpy(dst, src, count * sizeof(pgd_t));
- #ifdef CONFIG_KAISER
-- // clone the shadow pgd part as well
-- memcpy(native_get_shadow_pgd(dst), native_get_shadow_pgd(src), count * sizeof(pgd_t));
-+ /* Clone the shadow pgd part as well */
-+ memcpy(native_get_shadow_pgd(dst),
-+ native_get_shadow_pgd(src),
-+ count * sizeof(pgd_t));
- #endif
- }
-
-diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
-index e6ea39f..000265c 100644
---- a/arch/x86/include/asm/pgtable_64.h
-+++ b/arch/x86/include/asm/pgtable_64.h
-@@ -107,26 +107,58 @@ static inline void native_pud_clear(pud_t *pud)
- }
-
- #ifdef CONFIG_KAISER
--static inline pgd_t * native_get_shadow_pgd(pgd_t *pgdp) {
-+static inline pgd_t * native_get_shadow_pgd(pgd_t *pgdp)
-+{
- return (pgd_t *)(void*)((unsigned long)(void*)pgdp | (unsigned long)PAGE_SIZE);
- }
-
--static inline pgd_t * native_get_normal_pgd(pgd_t *pgdp) {
-+static inline pgd_t * native_get_normal_pgd(pgd_t *pgdp)
-+{
- return (pgd_t *)(void*)((unsigned long)(void*)pgdp & ~(unsigned long)PAGE_SIZE);
- }
-+#else
-+static inline pgd_t * native_get_shadow_pgd(pgd_t *pgdp)
-+{
-+ BUILD_BUG_ON(1);
-+ return NULL;
-+}
-+static inline pgd_t * native_get_normal_pgd(pgd_t *pgdp)
-+{
-+ return pgdp;
-+}
- #endif /* CONFIG_KAISER */
-
-+/*
-+ * Page table pages are page-aligned. The lower half of the top
-+ * level is used for userspace and the top half for the kernel.
-+ * This returns true for user pages that need to get copied into
-+ * both the user and kernel copies of the page tables, and false
-+ * for kernel pages that should only be in the kernel copy.
-+ */
-+static inline bool is_userspace_pgd(void *__ptr)
-+{
-+ unsigned long ptr = (unsigned long)__ptr;
-+
-+ return ((ptr % PAGE_SIZE) < (PAGE_SIZE / 2));
-+}
-+
- static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
- {
- #ifdef CONFIG_KAISER
-- // We know that a pgd is page aligned.
-- // Therefore the lower indices have to be mapped to user space.
-- // These pages are mapped to the shadow mapping.
-- if ((((unsigned long)pgdp) % PAGE_SIZE) < (PAGE_SIZE / 2)) {
-+ pteval_t extra_kern_pgd_flags = 0;
-+ /* Do we need to also populate the shadow pgd? */
-+ if (is_userspace_pgd(pgdp)) {
- native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
-+ /*
-+ * Even if the entry is *mapping* userspace, ensure
-+ * that userspace can not use it. This way, if we
-+ * get out to userspace running on the kernel CR3,
-+ * userspace will crash instead of running.
-+ */
-+ extra_kern_pgd_flags = _PAGE_NX;
- }
--
-- pgdp->pgd = pgd.pgd & ~_PAGE_USER;
-+ pgdp->pgd = pgd.pgd;
-+ pgdp->pgd |= extra_kern_pgd_flags;
- #else /* CONFIG_KAISER */
- *pgdp = pgd;
- #endif
-diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
-index 00fecbb..8bc8d02 100644
---- a/arch/x86/include/asm/pgtable_types.h
-+++ b/arch/x86/include/asm/pgtable_types.h
-@@ -48,7 +48,7 @@
- #ifdef CONFIG_KAISER
- #define _PAGE_GLOBAL (_AT(pteval_t, 0))
- #else
--#define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
-+#define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
- #endif
- #define _PAGE_SOFTW1 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW1)
- #define _PAGE_SOFTW2 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW2)
-@@ -123,11 +123,7 @@
- #define _PAGE_DEVMAP (_AT(pteval_t, 0))
- #endif
-
--#ifdef CONFIG_KAISER
--#define _PAGE_PROTNONE (_AT(pteval_t, 0))
--#else
- #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
--#endif
-
- #define _PAGE_TABLE (_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | \
- _PAGE_ACCESSED | _PAGE_DIRTY)
-diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
-index 9ff875a..560c2fd 100644
---- a/arch/x86/kernel/espfix_64.c
-+++ b/arch/x86/kernel/espfix_64.c
-@@ -127,11 +127,14 @@ void __init init_espfix_bsp(void)
- /* Install the espfix pud into the kernel page directory */
- pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
- pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page);
--#ifdef CONFIG_KAISER
-- // add the esp stack pud to the shadow mapping here.
-- // This can be done directly, because the fixup stack has its own pud
-- set_pgd(native_get_shadow_pgd(pgd_p), __pgd(_PAGE_TABLE | __pa((pud_t *)espfix_pud_page)));
--#endif
-+ /*
-+ * Just copy the top-level PGD that is mapping the espfix
-+ * area to ensure it is mapped into the shadow user page
-+ * tables.
-+ */
-+ if (IS_ENABLED(CONFIG_KAISER))
-+ set_pgd(native_get_shadow_pgd(pgd_p),
-+ __pgd(_KERNPG_TABLE | __pa((pud_t *)espfix_pud_page)));
-
- /* Randomize the locations */
- init_espfix_random();
-diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 9e849b5..5775379 100644
---- a/arch/x86/kernel/head_64.S
-+++ b/arch/x86/kernel/head_64.S
-@@ -406,11 +406,24 @@ GLOBAL(early_recursion_flag)
- GLOBAL(name)
-
- #ifdef CONFIG_KAISER
-+/*
-+ * Each PGD needs to be 8k long and 8k aligned. We do not
-+ * ever go out to userspace with these, so we do not
-+ * strictly *need* the second page, but this allows us to
-+ * have a single set_pgd() implementation that does not
-+ * need to worry about whether it has 4k or 8k to work
-+ * with.
-+ *
-+ * This ensures PGDs are 8k long:
-+ */
-+#define KAISER_USER_PGD_FILL 512
-+/* This ensures they are 8k-aligned: */
- #define NEXT_PGD_PAGE(name) \
- .balign 2 * PAGE_SIZE; \
- GLOBAL(name)
- #else
- #define NEXT_PGD_PAGE(name) NEXT_PAGE(name)
-+#define KAISER_USER_PGD_FILL 0
- #endif
-
- /* Automate the creation of 1 to 1 mapping pmd entries */
-@@ -425,6 +438,7 @@ GLOBAL(name)
- NEXT_PGD_PAGE(early_level4_pgt)
- .fill 511,8,0
- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
-+ .fill KAISER_USER_PGD_FILL,8,0
-
- NEXT_PAGE(early_dynamic_pgts)
- .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
-@@ -433,7 +447,8 @@ NEXT_PAGE(early_dynamic_pgts)
-
- #ifndef CONFIG_XEN
- NEXT_PGD_PAGE(init_level4_pgt)
-- .fill 2*512,8,0
-+ .fill 512,8,0
-+ .fill KAISER_USER_PGD_FILL,8,0
- #else
- NEXT_PGD_PAGE(init_level4_pgt)
- .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
-@@ -442,6 +457,7 @@ NEXT_PGD_PAGE(init_level4_pgt)
- .org init_level4_pgt + L4_START_KERNEL*8, 0
- /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
-+ .fill KAISER_USER_PGD_FILL,8,0
-
- NEXT_PAGE(level3_ident_pgt)
- .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
-@@ -452,6 +468,7 @@ NEXT_PAGE(level2_ident_pgt)
- */
- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
- #endif
-+ .fill KAISER_USER_PGD_FILL,8,0
-
- NEXT_PAGE(level3_kernel_pgt)
- .fill L3_START_KERNEL,8,0
-diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index 6707039..3c2d55b 100644
---- a/arch/x86/kernel/ldt.c
-+++ b/arch/x86/kernel/ldt.c
-@@ -17,6 +17,7 @@
- #include <linux/uaccess.h>
-
- #include <asm/ldt.h>
-+#include <asm/kaiser.h>
- #include <asm/desc.h>
- #include <asm/mmu_context.h>
- #include <asm/syscalls.h>
-@@ -33,11 +34,21 @@ static void flush_ldt(void *current_mm)
- set_ldt(pc->ldt->entries, pc->ldt->size);
- }
-
-+static void __free_ldt_struct(struct ldt_struct *ldt)
-+{
-+ if (ldt->size * LDT_ENTRY_SIZE > PAGE_SIZE)
-+ vfree(ldt->entries);
-+ else
-+ free_page((unsigned long)ldt->entries);
-+ kfree(ldt);
-+}
-+
- /* The caller must call finalize_ldt_struct on the result. LDT starts zeroed. */
- static struct ldt_struct *alloc_ldt_struct(int size)
- {
- struct ldt_struct *new_ldt;
- int alloc_size;
-+ int ret = 0;
-
- if (size > LDT_ENTRIES)
- return NULL;
-@@ -65,6 +76,14 @@ static struct ldt_struct *alloc_ldt_struct(int size)
- return NULL;
- }
-
-+ // FIXME: make kaiser_add_mapping() return an error code
-+ // when it fails
-+ kaiser_add_mapping((unsigned long)new_ldt->entries, alloc_size,
-+ __PAGE_KERNEL);
-+ if (ret) {
-+ __free_ldt_struct(new_ldt);
-+ return NULL;
-+ }
- new_ldt->size = size;
- return new_ldt;
- }
-@@ -91,12 +110,10 @@ static void free_ldt_struct(struct ldt_struct *ldt)
- if (likely(!ldt))
- return;
-
-+ kaiser_remove_mapping((unsigned long)ldt->entries,
-+ ldt->size * LDT_ENTRY_SIZE);
- paravirt_free_ldt(ldt->entries, ldt->size);
-- if (ldt->size * LDT_ENTRY_SIZE > PAGE_SIZE)
-- vfree(ldt->entries);
-- else
-- free_page((unsigned long)ldt->entries);
-- kfree(ldt);
-+ __free_ldt_struct(ldt);
- }
-
- /*
-diff --git a/arch/x86/kernel/tracepoint.c b/arch/x86/kernel/tracepoint.c
-index 1c113db..2bb5ee4 100644
---- a/arch/x86/kernel/tracepoint.c
-+++ b/arch/x86/kernel/tracepoint.c
-@@ -9,10 +9,12 @@
- #include <linux/atomic.h>
-
- atomic_t trace_idt_ctr = ATOMIC_INIT(0);
-+__aligned(PAGE_SIZE)
- struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1,
- (unsigned long) trace_idt_table };
-
- /* No need to be aligned, but done to keep all IDTs defined the same way. */
-+__aligned(PAGE_SIZE)
- gate_desc trace_idt_table[NR_VECTORS] __page_aligned_bss;
-
- static int trace_irq_vector_refcount;
-diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
-index cf1bb92..7270a29 100644
---- a/arch/x86/mm/kaiser.c
-+++ b/arch/x86/mm/kaiser.c
-@@ -1,160 +1,305 @@
--
--
-+#include <linux/bug.h>
- #include <linux/kernel.h>
- #include <linux/errno.h>
- #include <linux/string.h>
- #include <linux/types.h>
- #include <linux/bug.h>
- #include <linux/init.h>
-+#include <linux/interrupt.h>
- #include <linux/spinlock.h>
- #include <linux/mm.h>
--
- #include <linux/uaccess.h>
-+
-+#include <asm/kaiser.h>
- #include <asm/pgtable.h>
- #include <asm/pgalloc.h>
- #include <asm/desc.h>
- #ifdef CONFIG_KAISER
-
- __visible DEFINE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
-+/*
-+ * At runtime, the only things we map are some things for CPU
-+ * hotplug, and stacks for new processes. No two CPUs will ever
-+ * be populating the same addresses, so we only need to ensure
-+ * that we protect between two CPUs trying to allocate and
-+ * populate the same page table page.
-+ *
-+ * Only take this lock when doing a set_p[4um]d(), but it is not
-+ * needed for doing a set_pte(). We assume that only the *owner*
-+ * of a given allocation will be doing this for _their_
-+ * allocation.
-+ *
-+ * This ensures that once a system has been running for a while
-+ * and there have been stacks all over and these page tables
-+ * are fully populated, there will be no further acquisitions of
-+ * this lock.
-+ */
-+static DEFINE_SPINLOCK(shadow_table_allocation_lock);
-
--/**
-- * Get the real ppn from a address in kernel mapping.
-- * @param address The virtual adrress
-- * @return the physical address
-+/*
-+ * Returns -1 on error.
- */
--static inline unsigned long get_pa_from_mapping (unsigned long address)
-+static inline unsigned long get_pa_from_mapping(unsigned long vaddr)
- {
- pgd_t *pgd;
- pud_t *pud;
- pmd_t *pmd;
- pte_t *pte;
-
-- pgd = pgd_offset_k(address);
-- BUG_ON(pgd_none(*pgd) || pgd_large(*pgd));
--
-- pud = pud_offset(pgd, address);
-- BUG_ON(pud_none(*pud));
-+ pgd = pgd_offset_k(vaddr);
-+ /*
-+ * We made all the kernel PGDs present in kaiser_init().
-+ * We expect them to stay that way.
-+ */
-+ BUG_ON(pgd_none(*pgd));
-+ /*
-+ * PGDs are either 512GB or 128TB on all x86_64
-+ * configurations. We don't handle these.
-+ */
-+ BUG_ON(pgd_large(*pgd));
-
-- if (pud_large(*pud)) {
-- return (pud_pfn(*pud) << PAGE_SHIFT) | (address & ~PUD_PAGE_MASK);
-+ pud = pud_offset(pgd, vaddr);
-+ if (pud_none(*pud)) {
-+ WARN_ON_ONCE(1);
-+ return -1;
- }
-
-- pmd = pmd_offset(pud, address);
-- BUG_ON(pmd_none(*pmd));
-+ if (pud_large(*pud))
-+ return (pud_pfn(*pud) << PAGE_SHIFT) | (vaddr & ~PUD_PAGE_MASK);
-
-- if (pmd_large(*pmd)) {
-- return (pmd_pfn(*pmd) << PAGE_SHIFT) | (address & ~PMD_PAGE_MASK);
-+ pmd = pmd_offset(pud, vaddr);
-+ if (pmd_none(*pmd)) {
-+ WARN_ON_ONCE(1);
-+ return -1;
- }
-
-- pte = pte_offset_kernel(pmd, address);
-- BUG_ON(pte_none(*pte));
-+ if (pmd_large(*pmd))
-+ return (pmd_pfn(*pmd) << PAGE_SHIFT) | (vaddr & ~PMD_PAGE_MASK);
-
-- return (pte_pfn(*pte) << PAGE_SHIFT) | (address & ~PAGE_MASK);
-+ pte = pte_offset_kernel(pmd, vaddr);
-+ if (pte_none(*pte)) {
-+ WARN_ON_ONCE(1);
-+ return -1;
-+ }
-+
-+ return (pte_pfn(*pte) << PAGE_SHIFT) | (vaddr & ~PAGE_MASK);
- }
-
--void _kaiser_copy (unsigned long start_addr, unsigned long size,
-- unsigned long flags)
-+/*
-+ * This is a relatively normal page table walk, except that it
-+ * also tries to allocate page tables pages along the way.
-+ *
-+ * Returns a pointer to a PTE on success, or NULL on failure.
-+ */
-+static pte_t *kaiser_pagetable_walk(unsigned long address, bool is_atomic)
- {
-- pgd_t *pgd;
-- pud_t *pud;
- pmd_t *pmd;
-- pte_t *pte;
-- unsigned long address;
-- unsigned long end_addr = start_addr + size;
-- unsigned long target_address;
-+ pud_t *pud;
-+ pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(address));
-+ gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
-
-- for (address = PAGE_ALIGN(start_addr - (PAGE_SIZE - 1));
-- address < PAGE_ALIGN(end_addr); address += PAGE_SIZE) {
-- target_address = get_pa_from_mapping(address);
-+ might_sleep();
-+ if (is_atomic) {
-+ gfp &= ~GFP_KERNEL;
-+ gfp |= __GFP_HIGH | __GFP_ATOMIC;
-+ }
-
-- pgd = native_get_shadow_pgd(pgd_offset_k(address));
-+ if (pgd_none(*pgd)) {
-+ WARN_ONCE(1, "All shadow pgds should have been populated");
-+ return NULL;
-+ }
-+ BUILD_BUG_ON(pgd_large(*pgd) != 0);
-
-- BUG_ON(pgd_none(*pgd) && "All shadow pgds should be mapped at this time\n");
-- BUG_ON(pgd_large(*pgd));
-+ pud = pud_offset(pgd, address);
-+ /* The shadow page tables do not use large mappings: */
-+ if (pud_large(*pud)) {
-+ WARN_ON(1);
-+ return NULL;
-+ }
-+ if (pud_none(*pud)) {
-+ unsigned long new_pmd_page = __get_free_page(gfp);
-+ if (!new_pmd_page)
-+ return NULL;
-+ spin_lock(&shadow_table_allocation_lock);
-+ if (pud_none(*pud))
-+ set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page)));
-+ else
-+ free_page(new_pmd_page);
-+ spin_unlock(&shadow_table_allocation_lock);
-+ }
-
-- pud = pud_offset(pgd, address);
-- if (pud_none(*pud)) {
-- set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd_alloc_one(0, address))));
-- }
-- BUG_ON(pud_large(*pud));
-+ pmd = pmd_offset(pud, address);
-+ /* The shadow page tables do not use large mappings: */
-+ if (pmd_large(*pmd)) {
-+ WARN_ON(1);
-+ return NULL;
-+ }
-+ if (pmd_none(*pmd)) {
-+ unsigned long new_pte_page = __get_free_page(gfp);
-+ if (!new_pte_page)
-+ return NULL;
-+ spin_lock(&shadow_table_allocation_lock);
-+ if (pmd_none(*pmd))
-+ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(new_pte_page)));
-+ else
-+ free_page(new_pte_page);
-+ spin_unlock(&shadow_table_allocation_lock);
-+ }
-
-- pmd = pmd_offset(pud, address);
-- if (pmd_none(*pmd)) {
-- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte_alloc_one_kernel(0, address))));
-- }
-- BUG_ON(pmd_large(*pmd));
-+ return pte_offset_kernel(pmd, address);
-+}
-
-- pte = pte_offset_kernel(pmd, address);
-+int kaiser_add_user_map(const void *__start_addr, unsigned long size,
-+ unsigned long flags)
-+{
-+ int ret = 0;
-+ pte_t *pte;
-+ unsigned long start_addr = (unsigned long )__start_addr;
-+ unsigned long address = start_addr & PAGE_MASK;
-+ unsigned long end_addr = PAGE_ALIGN(start_addr + size);
-+ unsigned long target_address;
-+
-+ for (;address < end_addr; address += PAGE_SIZE) {
-+ target_address = get_pa_from_mapping(address);
-+ if (target_address == -1) {
-+ ret = -EIO;
-+ break;
-+ }
-+ pte = kaiser_pagetable_walk(address, false);
- if (pte_none(*pte)) {
- set_pte(pte, __pte(flags | target_address));
- } else {
-- BUG_ON(__pa(pte_page(*pte)) != target_address);
-+ pte_t tmp;
-+ set_pte(&tmp, __pte(flags | target_address));
-+ WARN_ON_ONCE(!pte_same(*pte, tmp));
- }
- }
-+ return ret;
-+}
-+
-+static int kaiser_add_user_map_ptrs(const void *start, const void *end, unsigned long flags)
-+{
-+ unsigned long size = end - start;
-+
-+ return kaiser_add_user_map(start, size, flags);
- }
-
--// at first, add a pmd for every pgd entry in the shadowmem-kernel-part of the kernel mapping
--static inline void __init _kaiser_init(void)
-+/*
-+ * Ensure that the top level of the (shadow) page tables are
-+ * entirely populated. This ensures that all processes that get
-+ * forked have the same entries. This way, we do not have to
-+ * ever go set up new entries in older processes.
-+ *
-+ * Note: we never free these, so there are no updates to them
-+ * after this.
-+ */
-+static void __init kaiser_init_all_pgds(void)
- {
- pgd_t *pgd;
- int i = 0;
-
- pgd = native_get_shadow_pgd(pgd_offset_k((unsigned long )0));
- for (i = PTRS_PER_PGD / 2; i < PTRS_PER_PGD; i++) {
-- set_pgd(pgd + i, __pgd(_PAGE_TABLE |__pa(pud_alloc_one(0, 0))));
-+ pgd_t new_pgd;
-+ pud_t *pud = pud_alloc_one(&init_mm, PAGE_OFFSET + i * PGDIR_SIZE);
-+ if (!pud) {
-+ WARN_ON(1);
-+ break;
-+ }
-+ new_pgd = __pgd(_KERNPG_TABLE |__pa(pud));
-+ /*
-+ * Make sure not to stomp on some other pgd entry.
-+ */
-+ if (!pgd_none(pgd[i])) {
-+ WARN_ON(1);
-+ continue;
-+ }
-+ set_pgd(pgd + i, new_pgd);
- }
- }
-
-+#define kaiser_add_user_map_early(start, size, flags) do { \
-+ int __ret = kaiser_add_user_map(start, size, flags); \
-+ WARN_ON(__ret); \
-+} while (0)
-+
-+#define kaiser_add_user_map_ptrs_early(start, end, flags) do { \
-+ int __ret = kaiser_add_user_map_ptrs(start, end, flags); \
-+ WARN_ON(__ret); \
-+} while (0)
-+
- extern char __per_cpu_user_mapped_start[], __per_cpu_user_mapped_end[];
--spinlock_t shadow_table_lock;
-+/*
-+ * If anything in here fails, we will likely die on one of the
-+ * first kernel->user transitions and init will die. But, we
-+ * will have most of the kernel up by then and should be able to
-+ * get a clean warning out of it. If we BUG_ON() here, we run
-+ * the risk of being before we have good console output.
-+ */
- void __init kaiser_init(void)
- {
- int cpu;
-- spin_lock_init(&shadow_table_lock);
--
-- spin_lock(&shadow_table_lock);
-
-- _kaiser_init();
-+ kaiser_init_all_pgds();
-
- for_each_possible_cpu(cpu) {
-- // map the per cpu user variables
-- _kaiser_copy(
-- (unsigned long) (__per_cpu_user_mapped_start + per_cpu_offset(cpu)),
-- (unsigned long) __per_cpu_user_mapped_end - (unsigned long) __per_cpu_user_mapped_start,
-- __PAGE_KERNEL);
-+ void *percpu_vaddr = __per_cpu_user_mapped_start +
-+ per_cpu_offset(cpu);
-+ unsigned long percpu_sz = __per_cpu_user_mapped_end -
-+ __per_cpu_user_mapped_start;
-+ kaiser_add_user_map_early(percpu_vaddr, percpu_sz,
-+ __PAGE_KERNEL);
- }
-
-- // map the entry/exit text section, which is responsible to switch between user- and kernel mode
-- _kaiser_copy(
-- (unsigned long) __entry_text_start,
-- (unsigned long) __entry_text_end - (unsigned long) __entry_text_start,
-- __PAGE_KERNEL_RX);
-+ /*
-+ * Map the entry/exit text section, which is needed at
-+ * switches from user to and from kernel.
-+ */
-+ kaiser_add_user_map_ptrs_early(__entry_text_start, __entry_text_end,
-+ __PAGE_KERNEL_RX);
-
-- // the fixed map address of the idt_table
-- _kaiser_copy(
-- (unsigned long) idt_descr.address,
-- sizeof(gate_desc) * NR_VECTORS,
-- __PAGE_KERNEL_RO);
--
-- spin_unlock(&shadow_table_lock);
-+#if defined(CONFIG_FUNCTION_GRAPH_TRACER) || defined(CONFIG_KASAN)
-+ kaiser_add_user_map_ptrs_early(__irqentry_text_start,
-+ __irqentry_text_end,
-+ __PAGE_KERNEL_RX);
-+#endif
-+ kaiser_add_user_map_early((void *)idt_descr.address,
-+ sizeof(gate_desc) * NR_VECTORS,
-+ __PAGE_KERNEL_RO);
-+#ifdef CONFIG_TRACING
-+ kaiser_add_user_map_early(&trace_idt_descr,
-+ sizeof(trace_idt_descr),
-+ __PAGE_KERNEL);
-+ kaiser_add_user_map_early(&trace_idt_table,
-+ sizeof(gate_desc) * NR_VECTORS,
-+ __PAGE_KERNEL);
-+#endif
-+ kaiser_add_user_map_early(&debug_idt_descr, sizeof(debug_idt_descr),
-+ __PAGE_KERNEL);
-+ kaiser_add_user_map_early(&debug_idt_table,
-+ sizeof(gate_desc) * NR_VECTORS,
-+ __PAGE_KERNEL);
- }
-
-+extern void unmap_pud_range_nofree(pgd_t *pgd, unsigned long start, unsigned long end);
- // add a mapping to the shadow-mapping, and synchronize the mappings
--void kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags)
-+int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags)
- {
-- spin_lock(&shadow_table_lock);
-- _kaiser_copy(addr, size, flags);
-- spin_unlock(&shadow_table_lock);
-+ return kaiser_add_user_map((const void *)addr, size, flags);
- }
-
--extern void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end);
- void kaiser_remove_mapping(unsigned long start, unsigned long size)
- {
-- pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(start));
-- spin_lock(&shadow_table_lock);
-- do {
-- unmap_pud_range(pgd, start, start + size);
-- } while (pgd++ != native_get_shadow_pgd(pgd_offset_k(start + size)));
-- spin_unlock(&shadow_table_lock);
-+ unsigned long end = start + size;
-+ unsigned long addr;
-+
-+ for (addr = start; addr < end; addr += PGDIR_SIZE) {
-+ pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(addr));
-+ /*
-+ * unmap_p4d_range() handles > P4D_SIZE unmaps,
-+ * so no need to trim 'end'.
-+ */
-+ unmap_pud_range_nofree(pgd, addr, end);
-+ }
- }
- #endif /* CONFIG_KAISER */
-diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index c17412f..73dcb0e1 100644
---- a/arch/x86/mm/pageattr.c
-+++ b/arch/x86/mm/pageattr.c
-@@ -52,6 +52,7 @@ static DEFINE_SPINLOCK(cpa_lock);
- #define CPA_FLUSHTLB 1
- #define CPA_ARRAY 2
- #define CPA_PAGES_ARRAY 4
-+#define CPA_FREE_PAGETABLES 8
-
- #ifdef CONFIG_PROC_FS
- static unsigned long direct_pages_count[PG_LEVEL_NUM];
-@@ -729,10 +730,13 @@ static int split_large_page(struct cpa_data *cpa, pte_t *kpte,
- return 0;
- }
-
--static bool try_to_free_pte_page(pte_t *pte)
-+static bool try_to_free_pte_page(struct cpa_data *cpa, pte_t *pte)
- {
- int i;
-
-+ if (!(cpa->flags & CPA_FREE_PAGETABLES))
-+ return false;
-+
- for (i = 0; i < PTRS_PER_PTE; i++)
- if (!pte_none(pte[i]))
- return false;
-@@ -741,10 +745,13 @@ static bool try_to_free_pte_page(pte_t *pte)
- return true;
- }
-
--static bool try_to_free_pmd_page(pmd_t *pmd)
-+static bool try_to_free_pmd_page(struct cpa_data *cpa, pmd_t *pmd)
- {
- int i;
-
-+ if (!(cpa->flags & CPA_FREE_PAGETABLES))
-+ return false;
-+
- for (i = 0; i < PTRS_PER_PMD; i++)
- if (!pmd_none(pmd[i]))
- return false;
-@@ -753,7 +760,9 @@ static bool try_to_free_pmd_page(pmd_t *pmd)
- return true;
- }
-
--static bool unmap_pte_range(pmd_t *pmd, unsigned long start, unsigned long end)
-+static bool unmap_pte_range(struct cpa_data *cpa, pmd_t *pmd,
-+ unsigned long start,
-+ unsigned long end)
- {
- pte_t *pte = pte_offset_kernel(pmd, start);
-
-@@ -764,22 +773,23 @@ static bool unmap_pte_range(pmd_t *pmd, unsigned long start, unsigned long end)
- pte++;
- }
-
-- if (try_to_free_pte_page((pte_t *)pmd_page_vaddr(*pmd))) {
-+ if (try_to_free_pte_page(cpa, (pte_t *)pmd_page_vaddr(*pmd))) {
- pmd_clear(pmd);
- return true;
- }
- return false;
- }
-
--static void __unmap_pmd_range(pud_t *pud, pmd_t *pmd,
-+static void __unmap_pmd_range(struct cpa_data *cpa, pud_t *pud, pmd_t *pmd,
- unsigned long start, unsigned long end)
- {
-- if (unmap_pte_range(pmd, start, end))
-- if (try_to_free_pmd_page((pmd_t *)pud_page_vaddr(*pud)))
-+ if (unmap_pte_range(cpa, pmd, start, end))
-+ if (try_to_free_pmd_page(cpa, (pmd_t *)pud_page_vaddr(*pud)))
- pud_clear(pud);
- }
-
--static void unmap_pmd_range(pud_t *pud, unsigned long start, unsigned long end)
-+static void unmap_pmd_range(struct cpa_data *cpa, pud_t *pud,
-+ unsigned long start, unsigned long end)
- {
- pmd_t *pmd = pmd_offset(pud, start);
-
-@@ -790,7 +800,7 @@ static void unmap_pmd_range(pud_t *pud, unsigned long start, unsigned long end)
- unsigned long next_page = (start + PMD_SIZE) & PMD_MASK;
- unsigned long pre_end = min_t(unsigned long, end, next_page);
-
-- __unmap_pmd_range(pud, pmd, start, pre_end);
-+ __unmap_pmd_range(cpa, pud, pmd, start, pre_end);
-
- start = pre_end;
- pmd++;
-@@ -803,7 +813,8 @@ static void unmap_pmd_range(pud_t *pud, unsigned long start, unsigned long end)
- if (pmd_large(*pmd))
- pmd_clear(pmd);
- else
-- __unmap_pmd_range(pud, pmd, start, start + PMD_SIZE);
-+ __unmap_pmd_range(cpa, pud, pmd,
-+ start, start + PMD_SIZE);
-
- start += PMD_SIZE;
- pmd++;
-@@ -813,17 +824,19 @@ static void unmap_pmd_range(pud_t *pud, unsigned long start, unsigned long end)
- * 4K leftovers?
- */
- if (start < end)
-- return __unmap_pmd_range(pud, pmd, start, end);
-+ return __unmap_pmd_range(cpa, pud, pmd, start, end);
-
- /*
- * Try again to free the PMD page if haven't succeeded above.
- */
- if (!pud_none(*pud))
-- if (try_to_free_pmd_page((pmd_t *)pud_page_vaddr(*pud)))
-+ if (try_to_free_pmd_page(cpa, (pmd_t *)pud_page_vaddr(*pud)))
- pud_clear(pud);
- }
-
--void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
-+static void __unmap_pud_range(struct cpa_data *cpa, pgd_t *pgd,
-+ unsigned long start,
-+ unsigned long end)
- {
- pud_t *pud = pud_offset(pgd, start);
-
-@@ -834,7 +847,7 @@ void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
- unsigned long next_page = (start + PUD_SIZE) & PUD_MASK;
- unsigned long pre_end = min_t(unsigned long, end, next_page);
-
-- unmap_pmd_range(pud, start, pre_end);
-+ unmap_pmd_range(cpa, pud, start, pre_end);
-
- start = pre_end;
- pud++;
-@@ -848,7 +861,7 @@ void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
- if (pud_large(*pud))
- pud_clear(pud);
- else
-- unmap_pmd_range(pud, start, start + PUD_SIZE);
-+ unmap_pmd_range(cpa, pud, start, start + PUD_SIZE);
-
- start += PUD_SIZE;
- pud++;
-@@ -858,7 +871,7 @@ void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
- * 2M leftovers?
- */
- if (start < end)
-- unmap_pmd_range(pud, start, end);
-+ unmap_pmd_range(cpa, pud, start, end);
-
- /*
- * No need to try to free the PUD page because we'll free it in
-@@ -866,6 +879,24 @@ void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
- */
- }
-
-+static void unmap_pud_range(pgd_t *pgd, unsigned long start, unsigned long end)
-+{
-+ struct cpa_data cpa = {
-+ .flags = CPA_FREE_PAGETABLES,
-+ };
-+
-+ __unmap_pud_range(&cpa, pgd, start, end);
-+}
-+
-+void unmap_pud_range_nofree(pgd_t *pgd, unsigned long start, unsigned long end)
-+{
-+ struct cpa_data cpa = {
-+ .flags = 0,
-+ };
-+
-+ __unmap_pud_range(&cpa, pgd, start, end);
-+}
-+
- static int alloc_pte_page(pmd_t *pmd)
- {
- pte_t *pte = (pte_t *)get_zeroed_page(GFP_KERNEL | __GFP_NOTRACK);
-diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index 27d218b..352fd01 100644
---- a/arch/x86/mm/pgtable.c
-+++ b/arch/x86/mm/pgtable.c
-@@ -344,40 +344,26 @@ static inline void _pgd_free(pgd_t *pgd)
- kmem_cache_free(pgd_cache, pgd);
- }
- #else
--static inline pgd_t *_pgd_alloc(void)
--{
-+
- #ifdef CONFIG_KAISER
-- // Instead of one PML4, we aquire two PML4s and, thus, an 8kb-aligned memory
-- // block. Therefore, we have to allocate at least 3 pages. However, the
-- // __get_free_pages returns us 4 pages. Hence, we store the base pointer at
-- // the beginning of the page of our 8kb-aligned memory block in order to
-- // correctly free it afterwars.
--
-- unsigned long pages = __get_free_pages(PGALLOC_GFP, get_order(4*PAGE_SIZE));
--
-- if(native_get_normal_pgd((pgd_t*) pages) == (pgd_t*) pages)
-- {
-- *((unsigned long*)(pages + 2 * PAGE_SIZE)) = pages;
-- return (pgd_t *) pages;
-- }
-- else
-- {
-- *((unsigned long*)(pages + 3 * PAGE_SIZE)) = pages;
-- return (pgd_t *) (pages + PAGE_SIZE);
-- }
-+/*
-+ * Instead of one pmd, we aquire two pmds. Being order-1, it is
-+ * both 8k in size and 8k-aligned. That lets us just flip bit 12
-+ * in a pointer to swap between the two 4k halves.
-+ */
-+#define PGD_ALLOCATION_ORDER 1
- #else
-- return (pgd_t *)__get_free_page(PGALLOC_GFP);
-+#define PGD_ALLOCATION_ORDER 0
- #endif
-+
-+static inline pgd_t *_pgd_alloc(void)
-+{
-+ return (pgd_t *)__get_free_pages(PGALLOC_GFP, PGD_ALLOCATION_ORDER);
- }
-
- static inline void _pgd_free(pgd_t *pgd)
- {
--#ifdef CONFIG_KAISER
-- unsigned long pages = *((unsigned long*) ((char*) pgd + 2 * PAGE_SIZE));
-- free_pages(pages, get_order(4*PAGE_SIZE));
--#else
-- free_page((unsigned long)pgd);
--#endif
-+ free_pages((unsigned long)pgd, PGD_ALLOCATION_ORDER);
- }
- #endif /* CONFIG_X86_PAE */
-
-diff --git a/include/linux/kaiser.h b/include/linux/kaiser.h
-new file mode 100644
-index 0000000..9db5433
---- /dev/null
-+++ b/include/linux/kaiser.h
-@@ -0,0 +1,26 @@
-+#ifndef _INCLUDE_KAISER_H
-+#define _INCLUDE_KAISER_H
-+
-+#ifdef CONFIG_KAISER
-+#include <asm/kaiser.h>
-+#else
-+
-+/*
-+ * These stubs are used whenever CONFIG_KAISER is off, which
-+ * includes architectures that support KAISER, but have it
-+ * disabled.
-+ */
-+
-+static inline void kaiser_init(void)
-+{
-+}
-+static inline void kaiser_remove_mapping(unsigned long start, unsigned long size)
-+{
-+}
-+static inline int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags)
-+{
-+ return 0;
-+}
-+
-+#endif /* !CONFIG_KAISER */
-+#endif /* _INCLUDE_KAISER_H */
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 61748d1..7ba50f1 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -58,6 +58,7 @@
- #include <linux/tsacct_kern.h>
- #include <linux/cn_proc.h>
- #include <linux/freezer.h>
-+#include <linux/kaiser.h>
- #include <linux/delayacct.h>
- #include <linux/taskstats_kern.h>
- #include <linux/random.h>
-@@ -472,7 +473,6 @@ void set_task_stack_end_magic(struct task_struct *tsk)
- *stackend = STACK_END_MAGIC; /* for overflow detection */
- }
-
--extern void kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags);
- static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
- {
- struct task_struct *tsk;
-@@ -500,9 +500,10 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
- * functions again.
- */
- tsk->stack = stack;
--#ifdef CONFIG_KAISER
-- kaiser_add_mapping((unsigned long)tsk->stack, THREAD_SIZE, __PAGE_KERNEL);
--#endif
-+
-+ err= kaiser_add_mapping((unsigned long)tsk->stack, THREAD_SIZE, __PAGE_KERNEL);
-+ if (err)
-+ goto free_stack;
- #ifdef CONFIG_VMAP_STACK
- tsk->stack_vm_area = stack_vm_area;
- #endif
-diff --git a/security/Kconfig b/security/Kconfig
-index f515ac3..334d2e8 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -32,12 +32,17 @@ config SECURITY
- If you are unsure how to answer this question, answer N.
- config KAISER
- bool "Remove the kernel mapping in user mode"
-+ default y
- depends on X86_64
- depends on !PARAVIRT
- help
- This enforces a strict kernel and user space isolation in order to close
- hardware side channels on kernel address information.
-
-+config KAISER_REAL_SWITCH
-+ bool "KAISER: actually switch page tables"
-+ default y
-+
- config SECURITYFS
- bool "Enable the securityfs filesystem"
- help
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch
deleted file mode 100644
index 5cff1af9..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 45e0a2316524254692219fce805e247dc8dadb20 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 6 Jun 2018 17:38:09 +0200
-Subject: [PATCH 05/10] kvm: x86: use correct privilege level for
- sgdt/sidt/fxsave/fxrstor access
-
-commit 3c9fa24ca7c9c47605672916491f79e8ccacb9e6 upstream.
-
-The functions that were used in the emulation of fxrstor, fxsave, sgdt and
-sidt were originally meant for task switching, and as such they did not
-check privilege levels. This is very bad when the same functions are used
-in the emulation of unprivileged instructions. This is CVE-2018-10853.
-
-The obvious fix is to add a new argument to ops->read_std and ops->write_std,
-which decides whether the access is a "system" access or should use the
-processor's CPL.
-
-Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/kvm_emulate.h | 6 ++++--
- arch/x86/kvm/emulate.c | 12 ++++++------
- arch/x86/kvm/x86.c | 18 ++++++++++++++----
- 3 files changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
-index e9cd7be..0b7d332 100644
---- a/arch/x86/include/asm/kvm_emulate.h
-+++ b/arch/x86/include/asm/kvm_emulate.h
-@@ -105,11 +105,12 @@ struct x86_emulate_ops {
- * @addr: [IN ] Linear address from which to read.
- * @val: [OUT] Value read from memory, zero-extended to 'u_long'.
- * @bytes: [IN ] Number of bytes to read from memory.
-+ * @system:[IN ] Whether the access is forced to be at CPL0.
- */
- int (*read_std)(struct x86_emulate_ctxt *ctxt,
- unsigned long addr, void *val,
- unsigned int bytes,
-- struct x86_exception *fault);
-+ struct x86_exception *fault, bool system);
-
- /*
- * read_phys: Read bytes of standard (non-emulated/special) memory.
-@@ -127,10 +128,11 @@ struct x86_emulate_ops {
- * @addr: [IN ] Linear address to which to write.
- * @val: [OUT] Value write to memory, zero-extended to 'u_long'.
- * @bytes: [IN ] Number of bytes to write to memory.
-+ * @system:[IN ] Whether the access is forced to be at CPL0.
- */
- int (*write_std)(struct x86_emulate_ctxt *ctxt,
- unsigned long addr, void *val, unsigned int bytes,
-- struct x86_exception *fault);
-+ struct x86_exception *fault, bool system);
- /*
- * fetch: Read bytes of standard (non-emulated/special) memory.
- * Used for instruction fetch.
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index b6ec3e9..1e96a5a 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -805,14 +805,14 @@ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
- static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
- void *data, unsigned size)
- {
-- return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
- }
-
- static int linear_write_system(struct x86_emulate_ctxt *ctxt,
- ulong linear, void *data,
- unsigned int size)
- {
-- return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
- }
-
- static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
-@@ -826,7 +826,7 @@ static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
- rc = linearize(ctxt, addr, size, false, &linear);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-- return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
- }
-
- static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
-@@ -840,7 +840,7 @@ static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
- rc = linearize(ctxt, addr, size, true, &linear);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-- return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
- }
-
- /*
-@@ -2893,12 +2893,12 @@ static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
- #ifdef CONFIG_X86_64
- base |= ((u64)base3) << 32;
- #endif
-- r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
-+ r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
- if (r != X86EMUL_CONTINUE)
- return false;
- if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
- return false;
-- r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
-+ r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
- if (r != X86EMUL_CONTINUE)
- return false;
- if ((perm >> bit_idx) & mask)
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index af8e120..2c4d91e 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4383,10 +4383,15 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
-
- static int emulator_read_std(struct x86_emulate_ctxt *ctxt,
- gva_t addr, void *val, unsigned int bytes,
-- struct x86_exception *exception)
-+ struct x86_exception *exception, bool system)
- {
- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-- return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
-+ u32 access = 0;
-+
-+ if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
-+ access |= PFERR_USER_MASK;
-+
-+ return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception);
- }
-
- static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
-@@ -4430,12 +4435,17 @@ static int kvm_write_guest_virt_helper(gva_t addr, void *val, unsigned int bytes
- }
-
- static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val,
-- unsigned int bytes, struct x86_exception *exception)
-+ unsigned int bytes, struct x86_exception *exception,
-+ bool system)
- {
- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-+ u32 access = PFERR_WRITE_MASK;
-+
-+ if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
-+ access |= PFERR_USER_MASK;
-
- return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
-- PFERR_WRITE_MASK, exception);
-+ access, exception);
- }
-
- int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-cpufeatures-Add-Intel-PCONFIG-cpufeature.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-cpufeatures-Add-Intel-PCONFIG-cpufeature.patch
deleted file mode 100644
index 1e33e521..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-cpufeatures-Add-Intel-PCONFIG-cpufeature.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a3032e35007a8178f448e471acb6bc6c972c087a Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Mon, 5 Mar 2018 19:25:51 +0300
-Subject: [PATCH 05/93] x86/cpufeatures: Add Intel PCONFIG cpufeature
-
-commit 7958b2246fadf54b7ff820a2a5a2c5ca1554716f upstream.
