[x86] Update TAA (Borislav v2) and NX (v9) fixes

The upstream commits for these are now finalised, so we shouldn't need
to replace patches after this (but might need to add more).

debian/changelog

@@ -1,20 +1,5 @@
 linux (4.19.67-2+deb10u2) UNRELEASED; urgency=medium
 
-  * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
-    (aka iTLB multi-hit, CVE-2018-12207):
-    - KVM: x86: adjust kvm_mmu_page member to save 8 bytes
-    - kvm: Convert kvm_lock to a mutex
-    - kvm: x86: Do not release the page inside mmu_set_spte()
-    - KVM: x86: make FNAME(fetch) and __direct_map more similar
-    - KVM: x86: remove now unneeded hugepage gfn adjustment
-    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
-    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
-    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
-    - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
-    - x86: Add ITLB_MULTIHIT bug infrastructure
-    - kvm: mmu: ITLB_MULTIHIT mitigation
-    - kvm: Add helper function for creating VM worker threads
-    - kvm: x86: mmu: Recovery of shattered NX large pages
   * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
     - x86/msr: Add the IA32_TSX_CTRL MSR
     - x86/cpu: Add a helper function x86_read_arch_cap_msr()
@@ -27,6 +12,23 @@ linux (4.19.67-2+deb10u2) UNRELEASED; urgency=medium
     - x86/tsx: Add config options to set tsx=on|off|auto
     TSX is now disabled by default; see
     Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+  * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
+    (aka iTLB multi-hit, CVE-2018-12207):
+    - KVM: x86: adjust kvm_mmu_page member to save 8 bytes
+    - kvm: Convert kvm_lock to a mutex
+    - kvm: x86: Do not release the page inside mmu_set_spte()
+    - KVM: x86: make FNAME(fetch) and __direct_map more similar
+    - KVM: x86: remove now unneeded hugepage gfn adjustment
+    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
+    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
+    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
+    - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
+    - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
+    - cpu/speculation: Uninline and export CPU mitigations helpers
+    - kvm: mmu: ITLB_MULTIHIT mitigation
+    - kvm: Add helper function for creating VM worker threads
+    - kvm: x86: mmu: Recovery of shattered NX large pages
+    - Documentation: Add ITLB_MULTIHIT documentation
 
  -- Ben Hutchings <ben@decadent.org.uk>  Sun, 20 Oct 2019 14:21:28 +0100
 

debian/patches/bugfix/x86/itlb_multihit/0010-KVM-x86-adjust-kvm_mmu_page-member-to-save-8-bytes.patch

@@ -27,8 +27,6 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  arch/x86/include/asm/kvm_host.h | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 0d3f5cf3ff3e..90dccb5c79d9 100644
 --- a/arch/x86/include/asm/kvm_host.h
 +++ b/arch/x86/include/asm/kvm_host.h
 @@ -281,18 +281,18 @@ struct kvm_rmap_head {

debian/patches/bugfix/x86/itlb_multihit/0011-kvm-Convert-kvm_lock-to-a-mutex.patch

@@ -21,11 +21,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  virt/kvm/kvm_main.c                   | 30 +++++++++++++--------------
  6 files changed, 28 insertions(+), 30 deletions(-)
 
-diff --git a/Documentation/virtual/kvm/locking.txt b/Documentation/virtual/kvm/locking.txt
-index 1bb8bcaf8497..635cd6eaf714 100644
 --- a/Documentation/virtual/kvm/locking.txt
 +++ b/Documentation/virtual/kvm/locking.txt
-@@ -15,8 +15,6 @@ KVM Lock Overview
+@@ -15,8 +15,6 @@ The acquisition orders for mutexes are a
  
  On x86, vcpu->mutex is taken outside kvm->arch.hyperv.hv_lock.
  
@@ -34,7 +32,7 @@ index 1bb8bcaf8497..635cd6eaf714 100644
  Everything else is a leaf: no other lock is taken inside the critical
  sections.
  
-@@ -169,7 +167,7 @@ which time it will be set using the Dirty tracking mechanism described above.
+@@ -169,7 +167,7 @@ which time it will be set using the Dirt
  ------------
  
  Name:		kvm_lock
@@ -43,11 +41,9 @@ index 1bb8bcaf8497..635cd6eaf714 100644
  Arch:		any
  Protects:	- vm_list
  
-diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
-index fac1d4eaa426..3c317bc6b799 100644
 --- a/arch/s390/kvm/kvm-s390.c
 +++ b/arch/s390/kvm/kvm-s390.c
-@@ -2110,13 +2110,13 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+@@ -2108,13 +2108,13 @@ int kvm_arch_init_vm(struct kvm *kvm, un
  	kvm->arch.sca = (struct bsca_block *) get_zeroed_page(alloc_flags);
  	if (!kvm->arch.sca)
  		goto out_err;
@@ -63,11 +59,9 @@ index fac1d4eaa426..3c317bc6b799 100644
  
  	sprintf(debug_name, "kvm-%u", current->pid);
  
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 88940261fb53..c9d4e02bd73a 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
-@@ -5819,7 +5819,7 @@ mmu_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+@@ -5819,7 +5819,7 @@ mmu_shrink_scan(struct shrinker *shrink,
  	int nr_to_scan = sc->nr_to_scan;
  	unsigned long freed = 0;
  
@@ -76,7 +70,7 @@ index 88940261fb53..c9d4e02bd73a 100644
  
  	list_for_each_entry(kvm, &vm_list, vm_list) {
  		int idx;
-@@ -5869,7 +5869,7 @@ mmu_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+@@ -5869,7 +5869,7 @@ unlock:
  		break;
  	}
  
@@ -85,11 +79,9 @@ index 88940261fb53..c9d4e02bd73a 100644
  	return freed;
  }
  
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 6ae8a013af31..0c085b895e6e 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
-@@ -6502,7 +6502,7 @@ static void kvm_hyperv_tsc_notifier(void)
+@@ -6490,7 +6490,7 @@ static void kvm_hyperv_tsc_notifier(void
  	struct kvm_vcpu *vcpu;
  	int cpu;
  
@@ -98,7 +90,7 @@ index 6ae8a013af31..0c085b895e6e 100644
  	list_for_each_entry(kvm, &vm_list, vm_list)
  		kvm_make_mclock_inprogress_request(kvm);
  
-@@ -6528,7 +6528,7 @@ static void kvm_hyperv_tsc_notifier(void)
+@@ -6516,7 +6516,7 @@ static void kvm_hyperv_tsc_notifier(void
  
  		spin_unlock(&ka->pvclock_gtod_sync_lock);
  	}
@@ -107,7 +99,7 @@ index 6ae8a013af31..0c085b895e6e 100644
  }
  #endif
  
-@@ -6586,17 +6586,17 @@ static int kvmclock_cpufreq_notifier(struct notifier_block *nb, unsigned long va
+@@ -6574,17 +6574,17 @@ static int kvmclock_cpufreq_notifier(str
  
  	smp_call_function_single(freq->cpu, tsc_khz_changed, freq, 1);
  
@@ -128,7 +120,7 @@ index 6ae8a013af31..0c085b895e6e 100644
  
  	if (freq->old < freq->new && send_ipi) {
  		/*
-@@ -6722,12 +6722,12 @@ static void pvclock_gtod_update_fn(struct work_struct *work)
+@@ -6710,12 +6710,12 @@ static void pvclock_gtod_update_fn(struc
  	struct kvm_vcpu *vcpu;
  	int i;
  
@@ -143,11 +135,9 @@ index 6ae8a013af31..0c085b895e6e 100644
  }
  
  static DECLARE_WORK(pvclock_gtod_work, pvclock_gtod_update_fn);
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index d42a36e4e6c2..5246a480d15a 100644
 --- a/include/linux/kvm_host.h
 +++ b/include/linux/kvm_host.h
-@@ -141,7 +141,7 @@ static inline bool is_error_page(struct page *page)
+@@ -141,7 +141,7 @@ static inline bool is_error_page(struct
  
  extern struct kmem_cache *kvm_vcpu_cache;
  
@@ -156,8 +146,6 @@ index d42a36e4e6c2..5246a480d15a 100644
  extern struct list_head vm_list;
  
  struct kvm_io_range {
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 4a584a575221..6a8fe26198b9 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -92,7 +92,7 @@ EXPORT_SYMBOL_GPL(halt_poll_ns_shrink);
@@ -169,7 +157,7 @@ index 4a584a575221..6a8fe26198b9 100644
  static DEFINE_RAW_SPINLOCK(kvm_count_lock);
  LIST_HEAD(vm_list);
  
-@@ -684,9 +684,9 @@ static struct kvm *kvm_create_vm(unsigned long type)
+@@ -684,9 +684,9 @@ static struct kvm *kvm_create_vm(unsigne
  	if (r)
  		goto out_err;
  
@@ -181,7 +169,7 @@ index 4a584a575221..6a8fe26198b9 100644
  
  	preempt_notifier_inc();
  
-@@ -732,9 +732,9 @@ static void kvm_destroy_vm(struct kvm *kvm)
+@@ -732,9 +732,9 @@ static void kvm_destroy_vm(struct kvm *k
  	kvm_uevent_notify_change(KVM_EVENT_DESTROY_VM, kvm);
  	kvm_destroy_vm_debugfs(kvm);
  	kvm_arch_sync_events(kvm);
@@ -193,7 +181,7 @@ index 4a584a575221..6a8fe26198b9 100644
  	kvm_free_irq_routing(kvm);
  	for (i = 0; i < KVM_NR_BUSES; i++) {
  		struct kvm_io_bus *bus = kvm_get_bus(kvm, i);
-@@ -3828,13 +3828,13 @@ static int vm_stat_get(void *_offset, u64 *val)
+@@ -3828,13 +3828,13 @@ static int vm_stat_get(void *_offset, u6
  	u64 tmp_val;
  
  	*val = 0;
@@ -209,7 +197,7 @@ index 4a584a575221..6a8fe26198b9 100644
  	return 0;
  }
  
-@@ -3847,12 +3847,12 @@ static int vm_stat_clear(void *_offset, u64 val)
+@@ -3847,12 +3847,12 @@ static int vm_stat_clear(void *_offset,
  	if (val)
  		return -EINVAL;
  
@@ -224,7 +212,7 @@ index 4a584a575221..6a8fe26198b9 100644
  
  	return 0;
  }
-@@ -3867,13 +3867,13 @@ static int vcpu_stat_get(void *_offset, u64 *val)
+@@ -3867,13 +3867,13 @@ static int vcpu_stat_get(void *_offset,
  	u64 tmp_val;
  
  	*val = 0;
@@ -240,7 +228,7 @@ index 4a584a575221..6a8fe26198b9 100644
  	return 0;
  }
  
-@@ -3886,12 +3886,12 @@ static int vcpu_stat_clear(void *_offset, u64 val)
+@@ -3886,12 +3886,12 @@ static int vcpu_stat_clear(void *_offset
  	if (val)
  		return -EINVAL;
  
@@ -255,7 +243,7 @@ index 4a584a575221..6a8fe26198b9 100644
  
  	return 0;
  }
-@@ -3912,7 +3912,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
+@@ -3912,7 +3912,7 @@ static void kvm_uevent_notify_change(uns
  	if (!kvm_dev.this_device || !kvm)
  		return;
  
@@ -264,7 +252,7 @@ index 4a584a575221..6a8fe26198b9 100644
  	if (type == KVM_EVENT_CREATE_VM) {
  		kvm_createvm_count++;
  		kvm_active_vms++;
-@@ -3921,7 +3921,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
+@@ -3921,7 +3921,7 @@ static void kvm_uevent_notify_change(uns
  	}
  	created = kvm_createvm_count;
  	active = kvm_active_vms;

debian/patches/bugfix/x86/itlb_multihit/0012-kvm-x86-Do-not-release-the-page-inside-mmu_set_spte.patch

@@ -17,11 +17,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  arch/x86/kvm/paging_tmpl.h |  8 +++-----
  2 files changed, 10 insertions(+), 16 deletions(-)
 
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index c9d4e02bd73a..7dc18fb42168 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
-@@ -3001,8 +3001,6 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep, unsigned pte_access,
+@@ -3001,8 +3001,6 @@ static int mmu_set_spte(struct kvm_vcpu
  		}
  	}
  
@@ -30,7 +28,7 @@ index c9d4e02bd73a..7dc18fb42168 100644
  	return ret;
  }
  
-@@ -3037,9 +3035,11 @@ static int direct_pte_prefetch_many(struct kvm_vcpu *vcpu,
+@@ -3037,9 +3035,11 @@ static int direct_pte_prefetch_many(stru
  	if (ret <= 0)
  		return -1;
  
@@ -43,7 +41,7 @@ index c9d4e02bd73a..7dc18fb42168 100644
  
  	return 0;
  }
-@@ -3445,6 +3445,7 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+@@ -3445,6 +3445,7 @@ static int nonpaging_map(struct kvm_vcpu
  	if (handle_abnormal_pfn(vcpu, v, gfn, pfn, ACC_ALL, &r))
  		return r;
  
@@ -51,7 +49,7 @@ index c9d4e02bd73a..7dc18fb42168 100644
  	spin_lock(&vcpu->kvm->mmu_lock);
  	if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
  		goto out_unlock;
-@@ -3453,14 +3454,11 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+@@ -3453,14 +3454,11 @@ static int nonpaging_map(struct kvm_vcpu
  	if (likely(!force_pt_level))
  		transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
  	r = __direct_map(vcpu, write, map_writable, level, gfn, pfn, prefault);
@@ -67,7 +65,7 @@ index c9d4e02bd73a..7dc18fb42168 100644
  }
  
  static void mmu_free_root_page(struct kvm *kvm, hpa_t *root_hpa,
-@@ -4082,6 +4080,7 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
+@@ -4082,6 +4080,7 @@ static int tdp_page_fault(struct kvm_vcp
  	if (handle_abnormal_pfn(vcpu, 0, gfn, pfn, ACC_ALL, &r))
  		return r;
  
@@ -75,7 +73,7 @@ index c9d4e02bd73a..7dc18fb42168 100644
  	spin_lock(&vcpu->kvm->mmu_lock);
  	if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
  		goto out_unlock;
-@@ -4090,14 +4089,11 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
+@@ -4090,14 +4089,11 @@ static int tdp_page_fault(struct kvm_vcp
  	if (likely(!force_pt_level))
  		transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
  	r = __direct_map(vcpu, write, map_writable, level, gfn, pfn, prefault);
@@ -91,11 +89,9 @@ index c9d4e02bd73a..7dc18fb42168 100644
  }
  
  static void nonpaging_init_context(struct kvm_vcpu *vcpu,
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 14ffd973df54..569c55dae3fa 100644
 --- a/arch/x86/kvm/paging_tmpl.h
 +++ b/arch/x86/kvm/paging_tmpl.h
-@@ -522,6 +522,7 @@ FNAME(prefetch_gpte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
+@@ -522,6 +522,7 @@ FNAME(prefetch_gpte)(struct kvm_vcpu *vc
  	mmu_set_spte(vcpu, spte, pte_access, 0, PT_PAGE_TABLE_LEVEL, gfn, pfn,
  		     true, true);
  
@@ -103,7 +99,7 @@ index 14ffd973df54..569c55dae3fa 100644
  	return true;
  }
  
-@@ -673,7 +674,6 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
+@@ -673,7 +674,6 @@ static int FNAME(fetch)(struct kvm_vcpu
  	return ret;
  
  out_gpte_changed:
@@ -111,7 +107,7 @@ index 14ffd973df54..569c55dae3fa 100644
  	return RET_PF_RETRY;
  }
  
-@@ -821,6 +821,7 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
+@@ -821,6 +821,7 @@ static int FNAME(page_fault)(struct kvm_
  			walker.pte_access &= ~ACC_EXEC_MASK;
  	}
  
@@ -119,7 +115,7 @@ index 14ffd973df54..569c55dae3fa 100644
  	spin_lock(&vcpu->kvm->mmu_lock);
  	if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
  		goto out_unlock;
-@@ -834,14 +835,11 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
+@@ -834,14 +835,11 @@ static int FNAME(page_fault)(struct kvm_
  			 level, pfn, map_writable, prefault);
  	++vcpu->stat.pf_fixed;
  	kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);

debian/patches/bugfix/x86/itlb_multihit/0013-KVM-x86-make-FNAME-fetch-and-__direct_map-more-simil.patch

@@ -18,11 +18,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  arch/x86/kvm/paging_tmpl.h | 30 ++++++++++-----------
  2 files changed, 39 insertions(+), 44 deletions(-)
 
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 7dc18fb42168..42a7120323bb 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
-@@ -3087,40 +3087,39 @@ static void direct_pte_prefetch(struct kvm_vcpu *vcpu, u64 *sptep)
+@@ -3087,40 +3087,39 @@ static void direct_pte_prefetch(struct k
  	__direct_pte_prefetch(vcpu, sp, sptep);
  }
  
@@ -86,7 +84,7 @@ index 7dc18fb42168..42a7120323bb 100644
  }
  
  static void kvm_send_hwpoison_signal(unsigned long address, struct task_struct *tsk)
-@@ -3453,8 +3452,7 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+@@ -3453,8 +3452,7 @@ static int nonpaging_map(struct kvm_vcpu
  		goto out_unlock;
  	if (likely(!force_pt_level))
  		transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
@@ -96,7 +94,7 @@ index 7dc18fb42168..42a7120323bb 100644
  out_unlock:
  	spin_unlock(&vcpu->kvm->mmu_lock);
  	kvm_release_pfn_clean(pfn);
-@@ -4088,8 +4086,7 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
+@@ -4088,8 +4086,7 @@ static int tdp_page_fault(struct kvm_vcp
  		goto out_unlock;
  	if (likely(!force_pt_level))
  		transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
@@ -106,11 +104,9 @@ index 7dc18fb42168..42a7120323bb 100644
  out_unlock:
  	spin_unlock(&vcpu->kvm->mmu_lock);
  	kvm_release_pfn_clean(pfn);
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 569c55dae3fa..eb95d3672acd 100644
 --- a/arch/x86/kvm/paging_tmpl.h
 +++ b/arch/x86/kvm/paging_tmpl.h
-@@ -602,6 +602,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
+@@ -602,6 +602,7 @@ static int FNAME(fetch)(struct kvm_vcpu
  	struct kvm_shadow_walk_iterator it;
  	unsigned direct_access, access = gw->pt_access;
  	int top_level, ret;
@@ -118,7 +114,7 @@ index 569c55dae3fa..eb95d3672acd 100644
  
  	direct_access = gw->pte_access;
  
-@@ -646,31 +647,29 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
+@@ -646,31 +647,29 @@ static int FNAME(fetch)(struct kvm_vcpu
  			link_shadow_page(vcpu, it.sptep, sp);
  	}
  
@@ -163,7 +159,7 @@ index 569c55dae3fa..eb95d3672acd 100644
  	return ret;
  
  out_gpte_changed:
-@@ -833,7 +832,6 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
+@@ -833,7 +832,6 @@ static int FNAME(page_fault)(struct kvm_
  		transparent_hugepage_adjust(vcpu, &walker.gfn, &pfn, &level);
  	r = FNAME(fetch)(vcpu, addr, &walker, write_fault,
  			 level, pfn, map_writable, prefault);

debian/patches/bugfix/x86/itlb_multihit/0014-KVM-x86-remove-now-unneeded-hugepage-gfn-adjustment.patch

@@ -15,11 +15,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  arch/x86/kvm/paging_tmpl.h | 2 +-
  2 files changed, 4 insertions(+), 7 deletions(-)
 
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 42a7120323bb..96803f996819 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
-@@ -3155,11 +3155,10 @@ static int kvm_handle_bad_page(struct kvm_vcpu *vcpu, gfn_t gfn, kvm_pfn_t pfn)
+@@ -3155,11 +3155,10 @@ static int kvm_handle_bad_page(struct kv
  }
  
  static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
@@ -32,7 +30,7 @@ index 42a7120323bb..96803f996819 100644
  	int level = *levelp;
  
  	/*
-@@ -3186,8 +3185,6 @@ static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
+@@ -3186,8 +3185,6 @@ static void transparent_hugepage_adjust(
  		mask = KVM_PAGES_PER_HPAGE(level) - 1;
  		VM_BUG_ON((gfn & mask) != (pfn & mask));
  		if (pfn & mask) {
@@ -41,7 +39,7 @@ index 42a7120323bb..96803f996819 100644
  			kvm_release_pfn_clean(pfn);
  			pfn &= ~mask;
  			kvm_get_pfn(pfn);
-@@ -3451,7 +3448,7 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+@@ -3451,7 +3448,7 @@ static int nonpaging_map(struct kvm_vcpu
  	if (make_mmu_pages_available(vcpu) < 0)
  		goto out_unlock;
  	if (likely(!force_pt_level))
@@ -50,7 +48,7 @@ index 42a7120323bb..96803f996819 100644
  	r = __direct_map(vcpu, v, write, map_writable, level, pfn, prefault);
  out_unlock:
  	spin_unlock(&vcpu->kvm->mmu_lock);
-@@ -4085,7 +4082,7 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
+@@ -4085,7 +4082,7 @@ static int tdp_page_fault(struct kvm_vcp
  	if (make_mmu_pages_available(vcpu) < 0)
  		goto out_unlock;
  	if (likely(!force_pt_level))
@@ -59,11 +57,9 @@ index 42a7120323bb..96803f996819 100644
  	r = __direct_map(vcpu, gpa, write, map_writable, level, pfn, prefault);
  out_unlock:
  	spin_unlock(&vcpu->kvm->mmu_lock);
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index eb95d3672acd..4aab953f1d31 100644
 --- a/arch/x86/kvm/paging_tmpl.h
 +++ b/arch/x86/kvm/paging_tmpl.h
-@@ -829,7 +829,7 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
+@@ -829,7 +829,7 @@ static int FNAME(page_fault)(struct kvm_
  	if (make_mmu_pages_available(vcpu) < 0)
  		goto out_unlock;
  	if (!force_pt_level)

debian/patches/bugfix/x86/itlb_multihit/0015-KVM-x86-change-kvm_mmu_page_get_gfn-BUG_ON-to-WARN_O.patch

@@ -15,11 +15,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  arch/x86/kvm/mmu.c | 12 +++++++++---
  1 file changed, 9 insertions(+), 3 deletions(-)
 
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 96803f996819..68fa10d890ee 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
-@@ -1027,10 +1027,16 @@ static gfn_t kvm_mmu_page_get_gfn(struct kvm_mmu_page *sp, int index)
+@@ -1027,10 +1027,16 @@ static gfn_t kvm_mmu_page_get_gfn(struct
  
  static void kvm_mmu_page_set_gfn(struct kvm_mmu_page *sp, int index, gfn_t gfn)
  {

debian/patches/bugfix/x86/itlb_multihit/0016-KVM-x86-add-tracepoints-around-__direct_map-and-FNAM.patch

@@ -15,8 +15,6 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  arch/x86/kvm/paging_tmpl.h |  2 ++
  3 files changed, 67 insertions(+), 7 deletions(-)
 
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 68fa10d890ee..7f9be921df7c 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
 @@ -140,9 +140,6 @@ module_param(dbg, bool, 0644);
@@ -29,7 +27,7 @@ index 68fa10d890ee..7f9be921df7c 100644
  #define SPTE_HOST_WRITEABLE	(1ULL << PT_FIRST_AVAIL_BITS_SHIFT)
  #define SPTE_MMU_WRITEABLE	(1ULL << (PT_FIRST_AVAIL_BITS_SHIFT + 1))
  
-@@ -261,9 +258,13 @@ static u64 __read_mostly shadow_nonpresent_or_rsvd_lower_gfn_mask;
+@@ -261,9 +258,13 @@ static u64 __read_mostly shadow_nonprese
  
  
  static void mmu_spte_set(u64 *sptep, u64 spte);
@@ -43,7 +41,7 @@ index 68fa10d890ee..7f9be921df7c 100644
  void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask, u64 mmio_value)
  {
  	BUG_ON((mmio_mask & mmio_value) != mmio_value);
-@@ -2992,10 +2993,7 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep, unsigned pte_access,
+@@ -2992,10 +2993,7 @@ static int mmu_set_spte(struct kvm_vcpu
  		ret = RET_PF_EMULATE;
  
  	pgprintk("%s: setting spte %llx\n", __func__, *sptep);
@@ -55,7 +53,7 @@ index 68fa10d890ee..7f9be921df7c 100644
  	if (!was_rmapped && is_large_pte(*sptep))
  		++vcpu->kvm->stat.lpages;
  
-@@ -3106,6 +3104,7 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t gpa, int write,
+@@ -3106,6 +3104,7 @@ static int __direct_map(struct kvm_vcpu
  	if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
  		return RET_PF_RETRY;
  
@@ -63,8 +61,6 @@ index 68fa10d890ee..7f9be921df7c 100644
  	for_each_shadow_entry(vcpu, gpa, it) {
  		base_gfn = gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
  		if (it.level == level)
-diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h
-index c73bf4e4988c..918b0d5bf272 100644
 --- a/arch/x86/kvm/mmutrace.h
 +++ b/arch/x86/kvm/mmutrace.h
 @@ -325,6 +325,65 @@ TRACE_EVENT(
@@ -133,11 +129,9 @@ index c73bf4e4988c..918b0d5bf272 100644
  #endif /* _TRACE_KVMMMU_H */
  
  #undef TRACE_INCLUDE_PATH
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 4aab953f1d31..3b022b08b577 100644
 --- a/arch/x86/kvm/paging_tmpl.h
 +++ b/arch/x86/kvm/paging_tmpl.h
-@@ -649,6 +649,8 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
+@@ -649,6 +649,8 @@ static int FNAME(fetch)(struct kvm_vcpu
  
  	base_gfn = gw->gfn;
  

debian/patches/bugfix/x86/itlb_multihit/0017-kvm-x86-powerpc-do-not-allow-clearing-largepages-deb.patch

@@ -19,11 +19,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  virt/kvm/kvm_main.c      | 10 +++++++---
  3 files changed, 12 insertions(+), 6 deletions(-)
 
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 0c085b895e6e..2714c1a0e59f 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
-@@ -92,8 +92,8 @@ u64 __read_mostly efer_reserved_bits = ~((u64)(EFER_SCE | EFER_LME | EFER_LMA));
+@@ -92,8 +92,8 @@ u64 __read_mostly efer_reserved_bits = ~
  static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
  #endif
  
@@ -34,7 +32,7 @@ index 0c085b895e6e..2714c1a0e59f 100644
  
  #define KVM_X2APIC_API_VALID_FLAGS (KVM_X2APIC_API_USE_32BIT_IDS | \
                                      KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK)
-@@ -205,7 +205,7 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
+@@ -205,7 +205,7 @@ struct kvm_stats_debugfs_item debugfs_en
  	{ "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
  	{ "mmu_unsync", VM_STAT(mmu_unsync) },
  	{ "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
@@ -43,8 +41,6 @@ index 0c085b895e6e..2714c1a0e59f 100644
  	{ "max_mmu_page_hash_collisions",
  		VM_STAT(max_mmu_page_hash_collisions) },
  	{ NULL }
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index 5246a480d15a..553a3115a735 100644
 --- a/include/linux/kvm_host.h
 +++ b/include/linux/kvm_host.h
 @@ -1034,6 +1034,7 @@ enum kvm_stat_kind {
@@ -63,11 +59,9 @@ index 5246a480d15a..553a3115a735 100644
  };
  extern struct kvm_stats_debugfs_item debugfs_entries[];
  extern struct dentry *kvm_debugfs_dir;
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 6a8fe26198b9..5482949b452c 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -616,8 +616,9 @@ static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
+@@ -616,8 +616,9 @@ static int kvm_create_vm_debugfs(struct
  
  		stat_data->kvm = kvm;
  		stat_data->offset = p->offset;
@@ -78,7 +72,7 @@ index 6a8fe26198b9..5482949b452c 100644
  				    stat_data, stat_fops_per_vm[p->kind]);
  	}
  	return 0;
-@@ -3714,7 +3715,9 @@ static int kvm_debugfs_open(struct inode *inode, struct file *file,
+@@ -3714,7 +3715,9 @@ static int kvm_debugfs_open(struct inode
  	if (!refcount_inc_not_zero(&stat_data->kvm->users_count))
  		return -ENOENT;
  

debian/patches/bugfix/x86/itlb_multihit/0018-KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch

@@ -2,7 +2,8 @@ From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Sun, 27 Oct 2019 16:23:23 +0100
 Subject: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
  active
-Origin: https://git.kernel.org/linus/9167ab79936206118cc60e47dcb926c3489f3bd5
+
+commit 9167ab79936206118cc60e47dcb926c3489f3bd5 upstream.
 
 VMX already does so if the host has SMEP, in order to support the combination of
 CR0.WP=1 and CR4.SMEP=1.  However, it is perfectly safe to always do so, and in
@@ -14,14 +15,13 @@ SVM does not have similar code, but it should since recent AMD processors do
 support SMEP.  So this patch also makes the code for the two vendors more similar
 while fixing NPT=0, CR0.WP=1 and CR4.SMEP=1 on AMD processors.
 
-Cc: stable@vger.kernel.org
 Cc: Joerg Roedel <jroedel@suse.de>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-[Salvatore Bonaccorso: Backport to 4.19: Adjust context, filename change back
-to arch/x86/kvm/vmx.c]
+[bwh: Backported to 4.19: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
- arch/x86/kvm/svm.c     | 10 ++++++++--
- arch/x86/kvm/vmx.c     | 14 +++-----------
+ arch/x86/kvm/svm.c | 10 ++++++++--
+ arch/x86/kvm/vmx.c | 14 +++-----------
  2 files changed, 11 insertions(+), 13 deletions(-)
 
 --- a/arch/x86/kvm/svm.c

debian/patches/bugfix/x86/itlb_multihit/0019-x86-bugs-Add-ITLB_MULTIHIT-bug-infrastructure.patch

@@ -1,36 +1,35 @@
-From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Date: Thu, 24 Oct 2019 18:34:26 +0200
-Subject: x86: Add ITLB_MULTIHIT bug infrastructure
+From: Vineela Tummalapalli <vineela.tummalapalli@intel.com>
+Date: Mon, 4 Nov 2019 12:22:01 +0100
+Subject: x86/bugs: Add ITLB_MULTIHIT bug infrastructure
 
-Some processors may incur a machine check error possibly
-resulting in an unrecoverable cpu hang when an instruction fetch
-encounters a TLB multi-hit in the instruction TLB. This can occur
-when the page size is changed along with either the physical
-address or cache type [1].
+commit db4d30fbb71b47e4ecb11c4efa5d8aad4b03dfae upstream.
+
+Some processors may incur a machine check error possibly resulting in an
+unrecoverable CPU lockup when an instruction fetch encounters a TLB
+multi-hit in the instruction TLB. This can occur when the page size is
+changed along with either the physical address or cache type. The relevant
+erratum can be found here:
+
+   https://bugzilla.kernel.org/show_bug.cgi?id=205195
+
+There are other processors affected for which the erratum does not fully
+disclose the impact.
 
 This issue affects both bare-metal x86 page tables and EPT.
 
-This can be mitigated by either eliminating the use of large
-pages or by using careful TLB invalidations when changing the
-page size in the page tables.
+It can be mitigated by either eliminating the use of large pages or by
+using careful TLB invalidations when changing the page size in the page
+tables.
 