-
-CPUID.0x7.0x0:EDX[18] indicates whether Intel CPU support PCONFIG instruction.
-
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Kai Huang <kai.huang@linux.intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Tom Lendacky <thomas.lendacky@amd.com>
-Cc: linux-mm@kvack.org
-Link: http://lkml.kernel.org/r/20180305162610.37510-4-kirill.shutemov@linux.intel.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index ed7a1d2..a248531 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -302,6 +302,7 @@
- /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
- #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */
- #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
-+#define X86_FEATURE_PCONFIG (18*32+18) /* Intel PCONFIG */
- #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
- #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
- #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-microcode-AMD-Do-not-load-when-running-on-a-hype.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-microcode-AMD-Do-not-load-when-running-on-a-hype.patch
deleted file mode 100644
index bbb98553..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-microcode-AMD-Do-not-load-when-running-on-a-hype.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 56f0eb24f5e9ff1faf0818a928a6c4a1004aeef1 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <bp@suse.de>
-Date: Sun, 18 Dec 2016 17:44:13 +0100
-Subject: [PATCH 05/42] x86/microcode/AMD: Do not load when running on a
- hypervisor
-
-commit a15a753539eca8ba243d576f02e7ca9c4b7d7042 upstream.
-
-Doing so is completely void of sense for multiple reasons so prevent
-it. Set dis_ucode_ldr to true and thus disable the microcode loader by
-default to address xen pv guests which execute the AP path but not the
-BSP path.
-
-By having it turned off by default, the APs won't run into the loader
-either.
-
-Also, check CPUID(1).ECX[31] which hypervisors set. Well almost, not the
-xen pv one. That one gets the aforementioned "fix".
-
-Also, improve the detection method by caching the final decision whether
-to continue loading in dis_ucode_ldr and do it once on the BSP. The APs
-then simply test that value.
-
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Tested-by: Juergen Gross <jgross@suse.com>
-Tested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Acked-by: Juergen Gross <jgross@suse.com>
-Link: http://lkml.kernel.org/r/20161218164414.9649-4-bp@alien8.de
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Rolf Neugebauer <rolf.neugebauer@docker.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/microcode/core.c | 28 +++++++++++++++++++---------
- 1 file changed, 19 insertions(+), 9 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
-index 5ce5155..dc0b9f8 100644
---- a/arch/x86/kernel/cpu/microcode/core.c
-+++ b/arch/x86/kernel/cpu/microcode/core.c
-@@ -43,7 +43,7 @@
- #define MICROCODE_VERSION "2.01"
-
- static struct microcode_ops *microcode_ops;
--static bool dis_ucode_ldr;
-+static bool dis_ucode_ldr = true;
-
- /*
- * Synchronization.
-@@ -73,6 +73,7 @@ struct cpu_info_ctx {
- static bool __init check_loader_disabled_bsp(void)
- {
- static const char *__dis_opt_str = "dis_ucode_ldr";
-+ u32 a, b, c, d;
-
- #ifdef CONFIG_X86_32
- const char *cmdline = (const char *)__pa_nodebug(boot_command_line);
-@@ -85,8 +86,23 @@ static bool __init check_loader_disabled_bsp(void)
- bool *res = &dis_ucode_ldr;
- #endif
-
-- if (cmdline_find_option_bool(cmdline, option))
-- *res = true;
-+ if (!have_cpuid_p())
-+ return *res;
-+
-+ a = 1;
-+ c = 0;
-+ native_cpuid(&a, &b, &c, &d);
-+
-+ /*
-+ * CPUID(1).ECX[31]: reserved for hypervisor use. This is still not
-+ * completely accurate as xen pv guests don't see that CPUID bit set but
-+ * that's good enough as they don't land on the BSP path anyway.
-+ */
-+ if (c & BIT(31))
-+ return *res;
-+
-+ if (cmdline_find_option_bool(cmdline, option) <= 0)
-+ *res = false;
-
- return *res;
- }
-@@ -118,9 +134,6 @@ void __init load_ucode_bsp(void)
- if (check_loader_disabled_bsp())
- return;
-
-- if (!have_cpuid_p())
-- return;
--
- vendor = x86_cpuid_vendor();
- family = x86_cpuid_family();
-
-@@ -154,9 +167,6 @@ void load_ucode_ap(void)
- if (check_loader_disabled_ap())
- return;
-
-- if (!have_cpuid_p())
-- return;
--
- vendor = x86_cpuid_vendor();
- family = x86_cpuid_family();
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-mm-Give-each-mm-TLB-flush-generation-a-unique-ID.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-mm-Give-each-mm-TLB-flush-generation-a-unique-ID.patch
deleted file mode 100644
index b21b0f41..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-mm-Give-each-mm-TLB-flush-generation-a-unique-ID.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 9c30656e4da86d6c69ad832ed9cb3e549b939566 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Thu, 29 Jun 2017 08:53:15 -0700
-Subject: [PATCH 05/14] x86/mm: Give each mm TLB flush generation a unique ID
-
-commit f39681ed0f48498b80455095376f11535feea332 upstream.
-
-This adds two new variables to mmu_context_t: ctx_id and tlb_gen.
-ctx_id uniquely identifies the mm_struct and will never be reused.
-For a given mm_struct (and hence ctx_id), tlb_gen is a monotonic
-count of the number of times that a TLB flush has been requested.
-The pair (ctx_id, tlb_gen) can be used as an identifier for TLB
-flush actions and will be used in subsequent patches to reliably
-determine whether all needed TLB flushes have occurred on a given
-CPU.
-
-This patch is split out for ease of review. By itself, it has no
-real effect other than creating and updating the new variables.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Reviewed-by: Nadav Amit <nadav.amit@gmail.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: linux-mm@kvack.org
-Link: http://lkml.kernel.org/r/413a91c24dab3ed0caa5f4e4d017d87b0857f920.1498751203.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/mmu.h | 15 +++++++++++++--
- arch/x86/include/asm/mmu_context.h | 5 +++++
- arch/x86/mm/tlb.c | 2 ++
- 3 files changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
-index 8b272a0..e2e0934 100644
---- a/arch/x86/include/asm/mmu.h
-+++ b/arch/x86/include/asm/mmu.h
-@@ -3,12 +3,18 @@
-
- #include <linux/spinlock.h>
- #include <linux/mutex.h>
-+#include <linux/atomic.h>
-
- /*
-- * The x86 doesn't have a mmu context, but
-- * we put the segment information here.
-+ * x86 has arch-specific MMU state beyond what lives in mm_struct.
- */
- typedef struct {
-+ /*
-+ * ctx_id uniquely identifies this mm_struct. A ctx_id will never
-+ * be reused, and zero is not a valid ctx_id.
-+ */
-+ u64 ctx_id;
-+
- #ifdef CONFIG_MODIFY_LDT_SYSCALL
- struct ldt_struct *ldt;
- #endif
-@@ -33,6 +39,11 @@ typedef struct {
- #endif
- } mm_context_t;
-
-+#define INIT_MM_CONTEXT(mm) \
-+ .context = { \
-+ .ctx_id = 1, \
-+ }
-+
- void leave_mm(int cpu);
-
- #endif /* _ASM_X86_MMU_H */
-diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 762d6c6..1ed17c92 100644
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -12,6 +12,9 @@
- #include <asm/tlbflush.h>
- #include <asm/paravirt.h>
- #include <asm/mpx.h>
-+
-+extern atomic64_t last_mm_ctx_id;
-+
- #ifndef CONFIG_PARAVIRT
- static inline void paravirt_activate_mm(struct mm_struct *prev,
- struct mm_struct *next)
-@@ -106,6 +109,8 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
- static inline int init_new_context(struct task_struct *tsk,
- struct mm_struct *mm)
- {
-+ mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
-+
- #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
- if (cpu_feature_enabled(X86_FEATURE_OSPKE)) {
- /* pkey 0 is the default and always allocated */
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 613d07e..146e842 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -29,6 +29,8 @@
- * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
- */
-
-+atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1);
-+
- struct flush_tlb_info {
- struct mm_struct *flush_mm;
- unsigned long flush_start;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-speculation-Clean-up-various-Spectre-related-det.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-speculation-Clean-up-various-Spectre-related-det.patch
deleted file mode 100644
index e6531584..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-x86-speculation-Clean-up-various-Spectre-related-det.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 891112052277801e900b37496ca8c260a5e7e7e1 Mon Sep 17 00:00:00 2001
-From: Ingo Molnar <mingo@kernel.org>
-Date: Tue, 13 Feb 2018 09:03:08 +0100
-Subject: [PATCH 05/12] x86/speculation: Clean up various Spectre related
- details
-
-commit 21e433bdb95bdf3aa48226fd3d33af608437f293 upstream.
-
-Harmonize all the Spectre messages so that a:
-
- dmesg | grep -i spectre
-
-... gives us most Spectre related kernel boot messages.
-
-Also fix a few other details:
-
- - clarify a comment about firmware speculation control
-
- - s/KPTI/PTI
-
- - remove various line-breaks that made the code uglier
-
-Acked-by: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: linux-kernel@vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/bugs.c | 28 +++++++++++-----------------
- 1 file changed, 11 insertions(+), 17 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 957ad44..b83e0c9 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -161,8 +161,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
- if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
- return SPECTRE_V2_CMD_NONE;
- else {
-- ret = cmdline_find_option(boot_command_line, "spectre_v2", arg,
-- sizeof(arg));
-+ ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
- if (ret < 0)
- return SPECTRE_V2_CMD_AUTO;
-
-@@ -174,8 +173,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
- }
-
- if (i >= ARRAY_SIZE(mitigation_options)) {
-- pr_err("unknown option (%s). Switching to AUTO select\n",
-- mitigation_options[i].option);
-+ pr_err("unknown option (%s). Switching to AUTO select\n", mitigation_options[i].option);
- return SPECTRE_V2_CMD_AUTO;
- }
- }
-@@ -184,8 +182,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
- cmd == SPECTRE_V2_CMD_RETPOLINE_AMD ||
- cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) &&
- !IS_ENABLED(CONFIG_RETPOLINE)) {
-- pr_err("%s selected but not compiled in. Switching to AUTO select\n",
-- mitigation_options[i].option);
-+ pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option);
- return SPECTRE_V2_CMD_AUTO;
- }
-
-@@ -255,14 +252,14 @@ static void __init spectre_v2_select_mitigation(void)
- goto retpoline_auto;
- break;
- }
-- pr_err("kernel not compiled with retpoline; no mitigation available!");
-+ pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");
- return;
-
- retpoline_auto:
- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
- retpoline_amd:
- if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
-- pr_err("LFENCE not serializing. Switching to generic retpoline\n");
-+ pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
- goto retpoline_generic;
- }
- mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD :
-@@ -280,7 +277,7 @@ static void __init spectre_v2_select_mitigation(void)
- pr_info("%s\n", spectre_v2_strings[mode]);
-
- /*
-- * If neither SMEP or KPTI are available, there is a risk of
-+ * If neither SMEP nor PTI are available, there is a risk of
- * hitting userspace addresses in the RSB after a context switch
- * from a shallow call stack to a deeper one. To prevent this fill
- * the entire RSB, even when using IBRS.
-@@ -294,21 +291,20 @@ static void __init spectre_v2_select_mitigation(void)
- if ((!boot_cpu_has(X86_FEATURE_KAISER) &&
- !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
-- pr_info("Filling RSB on context switch\n");
-+ pr_info("Spectre v2 mitigation: Filling RSB on context switch\n");
- }
-
- /* Initialize Indirect Branch Prediction Barrier if supported */
- if (boot_cpu_has(X86_FEATURE_IBPB)) {
- setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
-- pr_info("Enabling Indirect Branch Prediction Barrier\n");
-+ pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
- }
- }
-
- #undef pr_fmt
-
- #ifdef CONFIG_SYSFS
--ssize_t cpu_show_meltdown(struct device *dev,
-- struct device_attribute *attr, char *buf)
-+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
- {
- if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
- return sprintf(buf, "Not affected\n");
-@@ -317,16 +313,14 @@ ssize_t cpu_show_meltdown(struct device *dev,
- return sprintf(buf, "Vulnerable\n");
- }
-
--ssize_t cpu_show_spectre_v1(struct device *dev,
-- struct device_attribute *attr, char *buf)
-+ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
- {
- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
- return sprintf(buf, "Not affected\n");
- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
- }
-
--ssize_t cpu_show_spectre_v2(struct device *dev,
-- struct device_attribute *attr, char *buf)
-+ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
- {
- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
- return sprintf(buf, "Not affected\n");
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-KVM-X86-Fix-operand-address-size-during-instruction-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-KVM-X86-Fix-operand-address-size-during-instruction-.patch
deleted file mode 100644
index 9430b597..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-KVM-X86-Fix-operand-address-size-during-instruction-.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 399e9dee4411858aa4eb8894f031ff68ab3b5e9f Mon Sep 17 00:00:00 2001
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-Date: Sun, 5 Nov 2017 16:54:47 -0800
-Subject: [PATCH 06/33] KVM: X86: Fix operand/address-size during instruction
- decoding
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 3853be2603191829b442b64dac6ae8ba0c027bf9 ]
-
-Pedro reported:
- During tests that we conducted on KVM, we noticed that executing a "PUSH %ES"
- instruction under KVM produces different results on both memory and the SP
- register depending on whether EPT support is enabled. With EPT the SP is
- reduced by 4 bytes (and the written value is 0-padded) but without EPT support
- it is only reduced by 2 bytes. The difference can be observed when the CS.DB
- field is 1 (32-bit) but not when it's 0 (16-bit).
-
-The internal segment descriptor cache exist even in real/vm8096 mode. The CS.D
-also should be respected instead of just default operand/address-size/66H
-prefix/67H prefix during instruction decoding. This patch fixes it by also
-adjusting operand/address-size according to CS.D.
-
-Reported-by: Pedro Fonseca <pfonseca@cs.washington.edu>
-Tested-by: Pedro Fonseca <pfonseca@cs.washington.edu>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Cc: Nadav Amit <nadav.amit@gmail.com>
-Cc: Pedro Fonseca <pfonseca@cs.washington.edu>
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/emulate.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 9f676ad..9984daf 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -4971,6 +4971,8 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
- bool op_prefix = false;
- bool has_seg_override = false;
- struct opcode opcode;
-+ u16 dummy;
-+ struct desc_struct desc;
-
- ctxt->memop.type = OP_NONE;
- ctxt->memopp = NULL;
-@@ -4989,6 +4991,11 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
- switch (mode) {
- case X86EMUL_MODE_REAL:
- case X86EMUL_MODE_VM86:
-+ def_op_bytes = def_ad_bytes = 2;
-+ ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
-+ if (desc.d)
-+ def_op_bytes = def_ad_bytes = 4;
-+ break;
- case X86EMUL_MODE_PROT16:
- def_op_bytes = def_ad_bytes = 2;
- break;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-kaiser-do-not-set-_PAGE_NX-on-pgd_none.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-kaiser-do-not-set-_PAGE_NX-on-pgd_none.patch
deleted file mode 100644
index 973bd7f6..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-kaiser-do-not-set-_PAGE_NX-on-pgd_none.patch
+++ /dev/null
@@ -1,212 +0,0 @@
-From 495d2eaaa7862a3ad27140ad0876ae931ddd5e80 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Tue, 5 Sep 2017 12:05:01 -0700
-Subject: [PATCH 006/103] kaiser: do not set _PAGE_NX on pgd_none
-
-native_pgd_clear() uses native_set_pgd(), so native_set_pgd() must
-avoid setting the _PAGE_NX bit on an otherwise pgd_none() entry:
-usually that just generated a warning on exit, but sometimes
-more mysterious and damaging failures (our production machines
-could not complete booting).
-
-The original fix to this just avoided adding _PAGE_NX to
-an empty entry; but eventually more problems surfaced with kexec,
-and EFI mapping expected to be a problem too. So now instead
-change native_set_pgd() to update shadow only if _PAGE_USER:
-
-A few places (kernel/machine_kexec_64.c, platform/efi/efi_64.c for sure)
-use set_pgd() to set up a temporary internal virtual address space, with
-physical pages remapped at what Kaiser regards as userspace addresses:
-Kaiser then assumes a shadow pgd follows, which it will try to corrupt.
-
-This appears to be responsible for the recent kexec and kdump failures;
-though it's unclear how those did not manifest as a problem before.
-Ah, the shadow pgd will only be assumed to "follow" if the requested
-pgd is on an even-numbered page: so I suppose it was going wrong 50%
-of the time all along.
-
-What we need is a flag to set_pgd(), to tell it we're dealing with
-userspace. Er, isn't that what the pgd's _PAGE_USER bit is saying?
-Add a test for that. But we cannot do the same for pgd_clear()
-(which may be called to clear corrupted entries - set aside the
-question of "corrupt in which pgd?" until later), so there just
-rely on pgd_clear() not being called in the problematic cases -
-with a WARN_ON_ONCE() which should fire half the time if it is.
-
-But this is getting too big for an inline function: move it into
-arch/x86/mm/kaiser.c (which then demands a boot/compressed mod);
-and de-void and de-space native_get_shadow/normal_pgd() while here.
-
-Also make an unnecessary change to KASLR's init_trampoline(): it was
-using set_pgd() to assign a pgd-value to a global variable (not in a
-pg directory page), which was rather scary given Kaiser's previous
-set_pgd() implementation: not a problem now, but too scary to leave
-as was, it could easily blow up if we have to change set_pgd() again.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/boot/compressed/misc.h | 1 +
- arch/x86/include/asm/pgtable_64.h | 51 ++++++++++-----------------------------
- arch/x86/mm/kaiser.c | 42 ++++++++++++++++++++++++++++++++
- arch/x86/mm/kaslr.c | 4 +--
- 4 files changed, 58 insertions(+), 40 deletions(-)
-
-diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
-index 1c8355e..cd80024 100644
---- a/arch/x86/boot/compressed/misc.h
-+++ b/arch/x86/boot/compressed/misc.h
-@@ -9,6 +9,7 @@
- */
- #undef CONFIG_PARAVIRT
- #undef CONFIG_PARAVIRT_SPINLOCKS
-+#undef CONFIG_KAISER
- #undef CONFIG_KASAN
-
- #include <linux/linkage.h>
-diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
-index 000265c..177caf3 100644
---- a/arch/x86/include/asm/pgtable_64.h
-+++ b/arch/x86/include/asm/pgtable_64.h
-@@ -107,61 +107,36 @@ static inline void native_pud_clear(pud_t *pud)
- }
-
- #ifdef CONFIG_KAISER
--static inline pgd_t * native_get_shadow_pgd(pgd_t *pgdp)
-+extern pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd);
-+
-+static inline pgd_t *native_get_shadow_pgd(pgd_t *pgdp)
- {
-- return (pgd_t *)(void*)((unsigned long)(void*)pgdp | (unsigned long)PAGE_SIZE);
-+ return (pgd_t *)((unsigned long)pgdp | (unsigned long)PAGE_SIZE);
- }
-
--static inline pgd_t * native_get_normal_pgd(pgd_t *pgdp)
-+static inline pgd_t *native_get_normal_pgd(pgd_t *pgdp)
- {
-- return (pgd_t *)(void*)((unsigned long)(void*)pgdp & ~(unsigned long)PAGE_SIZE);
-+ return (pgd_t *)((unsigned long)pgdp & ~(unsigned long)PAGE_SIZE);
- }
- #else
--static inline pgd_t * native_get_shadow_pgd(pgd_t *pgdp)
-+static inline pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd)
-+{
-+ return pgd;
-+}
-+static inline pgd_t *native_get_shadow_pgd(pgd_t *pgdp)
- {
- BUILD_BUG_ON(1);
- return NULL;
- }
--static inline pgd_t * native_get_normal_pgd(pgd_t *pgdp)
-+static inline pgd_t *native_get_normal_pgd(pgd_t *pgdp)
- {
- return pgdp;
- }
- #endif /* CONFIG_KAISER */
-
--/*
-- * Page table pages are page-aligned. The lower half of the top
-- * level is used for userspace and the top half for the kernel.
-- * This returns true for user pages that need to get copied into
-- * both the user and kernel copies of the page tables, and false
-- * for kernel pages that should only be in the kernel copy.
-- */
--static inline bool is_userspace_pgd(void *__ptr)
--{
-- unsigned long ptr = (unsigned long)__ptr;
--
-- return ((ptr % PAGE_SIZE) < (PAGE_SIZE / 2));
--}
--
- static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
- {
--#ifdef CONFIG_KAISER
-- pteval_t extra_kern_pgd_flags = 0;
-- /* Do we need to also populate the shadow pgd? */
-- if (is_userspace_pgd(pgdp)) {
-- native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
-- /*
-- * Even if the entry is *mapping* userspace, ensure
-- * that userspace can not use it. This way, if we
-- * get out to userspace running on the kernel CR3,
-- * userspace will crash instead of running.
-- */
-- extra_kern_pgd_flags = _PAGE_NX;
-- }
-- pgdp->pgd = pgd.pgd;
-- pgdp->pgd |= extra_kern_pgd_flags;
--#else /* CONFIG_KAISER */
-- *pgdp = pgd;
--#endif
-+ *pgdp = kaiser_set_shadow_pgd(pgdp, pgd);
- }
-
- static inline void native_pgd_clear(pgd_t *pgd)
-diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
-index 7270a29..8d6061c 100644
---- a/arch/x86/mm/kaiser.c
-+++ b/arch/x86/mm/kaiser.c
-@@ -302,4 +302,46 @@ void kaiser_remove_mapping(unsigned long start, unsigned long size)
- unmap_pud_range_nofree(pgd, addr, end);
- }
- }
-+
-+/*
-+ * Page table pages are page-aligned. The lower half of the top
-+ * level is used for userspace and the top half for the kernel.
-+ * This returns true for user pages that need to get copied into
-+ * both the user and kernel copies of the page tables, and false
-+ * for kernel pages that should only be in the kernel copy.
-+ */
-+static inline bool is_userspace_pgd(pgd_t *pgdp)
-+{
-+ return ((unsigned long)pgdp % PAGE_SIZE) < (PAGE_SIZE / 2);
-+}
-+
-+pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd)
-+{
-+ /*
-+ * Do we need to also populate the shadow pgd? Check _PAGE_USER to
-+ * skip cases like kexec and EFI which make temporary low mappings.
-+ */
-+ if (pgd.pgd & _PAGE_USER) {
-+ if (is_userspace_pgd(pgdp)) {
-+ native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
-+ /*
-+ * Even if the entry is *mapping* userspace, ensure
-+ * that userspace can not use it. This way, if we
-+ * get out to userspace running on the kernel CR3,
-+ * userspace will crash instead of running.
-+ */
-+ pgd.pgd |= _PAGE_NX;
-+ }
-+ } else if (!pgd.pgd) {
-+ /*
-+ * pgd_clear() cannot check _PAGE_USER, and is even used to
-+ * clear corrupted pgd entries: so just rely on cases like
-+ * kexec and EFI never to be using pgd_clear().
-+ */
-+ if (!WARN_ON_ONCE((unsigned long)pgdp & PAGE_SIZE) &&
-+ is_userspace_pgd(pgdp))
-+ native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
-+ }
-+ return pgd;
-+}
- #endif /* CONFIG_KAISER */
-diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
-index aed2064..9284ec1 100644
---- a/arch/x86/mm/kaslr.c
-+++ b/arch/x86/mm/kaslr.c
-@@ -189,6 +189,6 @@ void __meminit init_trampoline(void)
- *pud_tramp = *pud;
- }
-
-- set_pgd(&trampoline_pgd_entry,
-- __pgd(_KERNPG_TABLE | __pa(pud_page_tramp)));
-+ /* Avoid set_pgd(), in case it's complicated by CONFIG_KAISER */
-+ trampoline_pgd_entry = __pgd(_KERNPG_TABLE | __pa(pud_page_tramp));
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-retpoline-Remove-the-esp-rsp-thunk.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-retpoline-Remove-the-esp-rsp-thunk.patch
deleted file mode 100644
index e91992c0..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-retpoline-Remove-the-esp-rsp-thunk.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From bd9bf4f96e31d86d230db1f5243608f3a500123d Mon Sep 17 00:00:00 2001
-From: Waiman Long <longman@redhat.com>
-Date: Mon, 22 Jan 2018 17:09:34 -0500
-Subject: [PATCH 06/42] x86/retpoline: Remove the esp/rsp thunk
-
-(cherry picked from commit 1df37383a8aeabb9b418698f0bcdffea01f4b1b2)
-
-It doesn't make sense to have an indirect call thunk with esp/rsp as
-retpoline code won't work correctly with the stack pointer register.
-Removing it will help compiler writers to catch error in case such
-a thunk call is emitted incorrectly.
-
-Fixes: 76b043848fd2 ("x86/retpoline: Add initial retpoline support")
-Suggested-by: Jeff Law <law@redhat.com>
-Signed-off-by: Waiman Long <longman@redhat.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Tom Lendacky <thomas.lendacky@amd.com>
-Cc: Kees Cook <keescook@google.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Jiri Kosina <jikos@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
-Cc: Paul Turner <pjt@google.com>
-Link: https://lkml.kernel.org/r/1516658974-27852-1-git-send-email-longman@redhat.com
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/asm-prototypes.h | 1 -
- arch/x86/lib/retpoline.S | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h
-index b15aa40..5a25ada 100644
---- a/arch/x86/include/asm/asm-prototypes.h
-+++ b/arch/x86/include/asm/asm-prototypes.h
-@@ -37,5 +37,4 @@ INDIRECT_THUNK(dx)
- INDIRECT_THUNK(si)
- INDIRECT_THUNK(di)
- INDIRECT_THUNK(bp)
--INDIRECT_THUNK(sp)
- #endif /* CONFIG_RETPOLINE */
-diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
-index dfb2ba9..c909961 100644
---- a/arch/x86/lib/retpoline.S
-+++ b/arch/x86/lib/retpoline.S
-@@ -36,7 +36,6 @@ GENERATE_THUNK(_ASM_DX)
- GENERATE_THUNK(_ASM_SI)
- GENERATE_THUNK(_ASM_DI)
- GENERATE_THUNK(_ASM_BP)
--GENERATE_THUNK(_ASM_SP)
- #ifdef CONFIG_64BIT
- GENERATE_THUNK(r8)
- GENERATE_THUNK(r9)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-spectre_v1-Disable-compiler-optimizations-over-a.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-spectre_v1-Disable-compiler-optimizations-over-a.patch
deleted file mode 100644
index a8632983..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-spectre_v1-Disable-compiler-optimizations-over-a.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From d98751217028054a791c98512d1ed81d406f55da Mon Sep 17 00:00:00 2001
-From: Dan Williams <dan.j.williams@intel.com>
-Date: Thu, 7 Jun 2018 09:13:48 -0700
-Subject: [PATCH 06/10] x86/spectre_v1: Disable compiler optimizations over
- array_index_mask_nospec()
-
-commit eab6870fee877258122a042bfd99ee7908c40280 upstream.
-
-Mark Rutland noticed that GCC optimization passes have the potential to elide
-necessary invocations of the array_index_mask_nospec() instruction sequence,
-so mark the asm() volatile.
-
-Mark explains:
-
-"The volatile will inhibit *some* cases where the compiler could lift the
- array_index_nospec() call out of a branch, e.g. where there are multiple
- invocations of array_index_nospec() with the same arguments:
-
- if (idx < foo) {
- idx1 = array_idx_nospec(idx, foo)
- do_something(idx1);
- }
-
- < some other code >
-
- if (idx < foo) {
- idx2 = array_idx_nospec(idx, foo);
- do_something_else(idx2);
- }
-
- ... since the compiler can determine that the two invocations yield the same
- result, and reuse the first result (likely the same register as idx was in
- originally) for the second branch, effectively re-writing the above as:
-
- if (idx < foo) {
- idx = array_idx_nospec(idx, foo);
- do_something(idx);
- }
-
- < some other code >
-
- if (idx < foo) {
- do_something_else(idx);
- }
-
- ... if we don't take the first branch, then speculatively take the second, we
- lose the nospec protection.
-
- There's more info on volatile asm in the GCC docs:
-
- https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html#Volatile
- "
-
-Reported-by: Mark Rutland <mark.rutland@arm.com>
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Acked-by: Mark Rutland <mark.rutland@arm.com>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: <stable@vger.kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Fixes: babdde2698d4 ("x86: Implement array_index_mask_nospec")
-Link: https://lkml.kernel.org/lkml/152838798950.14521.4893346294059739135.stgit@dwillia2-desk3.amr.corp.intel.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/barrier.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
-index 78d1c6a..eb53c2c 100644
---- a/arch/x86/include/asm/barrier.h
-+++ b/arch/x86/include/asm/barrier.h
-@@ -37,7 +37,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
- {
- unsigned long mask;
-
-- asm ("cmp %1,%2; sbb %0,%0;"
-+ asm volatile ("cmp %1,%2; sbb %0,%0;"
- :"=r" (mask)
- :"g"(size),"r" (index)
- :"cc");
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
deleted file mode 100644
index 8f996720..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From eeedd09281a09c8f0470c638939a5121ca753461 Mon Sep 17 00:00:00 2001
-From: Dan Williams <dan.j.williams@intel.com>
-Date: Tue, 6 Feb 2018 18:22:40 -0800
-Subject: [PATCH 06/12] x86/speculation: Fix up array_index_nospec_mask() asm
- constraint
-
-commit be3233fbfcb8f5acb6e3bcd0895c3ef9e100d470 upstream.
-
-Allow the compiler to handle @size as an immediate value or memory
-directly rather than allocating a register.
-
-Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/151797010204.1289.1510000292250184993.stgit@dwillia2-desk3.amr.corp.intel.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/barrier.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
-index 8575903..78d1c6a 100644
---- a/arch/x86/include/asm/barrier.h
-+++ b/arch/x86/include/asm/barrier.h
-@@ -39,7 +39,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
-
- asm ("cmp %1,%2; sbb %0,%0;"
- :"=r" (mask)
-- :"r"(size),"r" (index)
-+ :"g"(size),"r" (index)
- :"cc");
- return mask;
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Use-Indirect-Branch-Prediction-Barri.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Use-Indirect-Branch-Prediction-Barri.patch
deleted file mode 100644
index 90877ac8..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-Use-Indirect-Branch-Prediction-Barri.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From b3ad1b7521b3f4aaddc02e93ce3835bcac48da35 Mon Sep 17 00:00:00 2001
-From: Tim Chen <tim.c.chen@linux.intel.com>
-Date: Mon, 29 Jan 2018 22:04:47 +0000
-Subject: [PATCH 06/14] x86/speculation: Use Indirect Branch Prediction Barrier
- in context switch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7 upstream.
-
-Flush indirect branches when switching into a process that marked itself
-non dumpable. This protects high value processes like gpg better,
-without having too high performance overhead.
-
-If done naïvely, we could switch to a kernel idle thread and then back
-to the original process, such as:
-
- process A -> idle -> process A
-
-In such scenario, we do not have to do IBPB here even though the process
-is non-dumpable, as we are switching back to the same process after a
-hiatus.
-
-To avoid the redundant IBPB, which is expensive, we track the last mm
-user context ID. The cost is to have an extra u64 mm context id to track
-the last mm we were using before switching to the init_mm used by idle.
-Avoiding the extra IBPB is probably worth the extra memory for this
-common scenario.
-
-For those cases where tlb_defer_switch_to_init_mm() returns true (non
-PCID), lazy tlb will defer switch to init_mm, so we will not be changing
-the mm for the process A -> idle -> process A switch. So IBPB will be
-skipped for this case.
-
-Thanks to the reviewers and Andy Lutomirski for the suggestion of
-using ctx_id which got rid of the problem of mm pointer recycling.
-
-Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: ak@linux.intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: linux@dominikbrodowski.net
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: luto@kernel.org
-Cc: pbonzini@redhat.com
-Link: https://lkml.kernel.org/r/1517263487-3708-1-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/tlbflush.h | 2 ++
- arch/x86/mm/tlb.c | 31 +++++++++++++++++++++++++++++++
- 2 files changed, 33 insertions(+)
-
-diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index 94146f6..99185a0 100644
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -68,6 +68,8 @@ static inline void invpcid_flush_all_nonglobals(void)
- struct tlb_state {
- struct mm_struct *active_mm;
- int state;
-+ /* last user mm's ctx id */
-+ u64 last_ctx_id;
-
- /*
- * Access to this CR4 shadow and to H/W CR4 is protected by
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 146e842..b1bf41b 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -10,6 +10,7 @@
-
- #include <asm/tlbflush.h>
- #include <asm/mmu_context.h>
-+#include <asm/nospec-branch.h>
- #include <asm/cache.h>
- #include <asm/apic.h>
- #include <asm/uv/uv.h>
-@@ -106,6 +107,28 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
- unsigned cpu = smp_processor_id();
-
- if (likely(prev != next)) {
-+ u64 last_ctx_id = this_cpu_read(cpu_tlbstate.last_ctx_id);
-+
-+ /*
-+ * Avoid user/user BTB poisoning by flushing the branch
-+ * predictor when switching between processes. This stops
-+ * one process from doing Spectre-v2 attacks on another.
-+ *
-+ * As an optimization, flush indirect branches only when
-+ * switching into processes that disable dumping. This
-+ * protects high value processes like gpg, without having
-+ * too high performance overhead. IBPB is *expensive*!
-+ *
-+ * This will not flush branches when switching into kernel
-+ * threads. It will also not flush if we switch to idle
-+ * thread and back to the same process. It will flush if we
-+ * switch to a different non-dumpable process.
-+ */
-+ if (tsk && tsk->mm &&
-+ tsk->mm->context.ctx_id != last_ctx_id &&
-+ get_dumpable(tsk->mm) != SUID_DUMP_USER)
-+ indirect_branch_prediction_barrier();
-+
- if (IS_ENABLED(CONFIG_VMAP_STACK)) {
- /*
- * If our current stack is in vmalloc space and isn't
-@@ -120,6 +143,14 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
- set_pgd(pgd, init_mm.pgd[stack_pgd_index]);
- }
-
-+ /*
-+ * Record last user mm's context id, so we can avoid
-+ * flushing branch buffer with IBPB if we switch back
-+ * to the same user.
-+ */
-+ if (next != &init_mm)
-+ this_cpu_write(cpu_tlbstate.last_ctx_id, next->context.ctx_id);
-+
- this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
- this_cpu_write(cpu_tlbstate.active_mm, next);
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-objtool-Annotate-indirect-calls-jump.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-objtool-Annotate-indirect-calls-jump.patch
deleted file mode 100644
index ecb1cdd3..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0006-x86-speculation-objtool-Annotate-indirect-calls-jump.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From b4f699a49be9bbfa6bb5408e7f54c89b9bdc8919 Mon Sep 17 00:00:00 2001
-From: Andy Whitcroft <apw@canonical.com>
-Date: Wed, 14 Mar 2018 11:24:27 +0000
-Subject: [PATCH 06/93] x86/speculation, objtool: Annotate indirect calls/jumps
- for objtool on 32-bit kernels
-
-commit a14bff131108faf50cc0cf864589fd71ee216c96 upstream.
-
-In the following commit:
-
- 9e0e3c5130e9 ("x86/speculation, objtool: Annotate indirect calls/jumps for objtool")
-
-... we added annotations for CALL_NOSPEC/JMP_NOSPEC on 64-bit x86 kernels,
-but we did not annotate the 32-bit path.
-
-Annotate it similarly.
-
-Signed-off-by: Andy Whitcroft <apw@canonical.com>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/20180314112427.22351-1-apw@canonical.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/nospec-branch.h | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index d0dabea..f928ad9 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -183,7 +183,10 @@
- * otherwise we'll run out of registers. We don't care about CET
- * here, anyway.
- */
--# define CALL_NOSPEC ALTERNATIVE("call *%[thunk_target]\n", \
-+# define CALL_NOSPEC \
-+ ALTERNATIVE( \
-+ ANNOTATE_RETPOLINE_SAFE \
-+ "call *%[thunk_target]\n", \
- " jmp 904f;\n" \
- " .align 16\n" \
- "901: call 903f;\n" \
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-KVM-x86-ioapic-Fix-level-triggered-EOI-and-IOAPIC-re.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-KVM-x86-ioapic-Fix-level-triggered-EOI-and-IOAPIC-re.patch
deleted file mode 100644
index 2ca432cf..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-KVM-x86-ioapic-Fix-level-triggered-EOI-and-IOAPIC-re.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 34cbfb000e9bd72eb48fb3d1e61be034053f743f Mon Sep 17 00:00:00 2001
-From: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Date: Sun, 5 Nov 2017 15:52:29 +0200
-Subject: [PATCH 07/33] KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC
- reconfigure race
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 0fc5a36dd6b345eb0d251a65c236e53bead3eef7 ]
-
-KVM uses ioapic_handled_vectors to track vectors that need to notify the
-IOAPIC on EOI. The problem is that IOAPIC can be reconfigured while an
-interrupt with old configuration is pending or running and
-ioapic_handled_vectors only remembers the newest configuration;
-thus EOI from the old interrupt is not delievered to the IOAPIC.
-
-A previous commit db2bdcbbbd32
-("KVM: x86: fix edge EOI and IOAPIC reconfig race")
-addressed this issue by adding pending edge-triggered interrupts to
-ioapic_handled_vectors, fixing this race for edge-triggered interrupts.
-The commit explicitly ignored level-triggered interrupts,
-but this race applies to them as well:
-
-1) IOAPIC sends a level triggered interrupt vector to VCPU0
-2) VCPU0's handler deasserts the irq line and reconfigures the IOAPIC
- to route the vector to VCPU1. The reconfiguration rewrites only the
- upper 32 bits of the IOREDTBLn register. (Causes KVM to update
- ioapic_handled_vectors for VCPU0 and it no longer includes the vector.)
-3) VCPU0 sends EOI for the vector, but it's not delievered to the
- IOAPIC because the ioapic_handled_vectors doesn't include the vector.
-4) New interrupts are not delievered to VCPU1 because remote_irr bit
- is set forever.
-
-Therefore, the correct behavior is to add all pending and running
-interrupts to ioapic_handled_vectors.
-
-This commit introduces a slight performance hit similar to
-commit db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race")
-for the rare case that the vector is reused by a non-IOAPIC source on
-VCPU0. We prefer to keep solution simple and not handle this case just
-as the original commit does.
-
-Fixes: db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race")
-
-Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Reviewed-by: Liran Alon <liran.alon@oracle.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/ioapic.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
-index 6e219e5..a7ac868 100644
---- a/arch/x86/kvm/ioapic.c
-+++ b/arch/x86/kvm/ioapic.c
-@@ -257,8 +257,7 @@ void kvm_ioapic_scan_entry(struct kvm_vcpu *vcpu, ulong *ioapic_handled_vectors)
- index == RTC_GSI) {
- if (kvm_apic_match_dest(vcpu, NULL, 0,
- e->fields.dest_id, e->fields.dest_mode) ||
-- (e->fields.trig_mode == IOAPIC_EDGE_TRIG &&
-- kvm_apic_pending_eoi(vcpu, e->fields.vector)))
-+ kvm_apic_pending_eoi(vcpu, e->fields.vector))
- __set_bit(e->fields.vector,
- ioapic_handled_vectors);
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-bpf-x64-implement-retpoline-for-tail-call.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-bpf-x64-implement-retpoline-for-tail-call.patch
deleted file mode 100644
index 69809c28..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-bpf-x64-implement-retpoline-for-tail-call.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From 8dfc905d7d2e3c68f31eca0178b6137b2e1fc7f9 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Thu, 8 Mar 2018 16:17:34 +0100
-Subject: [PATCH 07/14] bpf, x64: implement retpoline for tail call
-
-[ upstream commit a493a87f38cfa48caaa95c9347be2d914c6fdf29 ]
-
-Implement a retpoline [0] for the BPF tail call JIT'ing that converts
-the indirect jump via jmp %rax that is used to make the long jump into
-another JITed BPF image. Since this is subject to speculative execution,
-we need to control the transient instruction sequence here as well
-when CONFIG_RETPOLINE is set, and direct it into a pause + lfence loop.
-The latter aligns also with what gcc / clang emits (e.g. [1]).
-
-JIT dump after patch:
-
- # bpftool p d x i 1
- 0: (18) r2 = map[id:1]
- 2: (b7) r3 = 0
- 3: (85) call bpf_tail_call#12
- 4: (b7) r0 = 2
- 5: (95) exit
-
-With CONFIG_RETPOLINE:
-
- # bpftool p d j i 1
- [...]
- 33: cmp %edx,0x24(%rsi)
- 36: jbe 0x0000000000000072 |*
- 38: mov 0x24(%rbp),%eax
- 3e: cmp $0x20,%eax
- 41: ja 0x0000000000000072 |
- 43: add $0x1,%eax
- 46: mov %eax,0x24(%rbp)
- 4c: mov 0x90(%rsi,%rdx,8),%rax
- 54: test %rax,%rax
- 57: je 0x0000000000000072 |
- 59: mov 0x28(%rax),%rax
- 5d: add $0x25,%rax
- 61: callq 0x000000000000006d |+
- 66: pause |
- 68: lfence |
- 6b: jmp 0x0000000000000066 |
- 6d: mov %rax,(%rsp) |
- 71: retq |
- 72: mov $0x2,%eax
- [...]
-
- * relative fall-through jumps in error case
- + retpoline for indirect jump
-
-Without CONFIG_RETPOLINE:
-
- # bpftool p d j i 1
- [...]