-Just like Spectre, Meltdown, L1TF and MDS, a new bit has been
-allocated in MSR_IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) and will
-be set on CPUs which are mitigated against this issue.
-
-[1] For example please refer to erratum SKL002 in "6th Generation
-Intel Processor Family Specification Update"
-https://www.intel.com/content/www/us/en/products/docs/processors/core/desktop-6th-gen-core-family-spec-update.html
-https://www.google.com/search?q=site:intel.com+SKL002
-
-There are a lot of other affected processors outside of Skylake and
-that the erratum(referred above) does not fully disclose the issue
-and the impact, both on Skylake and across all the affected CPUs.
+Just like Spectre, Meltdown, L1TF and MDS, a new bit has been allocated in
+MSR_IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) and will be set on CPUs which
+are mitigated against this issue.
 
 Signed-off-by: Vineela Tummalapalli <vineela.tummalapalli@intel.com>
 Co-developed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 [bwh: Backported to 4.19:
  - No support for X86_VENDOR_HYGON, ATOM_AIRMONT_NP
  - Adjust context]
@@ -38,38 +37,32 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  .../ABI/testing/sysfs-devices-system-cpu      |  1 +
  arch/x86/include/asm/cpufeatures.h            |  1 +
- arch/x86/include/asm/msr-index.h              |  7 ++
+ arch/x86/include/asm/msr-index.h              |  7 +++
  arch/x86/kernel/cpu/bugs.c                    | 13 ++++
- arch/x86/kernel/cpu/common.c                  | 67 ++++++++++---------
+ arch/x86/kernel/cpu/common.c                  | 61 ++++++++++---------
  drivers/base/cpu.c                            |  8 +++
  include/linux/cpu.h                           |  2 +
- 7 files changed, 68 insertions(+), 31 deletions(-)
+ 7 files changed, 65 insertions(+), 28 deletions(-)
 
-diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
-index 8718d4ad227b..a0edcdc7c0b8 100644
 --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
 +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
-@@ -478,6 +478,7 @@ What:		/sys/devices/system/cpu/vulnerabilities
- 		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
+@@ -479,6 +479,7 @@ What:		/sys/devices/system/cpu/vulnerabi
  		/sys/devices/system/cpu/vulnerabilities/l1tf
  		/sys/devices/system/cpu/vulnerabilities/mds
+ 		/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
 +		/sys/devices/system/cpu/vulnerabilities/itlb_multihit
  Date:		January 2018
  Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
  Description:	Information about CPU vulnerabilities
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 759f0a176612..ccad4f183400 100644
 --- a/arch/x86/include/asm/cpufeatures.h
 +++ b/arch/x86/include/asm/cpufeatures.h
-@@ -389,5 +389,6 @@
- #define X86_BUG_MDS			X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */
+@@ -390,5 +390,6 @@
  #define X86_BUG_MSBDS_ONLY		X86_BUG(20) /* CPU is only affected by the  MSDBS variant of BUG_MDS */
  #define X86_BUG_SWAPGS			X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
-+#define X86_BUG_ITLB_MULTIHIT		X86_BUG(22) /* CPU may incur MCE during certain page attribute changes */
+ #define X86_BUG_TAA			X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
++#define X86_BUG_ITLB_MULTIHIT		X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
  
  #endif /* _ASM_X86_CPUFEATURES_H */
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index a1d22e4428f6..f58e6921cbf7 100644
 --- a/arch/x86/include/asm/msr-index.h
 +++ b/arch/x86/include/asm/msr-index.h
 @@ -84,6 +84,13 @@
@@ -83,14 +76,12 @@ index a1d22e4428f6..f58e6921cbf7 100644
 +						  * physical address or cache type
 +						  * without TLB invalidation.
 +						  */
- 
- #define MSR_IA32_FLUSH_CMD		0x0000010b
- #define L1D_FLUSH			BIT(0)	/*
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index ee7d17611ead..60e47e492c2f 100644
+ #define ARCH_CAP_TSX_CTRL_MSR		BIT(7)	/* MSR for TSX control is available. */
+ #define ARCH_CAP_TAA_NO			BIT(8)	/*
+ 						 * Not susceptible to
 --- a/arch/x86/kernel/cpu/bugs.c
 +++ b/arch/x86/kernel/cpu/bugs.c
-@@ -1281,6 +1281,11 @@ static ssize_t l1tf_show_state(char *buf)
+@@ -1391,6 +1391,11 @@ static ssize_t l1tf_show_state(char *buf
  }
  #endif
  
@@ -102,9 +93,9 @@ index ee7d17611ead..60e47e492c2f 100644
  static ssize_t mds_show_state(char *buf)
  {
  	if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
-@@ -1366,6 +1371,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
- 	case X86_BUG_MDS:
- 		return mds_show_state(buf);
+@@ -1494,6 +1499,9 @@ static ssize_t cpu_show_common(struct de
+ 	case X86_BUG_TAA:
+ 		return tsx_async_abort_show_state(buf);
  
 +	case X86_BUG_ITLB_MULTIHIT:
 +		return itlb_multihit_show_state(buf);
@@ -112,9 +103,9 @@ index ee7d17611ead..60e47e492c2f 100644
  	default:
  		break;
  	}
-@@ -1402,4 +1410,9 @@ ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *bu
+@@ -1535,4 +1543,9 @@ ssize_t cpu_show_tsx_async_abort(struct
  {
- 	return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
+ 	return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
  }
 +
 +ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
@@ -122,11 +113,9 @@ index ee7d17611ead..60e47e492c2f 100644
 +	return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
 +}
  #endif
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index b33fdfa0ff49..128808dccd2f 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
-@@ -946,13 +946,14 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
+@@ -946,13 +946,14 @@ static void identify_cpu_without_cpuid(s
  #endif
  }
  
@@ -148,7 +137,7 @@ index b33fdfa0ff49..128808dccd2f 100644
  
  #define VULNWL(_vendor, _family, _model, _whitelist)	\
  	{ X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
-@@ -970,26 +971,26 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
+@@ -970,26 +971,26 @@ static const __initconst struct x86_cpu_
  	VULNWL(NSC,	5, X86_MODEL_ANY,	NO_SPECULATION),
  
  	/* Intel Family 6 */
@@ -191,7 +180,7 @@ index b33fdfa0ff49..128808dccd2f 100644
  
  	/*
  	 * Technically, swapgs isn't serializing on AMD (despite it previously
-@@ -1000,13 +1001,13 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
+@@ -1000,13 +1001,13 @@ static const __initconst struct x86_cpu_
  	 */
  
  	/* AMD Family 0xf - 0x12 */
@@ -210,13 +199,10 @@ index b33fdfa0ff49..128808dccd2f 100644
  	{}
  };
  
-@@ -1021,15 +1022,19 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+@@ -1031,6 +1032,10 @@ static void __init cpu_set_bug_bits(stru
  {
- 	u64 ia32_cap = 0;
+ 	u64 ia32_cap = x86_read_arch_cap_msr();
  
-+	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
-+		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
-+
 +	/* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not mitigated */
 +	if (!cpu_matches(NO_ITLB_MULTIHIT) && !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO))
 +		setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT);
@@ -224,20 +210,9 @@ index b33fdfa0ff49..128808dccd2f 100644
  	if (cpu_matches(NO_SPECULATION))
  		return;
  
- 	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
- 	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
- 
--	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
--		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
--
- 	if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) &&
- 	   !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
- 		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
-diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
-index 2fd6ca1021c2..c21e2aec5cbb 100644
 --- a/drivers/base/cpu.c
 +++ b/drivers/base/cpu.c
-@@ -552,12 +552,19 @@ ssize_t __weak cpu_show_mds(struct device *dev,
+@@ -559,6 +559,12 @@ ssize_t __weak cpu_show_tsx_async_abort(
  	return sprintf(buf, "Not affected\n");
  }
  
@@ -250,29 +225,28 @@ index 2fd6ca1021c2..c21e2aec5cbb 100644
  static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
  static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
  static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
- static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
+@@ -566,6 +572,7 @@ static DEVICE_ATTR(spec_store_bypass, 04
  static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
  static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
+ static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
 +static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
  
  static struct attribute *cpu_root_vulnerabilities_attrs[] = {
  	&dev_attr_meltdown.attr,
-@@ -566,6 +573,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
- 	&dev_attr_spec_store_bypass.attr,
+@@ -575,6 +582,7 @@ static struct attribute *cpu_root_vulner
  	&dev_attr_l1tf.attr,
  	&dev_attr_mds.attr,
+ 	&dev_attr_tsx_async_abort.attr,
 +	&dev_attr_itlb_multihit.attr,
  	NULL
  };
  
-diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index 006f69f9277b..7bb824b0f30e 100644
 --- a/include/linux/cpu.h
 +++ b/include/linux/cpu.h
-@@ -59,6 +59,8 @@ extern ssize_t cpu_show_l1tf(struct device *dev,
- 			     struct device_attribute *attr, char *buf);
- extern ssize_t cpu_show_mds(struct device *dev,
- 			    struct device_attribute *attr, char *buf);
+@@ -62,6 +62,8 @@ extern ssize_t cpu_show_mds(struct devic
+ extern ssize_t cpu_show_tsx_async_abort(struct device *dev,
+ 					struct device_attribute *attr,
+ 					char *buf);
 +extern ssize_t cpu_show_itlb_multihit(struct device *dev,
 +				      struct device_attribute *attr, char *buf);
  

debian/patches/bugfix/x86/itlb_multihit/0020-cpu-speculation-Uninline-and-export-CPU-mitigations-.patch

@@ -0,0 +1,98 @@
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 4 Nov 2019 12:22:02 +0100
+Subject: cpu/speculation: Uninline and export CPU mitigations helpers
+
+commit 731dc9df975a5da21237a18c3384f811a7a41cc6 upstream.
+
+A kernel module may need to check the value of the "mitigations=" kernel
+command line parameter as part of its setup when the module needs
+to perform software mitigations for a CPU flaw.
+
+Uninline and export the helper functions surrounding the cpu_mitigations
+enum to allow for their usage from a module.
+
+Lastly, privatize the enum and cpu_mitigations variable since the value of
+cpu_mitigations can be checked with the exported helper functions.
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/cpu.h | 25 ++-----------------------
+ kernel/cpu.c        | 27 ++++++++++++++++++++++++++-
+ 2 files changed, 28 insertions(+), 24 deletions(-)
+
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -198,28 +198,7 @@ static inline int cpuhp_smt_enable(void)
+ static inline int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval) { return 0; }
+ #endif
+ 
+-/*
+- * These are used for a global "mitigations=" cmdline option for toggling
+- * optional CPU mitigations.
+- */
+-enum cpu_mitigations {
+-	CPU_MITIGATIONS_OFF,
+-	CPU_MITIGATIONS_AUTO,
+-	CPU_MITIGATIONS_AUTO_NOSMT,
+-};
+-
+-extern enum cpu_mitigations cpu_mitigations;
+-
+-/* mitigations=off */
+-static inline bool cpu_mitigations_off(void)
+-{
+-	return cpu_mitigations == CPU_MITIGATIONS_OFF;
+-}
+-
+-/* mitigations=auto,nosmt */
+-static inline bool cpu_mitigations_auto_nosmt(void)
+-{
+-	return cpu_mitigations == CPU_MITIGATIONS_AUTO_NOSMT;
+-}
++extern bool cpu_mitigations_off(void);
++extern bool cpu_mitigations_auto_nosmt(void);
+ 
+ #endif /* _LINUX_CPU_H_ */
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2282,7 +2282,18 @@ void __init boot_cpu_hotplug_init(void)
+ 	this_cpu_write(cpuhp_state.state, CPUHP_ONLINE);
+ }
+ 
+-enum cpu_mitigations cpu_mitigations __ro_after_init = CPU_MITIGATIONS_AUTO;
++/*
++ * These are used for a global "mitigations=" cmdline option for toggling
++ * optional CPU mitigations.
++ */
++enum cpu_mitigations {
++	CPU_MITIGATIONS_OFF,
++	CPU_MITIGATIONS_AUTO,
++	CPU_MITIGATIONS_AUTO_NOSMT,
++};
++
++static enum cpu_mitigations cpu_mitigations __ro_after_init =
++	CPU_MITIGATIONS_AUTO;
+ 
+ static int __init mitigations_parse_cmdline(char *arg)
+ {
+@@ -2299,3 +2310,17 @@ static int __init mitigations_parse_cmdl
+ 	return 0;
+ }
+ early_param("mitigations", mitigations_parse_cmdline);
++
++/* mitigations=off */
++bool cpu_mitigations_off(void)
++{
++	return cpu_mitigations == CPU_MITIGATIONS_OFF;
++}
++EXPORT_SYMBOL_GPL(cpu_mitigations_off);
++
++/* mitigations=auto,nosmt */
++bool cpu_mitigations_auto_nosmt(void)
++{
++	return cpu_mitigations == CPU_MITIGATIONS_AUTO_NOSMT;
++}
++EXPORT_SYMBOL_GPL(cpu_mitigations_auto_nosmt);

debian/patches/bugfix/x86/itlb_multihit/0021-kvm-mmu-ITLB_MULTIHIT-mitigation.patch

@@ -1,62 +1,79 @@
 From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 24 Oct 2019 18:34:28 +0200
+Date: Mon, 4 Nov 2019 12:22:02 +0100
 Subject: kvm: mmu: ITLB_MULTIHIT mitigation
 
+commit b8e8c8303ff28c61046a4d0f6ea99aea609a7dc0 upstream.
+
 With some Intel processors, putting the same virtual address in the TLB
 as both a 4 KiB and 2 MiB page can confuse the instruction fetch unit
-and cause the processor to issue a machine check.  Unfortunately if EPT
-page tables use huge pages, it possible for a malicious guest to cause
-this situation.
+and cause the processor to issue a machine check resulting in a CPU lockup.
 
-This patch adds a knob to mark huge pages as non-executable. When the
-nx_huge_pages parameter is enabled (and we are using EPT), all huge pages
-are marked as NX. If the guest attempts to execute in one of those pages,
-the page is broken down into 4K pages, which are then marked executable.
+Unfortunately when EPT page tables use huge pages, it is possible for a
+malicious guest to cause this situation.
+
+Add a knob to mark huge pages as non-executable. When the nx_huge_pages
+parameter is enabled (and we are using EPT), all huge pages are marked as
+NX. If the guest attempts to execute in one of those pages, the page is
+broken down into 4K pages, which are then marked executable.
 
 This is not an issue for shadow paging (except nested EPT), because then
 the host is in control of TLB flushes and the problematic situation cannot
-happen.  With nested EPT, again the nested guest can cause problems so we
-treat shadow and direct EPT the same.
+happen.  With nested EPT, again the nested guest can cause problems shadow
+and direct EPT is treated in the same way.
 
-Signed-off-by: Junaid Shahid <junaids@google.com>
+[ tglx: Fixup default to auto and massage wording a bit ]
+
+Originally-by: Junaid Shahid <junaids@google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 [bwh: Backported to 4.19:
  - Use kvm_mmu_invalidate_zap_all_pages() instead of kvm_mmu_zap_all_fast()
  - Adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
- .../admin-guide/kernel-parameters.txt         |  11 ++
+ .../admin-guide/kernel-parameters.txt         |  19 +++
  arch/x86/include/asm/kvm_host.h               |   2 +
  arch/x86/kernel/cpu/bugs.c                    |  13 +-
- arch/x86/kvm/mmu.c                            | 135 +++++++++++++++++-
+ arch/x86/kvm/mmu.c                            | 141 +++++++++++++++++-
  arch/x86/kvm/paging_tmpl.h                    |  29 +++-
  arch/x86/kvm/x86.c                            |   9 ++
- 6 files changed, 186 insertions(+), 13 deletions(-)
+ 6 files changed, 200 insertions(+), 13 deletions(-)
 
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 16607b178b47..b2c1a5c63ab3 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -1956,6 +1956,17 @@
+@@ -1956,6 +1956,19 @@
  			KVM MMU at runtime.
  			Default is 0 (off)
  
 +	kvm.nx_huge_pages=
-+			[KVM] Controls the sw workaround for bug
-+			X86_BUG_ITLB_MULTIHIT.
++			[KVM] Controls the software workaround for the
++			X86_BUG_ITLB_MULTIHIT bug.
 +			force	: Always deploy workaround.
-+			off	: Default. Never deploy workaround.
-+			auto	: Deploy workaround based on presence of
++			off	: Never deploy workaround.
++			auto    : Deploy workaround based on the presence of
 +				  X86_BUG_ITLB_MULTIHIT.
 +
-+			If the sw workaround is enabled for the host, guests
-+			need not enable it for nested guests.
++			Default is 'auto'.
++
++			If the software workaround is enabled for the host,
++			guests do need not to enable it for nested guests.
 +
  	kvm-amd.nested=	[KVM,AMD] Allow nested virtualization in KVM/SVM.
  			Default is 1 (enabled)
  
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 90dccb5c79d9..59b44445ed59 100644
+@@ -2522,6 +2535,12 @@
+ 					       l1tf=off [X86]
+ 					       mds=off [X86]
+ 					       tsx_async_abort=off [X86]
++					       kvm.nx_huge_pages=off [X86]
++
++				Exceptions:
++					       This does not have any effect on
++					       kvm.nx_huge_pages when
++					       kvm.nx_huge_pages=force.
+ 
+ 			auto (default)
+ 				Mitigate all CPU vulnerabilities, but leave SMT
 --- a/arch/x86/include/asm/kvm_host.h
 +++ b/arch/x86/include/asm/kvm_host.h
 @@ -282,6 +282,7 @@ struct kvm_mmu_page {
@@ -67,7 +84,7 @@ index 90dccb5c79d9..59b44445ed59 100644
  
  	/*
  	 * The following two entries are used to key the shadow page in the
-@@ -890,6 +891,7 @@ struct kvm_vm_stat {
+@@ -887,6 +888,7 @@ struct kvm_vm_stat {
  	ulong mmu_unsync;
  	ulong remote_tlb_flush;
  	ulong lpages;
@@ -75,11 +92,9 @@ index 90dccb5c79d9..59b44445ed59 100644
  	ulong max_mmu_page_hash_collisions;
  };
  
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 60e47e492c2f..1e764992fa64 100644
 --- a/arch/x86/kernel/cpu/bugs.c
 +++ b/arch/x86/kernel/cpu/bugs.c
-@@ -1119,6 +1119,9 @@ void x86_spec_ctrl_setup_ap(void)
+@@ -1229,6 +1229,9 @@ void x86_spec_ctrl_setup_ap(void)
  		x86_amd_ssb_disable();
  }
  
@@ -89,7 +104,7 @@ index 60e47e492c2f..1e764992fa64 100644
  #undef pr_fmt
  #define pr_fmt(fmt)	"L1TF: " fmt
  
-@@ -1274,17 +1277,25 @@ static ssize_t l1tf_show_state(char *buf)
+@@ -1384,17 +1387,25 @@ static ssize_t l1tf_show_state(char *buf
  		       l1tf_vmx_states[l1tf_vmx_mitigation],
  		       sched_smt_active() ? "vulnerable" : "disabled");
  }
@@ -116,8 +131,6 @@ index 60e47e492c2f..1e764992fa64 100644
  
  static ssize_t mds_show_state(char *buf)
  {
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 7f9be921df7c..19c3dc9b05cb 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
 @@ -49,6 +49,20 @@
@@ -141,7 +154,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  /*
   * When setting this variable to true it enables Two-Dimensional-Paging
   * where the hardware walks 2 page tables:
-@@ -284,6 +298,11 @@ static inline bool spte_ad_enabled(u64 spte)
+@@ -284,6 +298,11 @@ static inline bool spte_ad_enabled(u64 s
  	return !(spte & shadow_acc_track_value);
  }
  
@@ -153,7 +166,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  static inline u64 spte_shadow_accessed_mask(u64 spte)
  {
  	MMU_WARN_ON((spte & shadow_mmio_mask) == shadow_mmio_value);
-@@ -1096,6 +1115,15 @@ static void account_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
+@@ -1096,6 +1115,15 @@ static void account_shadowed(struct kvm
  	kvm_mmu_gfn_disallow_lpage(slot, gfn);
  }
  
@@ -169,7 +182,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  static void unaccount_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
  {
  	struct kvm_memslots *slots;
-@@ -1113,6 +1141,12 @@ static void unaccount_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
+@@ -1113,6 +1141,12 @@ static void unaccount_shadowed(struct kv
  	kvm_mmu_gfn_allow_lpage(slot, gfn);
  }
  
@@ -182,7 +195,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  static bool __mmu_gfn_lpage_is_disallowed(gfn_t gfn, int level,
  					  struct kvm_memory_slot *slot)
  {
-@@ -2665,6 +2699,9 @@ static int kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
+@@ -2665,6 +2699,9 @@ static int kvm_mmu_prepare_zap_page(stru
  			kvm_reload_remote_mmus(kvm);
  	}
  
@@ -192,7 +205,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  	sp->role.invalid = 1;
  	return ret;
  }
-@@ -2873,6 +2910,11 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
+@@ -2873,6 +2910,11 @@ static int set_spte(struct kvm_vcpu *vcp
  	if (!speculative)
  		spte |= spte_shadow_accessed_mask(spte);
  
@@ -204,7 +217,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  	if (pte_access & ACC_EXEC_MASK)
  		spte |= shadow_x_mask;
  	else
-@@ -3091,9 +3133,32 @@ static void direct_pte_prefetch(struct kvm_vcpu *vcpu, u64 *sptep)
+@@ -3091,9 +3133,32 @@ static void direct_pte_prefetch(struct k
  	__direct_pte_prefetch(vcpu, sp, sptep);
  }
  
@@ -238,7 +251,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  {
  	struct kvm_shadow_walk_iterator it;
  	struct kvm_mmu_page *sp;
-@@ -3106,6 +3171,12 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t gpa, int write,
+@@ -3106,6 +3171,12 @@ static int __direct_map(struct kvm_vcpu
  
  	trace_kvm_mmu_spte_requested(gpa, level, pfn);
  	for_each_shadow_entry(vcpu, gpa, it) {
@@ -251,7 +264,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  		base_gfn = gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
  		if (it.level == level)
  			break;
-@@ -3116,6 +3187,8 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t gpa, int write,
+@@ -3116,6 +3187,8 @@ static int __direct_map(struct kvm_vcpu
  					      it.level - 1, true, ACC_ALL);
  
  			link_shadow_page(vcpu, it.sptep, sp);
@@ -260,7 +273,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  		}
  	}
  
-@@ -3416,11 +3489,14 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+@@ -3416,11 +3489,14 @@ static int nonpaging_map(struct kvm_vcpu
  {
  	int r;
  	int level;
@@ -276,7 +289,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  	level = mapping_level(vcpu, gfn, &force_pt_level);
  	if (likely(!force_pt_level)) {
  		/*
-@@ -3454,7 +3530,8 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+@@ -3454,7 +3530,8 @@ static int nonpaging_map(struct kvm_vcpu
  		goto out_unlock;
  	if (likely(!force_pt_level))
  		transparent_hugepage_adjust(vcpu, gfn, &pfn, &level);
@@ -286,7 +299,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  out_unlock:
  	spin_unlock(&vcpu->kvm->mmu_lock);
  	kvm_release_pfn_clean(pfn);
-@@ -4048,6 +4125,8 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
+@@ -4048,6 +4125,8 @@ static int tdp_page_fault(struct kvm_vcp
  	unsigned long mmu_seq;
  	int write = error_code & PFERR_WRITE_MASK;
  	bool map_writable;
@@ -295,7 +308,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  
  	MMU_WARN_ON(!VALID_PAGE(vcpu->arch.mmu.root_hpa));
  
-@@ -4058,8 +4137,9 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
+@@ -4058,8 +4137,9 @@ static int tdp_page_fault(struct kvm_vcp
  	if (r)
  		return r;
  
@@ -307,7 +320,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  	level = mapping_level(vcpu, gfn, &force_pt_level);
  	if (likely(!force_pt_level)) {
  		if (level > PT_DIRECTORY_LEVEL &&
-@@ -4088,7 +4168,8 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
+@@ -4088,7 +4168,8 @@ static int tdp_page_fault(struct kvm_vcp
  		goto out_unlock;
  	if (likely(!force_pt_level))
  		transparent_hugepage_adjust(vcpu, gfn, &pfn, &level);
@@ -317,10 +330,16 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  out_unlock:
  	spin_unlock(&vcpu->kvm->mmu_lock);
  	kvm_release_pfn_clean(pfn);
-@@ -5886,10 +5967,52 @@ static void mmu_destroy_caches(void)
+@@ -5886,10 +5967,58 @@ static void mmu_destroy_caches(void)
  	kmem_cache_destroy(mmu_page_header_cache);
  }
  
++static bool get_nx_auto_mode(void)
++{
++	/* Return true when CPU has the bug, and mitigations are ON */
++	return boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT) && !cpu_mitigations_off();
++}
++
 +static void __set_nx_huge_pages(bool val)
 +{
 +	nx_huge_pages = itlb_multihit_kvm_mitigation = val;
@@ -337,7 +356,7 @@ index 7f9be921df7c..19c3dc9b05cb 100644
 +	else if (sysfs_streq(val, "force"))
 +		new_val = 1;
 +	else if (sysfs_streq(val, "auto"))
-+		new_val = boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT);
++		new_val = get_nx_auto_mode();
 +	else if (strtobool(val, &new_val) < 0)
 +		return -EINVAL;
 +
@@ -365,16 +384,14 @@ index 7f9be921df7c..19c3dc9b05cb 100644
  	int ret = -ENOMEM;
  
 +	if (nx_huge_pages == -1)
-+		__set_nx_huge_pages(boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT));
++		__set_nx_huge_pages(get_nx_auto_mode());
 +
  	kvm_mmu_reset_all_pte_masks();
  
  	pte_list_desc_cache = kmem_cache_create("pte_list_desc",
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 3b022b08b577..adf42dc8d38b 100644
 --- a/arch/x86/kvm/paging_tmpl.h
 +++ b/arch/x86/kvm/paging_tmpl.h
-@@ -596,13 +596,14 @@ static void FNAME(pte_prefetch)(struct kvm_vcpu *vcpu, struct guest_walker *gw,
+@@ -596,13 +596,14 @@ static void FNAME(pte_prefetch)(struct k
  static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
  			 struct guest_walker *gw,
  			 int write_fault, int hlevel,
@@ -391,7 +408,7 @@ index 3b022b08b577..adf42dc8d38b 100644
  
  	direct_access = gw->pte_access;
  
-@@ -647,13 +648,25 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
+@@ -647,13 +648,25 @@ static int FNAME(fetch)(struct kvm_vcpu
  			link_shadow_page(vcpu, it.sptep, sp);
  	}
  
@@ -419,7 +436,7 @@ index 3b022b08b577..adf42dc8d38b 100644
  		if (it.level == hlevel)
  			break;
  
-@@ -665,6 +678,8 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
+@@ -665,6 +678,8 @@ static int FNAME(fetch)(struct kvm_vcpu
  			sp = kvm_mmu_get_page(vcpu, base_gfn, addr,
  					      it.level - 1, true, direct_access);
  			link_shadow_page(vcpu, it.sptep, sp);
@@ -428,7 +445,7 @@ index 3b022b08b577..adf42dc8d38b 100644
  		}
  	}
  
-@@ -741,9 +756,11 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
+@@ -741,9 +756,11 @@ static int FNAME(page_fault)(struct kvm_
  	int r;
  	kvm_pfn_t pfn;
  	int level = PT_PAGE_TABLE_LEVEL;
@@ -441,7 +458,7 @@ index 3b022b08b577..adf42dc8d38b 100644
  
  	pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
  
-@@ -833,7 +850,7 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
+@@ -833,7 +850,7 @@ static int FNAME(page_fault)(struct kvm_
  	if (!force_pt_level)
  		transparent_hugepage_adjust(vcpu, walker.gfn, &pfn, &level);
  	r = FNAME(fetch)(vcpu, addr, &walker, write_fault,
@@ -450,11 +467,9 @@ index 3b022b08b577..adf42dc8d38b 100644
  	kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);
  
  out_unlock:
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 2714c1a0e59f..ec80bb27504f 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
-@@ -206,6 +206,7 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
+@@ -206,6 +206,7 @@ struct kvm_stats_debugfs_item debugfs_en
  	{ "mmu_unsync", VM_STAT(mmu_unsync) },
  	{ "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
  	{ "largepages", VM_STAT(lpages, .mode = 0444) },
@@ -462,11 +477,10 @@ index 2714c1a0e59f..ec80bb27504f 100644
  	{ "max_mmu_page_hash_collisions",
  		VM_STAT(max_mmu_page_hash_collisions) },
  	{ NULL }
-@@ -1130,6 +1131,14 @@ u64 kvm_get_arch_capabilities(void)
- 
+@@ -1116,6 +1117,14 @@ u64 kvm_get_arch_capabilities(void)
  	rdmsrl_safe(MSR_IA32_ARCH_CAPABILITIES, &data);
  
-+	/*
+ 	/*
 +	 * If nx_huge_pages is enabled, KVM's shadow paging will ensure that
 +	 * the nested hypervisor runs with NX huge pages.  If it is not,
 +	 * L1 is anyway vulnerable to ITLB_MULTIHIT explots from other
@@ -474,6 +488,7 @@ index 2714c1a0e59f..ec80bb27504f 100644
 +	 */
 +	data |= ARCH_CAP_PSCHANGE_MC_NO;
 +
- 	/*
++	/*
  	 * If we're doing cache flushes (either "always" or "cond")
  	 * we will do one whenever the guest does a vmlaunch/vmresume.
+ 	 * If an outer hypervisor is doing the cache flush for us

debian/patches/bugfix/x86/itlb_multihit/0022-kvm-Add-helper-function-for-creating-VM-worker-threa.patch

@@ -1,15 +1,16 @@
 From: Junaid Shahid <junaids@google.com>
-Date: Thu, 24 Oct 2019 18:34:29 +0200
-Subject: kvm: Add helper function for creating VM worker
+Date: Mon, 4 Nov 2019 12:22:02 +0100
+Subject: kvm: Add helper function for creating VM worker threads
 
- threads
+commit c57c80467f90e5504c8df9ad3555d2c78800bf94 upstream.
 
-This adds a function to create a kernel thread associated with a given
-VM. In particular, it ensures that the worker thread inherits the
-priority and cgroups of the calling thread.
+Add a function to create a kernel thread associated with a given VM. In
+particular, it ensures that the worker thread inherits the priority and
+cgroups of the calling thread.
 
 Signed-off-by: Junaid Shahid <junaids@google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 [bwh: Backported to 4.19: adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
@@ -17,11 +18,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  virt/kvm/kvm_main.c      | 84 ++++++++++++++++++++++++++++++++++++++++
  2 files changed, 90 insertions(+)
 
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index 553a3115a735..96207939d862 100644
 --- a/include/linux/kvm_host.h
 +++ b/include/linux/kvm_host.h
-@@ -1305,4 +1305,10 @@ static inline int kvm_arch_vcpu_run_pid_change(struct kvm_vcpu *vcpu)
+@@ -1305,4 +1305,10 @@ static inline int kvm_arch_vcpu_run_pid_
  }
  #endif /* CONFIG_HAVE_KVM_VCPU_RUN_PID_CHANGE */
  
@@ -32,8 +31,6 @@ index 553a3115a735..96207939d862 100644
 +				struct task_struct **thread_ptr);
 +
  #endif
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 5482949b452c..77da54d334b2 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -51,6 +51,7 @@

debian/patches/bugfix/x86/itlb_multihit/0023-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch

@@ -1,35 +1,38 @@
 From: Junaid Shahid <junaids@google.com>
-Date: Thu, 24 Oct 2019 18:34:30 +0200
+Date: Mon, 4 Nov 2019 12:22:03 +0100
 Subject: kvm: x86: mmu: Recovery of shattered NX large pages
 
-The page table pages corresponding to broken down large pages are
-zapped in FIFO order, so that the large page can potentially
-be recovered, if it is no longer being used for execution.  This removes
-the performance penalty for walking deeper EPT page tables.
+commit 1aa9b9572b10529c2e64e2b8f44025d86e124308 upstream.
+
+The page table pages corresponding to broken down large pages are zapped in
+FIFO order, so that the large page can potentially be recovered, if it is
+not longer being used for execution.  This removes the performance penalty
+for walking deeper EPT page tables.
 