- 33: cmp %edx,0x24(%rsi)
- 36: jbe 0x0000000000000063 |*
- 38: mov 0x24(%rbp),%eax
- 3e: cmp $0x20,%eax
- 41: ja 0x0000000000000063 |
- 43: add $0x1,%eax
- 46: mov %eax,0x24(%rbp)
- 4c: mov 0x90(%rsi,%rdx,8),%rax
- 54: test %rax,%rax
- 57: je 0x0000000000000063 |
- 59: mov 0x28(%rax),%rax
- 5d: add $0x25,%rax
- 61: jmpq *%rax |-
- 63: mov $0x2,%eax
- [...]
-
- * relative fall-through jumps in error case
- - plain indirect jump as before
-
- [0] https://support.google.com/faqs/answer/7625886
- [1] https://github.com/gcc-mirror/gcc/commit/a31e654fa107be968b802786d747e962c2fcdb2b
-
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/nospec-branch.h | 37 ++++++++++++++++++++++++++++++++++++
- arch/x86/net/bpf_jit_comp.c | 9 +++++----
- 2 files changed, 42 insertions(+), 4 deletions(-)
-
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 76b0585..81a1be3 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -177,4 +177,41 @@ static inline void indirect_branch_prediction_barrier(void)
- }
-
- #endif /* __ASSEMBLY__ */
-+
-+/*
-+ * Below is used in the eBPF JIT compiler and emits the byte sequence
-+ * for the following assembly:
-+ *
-+ * With retpolines configured:
-+ *
-+ * callq do_rop
-+ * spec_trap:
-+ * pause
-+ * lfence
-+ * jmp spec_trap
-+ * do_rop:
-+ * mov %rax,(%rsp)
-+ * retq
-+ *
-+ * Without retpolines configured:
-+ *
-+ * jmp *%rax
-+ */
-+#ifdef CONFIG_RETPOLINE
-+# define RETPOLINE_RAX_BPF_JIT_SIZE 17
-+# define RETPOLINE_RAX_BPF_JIT() \
-+ EMIT1_off32(0xE8, 7); /* callq do_rop */ \
-+ /* spec_trap: */ \
-+ EMIT2(0xF3, 0x90); /* pause */ \
-+ EMIT3(0x0F, 0xAE, 0xE8); /* lfence */ \
-+ EMIT2(0xEB, 0xF9); /* jmp spec_trap */ \
-+ /* do_rop: */ \
-+ EMIT4(0x48, 0x89, 0x04, 0x24); /* mov %rax,(%rsp) */ \
-+ EMIT1(0xC3); /* retq */
-+#else
-+# define RETPOLINE_RAX_BPF_JIT_SIZE 2
-+# define RETPOLINE_RAX_BPF_JIT() \
-+ EMIT2(0xFF, 0xE0); /* jmp *%rax */
-+#endif
-+
- #endif /* _ASM_X86_NOSPEC_BRANCH_H_ */
-diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
-index 7840331..1f7ed2e 100644
---- a/arch/x86/net/bpf_jit_comp.c
-+++ b/arch/x86/net/bpf_jit_comp.c
-@@ -12,6 +12,7 @@
- #include <linux/filter.h>
- #include <linux/if_vlan.h>
- #include <asm/cacheflush.h>
-+#include <asm/nospec-branch.h>
- #include <linux/bpf.h>
-
- int bpf_jit_enable __read_mostly;
-@@ -281,7 +282,7 @@ static void emit_bpf_tail_call(u8 **pprog)
- EMIT2(0x89, 0xD2); /* mov edx, edx */
- EMIT3(0x39, 0x56, /* cmp dword ptr [rsi + 16], edx */
- offsetof(struct bpf_array, map.max_entries));
--#define OFFSET1 43 /* number of bytes to jump */
-+#define OFFSET1 (41 + RETPOLINE_RAX_BPF_JIT_SIZE) /* number of bytes to jump */
- EMIT2(X86_JBE, OFFSET1); /* jbe out */
- label1 = cnt;
-
-@@ -290,7 +291,7 @@ static void emit_bpf_tail_call(u8 **pprog)
- */
- EMIT2_off32(0x8B, 0x85, -STACKSIZE + 36); /* mov eax, dword ptr [rbp - 516] */
- EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */
--#define OFFSET2 32
-+#define OFFSET2 (30 + RETPOLINE_RAX_BPF_JIT_SIZE)
- EMIT2(X86_JA, OFFSET2); /* ja out */
- label2 = cnt;
- EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */
-@@ -304,7 +305,7 @@ static void emit_bpf_tail_call(u8 **pprog)
- * goto out;
- */
- EMIT3(0x48, 0x85, 0xC0); /* test rax,rax */
--#define OFFSET3 10
-+#define OFFSET3 (8 + RETPOLINE_RAX_BPF_JIT_SIZE)
- EMIT2(X86_JE, OFFSET3); /* je out */
- label3 = cnt;
-
-@@ -317,7 +318,7 @@ static void emit_bpf_tail_call(u8 **pprog)
- * rdi == ctx (1st arg)
- * rax == prog->bpf_func + prologue_size
- */
-- EMIT2(0xFF, 0xE0); /* jmp rax */
-+ RETPOLINE_RAX_BPF_JIT();
-
- /* out: */
- BUILD_BUG_ON(cnt - label1 != OFFSET1);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-kaiser-stack-map-PAGE_SIZE-at-THREAD_SIZE-PAGE_SIZE.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-kaiser-stack-map-PAGE_SIZE-at-THREAD_SIZE-PAGE_SIZE.patch
deleted file mode 100644
index 2fb277eb..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-kaiser-stack-map-PAGE_SIZE-at-THREAD_SIZE-PAGE_SIZE.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From bdfb218abe244fde0b09b65dc9648b72e7d4579b Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sun, 3 Sep 2017 18:57:03 -0700
-Subject: [PATCH 007/103] kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE
-
-Kaiser only needs to map one page of the stack; and
-kernel/fork.c did not build on powerpc (no __PAGE_KERNEL).
-It's all cleaner if linux/kaiser.h provides kaiser_map_thread_stack()
-and kaiser_unmap_thread_stack() wrappers around asm/kaiser.h's
-kaiser_add_mapping() and kaiser_remove_mapping(). And use
-linux/kaiser.h in init/main.c to avoid the #ifdefs there.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/kaiser.h | 40 +++++++++++++++++++++++++++++++++-------
- init/main.c | 6 +-----
- kernel/fork.c | 7 ++-----
- 3 files changed, 36 insertions(+), 17 deletions(-)
-
-diff --git a/include/linux/kaiser.h b/include/linux/kaiser.h
-index 9db5433..4a4d6d9 100644
---- a/include/linux/kaiser.h
-+++ b/include/linux/kaiser.h
-@@ -1,26 +1,52 @@
--#ifndef _INCLUDE_KAISER_H
--#define _INCLUDE_KAISER_H
-+#ifndef _LINUX_KAISER_H
-+#define _LINUX_KAISER_H
-
- #ifdef CONFIG_KAISER
- #include <asm/kaiser.h>
-+
-+static inline int kaiser_map_thread_stack(void *stack)
-+{
-+ /*
-+ * Map that page of kernel stack on which we enter from user context.
-+ */
-+ return kaiser_add_mapping((unsigned long)stack +
-+ THREAD_SIZE - PAGE_SIZE, PAGE_SIZE, __PAGE_KERNEL);
-+}
-+
-+static inline void kaiser_unmap_thread_stack(void *stack)
-+{
-+ /*
-+ * Note: may be called even when kaiser_map_thread_stack() failed.
-+ */
-+ kaiser_remove_mapping((unsigned long)stack +
-+ THREAD_SIZE - PAGE_SIZE, PAGE_SIZE);
-+}
- #else
-
- /*
- * These stubs are used whenever CONFIG_KAISER is off, which
-- * includes architectures that support KAISER, but have it
-- * disabled.
-+ * includes architectures that support KAISER, but have it disabled.
- */
-
- static inline void kaiser_init(void)
- {
- }
--static inline void kaiser_remove_mapping(unsigned long start, unsigned long size)
-+static inline int kaiser_add_mapping(unsigned long addr,
-+ unsigned long size, unsigned long flags)
-+{
-+ return 0;
-+}
-+static inline void kaiser_remove_mapping(unsigned long start,
-+ unsigned long size)
- {
- }
--static inline int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags)
-+static inline int kaiser_map_thread_stack(void *stack)
- {
- return 0;
- }
-+static inline void kaiser_unmap_thread_stack(void *stack)
-+{
-+}
-
- #endif /* !CONFIG_KAISER */
--#endif /* _INCLUDE_KAISER_H */
-+#endif /* _LINUX_KAISER_H */
-diff --git a/init/main.c b/init/main.c
-index d2c8c23..eb47369 100644
---- a/init/main.c
-+++ b/init/main.c
-@@ -81,15 +81,13 @@
- #include <linux/integrity.h>
- #include <linux/proc_ns.h>
- #include <linux/io.h>
-+#include <linux/kaiser.h>
-
- #include <asm/io.h>
- #include <asm/bugs.h>
- #include <asm/setup.h>
- #include <asm/sections.h>
- #include <asm/cacheflush.h>
--#ifdef CONFIG_KAISER
--#include <asm/kaiser.h>
--#endif
-
- static int kernel_init(void *);
-
-@@ -477,9 +475,7 @@ static void __init mm_init(void)
- pgtable_init();
- vmalloc_init();
- ioremap_huge_init();
--#ifdef CONFIG_KAISER
- kaiser_init();
--#endif
- }
-
- asmlinkage __visible void __init start_kernel(void)
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 7ba50f1..2bddd1d 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -212,12 +212,9 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
- #endif
- }
-
--extern void kaiser_remove_mapping(unsigned long start_addr, unsigned long size);
- static inline void free_thread_stack(struct task_struct *tsk)
- {
--#ifdef CONFIG_KAISER
-- kaiser_remove_mapping((unsigned long)tsk->stack, THREAD_SIZE);
--#endif
-+ kaiser_unmap_thread_stack(tsk->stack);
- #ifdef CONFIG_VMAP_STACK
- if (task_stack_vm_area(tsk)) {
- unsigned long flags;
-@@ -501,7 +498,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
- */
- tsk->stack = stack;
-
-- err= kaiser_add_mapping((unsigned long)tsk->stack, THREAD_SIZE, __PAGE_KERNEL);
-+ err= kaiser_map_thread_stack(tsk->stack);
- if (err)
- goto free_stack;
- #ifdef CONFIG_VMAP_STACK
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch
deleted file mode 100644
index be5712b6..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-module-retpoline-Warn-about-missing-retpoline-in-mod.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From dabd9b2a92eda21c93aeee9f7bf8f369fed15833 Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Thu, 25 Jan 2018 15:50:28 -0800
-Subject: [PATCH 07/42] module/retpoline: Warn about missing retpoline in
- module
-
-(cherry picked from commit caf7501a1b4ec964190f31f9c3f163de252273b8)
-
-There's a risk that a kernel which has full retpoline mitigations becomes
-vulnerable when a module gets loaded that hasn't been compiled with the
-right compiler or the right option.
-
-To enable detection of that mismatch at module load time, add a module info
-string "retpoline" at build time when the module was compiled with
-retpoline support. This only covers compiled C source, but assembler source
-or prebuilt object files are not checked.
-
-If a retpoline enabled kernel detects a non retpoline protected module at
-load time, print a warning and report it in the sysfs vulnerability file.
-
-[ tglx: Massaged changelog ]
-
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: gregkh@linuxfoundation.org
-Cc: torvalds@linux-foundation.org
-Cc: jeyu@kernel.org
-Cc: arjan@linux.intel.com
-Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/bugs.c | 17 ++++++++++++++++-
- include/linux/module.h | 9 +++++++++
- kernel/module.c | 11 +++++++++++
- scripts/mod/modpost.c | 9 +++++++++
- 4 files changed, 45 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 8cacf62..4cea7d4 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -10,6 +10,7 @@
- #include <linux/init.h>
- #include <linux/utsname.h>
- #include <linux/cpu.h>
-+#include <linux/module.h>
-
- #include <asm/nospec-branch.h>
- #include <asm/cmdline.h>
-@@ -92,6 +93,19 @@ static const char *spectre_v2_strings[] = {
- #define pr_fmt(fmt) "Spectre V2 mitigation: " fmt
-
- static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
-+static bool spectre_v2_bad_module;
-+
-+#ifdef RETPOLINE
-+bool retpoline_module_ok(bool has_retpoline)
-+{
-+ if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
-+ return true;
-+
-+ pr_err("System may be vunerable to spectre v2\n");
-+ spectre_v2_bad_module = true;
-+ return false;
-+}
-+#endif
-
- static void __init spec2_print_if_insecure(const char *reason)
- {
-@@ -277,6 +291,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
- return sprintf(buf, "Not affected\n");
-
-- return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
-+ return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-+ spectre_v2_bad_module ? " - vulnerable module loaded" : "");
- }
- #endif
-diff --git a/include/linux/module.h b/include/linux/module.h
-index 0c3207d..d2224a0 100644
---- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -791,6 +791,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr,
- static inline void module_bug_cleanup(struct module *mod) {}
- #endif /* CONFIG_GENERIC_BUG */
-
-+#ifdef RETPOLINE
-+extern bool retpoline_module_ok(bool has_retpoline);
-+#else
-+static inline bool retpoline_module_ok(bool has_retpoline)
-+{
-+ return true;
-+}
-+#endif
-+
- #ifdef CONFIG_MODULE_SIG
- static inline bool module_sig_ok(struct module *module)
- {
-diff --git a/kernel/module.c b/kernel/module.c
-index 0e54d5b..07bfb99 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2817,6 +2817,15 @@ static int check_modinfo_livepatch(struct module *mod, struct load_info *info)
- }
- #endif /* CONFIG_LIVEPATCH */
-
-+static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
-+{
-+ if (retpoline_module_ok(get_modinfo(info, "retpoline")))
-+ return;
-+
-+ pr_warn("%s: loading module not compiled with retpoline compiler.\n",
-+ mod->name);
-+}
-+
- /* Sets info->hdr and info->len. */
- static int copy_module_from_user(const void __user *umod, unsigned long len,
- struct load_info *info)
-@@ -2969,6 +2978,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
- add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
- }
-
-+ check_modinfo_retpoline(mod, info);
-+
- if (get_modinfo(info, "staging")) {
- add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
- pr_warn("%s: module is from the staging directory, the quality "
-diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index 325f1af..96a8047 100644
---- a/scripts/mod/modpost.c
-+++ b/scripts/mod/modpost.c
-@@ -2130,6 +2130,14 @@ static void add_intree_flag(struct buffer *b, int is_intree)
- buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n");
- }
-
-+/* Cannot check for assembler */
-+static void add_retpoline(struct buffer *b)
-+{
-+ buf_printf(b, "\n#ifdef RETPOLINE\n");
-+ buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n");
-+ buf_printf(b, "#endif\n");
-+}
-+
- static void add_staging_flag(struct buffer *b, const char *name)
- {
- static const char *staging_dir = "drivers/staging";
-@@ -2474,6 +2482,7 @@ int main(int argc, char **argv)
-
- add_header(&buf, mod);
- add_intree_flag(&buf, !external_module);
-+ add_retpoline(&buf);
- add_staging_flag(&buf, mod->name);
- err |= add_versions(&buf, mod);
- add_depends(&buf, mod, modules);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-mce-Improve-error-message-when-kernel-cannot-rec.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-mce-Improve-error-message-when-kernel-cannot-rec.patch
deleted file mode 100644
index 3ddb8ece..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-mce-Improve-error-message-when-kernel-cannot-rec.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From f08520b8eba49e29d01f53ac8f2a52022e435744 Mon Sep 17 00:00:00 2001
-From: Tony Luck <tony.luck@intel.com>
-Date: Fri, 25 May 2018 14:41:39 -0700
-Subject: [PATCH 07/10] x86/mce: Improve error message when kernel cannot
- recover
-
-commit c7d606f560e4c698884697fef503e4abacdd8c25 upstream.
-
-Since we added support to add recovery from some errors inside the kernel in:
-
-commit b2f9d678e28c ("x86/mce: Check for faults tagged in EXTABLE_CLASS_FAULT exception table entries")
-
-we have done a less than stellar job at reporting the cause of recoverable
-machine checks that occur in other parts of the kernel. The user just gets
-the unhelpful message:
-
- mce: [Hardware Error]: Machine check: Action required: unknown MCACOD
-
-doubly unhelpful when they check the manual for the reported IA32_MSR_STATUS.MCACOD
-and see that it is listed as one of the standard recoverable values.
-
-Add an extra rule to the MCE severity table to catch this case and report it
-as:
-
- mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
-
-Fixes: b2f9d678e28c ("x86/mce: Check for faults tagged in EXTABLE_CLASS_FAULT exception table entries")
-Signed-off-by: Tony Luck <tony.luck@intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
-Cc: Ashok Raj <ashok.raj@intel.com>
-Cc: stable@vger.kernel.org # 4.6+
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Borislav Petkov <bp@suse.de>
-Link: https://lkml.kernel.org/r/4cc7c465150a9a48b8b9f45d0b840278e77eb9b5.1527283897.git.tony.luck@intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/mcheck/mce-severity.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce-severity.c b/arch/x86/kernel/cpu/mcheck/mce-severity.c
-index c7efbcf..17dbbdbb 100644
---- a/arch/x86/kernel/cpu/mcheck/mce-severity.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce-severity.c
-@@ -143,6 +143,11 @@ static struct severity {
- SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_INSTR),
- USER
- ),
-+ MCESEV(
-+ PANIC, "Data load in unrecoverable area of kernel",
-+ SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA),
-+ KERNEL
-+ ),
- #endif
- MCESEV(
- PANIC, "Action required: unknown MCACOD",
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Add-asm-msr-index.h-dependency.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Add-asm-msr-index.h-dependency.patch
deleted file mode 100644
index abf0b6ba..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Add-asm-msr-index.h-dependency.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From ae5dca4c2f9a62ec120a32663609b3dabfeb8ae4 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Tue, 13 Feb 2018 14:28:19 +0100
-Subject: [PATCH 07/12] x86/speculation: Add <asm/msr-index.h> dependency
-
-commit ea00f301285ea2f07393678cd2b6057878320c9d upstream.
-
-Joe Konno reported a compile failure resulting from using an MSR
-without inclusion of <asm/msr-index.h>, and while the current code builds
-fine (by accident) this needs fixing for future patches.
-
-Reported-by: Joe Konno <joe.konno@linux.intel.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: arjan@linux.intel.com
-Cc: bp@alien8.de
-Cc: dan.j.williams@intel.com
-Cc: dave.hansen@linux.intel.com
-Cc: dwmw2@infradead.org
-Cc: dwmw@amazon.co.uk
-Cc: gregkh@linuxfoundation.org
-Cc: hpa@zytor.com
-Cc: jpoimboe@redhat.com
-Cc: linux-tip-commits@vger.kernel.org
-Cc: luto@kernel.org
-Fixes: 20ffa1caecca ("x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support")
-Link: http://lkml.kernel.org/r/20180213132819.GJ25201@hirez.programming.kicks-ass.net
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/nospec-branch.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 300cc15..76b0585 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -6,6 +6,7 @@
- #include <asm/alternative.h>
- #include <asm/alternative-asm.h>
- #include <asm/cpufeatures.h>
-+#include <asm/msr-index.h>
-
- #ifdef __ASSEMBLY__
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Remove-Skylake-C2-from-Speculation-C.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Remove-Skylake-C2-from-Speculation-C.patch
deleted file mode 100644
index 4da48ef5..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0007-x86-speculation-Remove-Skylake-C2-from-Speculation-C.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 5516ae4d16ab0ce922de31fec20d5d5e198aa258 Mon Sep 17 00:00:00 2001
-From: Alexander Sergeyev <sergeev917@gmail.com>
-Date: Tue, 13 Mar 2018 22:38:56 +0300
-Subject: [PATCH 07/93] x86/speculation: Remove Skylake C2 from Speculation
- Control microcode blacklist
-
-commit e3b3121fa8da94cb20f9e0c64ab7981ae47fd085 upstream.
-
-In accordance with Intel's microcode revision guidance from March 6 MCU
-rev 0xc2 is cleared on both Skylake H/S and Skylake Xeon E3 processors
-that share CPUID 506E3.
-
-Signed-off-by: Alexander Sergeyev <sergeev917@gmail.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Jia Zhang <qianyue.zj@alibaba-inc.com>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Kyle Huey <me@kylehuey.com>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Link: https://lkml.kernel.org/r/20180313193856.GA8580@localhost.localdomain
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/intel.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index 7680425..8fb1d65 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -64,7 +64,7 @@ void check_mpx_erratum(struct cpuinfo_x86 *c)
- /*
- * Early microcode releases for the Spectre v2 mitigation were broken.
- * Information taken from;
-- * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
-+ * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf
- * - https://kb.vmware.com/s/article/52345
- * - Microcode revisions observed in the wild
- * - Release note from 20180108 microcode release
-@@ -82,7 +82,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
- { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x80 },
- { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e },
- { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c },
-- { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 },
- { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 },
- { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b },
- { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 },
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-KVM-x86-ioapic-Clear-Remote-IRR-when-entry-is-switch.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-KVM-x86-ioapic-Clear-Remote-IRR-when-entry-is-switch.patch
deleted file mode 100644
index 6e097d05..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-KVM-x86-ioapic-Clear-Remote-IRR-when-entry-is-switch.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From aca211b549c07b81295e817e663a61a1ae1fd659 Mon Sep 17 00:00:00 2001
-From: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Date: Sun, 5 Nov 2017 15:52:32 +0200
-Subject: [PATCH 08/33] KVM: x86: ioapic: Clear Remote IRR when entry is
- switched to edge-triggered
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit a8bfec2930525808c01f038825d1df3904638631 ]
-
-Some OSes (Linux, Xen) use this behavior to clear the Remote IRR bit for
-IOAPICs without an EOI register. They simulate the EOI message manually
-by changing the trigger mode to edge and then back to level, with the
-entry being masked during this.
-
-QEMU implements this feature in commit ed1263c363c9
-("ioapic: clear remote irr bit for edge-triggered interrupts")
-
-As a side effect, this commit removes an incorrect behavior where Remote
-IRR was cleared when the redirection table entry was rewritten. This is not
-consistent with the manual and also opens an opportunity for a strange
-behavior when a redirection table entry is modified from an interrupt
-handler that handles the same entry: The modification will clear the
-Remote IRR bit even though the interrupt handler is still running.
-
-Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Reviewed-by: Liran Alon <liran.alon@oracle.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Reviewed-by: Steve Rutherford <srutherford@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/ioapic.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
-index a7ac868..4b573c8 100644
---- a/arch/x86/kvm/ioapic.c
-+++ b/arch/x86/kvm/ioapic.c
-@@ -306,8 +306,17 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
- } else {
- e->bits &= ~0xffffffffULL;
- e->bits |= (u32) val;
-- e->fields.remote_irr = 0;
- }
-+
-+ /*
-+ * Some OSes (Linux, Xen) assume that Remote IRR bit will
-+ * be cleared by IOAPIC hardware when the entry is configured
-+ * as edge-triggered. This behavior is used to simulate an
-+ * explicit EOI on IOAPICs that don't have the EOI register.
-+ */
-+ if (e->fields.trig_mode == IOAPIC_EDGE_TRIG)
-+ e->fields.remote_irr = 0;
-+
- mask_after = e->fields.mask;
- if (mask_before != mask_after)
- kvm_fire_mask_notifiers(ioapic->kvm, KVM_IRQCHIP_IOAPIC, index, mask_after);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-kaiser-fix-build-and-FIXME-in-alloc_ldt_struct.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-kaiser-fix-build-and-FIXME-in-alloc_ldt_struct.patch
deleted file mode 100644
index a3bda594..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-kaiser-fix-build-and-FIXME-in-alloc_ldt_struct.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 183131e8c381ffb7c32a09a7356cb25450d2bd40 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sun, 3 Sep 2017 17:09:44 -0700
-Subject: [PATCH 008/103] kaiser: fix build and FIXME in alloc_ldt_struct()
-
-Include linux/kaiser.h instead of asm/kaiser.h to build ldt.c without
-CONFIG_KAISER. kaiser_add_mapping() does already return an error code,
-so fix the FIXME.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/ldt.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index 3c2d55b..8331bad 100644
---- a/arch/x86/kernel/ldt.c
-+++ b/arch/x86/kernel/ldt.c
-@@ -15,9 +15,9 @@
- #include <linux/slab.h>
- #include <linux/vmalloc.h>
- #include <linux/uaccess.h>
-+#include <linux/kaiser.h>
-
- #include <asm/ldt.h>
--#include <asm/kaiser.h>
- #include <asm/desc.h>
- #include <asm/mmu_context.h>
- #include <asm/syscalls.h>
-@@ -48,7 +48,7 @@ static struct ldt_struct *alloc_ldt_struct(int size)
- {
- struct ldt_struct *new_ldt;
- int alloc_size;
-- int ret = 0;
-+ int ret;
-
- if (size > LDT_ENTRIES)
- return NULL;
-@@ -76,10 +76,8 @@ static struct ldt_struct *alloc_ldt_struct(int size)
- return NULL;
- }
-
-- // FIXME: make kaiser_add_mapping() return an error code
-- // when it fails
-- kaiser_add_mapping((unsigned long)new_ldt->entries, alloc_size,
-- __PAGE_KERNEL);
-+ ret = kaiser_add_mapping((unsigned long)new_ldt->entries, alloc_size,
-+ __PAGE_KERNEL);
- if (ret) {
- __free_ldt_struct(new_ldt);
- return NULL;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpu-Rename-cpu_data.x86_mask-to-cpu_data.x86_ste.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpu-Rename-cpu_data.x86_mask-to-cpu_data.x86_ste.patch
deleted file mode 100644
index 5dc0b927..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpu-Rename-cpu_data.x86_mask-to-cpu_data.x86_ste.patch
+++ /dev/null
@@ -1,760 +0,0 @@
-From 4ac936f6e6b191d2eac4083da651826a8bb7b03b Mon Sep 17 00:00:00 2001
-From: Jia Zhang <qianyue.zj@alibaba-inc.com>
-Date: Mon, 1 Jan 2018 09:52:10 +0800
-Subject: [PATCH 08/12] x86/cpu: Rename cpu_data.x86_mask to
- cpu_data.x86_stepping
-
-commit b399151cb48db30ad1e0e93dd40d68c6d007b637 upstream.
-
-x86_mask is a confusing name which is hard to associate with the
-processor's stepping.
-
-Additionally, correct an indent issue in lib/cpu.c.
-
-Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
-[ Updated it to more recent kernels. ]
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: bp@alien8.de
-Cc: tony.luck@intel.com
-Link: http://lkml.kernel.org/r/1514771530-70829-1-git-send-email-qianyue.zj@alibaba-inc.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/events/intel/core.c | 2 +-
- arch/x86/events/intel/lbr.c | 2 +-
- arch/x86/events/intel/p6.c | 2 +-
- arch/x86/include/asm/acpi.h | 2 +-
- arch/x86/include/asm/processor.h | 2 +-
- arch/x86/kernel/amd_nb.c | 2 +-
- arch/x86/kernel/asm-offsets_32.c | 2 +-
- arch/x86/kernel/cpu/amd.c | 26 +++++++++++++-------------
- arch/x86/kernel/cpu/centaur.c | 4 ++--
- arch/x86/kernel/cpu/common.c | 8 ++++----
- arch/x86/kernel/cpu/cyrix.c | 2 +-
- arch/x86/kernel/cpu/intel.c | 18 +++++++++---------
- arch/x86/kernel/cpu/microcode/intel.c | 2 +-
- arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
- arch/x86/kernel/cpu/mtrr/main.c | 4 ++--
- arch/x86/kernel/cpu/proc.c | 4 ++--
- arch/x86/kernel/head_32.S | 4 ++--
- arch/x86/kernel/mpparse.c | 2 +-
- arch/x86/lib/cpu.c | 2 +-
- drivers/char/hw_random/via-rng.c | 2 +-
- drivers/cpufreq/acpi-cpufreq.c | 2 +-
- drivers/cpufreq/longhaul.c | 6 +++---
- drivers/cpufreq/p4-clockmod.c | 2 +-
- drivers/cpufreq/powernow-k7.c | 2 +-
- drivers/cpufreq/speedstep-centrino.c | 4 ++--
- drivers/cpufreq/speedstep-lib.c | 6 +++---
- drivers/crypto/padlock-aes.c | 2 +-
- drivers/edac/amd64_edac.c | 2 +-
- drivers/edac/mce_amd.c | 2 +-
- drivers/hwmon/coretemp.c | 6 +++---
- drivers/hwmon/hwmon-vid.c | 2 +-
- drivers/hwmon/k10temp.c | 2 +-
- drivers/hwmon/k8temp.c | 2 +-
- drivers/video/fbdev/geode/video_gx.c | 2 +-
- 34 files changed, 68 insertions(+), 68 deletions(-)
-
-diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
-index cb85222..6b251fcc 100644
---- a/arch/x86/events/intel/core.c
-+++ b/arch/x86/events/intel/core.c
-@@ -3360,7 +3360,7 @@ static int intel_snb_pebs_broken(int cpu)
- break;
-
- case INTEL_FAM6_SANDYBRIDGE_X:
-- switch (cpu_data(cpu).x86_mask) {
-+ switch (cpu_data(cpu).x86_stepping) {
- case 6: rev = 0x618; break;
- case 7: rev = 0x70c; break;
- }
-diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
-index 81b321a..34ba350 100644
---- a/arch/x86/events/intel/lbr.c
-+++ b/arch/x86/events/intel/lbr.c
-@@ -1128,7 +1128,7 @@ void __init intel_pmu_lbr_init_atom(void)
- * on PMU interrupt
- */
- if (boot_cpu_data.x86_model == 28
-- && boot_cpu_data.x86_mask < 10) {
-+ && boot_cpu_data.x86_stepping < 10) {
- pr_cont("LBR disabled due to erratum");
- return;
- }
-diff --git a/arch/x86/events/intel/p6.c b/arch/x86/events/intel/p6.c
-index 1f5c47a..c5e441b 100644
---- a/arch/x86/events/intel/p6.c
-+++ b/arch/x86/events/intel/p6.c
-@@ -233,7 +233,7 @@ static __initconst const struct x86_pmu p6_pmu = {
-
- static __init void p6_pmu_rdpmc_quirk(void)
- {
-- if (boot_cpu_data.x86_mask < 9) {
-+ if (boot_cpu_data.x86_stepping < 9) {
- /*
- * PPro erratum 26; fixed in stepping 9 and above.
- */
-diff --git a/arch/x86/include/asm/acpi.h b/arch/x86/include/asm/acpi.h
-index 5391b0a..d32bab6 100644
---- a/arch/x86/include/asm/acpi.h
-+++ b/arch/x86/include/asm/acpi.h
-@@ -92,7 +92,7 @@ static inline unsigned int acpi_processor_cstate_check(unsigned int max_cstate)
- if (boot_cpu_data.x86 == 0x0F &&
- boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
- boot_cpu_data.x86_model <= 0x05 &&
-- boot_cpu_data.x86_mask < 0x0A)
-+ boot_cpu_data.x86_stepping < 0x0A)
- return 1;
- else if (amd_e400_c1e_detected)
- return 1;
-diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index a781668..df29212 100644
---- a/arch/x86/include/asm/processor.h
-+++ b/arch/x86/include/asm/processor.h
-@@ -88,7 +88,7 @@ struct cpuinfo_x86 {
- __u8 x86; /* CPU family */
- __u8 x86_vendor; /* CPU vendor */
- __u8 x86_model;
-- __u8 x86_mask;
-+ __u8 x86_stepping;
- #ifdef CONFIG_X86_32
- char wp_works_ok; /* It doesn't on 386's */
-
-diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
-index 458da85..8fe41c6 100644
---- a/arch/x86/kernel/amd_nb.c
-+++ b/arch/x86/kernel/amd_nb.c
-@@ -231,7 +231,7 @@ int amd_cache_northbridges(void)
- if (boot_cpu_data.x86 == 0x10 &&
- boot_cpu_data.x86_model >= 0x8 &&
- (boot_cpu_data.x86_model > 0x9 ||
-- boot_cpu_data.x86_mask >= 0x1))
-+ boot_cpu_data.x86_stepping >= 0x1))
- amd_northbridges.flags |= AMD_NB_L3_INDEX_DISABLE;
-
- if (boot_cpu_data.x86 == 0x15)
-diff --git a/arch/x86/kernel/asm-offsets_32.c b/arch/x86/kernel/asm-offsets_32.c
-index 880aa09..36ebb6d 100644
---- a/arch/x86/kernel/asm-offsets_32.c
-+++ b/arch/x86/kernel/asm-offsets_32.c
-@@ -20,7 +20,7 @@ void foo(void)
- OFFSET(CPUINFO_x86, cpuinfo_x86, x86);
- OFFSET(CPUINFO_x86_vendor, cpuinfo_x86, x86_vendor);
- OFFSET(CPUINFO_x86_model, cpuinfo_x86, x86_model);
-- OFFSET(CPUINFO_x86_mask, cpuinfo_x86, x86_mask);
-+ OFFSET(CPUINFO_x86_stepping, cpuinfo_x86, x86_stepping);
- OFFSET(CPUINFO_cpuid_level, cpuinfo_x86, cpuid_level);
- OFFSET(CPUINFO_x86_capability, cpuinfo_x86, x86_capability);
- OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 1b89f0c..c375bc6 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -118,7 +118,7 @@ static void init_amd_k6(struct cpuinfo_x86 *c)
- return;
- }
-
-- if (c->x86_model == 6 && c->x86_mask == 1) {
-+ if (c->x86_model == 6 && c->x86_stepping == 1) {
- const int K6_BUG_LOOP = 1000000;
- int n;
- void (*f_vide)(void);
-@@ -147,7 +147,7 @@ static void init_amd_k6(struct cpuinfo_x86 *c)
-
- /* K6 with old style WHCR */
- if (c->x86_model < 8 ||
-- (c->x86_model == 8 && c->x86_mask < 8)) {
-+ (c->x86_model == 8 && c->x86_stepping < 8)) {
- /* We can only write allocate on the low 508Mb */
- if (mbytes > 508)
- mbytes = 508;
-@@ -166,7 +166,7 @@ static void init_amd_k6(struct cpuinfo_x86 *c)
- return;
- }
-
-- if ((c->x86_model == 8 && c->x86_mask > 7) ||
-+ if ((c->x86_model == 8 && c->x86_stepping > 7) ||
- c->x86_model == 9 || c->x86_model == 13) {
- /* The more serious chips .. */
-
-@@ -219,7 +219,7 @@ static void init_amd_k7(struct cpuinfo_x86 *c)
- * are more robust with CLK_CTL set to 200xxxxx instead of 600xxxxx
- * As per AMD technical note 27212 0.2
- */
-- if ((c->x86_model == 8 && c->x86_mask >= 1) || (c->x86_model > 8)) {
-+ if ((c->x86_model == 8 && c->x86_stepping >= 1) || (c->x86_model > 8)) {
- rdmsr(MSR_K7_CLK_CTL, l, h);
- if ((l & 0xfff00000) != 0x20000000) {
- pr_info("CPU: CLK_CTL MSR was %x. Reprogramming to %x\n",
-@@ -239,12 +239,12 @@ static void init_amd_k7(struct cpuinfo_x86 *c)
- * but they are not certified as MP capable.
- */
- /* Athlon 660/661 is valid. */
-- if ((c->x86_model == 6) && ((c->x86_mask == 0) ||
-- (c->x86_mask == 1)))
-+ if ((c->x86_model == 6) && ((c->x86_stepping == 0) ||
-+ (c->x86_stepping == 1)))
- return;
-
- /* Duron 670 is valid */
-- if ((c->x86_model == 7) && (c->x86_mask == 0))
-+ if ((c->x86_model == 7) && (c->x86_stepping == 0))
- return;
-
- /*
-@@ -254,8 +254,8 @@ static void init_amd_k7(struct cpuinfo_x86 *c)
- * See http://www.heise.de/newsticker/data/jow-18.10.01-000 for
- * more.
- */
-- if (((c->x86_model == 6) && (c->x86_mask >= 2)) ||
-- ((c->x86_model == 7) && (c->x86_mask >= 1)) ||
-+ if (((c->x86_model == 6) && (c->x86_stepping >= 2)) ||
-+ ((c->x86_model == 7) && (c->x86_stepping >= 1)) ||
- (c->x86_model > 7))
- if (cpu_has(c, X86_FEATURE_MP))
- return;
-@@ -569,7 +569,7 @@ static void early_init_amd(struct cpuinfo_x86 *c)
- /* Set MTRR capability flag if appropriate */
- if (c->x86 == 5)
- if (c->x86_model == 13 || c->x86_model == 9 ||
-- (c->x86_model == 8 && c->x86_mask >= 8))
-+ (c->x86_model == 8 && c->x86_stepping >= 8))
- set_cpu_cap(c, X86_FEATURE_K6_MTRR);
- #endif
- #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_PCI)
-@@ -834,11 +834,11 @@ static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size)
- /* AMD errata T13 (order #21922) */
- if ((c->x86 == 6)) {
- /* Duron Rev A0 */
-- if (c->x86_model == 3 && c->x86_mask == 0)
-+ if (c->x86_model == 3 && c->x86_stepping == 0)
- size = 64;
- /* Tbird rev A1/A2 */
- if (c->x86_model == 4 &&
-- (c->x86_mask == 0 || c->x86_mask == 1))
-+ (c->x86_stepping == 0 || c->x86_stepping == 1))
- size = 256;
- }
- return size;
-@@ -975,7 +975,7 @@ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
- }
-
- /* OSVW unavailable or ID unknown, match family-model-stepping range */
-- ms = (cpu->x86_model << 4) | cpu->x86_mask;
-+ ms = (cpu->x86_model << 4) | cpu->x86_stepping;
- while ((range = *erratum++))
- if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) &&
- (ms >= AMD_MODEL_RANGE_START(range)) &&
-diff --git a/arch/x86/kernel/cpu/centaur.c b/arch/x86/kernel/cpu/centaur.c
-index 1661d8e..4d2f61f 100644
---- a/arch/x86/kernel/cpu/centaur.c
-+++ b/arch/x86/kernel/cpu/centaur.c
-@@ -134,7 +134,7 @@ static void init_centaur(struct cpuinfo_x86 *c)
- clear_cpu_cap(c, X86_FEATURE_TSC);
- break;
- case 8:
-- switch (c->x86_mask) {
-+ switch (c->x86_stepping) {
- default:
- name = "2";
- break;
-@@ -209,7 +209,7 @@ centaur_size_cache(struct cpuinfo_x86 *c, unsigned int size)
- * - Note, it seems this may only be in engineering samples.
- */
- if ((c->x86 == 6) && (c->x86_model == 9) &&
-- (c->x86_mask == 1) && (size == 65))
-+ (c->x86_stepping == 1) && (size == 65))
- size -= 1;
- return size;
- }
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 08e89ed..96b2c83 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -699,7 +699,7 @@ void cpu_detect(struct cpuinfo_x86 *c)
- cpuid(0x00000001, &tfms, &misc, &junk, &cap0);
- c->x86 = x86_family(tfms);
- c->x86_model = x86_model(tfms);
-- c->x86_mask = x86_stepping(tfms);
-+ c->x86_stepping = x86_stepping(tfms);
-
- if (cap0 & (1<<19)) {
- c->x86_clflush_size = ((misc >> 8) & 0xff) * 8;
-@@ -1146,7 +1146,7 @@ static void identify_cpu(struct cpuinfo_x86 *c)
- c->loops_per_jiffy = loops_per_jiffy;
- c->x86_cache_size = -1;
- c->x86_vendor = X86_VENDOR_UNKNOWN;
-- c->x86_model = c->x86_mask = 0; /* So far unknown... */
-+ c->x86_model = c->x86_stepping = 0; /* So far unknown... */
- c->x86_vendor_id[0] = '\0'; /* Unset */
- c->x86_model_id[0] = '\0'; /* Unset */
- c->x86_max_cores = 1;
-@@ -1391,8 +1391,8 @@ void print_cpu_info(struct cpuinfo_x86 *c)
-
- pr_cont(" (family: 0x%x, model: 0x%x", c->x86, c->x86_model);
-
-- if (c->x86_mask || c->cpuid_level >= 0)
-- pr_cont(", stepping: 0x%x)\n", c->x86_mask);
-+ if (c->x86_stepping || c->cpuid_level >= 0)
-+ pr_cont(", stepping: 0x%x)\n", c->x86_stepping);
- else
- pr_cont(")\n");
-
-diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c
-index bd9dcd6..455d8ad 100644
---- a/arch/x86/kernel/cpu/cyrix.c
-+++ b/arch/x86/kernel/cpu/cyrix.c
-@@ -212,7 +212,7 @@ static void init_cyrix(struct cpuinfo_x86 *c)
-
- /* common case step number/rev -- exceptions handled below */
- c->x86_model = (dir1 >> 4) + 1;
-- c->x86_mask = dir1 & 0xf;
-+ c->x86_stepping = dir1 & 0xf;
-
- /* Now cook; the original recipe is by Channing Corn, from Cyrix.
- * We do the same thing for each generation: we work out
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index 02cb2e3..6ed206b 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -105,7 +105,7 @@ static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
-
- for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
- if (c->x86_model == spectre_bad_microcodes[i].model &&
-- c->x86_mask == spectre_bad_microcodes[i].stepping)
-+ c->x86_stepping == spectre_bad_microcodes[i].stepping)
- return (c->microcode <= spectre_bad_microcodes[i].microcode);
- }
- return false;
-@@ -158,7 +158,7 @@ static void early_init_intel(struct cpuinfo_x86 *c)
- * need the microcode to have already been loaded... so if it is
- * not, recommend a BIOS update and disable large pages.