 By default, one large page will last about one hour once the guest
 reaches a steady state.
 
 Signed-off-by: Junaid Shahid <junaids@google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-[bwh: Backported to 4.19: adjust context]
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+[bwh: Backported to 4.19:
+ - Update another error path in kvm_create_vm() to use out_err_no_mmu_notifier
+ - Adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  .../admin-guide/kernel-parameters.txt         |   6 +
- arch/x86/include/asm/kvm_host.h               |   5 +
+ arch/x86/include/asm/kvm_host.h               |   4 +
  arch/x86/kvm/mmu.c                            | 129 ++++++++++++++++++
  arch/x86/kvm/mmu.h                            |   4 +
  arch/x86/kvm/x86.c                            |  11 ++
  virt/kvm/kvm_main.c                           |  30 +++-
- 6 files changed, 184 insertions(+), 1 deletion(-)
+ 6 files changed, 183 insertions(+), 1 deletion(-)
 
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index b2c1a5c63ab3..efdc471ed0b9 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -1967,6 +1967,12 @@
- 			If the sw workaround is enabled for the host, guests
- 			need not enable it for nested guests.
+@@ -1969,6 +1969,12 @@
+ 			If the software workaround is enabled for the host,
+ 			guests do need not to enable it for nested guests.
  
 +	kvm.nx_huge_pages_recovery_ratio=
 +			[KVM] Controls how many 4KiB pages are periodically zapped
@@ -40,8 +43,6 @@ index b2c1a5c63ab3..efdc471ed0b9 100644
  	kvm-amd.nested=	[KVM,AMD] Allow nested virtualization in KVM/SVM.
  			Default is 1 (enabled)
  
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 59b44445ed59..efe3ba61fc23 100644
 --- a/arch/x86/include/asm/kvm_host.h
 +++ b/arch/x86/include/asm/kvm_host.h
 @@ -281,6 +281,8 @@ struct kvm_rmap_head {
@@ -53,7 +54,7 @@ index 59b44445ed59..efe3ba61fc23 100644
  	bool unsync;
  	bool lpage_disallowed; /* Can't be replaced by an equiv large page */
  
-@@ -808,6 +810,7 @@ struct kvm_arch {
+@@ -805,6 +807,7 @@ struct kvm_arch {
  	 */
  	struct list_head active_mmu_pages;
  	struct list_head zapped_obsolete_pages;
@@ -61,17 +62,14 @@ index 59b44445ed59..efe3ba61fc23 100644
  	struct kvm_page_track_notifier_node mmu_sp_tracker;
  	struct kvm_page_track_notifier_head track_notifier_head;
  
-@@ -878,6 +881,8 @@ struct kvm_arch {
+@@ -875,6 +878,7 @@ struct kvm_arch {
  	bool x2apic_broadcast_quirk_disabled;
  
  	bool guest_can_read_msr_platform_info;
-+
 +	struct task_struct *nx_lpage_recovery_thread;
  };
  
  struct kvm_vm_stat {
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 19c3dc9b05cb..bafb9001ce94 100644
 --- a/arch/x86/kvm/mmu.c
 +++ b/arch/x86/kvm/mmu.c
 @@ -40,6 +40,7 @@
@@ -109,7 +107,7 @@ index 19c3dc9b05cb..bafb9001ce94 100644
  
  /*
   * When setting this variable to true it enables Two-Dimensional-Paging
-@@ -1121,6 +1132,8 @@ static void account_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
+@@ -1121,6 +1132,8 @@ static void account_huge_nx_page(struct
  		return;
  
  	++kvm->stat.nx_lpage_splits;
@@ -118,7 +116,7 @@ index 19c3dc9b05cb..bafb9001ce94 100644
  	sp->lpage_disallowed = true;
  }
  
-@@ -1145,6 +1158,7 @@ static void unaccount_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
+@@ -1145,6 +1158,7 @@ static void unaccount_huge_nx_page(struc
  {
  	--kvm->stat.nx_lpage_splits;
  	sp->lpage_disallowed = false;
@@ -126,7 +124,7 @@ index 19c3dc9b05cb..bafb9001ce94 100644
  }
  
  static bool __mmu_gfn_lpage_is_disallowed(gfn_t gfn, int level,
-@@ -5999,6 +6013,8 @@ static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
+@@ -6005,6 +6019,8 @@ static int set_nx_huge_pages(const char
  			idx = srcu_read_lock(&kvm->srcu);
  			kvm_mmu_invalidate_zap_all_pages(kvm);
  			srcu_read_unlock(&kvm->srcu, idx);
@@ -135,7 +133,7 @@ index 19c3dc9b05cb..bafb9001ce94 100644
  		}
  		mutex_unlock(&kvm_lock);
  	}
-@@ -6079,3 +6095,116 @@ void kvm_mmu_module_exit(void)
+@@ -6086,3 +6102,116 @@ void kvm_mmu_module_exit(void)
  	unregister_shrinker(&mmu_shrinker);
  	mmu_audit_disable();
  }
@@ -252,11 +250,9 @@ index 19c3dc9b05cb..bafb9001ce94 100644
 +	if (kvm->arch.nx_lpage_recovery_thread)
 +		kthread_stop(kvm->arch.nx_lpage_recovery_thread);
 +}
-diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
-index 65892288bf51..f7b2de7b6382 100644
 --- a/arch/x86/kvm/mmu.h
 +++ b/arch/x86/kvm/mmu.h
-@@ -216,4 +216,8 @@ void kvm_mmu_gfn_allow_lpage(struct kvm_memory_slot *slot, gfn_t gfn);
+@@ -216,4 +216,8 @@ void kvm_mmu_gfn_allow_lpage(struct kvm_
  bool kvm_mmu_slot_gfn_write_protect(struct kvm *kvm,
  				    struct kvm_memory_slot *slot, u64 gfn);
  int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu);
@@ -265,11 +261,9 @@ index 65892288bf51..f7b2de7b6382 100644
 +void kvm_mmu_pre_destroy_vm(struct kvm *kvm);
 +
  #endif
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index ec80bb27504f..da688e726632 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
-@@ -8958,6 +8958,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+@@ -8952,6 +8952,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
  	INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list);
  	INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
  	INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages);
@@ -277,7 +271,7 @@ index ec80bb27504f..da688e726632 100644
  	INIT_LIST_HEAD(&kvm->arch.assigned_dev_head);
  	atomic_set(&kvm->arch.noncoherent_dma_count, 0);
  
-@@ -8989,6 +8990,11 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+@@ -8983,6 +8984,11 @@ int kvm_arch_init_vm(struct kvm *kvm, un
  	return 0;
  }
  
@@ -289,7 +283,7 @@ index ec80bb27504f..da688e726632 100644
  static void kvm_unload_vcpu_mmu(struct kvm_vcpu *vcpu)
  {
  	vcpu_load(vcpu);
-@@ -9090,6 +9096,11 @@ int x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size)
+@@ -9084,6 +9090,11 @@ int x86_set_memory_region(struct kvm *kv
  }
  EXPORT_SYMBOL_GPL(x86_set_memory_region);
  
@@ -301,11 +295,9 @@ index ec80bb27504f..da688e726632 100644
  void kvm_arch_destroy_vm(struct kvm *kvm)
  {
  	if (current->mm == kvm->mm) {
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 77da54d334b2..7a0d86d52230 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -625,6 +625,23 @@ static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
+@@ -625,6 +625,23 @@ static int kvm_create_vm_debugfs(struct
  	return 0;
  }
  
@@ -329,7 +321,7 @@ index 77da54d334b2..7a0d86d52230 100644
  static struct kvm *kvm_create_vm(unsigned long type)
  {
  	int r, i;
-@@ -679,10 +696,14 @@ static struct kvm *kvm_create_vm(unsigned long type)
+@@ -679,11 +696,15 @@ static struct kvm *kvm_create_vm(unsigne
  		rcu_assign_pointer(kvm->buses[i],
  			kzalloc(sizeof(struct kvm_io_bus), GFP_KERNEL));
  		if (!kvm->buses[i])
@@ -338,14 +330,15 @@ index 77da54d334b2..7a0d86d52230 100644
  	}
  
  	r = kvm_init_mmu_notifier(kvm);
-+	if (r)
+ 	if (r)
 +		goto out_err_no_mmu_notifier;
 +
 +	r = kvm_arch_post_init_vm(kvm);
- 	if (r)
++	if (r)
  		goto out_err;
  
-@@ -695,6 +716,11 @@ static struct kvm *kvm_create_vm(unsigned long type)
+ 	mutex_lock(&kvm_lock);
+@@ -695,6 +716,11 @@ static struct kvm *kvm_create_vm(unsigne
  	return kvm;
  
  out_err:
@@ -357,7 +350,7 @@ index 77da54d334b2..7a0d86d52230 100644
  	cleanup_srcu_struct(&kvm->irq_srcu);
  out_err_no_irq_srcu:
  	cleanup_srcu_struct(&kvm->srcu);
-@@ -737,6 +763,8 @@ static void kvm_destroy_vm(struct kvm *kvm)
+@@ -737,6 +763,8 @@ static void kvm_destroy_vm(struct kvm *k
  	mutex_lock(&kvm_lock);
  	list_del(&kvm->vm_list);
  	mutex_unlock(&kvm_lock);

debian/patches/bugfix/x86/itlb_multihit/0024-Documentation-Add-ITLB_MULTIHIT-documentation.patch

@@ -0,0 +1,194 @@
+From: "Gomez Iglesias, Antonio" <antonio.gomez.iglesias@intel.com>
+Date: Mon, 4 Nov 2019 12:22:03 +0100
+Subject: Documentation: Add ITLB_MULTIHIT documentation
+
+commit 7f00cc8d4a51074eb0ad4c3f16c15757b1ddfb7d upstream.
+
+Add the initial ITLB_MULTIHIT documentation.
+
+[ tglx: Add it to the index so it gets actually built. ]
+
+Signed-off-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
+Signed-off-by: Nelson D'Souza <nelson.dsouza@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ Documentation/admin-guide/hw-vuln/index.rst   |   1 +
+ .../admin-guide/hw-vuln/multihit.rst          | 163 ++++++++++++++++++
+ 2 files changed, 164 insertions(+)
+ create mode 100644 Documentation/admin-guide/hw-vuln/multihit.rst
+
+--- a/Documentation/admin-guide/hw-vuln/index.rst
++++ b/Documentation/admin-guide/hw-vuln/index.rst
+@@ -13,3 +13,4 @@ are configurable at compile, boot or run
+    l1tf
+    mds
+    tsx_async_abort
++   multihit.rst
+--- /dev/null
++++ b/Documentation/admin-guide/hw-vuln/multihit.rst
+@@ -0,0 +1,163 @@
++iTLB multihit
++=============
++
++iTLB multihit is an erratum where some processors may incur a machine check
++error, possibly resulting in an unrecoverable CPU lockup, when an
++instruction fetch hits multiple entries in the instruction TLB. This can
++occur when the page size is changed along with either the physical address
++or cache type. A malicious guest running on a virtualized system can
++exploit this erratum to perform a denial of service attack.
++
++
++Affected processors
++-------------------
++
++Variations of this erratum are present on most Intel Core and Xeon processor
++models. The erratum is not present on:
++
++   - non-Intel processors
++
++   - Some Atoms (Airmont, Bonnell, Goldmont, GoldmontPlus, Saltwell, Silvermont)
++
++   - Intel processors that have the PSCHANGE_MC_NO bit set in the
++     IA32_ARCH_CAPABILITIES MSR.
++
++
++Related CVEs
++------------
++
++The following CVE entry is related to this issue:
++
++   ==============  =================================================
++   CVE-2018-12207  Machine Check Error Avoidance on Page Size Change
++   ==============  =================================================
++
++
++Problem
++-------
++
++Privileged software, including OS and virtual machine managers (VMM), are in
++charge of memory management. A key component in memory management is the control
++of the page tables. Modern processors use virtual memory, a technique that creates
++the illusion of a very large memory for processors. This virtual space is split
++into pages of a given size. Page tables translate virtual addresses to physical
++addresses.
++
++To reduce latency when performing a virtual to physical address translation,
++processors include a structure, called TLB, that caches recent translations.
++There are separate TLBs for instruction (iTLB) and data (dTLB).
++
++Under this errata, instructions are fetched from a linear address translated
++using a 4 KB translation cached in the iTLB. Privileged software modifies the
++paging structure so that the same linear address using large page size (2 MB, 4
++MB, 1 GB) with a different physical address or memory type.  After the page
++structure modification but before the software invalidates any iTLB entries for
++the linear address, a code fetch that happens on the same linear address may
++cause a machine-check error which can result in a system hang or shutdown.
++
++
++Attack scenarios
++----------------
++
++Attacks against the iTLB multihit erratum can be mounted from malicious
++guests in a virtualized system.
++
++
++iTLB multihit system information
++--------------------------------
++
++The Linux kernel provides a sysfs interface to enumerate the current iTLB
++multihit status of the system:whether the system is vulnerable and which
++mitigations are active. The relevant sysfs file is:
++
++/sys/devices/system/cpu/vulnerabilities/itlb_multihit
++
++The possible values in this file are:
++
++.. list-table::
++
++     * - Not affected
++       - The processor is not vulnerable.
++     * - KVM: Mitigation: Split huge pages
++       - Software changes mitigate this issue.
++     * - KVM: Vulnerable
++       - The processor is vulnerable, but no mitigation enabled
++
++
++Enumeration of the erratum
++--------------------------------
++
++A new bit has been allocated in the IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) msr
++and will be set on CPU's which are mitigated against this issue.
++
++   =======================================   ===========   ===============================
++   IA32_ARCH_CAPABILITIES MSR                Not present   Possibly vulnerable,check model
++   IA32_ARCH_CAPABILITIES[PSCHANGE_MC_NO]    '0'           Likely vulnerable,check model
++   IA32_ARCH_CAPABILITIES[PSCHANGE_MC_NO]    '1'           Not vulnerable
++   =======================================   ===========   ===============================
++
++
++Mitigation mechanism
++-------------------------
++
++This erratum can be mitigated by restricting the use of large page sizes to
++non-executable pages.  This forces all iTLB entries to be 4K, and removes
++the possibility of multiple hits.
++
++In order to mitigate the vulnerability, KVM initially marks all huge pages
++as non-executable. If the guest attempts to execute in one of those pages,
++the page is broken down into 4K pages, which are then marked executable.
++
++If EPT is disabled or not available on the host, KVM is in control of TLB
++flushes and the problematic situation cannot happen.  However, the shadow
++EPT paging mechanism used by nested virtualization is vulnerable, because
++the nested guest can trigger multiple iTLB hits by modifying its own
++(non-nested) page tables.  For simplicity, KVM will make large pages
++non-executable in all shadow paging modes.
++
++Mitigation control on the kernel command line and KVM - module parameter
++------------------------------------------------------------------------
++
++The KVM hypervisor mitigation mechanism for marking huge pages as
++non-executable can be controlled with a module parameter "nx_huge_pages=".
++The kernel command line allows to control the iTLB multihit mitigations at
++boot time with the option "kvm.nx_huge_pages=".
++
++The valid arguments for these options are:
++
++  ==========  ================================================================
++  force       Mitigation is enabled. In this case, the mitigation implements
++              non-executable huge pages in Linux kernel KVM module. All huge
++              pages in the EPT are marked as non-executable.
++              If a guest attempts to execute in one of those pages, the page is
++              broken down into 4K pages, which are then marked executable.
++
++  off	      Mitigation is disabled.
++
++  auto        Enable mitigation only if the platform is affected and the kernel
++              was not booted with the "mitigations=off" command line parameter.
++	      This is the default option.
++  ==========  ================================================================
++
++
++Mitigation selection guide
++--------------------------
++
++1. No virtualization in use
++^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++   The system is protected by the kernel unconditionally and no further
++   action is required.
++
++2. Virtualization with trusted guests
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++   If the guest comes from a trusted source, you may assume that the guest will
++   not attempt to maliciously exploit these errata and no further action is
++   required.
++
++3. Virtualization with untrusted guests
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++   If the guest comes from an untrusted source, the guest host kernel will need
++   to apply iTLB multihit mitigation via the kernel command line or kvm
++   module parameter.

debian/patches/bugfix/x86/taa/0001-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch

@@ -2,12 +2,19 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 10:45:50 +0200
 Subject: x86/msr: Add the IA32_TSX_CTRL MSR
 
+commit c2955f270a84762343000f103e0640d29c7a96f3 upstream.
+
 Transactional Synchronization Extensions (TSX) may be used on certain
 processors as part of a speculative side channel attack.  A microcode
 update for existing processors that are vulnerable to this attack will
 add a new MSR - IA32_TSX_CTRL to allow the system administrator the
 option to disable TSX as one of the possible mitigations.
 