- */
-- if (c->x86 == 6 && c->x86_model == 0x1c && c->x86_mask <= 2 &&
-+ if (c->x86 == 6 && c->x86_model == 0x1c && c->x86_stepping <= 2 &&
- c->microcode < 0x20e) {
- pr_warn("Atom PSE erratum detected, BIOS microcode update recommended\n");
- clear_cpu_cap(c, X86_FEATURE_PSE);
-@@ -174,7 +174,7 @@ static void early_init_intel(struct cpuinfo_x86 *c)
-
- /* CPUID workaround for 0F33/0F34 CPU */
- if (c->x86 == 0xF && c->x86_model == 0x3
-- && (c->x86_mask == 0x3 || c->x86_mask == 0x4))
-+ && (c->x86_stepping == 0x3 || c->x86_stepping == 0x4))
- c->x86_phys_bits = 36;
-
- /*
-@@ -289,7 +289,7 @@ int ppro_with_ram_bug(void)
- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
- boot_cpu_data.x86 == 6 &&
- boot_cpu_data.x86_model == 1 &&
-- boot_cpu_data.x86_mask < 8) {
-+ boot_cpu_data.x86_stepping < 8) {
- pr_info("Pentium Pro with Errata#50 detected. Taking evasive action.\n");
- return 1;
- }
-@@ -306,7 +306,7 @@ static void intel_smp_check(struct cpuinfo_x86 *c)
- * Mask B, Pentium, but not Pentium MMX
- */
- if (c->x86 == 5 &&
-- c->x86_mask >= 1 && c->x86_mask <= 4 &&
-+ c->x86_stepping >= 1 && c->x86_stepping <= 4 &&
- c->x86_model <= 3) {
- /*
- * Remember we have B step Pentia with bugs
-@@ -349,7 +349,7 @@ static void intel_workarounds(struct cpuinfo_x86 *c)
- * SEP CPUID bug: Pentium Pro reports SEP but doesn't have it until
- * model 3 mask 3
- */
-- if ((c->x86<<8 | c->x86_model<<4 | c->x86_mask) < 0x633)
-+ if ((c->x86<<8 | c->x86_model<<4 | c->x86_stepping) < 0x633)
- clear_cpu_cap(c, X86_FEATURE_SEP);
-
- /*
-@@ -367,7 +367,7 @@ static void intel_workarounds(struct cpuinfo_x86 *c)
- * P4 Xeon erratum 037 workaround.
- * Hardware prefetcher may cause stale data to be loaded into the cache.
- */
-- if ((c->x86 == 15) && (c->x86_model == 1) && (c->x86_mask == 1)) {
-+ if ((c->x86 == 15) && (c->x86_model == 1) && (c->x86_stepping == 1)) {
- if (msr_set_bit(MSR_IA32_MISC_ENABLE,
- MSR_IA32_MISC_ENABLE_PREFETCH_DISABLE_BIT) > 0) {
- pr_info("CPU: C0 stepping P4 Xeon detected.\n");
-@@ -382,7 +382,7 @@ static void intel_workarounds(struct cpuinfo_x86 *c)
- * Specification Update").
- */
- if (boot_cpu_has(X86_FEATURE_APIC) && (c->x86<<8 | c->x86_model<<4) == 0x520 &&
-- (c->x86_mask < 0x6 || c->x86_mask == 0xb))
-+ (c->x86_stepping < 0x6 || c->x86_stepping == 0xb))
- set_cpu_bug(c, X86_BUG_11AP);
-
-
-@@ -601,7 +601,7 @@ static void init_intel(struct cpuinfo_x86 *c)
- case 6:
- if (l2 == 128)
- p = "Celeron (Mendocino)";
-- else if (c->x86_mask == 0 || c->x86_mask == 5)
-+ else if (c->x86_stepping == 0 || c->x86_stepping == 5)
- p = "Celeron-A";
- break;
-
-diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
-index cdc0dea..5d346c0 100644
---- a/arch/x86/kernel/cpu/microcode/intel.c
-+++ b/arch/x86/kernel/cpu/microcode/intel.c
-@@ -1055,7 +1055,7 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
- enum ucode_state ret;
-
- sprintf(name, "intel-ucode/%02x-%02x-%02x",
-- c->x86, c->x86_model, c->x86_mask);
-+ c->x86, c->x86_model, c->x86_stepping);
-
- if (request_firmware_direct(&firmware, name, device)) {
- pr_debug("data file %s load failed\n", name);
-diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
-index fdc5521..e12ee86 100644
---- a/arch/x86/kernel/cpu/mtrr/generic.c
-+++ b/arch/x86/kernel/cpu/mtrr/generic.c
-@@ -859,7 +859,7 @@ int generic_validate_add_page(unsigned long base, unsigned long size,
- */
- if (is_cpu(INTEL) && boot_cpu_data.x86 == 6 &&
- boot_cpu_data.x86_model == 1 &&
-- boot_cpu_data.x86_mask <= 7) {
-+ boot_cpu_data.x86_stepping <= 7) {
- if (base & ((1 << (22 - PAGE_SHIFT)) - 1)) {
- pr_warn("mtrr: base(0x%lx000) is not 4 MiB aligned\n", base);
- return -EINVAL;
-diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
-index 24e87e7..fae740c 100644
---- a/arch/x86/kernel/cpu/mtrr/main.c
-+++ b/arch/x86/kernel/cpu/mtrr/main.c
-@@ -699,8 +699,8 @@ void __init mtrr_bp_init(void)
- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
- boot_cpu_data.x86 == 0xF &&
- boot_cpu_data.x86_model == 0x3 &&
-- (boot_cpu_data.x86_mask == 0x3 ||
-- boot_cpu_data.x86_mask == 0x4))
-+ (boot_cpu_data.x86_stepping == 0x3 ||
-+ boot_cpu_data.x86_stepping == 0x4))
- phys_addr = 36;
-
- size_or_mask = SIZE_OR_MASK_BITS(phys_addr);
-diff --git a/arch/x86/kernel/cpu/proc.c b/arch/x86/kernel/cpu/proc.c
-index 18ca99f..9e817f2 100644
---- a/arch/x86/kernel/cpu/proc.c
-+++ b/arch/x86/kernel/cpu/proc.c
-@@ -70,8 +70,8 @@ static int show_cpuinfo(struct seq_file *m, void *v)
- c->x86_model,
- c->x86_model_id[0] ? c->x86_model_id : "unknown");
-
-- if (c->x86_mask || c->cpuid_level >= 0)
-- seq_printf(m, "stepping\t: %d\n", c->x86_mask);
-+ if (c->x86_stepping || c->cpuid_level >= 0)
-+ seq_printf(m, "stepping\t: %d\n", c->x86_stepping);
- else
- seq_puts(m, "stepping\t: unknown\n");
- if (c->microcode)
-diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
-index 2dabea4..82155d0 100644
---- a/arch/x86/kernel/head_32.S
-+++ b/arch/x86/kernel/head_32.S
-@@ -35,7 +35,7 @@
- #define X86 new_cpu_data+CPUINFO_x86
- #define X86_VENDOR new_cpu_data+CPUINFO_x86_vendor
- #define X86_MODEL new_cpu_data+CPUINFO_x86_model
--#define X86_MASK new_cpu_data+CPUINFO_x86_mask
-+#define X86_STEPPING new_cpu_data+CPUINFO_x86_stepping
- #define X86_HARD_MATH new_cpu_data+CPUINFO_hard_math
- #define X86_CPUID new_cpu_data+CPUINFO_cpuid_level
- #define X86_CAPABILITY new_cpu_data+CPUINFO_x86_capability
-@@ -441,7 +441,7 @@ enable_paging:
- shrb $4,%al
- movb %al,X86_MODEL
- andb $0x0f,%cl # mask mask revision
-- movb %cl,X86_MASK
-+ movb %cl,X86_STEPPING
- movl %edx,X86_CAPABILITY
-
- is486:
-diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel/mpparse.c
-index 0f8d204..d0fb941 100644
---- a/arch/x86/kernel/mpparse.c
-+++ b/arch/x86/kernel/mpparse.c
-@@ -406,7 +406,7 @@ static inline void __init construct_default_ISA_mptable(int mpc_default_type)
- processor.apicver = mpc_default_type > 4 ? 0x10 : 0x01;
- processor.cpuflag = CPU_ENABLED;
- processor.cpufeature = (boot_cpu_data.x86 << 8) |
-- (boot_cpu_data.x86_model << 4) | boot_cpu_data.x86_mask;
-+ (boot_cpu_data.x86_model << 4) | boot_cpu_data.x86_stepping;
- processor.featureflag = boot_cpu_data.x86_capability[CPUID_1_EDX];
- processor.reserved[0] = 0;
- processor.reserved[1] = 0;
-diff --git a/arch/x86/lib/cpu.c b/arch/x86/lib/cpu.c
-index d6f848d..2dd1fe13 100644
---- a/arch/x86/lib/cpu.c
-+++ b/arch/x86/lib/cpu.c
-@@ -18,7 +18,7 @@ unsigned int x86_model(unsigned int sig)
- {
- unsigned int fam, model;
-
-- fam = x86_family(sig);
-+ fam = x86_family(sig);
-
- model = (sig >> 4) & 0xf;
-
-diff --git a/drivers/char/hw_random/via-rng.c b/drivers/char/hw_random/via-rng.c
-index 44ce806..e278125 100644
---- a/drivers/char/hw_random/via-rng.c
-+++ b/drivers/char/hw_random/via-rng.c
-@@ -166,7 +166,7 @@ static int via_rng_init(struct hwrng *rng)
- /* Enable secondary noise source on CPUs where it is present. */
-
- /* Nehemiah stepping 8 and higher */
-- if ((c->x86_model == 9) && (c->x86_mask > 7))
-+ if ((c->x86_model == 9) && (c->x86_stepping > 7))
- lo |= VIA_NOISESRC2;
-
- /* Esther */
-diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
-index 297e912..1ee3674 100644
---- a/drivers/cpufreq/acpi-cpufreq.c
-+++ b/drivers/cpufreq/acpi-cpufreq.c
-@@ -648,7 +648,7 @@ static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
- if (c->x86_vendor == X86_VENDOR_INTEL) {
- if ((c->x86 == 15) &&
- (c->x86_model == 6) &&
-- (c->x86_mask == 8)) {
-+ (c->x86_stepping == 8)) {
- pr_info("Intel(R) Xeon(R) 7100 Errata AL30, processors may lock up on frequency changes: disabling acpi-cpufreq\n");
- return -ENODEV;
- }
-diff --git a/drivers/cpufreq/longhaul.c b/drivers/cpufreq/longhaul.c
-index c46a12d..d5e27bc 100644
---- a/drivers/cpufreq/longhaul.c
-+++ b/drivers/cpufreq/longhaul.c
-@@ -775,7 +775,7 @@ static int longhaul_cpu_init(struct cpufreq_policy *policy)
- break;
-
- case 7:
-- switch (c->x86_mask) {
-+ switch (c->x86_stepping) {
- case 0:
- longhaul_version = TYPE_LONGHAUL_V1;
- cpu_model = CPU_SAMUEL2;
-@@ -787,7 +787,7 @@ static int longhaul_cpu_init(struct cpufreq_policy *policy)
- break;
- case 1 ... 15:
- longhaul_version = TYPE_LONGHAUL_V2;
-- if (c->x86_mask < 8) {
-+ if (c->x86_stepping < 8) {
- cpu_model = CPU_SAMUEL2;
- cpuname = "C3 'Samuel 2' [C5B]";
- } else {
-@@ -814,7 +814,7 @@ static int longhaul_cpu_init(struct cpufreq_policy *policy)
- numscales = 32;
- memcpy(mults, nehemiah_mults, sizeof(nehemiah_mults));
- memcpy(eblcr, nehemiah_eblcr, sizeof(nehemiah_eblcr));
-- switch (c->x86_mask) {
-+ switch (c->x86_stepping) {
- case 0 ... 1:
- cpu_model = CPU_NEHEMIAH;
- cpuname = "C3 'Nehemiah A' [C5XLOE]";
-diff --git a/drivers/cpufreq/p4-clockmod.c b/drivers/cpufreq/p4-clockmod.c
-index fd77812..a25741b 100644
---- a/drivers/cpufreq/p4-clockmod.c
-+++ b/drivers/cpufreq/p4-clockmod.c
-@@ -168,7 +168,7 @@ static int cpufreq_p4_cpu_init(struct cpufreq_policy *policy)
- #endif
-
- /* Errata workaround */
-- cpuid = (c->x86 << 8) | (c->x86_model << 4) | c->x86_mask;
-+ cpuid = (c->x86 << 8) | (c->x86_model << 4) | c->x86_stepping;
- switch (cpuid) {
- case 0x0f07:
- case 0x0f0a:
-diff --git a/drivers/cpufreq/powernow-k7.c b/drivers/cpufreq/powernow-k7.c
-index 9f013ed..ef276f6 100644
---- a/drivers/cpufreq/powernow-k7.c
-+++ b/drivers/cpufreq/powernow-k7.c
-@@ -131,7 +131,7 @@ static int check_powernow(void)
- return 0;
- }
-
-- if ((c->x86_model == 6) && (c->x86_mask == 0)) {
-+ if ((c->x86_model == 6) && (c->x86_stepping == 0)) {
- pr_info("K7 660[A0] core detected, enabling errata workarounds\n");
- have_a0 = 1;
- }
-diff --git a/drivers/cpufreq/speedstep-centrino.c b/drivers/cpufreq/speedstep-centrino.c
-index 41bc539..4fa5adf 100644
---- a/drivers/cpufreq/speedstep-centrino.c
-+++ b/drivers/cpufreq/speedstep-centrino.c
-@@ -37,7 +37,7 @@ struct cpu_id
- {
- __u8 x86; /* CPU family */
- __u8 x86_model; /* model */
-- __u8 x86_mask; /* stepping */
-+ __u8 x86_stepping; /* stepping */
- };
-
- enum {
-@@ -277,7 +277,7 @@ static int centrino_verify_cpu_id(const struct cpuinfo_x86 *c,
- {
- if ((c->x86 == x->x86) &&
- (c->x86_model == x->x86_model) &&
-- (c->x86_mask == x->x86_mask))
-+ (c->x86_stepping == x->x86_stepping))
- return 1;
- return 0;
- }
-diff --git a/drivers/cpufreq/speedstep-lib.c b/drivers/cpufreq/speedstep-lib.c
-index 1b80621..ade98a2 100644
---- a/drivers/cpufreq/speedstep-lib.c
-+++ b/drivers/cpufreq/speedstep-lib.c
-@@ -272,9 +272,9 @@ unsigned int speedstep_detect_processor(void)
- ebx = cpuid_ebx(0x00000001);
- ebx &= 0x000000FF;
-
-- pr_debug("ebx value is %x, x86_mask is %x\n", ebx, c->x86_mask);
-+ pr_debug("ebx value is %x, x86_stepping is %x\n", ebx, c->x86_stepping);
-
-- switch (c->x86_mask) {
-+ switch (c->x86_stepping) {
- case 4:
- /*
- * B-stepping [M-P4-M]
-@@ -361,7 +361,7 @@ unsigned int speedstep_detect_processor(void)
- msr_lo, msr_hi);
- if ((msr_hi & (1<<18)) &&
- (relaxed_check ? 1 : (msr_hi & (3<<24)))) {
-- if (c->x86_mask == 0x01) {
-+ if (c->x86_stepping == 0x01) {
- pr_debug("early PIII version\n");
- return SPEEDSTEP_CPU_PIII_C_EARLY;
- } else
-diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c
-index 441e86b..9126627 100644
---- a/drivers/crypto/padlock-aes.c
-+++ b/drivers/crypto/padlock-aes.c
-@@ -531,7 +531,7 @@ static int __init padlock_init(void)
-
- printk(KERN_NOTICE PFX "Using VIA PadLock ACE for AES algorithm.\n");
-
-- if (c->x86 == 6 && c->x86_model == 15 && c->x86_mask == 2) {
-+ if (c->x86 == 6 && c->x86_model == 15 && c->x86_stepping == 2) {
- ecb_fetch_blocks = MAX_ECB_FETCH_BLOCKS;
- cbc_fetch_blocks = MAX_CBC_FETCH_BLOCKS;
- printk(KERN_NOTICE PFX "VIA Nano stepping 2 detected: enabling workaround.\n");
-diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
-index 82dab16..3cb3e8b 100644
---- a/drivers/edac/amd64_edac.c
-+++ b/drivers/edac/amd64_edac.c
-@@ -3150,7 +3150,7 @@ static struct amd64_family_type *per_family_init(struct amd64_pvt *pvt)
- struct amd64_family_type *fam_type = NULL;
-
- pvt->ext_model = boot_cpu_data.x86_model >> 4;
-- pvt->stepping = boot_cpu_data.x86_mask;
-+ pvt->stepping = boot_cpu_data.x86_stepping;
- pvt->model = boot_cpu_data.x86_model;
- pvt->fam = boot_cpu_data.x86;
-
-diff --git a/drivers/edac/mce_amd.c b/drivers/edac/mce_amd.c
-index 3af92fc..3d5436f 100644
---- a/drivers/edac/mce_amd.c
-+++ b/drivers/edac/mce_amd.c
-@@ -949,7 +949,7 @@ amd_decode_mce(struct notifier_block *nb, unsigned long val, void *data)
-
- pr_emerg(HW_ERR "CPU:%d (%x:%x:%x) MC%d_STATUS[%s|%s|%s|%s|%s",
- m->extcpu,
-- c->x86, c->x86_model, c->x86_mask,
-+ c->x86, c->x86_model, c->x86_stepping,
- m->bank,
- ((m->status & MCI_STATUS_OVER) ? "Over" : "-"),
- ((m->status & MCI_STATUS_UC) ? "UE" :
-diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
-index 6a27eb2..be1e380 100644
---- a/drivers/hwmon/coretemp.c
-+++ b/drivers/hwmon/coretemp.c
-@@ -269,13 +269,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev)
- for (i = 0; i < ARRAY_SIZE(tjmax_model_table); i++) {
- const struct tjmax_model *tm = &tjmax_model_table[i];
- if (c->x86_model == tm->model &&
-- (tm->mask == ANY || c->x86_mask == tm->mask))
-+ (tm->mask == ANY || c->x86_stepping == tm->mask))
- return tm->tjmax;
- }
-
- /* Early chips have no MSR for TjMax */
-
-- if (c->x86_model == 0xf && c->x86_mask < 4)
-+ if (c->x86_model == 0xf && c->x86_stepping < 4)
- usemsr_ee = 0;
-
- if (c->x86_model > 0xe && usemsr_ee) {
-@@ -426,7 +426,7 @@ static int chk_ucode_version(unsigned int cpu)
- * Readings might stop update when processor visited too deep sleep,
- * fixed for stepping D0 (6EC).
- */
-- if (c->x86_model == 0xe && c->x86_mask < 0xc && c->microcode < 0x39) {
-+ if (c->x86_model == 0xe && c->x86_stepping < 0xc && c->microcode < 0x39) {
- pr_err("Errata AE18 not fixed, update BIOS or microcode of the CPU!\n");
- return -ENODEV;
- }
-diff --git a/drivers/hwmon/hwmon-vid.c b/drivers/hwmon/hwmon-vid.c
-index ef91b8a..84e9128 100644
---- a/drivers/hwmon/hwmon-vid.c
-+++ b/drivers/hwmon/hwmon-vid.c
-@@ -293,7 +293,7 @@ u8 vid_which_vrm(void)
- if (c->x86 < 6) /* Any CPU with family lower than 6 */
- return 0; /* doesn't have VID */
-
-- vrm_ret = find_vrm(c->x86, c->x86_model, c->x86_mask, c->x86_vendor);
-+ vrm_ret = find_vrm(c->x86, c->x86_model, c->x86_stepping, c->x86_vendor);
- if (vrm_ret == 134)
- vrm_ret = get_via_model_d_vrm();
- if (vrm_ret == 0)
-diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c
-index 9cdfde6..0124584 100644
---- a/drivers/hwmon/k10temp.c
-+++ b/drivers/hwmon/k10temp.c
-@@ -179,7 +179,7 @@ static bool has_erratum_319(struct pci_dev *pdev)
- * and AM3 formats, but that's the best we can do.
- */
- return boot_cpu_data.x86_model < 4 ||
-- (boot_cpu_data.x86_model == 4 && boot_cpu_data.x86_mask <= 2);
-+ (boot_cpu_data.x86_model == 4 && boot_cpu_data.x86_stepping <= 2);
- }
-
- static int k10temp_probe(struct pci_dev *pdev,
-diff --git a/drivers/hwmon/k8temp.c b/drivers/hwmon/k8temp.c
-index 734d55d..4865027 100644
---- a/drivers/hwmon/k8temp.c
-+++ b/drivers/hwmon/k8temp.c
-@@ -187,7 +187,7 @@ static int k8temp_probe(struct pci_dev *pdev,
- return -ENOMEM;
-
- model = boot_cpu_data.x86_model;
-- stepping = boot_cpu_data.x86_mask;
-+ stepping = boot_cpu_data.x86_stepping;
-
- /* feature available since SH-C0, exclude older revisions */
- if ((model == 4 && stepping == 0) ||
-diff --git a/drivers/video/fbdev/geode/video_gx.c b/drivers/video/fbdev/geode/video_gx.c
-index 6082f65..67773e8 100644
---- a/drivers/video/fbdev/geode/video_gx.c
-+++ b/drivers/video/fbdev/geode/video_gx.c
-@@ -127,7 +127,7 @@ void gx_set_dclk_frequency(struct fb_info *info)
- int timeout = 1000;
-
- /* Rev. 1 Geode GXs use a 14 MHz reference clock instead of 48 MHz. */
-- if (cpu_data(0).x86_mask == 1) {
-+ if (cpu_data(0).x86_stepping == 1) {
- pll_table = gx_pll_table_14MHz;
- pll_table_len = ARRAY_SIZE(gx_pll_table_14MHz);
- } else {
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpufeatures-Add-CPUID_7_EDX-CPUID-leaf.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpufeatures-Add-CPUID_7_EDX-CPUID-leaf.patch
deleted file mode 100644
index 147b2675..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-cpufeatures-Add-CPUID_7_EDX-CPUID-leaf.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From e187253b583696b67f207047bab1360cabd461c8 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Thu, 25 Jan 2018 16:14:09 +0000
-Subject: [PATCH 08/42] x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
-
-(cherry picked from commit 95ca0ee8636059ea2800dfbac9ecac6212d6b38f)
-
-This is a pure feature bits leaf. There are two AVX512 feature bits in it
-already which were handled as scattered bits, and three more from this leaf
-are going to be added for speculation control features.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Borislav Petkov <bp@suse.de>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: ak@linux.intel.com
-Cc: ashok.raj@intel.com
-Cc: dave.hansen@intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1516896855-7642-2-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeature.h | 7 +++++--
- arch/x86/include/asm/cpufeatures.h | 10 ++++++----
- arch/x86/include/asm/disabled-features.h | 3 ++-
- arch/x86/include/asm/required-features.h | 3 ++-
- arch/x86/kernel/cpu/common.c | 1 +
- arch/x86/kernel/cpu/scattered.c | 2 --
- 6 files changed, 16 insertions(+), 10 deletions(-)
-
-diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index 9ea67a0..8c10157 100644
---- a/arch/x86/include/asm/cpufeature.h
-+++ b/arch/x86/include/asm/cpufeature.h
-@@ -28,6 +28,7 @@ enum cpuid_leafs
- CPUID_8000_000A_EDX,
- CPUID_7_ECX,
- CPUID_8000_0007_EBX,
-+ CPUID_7_EDX,
- };
-
- #ifdef CONFIG_X86_FEATURE_NAMES
-@@ -78,8 +79,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
- CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 15, feature_bit) || \
- CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 16, feature_bit) || \
- CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 17, feature_bit) || \
-+ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 18, feature_bit) || \
- REQUIRED_MASK_CHECK || \
-- BUILD_BUG_ON_ZERO(NCAPINTS != 18))
-+ BUILD_BUG_ON_ZERO(NCAPINTS != 19))
-
- #define DISABLED_MASK_BIT_SET(feature_bit) \
- ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 0, feature_bit) || \
-@@ -100,8 +102,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
- CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 15, feature_bit) || \
- CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 16, feature_bit) || \
- CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 17, feature_bit) || \
-+ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 18, feature_bit) || \
- DISABLED_MASK_CHECK || \
-- BUILD_BUG_ON_ZERO(NCAPINTS != 18))
-+ BUILD_BUG_ON_ZERO(NCAPINTS != 19))
-
- #define cpu_has(c, bit) \
- (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 8537a21..9d4a422 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -12,7 +12,7 @@
- /*
- * Defines x86 CPU feature bits
- */
--#define NCAPINTS 18 /* N 32-bit words worth of info */
-+#define NCAPINTS 19 /* N 32-bit words worth of info */
- #define NBUGINTS 1 /* N 32-bit bug flags */
-
- /*
-@@ -197,9 +197,7 @@
- #define X86_FEATURE_RETPOLINE ( 7*32+12) /* Generic Retpoline mitigation for Spectre variant 2 */
- #define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */
-
--#define X86_FEATURE_AVX512_4VNNIW (7*32+16) /* AVX-512 Neural Network Instructions */
--#define X86_FEATURE_AVX512_4FMAPS (7*32+17) /* AVX-512 Multiply Accumulation Single precision */
--#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* Fill RSB on context switches */
-+#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* Fill RSB on context switches */
-
- /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
- #define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
-@@ -295,6 +293,10 @@
- #define X86_FEATURE_SUCCOR (17*32+1) /* Uncorrectable error containment and recovery */
- #define X86_FEATURE_SMCA (17*32+3) /* Scalable MCA */
-
-+/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
-+#define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */
-+#define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
-+
- /*
- * BUG word(s)
- */
-diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
-index 85599ad..8b45e08 100644
---- a/arch/x86/include/asm/disabled-features.h
-+++ b/arch/x86/include/asm/disabled-features.h
-@@ -57,6 +57,7 @@
- #define DISABLED_MASK15 0
- #define DISABLED_MASK16 (DISABLE_PKU|DISABLE_OSPKE)
- #define DISABLED_MASK17 0
--#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18)
-+#define DISABLED_MASK18 0
-+#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19)
-
- #endif /* _ASM_X86_DISABLED_FEATURES_H */
-diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h
-index fac9a5c..6847d85 100644
---- a/arch/x86/include/asm/required-features.h
-+++ b/arch/x86/include/asm/required-features.h
-@@ -100,6 +100,7 @@
- #define REQUIRED_MASK15 0
- #define REQUIRED_MASK16 0
- #define REQUIRED_MASK17 0
--#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18)
-+#define REQUIRED_MASK18 0
-+#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19)
-
- #endif /* _ASM_X86_REQUIRED_FEATURES_H */
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index d198ae0..4267273 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -737,6 +737,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
- cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx);
- c->x86_capability[CPUID_7_0_EBX] = ebx;
- c->x86_capability[CPUID_7_ECX] = ecx;
-+ c->x86_capability[CPUID_7_EDX] = edx;
- }
-
- /* Extended state features: level 0x0000000d */
-diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
-index b0dd9ae..afbb525 100644
---- a/arch/x86/kernel/cpu/scattered.c
-+++ b/arch/x86/kernel/cpu/scattered.c
-@@ -31,8 +31,6 @@ void init_scattered_cpuid_features(struct cpuinfo_x86 *c)
- const struct cpuid_bit *cb;
-
- static const struct cpuid_bit cpuid_bits[] = {
-- { X86_FEATURE_AVX512_4VNNIW, CR_EDX, 2, 0x00000007, 0 },
-- { X86_FEATURE_AVX512_4FMAPS, CR_EDX, 3, 0x00000007, 0 },
- { X86_FEATURE_APERFMPERF, CR_ECX, 0, 0x00000006, 0 },
- { X86_FEATURE_EPB, CR_ECX, 3, 0x00000006, 0 },
- { X86_FEATURE_HW_PSTATE, CR_EDX, 7, 0x80000007, 0 },
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-mce-Check-for-alternate-indication-of-machine-ch.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-mce-Check-for-alternate-indication-of-machine-ch.patch
deleted file mode 100644
index d8206d02..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-mce-Check-for-alternate-indication-of-machine-ch.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From ed22188fb6b2b43b2af7b1f6714d3befb6fe7965 Mon Sep 17 00:00:00 2001
-From: Tony Luck <tony.luck@intel.com>
-Date: Fri, 25 May 2018 14:42:09 -0700
-Subject: [PATCH 08/10] x86/mce: Check for alternate indication of machine
- check recovery on Skylake
-
-commit 4c5717da1d021cf368eabb3cb1adcaead56c0d1e upstream.
-
-Currently we just check the "CAPID0" register to see whether the CPU
-can recover from machine checks.
-
-But there are also some special SKUs which do not have all advanced
-RAS features, but do enable machine check recovery for use with NVDIMMs.
-
-Add a check for any of bits {8:5} in the "CAPID5" register (each
-reports some NVDIMM mode available, if any of them are set, then
-the system supports memory machine check recovery).
-
-Signed-off-by: Tony Luck <tony.luck@intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
-Cc: Ashok Raj <ashok.raj@intel.com>
-Cc: stable@vger.kernel.org # 4.9
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Borislav Petkov <bp@suse.de>
-Link: https://lkml.kernel.org/r/03cbed6e99ddafb51c2eadf9a3b7c8d7a0cc204e.1527283897.git.tony.luck@intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/quirks.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/quirks.c b/arch/x86/kernel/quirks.c
-index 0bee04d..b57100a 100644
---- a/arch/x86/kernel/quirks.c
-+++ b/arch/x86/kernel/quirks.c
-@@ -643,12 +643,19 @@ static void quirk_intel_brickland_xeon_ras_cap(struct pci_dev *pdev)
- /* Skylake */
- static void quirk_intel_purley_xeon_ras_cap(struct pci_dev *pdev)
- {
-- u32 capid0;
-+ u32 capid0, capid5;
-
- pci_read_config_dword(pdev, 0x84, &capid0);
-+ pci_read_config_dword(pdev, 0x98, &capid5);
-
-- if ((capid0 & 0xc0) == 0xc0)
-+ /*
-+ * CAPID0{7:6} indicate whether this is an advanced RAS SKU
-+ * CAPID5{8:5} indicate that various NVDIMM usage modes are
-+ * enabled, so memory machine check recovery is also enabled.
-+ */
-+ if ((capid0 & 0xc0) == 0xc0 || (capid5 & 0x1e0))
- static_branch_inc(&mcsafe_key);
-+
- }
- DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x0ec3, quirk_intel_brickland_xeon_ras_cap);
- DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x2fc0, quirk_intel_brickland_xeon_ras_cap);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-reboot-Turn-off-KVM-when-halting-a-CPU.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-reboot-Turn-off-KVM-when-halting-a-CPU.patch
deleted file mode 100644
index 1b5231fc..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-reboot-Turn-off-KVM-when-halting-a-CPU.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 7737fc421365d9f2fd328b19fdccf005092d4ec1 Mon Sep 17 00:00:00 2001
-From: Tiantian Feng <fengtiantian@huawei.com>
-Date: Wed, 19 Apr 2017 18:18:39 +0200
-Subject: [PATCH 08/93] x86/reboot: Turn off KVM when halting a CPU
-
-[ Upstream commit fba4f472b33aa81ca1836f57d005455261e9126f ]
-
-A CPU in VMX root mode will ignore INIT signals and will fail to bring
-up the APs after reboot. Therefore, on a panic we disable VMX on all
-CPUs before rebooting or triggering kdump.
-
-Do this when halting the machine as well, in case a firmware-level reboot
-does not perform a cold reset for all processors. Without doing this,
-rebooting the host may hang.
-
-Signed-off-by: Tiantian Feng <fengtiantian@huawei.com>
-Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
-[ Rewritten commit message. ]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: kvm@vger.kernel.org
-Link: http://lkml.kernel.org/r/20170419161839.30550-1-pbonzini@redhat.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/smp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
-index c00cb64..420f2dc 100644
---- a/arch/x86/kernel/smp.c
-+++ b/arch/x86/kernel/smp.c
-@@ -33,6 +33,7 @@
- #include <asm/mce.h>
- #include <asm/trace/irq_vectors.h>
- #include <asm/kexec.h>
-+#include <asm/virtext.h>
-
- /*
- * Some notes on x86 processor bugs affecting SMP operation:
-@@ -162,6 +163,7 @@ static int smp_stop_nmi_callback(unsigned int val, struct pt_regs *regs)
- if (raw_smp_processor_id() == atomic_read(&stopping_cpu))
- return NMI_HANDLED;
-
-+ cpu_emergency_vmxoff();
- stop_this_cpu(NULL);
-
- return NMI_HANDLED;
-@@ -174,6 +176,7 @@ static int smp_stop_nmi_callback(unsigned int val, struct pt_regs *regs)
- asmlinkage __visible void smp_reboot_interrupt(void)
- {
- ipi_entering_ack_irq();
-+ cpu_emergency_vmxoff();
- stop_this_cpu(NULL);
- irq_exit();
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-spectre_v2-Don-t-check-microcode-versions-when-r.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-spectre_v2-Don-t-check-microcode-versions-when-r.patch
deleted file mode 100644
index 0f35decd..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0008-x86-spectre_v2-Don-t-check-microcode-versions-when-r.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 03a686fb1ba599b2ed6b0bb256fa364f629ed2c7 Mon Sep 17 00:00:00 2001
-From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Date: Mon, 26 Feb 2018 09:35:01 -0500
-Subject: [PATCH 08/14] x86/spectre_v2: Don't check microcode versions when
- running under hypervisors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 36268223c1e9981d6cfc33aff8520b3bde4b8114 upstream.
-
-As:
-
- 1) It's known that hypervisors lie about the environment anyhow (host
- mismatch)
-
- 2) Even if the hypervisor (Xen, KVM, VMWare, etc) provided a valid
- "correct" value, it all gets to be very murky when migration happens
- (do you provide the "new" microcode of the machine?).
-
-And in reality the cloud vendors are the ones that should make sure that
-the microcode that is running is correct and we should just sing lalalala
-and trust them.
-
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wanpeng Li <kernellwp@gmail.com>
-Cc: kvm <kvm@vger.kernel.org>
-Cc: Krčmář <rkrcmar@redhat.com>
-Cc: Borislav Petkov <bp@alien8.de>
-CC: "H. Peter Anvin" <hpa@zytor.com>
-CC: stable@vger.kernel.org
-Link: https://lkml.kernel.org/r/20180226213019.GE9497@char.us.oracle.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/intel.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index 6ed206b..7680425 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -103,6 +103,13 @@ static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
- {
- int i;
-
-+ /*
-+ * We know that the hypervisor lie to us on the microcode version so
-+ * we may as well hope that it is running the correct version.
-+ */
-+ if (cpu_has(c, X86_FEATURE_HYPERVISOR))
-+ return false;
-+
- for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
- if (c->x86_model == spectre_bad_microcodes[i].model &&
- c->x86_stepping == spectre_bad_microcodes[i].stepping)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-KVM-x86-ioapic-Preserve-read-only-values-in-the-redi.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-KVM-x86-ioapic-Preserve-read-only-values-in-the-redi.patch
deleted file mode 100644
index 071eccd3..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-KVM-x86-ioapic-Preserve-read-only-values-in-the-redi.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From a4337b660fe26046e81471186dc393ca77371b83 Mon Sep 17 00:00:00 2001
-From: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Date: Sun, 5 Nov 2017 15:52:33 +0200
-Subject: [PATCH 09/33] KVM: x86: ioapic: Preserve read-only values in the
- redirection table
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit b200dded0a6974a3b69599832b2203483920ab25 ]
-
-According to 82093AA (IOAPIC) manual, Remote IRR and Delivery Status are
-read-only. QEMU implements the bits as RO in commit 479c2a1cb7fb
-("ioapic: keep RO bits for IOAPIC entry").
-
-Signed-off-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
-Reviewed-by: Liran Alon <liran.alon@oracle.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Reviewed-by: Steve Rutherford <srutherford@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/ioapic.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
-index 4b573c8..5f810bb 100644
---- a/arch/x86/kvm/ioapic.c
-+++ b/arch/x86/kvm/ioapic.c
-@@ -278,6 +278,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
- {
- unsigned index;
- bool mask_before, mask_after;
-+ int old_remote_irr, old_delivery_status;
- union kvm_ioapic_redirect_entry *e;
-
- switch (ioapic->ioregsel) {
-@@ -300,6 +301,9 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
- return;
- e = &ioapic->redirtbl[index];
- mask_before = e->fields.mask;
-+ /* Preserve read-only fields */
-+ old_remote_irr = e->fields.remote_irr;
-+ old_delivery_status = e->fields.delivery_status;
- if (ioapic->ioregsel & 1) {
- e->bits &= 0xffffffff;
- e->bits |= (u64) val << 32;
-@@ -307,6 +311,8 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
- e->bits &= ~0xffffffffULL;
- e->bits |= (u32) val;
- }
-+ e->fields.remote_irr = old_remote_irr;
-+ e->fields.delivery_status = old_delivery_status;
-
- /*
- * Some OSes (Linux, Xen) assume that Remote IRR bit will
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-Revert-x86-retpoline-Simplify-vmexit_fill_RSB.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-Revert-x86-retpoline-Simplify-vmexit_fill_RSB.patch
deleted file mode 100644
index 19dfa3a4..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-Revert-x86-retpoline-Simplify-vmexit_fill_RSB.patch
+++ /dev/null
@@ -1,263 +0,0 @@
-From d901d344ca4172a49bab9852e993e5a2c47a7fde Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Mon, 19 Feb 2018 10:50:56 +0000
-Subject: [PATCH 09/14] Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
-
-commit d1c99108af3c5992640aa2afa7d2e88c3775c06e upstream.
-
-This reverts commit 1dde7415e99933bb7293d6b2843752cbdb43ec11. By putting
-the RSB filling out of line and calling it, we waste one RSB slot for
-returning from the function itself, which means one fewer actual function
-call we can make if we're doing the Skylake abomination of call-depth
-counting.
-
-It also changed the number of RSB stuffings we do on vmexit from 32,
-which was correct, to 16. Let's just stop with the bikeshedding; it
-didn't actually *fix* anything anyway.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: arjan.van.de.ven@intel.com
-Cc: bp@alien8.de
-Cc: dave.hansen@intel.com
-Cc: jmattson@google.com
-Cc: karahmed@amazon.de
-Cc: kvm@vger.kernel.org
-Cc: pbonzini@redhat.com
-Cc: rkrcmar@redhat.com
-Link: http://lkml.kernel.org/r/1519037457-7643-4-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_32.S | 3 +-
- arch/x86/entry/entry_64.S | 3 +-
- arch/x86/include/asm/asm-prototypes.h | 3 --
- arch/x86/include/asm/nospec-branch.h | 70 +++++++++++++++++++++++++++++++----
- arch/x86/lib/Makefile | 1 -
- arch/x86/lib/retpoline.S | 56 ----------------------------
- 6 files changed, 65 insertions(+), 71 deletions(-)
-
-diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
-index f5434b4..a76dc73 100644
---- a/arch/x86/entry/entry_32.S
-+++ b/arch/x86/entry/entry_32.S
-@@ -237,8 +237,7 @@ ENTRY(__switch_to_asm)
- * exist, overwrite the RSB with entries which capture
- * speculative execution to prevent attack.
- */
-- /* Clobbers %ebx */
-- FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
-+ FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
- #endif
-
- /* restore callee-saved registers */
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index e9120d4..caf79e3 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -331,8 +331,7 @@ ENTRY(__switch_to_asm)
- * exist, overwrite the RSB with entries which capture
- * speculative execution to prevent attack.
- */
-- /* Clobbers %rbx */
-- FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
-+ FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
- #endif
-
- /* restore callee-saved registers */
-diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h
-index 1666542..5a25ada 100644
---- a/arch/x86/include/asm/asm-prototypes.h
-+++ b/arch/x86/include/asm/asm-prototypes.h
-@@ -37,7 +37,4 @@ INDIRECT_THUNK(dx)
- INDIRECT_THUNK(si)
- INDIRECT_THUNK(di)
- INDIRECT_THUNK(bp)
--asmlinkage void __fill_rsb(void);
--asmlinkage void __clear_rsb(void);
--
- #endif /* CONFIG_RETPOLINE */
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 81a1be3..dace2de 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -8,6 +8,50 @@
- #include <asm/cpufeatures.h>
- #include <asm/msr-index.h>
-
-+/*
-+ * Fill the CPU return stack buffer.
-+ *
-+ * Each entry in the RSB, if used for a speculative 'ret', contains an
-+ * infinite 'pause; lfence; jmp' loop to capture speculative execution.
-+ *
-+ * This is required in various cases for retpoline and IBRS-based
-+ * mitigations for the Spectre variant 2 vulnerability. Sometimes to
-+ * eliminate potentially bogus entries from the RSB, and sometimes
-+ * purely to ensure that it doesn't get empty, which on some CPUs would
-+ * allow predictions from other (unwanted!) sources to be used.
-+ *
-+ * We define a CPP macro such that it can be used from both .S files and
-+ * inline assembly. It's possible to do a .macro and then include that
-+ * from C via asm(".include <asm/nospec-branch.h>") but let's not go there.
-+ */
-+
-+#define RSB_CLEAR_LOOPS 32 /* To forcibly overwrite all entries */
-+#define RSB_FILL_LOOPS 16 /* To avoid underflow */
-+
-+/*
-+ * Google experimented with loop-unrolling and this turned out to be
-+ * the optimal version — two calls, each with their own speculation
-+ * trap should their return address end up getting used, in a loop.
-+ */
-+#define __FILL_RETURN_BUFFER(reg, nr, sp) \
-+ mov $(nr/2), reg; \
-+771: \
-+ call 772f; \
-+773: /* speculation trap */ \
-+ pause; \
-+ lfence; \
-+ jmp 773b; \
-+772: \
-+ call 774f; \
-+775: /* speculation trap */ \
-+ pause; \
-+ lfence; \
-+ jmp 775b; \
-+774: \
-+ dec reg; \
-+ jnz 771b; \
-+ add $(BITS_PER_LONG/8) * nr, sp;
-+
- #ifdef __ASSEMBLY__
-
- /*
-@@ -78,10 +122,17 @@
- #endif
- .endm
-
--/* This clobbers the BX register */
--.macro FILL_RETURN_BUFFER nr:req ftr:req
-+ /*
-+ * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP
-+ * monstrosity above, manually.
-+ */
-+.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
- #ifdef CONFIG_RETPOLINE
-- ALTERNATIVE "", "call __clear_rsb", \ftr
-+ ANNOTATE_NOSPEC_ALTERNATIVE
-+ ALTERNATIVE "jmp .Lskip_rsb_\@", \
-+ __stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)) \
-+ \ftr
-+.Lskip_rsb_\@:
- #endif
- .endm
-
-@@ -156,10 +207,15 @@ extern char __indirect_thunk_end[];
- static inline void vmexit_fill_RSB(void)
- {
- #ifdef CONFIG_RETPOLINE
-- alternative_input("",
-- "call __fill_rsb",
-- X86_FEATURE_RETPOLINE,
-- ASM_NO_INPUT_CLOBBER(_ASM_BX, "memory"));
-+ unsigned long loops;
-+
-+ asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE
-+ ALTERNATIVE("jmp 910f",
-+ __stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1)),
-+ X86_FEATURE_RETPOLINE)
-+ "910:"
-+ : "=r" (loops), ASM_CALL_CONSTRAINT
-+ : : "memory" );
- #endif
- }
-
-diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile
-index 4ad7c4d..6bf1898 100644
---- a/arch/x86/lib/Makefile
-+++ b/arch/x86/lib/Makefile
-@@ -26,7 +26,6 @@ lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o
- lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o
- lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o
- lib-$(CONFIG_RETPOLINE) += retpoline.o
--OBJECT_FILES_NON_STANDARD_retpoline.o :=y
-
- obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
-
-diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
-index 480edc3..c909961 100644
---- a/arch/x86/lib/retpoline.S
-+++ b/arch/x86/lib/retpoline.S
-@@ -7,7 +7,6 @@
- #include <asm/alternative-asm.h>
- #include <asm/export.h>
- #include <asm/nospec-branch.h>
--#include <asm/bitsperlong.h>
-
- .macro THUNK reg
- .section .text.__x86.indirect_thunk
-@@ -47,58 +46,3 @@ GENERATE_THUNK(r13)
- GENERATE_THUNK(r14)
- GENERATE_THUNK(r15)
- #endif
--
--/*
-- * Fill the CPU return stack buffer.
-- *
-- * Each entry in the RSB, if used for a speculative 'ret', contains an
-- * infinite 'pause; lfence; jmp' loop to capture speculative execution.
-- *
-- * This is required in various cases for retpoline and IBRS-based
-- * mitigations for the Spectre variant 2 vulnerability. Sometimes to
-- * eliminate potentially bogus entries from the RSB, and sometimes
-- * purely to ensure that it doesn't get empty, which on some CPUs would
-- * allow predictions from other (unwanted!) sources to be used.
-- *
-- * Google experimented with loop-unrolling and this turned out to be
-- * the optimal version - two calls, each with their own speculation
-- * trap should their return address end up getting used, in a loop.
-- */
--.macro STUFF_RSB nr:req sp:req
-- mov $(\nr / 2), %_ASM_BX
-- .align 16
--771:
-- call 772f
--773: /* speculation trap */
-- pause
-- lfence
-- jmp 773b
-- .align 16
--772:
-- call 774f
--775: /* speculation trap */
-- pause
-- lfence
-- jmp 775b
-- .align 16
--774:
-- dec %_ASM_BX
-- jnz 771b
-- add $((BITS_PER_LONG/8) * \nr), \sp
--.endm
--
--#define RSB_FILL_LOOPS 16 /* To avoid underflow */
--
--ENTRY(__fill_rsb)
-- STUFF_RSB RSB_FILL_LOOPS, %_ASM_SP
-- ret
--END(__fill_rsb)
--EXPORT_SYMBOL_GPL(__fill_rsb)
--
--#define RSB_CLEAR_LOOPS 32 /* To forcibly overwrite all entries */
--
--ENTRY(__clear_rsb)
-- STUFF_RSB RSB_CLEAR_LOOPS, %_ASM_SP
-- ret
--END(__clear_rsb)
--EXPORT_SYMBOL_GPL(__clear_rsb)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-kaiser-KAISER-depends-on-SMP.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-kaiser-KAISER-depends-on-SMP.patch
deleted file mode 100644
index 206cd97f..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-kaiser-KAISER-depends-on-SMP.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 876bf15aa8a6a2355ed9f880b5f52f1287e44b39 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Wed, 13 Sep 2017 14:03:10 -0700
-Subject: [PATCH 009/103] kaiser: KAISER depends on SMP
-
-It is absurd that KAISER should depend on SMP, but apparently nobody
-has tried a UP build before: which breaks on implicit declaration of
-function 'per_cpu_offset' in arch/x86/mm/kaiser.c.
-
-Now, you would expect that to be trivially fixed up; but looking at
-the System.map when that block is #ifdef'ed out of kaiser_init(),
-I see that in a UP build __per_cpu_user_mapped_end is precisely at
-__per_cpu_user_mapped_start, and the items carefully gathered into
-that section for user-mapping on SMP, dispersed elsewhere on UP.
-
-So, some other kind of section assignment will be needed on UP,
-but implementing that is not a priority: just make KAISER depend
-on SMP for now.
-
-Also inserted a blank line before the option, tidied up the
-brief Kconfig help message, and added an "If unsure, Y".
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- security/Kconfig | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/security/Kconfig b/security/Kconfig
-index 334d2e8..dc78671 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -30,14 +30,16 @@ config SECURITY
- model will be used.
-
- If you are unsure how to answer this question, answer N.
-+
- config KAISER
- bool "Remove the kernel mapping in user mode"
- default y
-- depends on X86_64
-- depends on !PARAVIRT
-+ depends on X86_64 && SMP && !PARAVIRT
- help
-- This enforces a strict kernel and user space isolation in order to close
-- hardware side channels on kernel address information.
-+ This enforces a strict kernel and user space isolation, in order
-+ to close hardware side channels on kernel address information.
-+
-+ If you are unsure how to answer this question, answer Y.
-
- config KAISER_REAL_SWITCH
- bool "KAISER: actually switch page tables"
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-KASLR-Fix-kexec-kernel-boot-crash-when-KASLR-ran.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-KASLR-Fix-kexec-kernel-boot-crash-when-KASLR-ran.patch
deleted file mode 100644
index 1e9973e7..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-KASLR-Fix-kexec-kernel-boot-crash-when-KASLR-ran.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 29fa51519ae0978980c8fc154eba5b244ad7980f Mon Sep 17 00:00:00 2001
-From: Baoquan He <bhe@redhat.com>
-Date: Thu, 27 Apr 2017 15:42:20 +0800
-Subject: [PATCH 09/93] x86/KASLR: Fix kexec kernel boot crash when KASLR
- randomization fails
-
-[ Upstream commit da63b6b20077469bd6bd96e07991ce145fc4fbc4 ]
-
-Dave found that a kdump kernel with KASLR enabled will reset to the BIOS
-immediately if physical randomization failed to find a new position for
-the kernel. A kernel with the 'nokaslr' option works in this case.
-
-The reason is that KASLR will install a new page table for the identity
-mapping, while it missed building it for the original kernel location
-if KASLR physical randomization fails.
-
-This only happens in the kexec/kdump kernel, because the identity mapping
-has been built for kexec/kdump in the 1st kernel for the whole memory by
-calling init_pgtable(). Here if physical randomizaiton fails, it won't build
-the identity mapping for the original area of the kernel but change to a
-new page table '_pgtable'. Then the kernel will triple fault immediately
-caused by no identity mappings.
-
-The normal kernel won't see this bug, because it comes here via startup_32()
-and CR3 will be set to _pgtable already. In startup_32() the identity
-mapping is built for the 0~4G area. In KASLR we just append to the existing
-area instead of entirely overwriting it for on-demand identity mapping
-building. So the identity mapping for the original area of kernel is still
-there.
-
-To fix it we just switch to the new identity mapping page table when physical
-KASLR succeeds. Otherwise we keep the old page table unchanged just like
-"nokaslr" does.
-
-Signed-off-by: Baoquan He <bhe@redhat.com>
-Signed-off-by: Dave Young <dyoung@redhat.com>
-Acked-by: Kees Cook <keescook@chromium.org>
-Cc: Borislav Petkov <bp@suse.de>
-Cc: Dave Jiang <dave.jiang@intel.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Garnier <thgarnie@google.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Yinghai Lu <yinghai@kernel.org>
-Link: http://lkml.kernel.org/r/1493278940-5885-1-git-send-email-bhe@redhat.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/boot/compressed/kaslr.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
-index a66854d..af42b4d 100644
---- a/arch/x86/boot/compressed/kaslr.c
-+++ b/arch/x86/boot/compressed/kaslr.c
-@@ -463,10 +463,17 @@ void choose_random_location(unsigned long input,
- add_identity_map(random_addr, output_size);
- *output = random_addr;
- }
-+
-+ /*
-+ * This loads the identity mapping page table.
-+ * This should only be done if a new physical address
-+ * is found for the kernel, otherwise we should keep
-+ * the old page table to make it be like the "nokaslr"
-+ * case.
-+ */
-+ finalize_identity_maps();
- }
-
-- /* This actually loads the identity pagetable on x86_64. */
-- finalize_identity_maps();
-
- /* Pick random virtual address starting from LOAD_PHYSICAL_ADDR. */
- if (IS_ENABLED(CONFIG_X86_64))
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-cpufeatures-Add-Intel-feature-bits-for-Speculati.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-cpufeatures-Add-Intel-feature-bits-for-Speculati.patch
deleted file mode 100644
index 1de4e886..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-cpufeatures-Add-Intel-feature-bits-for-Speculati.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From a56ed550fd79c3bab8aa9d0f136086314dc377f5 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Thu, 25 Jan 2018 16:14:10 +0000
-Subject: [PATCH 09/42] x86/cpufeatures: Add Intel feature bits for Speculation
- Control
-
-(cherry picked from commit fc67dd70adb711a45d2ef34e12d1a8be75edde61)
-
-Add three feature bits exposed by new microcode on Intel CPUs for
-speculation control.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Borislav Petkov <bp@suse.de>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: ak@linux.intel.com
-Cc: ashok.raj@intel.com
-Cc: dave.hansen@intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1516896855-7642-3-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 9d4a422..1f03888 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -296,6 +296,9 @@
- /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
- #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */
- #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
-+#define X86_FEATURE_SPEC_CTRL (18*32+26) /* Speculation Control (IBRS + IBPB) */
-+#define X86_FEATURE_STIBP (18*32+27) /* Single Thread Indirect Branch Predictors */
-+#define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
-
- /*
- * BUG word(s)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-mce-Fix-incorrect-Machine-check-from-unknown-sou.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-mce-Fix-incorrect-Machine-check-from-unknown-sou.patch
deleted file mode 100644
index 76fa3b70..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-mce-Fix-incorrect-Machine-check-from-unknown-sou.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 1357825b6905bcf665161dc41b764a83b21954e9 Mon Sep 17 00:00:00 2001
-From: Tony Luck <tony.luck@intel.com>
-Date: Fri, 22 Jun 2018 11:54:23 +0200
-Subject: [PATCH 09/10] x86/mce: Fix incorrect "Machine check from unknown
- source" message
-
-commit 40c36e2741d7fe1e66d6ec55477ba5fd19c9c5d2 upstream.
-
-Some injection testing resulted in the following console log:
-
- mce: [Hardware Error]: CPU 22: Machine Check Exception: f Bank 1: bd80000000100134
- mce: [Hardware Error]: RIP 10:<ffffffffc05292dd> {pmem_do_bvec+0x11d/0x330 [nd_pmem]}
- mce: [Hardware Error]: TSC c51a63035d52 ADDR 3234bc4000 MISC 88
- mce: [Hardware Error]: PROCESSOR 0:50654 TIME 1526502199 SOCKET 0 APIC 38 microcode 2000043
- mce: [Hardware Error]: Run the above through 'mcelog --ascii'
- Kernel panic - not syncing: Machine check from unknown source
-
-This confused everybody because the first line quite clearly shows
-that we found a logged error in "Bank 1", while the last line says
-"unknown source".
-
-The problem is that the Linux code doesn't do the right thing
-for a local machine check that results in a fatal error.
-
-It turns out that we know very early in the handler whether the
-machine check is fatal. The call to mce_no_way_out() has checked
-all the banks for the CPU that took the local machine check. If
-it says we must crash, we can do so right away with the right
-messages.
-
-We do scan all the banks again. This means that we might initially
-not see a problem, but during the second scan find something fatal.
-If this happens we print a slightly different message (so I can
-see if it actually every happens).
-
-[ bp: Remove unneeded severity assignment. ]
-
-Signed-off-by: Tony Luck <tony.luck@intel.com>
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Ashok Raj <ashok.raj@intel.com>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
-Cc: linux-edac <linux-edac@vger.kernel.org>
-Cc: stable@vger.kernel.org # 4.2
-Link: http://lkml.kernel.org/r/52e049a497e86fd0b71c529651def8871c804df0.1527283897.git.tony.luck@intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/mcheck/mce.c | 26 ++++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 72bcd08..4711e1c 100644
---- a/arch/x86/kernel/cpu/mcheck/mce.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce.c
-@@ -1169,13 +1169,18 @@ void do_machine_check(struct pt_regs *regs, long error_code)
- lmce = m.mcgstatus & MCG_STATUS_LMCES;
-
- /*
-+ * Local machine check may already know that we have to panic.
-+ * Broadcast machine check begins rendezvous in mce_start()
- * Go through all banks in exclusion of the other CPUs. This way we
- * don't report duplicated events on shared banks because the first one
-- * to see it will clear it. If this is a Local MCE, then no need to
-- * perform rendezvous.
-+ * to see it will clear it.
- */
-- if (!lmce)
-+ if (lmce) {
-+ if (no_way_out)
-+ mce_panic("Fatal local machine check", &m, msg);
-+ } else {
- order = mce_start(&no_way_out);
-+ }
-
- for (i = 0; i < cfg->banks; i++) {
- __clear_bit(i, toclear);
-@@ -1251,12 +1256,17 @@ void do_machine_check(struct pt_regs *regs, long error_code)
- no_way_out = worst >= MCE_PANIC_SEVERITY;
- } else {
- /*
-- * Local MCE skipped calling mce_reign()
-- * If we found a fatal error, we need to panic here.
-+ * If there was a fatal machine check we should have
-+ * already called mce_panic earlier in this function.
-+ * Since we re-read the banks, we might have found
-+ * something new. Check again to see if we found a
-+ * fatal error. We call "mce_severity()" again to
-+ * make sure we have the right "msg".
- */
-- if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3)
-- mce_panic("Machine check from unknown source",
-- NULL, NULL);
-+ if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) {
-+ mce_severity(&m, cfg->tolerant, &msg, true);
-+ mce_panic("Local fatal machine check!", &m, msg);
-+ }
- }
-
- /*
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-spectre-Fix-an-error-message.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-spectre-Fix-an-error-message.patch
deleted file mode 100644
index b3f35a95..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0009-x86-spectre-Fix-an-error-message.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 6893aed64644e59c2aec9a347e6a324233b81dd7 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Wed, 14 Feb 2018 10:14:17 +0300
-Subject: [PATCH 09/12] x86/spectre: Fix an error message
-
-commit 9de29eac8d2189424d81c0d840cd0469aa3d41c8 upstream.
-
-If i == ARRAY_SIZE(mitigation_options) then we accidentally print
-garbage from one space beyond the end of the mitigation_options[] array.
-
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Borislav Petkov <bp@suse.de>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: KarimAllah Ahmed <karahmed@amazon.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: kernel-janitors@vger.kernel.org
-Fixes: 9005c6834c0f ("x86/spectre: Simplify spectre_v2 command line parsing")
-Link: http://lkml.kernel.org/r/20180214071416.GA26677@mwanda
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/bugs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index b83e0c9..baddc9e 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -173,7 +173,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
- }
-
- if (i >= ARRAY_SIZE(mitigation_options)) {
-- pr_err("unknown option (%s). Switching to AUTO select\n", mitigation_options[i].option);
-+ pr_err("unknown option (%s). Switching to AUTO select\n", arg);
- return SPECTRE_V2_CMD_AUTO;
- }
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-KVM-VMX-Fix-rflags-cache-during-vCPU-reset.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-KVM-VMX-Fix-rflags-cache-during-vCPU-reset.patch
deleted file mode 100644
index 7ab25b0b..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-KVM-VMX-Fix-rflags-cache-during-vCPU-reset.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From fc18f773d54edfedf8875473d8e69753265a3dfd Mon Sep 17 00:00:00 2001
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-Date: Mon, 20 Nov 2017 14:52:21 -0800
-Subject: [PATCH 10/33] KVM: VMX: Fix rflags cache during vCPU reset
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit c37c28730bb031cc8a44a130c2555c0f3efbe2d0 ]
-
-Reported by syzkaller:
-
- *** Guest State ***
- CR0: actual=0x0000000080010031, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
- CR4: actual=0x0000000000002061, shadow=0x0000000000000000, gh_mask=ffffffffffffe8f1
- CR3 = 0x000000002081e000
- RSP = 0x000000000000fffa RIP = 0x0000000000000000
- RFLAGS=0x00023000 DR7 = 0x00000000000000
- ^^^^^^^^^^
- ------------[ cut here ]------------
- WARNING: CPU: 6 PID: 24431 at /home/kernel/linux/arch/x86/kvm//x86.c:7302 kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
- CPU: 6 PID: 24431 Comm: reprotest Tainted: G W OE 4.14.0+ #26
- RIP: 0010:kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
- RSP: 0018:ffff880291d179e0 EFLAGS: 00010202
- Call Trace:
- kvm_vcpu_ioctl+0x479/0x880 [kvm]
- do_vfs_ioctl+0x142/0x9a0
- SyS_ioctl+0x74/0x80
- entry_SYSCALL_64_fastpath+0x23/0x9a
-
-The failed vmentry is triggered by the following beautified testcase:
-
- #include <unistd.h>
- #include <sys/syscall.h>
- #include <string.h>
- #include <stdint.h>
- #include <linux/kvm.h>
- #include <fcntl.h>
- #include <sys/ioctl.h>
-
- long r[5];
- int main()
- {
- struct kvm_debugregs dr = { 0 };
-
- r[2] = open("/dev/kvm", O_RDONLY);
- r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
- r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
- struct kvm_guest_debug debug = {
- .control = 0xf0403,
- .arch = {
- .debugreg[6] = 0x2,
- .debugreg[7] = 0x2
- }
- };
- ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
- ioctl(r[4], KVM_RUN, 0);
- }
-
-which testcase tries to setup the processor specific debug
-registers and configure vCPU for handling guest debug events through
-KVM_SET_GUEST_DEBUG. The KVM_SET_GUEST_DEBUG ioctl will get and set
-rflags in order to set TF bit if single step is needed. All regs' caches
-are reset to avail and GUEST_RFLAGS vmcs field is reset to 0x2 during vCPU
-reset. However, the cache of rflags is not reset during vCPU reset. The
-function vmx_get_rflags() returns an unreset rflags cache value since
-the cache is marked avail, it is 0 after boot. Vmentry fails if the
-rflags reserved bit 1 is 0.
-
-This patch fixes it by resetting both the GUEST_RFLAGS vmcs field and
-its cache to 0x2 during vCPU reset.
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Tested-by: Dmitry Vyukov <dvyukov@google.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Cc: Nadav Amit <nadav.amit@gmail.com>
-Cc: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 8e5001d..98f6545 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -5171,7 +5171,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
- vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
- }
-
-- vmcs_writel(GUEST_RFLAGS, 0x02);
-+ kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
- kvm_rip_write(vcpu, 0xfff0);
-
- vmcs_writel(GUEST_GDTR_BASE, 0);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kaiser-fix-regs-to-do_nmi-ifndef-CONFIG_KAISER.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kaiser-fix-regs-to-do_nmi-ifndef-CONFIG_KAISER.patch
deleted file mode 100644
index 0021537f..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kaiser-fix-regs-to-do_nmi-ifndef-CONFIG_KAISER.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 74fc29fe722da8a939d8fa59e6ba835296c9bc56 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Thu, 21 Sep 2017 20:39:56 -0700
-Subject: [PATCH 010/103] kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER
-
-pjt has observed that nmi's second (nmi_from_kernel) call to do_nmi()
-adjusted the %rdi regs arg, rightly when CONFIG_KAISER, but wrongly
-when not CONFIG_KAISER.
-
-Although the minimal change is to add an #ifdef CONFIG_KAISER around
-the addq line, that looks cluttered, and I prefer how the first call
-to do_nmi() handled it: prepare args in %rdi and %rsi before getting
-into the CONFIG_KAISER block, since it does not touch them at all.
-
-And while we're here, place the "#ifdef CONFIG_KAISER" that follows
-each, to enclose the "Unconditionally restore CR3" comment: matching
-how the "Unconditionally use kernel CR3" comment above is enclosed.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_64.S | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index d84e3a7..57f7993 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -1321,12 +1321,13 @@ ENTRY(nmi)
- movq %rax, %cr3
- #endif
- call do_nmi
-+
-+#ifdef CONFIG_KAISER
- /*
- * Unconditionally restore CR3. I know we return to
- * kernel code that needs user CR3, but do we ever return
- * to "user mode" where we need the kernel CR3?
- */
--#ifdef CONFIG_KAISER
- popq %rax
- mov %rax, %cr3
- #endif
-@@ -1550,6 +1551,8 @@ end_repeat_nmi:
- SWAPGS
- xorl %ebx, %ebx
- 1:
-+ movq %rsp, %rdi
-+ movq $-1, %rsi
- #ifdef CONFIG_KAISER
- /* Unconditionally use kernel CR3 for do_nmi() */
- /* %rax is saved above, so OK to clobber here */
-@@ -1562,16 +1565,14 @@ end_repeat_nmi:
- #endif
-
- /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
-- movq %rsp, %rdi
-- addq $8, %rdi /* point %rdi at ptregs, fixed up for CR3 */
-- movq $-1, %rsi
- call do_nmi
-+
-+#ifdef CONFIG_KAISER
- /*
- * Unconditionally restore CR3. We might be returning to
- * kernel code that needs user CR3, like just just before
- * a sysret.
- */
--#ifdef CONFIG_KAISER
- popq %rax
- mov %rax, %cr3
- #endif
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kvm-x86-fix-icebp-instruction-handling.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kvm-x86-fix-icebp-instruction-handling.patch
deleted file mode 100644
index aef1109b..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-kvm-x86-fix-icebp-instruction-handling.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 694ba89c4cb4e43ae4cb418ea46b1415f6d31ce7 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Tue, 20 Mar 2018 12:16:59 -0700
-Subject: [PATCH 10/93] kvm/x86: fix icebp instruction handling
-
-commit 32d43cd391bacb5f0814c2624399a5dad3501d09 upstream.
-
-The undocumented 'icebp' instruction (aka 'int1') works pretty much like
-'int3' in the absense of in-circuit probing equipment (except,
-obviously, that it raises #DB instead of raising #BP), and is used by
-some validation test-suites as such.
-
-But Andy Lutomirski noticed that his test suite acted differently in kvm
-than on bare hardware.
-
-The reason is that kvm used an inexact test for the icebp instruction:
-it just assumed that an all-zero VM exit qualification value meant that
-the VM exit was due to icebp.
-
-That is not unlike the guess that do_debug() does for the actual
-exception handling case, but it's purely a heuristic, not an absolute
-rule. do_debug() does it because it wants to ascribe _some_ reasons to
-the #DB that happened, and an empty %dr6 value means that 'icebp' is the
-most likely casue and we have no better information.
-
-But kvm can just do it right, because unlike the do_debug() case, kvm
-actually sees the real reason for the #DB in the VM-exit interruption
-information field.
-
-So instead of relying on an inexact heuristic, just use the actual VM
-exit information that says "it was 'icebp'".
-
-Right now the 'icebp' instruction isn't technically documented by Intel,
-but that will hopefully change. The special "privileged software
-exception" information _is_ actually mentioned in the Intel SDM, even
-though the cause of it isn't enumerated.
-
-Reported-by: Andy Lutomirski <luto@kernel.org>
-Tested-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/vmx.h | 1 +
- arch/x86/kvm/vmx.c | 9 ++++++++-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
-index 6899cf1..9cbfbef 100644
---- a/arch/x86/include/asm/vmx.h
-+++ b/arch/x86/include/asm/vmx.h
-@@ -309,6 +309,7 @@ enum vmcs_field {
- #define INTR_TYPE_NMI_INTR (2 << 8) /* NMI */
- #define INTR_TYPE_HARD_EXCEPTION (3 << 8) /* processor exception */
- #define INTR_TYPE_SOFT_INTR (4 << 8) /* software interrupt */
-+#define INTR_TYPE_PRIV_SW_EXCEPTION (5 << 8) /* ICE breakpoint - undocumented */
- #define INTR_TYPE_SOFT_EXCEPTION (6 << 8) /* software exception */
-
- /* GUEST_INTERRUPTIBILITY_INFO flags. */
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 3c3558b..27f505d 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -1053,6 +1053,13 @@ static inline bool is_machine_check(u32 intr_info)
- (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK);
- }
-
-+/* Undocumented: icebp/int1 */
-+static inline bool is_icebp(u32 intr_info)
-+{
-+ return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
-+ == (INTR_TYPE_PRIV_SW_EXCEPTION | INTR_INFO_VALID_MASK);
-+}
-+
- static inline bool cpu_has_vmx_msr_bitmap(void)
- {
- return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS;
-@@ -5708,7 +5715,7 @@ static int handle_exception(struct kvm_vcpu *vcpu)
- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) {
- vcpu->arch.dr6 &= ~15;
- vcpu->arch.dr6 |= dr6 | DR6_RTM;
-- if (!(dr6 & ~DR6_RESERVED)) /* icebp */
-+ if (is_icebp(intr_info))
- skip_emulated_instruction(vcpu);
-
- kvm_queue_exception(vcpu, DB_VECTOR);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpu-Change-type-of-x86_cache_size-variable-to-un.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpu-Change-type-of-x86_cache_size-variable-to-un.patch
deleted file mode 100644
index 68e82a01..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpu-Change-type-of-x86_cache_size-variable-to-un.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 5d671cb212c75a4adebb52863b5e9d370c8c23c1 Mon Sep 17 00:00:00 2001
-From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
-Date: Tue, 13 Feb 2018 13:22:08 -0600
-Subject: [PATCH 10/12] x86/cpu: Change type of x86_cache_size variable to
- unsigned int
-
-commit 24dbc6000f4b9b0ef5a9daecb161f1907733765a upstream.
-
-Currently, x86_cache_size is of type int, which makes no sense as we
-will never have a valid cache size equal or less than 0. So instead of
-initializing this variable to -1, it can perfectly be initialized to 0
-and use it as an unsigned variable instead.
-
-Suggested-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Addresses-Coverity-ID: 1464429
-Link: http://lkml.kernel.org/r/20180213192208.GA26414@embeddedor.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/processor.h | 2 +-
- arch/x86/kernel/cpu/common.c | 2 +-
- arch/x86/kernel/cpu/proc.c | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index df29212..d51e679 100644
---- a/arch/x86/include/asm/processor.h
-+++ b/arch/x86/include/asm/processor.h
-@@ -113,7 +113,7 @@ struct cpuinfo_x86 {
- char x86_vendor_id[16];
- char x86_model_id[64];
- /* in KB - valid for CPUS which support this call: */
-- int x86_cache_size;
-+ unsigned int x86_cache_size;
- int x86_cache_alignment; /* In bytes */
- /* Cache QoS architectural values: */
- int x86_cache_max_rmid; /* max index */
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 96b2c83..301bbd1 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1144,7 +1144,7 @@ static void identify_cpu(struct cpuinfo_x86 *c)
- int i;
-
- c->loops_per_jiffy = loops_per_jiffy;
-- c->x86_cache_size = -1;
-+ c->x86_cache_size = 0;
- c->x86_vendor = X86_VENDOR_UNKNOWN;
- c->x86_model = c->x86_stepping = 0; /* So far unknown... */
- c->x86_vendor_id[0] = '\0'; /* Unset */
-diff --git a/arch/x86/kernel/cpu/proc.c b/arch/x86/kernel/cpu/proc.c
-index 9e817f2..c4f772d 100644
---- a/arch/x86/kernel/cpu/proc.c
-+++ b/arch/x86/kernel/cpu/proc.c
-@@ -87,8 +87,8 @@ static int show_cpuinfo(struct seq_file *m, void *v)
- }
-
- /* Cache size */
-- if (c->x86_cache_size >= 0)
-- seq_printf(m, "cache size\t: %d KB\n", c->x86_cache_size);
-+ if (c->x86_cache_size)
-+ seq_printf(m, "cache size\t: %u KB\n", c->x86_cache_size);
-
- show_cpuinfo_core(m, c, cpu);
- show_cpuinfo_misc(m, c);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpufeatures-Add-AMD-feature-bits-for-Speculation.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpufeatures-Add-AMD-feature-bits-for-Speculation.patch
deleted file mode 100644
index 9417a4ec..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-cpufeatures-Add-AMD-feature-bits-for-Speculation.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 3a855b66f0fb7388b32ed33a536b4f68cd09afc3 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Thu, 25 Jan 2018 16:14:11 +0000
-Subject: [PATCH 10/42] x86/cpufeatures: Add AMD feature bits for Speculation
- Control
-
-(cherry picked from commit 5d10cbc91d9eb5537998b65608441b592eec65e7)
-
-AMD exposes the PRED_CMD/SPEC_CTRL MSRs slightly differently to Intel.
-See http://lkml.kernel.org/r/2b3e25cc-286d-8bd0-aeaf-9ac4aae39de8@amd.com
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Tom Lendacky <thomas.lendacky@amd.com>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: ak@linux.intel.com
-Cc: ashok.raj@intel.com
-Cc: dave.hansen@intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1516896855-7642-4-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 1f03888..c4d03e7 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -258,6 +258,9 @@
- /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
- #define X86_FEATURE_CLZERO (13*32+0) /* CLZERO instruction */
- #define X86_FEATURE_IRPERF (13*32+1) /* Instructions Retired Count */
-+#define X86_FEATURE_AMD_PRED_CMD (13*32+12) /* Prediction Command MSR (AMD) */
-+#define X86_FEATURE_AMD_SPEC_CTRL (13*32+14) /* Speculation Control MSR only (AMD) */
-+#define X86_FEATURE_AMD_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors (AMD) */
-
- /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
- #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-mce-Do-not-overwrite-MCi_STATUS-in-mce_no_way_ou.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-mce-Do-not-overwrite-MCi_STATUS-in-mce_no_way_ou.patch
deleted file mode 100644
index d00a4886..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-mce-Do-not-overwrite-MCi_STATUS-in-mce_no_way_ou.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 754013b3067881c493df74f91ad34099c3a32c61 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <bp@suse.de>
-Date: Fri, 22 Jun 2018 11:54:28 +0200
-Subject: [PATCH 10/10] x86/mce: Do not overwrite MCi_STATUS in
- mce_no_way_out()
-
-commit 1f74c8a64798e2c488f86efc97e308b85fb7d7aa upstream.
-
-mce_no_way_out() does a quick check during #MC to see whether some of
-the MCEs logged would require the kernel to panic immediately. And it
-passes a struct mce where MCi_STATUS gets written.
-
-However, after having saved a valid status value, the next iteration
-of the loop which goes over the MCA banks on the CPU, overwrites the
-valid status value because we're using struct mce as storage instead of
-a temporary variable.
-
-Which leads to MCE records with an empty status value:
-
- mce: [Hardware Error]: CPU 0: Machine Check Exception: 6 Bank 0: 0000000000000000
- mce: [Hardware Error]: RIP 10:<ffffffffbd42fbd7> {trigger_mce+0x7/0x10}
-
-In order to prevent the loss of the status register value, return
-immediately when severity is a panic one so that we can panic
-immediately with the first fatal MCE logged. This is also the intention
-of this function and not to noodle over the banks while a fatal MCE is
-already logged.
-
-Tony: read the rest of the MCA bank to populate the struct mce fully.
-
-Suggested-by: Tony Luck <tony.luck@intel.com>
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: <stable@vger.kernel.org>
-Link: https://lkml.kernel.org/r/20180622095428.626-8-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/mcheck/mce.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 4711e1c..bf6013d 100644
---- a/arch/x86/kernel/cpu/mcheck/mce.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce.c
-@@ -779,23 +779,25 @@ EXPORT_SYMBOL_GPL(machine_check_poll);
- static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
- struct pt_regs *regs)
- {
-- int i, ret = 0;
- char *tmp;
-+ int i;
-
- for (i = 0; i < mca_cfg.banks; i++) {
- m->status = mce_rdmsrl(msr_ops.status(i));
-- if (m->status & MCI_STATUS_VAL) {
-- __set_bit(i, validp);
-- if (quirk_no_way_out)
-- quirk_no_way_out(i, m, regs);
-- }
-+ if (!(m->status & MCI_STATUS_VAL))
-+ continue;
-+
-+ __set_bit(i, validp);
-+ if (quirk_no_way_out)
-+ quirk_no_way_out(i, m, regs);
-
- if (mce_severity(m, mca_cfg.tolerant, &tmp, true) >= MCE_PANIC_SEVERITY) {
-+ mce_read_aux(m, i);
- *msg = tmp;
-- ret = 1;
-+ return 1;
- }
- }
-- return ret;
-+ return 0;
- }
-
- /*
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-speculation-Use-IBRS-if-available-before-calling.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-speculation-Use-IBRS-if-available-before-calling.patch
deleted file mode 100644
index d5bd585e..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0010-x86-speculation-Use-IBRS-if-available-before-calling.patch
+++ /dev/null
@@ -1,232 +0,0 @@
-From d65c0b72013dac24f4e2d0b031ed8bc6b71bfcca Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Mon, 19 Feb 2018 10:50:54 +0000
-Subject: [PATCH 10/14] x86/speculation: Use IBRS if available before calling
- into firmware
-
-commit dd84441a797150dcc49298ec95c459a8891d8bb1 upstream.
-
-Retpoline means the kernel is safe because it has no indirect branches.
-But firmware isn't, so use IBRS for firmware calls if it's available.
-
-Block preemption while IBRS is set, although in practice the call sites
-already had to be doing that.
-
-Ignore hpwdt.c for now. It's taking spinlocks and calling into firmware
-code, from an NMI handler. I don't want to touch that with a bargepole.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: arjan.van.de.ven@intel.com
-Cc: bp@alien8.de
-Cc: dave.hansen@intel.com
-Cc: jmattson@google.com
-Cc: karahmed@amazon.de
-Cc: kvm@vger.kernel.org
-Cc: pbonzini@redhat.com
-Cc: rkrcmar@redhat.com
-Link: http://lkml.kernel.org/r/1519037457-7643-2-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/apm.h | 6 ++++++
- arch/x86/include/asm/cpufeatures.h | 1 +
- arch/x86/include/asm/efi.h | 17 ++++++++++++++--
- arch/x86/include/asm/nospec-branch.h | 39 +++++++++++++++++++++++++++---------
- arch/x86/kernel/cpu/bugs.c | 12 ++++++++++-
- 5 files changed, 63 insertions(+), 12 deletions(-)
-
-diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h
-index 93eebc63..46e40ae 100644
---- a/arch/x86/include/asm/apm.h
-+++ b/arch/x86/include/asm/apm.h
-@@ -6,6 +6,8 @@
- #ifndef _ASM_X86_MACH_DEFAULT_APM_H
- #define _ASM_X86_MACH_DEFAULT_APM_H
-
-+#include <asm/nospec-branch.h>
-+
- #ifdef APM_ZERO_SEGS
- # define APM_DO_ZERO_SEGS \
- "pushl %%ds\n\t" \
-@@ -31,6 +33,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
- * N.B. We do NOT need a cld after the BIOS call
- * because we always save and restore the flags.
- */
-+ firmware_restrict_branch_speculation_start();
- __asm__ __volatile__(APM_DO_ZERO_SEGS
- "pushl %%edi\n\t"
- "pushl %%ebp\n\t"
-@@ -43,6 +46,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
- "=S" (*esi)
- : "a" (func), "b" (ebx_in), "c" (ecx_in)
- : "memory", "cc");
-+ firmware_restrict_branch_speculation_end();
- }
-
- static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in,
-@@ -55,6 +59,7 @@ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in,
- * N.B. We do NOT need a cld after the BIOS call
- * because we always save and restore the flags.
- */
-+ firmware_restrict_branch_speculation_start();
- __asm__ __volatile__(APM_DO_ZERO_SEGS
- "pushl %%edi\n\t"
- "pushl %%ebp\n\t"
-@@ -67,6 +72,7 @@ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in,
- "=S" (si)
- : "a" (func), "b" (ebx_in), "c" (ecx_in)
- : "memory", "cc");
-+ firmware_restrict_branch_speculation_end();
- return error;
- }
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 8eb23f5..ed7a1d2 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -203,6 +203,7 @@
- #define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
-
- #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
-+#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
-
- /* Virtualization flags: Linux defined, word 8 */
- #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
-diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
-index 389d700..9df22bb 100644
---- a/arch/x86/include/asm/efi.h
-+++ b/arch/x86/include/asm/efi.h
-@@ -5,6 +5,7 @@
- #include <asm/pgtable.h>
- #include <asm/processor-flags.h>
- #include <asm/tlb.h>
-+#include <asm/nospec-branch.h>
-
- /*
- * We map the EFI regions needed for runtime services non-contiguously,
-@@ -35,8 +36,18 @@
-
- extern unsigned long asmlinkage efi_call_phys(void *, ...);
-
--#define arch_efi_call_virt_setup() kernel_fpu_begin()
--#define arch_efi_call_virt_teardown() kernel_fpu_end()
-+#define arch_efi_call_virt_setup() \
-+({ \
-+ kernel_fpu_begin(); \
-+ firmware_restrict_branch_speculation_start(); \
-+})
-+
-+#define arch_efi_call_virt_teardown() \
-+({ \
-+ firmware_restrict_branch_speculation_end(); \
-+ kernel_fpu_end(); \
-+})
-+
-
- /*
- * Wrap all the virtual calls in a way that forces the parameters on the stack.
-@@ -72,6 +83,7 @@ struct efi_scratch {
- efi_sync_low_kernel_mappings(); \
- preempt_disable(); \
- __kernel_fpu_begin(); \
-+ firmware_restrict_branch_speculation_start(); \
- \
- if (efi_scratch.use_pgd) { \
- efi_scratch.prev_cr3 = read_cr3(); \
-@@ -90,6 +102,7 @@ struct efi_scratch {
- __flush_tlb_all(); \
- } \
- \
-+ firmware_restrict_branch_speculation_end(); \
- __kernel_fpu_end(); \
- preempt_enable(); \
- })
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index dace2de..031840a 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -219,17 +219,38 @@ static inline void vmexit_fill_RSB(void)
- #endif
- }
-
-+#define alternative_msr_write(_msr, _val, _feature) \
-+ asm volatile(ALTERNATIVE("", \
-+ "movl %[msr], %%ecx\n\t" \
-+ "movl %[val], %%eax\n\t" \
-+ "movl $0, %%edx\n\t" \
-+ "wrmsr", \
-+ _feature) \
-+ : : [msr] "i" (_msr), [val] "i" (_val) \
-+ : "eax", "ecx", "edx", "memory")
-+
- static inline void indirect_branch_prediction_barrier(void)
- {
-- asm volatile(ALTERNATIVE("",
-- "movl %[msr], %%ecx\n\t"
-- "movl %[val], %%eax\n\t"
-- "movl $0, %%edx\n\t"
-- "wrmsr",
-- X86_FEATURE_USE_IBPB)
-- : : [msr] "i" (MSR_IA32_PRED_CMD),
-- [val] "i" (PRED_CMD_IBPB)
-- : "eax", "ecx", "edx", "memory");
-+ alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,
-+ X86_FEATURE_USE_IBPB);
-+}
-+
-+/*
-+ * With retpoline, we must use IBRS to restrict branch prediction
-+ * before calling into firmware.
-+ */
-+static inline void firmware_restrict_branch_speculation_start(void)
-+{
-+ preempt_disable();
-+ alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,
-+ X86_FEATURE_USE_IBRS_FW);
-+}
-+
-+static inline void firmware_restrict_branch_speculation_end(void)
-+{
-+ alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,
-+ X86_FEATURE_USE_IBRS_FW);
-+ preempt_enable();
- }
-
- #endif /* __ASSEMBLY__ */
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index baddc9e..b8b0b6e 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -299,6 +299,15 @@ static void __init spectre_v2_select_mitigation(void)
- setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
- pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
- }
-+
-+ /*
-+ * Retpoline means the kernel is safe because it has no indirect
-+ * branches. But firmware isn't, so use IBRS to protect that.
-+ */
-+ if (boot_cpu_has(X86_FEATURE_IBRS)) {
-+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
-+ pr_info("Enabling Restricted Speculation for firmware calls\n");
-+ }
- }
-
- #undef pr_fmt
-@@ -325,8 +334,9 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c
- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
- return sprintf(buf, "Not affected\n");
-
-- return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-+ return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
- boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
-+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
- spectre_v2_module_string());
- }
- #endif
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-KVM-x86-Make-indirect-calls-in-emulator-speculation-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-KVM-x86-Make-indirect-calls-in-emulator-speculation-.patch
deleted file mode 100644
index 4e1d906b..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-KVM-x86-Make-indirect-calls-in-emulator-speculation-.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From adbb63b59bd2792df649335e7d3c28be2fbbe1c2 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Thu, 25 Jan 2018 10:58:13 +0100
-Subject: [PATCH 11/33] KVM: x86: Make indirect calls in emulator speculation
- safe
-
-(cherry picked from commit 1a29b5b7f347a1a9230c1e0af5b37e3e571588ab)
-
-Replace the indirect calls with CALL_NOSPEC.