+The CPUs which get this new MSR after a microcode upgrade are the ones
+which do not set MSR_IA32_ARCH_CAPABILITIES.MDS_NO (bit 5) because those
+CPUs have CPUID.MD_CLEAR, i.e., the VERW implementation which clears all
+CPU buffers takes care of the TAA case as well.
+
   [ Note that future processors that are not vulnerable will also
     support the IA32_TSX_CTRL MSR. ]
 
@@ -34,36 +41,33 @@ There are two control bits in IA32_TSX_CTRL MSR:
 	  CPUID(EAX=7).EBX{bit11} read as 0).
 
 The other TSX sub-feature, Hardware Lock Elision (HLE), is
-unconditionally disabled but still enumerated as present by
-CPUID(EAX=7).EBX{bit4}.
+unconditionally disabled by the new microcode but still enumerated
+as present by CPUID(EAX=7).EBX{bit4}, unless disabled by
+IA32_TSX_CTRL_MSR[1] - TSX_CTRL_CPUID_CLEAR.
 
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
 Reviewed-by: Mark Gross <mgross@linux.intel.com>
 Reviewed-by: Tony Luck <tony.luck@intel.com>
-Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: x86-ml <x86@kernel.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  arch/x86/include/asm/msr-index.h | 5 +++++
  1 file changed, 5 insertions(+)
 
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index f58e6921cbf7..da7887a9f314 100644
 --- a/arch/x86/include/asm/msr-index.h
 +++ b/arch/x86/include/asm/msr-index.h
-@@ -91,6 +91,7 @@
- 						  * physical address or cache type
- 						  * without TLB invalidation.
+@@ -84,6 +84,7 @@
+ 						  * Microarchitectural Data
+ 						  * Sampling (MDS) vulnerabilities.
  						  */
 +#define ARCH_CAP_TSX_CTRL_MSR		BIT(7)	/* MSR for TSX control is available. */
  
  #define MSR_IA32_FLUSH_CMD		0x0000010b
  #define L1D_FLUSH			BIT(0)	/*
-@@ -101,6 +102,10 @@
+@@ -94,6 +95,10 @@
  #define MSR_IA32_BBL_CR_CTL		0x00000119
  #define MSR_IA32_BBL_CR_CTL3		0x0000011e
  

debian/patches/bugfix/x86/taa/0002-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch

@@ -2,31 +2,26 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 10:52:35 +0200
 Subject: x86/cpu: Add a helper function x86_read_arch_cap_msr()
 
+commit 286836a70433fb64131d2590f4bf512097c255e1 upstream.
+
 Add a helper function to read the IA32_ARCH_CAPABILITIES MSR.
 
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
 Reviewed-by: Mark Gross <mgross@linux.intel.com>
 Reviewed-by: Tony Luck <tony.luck@intel.com>
-Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: x86-ml <x86@kernel.org>
-[bwh: Forward-ported on top of NX: Fix conflict (neighbouring changes)
- in arch/x86/kernel/cpu/common.c]
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
- arch/x86/kernel/cpu/common.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
+ arch/x86/kernel/cpu/common.c | 15 +++++++++++----
+ arch/x86/kernel/cpu/cpu.h    |  2 ++
+ 2 files changed, 13 insertions(+), 4 deletions(-)
 
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 128808dccd2f..cee109bd7f00 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
-@@ -1018,13 +1018,20 @@ static bool __init cpu_matches(unsigned long which)
+@@ -1017,19 +1017,26 @@ static bool __init cpu_matches(unsigned
  	return m && !!(m->driver_data & which);
  }
  
@@ -35,10 +30,9 @@ index 128808dccd2f..cee109bd7f00 100644
  {
  	u64 ia32_cap = 0;
  
--	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
 +	if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
- 		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
- 
++		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
++
 +	return ia32_cap;
 +}
 +
@@ -46,6 +40,24 @@ index 128808dccd2f..cee109bd7f00 100644
 +{
 +	u64 ia32_cap = x86_read_arch_cap_msr();
 +
- 	/* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not mitigated */
- 	if (!cpu_matches(NO_ITLB_MULTIHIT) && !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO))
- 		setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT);
+ 	if (cpu_matches(NO_SPECULATION))
+ 		return;
+ 
+ 	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+ 	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+ 
+-	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
+-		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
+-
+ 	if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) &&
+ 	   !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
+ 		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
+--- a/arch/x86/kernel/cpu/cpu.h
++++ b/arch/x86/kernel/cpu/cpu.h
+@@ -65,4 +65,6 @@ unsigned int aperfmperf_get_khz(int cpu)
+ 
+ extern void x86_spec_ctrl_setup_ap(void);
+ 
++extern u64 x86_read_arch_cap_msr(void);
++
+ #endif /* ARCH_X86_CPU_H */

debian/patches/bugfix/x86/taa/0003-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch

@@ -2,6 +2,8 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 11:01:53 +0200
 Subject: x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
 
+commit 95c5824f75f3ba4c9e8e5a4b1a623c95390ac266 upstream.
+
 Add a kernel cmdline parameter "tsx" to control the Transactional
 Synchronization Extensions (TSX) feature. On CPUs that support TSX
 control, use "tsx=on|off" to enable or disable TSX. Not specifying this
@@ -12,46 +14,29 @@ Carve out the TSX controlling functionality into a separate compilation
 unit because TSX is a CPU feature while the TSX async abort control
 machinery will go to cpu/bugs.c.
 
- [ bp: Massage, shorten and clear the arg buffer. ]
+ [ bp: - Massage, shorten and clear the arg buffer.
+       - Clarifications of the tsx= possible options - Josh.
+       - Expand on TSX_CTRL availability - Pawan. ]
 
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Babu Moger <Babu.Moger@amd.com>
-Cc: Fenghua Yu <fenghua.yu@intel.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Jonathan Corbet <corbet@lwn.net>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: linux-doc@vger.kernel.org
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
-Cc: Rahul Tanwar <rahul.tanwar@linux.intel.com>
-Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
-Cc: Sean Christopherson <sean.j.christopherson@intel.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: x86-ml <x86@kernel.org>
-Cc: Zhao Yakui <yakui.zhao@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
 [bwh: Backported to 4.19: adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
- .../admin-guide/kernel-parameters.txt         |  11 ++
+ .../admin-guide/kernel-parameters.txt         |  26 ++++
  arch/x86/kernel/cpu/Makefile                  |   2 +-
  arch/x86/kernel/cpu/common.c                  |   2 +
- arch/x86/kernel/cpu/cpu.h                     |  18 +++
+ arch/x86/kernel/cpu/cpu.h                     |  16 +++
  arch/x86/kernel/cpu/intel.c                   |   5 +
- arch/x86/kernel/cpu/tsx.c                     | 119 ++++++++++++++++++
- 6 files changed, 156 insertions(+), 1 deletion(-)
+ arch/x86/kernel/cpu/tsx.c                     | 125 ++++++++++++++++++
+ 6 files changed, 175 insertions(+), 1 deletion(-)
  create mode 100644 arch/x86/kernel/cpu/tsx.c
 
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index efdc471ed0b9..f03756d2addb 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -4707,6 +4707,17 @@
+@@ -4685,6 +4685,32 @@
  			marks the TSC unconditionally unstable at bootup and
  			avoids any further wobbles once the TSC watchdog notices.
  
@@ -61,16 +46,29 @@ index efdc471ed0b9..f03756d2addb 100644
 +
 +			This parameter controls the TSX feature. The options are:
 +
-+			on	- Enable TSX on the system.
-+			off	- Disable TSX on the system.
++			on	- Enable TSX on the system. Although there are
++				mitigations for all known security vulnerabilities,
++				TSX has been known to be an accelerator for
++				several previous speculation-related CVEs, and
++				so there may be unknown	security risks associated
++				with leaving it enabled.
++
++			off	- Disable TSX on the system. (Note that this
++				option takes effect only on newer CPUs which are
++				not vulnerable to MDS, i.e., have
++				MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and which get
++				the new IA32_TSX_CTRL MSR through a microcode
++				update. This new MSR allows for the reliable
++				deactivation of the TSX functionality.)
 +
 +			Not specifying this option is equivalent to tsx=off.
++
++			See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
++			for more details.
 +
  	turbografx.map[2|3]=	[HW,JOY]
  			TurboGraFX parallel port interface
  			Format:
-diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
-index 347137e80bf5..320769b4807b 100644
 --- a/arch/x86/kernel/cpu/Makefile
 +++ b/arch/x86/kernel/cpu/Makefile
 @@ -28,7 +28,7 @@ obj-y			+= cpuid-deps.o
@@ -82,11 +80,9 @@ index 347137e80bf5..320769b4807b 100644
  obj-$(CONFIG_CPU_SUP_AMD)		+= amd.o
  obj-$(CONFIG_CPU_SUP_CYRIX_32)		+= cyrix.o
  obj-$(CONFIG_CPU_SUP_CENTAUR)		+= centaur.o
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index cee109bd7f00..5f89d78fe132 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
-@@ -1487,6 +1487,8 @@ void __init identify_boot_cpu(void)
+@@ -1482,6 +1482,8 @@ void __init identify_boot_cpu(void)
  	enable_sep_cpu();
  #endif
  	cpu_detect_tlb(&boot_cpu_data);
@@ -95,8 +91,6 @@ index cee109bd7f00..5f89d78fe132 100644
  }
  
  void identify_secondary_cpu(struct cpuinfo_x86 *c)
-diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
-index 7b229afa0a37..236582c90d3f 100644
 --- a/arch/x86/kernel/cpu/cpu.h
 +++ b/arch/x86/kernel/cpu/cpu.h
 @@ -45,6 +45,22 @@ struct _tlb_table {
@@ -122,18 +116,9 @@ index 7b229afa0a37..236582c90d3f 100644
  extern void get_cpu_cap(struct cpuinfo_x86 *c);
  extern void get_cpu_address_sizes(struct cpuinfo_x86 *c);
  extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
-@@ -65,4 +81,6 @@ unsigned int aperfmperf_get_khz(int cpu);
- 
- extern void x86_spec_ctrl_setup_ap(void);
- 
-+extern u64 x86_read_arch_cap_msr(void);
-+
- #endif /* ARCH_X86_CPU_H */
-diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
-index fc3c07fe7df5..a5287b18a63f 100644
 --- a/arch/x86/kernel/cpu/intel.c
 +++ b/arch/x86/kernel/cpu/intel.c
-@@ -766,6 +766,11 @@ static void init_intel(struct cpuinfo_x86 *c)
+@@ -766,6 +766,11 @@ static void init_intel(struct cpuinfo_x8
  	init_intel_energy_perf(c);
  
  	init_intel_misc_features(c);
@@ -145,12 +130,9 @@ index fc3c07fe7df5..a5287b18a63f 100644
  }
  
  #ifdef CONFIG_X86_32
-diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
-new file mode 100644
-index 000000000000..e5933ef50add
 --- /dev/null
 +++ b/arch/x86/kernel/cpu/tsx.c
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,125 @@
 +// SPDX-License-Identifier: GPL-2.0
 +/*
 + * Intel Transactional Synchronization Extensions (TSX) control.
@@ -213,9 +195,15 @@ index 000000000000..e5933ef50add
 +	u64 ia32_cap = x86_read_arch_cap_msr();
 +
 +	/*
-+	 * TSX is controlled via MSR_IA32_TSX_CTRL.  However,
-+	 * support for this MSR is enumerated by ARCH_CAP_TSX_MSR bit
-+	 * in MSR_IA32_ARCH_CAPABILITIES.
++	 * TSX is controlled via MSR_IA32_TSX_CTRL.  However, support for this
++	 * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES.
++	 *
++	 * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a
++	 * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES
++	 * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get
++	 * MSR_IA32_TSX_CTRL support even after a microcode update. Thus,
++	 * tsx= cmdline requests will do nothing on CPUs without
++	 * MSR_IA32_TSX_CTRL support.
 +	 */
 +	return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
 +}

debian/patches/bugfix/x86/taa/0004-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch

@@ -2,6 +2,8 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 11:30:45 +0200
 Subject: x86/speculation/taa: Add mitigation for TSX Async Abort
 
+commit 1b42f017415b46c317e71d41c34ec088417a1883 upstream.
+
 TSX Async Abort (TAA) is a side channel vulnerability to the internal
 buffers in some Intel processors similar to Microachitectural Data
 Sampling (MDS). In this case, certain loads may speculatively pass
@@ -52,22 +54,8 @@ deployed. The effective mitigation state can be read from sysfs.
 
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Fenghua Yu <fenghua.yu@intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
-Cc: Sean Christopherson <sean.j.christopherson@intel.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Thomas Lendacky <Thomas.Lendacky@amd.com>
-Cc: x86-ml <x86@kernel.org>
-[bwh: Forward-ported on top of NX: Renumber bug bit after
- X86_BUG_ITLB_MULTIHIT]
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
 [bwh: Backported to 4.19: Add #include "cpu.h" in bugs.c]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
@@ -75,27 +63,23 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  arch/x86/include/asm/msr-index.h     |   4 +
  arch/x86/include/asm/nospec-branch.h |   4 +-
  arch/x86/include/asm/processor.h     |   7 ++
- arch/x86/kernel/cpu/bugs.c           | 112 +++++++++++++++++++++++++++
+ arch/x86/kernel/cpu/bugs.c           | 110 +++++++++++++++++++++++++++
  arch/x86/kernel/cpu/common.c         |  15 ++++
- 6 files changed, 141 insertions(+), 2 deletions(-)
+ 6 files changed, 139 insertions(+), 2 deletions(-)
 
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index ccad4f183400..5a2eecfed727 100644
 --- a/arch/x86/include/asm/cpufeatures.h
 +++ b/arch/x86/include/asm/cpufeatures.h
-@@ -390,5 +390,6 @@
+@@ -389,5 +389,6 @@
+ #define X86_BUG_MDS			X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */
  #define X86_BUG_MSBDS_ONLY		X86_BUG(20) /* CPU is only affected by the  MSDBS variant of BUG_MDS */
  #define X86_BUG_SWAPGS			X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
- #define X86_BUG_ITLB_MULTIHIT		X86_BUG(22) /* CPU may incur MCE during certain page attribute changes */
-+#define X86_BUG_TAA			X86_BUG(23) /* CPU is affected by TSX Async Abort(TAA) */
++#define X86_BUG_TAA			X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
  
  #endif /* _ASM_X86_CPUFEATURES_H */
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index da7887a9f314..0f4feee6d082 100644
 --- a/arch/x86/include/asm/msr-index.h
 +++ b/arch/x86/include/asm/msr-index.h
-@@ -92,6 +92,10 @@
- 						  * without TLB invalidation.
+@@ -85,6 +85,10 @@
+ 						  * Sampling (MDS) vulnerabilities.
  						  */
  #define ARCH_CAP_TSX_CTRL_MSR		BIT(7)	/* MSR for TSX control is available. */
 +#define ARCH_CAP_TAA_NO			BIT(8)	/*
@@ -105,11 +89,9 @@ index da7887a9f314..0f4feee6d082 100644
  
  #define MSR_IA32_FLUSH_CMD		0x0000010b
  #define L1D_FLUSH			BIT(0)	/*
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index 28cb2b31527a..09c7466c4880 100644
 --- a/arch/x86/include/asm/nospec-branch.h
 +++ b/arch/x86/include/asm/nospec-branch.h
-@@ -323,7 +323,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear);
+@@ -323,7 +323,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear)
  #include <asm/segment.h>
  
  /**
@@ -118,7 +100,7 @@ index 28cb2b31527a..09c7466c4880 100644
   *
   * This uses the otherwise unused and obsolete VERW instruction in
   * combination with microcode which triggers a CPU buffer flush when the
-@@ -346,7 +346,7 @@ static inline void mds_clear_cpu_buffers(void)
+@@ -346,7 +346,7 @@ static inline void mds_clear_cpu_buffers
  }
  
  /**
@@ -127,8 +109,6 @@ index 28cb2b31527a..09c7466c4880 100644
   *
   * Clear CPU buffers if the corresponding static key is enabled
   */
-diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index b54f25697beb..efb44bd3a714 100644
 --- a/arch/x86/include/asm/processor.h
 +++ b/arch/x86/include/asm/processor.h
 @@ -1003,4 +1003,11 @@ enum mds_mitigations {
@@ -143,8 +123,6 @@ index b54f25697beb..efb44bd3a714 100644
 +};
 +
  #endif /* _ASM_X86_PROCESSOR_H */
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 1e764992fa64..828b2fe4bc0a 100644
 --- a/arch/x86/kernel/cpu/bugs.c
 +++ b/arch/x86/kernel/cpu/bugs.c
 @@ -32,11 +32,14 @@
@@ -170,11 +148,10 @@ index 1e764992fa64..828b2fe4bc0a 100644
  
  	arch_smt_update();
  
-@@ -266,6 +270,100 @@ static int __init mds_cmdline(char *str)
- }
+@@ -267,6 +271,100 @@ static int __init mds_cmdline(char *str)
  early_param("mds", mds_cmdline);
  
-+#undef pr_fmt
+ #undef pr_fmt
 +#define pr_fmt(fmt)	"TAA: " fmt
 +
 +/* Default mitigation for TAA-affected CPUs */
@@ -268,9 +245,10 @@ index 1e764992fa64..828b2fe4bc0a 100644
 +}
 +early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
 +
- #undef pr_fmt
++#undef pr_fmt
  #define pr_fmt(fmt)     "Spectre V1 : " fmt
  
+ enum spectre_v1_mitigation {
 @@ -772,6 +870,7 @@ static void update_mds_branch_idle(void)
  }
  
@@ -279,7 +257,7 @@ index 1e764992fa64..828b2fe4bc0a 100644
  
  void arch_smt_update(void)
  {
-@@ -804,6 +903,19 @@ void arch_smt_update(void)
+@@ -804,6 +903,17 @@ void arch_smt_update(void)
  		break;
  	}
  
@@ -288,8 +266,6 @@ index 1e764992fa64..828b2fe4bc0a 100644
 +	case TAA_MITIGATION_UCODE_NEEDED:
 +		if (sched_smt_active())
 +			pr_warn_once(TAA_MSG_SMT);
-+		/* TSX is enabled, apply MDS idle buffer clearing. */
-+		update_mds_branch_idle();
 +		break;
 +	case TAA_MITIGATION_TSX_DISABLED:
 +	case TAA_MITIGATION_OFF:
@@ -299,11 +275,9 @@ index 1e764992fa64..828b2fe4bc0a 100644
  	mutex_unlock(&spec_ctrl_mutex);
  }
  
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 5f89d78fe132..de1e552c9705 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
-@@ -1058,6 +1058,21 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+@@ -1053,6 +1053,21 @@ static void __init cpu_set_bug_bits(stru
  	if (!cpu_matches(NO_SWAPGS))
  		setup_force_cpu_bug(X86_BUG_SWAPGS);
  

debian/patches/bugfix/x86/taa/0005-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch

@@ -2,6 +2,8 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 12:19:51 +0200
 Subject: x86/speculation/taa: Add sysfs reporting for TSX Async Abort
 
+commit 6608b45ac5ecb56f9e171252229c39580cc85f0f upstream.
+
 Add the sysfs reporting file for TSX Async Abort. It exposes the
 vulnerability and the mitigation state similar to the existing files for
 the other hardware vulnerabilities.
@@ -11,20 +13,12 @@ Sysfs file path is:
 
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
 Reviewed-by: Mark Gross <mgross@linux.intel.com>
 Reviewed-by: Tony Luck <tony.luck@intel.com>
-Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Jiri Kosina <jkosina@suse.cz>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: x86-ml <x86@kernel.org>
-[bwh: Forward-ported on top of NX: Fix conflicts (neighbouring
- insertions) in arch/x86/kernel/cpu/bugs.c, drivers/base/cpu.c,
- include/linux/cpu.h]
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  arch/x86/kernel/cpu/bugs.c | 23 +++++++++++++++++++++++
@@ -32,11 +26,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  include/linux/cpu.h        |  3 +++
  3 files changed, 35 insertions(+)
 
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 828b2fe4bc0a..1ed43b858c52 100644
 --- a/arch/x86/kernel/cpu/bugs.c
 +++ b/arch/x86/kernel/cpu/bugs.c
-@@ -1426,6 +1426,21 @@ static ssize_t mds_show_state(char *buf)
+@@ -1408,6 +1408,21 @@ static ssize_t mds_show_state(char *buf)
  		       sched_smt_active() ? "vulnerable" : "disabled");
  }
  
@@ -58,9 +50,9 @@ index 828b2fe4bc0a..1ed43b858c52 100644
  static char *stibp_state(void)
  {
  	if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
-@@ -1497,6 +1512,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
- 	case X86_BUG_ITLB_MULTIHIT:
- 		return itlb_multihit_show_state(buf);
+@@ -1476,6 +1491,9 @@ static ssize_t cpu_show_common(struct de
+ 	case X86_BUG_MDS:
+ 		return mds_show_state(buf);
  
 +	case X86_BUG_TAA:
 +		return tsx_async_abort_show_state(buf);
@@ -68,9 +60,9 @@ index 828b2fe4bc0a..1ed43b858c52 100644
  	default:
  		break;
  	}
-@@ -1538,4 +1556,9 @@ ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr
+@@ -1512,4 +1530,9 @@ ssize_t cpu_show_mds(struct device *dev,
  {
- 	return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
+ 	return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
  }
 +
 +ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
@@ -78,11 +70,9 @@ index 828b2fe4bc0a..1ed43b858c52 100644
 +	return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
 +}
  #endif
-diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
-index c21e2aec5cbb..e9e7fde0fe00 100644
 --- a/drivers/base/cpu.c
 +++ b/drivers/base/cpu.c
-@@ -558,6 +558,13 @@ ssize_t __weak cpu_show_itlb_multihit(struct device *dev,
+@@ -552,12 +552,20 @@ ssize_t __weak cpu_show_mds(struct devic
  	return sprintf(buf, "Not affected\n");
  }
  
@@ -96,30 +86,27 @@ index c21e2aec5cbb..e9e7fde0fe00 100644
  static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
  static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
  static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
-@@ -565,6 +572,7 @@ static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
+ static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
  static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
  static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
- static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
 +static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
  
  static struct attribute *cpu_root_vulnerabilities_attrs[] = {
  	&dev_attr_meltdown.attr,
-@@ -574,6 +582,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+@@ -566,6 +574,7 @@ static struct attribute *cpu_root_vulner
+ 	&dev_attr_spec_store_bypass.attr,
  	&dev_attr_l1tf.attr,
  	&dev_attr_mds.attr,
- 	&dev_attr_itlb_multihit.attr,
 +	&dev_attr_tsx_async_abort.attr,
  	NULL
  };
  
-diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index 7bb824b0f30e..9d8dba19844e 100644
 --- a/include/linux/cpu.h
 +++ b/include/linux/cpu.h
-@@ -61,6 +61,9 @@ extern ssize_t cpu_show_mds(struct device *dev,
+@@ -59,6 +59,9 @@ extern ssize_t cpu_show_l1tf(struct devi
+ 			     struct device_attribute *attr, char *buf);
+ extern ssize_t cpu_show_mds(struct device *dev,
  			    struct device_attribute *attr, char *buf);
- extern ssize_t cpu_show_itlb_multihit(struct device *dev,
- 				      struct device_attribute *attr, char *buf);
 +extern ssize_t cpu_show_tsx_async_abort(struct device *dev,
 +					struct device_attribute *attr,
 +					char *buf);

debian/patches/bugfix/x86/taa/0006-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch

@@ -2,6 +2,8 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 12:23:33 +0200
 Subject: kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
 
+commit e1d38b63acd843cfdd4222bf19a26700fd5c699e upstream.
+
 Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX
 Async Abort(TAA) affected hosts that have TSX enabled and updated
 microcode. This is required so that the guests don't complain,
@@ -20,26 +22,18 @@ CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA.
 
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
-Reviewed-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Joerg Roedel <joro@8bytes.org>
-Cc: kvm ML <kvm@vger.kernel.org>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: "Radim Krcmar" <rkrcmar@redhat.com>
-Cc: Sean Christopherson <sean.j.christopherson@intel.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: x86-ml <x86@kernel.org>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  arch/x86/kvm/x86.c | 19 +++++++++++++++++++
  1 file changed, 19 insertions(+)
 
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index da688e726632..c68ee8d1ef8c 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
-@@ -1151,6 +1151,25 @@ u64 kvm_get_arch_capabilities(void)
+@@ -1127,6 +1127,25 @@ u64 kvm_get_arch_capabilities(void)
  	if (l1tf_vmx_mitigation != VMENTER_L1D_FLUSH_NEVER)
  		data |= ARCH_CAP_SKIP_VMENTRY_L1DFLUSH;
  

debian/patches/bugfix/x86/taa/0007-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch

@@ -2,6 +2,8 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 12:28:57 +0200
 Subject: x86/tsx: Add "auto" option to the tsx= cmdline parameter
 
+commit 7531a3596e3272d1f6841e0d601a614555dc6b65 upstream.
+
 Platforms which are not affected by X86_BUG_TAA may want the TSX feature
 enabled. Add "auto" option to the TSX cmdline parameter. When tsx=auto
 disable TSX when X86_BUG_TAA is present, otherwise enable TSX.
@@ -13,45 +15,30 @@ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
 
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Reviewed-by: Tony Luck <tony.luck@intel.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: "Paul E. McKenney" <paulmck@linux.ibm.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Jonathan Corbet <corbet@lwn.net>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: linux-doc@vger.kernel.org
-Cc: Mark Gross <mgross@linux.intel.com>
-Cc: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: x86-ml <x86@kernel.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
- Documentation/admin-guide/kernel-parameters.txt | 5 +++++
+ Documentation/admin-guide/kernel-parameters.txt | 3 +++
  arch/x86/kernel/cpu/tsx.c                       | 7 ++++++-
- 2 files changed, 11 insertions(+), 1 deletion(-)
+ 2 files changed, 9 insertions(+), 1 deletion(-)
 
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index f03756d2addb..e6a58cbbfab8 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -4715,6 +4715,11 @@
+@@ -4706,6 +4706,9 @@
+ 				update. This new MSR allows for the reliable
+ 				deactivation of the TSX functionality.)
  
- 			on	- Enable TSX on the system.
- 			off	- Disable TSX on the system.
 +			auto	- Disable TSX if X86_BUG_TAA is present,
 +				  otherwise enable TSX on the system.
 +
-+			More details on X86_BUG_TAA here:
-+			Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
- 
  			Not specifying this option is equivalent to tsx=off.
  
-diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
-index e5933ef50add..89ab91eacd4f 100644
+ 			See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
 --- a/arch/x86/kernel/cpu/tsx.c
 +++ b/arch/x86/kernel/cpu/tsx.c
-@@ -69,7 +69,7 @@ static bool __init tsx_ctrl_is_supported(void)
+@@ -75,7 +75,7 @@ static bool __init tsx_ctrl_is_supported
  
  void __init tsx_init(void)
  {
@@ -60,7 +47,7 @@ index e5933ef50add..89ab91eacd4f 100644
  	int ret;
  
  	if (!tsx_ctrl_is_supported())
-@@ -81,6 +81,11 @@ void __init tsx_init(void)
+@@ -87,6 +87,11 @@ void __init tsx_init(void)
  			tsx_ctrl_state = TSX_CTRL_ENABLE;
  		} else if (!strcmp(arg, "off")) {
  			tsx_ctrl_state = TSX_CTRL_DISABLE;

debian/patches/bugfix/x86/taa/0008-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch

@@ -2,49 +2,42 @@ From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Date: Wed, 23 Oct 2019 12:32:55 +0200
 Subject: x86/speculation/taa: Add documentation for TSX Async Abort
 
+commit a7a248c593e4fd7a67c50b5f5318fe42a0db335e upstream.
+
 Add the documenation for TSX Async Abort. Include the description of
 the issue, how to check the mitigation state, control the mitigation,
 guidance for system administrators.
 