-
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Andrea Arcangeli <aarcange@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Ashok Raj <ashok.raj@intel.com>
-Cc: Greg KH <gregkh@linuxfoundation.org>
-Cc: Jun Nakajima <jun.nakajima@intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: rga@amazon.de
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Asit Mallick <asit.k.mallick@intel.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Jason Baron <jbaron@akamai.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Link: https://lkml.kernel.org/r/20180125095843.595615683@infradead.org
-[dwmw2: Use ASM_CALL_CONSTRAINT like upstream, now we have it]
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/emulate.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 9984daf..6faac71 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -25,6 +25,7 @@
- #include <asm/kvm_emulate.h>
- #include <linux/stringify.h>
- #include <asm/debugreg.h>
-+#include <asm/nospec-branch.h>
-
- #include "x86.h"
- #include "tss.h"
-@@ -1012,8 +1013,8 @@ static __always_inline u8 test_cc(unsigned int condition, unsigned long flags)
- void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
-
- flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
-- asm("push %[flags]; popf; call *%[fastop]"
-- : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
-+ asm("push %[flags]; popf; " CALL_NOSPEC
-+ : "=a"(rc) : [thunk_target]"r"(fop), [flags]"r"(flags));
- return rc;
- }
-
-@@ -5287,15 +5288,14 @@ static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
-
- static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
- {
-- register void *__sp asm(_ASM_SP);
- ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
-
- if (!(ctxt->d & ByteOp))
- fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
-
-- asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
-+ asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
- : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
-- [fastop]"+S"(fop), "+r"(__sp)
-+ [thunk_target]"+S"(fop), ASM_CALL_CONSTRAINT
- : "c"(ctxt->src2.val));
-
- ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-bpf-x64-increase-number-of-passes.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-bpf-x64-increase-number-of-passes.patch
deleted file mode 100644
index bf2556b8..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-bpf-x64-increase-number-of-passes.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 1909a1513f6d5b9170e40c4fee98bf2cd57b5b55 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Wed, 7 Mar 2018 22:10:01 +0100
-Subject: [PATCH 11/93] bpf, x64: increase number of passes
-
-commit 6007b080d2e2adb7af22bf29165f0594ea12b34c upstream.
-
-In Cilium some of the main programs we run today are hitting 9 passes
-on x64's JIT compiler, and we've had cases already where we surpassed
-the limit where the JIT then punts the program to the interpreter
-instead, leading to insertion failures due to CONFIG_BPF_JIT_ALWAYS_ON
-or insertion failures due to the prog array owner being JITed but the
-program to insert not (both must have the same JITed/non-JITed property).
-
-One concrete case the program image shrunk from 12,767 bytes down to
-10,288 bytes where the image converged after 16 steps. I've measured
-that this took 340us in the JIT until it converges on my i7-6600U. Thus,
-increase the original limit we had from day one where the JIT covered
-cBPF only back then before we run into the case (as similar with the
-complexity limit) where we trip over this and hit program rejections.
-Also add a cond_resched() into the compilation loop, the JIT process
-runs without any locks and may sleep anyway.
-
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/net/bpf_jit_comp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
-index 1f7ed2e..cd97645 100644
---- a/arch/x86/net/bpf_jit_comp.c
-+++ b/arch/x86/net/bpf_jit_comp.c
-@@ -1135,7 +1135,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
- * may converge on the last pass. In such case do one more
- * pass to emit the final image
- */
-- for (pass = 0; pass < 10 || image; pass++) {
-+ for (pass = 0; pass < 20 || image; pass++) {
- proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
- if (proglen <= 0) {
- image = NULL;
-@@ -1162,6 +1162,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
- }
- }
- oldproglen = proglen;
-+ cond_resched();
- }
-
- if (bpf_jit_enable > 1)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-kaiser-fix-perf-crashes.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-kaiser-fix-perf-crashes.patch
deleted file mode 100644
index b1a35070..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-kaiser-fix-perf-crashes.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From b070484be405393d801b7b9dcd0027875d9fd873 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Wed, 23 Aug 2017 14:21:14 -0700
-Subject: [PATCH 011/103] kaiser: fix perf crashes
-
-Avoid perf crashes: place debug_store in the user-mapped per-cpu area
-instead of allocating, and use page allocator plus kaiser_add_mapping()
-to keep the BTS and PEBS buffers user-mapped (that is, present in the
-user mapping, though visible only to kernel and hardware). The PEBS
-fixup buffer does not need this treatment.
-
-The need for a user-mapped struct debug_store showed up before doing
-any conscious perf testing: in a couple of kernel paging oopses on
-Westmere, implicating the debug_store offset of the per-cpu area.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/events/intel/ds.c | 57 ++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 45 insertions(+), 12 deletions(-)
-
-diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
-index be20239..c2e4ae2 100644
---- a/arch/x86/events/intel/ds.c
-+++ b/arch/x86/events/intel/ds.c
-@@ -2,11 +2,15 @@
- #include <linux/types.h>
- #include <linux/slab.h>
-
-+#include <asm/kaiser.h>
- #include <asm/perf_event.h>
- #include <asm/insn.h>
-
- #include "../perf_event.h"
-
-+static
-+DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct debug_store, cpu_debug_store);
-+
- /* The size of a BTS record in bytes: */
- #define BTS_RECORD_SIZE 24
-
-@@ -268,6 +272,39 @@ void fini_debug_store_on_cpu(int cpu)
-
- static DEFINE_PER_CPU(void *, insn_buffer);
-
-+static void *dsalloc(size_t size, gfp_t flags, int node)
-+{
-+#ifdef CONFIG_KAISER
-+ unsigned int order = get_order(size);
-+ struct page *page;
-+ unsigned long addr;
-+
-+ page = __alloc_pages_node(node, flags | __GFP_ZERO, order);
-+ if (!page)
-+ return NULL;
-+ addr = (unsigned long)page_address(page);
-+ if (kaiser_add_mapping(addr, size, __PAGE_KERNEL) < 0) {
-+ __free_pages(page, order);
-+ addr = 0;
-+ }
-+ return (void *)addr;
-+#else
-+ return kmalloc_node(size, flags | __GFP_ZERO, node);
-+#endif
-+}
-+
-+static void dsfree(const void *buffer, size_t size)
-+{
-+#ifdef CONFIG_KAISER
-+ if (!buffer)
-+ return;
-+ kaiser_remove_mapping((unsigned long)buffer, size);
-+ free_pages((unsigned long)buffer, get_order(size));
-+#else
-+ kfree(buffer);
-+#endif
-+}
-+
- static int alloc_pebs_buffer(int cpu)
- {
- struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
-@@ -278,7 +315,7 @@ static int alloc_pebs_buffer(int cpu)
- if (!x86_pmu.pebs)
- return 0;
-
-- buffer = kzalloc_node(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
-+ buffer = dsalloc(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
- if (unlikely(!buffer))
- return -ENOMEM;
-
-@@ -289,7 +326,7 @@ static int alloc_pebs_buffer(int cpu)
- if (x86_pmu.intel_cap.pebs_format < 2) {
- ibuffer = kzalloc_node(PEBS_FIXUP_SIZE, GFP_KERNEL, node);
- if (!ibuffer) {
-- kfree(buffer);
-+ dsfree(buffer, x86_pmu.pebs_buffer_size);
- return -ENOMEM;
- }
- per_cpu(insn_buffer, cpu) = ibuffer;
-@@ -315,7 +352,8 @@ static void release_pebs_buffer(int cpu)
- kfree(per_cpu(insn_buffer, cpu));
- per_cpu(insn_buffer, cpu) = NULL;
-
-- kfree((void *)(unsigned long)ds->pebs_buffer_base);
-+ dsfree((void *)(unsigned long)ds->pebs_buffer_base,
-+ x86_pmu.pebs_buffer_size);
- ds->pebs_buffer_base = 0;
- }
-
-@@ -329,7 +367,7 @@ static int alloc_bts_buffer(int cpu)
- if (!x86_pmu.bts)
- return 0;
-
-- buffer = kzalloc_node(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
-+ buffer = dsalloc(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
- if (unlikely(!buffer)) {
- WARN_ONCE(1, "%s: BTS buffer allocation failure\n", __func__);
- return -ENOMEM;
-@@ -355,19 +393,15 @@ static void release_bts_buffer(int cpu)
- if (!ds || !x86_pmu.bts)
- return;
-
-- kfree((void *)(unsigned long)ds->bts_buffer_base);
-+ dsfree((void *)(unsigned long)ds->bts_buffer_base, BTS_BUFFER_SIZE);
- ds->bts_buffer_base = 0;
- }
-
- static int alloc_ds_buffer(int cpu)
- {
-- int node = cpu_to_node(cpu);
-- struct debug_store *ds;
--
-- ds = kzalloc_node(sizeof(*ds), GFP_KERNEL, node);
-- if (unlikely(!ds))
-- return -ENOMEM;
-+ struct debug_store *ds = per_cpu_ptr(&cpu_debug_store, cpu);
-
-+ memset(ds, 0, sizeof(*ds));
- per_cpu(cpu_hw_events, cpu).ds = ds;
-
- return 0;
-@@ -381,7 +415,6 @@ static void release_ds_buffer(int cpu)
- return;
-
- per_cpu(cpu_hw_events, cpu).ds = NULL;
-- kfree(ds);
- }
-
- void release_ds_buffers(void)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-microcode-AMD-Change-load_microcode_amd-s-param-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-microcode-AMD-Change-load_microcode_amd-s-param-.patch
deleted file mode 100644
index 00297c34..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-microcode-AMD-Change-load_microcode_amd-s-param-.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From df2f7e0d21ca37bdbdf3fc5b6fa42a9b0bc6fbd6 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <bp@suse.de>
-Date: Mon, 19 Feb 2018 11:13:28 +0100
-Subject: [PATCH 11/12] x86/microcode/AMD: Change load_microcode_amd()'s param
- to bool to fix preemptibility bug
-
-commit dac6ca243c4c49a9ca7507d3d66140ebfac8b04b upstream.
-
-With CONFIG_DEBUG_PREEMPT enabled, I get:
-
- BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
- caller is debug_smp_processor_id
- CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc2+ #2
- Call Trace:
- dump_stack
- check_preemption_disabled
- debug_smp_processor_id
- save_microcode_in_initrd_amd
- ? microcode_init
- save_microcode_in_initrd
- ...
-
-because, well, it says it above, we're using smp_processor_id() in
-preemptible code.
-
-But passing the CPU number is not really needed. It is only used to
-determine whether we're on the BSP, and, if so, to save the microcode
-patch for early loading.
-
- [ We don't absolutely need to do it on the BSP but we do that
- customarily there. ]
-
-Instead, convert that function parameter to a boolean which denotes
-whether the patch should be saved or not, thereby avoiding the use of
-smp_processor_id() in preemptible code.
-
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/20170528200414.31305-1-bp@alien8.de
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-[arnd: rebased to 4.9, after running into warning:
- arch/x86/kernel/cpu/microcode/amd.c:881:30: self-comparison always evaluates to true]
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/microcode_amd.h | 1 -
- arch/x86/kernel/cpu/microcode/amd.c | 17 +++++++++++------
- 2 files changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/include/asm/microcode_amd.h b/arch/x86/include/asm/microcode_amd.h
-index 15eb754..98ccbd1 100644
---- a/arch/x86/include/asm/microcode_amd.h
-+++ b/arch/x86/include/asm/microcode_amd.h
-@@ -59,7 +59,6 @@ static inline u16 find_equiv_id(struct equiv_cpu_entry *equiv_cpu_table,
-
- extern int __apply_microcode_amd(struct microcode_amd *mc_amd);
- extern int apply_microcode_amd(int cpu);
--extern enum ucode_state load_microcode_amd(int cpu, u8 family, const u8 *data, size_t size);
-
- #define PATCH_MAX_SIZE PAGE_SIZE
-
-diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
-index 017bda1..aaab28a 100644
---- a/arch/x86/kernel/cpu/microcode/amd.c
-+++ b/arch/x86/kernel/cpu/microcode/amd.c
-@@ -135,6 +135,9 @@ static size_t compute_container_size(u8 *data, u32 total_size)
- return size;
- }
-
-+static enum ucode_state
-+load_microcode_amd(bool save, u8 family, const u8 *data, size_t size);
-+
- /*
- * Early load occurs before we can vmalloc(). So we look for the microcode
- * patch container file in initrd, traverse equivalent cpu table, look for a
-@@ -451,7 +454,7 @@ int __init save_microcode_in_initrd_amd(void)
- eax = cpuid_eax(0x00000001);
- eax = ((eax >> 8) & 0xf) + ((eax >> 20) & 0xff);
-
-- ret = load_microcode_amd(smp_processor_id(), eax, container, container_size);
-+ ret = load_microcode_amd(true, eax, container, container_size);
- if (ret != UCODE_OK)
- retval = -EINVAL;
-
-@@ -860,7 +863,8 @@ static enum ucode_state __load_microcode_amd(u8 family, const u8 *data,
- return UCODE_OK;
- }
-
--enum ucode_state load_microcode_amd(int cpu, u8 family, const u8 *data, size_t size)
-+static enum ucode_state
-+load_microcode_amd(bool save, u8 family, const u8 *data, size_t size)
- {
- enum ucode_state ret;
-
-@@ -874,8 +878,8 @@ enum ucode_state load_microcode_amd(int cpu, u8 family, const u8 *data, size_t s
-
- #ifdef CONFIG_X86_32
- /* save BSP's matching patch for early load */
-- if (cpu_data(cpu).cpu_index == boot_cpu_data.cpu_index) {
-- struct ucode_patch *p = find_patch(cpu);
-+ if (save) {
-+ struct ucode_patch *p = find_patch(0);
- if (p) {
- memset(amd_ucode_patch, 0, PATCH_MAX_SIZE);
- memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data),
-@@ -907,11 +911,12 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device,
- {
- char fw_name[36] = "amd-ucode/microcode_amd.bin";
- struct cpuinfo_x86 *c = &cpu_data(cpu);
-+ bool bsp = c->cpu_index == boot_cpu_data.cpu_index;
- enum ucode_state ret = UCODE_NFOUND;
- const struct firmware *fw;
-
- /* reload ucode container only on the boot cpu */
-- if (!refresh_fw || c->cpu_index != boot_cpu_data.cpu_index)
-+ if (!refresh_fw || !bsp)
- return UCODE_OK;
-
- if (c->x86 >= 0x15)
-@@ -928,7 +933,7 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device,
- goto fw_release;
- }
-
-- ret = load_microcode_amd(cpu, c->x86, fw->data, fw->size);
-+ ret = load_microcode_amd(bsp, c->x86, fw->data, fw->size);
-
- fw_release:
- release_firmware(fw);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-msr-Add-definitions-for-new-speculation-control-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-msr-Add-definitions-for-new-speculation-control-.patch
deleted file mode 100644
index 311c2e85..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-msr-Add-definitions-for-new-speculation-control-.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From b733a28baec38d991f253a8587a94e9b2948a7d0 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Thu, 25 Jan 2018 16:14:12 +0000
-Subject: [PATCH 11/42] x86/msr: Add definitions for new speculation control
- MSRs
-
-(cherry picked from commit 1e340c60d0dd3ae07b5bedc16a0469c14b9f3410)
-
-Add MSR and bit definitions for SPEC_CTRL, PRED_CMD and ARCH_CAPABILITIES.
-
-See Intel's 336996-Speculative-Execution-Side-Channel-Mitigations.pdf
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: ak@linux.intel.com
-Cc: ashok.raj@intel.com
-Cc: dave.hansen@intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1516896855-7642-5-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/msr-index.h | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index 4eeaa36..0e4da8e 100644
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -37,6 +37,13 @@
- #define EFER_FFXSR (1<<_EFER_FFXSR)
-
- /* Intel MSRs. Some also available on other CPUs */
-+#define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
-+#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
-+#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
-+
-+#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
-+#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */
-+
- #define MSR_IA32_PERFCTR0 0x000000c1
- #define MSR_IA32_PERFCTR1 0x000000c2
- #define MSR_FSB_FREQ 0x000000cd
-@@ -50,6 +57,11 @@
- #define SNB_C3_AUTO_UNDEMOTE (1UL << 28)
-
- #define MSR_MTRRcap 0x000000fe
-+
-+#define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
-+#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */
-+#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */
-+
- #define MSR_IA32_BBL_CR_CTL 0x00000119
- #define MSR_IA32_BBL_CR_CTL3 0x0000011e
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-retpoline-Support-retpoline-builds-with-Clang.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-retpoline-Support-retpoline-builds-with-Clang.patch
deleted file mode 100644
index 6caed4a9..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0011-x86-retpoline-Support-retpoline-builds-with-Clang.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 3de13a223fa7e5d0dc5bb20d87be73f686768daf Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Mon, 19 Feb 2018 10:50:57 +0000
-Subject: [PATCH 11/14] x86/retpoline: Support retpoline builds with Clang
-
-commit 87358710c1fb4f1bf96bbe2349975ff9953fc9b2 upstream.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: arjan.van.de.ven@intel.com
-Cc: bp@alien8.de
-Cc: dave.hansen@intel.com
-Cc: jmattson@google.com
-Cc: karahmed@amazon.de
-Cc: kvm@vger.kernel.org
-Cc: pbonzini@redhat.com
-Cc: rkrcmar@redhat.com
-Link: http://lkml.kernel.org/r/1519037457-7643-5-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/Makefile | 5 ++++-
- include/linux/compiler-clang.h | 5 +++++
- include/linux/compiler-gcc.h | 4 ++++
- include/linux/init.h | 8 ++++----
- 4 files changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index cd22cb8..b609961 100644
---- a/arch/x86/Makefile
-+++ b/arch/x86/Makefile
-@@ -184,7 +184,10 @@ KBUILD_AFLAGS += $(mflags-y)
-
- # Avoid indirect branches in kernel to deal with Spectre
- ifdef CONFIG_RETPOLINE
-- RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)
-+ RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register
-+ RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
-+
-+ RETPOLINE_CFLAGS += $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG)))
- ifneq ($(RETPOLINE_CFLAGS),)
- KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
- endif
-diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
-index de17999..01225b0 100644
---- a/include/linux/compiler-clang.h
-+++ b/include/linux/compiler-clang.h
-@@ -15,3 +15,8 @@
- * with any version that can compile the kernel
- */
- #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
-+
-+/* Clang doesn't have a way to turn it off per-function, yet. */
-+#ifdef __noretpoline
-+#undef __noretpoline
-+#endif
-diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
-index 928e5ca..362a1e17 100644
---- a/include/linux/compiler-gcc.h
-+++ b/include/linux/compiler-gcc.h
-@@ -88,6 +88,10 @@
- #define __weak __attribute__((weak))
- #define __alias(symbol) __attribute__((alias(#symbol)))
-
-+#ifdef RETPOLINE
-+#define __noretpoline __attribute__((indirect_branch("keep")))
-+#endif
-+
- /*
- * it doesn't make sense on ARM (currently the only user of __naked)
- * to trace naked functions because then mcount is called without
-diff --git a/include/linux/init.h b/include/linux/init.h
-index 8e346d1..683508f 100644
---- a/include/linux/init.h
-+++ b/include/linux/init.h
-@@ -5,10 +5,10 @@
- #include <linux/types.h>
-
- /* Built-in __init functions needn't be compiled with retpoline */
--#if defined(RETPOLINE) && !defined(MODULE)
--#define __noretpoline __attribute__((indirect_branch("keep")))
-+#if defined(__noretpoline) && !defined(MODULE)
-+#define __noinitretpoline __noretpoline
- #else
--#define __noretpoline
-+#define __noinitretpoline
- #endif
-
- /* These macros are used to mark some functions or
-@@ -46,7 +46,7 @@
-
- /* These are for everybody (although not all archs will actually
- discard it in modules) */
--#define __init __section(.init.text) __cold notrace __latent_entropy __noretpoline
-+#define __init __section(.init.text) __cold notrace __latent_entropy __noinitretpoline
- #define __initdata __section(.init.data)
- #define __initconst __section(.init.rodata)
- #define __exitdata __section(.exit.data)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-KVM-VMX-Make-indirect-call-speculation-safe.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-KVM-VMX-Make-indirect-call-speculation-safe.patch
deleted file mode 100644
index ba052d9e..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-KVM-VMX-Make-indirect-call-speculation-safe.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 9eee1ba493f5899d7c3793818db16deaf084df21 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Thu, 25 Jan 2018 10:58:14 +0100
-Subject: [PATCH 12/33] KVM: VMX: Make indirect call speculation safe
-
-(cherry picked from commit c940a3fb1e2e9b7d03228ab28f375fb5a47ff699)
-
-Replace indirect call with CALL_NOSPEC.
-
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Andrea Arcangeli <aarcange@redhat.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Ashok Raj <ashok.raj@intel.com>
-Cc: Greg KH <gregkh@linuxfoundation.org>
-Cc: Jun Nakajima <jun.nakajima@intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: rga@amazon.de
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Asit Mallick <asit.k.mallick@intel.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Jason Baron <jbaron@akamai.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Link: https://lkml.kernel.org/r/20180125095843.645776917@infradead.org
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 98f6545..6f3ed0e 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -8659,14 +8659,14 @@ static void vmx_handle_external_intr(struct kvm_vcpu *vcpu)
- #endif
- "pushf\n\t"
- __ASM_SIZE(push) " $%c[cs]\n\t"
-- "call *%[entry]\n\t"
-+ CALL_NOSPEC
- :
- #ifdef CONFIG_X86_64
- [sp]"=&r"(tmp),
- #endif
- "+r"(__sp)
- :
-- [entry]"r"(entry),
-+ THUNK_TARGET(entry),
- [ss]"i"(__KERNEL_DS),
- [cs]"i"(__KERNEL_CS)
- );
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-kaiser-ENOMEM-if-kaiser_pagetable_walk-NULL.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-kaiser-ENOMEM-if-kaiser_pagetable_walk-NULL.patch
deleted file mode 100644
index 74d00005..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-kaiser-ENOMEM-if-kaiser_pagetable_walk-NULL.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 43eb304091f01c302dfec0f98b29072a0022fdf0 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sun, 3 Sep 2017 18:48:02 -0700
-Subject: [PATCH 012/103] kaiser: ENOMEM if kaiser_pagetable_walk() NULL
-
-kaiser_add_user_map() took no notice when kaiser_pagetable_walk() failed.
-And avoid its might_sleep() when atomic (though atomic at present unused).
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/mm/kaiser.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
-index 8d6061c..ba6fc2c 100644
---- a/arch/x86/mm/kaiser.c
-+++ b/arch/x86/mm/kaiser.c
-@@ -98,11 +98,11 @@ static pte_t *kaiser_pagetable_walk(unsigned long address, bool is_atomic)
- pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(address));
- gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
-
-- might_sleep();
- if (is_atomic) {
- gfp &= ~GFP_KERNEL;
- gfp |= __GFP_HIGH | __GFP_ATOMIC;
-- }
-+ } else
-+ might_sleep();
-
- if (pgd_none(*pgd)) {
- WARN_ONCE(1, "All shadow pgds should have been populated");
-@@ -159,13 +159,17 @@ int kaiser_add_user_map(const void *__start_addr, unsigned long size,
- unsigned long end_addr = PAGE_ALIGN(start_addr + size);
- unsigned long target_address;
-
-- for (;address < end_addr; address += PAGE_SIZE) {
-+ for (; address < end_addr; address += PAGE_SIZE) {
- target_address = get_pa_from_mapping(address);
- if (target_address == -1) {
- ret = -EIO;
- break;
- }
- pte = kaiser_pagetable_walk(address, false);
-+ if (!pte) {
-+ ret = -ENOMEM;
-+ break;
-+ }
- if (pte_none(*pte)) {
- set_pte(pte, __pte(flags | target_address));
- } else {
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-entry-64-Clear-extra-registers-beyond-syscall-ar.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-entry-64-Clear-extra-registers-beyond-syscall-ar.patch
deleted file mode 100644
index f8e4bda9..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-entry-64-Clear-extra-registers-beyond-syscall-ar.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From c8c45aa51a96245b04ac18e6f3475d66bc90d4e3 Mon Sep 17 00:00:00 2001
-From: Dan Williams <dan.j.williams@intel.com>
-Date: Fri, 23 Feb 2018 14:06:21 -0800
-Subject: [PATCH 12/12] x86/entry/64: Clear extra registers beyond syscall
- arguments, to reduce speculation attack surface
-
-commit 8e1eb3fa009aa7c0b944b3c8b26b07de0efb3200 upstream.
-
-At entry userspace may have (maliciously) populated the extra registers
-outside the syscall calling convention with arbitrary values that could
-be useful in a speculative execution (Spectre style) attack.
-
-Clear these registers to minimize the kernel's attack surface.
-
-Note, this only clears the extra registers and not the unused
-registers for syscalls less than 6 arguments, since those registers are
-likely to be clobbered well before their values could be put to use
-under speculation.
-
-Note, Linus found that the XOR instructions can be executed with
-minimized cost if interleaved with the PUSH instructions, and Ingo's
-analysis found that R10 and R11 should be included in the register
-clearing beyond the typical 'extra' syscall calling convention
-registers.
-
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Reported-by: Andi Kleen <ak@linux.intel.com>
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Cc: <stable@vger.kernel.org>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/151787988577.7847.16733592218894189003.stgit@dwillia2-desk3.amr.corp.intel.com
-[ Made small improvements to the changelog and the code comments. ]
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_64.S | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index c915eeb..e9120d4 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -176,13 +176,26 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
- pushq %r8 /* pt_regs->r8 */
- pushq %r9 /* pt_regs->r9 */
- pushq %r10 /* pt_regs->r10 */
-+ /*
-+ * Clear extra registers that a speculation attack might
-+ * otherwise want to exploit. Interleave XOR with PUSH
-+ * for better uop scheduling:
-+ */
-+ xorq %r10, %r10 /* nospec r10 */
- pushq %r11 /* pt_regs->r11 */
-+ xorq %r11, %r11 /* nospec r11 */
- pushq %rbx /* pt_regs->rbx */
-+ xorl %ebx, %ebx /* nospec rbx */
- pushq %rbp /* pt_regs->rbp */
-+ xorl %ebp, %ebp /* nospec rbp */
- pushq %r12 /* pt_regs->r12 */
-+ xorq %r12, %r12 /* nospec r12 */
- pushq %r13 /* pt_regs->r13 */
-+ xorq %r13, %r13 /* nospec r13 */
- pushq %r14 /* pt_regs->r14 */
-+ xorq %r14, %r14 /* nospec r14 */
- pushq %r15 /* pt_regs->r15 */
-+ xorq %r15, %r15 /* nospec r15 */
-
- /* IRQs are off. */
- movq %rsp, %rdi
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-mm-kaslr-Use-the-_ASM_MUL-macro-for-multiplicati.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-mm-kaslr-Use-the-_ASM_MUL-macro-for-multiplicati.patch
deleted file mode 100644
index bdb55fda..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-mm-kaslr-Use-the-_ASM_MUL-macro-for-multiplicati.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 280488ceca9427dd91e5ee449d90f8cf16d8e65c Mon Sep 17 00:00:00 2001
-From: Matthias Kaehlcke <mka@chromium.org>
-Date: Mon, 1 May 2017 15:47:41 -0700
-Subject: [PATCH 12/93] x86/mm/kaslr: Use the _ASM_MUL macro for multiplication
- to work around Clang incompatibility
-
-[ Upstream commit 121843eb02a6e2fa30aefab64bfe183c97230c75 ]
-
-The constraint "rm" allows the compiler to put mix_const into memory.
-When the input operand is a memory location then MUL needs an operand
-size suffix, since Clang can't infer the multiplication width from the
-operand.
-
-Add and use the _ASM_MUL macro which determines the operand size and
-resolves to the NUL instruction with the corresponding suffix.
-
-This fixes the following error when building with clang:
-
- CC arch/x86/lib/kaslr.o
- /tmp/kaslr-dfe1ad.s: Assembler messages:
- /tmp/kaslr-dfe1ad.s:182: Error: no instruction mnemonic suffix given and no register operands; can't size instruction
-
-Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
-Cc: Grant Grundler <grundler@chromium.org>
-Cc: Greg Hackmann <ghackmann@google.com>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Michael Davidson <md@google.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/20170501224741.133938-1-mka@chromium.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/asm.h | 1 +
- arch/x86/lib/kaslr.c | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h
-index 7bb29a4..08684b3 100644
---- a/arch/x86/include/asm/asm.h
-+++ b/arch/x86/include/asm/asm.h
-@@ -34,6 +34,7 @@
- #define _ASM_ADD __ASM_SIZE(add)
- #define _ASM_SUB __ASM_SIZE(sub)
- #define _ASM_XADD __ASM_SIZE(xadd)
-+#define _ASM_MUL __ASM_SIZE(mul)
-
- #define _ASM_AX __ASM_REG(ax)
- #define _ASM_BX __ASM_REG(bx)
-diff --git a/arch/x86/lib/kaslr.c b/arch/x86/lib/kaslr.c
-index 121f59c..0c7fe44 100644
---- a/arch/x86/lib/kaslr.c
-+++ b/arch/x86/lib/kaslr.c
-@@ -5,6 +5,7 @@
- * kernel starts. This file is included in the compressed kernel and
- * normally linked in the regular.
- */
-+#include <asm/asm.h>
- #include <asm/kaslr.h>
- #include <asm/msr.h>
- #include <asm/archrandom.h>
-@@ -79,7 +80,7 @@ unsigned long kaslr_get_random_long(const char *purpose)
- }
-
- /* Circular multiply for better bit diffusion */
-- asm("mul %3"
-+ asm(_ASM_MUL "%3"
- : "=a" (random), "=d" (raw)
- : "a" (random), "rm" (mix_const));
- random += raw;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-pti-Do-not-enable-PTI-on-CPUs-which-are-not-vuln.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-pti-Do-not-enable-PTI-on-CPUs-which-are-not-vuln.patch
deleted file mode 100644
index b1f180c1..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-pti-Do-not-enable-PTI-on-CPUs-which-are-not-vuln.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 50f378f14484a86ee783e0e4da697e32295c6694 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Thu, 25 Jan 2018 16:14:13 +0000
-Subject: [PATCH 12/42] x86/pti: Do not enable PTI on CPUs which are not
- vulnerable to Meltdown
-
-(cherry picked from commit fec9434a12f38d3aeafeb75711b71d8a1fdef621)
-
-Also, for CPUs which don't speculate at all, don't report that they're
-vulnerable to the Spectre variants either.
-
-Leave the cpu_no_meltdown[] match table with just X86_VENDOR_AMD in it
-for now, even though that could be done with a simple comparison, on the
-assumption that we'll have more to add.
-
-Based on suggestions from Dave Hansen and Alan Cox.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Borislav Petkov <bp@suse.de>
-Acked-by: Dave Hansen <dave.hansen@intel.com>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: ak@linux.intel.com
-Cc: ashok.raj@intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1516896855-7642-6-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++++++++++++++++++++++++-----
- 1 file changed, 43 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 4267273..cfa026f 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -44,6 +44,8 @@
- #include <asm/pat.h>
- #include <asm/microcode.h>
- #include <asm/microcode_intel.h>
-+#include <asm/intel-family.h>
-+#include <asm/cpu_device_id.h>
-
- #ifdef CONFIG_X86_LOCAL_APIC
- #include <asm/uv/uv.h>
-@@ -838,6 +840,41 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
- #endif
- }
-
-+static const __initdata struct x86_cpu_id cpu_no_speculation[] = {
-+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW, X86_FEATURE_ANY },
-+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW, X86_FEATURE_ANY },
-+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT, X86_FEATURE_ANY },
-+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL, X86_FEATURE_ANY },
-+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW, X86_FEATURE_ANY },
-+ { X86_VENDOR_CENTAUR, 5 },
-+ { X86_VENDOR_INTEL, 5 },
-+ { X86_VENDOR_NSC, 5 },
-+ { X86_VENDOR_ANY, 4 },
-+ {}
-+};
-+
-+static const __initdata struct x86_cpu_id cpu_no_meltdown[] = {
-+ { X86_VENDOR_AMD },
-+ {}
-+};
-+
-+static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c)
-+{
-+ u64 ia32_cap = 0;
-+
-+ if (x86_match_cpu(cpu_no_meltdown))
-+ return false;
-+
-+ if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
-+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
-+
-+ /* Rogue Data Cache Load? No! */
-+ if (ia32_cap & ARCH_CAP_RDCL_NO)
-+ return false;
-+
-+ return true;
-+}
-+
- /*
- * Do minimum CPU detection early.
- * Fields really needed: vendor, cpuid_level, family, model, mask,
-@@ -884,11 +921,12 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
-
- setup_force_cpu_cap(X86_FEATURE_ALWAYS);
-
-- if (c->x86_vendor != X86_VENDOR_AMD)
-- setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
--
-- setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-- setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-+ if (!x86_match_cpu(cpu_no_speculation)) {
-+ if (cpu_vulnerable_to_meltdown(c))
-+ setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
-+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-+ }
-
- fpu__init_system(c);
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-speculation-objtool-Annotate-indirect-calls-jump.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-speculation-objtool-Annotate-indirect-calls-jump.patch
deleted file mode 100644
index 62777941..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0012-x86-speculation-objtool-Annotate-indirect-calls-jump.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 05395f5046a3ff9280cde5804ff4505bbd42b115 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Wed, 17 Jan 2018 22:34:34 +0100
-Subject: [PATCH 12/14] x86/speculation, objtool: Annotate indirect calls/jumps
- for objtool
-
-commit 9e0e3c5130e949c389caabc8033e9799b129e429 upstream.
-
-Annotate the indirect calls/jumps in the CALL_NOSPEC/JUMP_NOSPEC
-alternatives.
-
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/nospec-branch.h | 27 +++++++++++++++++++++++----
- 1 file changed, 23 insertions(+), 4 deletions(-)
-
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 031840a..29e8f30 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -68,6 +68,18 @@
- .endm
-
- /*
-+ * This should be used immediately before an indirect jump/call. It tells
-+ * objtool the subsequent indirect jump/call is vouched safe for retpoline
-+ * builds.
-+ */
-+.macro ANNOTATE_RETPOLINE_SAFE
-+ .Lannotate_\@:
-+ .pushsection .discard.retpoline_safe
-+ _ASM_PTR .Lannotate_\@
-+ .popsection
-+.endm
-+
-+/*
- * These are the bare retpoline primitives for indirect jmp and call.
- * Do not use these directly; they only exist to make the ALTERNATIVE
- * invocation below less ugly.
-@@ -103,9 +115,9 @@
- .macro JMP_NOSPEC reg:req
- #ifdef CONFIG_RETPOLINE
- ANNOTATE_NOSPEC_ALTERNATIVE
-- ALTERNATIVE_2 __stringify(jmp *\reg), \
-+ ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *\reg), \
- __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \
-- __stringify(lfence; jmp *\reg), X86_FEATURE_RETPOLINE_AMD
-+ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg), X86_FEATURE_RETPOLINE_AMD
- #else
- jmp *\reg
- #endif
-@@ -114,9 +126,9 @@
- .macro CALL_NOSPEC reg:req
- #ifdef CONFIG_RETPOLINE
- ANNOTATE_NOSPEC_ALTERNATIVE
-- ALTERNATIVE_2 __stringify(call *\reg), \
-+ ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; call *\reg), \
- __stringify(RETPOLINE_CALL \reg), X86_FEATURE_RETPOLINE,\
-- __stringify(lfence; call *\reg), X86_FEATURE_RETPOLINE_AMD
-+ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; call *\reg), X86_FEATURE_RETPOLINE_AMD
- #else
- call *\reg
- #endif
-@@ -144,6 +156,12 @@
- ".long 999b - .\n\t" \
- ".popsection\n\t"
-
-+#define ANNOTATE_RETPOLINE_SAFE \
-+ "999:\n\t" \
-+ ".pushsection .discard.retpoline_safe\n\t" \
-+ _ASM_PTR " 999b\n\t" \
-+ ".popsection\n\t"
-+
- #if defined(CONFIG_X86_64) && defined(RETPOLINE)
-
- /*
-@@ -153,6 +171,7 @@
- # define CALL_NOSPEC \
- ANNOTATE_NOSPEC_ALTERNATIVE \
- ALTERNATIVE( \
-+ ANNOTATE_RETPOLINE_SAFE \
- "call *%[thunk_target]\n", \
- "call __x86_indirect_thunk_%V[thunk_target]\n", \
- X86_FEATURE_RETPOLINE)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-KVM-X86-Fix-preempt-the-preemption-timer-cancel.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-KVM-X86-Fix-preempt-the-preemption-timer-cancel.patch
deleted file mode 100644
index 4331a9f4..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-KVM-X86-Fix-preempt-the-preemption-timer-cancel.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From b541de5f53d608796a946a42f5c3251e4dd07522 Mon Sep 17 00:00:00 2001
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-Date: Sat, 20 May 2017 20:32:32 -0700
-Subject: [PATCH 13/93] KVM: X86: Fix preempt the preemption timer cancel
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit 5acc1ca4fb15f00bfa3d4046e35ca381bc25d580 ]
-
-Preemption can occur during cancel preemption timer, and there will be
-inconsistent status in lapic, vmx and vmcs field.
-
- CPU0 CPU1
-
- preemption timer vmexit
- handle_preemption_timer(vCPU0)
- kvm_lapic_expired_hv_timer
- vmx_cancel_hv_timer
- vmx->hv_deadline_tsc = -1
- vmcs_clear_bits
- /* hv_timer_in_use still true */
- sched_out
- sched_in
- kvm_arch_vcpu_load
- vmx_set_hv_timer
- write vmx->hv_deadline_tsc
- vmcs_set_bits
- /* back in kvm_lapic_expired_hv_timer */
- hv_timer_in_use = false
- ...
- vmx_vcpu_run
- vmx_arm_hv_run
- write preemption timer deadline
- spurious preemption timer vmexit
- handle_preemption_timer(vCPU0)
- kvm_lapic_expired_hv_timer
- WARN_ON(!apic->lapic_timer.hv_timer_in_use);
-
-This can be reproduced sporadically during boot of L2 on a
-preemptible L1, causing a splat on L1.
-
- WARNING: CPU: 3 PID: 1952 at arch/x86/kvm/lapic.c:1529 kvm_lapic_expired_hv_timer+0xb5/0xd0 [kvm]
- CPU: 3 PID: 1952 Comm: qemu-system-x86 Not tainted 4.12.0-rc1+ #24 RIP: 0010:kvm_lapic_expired_hv_timer+0xb5/0xd0 [kvm]
- Call Trace:
- handle_preemption_timer+0xe/0x20 [kvm_intel]
- vmx_handle_exit+0xc9/0x15f0 [kvm_intel]
- ? lock_acquire+0xdb/0x250
- ? lock_acquire+0xdb/0x250
- ? kvm_arch_vcpu_ioctl_run+0xdf3/0x1ce0 [kvm]
- kvm_arch_vcpu_ioctl_run+0xe55/0x1ce0 [kvm]
- kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
- ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
- ? __fget+0xf3/0x210
- do_vfs_ioctl+0xa4/0x700
- ? __fget+0x114/0x210
- SyS_ioctl+0x79/0x90
- do_syscall_64+0x8f/0x750
- ? trace_hardirqs_on_thunk+0x1a/0x1c
- entry_SYSCALL64_slow_path+0x25/0x25
-
-This patch fixes it by disabling preemption while cancelling
-preemption timer. This way cancel_hv_timer is atomic with
-respect to kvm_arch_vcpu_load.
-
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/lapic.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 3f05c04..650ff4a 100644
---- a/arch/x86/kvm/lapic.c
-+++ b/arch/x86/kvm/lapic.c
-@@ -1358,8 +1358,10 @@ EXPORT_SYMBOL_GPL(kvm_lapic_hv_timer_in_use);
-
- static void cancel_hv_tscdeadline(struct kvm_lapic *apic)
- {
-+ preempt_disable();
- kvm_x86_ops->cancel_hv_timer(apic->vcpu);
- apic->lapic_timer.hv_timer_in_use = false;
-+ preempt_enable();
- }
-
- void kvm_lapic_expired_hv_timer(struct kvm_vcpu *vcpu)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-kaiser-tidied-up-asm-kaiser.h-somewhat.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-kaiser-tidied-up-asm-kaiser.h-somewhat.patch
deleted file mode 100644
index 61cff38e..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-kaiser-tidied-up-asm-kaiser.h-somewhat.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 7bb8f481c84ef1755e442700593f0ef10857c108 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sun, 3 Sep 2017 19:18:07 -0700
-Subject: [PATCH 013/103] kaiser: tidied up asm/kaiser.h somewhat
-
-Mainly deleting a surfeit of blank lines, and reflowing header comment.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/kaiser.h | 32 +++++++++++++-------------------
- 1 file changed, 13 insertions(+), 19 deletions(-)
-
-diff --git a/arch/x86/include/asm/kaiser.h b/arch/x86/include/asm/kaiser.h
-index 0703f48..7394ba9 100644
---- a/arch/x86/include/asm/kaiser.h
-+++ b/arch/x86/include/asm/kaiser.h
-@@ -1,15 +1,17 @@
- #ifndef _ASM_X86_KAISER_H
- #define _ASM_X86_KAISER_H
--
--/* This file includes the definitions for the KAISER feature.
-- * KAISER is a counter measure against x86_64 side channel attacks on the kernel virtual memory.
-- * It has a shodow-pgd for every process. the shadow-pgd has a minimalistic kernel-set mapped,
-- * but includes the whole user memory. Within a kernel context switch, or when an interrupt is handled,
-- * the pgd is switched to the normal one. When the system switches to user mode, the shadow pgd is enabled.
-- * By this, the virtual memory chaches are freed, and the user may not attack the whole kernel memory.
-+/*
-+ * This file includes the definitions for the KAISER feature.
-+ * KAISER is a counter measure against x86_64 side channel attacks on
-+ * the kernel virtual memory. It has a shadow pgd for every process: the
-+ * shadow pgd has a minimalistic kernel-set mapped, but includes the whole
-+ * user memory. Within a kernel context switch, or when an interrupt is handled,
-+ * the pgd is switched to the normal one. When the system switches to user mode,
-+ * the shadow pgd is enabled. By this, the virtual memory caches are freed,
-+ * and the user may not attack the whole kernel memory.
- *
-- * A minimalistic kernel mapping holds the parts needed to be mapped in user mode, as the entry/exit functions
-- * of the user space, or the stacks.
-+ * A minimalistic kernel mapping holds the parts needed to be mapped in user
-+ * mode, such as the entry/exit functions of the user space, or the stacks.
- */
- #ifdef __ASSEMBLY__
- #ifdef CONFIG_KAISER
-@@ -48,13 +50,10 @@ _SWITCH_TO_KERNEL_CR3 %rax
- movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
- .endm
-
--
- .macro SWITCH_USER_CR3_NO_STACK
--
- movq %rax, PER_CPU_VAR(unsafe_stack_register_backup)
- _SWITCH_TO_USER_CR3 %rax
- movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
--
- .endm
-
- #else /* CONFIG_KAISER */
-@@ -72,7 +71,6 @@ movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
-
- #else /* __ASSEMBLY__ */
-
--
- #ifdef CONFIG_KAISER
- /*
- * Upon kernel/user mode switch, it may happen that the address
-@@ -80,7 +78,6 @@ movq PER_CPU_VAR(unsafe_stack_register_backup), %rax
- * stored. To change the address space, another register is
- * needed. A register therefore has to be stored/restored.