- [ bp: Add proper SPDX tags, touch ups. ]
+ [ bp: Add proper SPDX tags, touch ups by Josh and me. ]
 
 Co-developed-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
+
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Reviewed-by: Mark Gross <mgross@linux.intel.com>
 Reviewed-by: Tony Luck <tony.luck@intel.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Fenghua Yu <fenghua.yu@intel.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Jonathan Corbet <corbet@lwn.net>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: linux-doc@vger.kernel.org
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: x86-ml <x86@kernel.org>
-[bwh: Forward-ported on top of NX: Fix conflict (neighbouring
- insertions) in Documentation/ABI/testing/sysfs-devices-system-cpu]
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
 [bwh: Backported to 4.19: adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  .../ABI/testing/sysfs-devices-system-cpu      |   1 +
  Documentation/admin-guide/hw-vuln/index.rst   |   1 +
- .../admin-guide/hw-vuln/tsx_async_abort.rst   | 256 ++++++++++++++++++
- .../admin-guide/kernel-parameters.txt         |  36 +++
+ .../admin-guide/hw-vuln/tsx_async_abort.rst   | 276 ++++++++++++++++++
+ .../admin-guide/kernel-parameters.txt         |  38 +++
  Documentation/x86/index.rst                   |   1 +
  Documentation/x86/tsx_async_abort.rst         | 117 ++++++++
- 6 files changed, 412 insertions(+)
+ 6 files changed, 434 insertions(+)
  create mode 100644 Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
  create mode 100644 Documentation/x86/tsx_async_abort.rst
 
 --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
 +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
-@@ -479,6 +479,7 @@ What:		/sys/devices/system/cpu/vulnerabi
+@@ -478,6 +478,7 @@ What:		/sys/devices/system/cpu/vulnerabi
+ 		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
  		/sys/devices/system/cpu/vulnerabilities/l1tf
  		/sys/devices/system/cpu/vulnerabilities/mds
- 		/sys/devices/system/cpu/vulnerabilities/itlb_multihit
 +		/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
  Date:		January 2018
  Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
@@ -58,7 +51,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +   tsx_async_abort
 --- /dev/null
 +++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
-@@ -0,0 +1,256 @@
+@@ -0,0 +1,276 @@
 +.. SPDX-License-Identifier: GPL-2.0
 +
 +TAA - TSX Asynchronous Abort
@@ -121,7 +114,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +
 +The victim of a malicious actor does not need to make use of TSX. Only the
 +attacker needs to begin a TSX transaction and raise an asynchronous abort
-+to try to leak some of data stored in the buffers.
++which in turn potenitally leaks data stored in the buffers.
 +
 +More detailed technical information is available in the TAA specific x86
 +architecture section: :ref:`Documentation/x86/tsx_async_abort.rst <tsx_async_abort>`.
@@ -133,9 +126,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +Attacks against the TAA vulnerability can be implemented from unprivileged
 +applications running on hosts or guests.
 +
-+As for MDS, the attacker has no control over the memory addresses that can be
-+leaked. Only the victim is responsible for bringing data to the CPU. As a
-+result, the malicious actor has to first sample as much data as possible and
++As for MDS, the attacker has no control over the memory addresses that can
++be leaked. Only the victim is responsible for bringing data to the CPU. As
++a result, the malicious actor has to sample as much data as possible and
 +then postprocess it to try to infer any useful information from it.
 +
 +A potential attacker only has read access to the data. Also, there is no direct
@@ -202,11 +195,12 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +Virtualization mitigation
 +^^^^^^^^^^^^^^^^^^^^^^^^^
 +
-+Affected systems where the host has the TAA microcode and the TAA mitigation is
-+ON (with TSX disabled) are not vulnerable regardless of the status of the VMs.
++Affected systems where the host has TAA microcode and TAA is mitigated by
++having disabled TSX previously, are not vulnerable regardless of the status
++of the VMs.
 +
-+In all other cases, if the host either does not have the TAA microcode or the
-+kernel is not mitigated, the system might be vulnerable.
++In all other cases, if the host either does not have the TAA microcode or
++the kernel is not mitigated, the system might be vulnerable.
 +
 +
 +.. _taa_mitigation_control_command_line:
@@ -244,11 +238,23 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +The valid options are:
 +
 +  ============  =============================================================
-+  off		Disables TSX.
++  off		Disables TSX on the system.
++
++                Note that this option takes effect only on newer CPUs which are
++                not vulnerable to MDS, i.e., have MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1
++                and which get the new IA32_TSX_CTRL MSR through a microcode
++                update. This new MSR allows for the reliable deactivation of
++                the TSX functionality.
 +
 +  on		Enables TSX.
 +
-+  auto		Disables TSX on affected platform, otherwise enables TSX.
++                Although there are mitigations for all known security
++                vulnerabilities, TSX has been known to be an accelerator for
++                several previous speculation-related CVEs, and so there may be
++                unknown security risks associated with leaving it enabled.
++
++  auto		Disables TSX if X86_BUG_TAA is present, otherwise enables TSX
++                on the system.
 +  ============  =============================================================
 +
 +Not specifying this option is equivalent to "tsx=off".
@@ -256,17 +262,24 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +The following combinations of the "tsx_async_abort" and "tsx" are possible. For
 +affected platforms tsx=auto is equivalent to tsx=off and the result will be:
 +
-+  =========  ====================   =========================================
-+  tsx=on     tsx_async_abort=full   The system will use VERW to clear CPU
-+                                    buffers.
-+  tsx=on     tsx_async_abort=off    The system is vulnerable.
-+  tsx=off    tsx_async_abort=full   TSX is disabled. System is not vulnerable.
-+  tsx=off    tsx_async_abort=off    TSX is disabled. System is not vulnerable.
-+  =========  ====================   =========================================
++  =========  ==========================   =========================================
++  tsx=on     tsx_async_abort=full         The system will use VERW to clear CPU
++                                          buffers. Cross-thread attacks are still
++					  possible on SMT machines.
++  tsx=on     tsx_async_abort=full,nosmt   As above, cross-thread attacks on SMT
++                                          mitigated.
++  tsx=on     tsx_async_abort=off          The system is vulnerable.
++  tsx=off    tsx_async_abort=full         TSX might be disabled if microcode
++                                          provides a TSX control MSR. If so,
++					  system is not vulnerable.
++  tsx=off    tsx_async_abort=full,nosmt   Ditto
++  tsx=off    tsx_async_abort=off          ditto
++  =========  ==========================   =========================================
++
 +
 +For unaffected platforms "tsx=on" and "tsx_async_abort=full" does not clear CPU
-+buffers.  For platforms without TSX control "tsx" command line argument has no
-+effect.
++buffers.  For platforms without TSX control (MSR_IA32_ARCH_CAPABILITIES.MDS_NO=0)
++"tsx" command line argument has no effect.
 +
 +For the affected platforms below table indicates the mitigation status for the
 +combinations of CPUID bit MD_CLEAR and IA32_ARCH_CAPABILITIES MSR bits MDS_NO
@@ -275,7 +288,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +  =======  =========  =============  ========================================
 +  MDS_NO   MD_CLEAR   TSX_CTRL_MSR   Status
 +  =======  =========  =============  ========================================
-+    0          0            0        Vulnerable (needs ucode)
++    0          0            0        Vulnerable (needs microcode)
 +    0          1            0        MDS and TAA mitigated via VERW
 +    1          1            0        MDS fixed, TAA vulnerable if TSX enabled
 +                                     because MD_CLEAR has no meaning and
@@ -317,7 +330,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +  - Deploy TSX disable mitigation (tsx_async_abort=full tsx=off).
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2538,6 +2538,7 @@
+@@ -2521,6 +2521,7 @@
  					       spec_store_bypass_disable=off [X86,PPC]
  					       l1tf=off [X86]
  					       mds=off [X86]
@@ -325,7 +338,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  			auto (default)
  				Mitigate all CPU vulnerabilities, but leave SMT
-@@ -2553,6 +2554,7 @@
+@@ -2536,6 +2537,7 @@
  				be fully mitigated, even if it means losing SMT.
  				Equivalent to: l1tf=flush,nosmt [X86]
  					       mds=full,nosmt [X86]
@@ -333,9 +346,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  	mminit_loglevel=
  			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
-@@ -4718,6 +4720,40 @@
- 
- 			Not specifying this option is equivalent to tsx=off.
+@@ -4714,6 +4716,42 @@
+ 			See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+ 			for more details.
  
 +	tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async
 +			Abort (TAA) vulnerability.
@@ -356,6 +369,8 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 +			options are:
 +
 +			full       - Enable TAA mitigation on vulnerable CPUs
++				     if TSX is enabled.
++
 +			full,nosmt - Enable TAA mitigation and disable SMT on
 +				     vulnerable CPUs. If TSX is disabled, SMT
 +				     is not disabled because CPU is not

debian/patches/bugfix/x86/taa/0009-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch

@@ -2,6 +2,8 @@ From: Michal Hocko <mhocko@suse.com>
 Date: Wed, 23 Oct 2019 12:35:50 +0200
 Subject: x86/tsx: Add config options to set tsx=on|off|auto
 
+commit db616173d787395787ecc93eef075fa975227b10 upstream.
+
 There is a general consensus that TSX usage is not largely spread while
 the history shows there is a non trivial space for side channel attacks
 possible. Therefore the tsx is disabled by default even on platforms
@@ -17,22 +19,20 @@ Introduce config options X86_INTEL_TSX_MODE_OFF, X86_INTEL_TSX_MODE_ON
 and X86_INTEL_TSX_MODE_AUTO to control the TSX feature. The config
 setting can be overridden by the tsx cmdline options.
 
+ [ bp: Text cleanups from Josh. ]
+
 Suggested-by: Borislav Petkov <bpetkov@suse.de>
 Signed-off-by: Michal Hocko <mhocko@suse.com>
 Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Tony Luck <tony.luck@intel.com>
-Cc: x86-ml <x86@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  arch/x86/Kconfig          | 45 +++++++++++++++++++++++++++++++++++++++
  arch/x86/kernel/cpu/tsx.c | 22 +++++++++++++------
  2 files changed, 61 insertions(+), 6 deletions(-)
 
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index e76d16ac2776..a47343bb439c 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
 @@ -1903,6 +1903,51 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS
@@ -53,13 +53,13 @@ index e76d16ac2776..a47343bb439c 100644
 +	  will be more of those attacks discovered in the future.
 +
 +	  Therefore TSX is not enabled by default (aka tsx=off). An admin
-+	  might override this decision by tsx=on command line parameter. This
-+	  has a risk that TSX will get enabled also on platforms which are
-+	  known to be vulnerable to attacks like TAA and a safer option is to
-+	  use tsx=auto command line parameter.
++	  might override this decision by tsx=on the command line parameter.
++	  Even with TSX enabled, the kernel will attempt to enable the best
++	  possible TAA mitigation setting depending on the microcode available
++	  for the particular machine.
 +
-+	  This options allows to set the default tsx mode between tsx=on, off
-+	  and auto. See Documentation/admin-guide/kernel-parameters.txt for more
++	  This option allows to set the default tsx mode between tsx=on, =off
++	  and =auto. See Documentation/admin-guide/kernel-parameters.txt for more
 +	  details.
 +
 +	  Say off if not sure, auto if TSX is in use but it should be used on safe
@@ -69,29 +69,27 @@ index e76d16ac2776..a47343bb439c 100644
 +config X86_INTEL_TSX_MODE_OFF
 +	bool "off"
 +	help
-+	  TSX is always disabled - equals tsx=off command line parameter.
++	  TSX is disabled if possible - equals to tsx=off command line parameter.
 +
 +config X86_INTEL_TSX_MODE_ON
 +	bool "on"
 +	help
-+	  TSX is always enabled on TSX capable HW - equals tsx=on command line
-+	  parameter.
++	  TSX is always enabled on TSX capable HW - equals the tsx=on command
++	  line parameter.
 +
 +config X86_INTEL_TSX_MODE_AUTO
 +	bool "auto"
 +	help
 +	  TSX is enabled on TSX capable HW that is believed to be safe against
-+	  side channel attacks- equals tsx=auto command line parameter.
++	  side channel attacks- equals the tsx=auto command line parameter.
 +endchoice
 +
  config EFI
  	bool "EFI runtime service support"
  	depends on ACPI
-diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
-index 89ab91eacd4f..ab400f8bbfe1 100644
 --- a/arch/x86/kernel/cpu/tsx.c
 +++ b/arch/x86/kernel/cpu/tsx.c
-@@ -67,6 +67,14 @@ static bool __init tsx_ctrl_is_supported(void)
+@@ -73,6 +73,14 @@ static bool __init tsx_ctrl_is_supported
  	return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
  }
  
@@ -106,7 +104,7 @@ index 89ab91eacd4f..ab400f8bbfe1 100644
  void __init tsx_init(void)
  {
  	char arg[5] = {};
-@@ -82,17 +90,19 @@ void __init tsx_init(void)
+@@ -88,17 +96,19 @@ void __init tsx_init(void)
  		} else if (!strcmp(arg, "off")) {
  			tsx_ctrl_state = TSX_CTRL_DISABLE;
  		} else if (!strcmp(arg, "auto")) {

debian/patches/series

@@ -258,28 +258,30 @@ bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.pa
 bugfix/all/vhost-make-sure-log_num-in_num.patch
 bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
 bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
-bugfix/x86/itlb_multihit/0001-KVM-x86-adjust-kvm_mmu_page-member-to-save-8-bytes.patch
-bugfix/x86/itlb_multihit/0002-kvm-Convert-kvm_lock-to-a-mutex.patch
-bugfix/x86/itlb_multihit/0003-kvm-x86-Do-not-release-the-page-inside-mmu_set_spte.patch
-bugfix/x86/itlb_multihit/0004-KVM-x86-make-FNAME-fetch-and-__direct_map-more-simil.patch
-bugfix/x86/itlb_multihit/0005-KVM-x86-remove-now-unneeded-hugepage-gfn-adjustment.patch
-bugfix/x86/itlb_multihit/0006-KVM-x86-change-kvm_mmu_page_get_gfn-BUG_ON-to-WARN_O.patch
-bugfix/x86/itlb_multihit/0007-KVM-x86-add-tracepoints-around-__direct_map-and-FNAM.patch
-bugfix/x86/itlb_multihit/0008-kvm-x86-powerpc-do-not-allow-clearing-largepages-deb.patch
-bugfix/x86/itlb_multihit/0009-KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch
-bugfix/x86/itlb_multihit/0009-x86-Add-ITLB_MULTIHIT-bug-infrastructure.patch
-bugfix/x86/itlb_multihit/0010-kvm-mmu-ITLB_MULTIHIT-mitigation.patch
-bugfix/x86/itlb_multihit/0011-kvm-Add-helper-function-for-creating-VM-worker.patch
-bugfix/x86/itlb_multihit/0012-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch
-bugfix/x86/taa/0013-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
-bugfix/x86/taa/0014-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
-bugfix/x86/taa/0015-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch
-bugfix/x86/taa/0016-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch
-bugfix/x86/taa/0017-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch
-bugfix/x86/taa/0018-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch
-bugfix/x86/taa/0019-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch
-bugfix/x86/taa/0020-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch
-bugfix/x86/taa/0021-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch
+bugfix/x86/taa/0001-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
+bugfix/x86/taa/0002-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
+bugfix/x86/taa/0003-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch
+bugfix/x86/taa/0004-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch
+bugfix/x86/taa/0005-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch
+bugfix/x86/taa/0006-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch
+bugfix/x86/taa/0007-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch
+bugfix/x86/taa/0008-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch
+bugfix/x86/taa/0009-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch
+bugfix/x86/itlb_multihit/0010-KVM-x86-adjust-kvm_mmu_page-member-to-save-8-bytes.patch
+bugfix/x86/itlb_multihit/0011-kvm-Convert-kvm_lock-to-a-mutex.patch
+bugfix/x86/itlb_multihit/0012-kvm-x86-Do-not-release-the-page-inside-mmu_set_spte.patch
+bugfix/x86/itlb_multihit/0013-KVM-x86-make-FNAME-fetch-and-__direct_map-more-simil.patch
+bugfix/x86/itlb_multihit/0014-KVM-x86-remove-now-unneeded-hugepage-gfn-adjustment.patch
+bugfix/x86/itlb_multihit/0015-KVM-x86-change-kvm_mmu_page_get_gfn-BUG_ON-to-WARN_O.patch
+bugfix/x86/itlb_multihit/0016-KVM-x86-add-tracepoints-around-__direct_map-and-FNAM.patch
+bugfix/x86/itlb_multihit/0017-kvm-x86-powerpc-do-not-allow-clearing-largepages-deb.patch
+bugfix/x86/itlb_multihit/0018-KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch
+bugfix/x86/itlb_multihit/0019-x86-bugs-Add-ITLB_MULTIHIT-bug-infrastructure.patch
+bugfix/x86/itlb_multihit/0020-cpu-speculation-Uninline-and-export-CPU-mitigations-.patch
+bugfix/x86/itlb_multihit/0021-kvm-mmu-ITLB_MULTIHIT-mitigation.patch
+bugfix/x86/itlb_multihit/0022-kvm-Add-helper-function-for-creating-VM-worker-threa.patch
+bugfix/x86/itlb_multihit/0023-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch
+bugfix/x86/itlb_multihit/0024-Documentation-Add-ITLB_MULTIHIT-documentation.patch
 
 # ABI maintenance
 debian/abi/powerpc-avoid-abi-change-for-disabling-tm.patch