- */
--
- DECLARE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
-
- /**
-@@ -95,7 +92,6 @@ DECLARE_PER_CPU_USER_MAPPED(unsigned long, unsafe_stack_register_backup);
- */
- extern int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags);
-
--
- /**
- * kaiser_remove_mapping - unmap a virtual memory part of the shadow mapping
- * @addr: the start address of the range
-@@ -104,12 +100,12 @@ extern int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned l
- extern void kaiser_remove_mapping(unsigned long start, unsigned long size);
-
- /**
-- * kaiser_initialize_mapping - Initalize the shadow mapping
-+ * kaiser_init - Initialize the shadow mapping
- *
- * Most parts of the shadow mapping can be mapped upon boot
- * time. Only per-process things like the thread stacks
- * or a new LDT have to be mapped at runtime. These boot-
-- * time mappings are permanent and nevertunmapped.
-+ * time mappings are permanent and never unmapped.
- */
- extern void kaiser_init(void);
-
-@@ -117,6 +113,4 @@ extern void kaiser_init(void);
-
- #endif /* __ASSEMBLY */
-
--
--
- #endif /* _ASM_X86_KAISER_H */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-boot-objtool-Annotate-indirect-jump-in-secondary.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-boot-objtool-Annotate-indirect-jump-in-secondary.patch
deleted file mode 100644
index 7fa185ec..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-boot-objtool-Annotate-indirect-jump-in-secondary.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 8642e6bac57983a63f16725873f6df03a16c5e14 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Tue, 16 Jan 2018 10:38:09 +0100
-Subject: [PATCH 13/14] x86/boot, objtool: Annotate indirect jump in
- secondary_startup_64()
-
-commit bd89004f6305cbf7352238f61da093207ee518d6 upstream.
-
-The objtool retpoline validation found this indirect jump. Seeing how
-it's on CPU bringup before we run userspace it should be safe, annotate
-it.
-
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/head_64.S | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 67cd7c1..9d72cf5 100644
---- a/arch/x86/kernel/head_64.S
-+++ b/arch/x86/kernel/head_64.S
-@@ -22,6 +22,7 @@
- #include <asm/nops.h>
- #include "../entry/calling.h"
- #include <asm/export.h>
-+#include <asm/nospec-branch.h>
-
- #ifdef CONFIG_PARAVIRT
- #include <asm/asm-offsets.h>
-@@ -200,6 +201,7 @@ ENTRY(secondary_startup_64)
-
- /* Ensure I am executing from virtual addresses */
- movq $1f, %rax
-+ ANNOTATE_RETPOLINE_SAFE
- jmp *%rax
- 1:
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-cpufeature-Blacklist-SPEC_CTRL-PRED_CMD-on-early.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-cpufeature-Blacklist-SPEC_CTRL-PRED_CMD-on-early.patch
deleted file mode 100644
index 7377d2cd..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-cpufeature-Blacklist-SPEC_CTRL-PRED_CMD-on-early.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From ba3461b1d9bf51d9719e001f3095a2f4b9b7031d Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Thu, 25 Jan 2018 16:14:14 +0000
-Subject: [PATCH 13/42] x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early
- Spectre v2 microcodes
-
-(cherry picked from commit a5b2966364538a0e68c9fa29bc0a3a1651799035)
-
-This doesn't refuse to load the affected microcodes; it just refuses to
-use the Spectre v2 mitigation features if they're detected, by clearing
-the appropriate feature bits.
-
-The AMD CPUID bits are handled here too, because hypervisors *may* have
-been exposing those bits even on Intel chips, for fine-grained control
-of what's available.
-
-It is non-trivial to use x86_match_cpu() for this table because that
-doesn't handle steppings. And the approach taken in commit bd9240a18
-almost made me lose my lunch.
-
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: ak@linux.intel.com
-Cc: ashok.raj@intel.com
-Cc: dave.hansen@intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1516896855-7642-7-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/intel-family.h | 7 ++--
- arch/x86/kernel/cpu/intel.c | 66 +++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
-index 34a46dc..75b748a 100644
---- a/arch/x86/include/asm/intel-family.h
-+++ b/arch/x86/include/asm/intel-family.h
-@@ -12,6 +12,7 @@
- */
-
- #define INTEL_FAM6_CORE_YONAH 0x0E
-+
- #define INTEL_FAM6_CORE2_MEROM 0x0F
- #define INTEL_FAM6_CORE2_MEROM_L 0x16
- #define INTEL_FAM6_CORE2_PENRYN 0x17
-@@ -21,6 +22,7 @@
- #define INTEL_FAM6_NEHALEM_G 0x1F /* Auburndale / Havendale */
- #define INTEL_FAM6_NEHALEM_EP 0x1A
- #define INTEL_FAM6_NEHALEM_EX 0x2E
-+
- #define INTEL_FAM6_WESTMERE 0x25
- #define INTEL_FAM6_WESTMERE_EP 0x2C
- #define INTEL_FAM6_WESTMERE_EX 0x2F
-@@ -36,9 +38,9 @@
- #define INTEL_FAM6_HASWELL_GT3E 0x46
-
- #define INTEL_FAM6_BROADWELL_CORE 0x3D
--#define INTEL_FAM6_BROADWELL_XEON_D 0x56
- #define INTEL_FAM6_BROADWELL_GT3E 0x47
- #define INTEL_FAM6_BROADWELL_X 0x4F
-+#define INTEL_FAM6_BROADWELL_XEON_D 0x56
-
- #define INTEL_FAM6_SKYLAKE_MOBILE 0x4E
- #define INTEL_FAM6_SKYLAKE_DESKTOP 0x5E
-@@ -57,9 +59,10 @@
- #define INTEL_FAM6_ATOM_SILVERMONT2 0x4D /* Avaton/Rangely */
- #define INTEL_FAM6_ATOM_AIRMONT 0x4C /* CherryTrail / Braswell */
- #define INTEL_FAM6_ATOM_MERRIFIELD 0x4A /* Tangier */
--#define INTEL_FAM6_ATOM_MOOREFIELD 0x5A /* Annidale */
-+#define INTEL_FAM6_ATOM_MOOREFIELD 0x5A /* Anniedale */
- #define INTEL_FAM6_ATOM_GOLDMONT 0x5C
- #define INTEL_FAM6_ATOM_DENVERTON 0x5F /* Goldmont Microserver */
-+#define INTEL_FAM6_ATOM_GEMINI_LAKE 0x7A
-
- /* Xeon Phi */
-
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index fcd484d..4d23d78 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -61,6 +61,59 @@ void check_mpx_erratum(struct cpuinfo_x86 *c)
- }
- }
-
-+/*
-+ * Early microcode releases for the Spectre v2 mitigation were broken.
-+ * Information taken from;
-+ * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
-+ * - https://kb.vmware.com/s/article/52345
-+ * - Microcode revisions observed in the wild
-+ * - Release note from 20180108 microcode release
-+ */
-+struct sku_microcode {
-+ u8 model;
-+ u8 stepping;
-+ u32 microcode;
-+};
-+static const struct sku_microcode spectre_bad_microcodes[] = {
-+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x84 },
-+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x84 },
-+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x84 },
-+ { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x84 },
-+ { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 },
-+ { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e },
-+ { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c },
-+ { INTEL_FAM6_SKYLAKE_MOBILE, 0x03, 0xc2 },
-+ { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 },
-+ { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 },
-+ { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b },
-+ { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 },
-+ { INTEL_FAM6_BROADWELL_XEON_D, 0x03, 0x07000011 },
-+ { INTEL_FAM6_BROADWELL_X, 0x01, 0x0b000025 },
-+ { INTEL_FAM6_HASWELL_ULT, 0x01, 0x21 },
-+ { INTEL_FAM6_HASWELL_GT3E, 0x01, 0x18 },
-+ { INTEL_FAM6_HASWELL_CORE, 0x03, 0x23 },
-+ { INTEL_FAM6_HASWELL_X, 0x02, 0x3b },
-+ { INTEL_FAM6_HASWELL_X, 0x04, 0x10 },
-+ { INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a },
-+ /* Updated in the 20180108 release; blacklist until we know otherwise */
-+ { INTEL_FAM6_ATOM_GEMINI_LAKE, 0x01, 0x22 },
-+ /* Observed in the wild */
-+ { INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b },
-+ { INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 },
-+};
-+
-+static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
-+{
-+ int i;
-+
-+ for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
-+ if (c->x86_model == spectre_bad_microcodes[i].model &&
-+ c->x86_mask == spectre_bad_microcodes[i].stepping)
-+ return (c->microcode <= spectre_bad_microcodes[i].microcode);
-+ }
-+ return false;
-+}
-+
- static void early_init_intel(struct cpuinfo_x86 *c)
- {
- u64 misc_enable;
-@@ -87,6 +140,19 @@ static void early_init_intel(struct cpuinfo_x86 *c)
- rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
- }
-
-+ if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
-+ cpu_has(c, X86_FEATURE_STIBP) ||
-+ cpu_has(c, X86_FEATURE_AMD_SPEC_CTRL) ||
-+ cpu_has(c, X86_FEATURE_AMD_PRED_CMD) ||
-+ cpu_has(c, X86_FEATURE_AMD_STIBP)) && bad_spectre_microcode(c)) {
-+ pr_warn("Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL\n");
-+ clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
-+ clear_cpu_cap(c, X86_FEATURE_STIBP);
-+ clear_cpu_cap(c, X86_FEATURE_AMD_SPEC_CTRL);
-+ clear_cpu_cap(c, X86_FEATURE_AMD_PRED_CMD);
-+ clear_cpu_cap(c, X86_FEATURE_AMD_STIBP);
-+ }
-+
- /*
- * Atom erratum AAE44/AAF40/AAG38/AAH41:
- *
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-kvm-Update-spectre-v1-mitigation.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-kvm-Update-spectre-v1-mitigation.patch
deleted file mode 100644
index 8b58f32e..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0013-x86-kvm-Update-spectre-v1-mitigation.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 7a1d0c7758b49b1f107157db33df0aae1c10cf26 Mon Sep 17 00:00:00 2001
-From: Dan Williams <dan.j.williams@intel.com>
-Date: Wed, 31 Jan 2018 17:47:03 -0800
-Subject: [PATCH 13/33] x86/kvm: Update spectre-v1 mitigation
-
-(cherry picked from commit 085331dfc6bbe3501fb936e657331ca943827600)
-
-Commit 75f139aaf896 "KVM: x86: Add memory barrier on vmcs field lookup"
-added a raw 'asm("lfence");' to prevent a bounds check bypass of
-'vmcs_field_to_offset_table'.
-
-The lfence can be avoided in this path by using the array_index_nospec()
-helper designed for these types of fixes.
-
-Signed-off-by: Dan Williams <dan.j.williams@intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Andrew Honig <ahonig@google.com>
-Cc: kvm@vger.kernel.org
-Cc: Jim Mattson <jmattson@google.com>
-Link: https://lkml.kernel.org/r/151744959670.6342.3001723920950249067.stgit@dwillia2-desk3.amr.corp.intel.com
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 20 +++++++++-----------
- 1 file changed, 9 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 6f3ed0e..af90bc4 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -33,6 +33,7 @@
- #include <linux/slab.h>
- #include <linux/tboot.h>
- #include <linux/hrtimer.h>
-+#include <linux/nospec.h>
- #include "kvm_cache_regs.h"
- #include "x86.h"
-
-@@ -856,21 +857,18 @@ static const unsigned short vmcs_field_to_offset_table[] = {
-
- static inline short vmcs_field_to_offset(unsigned long field)
- {
-- BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
-+ const size_t size = ARRAY_SIZE(vmcs_field_to_offset_table);
-+ unsigned short offset;
-
-- if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
-+ BUILD_BUG_ON(size > SHRT_MAX);
-+ if (field >= size)
- return -ENOENT;
-
-- /*
-- * FIXME: Mitigation for CVE-2017-5753. To be replaced with a
-- * generic mechanism.
-- */
-- asm("lfence");
--
-- if (vmcs_field_to_offset_table[field] == 0)
-+ field = array_index_nospec(field, size);
-+ offset = vmcs_field_to_offset_table[field];
-+ if (offset == 0)
- return -ENOENT;
--
-- return vmcs_field_to_offset_table[field];
-+ return offset;
- }
-
- static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-Fix-handling-of-lmsw-instruction.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-Fix-handling-of-lmsw-instruction.patch
deleted file mode 100644
index 43b1f38e..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-Fix-handling-of-lmsw-instruction.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 2c5329f428b85d1167abdd3206bdac08a02ae082 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
-Date: Sat, 20 May 2017 13:22:56 +0200
-Subject: [PATCH 14/93] KVM: nVMX: Fix handling of lmsw instruction
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit e1d39b17e044e8ae819827810d87d809ba5f58c0 ]
-
-The decision whether or not to exit from L2 to L1 on an lmsw instruction is
-based on bogus values: instead of using the information encoded within the
-exit qualification, it uses the data also used for the mov-to-cr
-instruction, which boils down to using whatever is in %eax at that point.
-
-Use the correct values instead.
-
-Without this fix, an L1 may not get notified when a 32-bit Linux L2
-switches its secondary CPUs to protected mode; the L1 is only notified on
-the next modification of CR0. This short time window poses a problem, when
-there is some other reason to exit to L1 in between. Then, L2 will be
-resumed in real mode and chaos ensues.
-
-Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
-Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 27f505d..8d842d9 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7910,11 +7910,13 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
- {
- unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
- int cr = exit_qualification & 15;
-- int reg = (exit_qualification >> 8) & 15;
-- unsigned long val = kvm_register_readl(vcpu, reg);
-+ int reg;
-+ unsigned long val;
-
- switch ((exit_qualification >> 4) & 3) {
- case 0: /* mov to cr */
-+ reg = (exit_qualification >> 8) & 15;
-+ val = kvm_register_readl(vcpu, reg);
- switch (cr) {
- case 0:
- if (vmcs12->cr0_guest_host_mask &
-@@ -7969,6 +7971,7 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
- * lmsw can change bits 1..3 of cr0, and only set bit 0 of
- * cr0. Other attempted changes are ignored, with no exit.
- */
-+ val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f;
- if (vmcs12->cr0_guest_host_mask & 0xe &
- (val ^ vmcs12->cr0_read_shadow))
- return true;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-kmap-can-t-fail.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-kmap-can-t-fail.patch
deleted file mode 100644
index 38a23282..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-KVM-nVMX-kmap-can-t-fail.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 6b359ffcb519698f93eadc2706d06805ce933086 Mon Sep 17 00:00:00 2001
-From: David Hildenbrand <david@redhat.com>
-Date: Wed, 25 Jan 2017 11:58:57 +0100
-Subject: [PATCH 14/33] KVM: nVMX: kmap() can't fail
-
-commit 42cf014d38d8822cce63703a467e00f65d000952 upstream.
-
-kmap() can't fail, therefore it will always return a valid pointer. Let's
-just get rid of the unnecessary checks.
-
-Signed-off-by: David Hildenbrand <david@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 9 ---------
- 1 file changed, 9 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index af90bc4..17fcbaf 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -4742,10 +4742,6 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
- return 0;
-
- vapic_page = kmap(vmx->nested.virtual_apic_page);
-- if (!vapic_page) {
-- WARN_ON(1);
-- return -ENOMEM;
-- }
- __kvm_apic_update_irr(vmx->nested.pi_desc->pir, vapic_page);
- kunmap(vmx->nested.virtual_apic_page);
-
-@@ -9562,11 +9558,6 @@ static inline bool nested_vmx_merge_msr_bitmap(struct kvm_vcpu *vcpu,
- return false;
- }
- msr_bitmap_l1 = (unsigned long *)kmap(page);
-- if (!msr_bitmap_l1) {
-- nested_release_page_clean(page);
-- WARN_ON(1);
-- return false;
-- }
-
- memset(msr_bitmap_l0, 0xff, PAGE_SIZE);
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-kaiser-tidied-up-kaiser_add-remove_mapping-slightly.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-kaiser-tidied-up-kaiser_add-remove_mapping-slightly.patch
deleted file mode 100644
index 4827bd5a..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-kaiser-tidied-up-kaiser_add-remove_mapping-slightly.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From c20c1df0acf8c3b295e2a3e6e24febdd56f13816 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sun, 3 Sep 2017 19:23:08 -0700
-Subject: [PATCH 014/103] kaiser: tidied up kaiser_add/remove_mapping slightly
-
-Yes, unmap_pud_range_nofree()'s declaration ought to be in a
-header file really, but I'm not sure we want to use it anyway:
-so for now just declare it inside kaiser_remove_mapping().
-And there doesn't seem to be such a thing as unmap_p4d_range(),
-even in a 5-level paging tree.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/mm/kaiser.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
-index ba6fc2c..7a7e850 100644
---- a/arch/x86/mm/kaiser.c
-+++ b/arch/x86/mm/kaiser.c
-@@ -285,8 +285,7 @@ void __init kaiser_init(void)
- __PAGE_KERNEL);
- }
-
--extern void unmap_pud_range_nofree(pgd_t *pgd, unsigned long start, unsigned long end);
--// add a mapping to the shadow-mapping, and synchronize the mappings
-+/* Add a mapping to the shadow mapping, and synchronize the mappings */
- int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long flags)
- {
- return kaiser_add_user_map((const void *)addr, size, flags);
-@@ -294,15 +293,13 @@ int kaiser_add_mapping(unsigned long addr, unsigned long size, unsigned long fla
-
- void kaiser_remove_mapping(unsigned long start, unsigned long size)
- {
-+ extern void unmap_pud_range_nofree(pgd_t *pgd,
-+ unsigned long start, unsigned long end);
- unsigned long end = start + size;
- unsigned long addr;
-
- for (addr = start; addr < end; addr += PGDIR_SIZE) {
- pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(addr));
-- /*
-- * unmap_p4d_range() handles > P4D_SIZE unmaps,
-- * so no need to trim 'end'.
-- */
- unmap_pud_range_nofree(pgd, addr, end);
- }
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Add-basic-IBPB-Indirect-Branch-Predi.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Add-basic-IBPB-Indirect-Branch-Predi.patch
deleted file mode 100644
index ed57dfd2..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Add-basic-IBPB-Indirect-Branch-Predi.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 8d91a1887b4fccf06f4077529dc167a52590b348 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Thu, 25 Jan 2018 16:14:15 +0000
-Subject: [PATCH 14/42] x86/speculation: Add basic IBPB (Indirect Branch
- Prediction Barrier) support
-
-(cherry picked from commit 20ffa1caecca4db8f79fe665acdeaa5af815a24d)
-
-Expose indirect_branch_prediction_barrier() for use in subsequent patches.
-
-[ tglx: Add IBPB status to spectre_v2 sysfs file ]
-
-Co-developed-by: KarimAllah Ahmed <karahmed@amazon.de>
-Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Cc: gnomes@lxorguk.ukuu.org.uk
-Cc: ak@linux.intel.com
-Cc: ashok.raj@intel.com
-Cc: dave.hansen@intel.com
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1516896855-7642-8-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 2 ++
- arch/x86/include/asm/nospec-branch.h | 13 +++++++++++++
- arch/x86/kernel/cpu/bugs.c | 10 +++++++++-
- 3 files changed, 24 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index c4d03e7..3901545 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -202,6 +202,8 @@
- /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
- #define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
-
-+#define X86_FEATURE_IBPB ( 7*32+21) /* Indirect Branch Prediction Barrier enabled*/
-+
- /* Virtualization flags: Linux defined, word 8 */
- #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
- #define X86_FEATURE_VNMI ( 8*32+ 1) /* Intel Virtual NMI */
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 4ad4108..34e384c 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -218,5 +218,18 @@ static inline void vmexit_fill_RSB(void)
- #endif
- }
-
-+static inline void indirect_branch_prediction_barrier(void)
-+{
-+ asm volatile(ALTERNATIVE("",
-+ "movl %[msr], %%ecx\n\t"
-+ "movl %[val], %%eax\n\t"
-+ "movl $0, %%edx\n\t"
-+ "wrmsr",
-+ X86_FEATURE_IBPB)
-+ : : [msr] "i" (MSR_IA32_PRED_CMD),
-+ [val] "i" (PRED_CMD_IBPB)
-+ : "eax", "ecx", "edx", "memory");
-+}
-+
- #endif /* __ASSEMBLY__ */
- #endif /* __NOSPEC_BRANCH_H__ */
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 4cea7d4..1c4b39d 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -262,6 +262,13 @@ static void __init spectre_v2_select_mitigation(void)
- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
- pr_info("Filling RSB on context switch\n");
- }
-+
-+ /* Initialize Indirect Branch Prediction Barrier if supported */
-+ if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) ||
-+ boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) {
-+ setup_force_cpu_cap(X86_FEATURE_IBPB);
-+ pr_info("Enabling Indirect Branch Prediction Barrier\n");
-+ }
- }
-
- #undef pr_fmt
-@@ -291,7 +298,8 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
- return sprintf(buf, "Not affected\n");
-
-- return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-+ return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-+ boot_cpu_has(X86_FEATURE_IBPB) ? ", IPBP" : "",
- spectre_v2_bad_module ? " - vulnerable module loaded" : "");
- }
- #endif
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Move-firmware_restrict_branch_specul.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Move-firmware_restrict_branch_specul.patch
deleted file mode 100644
index 29fb0352..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0014-x86-speculation-Move-firmware_restrict_branch_specul.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 9c1c34861d012ab32557236c23a303e70bef627e Mon Sep 17 00:00:00 2001
-From: Ingo Molnar <mingo@kernel.org>
-Date: Wed, 21 Feb 2018 09:20:37 +0100
-Subject: [PATCH 14/14] x86/speculation: Move
- firmware_restrict_branch_speculation_*() from C to CPP
-
-commit d72f4e29e6d84b7ec02ae93088aa459ac70e733b upstream.
-
-firmware_restrict_branch_speculation_*() recently started using
-preempt_enable()/disable(), but those are relatively high level
-primitives and cause build failures on some 32-bit builds.
-
-Since we want to keep <asm/nospec-branch.h> low level, convert
-them to macros to avoid header hell...
-
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: arjan.van.de.ven@intel.com
-Cc: bp@alien8.de
-Cc: dave.hansen@intel.com
-Cc: jmattson@google.com
-Cc: karahmed@amazon.de
-Cc: kvm@vger.kernel.org
-Cc: pbonzini@redhat.com
-Cc: rkrcmar@redhat.com
-Cc: linux-kernel@vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/nospec-branch.h | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 29e8f30..d0dabea 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -257,20 +257,22 @@ static inline void indirect_branch_prediction_barrier(void)
- /*
- * With retpoline, we must use IBRS to restrict branch prediction
- * before calling into firmware.
-+ *
-+ * (Implemented as CPP macros due to header hell.)
- */
--static inline void firmware_restrict_branch_speculation_start(void)
--{
-- preempt_disable();
-- alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,
-- X86_FEATURE_USE_IBRS_FW);
--}
-+#define firmware_restrict_branch_speculation_start() \
-+do { \
-+ preempt_disable(); \
-+ alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, \
-+ X86_FEATURE_USE_IBRS_FW); \
-+} while (0)
-
--static inline void firmware_restrict_branch_speculation_end(void)
--{
-- alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,
-- X86_FEATURE_USE_IBRS_FW);
-- preempt_enable();
--}
-+#define firmware_restrict_branch_speculation_end() \
-+do { \
-+ alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, \
-+ X86_FEATURE_USE_IBRS_FW); \
-+ preempt_enable(); \
-+} while (0)
-
- #endif /* __ASSEMBLY__ */
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-SVM-do-not-zero-out-segment-attributes-if-segmen.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-SVM-do-not-zero-out-segment-attributes-if-segmen.patch
deleted file mode 100644
index 913e3fe5..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-SVM-do-not-zero-out-segment-attributes-if-segmen.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 348032cf73954af79ac077ae0c13d6faa99294af Mon Sep 17 00:00:00 2001
-From: Roman Pen <roman.penyaev@profitbricks.com>
-Date: Thu, 1 Jun 2017 10:55:03 +0200
-Subject: [PATCH 15/93] KVM: SVM: do not zero out segment attributes if segment
- is unusable or not present
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit d9c1b5431d5f0e07575db785a022bce91051ac1d ]
-
-This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt
-was taken on userspace stack. The root cause lies in the specific AMD CPU
-behaviour which manifests itself as unusable segment attributes on SYSRET.
-The corresponding work around for the kernel is the following:
-
-61f01dd941ba ("x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue")
-
-In other turn virtualization side treated unusable segment incorrectly and
-restored CPL from SS attributes, which were zeroed out few lines above.
-
-In current patch it is assured only that P bit is cleared in VMCB.save state
-and segment attributes are not zeroed out if segment is not presented or is
-unusable, therefore CPL can be safely restored from DPL field.
-
-This is only one part of the fix, since QEMU side should be fixed accordingly
-not to zero out attributes on its side. Corresponding patch will follow.
-
-[1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com
-
-Signed-off-by: Roman Pen <roman.penyaev@profitbricks.com>
-Signed-off-by: Mikhail Sennikovskii <mikhail.sennikovskii@profitbricks.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim KrÄmář <rkrcmar@redhat.com>
-Cc: kvm@vger.kernel.org
-Cc: linux-kernel@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/svm.c | 24 +++++++++++-------------
- 1 file changed, 11 insertions(+), 13 deletions(-)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 2d96e30..8551a54 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1876,6 +1876,7 @@ static void svm_get_segment(struct kvm_vcpu *vcpu,
- */
- if (var->unusable)
- var->db = 0;
-+ /* This is symmetric with svm_set_segment() */
- var->dpl = to_svm(vcpu)->vmcb->save.cpl;
- break;
- }
-@@ -2021,18 +2022,14 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- s->base = var->base;
- s->limit = var->limit;
- s->selector = var->selector;
-- if (var->unusable)
-- s->attrib = 0;
-- else {
-- s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
-- s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
-- s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
-- s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT;
-- s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
-- s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
-- s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
-- s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
-- }
-+ s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
-+ s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
-+ s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
-+ s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT;
-+ s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
-+ s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
-+ s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
-+ s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
-
- /*
- * This is always accurate, except if SYSRET returned to a segment
-@@ -2041,7 +2038,8 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- * would entail passing the CPL to userspace and back.
- */
- if (seg == VCPU_SREG_SS)
-- svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3;
-+ /* This is symmetric with svm_get_segment() */
-+ svm->vmcb->save.cpl = (var->dpl & 3);
-
- mark_dirty(svm->vmcb, VMCB_SEG);
- }
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-nVMX-vmx_complete_nested_posted_interrupt-can-t-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-nVMX-vmx_complete_nested_posted_interrupt-can-t-.patch
deleted file mode 100644
index 806b1ac0..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-KVM-nVMX-vmx_complete_nested_posted_interrupt-can-t-.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From b53c02711255aa79e4e1a9974ca24610c4fbd7d7 Mon Sep 17 00:00:00 2001
-From: David Hildenbrand <david@redhat.com>
-Date: Wed, 25 Jan 2017 11:58:58 +0100
-Subject: [PATCH 15/33] KVM: nVMX: vmx_complete_nested_posted_interrupt() can't
- fail
-
-(cherry picked from commit 6342c50ad12e8ce0736e722184a7dbdea4a3477f)
-
-vmx_complete_nested_posted_interrupt() can't fail, let's turn it into
-a void function.
-
-Signed-off-by: David Hildenbrand <david@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 17fcbaf..13dc454 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -4722,7 +4722,7 @@ static bool vmx_get_enable_apicv(void)
- return enable_apicv;
- }
-
--static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
-+static void vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
- {
- struct vcpu_vmx *vmx = to_vmx(vcpu);
- int max_irr;
-@@ -4733,13 +4733,13 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
- vmx->nested.pi_pending) {
- vmx->nested.pi_pending = false;
- if (!pi_test_and_clear_on(vmx->nested.pi_desc))
-- return 0;
-+ return;
-
- max_irr = find_last_bit(
- (unsigned long *)vmx->nested.pi_desc->pir, 256);
-
- if (max_irr == 256)
-- return 0;
-+ return;
-
- vapic_page = kmap(vmx->nested.virtual_apic_page);
- __kvm_apic_update_irr(vmx->nested.pi_desc->pir, vapic_page);
-@@ -4752,7 +4752,6 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
- vmcs_write16(GUEST_INTR_STATUS, status);
- }
- }
-- return 0;
- }
-
- static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu)
-@@ -10440,7 +10439,8 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu, bool external_intr)
- return 0;
- }
-
-- return vmx_complete_nested_posted_interrupt(vcpu);
-+ vmx_complete_nested_posted_interrupt(vcpu);
-+ return 0;
- }
-
- static u32 vmx_get_preemption_timer_value(struct kvm_vcpu *vcpu)
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-kaiser-align-addition-to-x86-mm-Makefile.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-kaiser-align-addition-to-x86-mm-Makefile.patch
deleted file mode 100644
index 373ea47c..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-kaiser-align-addition-to-x86-mm-Makefile.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 7f3dc5773f4a6a737cda30183ea2650016426dee Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sun, 3 Sep 2017 19:51:10 -0700
-Subject: [PATCH 015/103] kaiser: align addition to x86/mm/Makefile
-
-Use tab not space so they line up properly, kaslr.o also.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/mm/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
-index 682c162..c505569 100644
---- a/arch/x86/mm/Makefile
-+++ b/arch/x86/mm/Makefile
-@@ -37,5 +37,5 @@ obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
-
- obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
- obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o
--obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o
--obj-$(CONFIG_KAISER) += kaiser.o
-+obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o
-+obj-$(CONFIG_KAISER) += kaiser.o
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-x86-nospec-Fix-header-guards-names.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-x86-nospec-Fix-header-guards-names.patch
deleted file mode 100644
index e3c3192e..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0015-x86-nospec-Fix-header-guards-names.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From d4cebbf42a124247c55852e555cea3e84b09e892 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <bp@suse.de>
-Date: Fri, 26 Jan 2018 13:11:37 +0100
-Subject: [PATCH 15/42] x86/nospec: Fix header guards names
-
-(cherry picked from commit 7a32fc51ca938e67974cbb9db31e1a43f98345a9)
-
-... to adhere to the _ASM_X86_ naming scheme.
-
-No functional change.
-
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: riel@redhat.com
-Cc: ak@linux.intel.com
-Cc: peterz@infradead.org
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: jikos@kernel.org
-Cc: luto@amacapital.net
-Cc: dave.hansen@intel.com
-Cc: torvalds@linux-foundation.org
-Cc: keescook@google.com
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Cc: pjt@google.com
-Link: https://lkml.kernel.org/r/20180126121139.31959-3-bp@alien8.de
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/nospec-branch.h | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 34e384c..865192a 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -1,7 +1,7 @@
- /* SPDX-License-Identifier: GPL-2.0 */
-
--#ifndef __NOSPEC_BRANCH_H__
--#define __NOSPEC_BRANCH_H__
-+#ifndef _ASM_X86_NOSPEC_BRANCH_H_
-+#define _ASM_X86_NOSPEC_BRANCH_H_
-
- #include <asm/alternative.h>
- #include <asm/alternative-asm.h>
-@@ -232,4 +232,4 @@ static inline void indirect_branch_prediction_barrier(void)
- }
-
- #endif /* __ASSEMBLY__ */
--#endif /* __NOSPEC_BRANCH_H__ */
-+#endif /* _ASM_X86_NOSPEC_BRANCH_H_ */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-Update-vmcs12-guest_linear_address-on-neste.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-Update-vmcs12-guest_linear_address-on-neste.patch
deleted file mode 100644
index cf8424c9..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-Update-vmcs12-guest_linear_address-on-neste.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From d79905a595224c714dc8da5df054653c3b958250 Mon Sep 17 00:00:00 2001
-From: Jim Mattson <jmattson@google.com>
-Date: Thu, 1 Jun 2017 12:44:46 -0700
-Subject: [PATCH 16/93] KVM: nVMX: Update vmcs12->guest_linear_address on
- nested VM-exit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[ Upstream commit d281e13b0bfe745a21061a194e386a949784393f ]
-
-The guest-linear address field is set for VM exits due to attempts to
-execute LMSW with a memory operand and VM exits due to attempts to
-execute INS or OUTS for which the relevant segment is usable,
-regardless of whether or not EPT is in use.
-
-Fixes: 119a9c01a5922 ("KVM: nVMX: pass valid guest linear-address to the L1")
-Signed-off-by: Jim Mattson <jmattson@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 8d842d9..273313f 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -10621,8 +10621,7 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
- vmcs12->guest_pdptr3 = vmcs_read64(GUEST_PDPTR3);
- }
-
-- if (nested_cpu_has_ept(vmcs12))
-- vmcs12->guest_linear_address = vmcs_readl(GUEST_LINEAR_ADDRESS);
-+ vmcs12->guest_linear_address = vmcs_readl(GUEST_LINEAR_ADDRESS);
-
- if (nested_cpu_has_vid(vmcs12))
- vmcs12->guest_intr_status = vmcs_read16(GUEST_INTR_STATUS);
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-mark-vmcs12-pages-dirty-on-L2-exit.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-mark-vmcs12-pages-dirty-on-L2-exit.patch
deleted file mode 100644
index e7f44b1b..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-KVM-nVMX-mark-vmcs12-pages-dirty-on-L2-exit.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 50fefe1aabf115927dbe944d4607d3696ed2773e Mon Sep 17 00:00:00 2001
-From: David Matlack <dmatlack@google.com>
-Date: Tue, 1 Aug 2017 14:00:40 -0700
-Subject: [PATCH 16/33] KVM: nVMX: mark vmcs12 pages dirty on L2 exit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-(cherry picked from commit c9f04407f2e0b3fc9ff7913c65fcfcb0a4b61570)
-
-The host physical addresses of L1's Virtual APIC Page and Posted
-Interrupt descriptor are loaded into the VMCS02. The CPU may write
-to these pages via their host physical address while L2 is running,
-bypassing address-translation-based dirty tracking (e.g. EPT write
-protection). Mark them dirty on every exit from L2 to prevent them
-from getting out of sync with dirty tracking.
-
-Also mark the virtual APIC page and the posted interrupt descriptor
-dirty when KVM is virtualizing posted interrupt processing.
-
-Signed-off-by: David Matlack <dmatlack@google.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 53 +++++++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 43 insertions(+), 10 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 13dc454..2e88fd1 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -4722,6 +4722,28 @@ static bool vmx_get_enable_apicv(void)
- return enable_apicv;
- }
-
-+static void nested_mark_vmcs12_pages_dirty(struct kvm_vcpu *vcpu)
-+{
-+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-+ gfn_t gfn;
-+
-+ /*
-+ * Don't need to mark the APIC access page dirty; it is never
-+ * written to by the CPU during APIC virtualization.
-+ */
-+
-+ if (nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW)) {
-+ gfn = vmcs12->virtual_apic_page_addr >> PAGE_SHIFT;
-+ kvm_vcpu_mark_page_dirty(vcpu, gfn);
-+ }
-+
-+ if (nested_cpu_has_posted_intr(vmcs12)) {
-+ gfn = vmcs12->posted_intr_desc_addr >> PAGE_SHIFT;
-+ kvm_vcpu_mark_page_dirty(vcpu, gfn);
-+ }
-+}
-+
-+
- static void vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
- {
- struct vcpu_vmx *vmx = to_vmx(vcpu);
-@@ -4729,18 +4751,15 @@ static void vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
- void *vapic_page;
- u16 status;
-
-- if (vmx->nested.pi_desc &&
-- vmx->nested.pi_pending) {
-- vmx->nested.pi_pending = false;
-- if (!pi_test_and_clear_on(vmx->nested.pi_desc))
-- return;
--
-- max_irr = find_last_bit(
-- (unsigned long *)vmx->nested.pi_desc->pir, 256);
-+ if (!vmx->nested.pi_desc || !vmx->nested.pi_pending)
-+ return;
-
-- if (max_irr == 256)
-- return;
-+ vmx->nested.pi_pending = false;
-+ if (!pi_test_and_clear_on(vmx->nested.pi_desc))
-+ return;
-
-+ max_irr = find_last_bit((unsigned long *)vmx->nested.pi_desc->pir, 256);
-+ if (max_irr != 256) {
- vapic_page = kmap(vmx->nested.virtual_apic_page);
- __kvm_apic_update_irr(vmx->nested.pi_desc->pir, vapic_page);
- kunmap(vmx->nested.virtual_apic_page);
-@@ -4752,6 +4771,8 @@ static void vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
- vmcs_write16(GUEST_INTR_STATUS, status);
- }
- }
-+
-+ nested_mark_vmcs12_pages_dirty(vcpu);
- }
-
- static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu)
-@@ -8009,6 +8030,18 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
- vmcs_read32(VM_EXIT_INTR_ERROR_CODE),
- KVM_ISA_VMX);
-
-+ /*
-+ * The host physical addresses of some pages of guest memory
-+ * are loaded into VMCS02 (e.g. L1's Virtual APIC Page). The CPU
-+ * may write to these pages via their host physical address while
-+ * L2 is running, bypassing any address-translation-based dirty
-+ * tracking (e.g. EPT write protection).
-+ *
-+ * Mark them dirty on every exit from L2 to prevent them from
-+ * getting out of sync with dirty tracking.
-+ */
-+ nested_mark_vmcs12_pages_dirty(vcpu);
-+
- if (vmx->nested.nested_run_pending)
- return false;
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-kaiser-cleanups-while-trying-for-gold-link.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-kaiser-cleanups-while-trying-for-gold-link.patch
deleted file mode 100644
index d42f36bb..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-kaiser-cleanups-while-trying-for-gold-link.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From a63051533f5b1a7dd6ff897afebf2f4034f38e83 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Mon, 21 Aug 2017 20:11:43 -0700
-Subject: [PATCH 016/103] kaiser: cleanups while trying for gold link
-
-While trying to get our gold link to work, four cleanups:
-matched the gdt_page declaration to its definition;
-in fiddling unsuccessfully with PERCPU_INPUT(), lined up backslashes;
-lined up the backslashes according to convention in percpu-defs.h;
-deleted the unused irq_stack_pointer addition to irq_stack_union.
-
-Sad to report that aligning backslashes does not appear to help gold
-align to 8192: but while these did not help, they are worth keeping.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/desc.h | 2 +-
- arch/x86/include/asm/processor.h | 5 -----
- include/asm-generic/vmlinux.lds.h | 18 ++++++++----------
- include/linux/percpu-defs.h | 22 +++++++++++-----------
- 4 files changed, 20 insertions(+), 27 deletions(-)
-
-diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
-index 12080d8..2ed5a2b 100644
---- a/arch/x86/include/asm/desc.h
-+++ b/arch/x86/include/asm/desc.h
-@@ -43,7 +43,7 @@ struct gdt_page {
- struct desc_struct gdt[GDT_ENTRIES];
- } __attribute__((aligned(PAGE_SIZE)));
-
--DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
-+DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct gdt_page, gdt_page);
-
- static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
- {
-diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index 3d4784e2..8cb52ee 100644
---- a/arch/x86/include/asm/processor.h
-+++ b/arch/x86/include/asm/processor.h
-@@ -335,11 +335,6 @@ union irq_stack_union {
- char gs_base[40];
- unsigned long stack_canary;
- };
--
-- struct {
-- char irq_stack_pointer[64];
-- char unused[IRQ_STACK_SIZE - 64];
-- };
- };
-
- DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible;
-diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
-index 0b16b5d..174f5c8 100644
---- a/include/asm-generic/vmlinux.lds.h
-+++ b/include/asm-generic/vmlinux.lds.h
-@@ -764,16 +764,14 @@
- */
- #define PERCPU_INPUT(cacheline) \
- VMLINUX_SYMBOL(__per_cpu_start) = .; \
-- \
-- VMLINUX_SYMBOL(__per_cpu_user_mapped_start) = .; \
-- *(.data..percpu..first) \
-- . = ALIGN(cacheline); \
-- *(.data..percpu..user_mapped) \
-- *(.data..percpu..user_mapped..shared_aligned) \
-- . = ALIGN(PAGE_SIZE); \
-- *(.data..percpu..user_mapped..page_aligned) \
-- VMLINUX_SYMBOL(__per_cpu_user_mapped_end) = .; \
-- \
-+ VMLINUX_SYMBOL(__per_cpu_user_mapped_start) = .; \
-+ *(.data..percpu..first) \
-+ . = ALIGN(cacheline); \
-+ *(.data..percpu..user_mapped) \
-+ *(.data..percpu..user_mapped..shared_aligned) \
-+ . = ALIGN(PAGE_SIZE); \
-+ *(.data..percpu..user_mapped..page_aligned) \
-+ VMLINUX_SYMBOL(__per_cpu_user_mapped_end) = .; \
- . = ALIGN(PAGE_SIZE); \
- *(.data..percpu..page_aligned) \
- . = ALIGN(cacheline); \
-diff --git a/include/linux/percpu-defs.h b/include/linux/percpu-defs.h
-index 8ea945f..cfe13cb 100644
---- a/include/linux/percpu-defs.h
-+++ b/include/linux/percpu-defs.h
-@@ -121,10 +121,10 @@
- #define DEFINE_PER_CPU(type, name) \
- DEFINE_PER_CPU_SECTION(type, name, "")
-
--#define DECLARE_PER_CPU_USER_MAPPED(type, name) \
-+#define DECLARE_PER_CPU_USER_MAPPED(type, name) \
- DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
-
--#define DEFINE_PER_CPU_USER_MAPPED(type, name) \
-+#define DEFINE_PER_CPU_USER_MAPPED(type, name) \
- DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
-
- /*
-@@ -156,11 +156,11 @@
- DEFINE_PER_CPU_SECTION(type, name, PER_CPU_SHARED_ALIGNED_SECTION) \
- ____cacheline_aligned_in_smp
-
--#define DECLARE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
-+#define DECLARE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
- DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
- ____cacheline_aligned_in_smp
-
--#define DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
-+#define DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
- DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
- ____cacheline_aligned_in_smp
-
-@@ -185,18 +185,18 @@
- /*
- * Declaration/definition used for per-CPU variables that must be page aligned and need to be mapped in user mode.
- */
--#define DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
-- DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
-- __aligned(PAGE_SIZE)
-+#define DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
-+ DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
-+ __aligned(PAGE_SIZE)
-
--#define DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
-- DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
-- __aligned(PAGE_SIZE)
-+#define DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
-+ DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
-+ __aligned(PAGE_SIZE)
-
- /*
- * Declaration/definition used for per-CPU variables that must be read mostly.
- */
--#define DECLARE_PER_CPU_READ_MOSTLY(type, name) \
-+#define DECLARE_PER_CPU_READ_MOSTLY(type, name) \
- DECLARE_PER_CPU_SECTION(type, name, "..read_mostly")
-
- #define DEFINE_PER_CPU_READ_MOSTLY(type, name) \
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-x86-bugs-Drop-one-mitigation-from-dmesg.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-x86-bugs-Drop-one-mitigation-from-dmesg.patch
deleted file mode 100644
index c7571ac4..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0016-x86-bugs-Drop-one-mitigation-from-dmesg.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 50014cf904736f358e41d1fb1337d10f92b40aa7 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <bp@suse.de>
-Date: Fri, 26 Jan 2018 13:11:39 +0100
-Subject: [PATCH 16/42] x86/bugs: Drop one "mitigation" from dmesg
-
-(cherry picked from commit 55fa19d3e51f33d9cd4056d25836d93abf9438db)
-
-Make
-
-[ 0.031118] Spectre V2 mitigation: Mitigation: Full generic retpoline
-
-into
-
-[ 0.031118] Spectre V2: Mitigation: Full generic retpoline
-
-to reduce the mitigation mitigations strings.
-
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: riel@redhat.com
-Cc: ak@linux.intel.com
-Cc: peterz@infradead.org
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: jikos@kernel.org
-Cc: luto@amacapital.net
-Cc: dave.hansen@intel.com
-Cc: torvalds@linux-foundation.org
-Cc: keescook@google.com
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: tim.c.chen@linux.intel.com
-Cc: pjt@google.com
-Link: https://lkml.kernel.org/r/20180126121139.31959-5-bp@alien8.de
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/bugs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 1c4b39d..674ad46 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -90,7 +90,7 @@ static const char *spectre_v2_strings[] = {
- };
-
- #undef pr_fmt
--#define pr_fmt(fmt) "Spectre V2 mitigation: " fmt
-+#define pr_fmt(fmt) "Spectre V2 : " fmt
-
- static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
- static bool spectre_v2_bad_module;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-KVM-nVMX-Eliminate-vmcs02-pool.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-KVM-nVMX-Eliminate-vmcs02-pool.patch
deleted file mode 100644
index 96687e49..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-KVM-nVMX-Eliminate-vmcs02-pool.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 8e52c41b7072930e5951b324964f31ef6991f3af Mon Sep 17 00:00:00 2001
-From: Jim Mattson <jmattson@google.com>
-Date: Mon, 27 Nov 2017 17:22:25 -0600
-Subject: [PATCH 17/33] KVM: nVMX: Eliminate vmcs02 pool
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-(cherry picked from commit de3a0021a60635de96aa92713c1a31a96747d72c)
-
-The potential performance advantages of a vmcs02 pool have never been
-realized. To simplify the code, eliminate the pool. Instead, a single
-vmcs02 is allocated per VCPU when the VCPU enters VMX operation.
-
-Cc: stable@vger.kernel.org # prereq for Spectre mitigation
-Signed-off-by: Jim Mattson <jmattson@google.com>
-Signed-off-by: Mark Kanda <mark.kanda@oracle.com>
-Reviewed-by: Ameya More <ameya.more@oracle.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 146 +++++++++--------------------------------------------
- 1 file changed, 23 insertions(+), 123 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 2e88fd1..099f221 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -174,7 +174,6 @@ module_param(ple_window_max, int, S_IRUGO);
- extern const ulong vmx_return;
-
- #define NR_AUTOLOAD_MSRS 8
--#define VMCS02_POOL_SIZE 1
-
- struct vmcs {
- u32 revision_id;
-@@ -208,7 +207,7 @@ struct shared_msr_entry {
- * stored in guest memory specified by VMPTRLD, but is opaque to the guest,
- * which must access it using VMREAD/VMWRITE/VMCLEAR instructions.
- * More than one of these structures may exist, if L1 runs multiple L2 guests.
-- * nested_vmx_run() will use the data here to build a vmcs02: a VMCS for the
-+ * nested_vmx_run() will use the data here to build the vmcs02: a VMCS for the
- * underlying hardware which will be used to run L2.
- * This structure is packed to ensure that its layout is identical across
- * machines (necessary for live migration).
-@@ -387,13 +386,6 @@ struct __packed vmcs12 {
- */
- #define VMCS12_SIZE 0x1000
-
--/* Used to remember the last vmcs02 used for some recently used vmcs12s */
--struct vmcs02_list {
-- struct list_head list;
-- gpa_t vmptr;
-- struct loaded_vmcs vmcs02;
--};
--
- /*
- * The nested_vmx structure is part of vcpu_vmx, and holds information we need
- * for correct emulation of VMX (i.e., nested VMX) on this vcpu.
-@@ -420,15 +412,15 @@ struct nested_vmx {
- */
- bool sync_shadow_vmcs;
-
-- /* vmcs02_list cache of VMCSs recently used to run L2 guests */
-- struct list_head vmcs02_pool;
-- int vmcs02_num;
- bool change_vmcs01_virtual_x2apic_mode;
- /* L2 must run next, and mustn't decide to exit to L1. */
- bool nested_run_pending;
-+
-+ struct loaded_vmcs vmcs02;
-+
- /*
-- * Guest pages referred to in vmcs02 with host-physical pointers, so
-- * we must keep them pinned while L2 runs.
-+ * Guest pages referred to in the vmcs02 with host-physical
-+ * pointers, so we must keep them pinned while L2 runs.
- */
- struct page *apic_access_page;
- struct page *virtual_apic_page;
-@@ -6657,94 +6649,6 @@ static int handle_monitor(struct kvm_vcpu *vcpu)
- }
-
- /*
-- * To run an L2 guest, we need a vmcs02 based on the L1-specified vmcs12.
-- * We could reuse a single VMCS for all the L2 guests, but we also want the
-- * option to allocate a separate vmcs02 for each separate loaded vmcs12 - this
-- * allows keeping them loaded on the processor, and in the future will allow
-- * optimizations where prepare_vmcs02 doesn't need to set all the fields on
-- * every entry if they never change.
-- * So we keep, in vmx->nested.vmcs02_pool, a cache of size VMCS02_POOL_SIZE
-- * (>=0) with a vmcs02 for each recently loaded vmcs12s, most recent first.
-- *
-- * The following functions allocate and free a vmcs02 in this pool.
-- */
--
--/* Get a VMCS from the pool to use as vmcs02 for the current vmcs12. */
--static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx)
--{
-- struct vmcs02_list *item;
-- list_for_each_entry(item, &vmx->nested.vmcs02_pool, list)
-- if (item->vmptr == vmx->nested.current_vmptr) {
-- list_move(&item->list, &vmx->nested.vmcs02_pool);
-- return &item->vmcs02;
-- }
--
-- if (vmx->nested.vmcs02_num >= max(VMCS02_POOL_SIZE, 1)) {
-- /* Recycle the least recently used VMCS. */
-- item = list_last_entry(&vmx->nested.vmcs02_pool,
-- struct vmcs02_list, list);
-- item->vmptr = vmx->nested.current_vmptr;
-- list_move(&item->list, &vmx->nested.vmcs02_pool);
-- return &item->vmcs02;
-- }
--
-- /* Create a new VMCS */
-- item = kmalloc(sizeof(struct vmcs02_list), GFP_KERNEL);
-- if (!item)
-- return NULL;
-- item->vmcs02.vmcs = alloc_vmcs();
-- item->vmcs02.shadow_vmcs = NULL;
-- if (!item->vmcs02.vmcs) {
-- kfree(item);
-- return NULL;
-- }
-- loaded_vmcs_init(&item->vmcs02);
-- item->vmptr = vmx->nested.current_vmptr;
-- list_add(&(item->list), &(vmx->nested.vmcs02_pool));
-- vmx->nested.vmcs02_num++;
-- return &item->vmcs02;
--}
--
--/* Free and remove from pool a vmcs02 saved for a vmcs12 (if there is one) */
--static void nested_free_vmcs02(struct vcpu_vmx *vmx, gpa_t vmptr)
--{
-- struct vmcs02_list *item;
-- list_for_each_entry(item, &vmx->nested.vmcs02_pool, list)
-- if (item->vmptr == vmptr) {
-- free_loaded_vmcs(&item->vmcs02);
-- list_del(&item->list);
-- kfree(item);
-- vmx->nested.vmcs02_num--;
-- return;
-- }
--}
--
--/*
-- * Free all VMCSs saved for this vcpu, except the one pointed by
-- * vmx->loaded_vmcs. We must be running L1, so vmx->loaded_vmcs
-- * must be &vmx->vmcs01.
-- */
--static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
--{
-- struct vmcs02_list *item, *n;
--
-- WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01);
-- list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
-- /*
-- * Something will leak if the above WARN triggers. Better than
-- * a use-after-free.
-- */
-- if (vmx->loaded_vmcs == &item->vmcs02)
-- continue;
--
-- free_loaded_vmcs(&item->vmcs02);
-- list_del(&item->list);
-- kfree(item);
-- vmx->nested.vmcs02_num--;
-- }
--}
--
--/*
- * The following 3 functions, nested_vmx_succeed()/failValid()/failInvalid(),
- * set the success or error code of an emulated VMX instruction, as specified
- * by Vol 2B, VMX Instruction Reference, "Conventions".
-@@ -7051,6 +6955,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- return 1;
- }
-
-+ vmx->nested.vmcs02.vmcs = alloc_vmcs();
-+ vmx->nested.vmcs02.shadow_vmcs = NULL;
-+ if (!vmx->nested.vmcs02.vmcs)
-+ goto out_vmcs02;
-+ loaded_vmcs_init(&vmx->nested.vmcs02);
-+
- if (cpu_has_vmx_msr_bitmap()) {
- vmx->nested.msr_bitmap =
- (unsigned long *)__get_free_page(GFP_KERNEL);
-@@ -7073,9 +6983,6 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- vmx->vmcs01.shadow_vmcs = shadow_vmcs;
- }
-
-- INIT_LIST_HEAD(&(vmx->nested.vmcs02_pool));
-- vmx->nested.vmcs02_num = 0;
--
- hrtimer_init(&vmx->nested.preemption_timer, CLOCK_MONOTONIC,
- HRTIMER_MODE_REL_PINNED);
- vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
-@@ -7093,6 +7000,9 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- free_page((unsigned long)vmx->nested.msr_bitmap);
-
- out_msr_bitmap:
-+ free_loaded_vmcs(&vmx->nested.vmcs02);
-+
-+out_vmcs02:
- return -ENOMEM;
- }
-
-@@ -7178,7 +7088,7 @@ static void free_nested(struct vcpu_vmx *vmx)
- vmx->vmcs01.shadow_vmcs = NULL;
- }
- kfree(vmx->nested.cached_vmcs12);
-- /* Unpin physical memory we referred to in current vmcs02 */
-+ /* Unpin physical memory we referred to in the vmcs02 */
- if (vmx->nested.apic_access_page) {
- nested_release_page(vmx->nested.apic_access_page);
- vmx->nested.apic_access_page = NULL;
-@@ -7194,7 +7104,7 @@ static void free_nested(struct vcpu_vmx *vmx)
- vmx->nested.pi_desc = NULL;
- }
-
-- nested_free_all_saved_vmcss(vmx);
-+ free_loaded_vmcs(&vmx->nested.vmcs02);
- }
-
- /* Emulate the VMXOFF instruction */
-@@ -7242,8 +7152,6 @@ static int handle_vmclear(struct kvm_vcpu *vcpu)
- kunmap(page);
- nested_release_page(page);
-
-- nested_free_vmcs02(vmx, vmptr);
--
- skip_emulated_instruction(vcpu);
- nested_vmx_succeed(vcpu);
- return 1;
-@@ -8032,10 +7940,11 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
-
- /*
- * The host physical addresses of some pages of guest memory
-- * are loaded into VMCS02 (e.g. L1's Virtual APIC Page). The CPU
-- * may write to these pages via their host physical address while
-- * L2 is running, bypassing any address-translation-based dirty
-- * tracking (e.g. EPT write protection).
-+ * are loaded into the vmcs02 (e.g. vmcs12's Virtual APIC
-+ * Page). The CPU may write to these pages via their host
-+ * physical address while L2 is running, bypassing any
-+ * address-translation-based dirty tracking (e.g. EPT write
-+ * protection).
- *
- * Mark them dirty on every exit from L2 to prevent them from
- * getting out of sync with dirty tracking.
-@@ -10170,7 +10079,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
- struct vmcs12 *vmcs12;
- struct vcpu_vmx *vmx = to_vmx(vcpu);
- int cpu;
-- struct loaded_vmcs *vmcs02;
- bool ia32e;
- u32 msr_entry_idx;
-
-@@ -10310,17 +10218,13 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
- * the nested entry.
- */
-
-- vmcs02 = nested_get_current_vmcs02(vmx);
-- if (!vmcs02)
-- return -ENOMEM;
--
- enter_guest_mode(vcpu);
-
- if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
- vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
-
- cpu = get_cpu();
-- vmx->loaded_vmcs = vmcs02;
-+ vmx->loaded_vmcs = &vmx->nested.vmcs02;
- vmx_vcpu_put(vcpu);
- vmx_vcpu_load(vcpu, cpu);
- vcpu->cpu = cpu;
-@@ -10833,10 +10737,6 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
- vm_exit_controls_reset_shadow(vmx);
- vmx_segment_cache_clear(vmx);
-
-- /* if no vmcs02 cache requested, remove the one we used */
-- if (VMCS02_POOL_SIZE == 0)
-- nested_free_vmcs02(vmx, vmx->nested.current_vmptr);
--
- load_vmcs12_host_state(vcpu, vmcs12);
-
- /* Update any VMCS fields that might have changed while L2 ran */
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-kaiser-name-that-0x1000-KAISER_SHADOW_PGD_OFFSET.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-kaiser-name-that-0x1000-KAISER_SHADOW_PGD_OFFSET.patch
deleted file mode 100644
index f43ed637..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-kaiser-name-that-0x1000-KAISER_SHADOW_PGD_OFFSET.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From ed14e28d25f96ab356ced2a7e9af56fac6483f4d Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sat, 9 Sep 2017 17:31:18 -0700
-Subject: [PATCH 017/103] kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET
-
-There's a 0x1000 in various places, which looks better with a name.
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_64.S | 4 ++--
- arch/x86/include/asm/kaiser.h | 7 +++++--
- 2 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index 57f7993..3c8fc97 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -1316,7 +1316,7 @@ ENTRY(nmi)
- movq %cr3, %rax
- pushq %rax
- #ifdef CONFIG_KAISER_REAL_SWITCH
-- andq $(~0x1000), %rax
-+ andq $(~KAISER_SHADOW_PGD_OFFSET), %rax
- #endif
- movq %rax, %cr3
- #endif
-@@ -1559,7 +1559,7 @@ end_repeat_nmi:
- movq %cr3, %rax
- pushq %rax
- #ifdef CONFIG_KAISER_REAL_SWITCH
-- andq $(~0x1000), %rax
-+ andq $(~KAISER_SHADOW_PGD_OFFSET), %rax
- #endif
- movq %rax, %cr3
- #endif
-diff --git a/arch/x86/include/asm/kaiser.h b/arch/x86/include/asm/kaiser.h
-index 7394ba9..051acf6 100644
---- a/arch/x86/include/asm/kaiser.h
-+++ b/arch/x86/include/asm/kaiser.h
-@@ -13,13 +13,16 @@
- * A minimalistic kernel mapping holds the parts needed to be mapped in user
- * mode, such as the entry/exit functions of the user space, or the stacks.
- */
-+
-+#define KAISER_SHADOW_PGD_OFFSET 0x1000
-+
- #ifdef __ASSEMBLY__
- #ifdef CONFIG_KAISER
-
- .macro _SWITCH_TO_KERNEL_CR3 reg
- movq %cr3, \reg
- #ifdef CONFIG_KAISER_REAL_SWITCH
--andq $(~0x1000), \reg
-+andq $(~KAISER_SHADOW_PGD_OFFSET), \reg
- #endif
- movq \reg, %cr3
- .endm
-@@ -27,7 +30,7 @@ movq \reg, %cr3
- .macro _SWITCH_TO_USER_CR3 reg
- movq %cr3, \reg
- #ifdef CONFIG_KAISER_REAL_SWITCH
--orq $(0x1000), \reg
-+orq $(KAISER_SHADOW_PGD_OFFSET), \reg
- #endif
- movq \reg, %cr3
- .endm
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-perf-x86-Fix-possible-Spectre-v1-indexing-for-hw_per.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-perf-x86-Fix-possible-Spectre-v1-indexing-for-hw_per.patch
deleted file mode 100644
index cb6045b1..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-perf-x86-Fix-possible-Spectre-v1-indexing-for-hw_per.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 1007b2c9e70fe3aaffda12b809da0f3b53642777 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Fri, 20 Apr 2018 14:06:29 +0200
-Subject: [PATCH 17/93] perf/x86: Fix possible Spectre-v1 indexing for
- hw_perf_event cache_*
-
-commit ef9ee4ad38445a30909c48998624861716f2a994 upstream.
-
-> arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids[cache_type]' (local cap)
-> arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids' (local cap)
-> arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs[cache_type]' (local cap)
-> arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs' (local cap)
-
-Userspace controls @config which contains 3 (byte) fields used for a 3
-dimensional array deref.
-
-Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: <stable@kernel.org>
-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
-Cc: Jiri Olsa <jolsa@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Stephane Eranian <eranian@google.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Vince Weaver <vincent.weaver@maine.edu>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/events/core.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
-index 38623e2..6b955e3 100644
---- a/arch/x86/events/core.c
-+++ b/arch/x86/events/core.c
-@@ -303,17 +303,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event)
-
- config = attr->config;
-
-- cache_type = (config >> 0) & 0xff;
-+ cache_type = (config >> 0) & 0xff;
- if (cache_type >= PERF_COUNT_HW_CACHE_MAX)
- return -EINVAL;
-+ cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX);
-
- cache_op = (config >> 8) & 0xff;
- if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX)
- return -EINVAL;
-+ cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX);
-
- cache_result = (config >> 16) & 0xff;
- if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX)
- return -EINVAL;
-+ cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX);
-
- val = hw_cache_event_ids[cache_type][cache_op][cache_result];
-
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-x86-cpu-bugs-Make-retpoline-module-warning-condition.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-x86-cpu-bugs-Make-retpoline-module-warning-condition.patch
deleted file mode 100644
index f5232d18..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0017-x86-cpu-bugs-Make-retpoline-module-warning-condition.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 0af038c29f5df7028f229d2d4bf8ee7163db4cdd Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Sat, 27 Jan 2018 15:45:14 +0100
-Subject: [PATCH 17/42] x86/cpu/bugs: Make retpoline module warning conditional
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-(cherry picked from commit e383095c7fe8d218e00ec0f83e4b95ed4e627b02)
-
-If sysfs is disabled and RETPOLINE not defined:
-
-arch/x86/kernel/cpu/bugs.c:97:13: warning: ‘spectre_v2_bad_module’ defined but not used
-[-Wunused-variable]
- static bool spectre_v2_bad_module;
-
-Hide it.
-
-Fixes: caf7501a1b4e ("module/retpoline: Warn about missing retpoline in module")
-Reported-by: Borislav Petkov <bp@alien8.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/bugs.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 674ad46..efe55c5 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -93,9 +93,10 @@ static const char *spectre_v2_strings[] = {
- #define pr_fmt(fmt) "Spectre V2 : " fmt
-
- static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
--static bool spectre_v2_bad_module;
-
- #ifdef RETPOLINE
-+static bool spectre_v2_bad_module;
-+
- bool retpoline_module_ok(bool has_retpoline)
- {
- if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
-@@ -105,6 +106,13 @@ bool retpoline_module_ok(bool has_retpoline)
- spectre_v2_bad_module = true;
- return false;
- }
-+
-+static inline const char *spectre_v2_module_string(void)
-+{
-+ return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
-+}
-+#else
-+static inline const char *spectre_v2_module_string(void) { return ""; }
- #endif
-
- static void __init spec2_print_if_insecure(const char *reason)
-@@ -299,7 +307,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
- return sprintf(buf, "Not affected\n");
-
- return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-- boot_cpu_has(X86_FEATURE_IBPB) ? ", IPBP" : "",
-- spectre_v2_bad_module ? " - vulnerable module loaded" : "");
-+ boot_cpu_has(X86_FEATURE_IBPB) ? ", IBPB" : "",
-+ spectre_v2_module_string());
- }
- #endif
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-KVM-VMX-introduce-alloc_loaded_vmcs.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-KVM-VMX-introduce-alloc_loaded_vmcs.patch
deleted file mode 100644
index a22f91a8..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-KVM-VMX-introduce-alloc_loaded_vmcs.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 80f4f0e9de9cce1047ac0aac305aca7310e37313 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 11 Jan 2018 12:16:15 +0100
-Subject: [PATCH 18/33] KVM: VMX: introduce alloc_loaded_vmcs
-
-(cherry picked from commit f21f165ef922c2146cc5bdc620f542953c41714b)
-
-Group together the calls to alloc_vmcs and loaded_vmcs_init. Soon we'll also
-allocate an MSR bitmap there.
-
-Cc: stable@vger.kernel.org # prereq for Spectre mitigation
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 38 +++++++++++++++++++++++---------------
- 1 file changed, 23 insertions(+), 15 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 099f221..6814355 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -3514,11 +3514,6 @@ static struct vmcs *alloc_vmcs_cpu(int cpu)
- return vmcs;
- }
-
--static struct vmcs *alloc_vmcs(void)
--{
-- return alloc_vmcs_cpu(raw_smp_processor_id());
--}
--
- static void free_vmcs(struct vmcs *vmcs)
- {
- free_pages((unsigned long)vmcs, vmcs_config.order);
-@@ -3537,6 +3532,22 @@ static void free_loaded_vmcs(struct loaded_vmcs *loaded_vmcs)
- WARN_ON(loaded_vmcs->shadow_vmcs != NULL);
- }
-
-+static struct vmcs *alloc_vmcs(void)
-+{
-+ return alloc_vmcs_cpu(raw_smp_processor_id());
-+}
-+
-+static int alloc_loaded_vmcs(struct loaded_vmcs *loaded_vmcs)
-+{
-+ loaded_vmcs->vmcs = alloc_vmcs();
-+ if (!loaded_vmcs->vmcs)
-+ return -ENOMEM;
-+
-+ loaded_vmcs->shadow_vmcs = NULL;
-+ loaded_vmcs_init(loaded_vmcs);
-+ return 0;
-+}
-+
- static void free_kvm_area(void)
- {
- int cpu;
-@@ -6916,6 +6927,7 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- struct vmcs *shadow_vmcs;
- const u64 VMXON_NEEDED_FEATURES = FEATURE_CONTROL_LOCKED
- | FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX;
-+ int r;
-
- /* The Intel VMX Instruction Reference lists a bunch of bits that
- * are prerequisite to running VMXON, most notably cr4.VMXE must be
-@@ -6955,11 +6967,9 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- return 1;
- }
-
-- vmx->nested.vmcs02.vmcs = alloc_vmcs();
-- vmx->nested.vmcs02.shadow_vmcs = NULL;
-- if (!vmx->nested.vmcs02.vmcs)
-+ r = alloc_loaded_vmcs(&vmx->nested.vmcs02);
-+ if (r < 0)
- goto out_vmcs02;
-- loaded_vmcs_init(&vmx->nested.vmcs02);
-
- if (cpu_has_vmx_msr_bitmap()) {
- vmx->nested.msr_bitmap =
-@@ -9090,17 +9100,15 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
- if (!vmx->guest_msrs)
- goto free_pml;
-
-- vmx->loaded_vmcs = &vmx->vmcs01;
-- vmx->loaded_vmcs->vmcs = alloc_vmcs();
-- vmx->loaded_vmcs->shadow_vmcs = NULL;
-- if (!vmx->loaded_vmcs->vmcs)
-- goto free_msrs;
- if (!vmm_exclusive)
- kvm_cpu_vmxon(__pa(per_cpu(vmxarea, raw_smp_processor_id())));
-- loaded_vmcs_init(vmx->loaded_vmcs);
-+ err = alloc_loaded_vmcs(&vmx->vmcs01);
- if (!vmm_exclusive)
- kvm_cpu_vmxoff();
-+ if (err < 0)
-+ goto free_msrs;
-
-+ vmx->loaded_vmcs = &vmx->vmcs01;
- cpu = get_cpu();
- vmx_vcpu_load(&vmx->vcpu, cpu);
- vmx->vcpu.cpu = cpu;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-kaiser-delete-KAISER_REAL_SWITCH-option.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-kaiser-delete-KAISER_REAL_SWITCH-option.patch
deleted file mode 100644
index 945d478d..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-kaiser-delete-KAISER_REAL_SWITCH-option.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 319109fa5b31997c1bfa7a8384fdb5c3f20b3c6a Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd@google.com>
-Date: Sun, 3 Sep 2017 18:30:43 -0700
-Subject: [PATCH 018/103] kaiser: delete KAISER_REAL_SWITCH option
-
-We fail to see what CONFIG_KAISER_REAL_SWITCH is for: it seems to be
-left over from early development, and now just obscures tricky parts
-of the code. Delete it before adding PCIDs, or nokaiser boot option.
-
-(Or if there is some good reason to keep the option, then it needs
-a help text - and a "depends on KAISER", so that all those without
-KAISER are not asked the question. But we'd much rather delete it.)
-
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/entry/entry_64.S | 4 ----
- arch/x86/include/asm/kaiser.h | 4 ----
- security/Kconfig | 4 ----
- 3 files changed, 12 deletions(-)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index 3c8fc97..df33f10 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -1315,9 +1315,7 @@ ENTRY(nmi)
- /* %rax is saved above, so OK to clobber here */
- movq %cr3, %rax
- pushq %rax
--#ifdef CONFIG_KAISER_REAL_SWITCH
- andq $(~KAISER_SHADOW_PGD_OFFSET), %rax
--#endif
- movq %rax, %cr3
- #endif
- call do_nmi
-@@ -1558,9 +1556,7 @@ end_repeat_nmi:
- /* %rax is saved above, so OK to clobber here */
- movq %cr3, %rax
- pushq %rax
--#ifdef CONFIG_KAISER_REAL_SWITCH
- andq $(~KAISER_SHADOW_PGD_OFFSET), %rax
--#endif
- movq %rax, %cr3
- #endif
-
-diff --git a/arch/x86/include/asm/kaiser.h b/arch/x86/include/asm/kaiser.h
-index 051acf6..e0fc45e 100644
---- a/arch/x86/include/asm/kaiser.h
-+++ b/arch/x86/include/asm/kaiser.h
-@@ -21,17 +21,13 @@
-
- .macro _SWITCH_TO_KERNEL_CR3 reg
- movq %cr3, \reg
--#ifdef CONFIG_KAISER_REAL_SWITCH
- andq $(~KAISER_SHADOW_PGD_OFFSET), \reg
--#endif
- movq \reg, %cr3
- .endm
-
- .macro _SWITCH_TO_USER_CR3 reg
- movq %cr3, \reg
--#ifdef CONFIG_KAISER_REAL_SWITCH
- orq $(KAISER_SHADOW_PGD_OFFSET), \reg
--#endif
- movq \reg, %cr3
- .endm
-
-diff --git a/security/Kconfig b/security/Kconfig
-index dc78671..d8ae933 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -41,10 +41,6 @@ config KAISER
-
- If you are unsure how to answer this question, answer Y.
-
--config KAISER_REAL_SWITCH
-- bool "KAISER: actually switch page tables"
-- default y
--
- config SECURITYFS
- bool "Enable the securityfs filesystem"
- help
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-perf-x86-cstate-Fix-possible-Spectre-v1-indexing-for.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-perf-x86-cstate-Fix-possible-Spectre-v1-indexing-for.patch
deleted file mode 100644
index 40bc2cae..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-perf-x86-cstate-Fix-possible-Spectre-v1-indexing-for.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 8708c762c727c3c4a8fb6c75fc1d5585f89ece90 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Fri, 20 Apr 2018 14:25:48 +0200
-Subject: [PATCH 18/93] perf/x86/cstate: Fix possible Spectre-v1 indexing for
- pkg_msr
-
-commit a5f81290ce475489fa2551c01a07470c1a4c932e upstream.
-
-> arch/x86/events/intel/cstate.c:307 cstate_pmu_event_init() warn: potential spectre issue 'pkg_msr' (local cap)
-
-Userspace controls @attr, sanitize cfg (attr->config) before using it
-to index an array.
-
-Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: <stable@kernel.org>
-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
-Cc: Jiri Olsa <jolsa@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Stephane Eranian <eranian@google.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Vince Weaver <vincent.weaver@maine.edu>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/events/intel/cstate.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c
-index fec8a46..c6a04c0 100644
---- a/arch/x86/events/intel/cstate.c
-+++ b/arch/x86/events/intel/cstate.c
-@@ -90,6 +90,7 @@
- #include <linux/module.h>
- #include <linux/slab.h>
- #include <linux/perf_event.h>
-+#include <linux/nospec.h>
- #include <asm/cpu_device_id.h>
- #include <asm/intel-family.h>
- #include "../perf_event.h"
-@@ -300,6 +301,7 @@ static int cstate_pmu_event_init(struct perf_event *event)
- } else if (event->pmu == &cstate_pkg_pmu) {
- if (cfg >= PERF_CSTATE_PKG_EVENT_MAX)
- return -EINVAL;
-+ cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX);
- if (!pkg_msr[cfg].attr)
- return -EINVAL;
- event->hw.event_base = pkg_msr[cfg].msr;
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-x86-cpufeatures-Clean-up-Spectre-v2-related-CPUID-fl.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-x86-cpufeatures-Clean-up-Spectre-v2-related-CPUID-fl.patch
deleted file mode 100644
index 09e6e0ce..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0018-x86-cpufeatures-Clean-up-Spectre-v2-related-CPUID-fl.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From 9d680bb2dea42b419a94a55a4b65afb1b785b307 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw@amazon.co.uk>
-Date: Sat, 27 Jan 2018 16:24:32 +0000
-Subject: [PATCH 18/42] x86/cpufeatures: Clean up Spectre v2 related CPUID
- flags
-
-(cherry picked from commit 2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2)
-
-We want to expose the hardware features simply in /proc/cpuinfo as "ibrs",
-"ibpb" and "stibp". Since AMD has separate CPUID bits for those, use them
-as the user-visible bits.
-
-When the Intel SPEC_CTRL bit is set which indicates both IBRS and IBPB
-capability, set those (AMD) bits accordingly. Likewise if the Intel STIBP
-bit is set, set the AMD STIBP that's used for the generic hardware
-capability.
-
-Hide the rest from /proc/cpuinfo by putting "" in the comments. Including
-RETPOLINE and RETPOLINE_AMD which shouldn't be visible there. There are
-patches to make the sysfs vulnerabilities information non-readable by
-non-root, and the same should apply to all information about which
-mitigations are actually in use. Those *shouldn't* appear in /proc/cpuinfo.
-
-The feature bit for whether IBPB is actually used, which is needed for
-ALTERNATIVEs, is renamed to X86_FEATURE_USE_IBPB.
-
-Originally-by: Borislav Petkov <bp@suse.de>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: ak@linux.intel.com
-Cc: dave.hansen@intel.com
-Cc: karahmed@amazon.de
-Cc: arjan@linux.intel.com
-Cc: torvalds@linux-foundation.org
-Cc: peterz@infradead.org
-Cc: bp@alien8.de
-Cc: pbonzini@redhat.com
-Cc: tim.c.chen@linux.intel.com
-Cc: gregkh@linux-foundation.org
-Link: https://lkml.kernel.org/r/1517070274-12128-2-git-send-email-dwmw@amazon.co.uk
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 18 +++++++++---------
- arch/x86/include/asm/nospec-branch.h | 2 +-
- arch/x86/kernel/cpu/bugs.c | 7 +++----
- arch/x86/kernel/cpu/intel.c | 31 +++++++++++++++++++++----------
- 4 files changed, 34 insertions(+), 24 deletions(-)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 3901545..8eb23f5 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -194,15 +194,15 @@
- #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
- #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
-
--#define X86_FEATURE_RETPOLINE ( 7*32+12) /* Generic Retpoline mitigation for Spectre variant 2 */
--#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */
-+#define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
-+#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
-
--#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* Fill RSB on context switches */
-+#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */
-
- /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
- #define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
-
--#define X86_FEATURE_IBPB ( 7*32+21) /* Indirect Branch Prediction Barrier enabled*/
-+#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
-
- /* Virtualization flags: Linux defined, word 8 */
- #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
-@@ -260,9 +260,9 @@
- /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
- #define X86_FEATURE_CLZERO (13*32+0) /* CLZERO instruction */
- #define X86_FEATURE_IRPERF (13*32+1) /* Instructions Retired Count */
--#define X86_FEATURE_AMD_PRED_CMD (13*32+12) /* Prediction Command MSR (AMD) */
--#define X86_FEATURE_AMD_SPEC_CTRL (13*32+14) /* Speculation Control MSR only (AMD) */
--#define X86_FEATURE_AMD_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors (AMD) */
-+#define X86_FEATURE_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */
-+#define X86_FEATURE_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */
-+#define X86_FEATURE_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */
-
- /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
- #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
-@@ -301,8 +301,8 @@
- /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
- #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */
- #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
--#define X86_FEATURE_SPEC_CTRL (18*32+26) /* Speculation Control (IBRS + IBPB) */
--#define X86_FEATURE_STIBP (18*32+27) /* Single Thread Indirect Branch Predictors */
-+#define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
-+#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
- #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
-
- /*
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 865192a..19ecb54 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -225,7 +225,7 @@ static inline void indirect_branch_prediction_barrier(void)
- "movl %[val], %%eax\n\t"
- "movl $0, %%edx\n\t"
- "wrmsr",
-- X86_FEATURE_IBPB)
-+ X86_FEATURE_USE_IBPB)
- : : [msr] "i" (MSR_IA32_PRED_CMD),
- [val] "i" (PRED_CMD_IBPB)
- : "eax", "ecx", "edx", "memory");
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index efe55c5..3a06718 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -272,9 +272,8 @@ static void __init spectre_v2_select_mitigation(void)
- }
-
- /* Initialize Indirect Branch Prediction Barrier if supported */
-- if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) ||
-- boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) {
-- setup_force_cpu_cap(X86_FEATURE_IBPB);
-+ if (boot_cpu_has(X86_FEATURE_IBPB)) {
-+ setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
- pr_info("Enabling Indirect Branch Prediction Barrier\n");
- }
- }
-@@ -307,7 +306,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
- return sprintf(buf, "Not affected\n");
-
- return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-- boot_cpu_has(X86_FEATURE_IBPB) ? ", IBPB" : "",
-+ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
- spectre_v2_module_string());
- }
- #endif
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index 4d23d78..2e257f8 100644
---- a/arch/x86/kernel/cpu/intel.c
-+++ b/arch/x86/kernel/cpu/intel.c
-@@ -140,17 +140,28 @@ static void early_init_intel(struct cpuinfo_x86 *c)
- rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
- }
-
-- if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
-- cpu_has(c, X86_FEATURE_STIBP) ||
-- cpu_has(c, X86_FEATURE_AMD_SPEC_CTRL) ||
-- cpu_has(c, X86_FEATURE_AMD_PRED_CMD) ||
-- cpu_has(c, X86_FEATURE_AMD_STIBP)) && bad_spectre_microcode(c)) {
-- pr_warn("Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL\n");
-- clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
-+ /*
-+ * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
-+ * and they also have a different bit for STIBP support. Also,
-+ * a hypervisor might have set the individual AMD bits even on
-+ * Intel CPUs, for finer-grained selection of what's available.
-+ */
-+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
-+ set_cpu_cap(c, X86_FEATURE_IBRS);
-+ set_cpu_cap(c, X86_FEATURE_IBPB);
-+ }
-+ if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
-+ set_cpu_cap(c, X86_FEATURE_STIBP);
-+
-+ /* Now if any of them are set, check the blacklist and clear the lot */
-+ if ((cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
-+ cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) {
-+ pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n");
-+ clear_cpu_cap(c, X86_FEATURE_IBRS);
-+ clear_cpu_cap(c, X86_FEATURE_IBPB);
- clear_cpu_cap(c, X86_FEATURE_STIBP);
-- clear_cpu_cap(c, X86_FEATURE_AMD_SPEC_CTRL);
-- clear_cpu_cap(c, X86_FEATURE_AMD_PRED_CMD);
-- clear_cpu_cap(c, X86_FEATURE_AMD_STIBP);
-+ clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
-+ clear_cpu_cap(c, X86_FEATURE_INTEL_STIBP);
- }
-
- /*
---
-2.7.4
-
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0019-KVM-VMX-make-MSR-bitmaps-per-VCPU.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0019-KVM-VMX-make-MSR-bitmaps-per-VCPU.patch
deleted file mode 100644
index 0a8db555..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0019-KVM-VMX-make-MSR-bitmaps-per-VCPU.patch
+++ /dev/null
@@ -1,585 +0,0 @@
-From cc42f184dfdfed46c394274020b84a1641f24714 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 16 Jan 2018 16:51:18 +0100
-Subject: [PATCH 19/33] KVM: VMX: make MSR bitmaps per-VCPU
-
-(cherry picked from commit 904e14fb7cb96401a7dc803ca2863fd5ba32ffe6)
-
-Place the MSR bitmap in struct loaded_vmcs, and update it in place
-every time the x2apic or APICv state can change. This is rare and
-the loop can handle 64 MSRs per iteration, in a similar fashion as
-nested_vmx_prepare_msr_bitmap.
-
-This prepares for choosing, on a per-VM basis, whether to intercept
-the SPEC_CTRL and PRED_CMD MSRs.
-
-Cc: stable@vger.kernel.org # prereq for Spectre mitigation
-Suggested-by: Jim Mattson <jmattson@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 315 +++++++++++++++++++----------------------------------
- 1 file changed, 114 insertions(+), 201 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 6814355..c6a7563 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -110,6 +110,14 @@ static u64 __read_mostly host_xss;
- static bool __read_mostly enable_pml = 1;
- module_param_named(pml, enable_pml, bool, S_IRUGO);
-
-+#define MSR_TYPE_R 1
-+#define MSR_TYPE_W 2
-+#define MSR_TYPE_RW 3
-+
-+#define MSR_BITMAP_MODE_X2APIC 1
-+#define MSR_BITMAP_MODE_X2APIC_APICV 2
-+#define MSR_BITMAP_MODE_LM 4
-+
- #define KVM_VMX_TSC_MULTIPLIER_MAX 0xffffffffffffffffULL
-
- /* Guest_tsc -> host_tsc conversion requires 64-bit division. */
-@@ -191,6 +199,7 @@ struct loaded_vmcs {
- struct vmcs *shadow_vmcs;
- int cpu;
- int launched;
-+ unsigned long *msr_bitmap;
- struct list_head loaded_vmcss_on_cpu_link;
- };
-
-@@ -429,8 +438,6 @@ struct nested_vmx {
- bool pi_pending;
- u16 posted_intr_nv;
-
-- unsigned long *msr_bitmap;
--
- struct hrtimer preemption_timer;
- bool preemption_timer_expired;
-
-@@ -531,6 +538,7 @@ struct vcpu_vmx {
- unsigned long host_rsp;
- u8 fail;
- bool nmi_known_unmasked;
-+ u8 msr_bitmap_mode;
- u32 exit_intr_info;
- u32 idt_vectoring_info;
- ulong rflags;
-@@ -902,6 +910,7 @@ static u32 vmx_segment_access_rights(struct kvm_segment *var);
- static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx);
- static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx);
- static int alloc_identity_pagetable(struct kvm *kvm);
-+static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
-
- static DEFINE_PER_CPU(struct vmcs *, vmxarea);
- static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
-@@ -921,12 +930,6 @@ static DEFINE_PER_CPU(spinlock_t, blocked_vcpu_on_cpu_lock);
-
- static unsigned long *vmx_io_bitmap_a;
- static unsigned long *vmx_io_bitmap_b;
--static unsigned long *vmx_msr_bitmap_legacy;
--static unsigned long *vmx_msr_bitmap_longmode;
--static unsigned long *vmx_msr_bitmap_legacy_x2apic;
--static unsigned long *vmx_msr_bitmap_longmode_x2apic;
--static unsigned long *vmx_msr_bitmap_legacy_x2apic_apicv_inactive;
--static unsigned long *vmx_msr_bitmap_longmode_x2apic_apicv_inactive;
- static unsigned long *vmx_vmread_bitmap;
- static unsigned long *vmx_vmwrite_bitmap;
-
-@@ -2517,36 +2520,6 @@ static void move_msr_up(struct vcpu_vmx *vmx, int from, int to)
- vmx->guest_msrs[from] = tmp;
- }
-
--static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu)
--{
-- unsigned long *msr_bitmap;
--
-- if (is_guest_mode(vcpu))
-- msr_bitmap = to_vmx(vcpu)->nested.msr_bitmap;
-- else if (cpu_has_secondary_exec_ctrls() &&
-- (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) &
-- SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) {
-- if (enable_apicv && kvm_vcpu_apicv_active(vcpu)) {
-- if (is_long_mode(vcpu))
-- msr_bitmap = vmx_msr_bitmap_longmode_x2apic;
-- else
-- msr_bitmap = vmx_msr_bitmap_legacy_x2apic;
-- } else {
-- if (is_long_mode(vcpu))
-- msr_bitmap = vmx_msr_bitmap_longmode_x2apic_apicv_inactive;
-- else
-- msr_bitmap = vmx_msr_bitmap_legacy_x2apic_apicv_inactive;
-- }
-- } else {