summaryrefslogtreecommitdiffstats
path: root/debian/patches/bugfix
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/bugfix')
-rw-r--r--debian/patches/bugfix/x86/gds/arm-cpu-switch-to-arch_cpu_finalize_init.patch72
-rw-r--r--debian/patches/bugfix/x86/gds/documentation-x86-fix-backwards-on-off-logic-about-ymm-support.patch31
-rw-r--r--debian/patches/bugfix/x86/gds/ia64-cpu-switch-to-arch_cpu_finalize_init.patch70
-rw-r--r--debian/patches/bugfix/x86/gds/init-invoke-arch_cpu_finalize_init-earlier.patch58
-rw-r--r--debian/patches/bugfix/x86/gds/init-provide-arch_cpu_finalize_init.patch77
-rw-r--r--debian/patches/bugfix/x86/gds/init-remove-check_bugs-leftovers.patch155
-rw-r--r--debian/patches/bugfix/x86/gds/init-x86-move-mem_encrypt_init-into-arch_cpu_finalize_init.patch94
-rw-r--r--debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch69
-rw-r--r--debian/patches/bugfix/x86/gds/m68k-cpu-switch-to-arch_cpu_finalize_init.patch79
-rw-r--r--debian/patches/bugfix/x86/gds/mips-cpu-switch-to-arch_cpu_finalize_init.patch98
-rw-r--r--debian/patches/bugfix/x86/gds/sh-cpu-switch-to-arch_cpu_finalize_init.patch207
-rw-r--r--debian/patches/bugfix/x86/gds/sparc-cpu-switch-to-arch_cpu_finalize_init.patch70
-rw-r--r--debian/patches/bugfix/x86/gds/um-cpu-switch-to-arch_cpu_finalize_init.patch65
-rw-r--r--debian/patches/bugfix/x86/gds/x86-cpu-switch-to-arch_cpu_finalize_init.patch228
-rw-r--r--debian/patches/bugfix/x86/gds/x86-fpu-mark-init-functions-__init.patch39
-rw-r--r--debian/patches/bugfix/x86/gds/x86-fpu-move-fpu-initialization-into-arch_cpu_finalize_init.patch86
-rw-r--r--debian/patches/bugfix/x86/gds/x86-fpu-remove-cpuinfo-argument-from-init-functions.patch67
-rw-r--r--debian/patches/bugfix/x86/gds/x86-speculation-add-force-option-to-gds-mitigation.patch163
-rw-r--r--debian/patches/bugfix/x86/gds/x86-speculation-add-gather-data-sampling-mitigation.patch562
-rw-r--r--debian/patches/bugfix/x86/gds/x86-speculation-add-kconfig-option-for-gds.patch68
-rw-r--r--debian/patches/bugfix/x86/gds/x86-xen-fix-secondary-processors-fpu-initialization.patch44
21 files changed, 0 insertions, 2402 deletions
diff --git a/debian/patches/bugfix/x86/gds/arm-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/arm-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index 8b3c04d39..000000000
--- a/debian/patches/bugfix/x86/gds/arm-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 980d7eb01638f535e9ab885449c0bbb4cec0fde6 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:25 +0200
-Subject: ARM: cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit ee31bb0524a2e7c99b03f50249a411cc1eaa411f upstream
-
-check_bugs() is about to be phased out. Switch over to the new
-arch_cpu_finalize_init() implementation.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.078124882@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/Kconfig | 1 +
- arch/arm/include/asm/bugs.h | 4 ----
- arch/arm/kernel/bugs.c | 3 ++-
- 3 files changed, 3 insertions(+), 5 deletions(-)
-
---- a/arch/arm/Kconfig
-+++ b/arch/arm/Kconfig
-@@ -4,6 +4,7 @@ config ARM
- default y
- select ARCH_CLOCKSOURCE_DATA
- select ARCH_DISCARD_MEMBLOCK if !HAVE_ARCH_PFN_VALID && !KEXEC
-+ select ARCH_HAS_CPU_FINALIZE_INIT if MMU
- select ARCH_HAS_DEBUG_VIRTUAL if MMU
- select ARCH_HAS_DEVMEM_IS_ALLOWED
- select ARCH_HAS_ELF_RANDOMIZE
---- a/arch/arm/include/asm/bugs.h
-+++ b/arch/arm/include/asm/bugs.h
-@@ -1,6 +1,4 @@
- /*
-- * arch/arm/include/asm/bugs.h
-- *
- * Copyright (C) 1995-2003 Russell King
- *
- * This program is free software; you can redistribute it and/or modify
-@@ -13,10 +11,8 @@
- extern void check_writebuffer_bugs(void);
-
- #ifdef CONFIG_MMU
--extern void check_bugs(void);
- extern void check_other_bugs(void);
- #else
--#define check_bugs() do { } while (0)
- #define check_other_bugs() do { } while (0)
- #endif
-
---- a/arch/arm/kernel/bugs.c
-+++ b/arch/arm/kernel/bugs.c
-@@ -1,5 +1,6 @@
- // SPDX-Identifier: GPL-2.0
- #include <linux/init.h>
-+#include <linux/cpu.h>
- #include <asm/bugs.h>
- #include <asm/proc-fns.h>
-
-@@ -11,7 +12,7 @@ void check_other_bugs(void)
- #endif
- }
-
--void __init check_bugs(void)
-+void __init arch_cpu_finalize_init(void)
- {
- check_writebuffer_bugs();
- check_other_bugs();
diff --git a/debian/patches/bugfix/x86/gds/documentation-x86-fix-backwards-on-off-logic-about-ymm-support.patch b/debian/patches/bugfix/x86/gds/documentation-x86-fix-backwards-on-off-logic-about-ymm-support.patch
deleted file mode 100644
index 7bb1f3261..000000000
--- a/debian/patches/bugfix/x86/gds/documentation-x86-fix-backwards-on-off-logic-about-ymm-support.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 1b0fc0345f2852ffe54fb9ae0e12e2ee69ad6a20 Mon Sep 17 00:00:00 2001
-From: Dave Hansen <dave.hansen@linux.intel.com>
-Date: Tue, 1 Aug 2023 07:31:07 -0700
-Subject: Documentation/x86: Fix backwards on/off logic about YMM support
-
-From: Dave Hansen <dave.hansen@linux.intel.com>
-
-commit 1b0fc0345f2852ffe54fb9ae0e12e2ee69ad6a20 upstream
-
-These options clearly turn *off* XSAVE YMM support. Correct the
-typo.
-
-Reported-by: Ben Hutchings <ben@decadent.org.uk>
-Fixes: 553a5c03e90a ("x86/speculation: Add force option to GDS mitigation")
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- Documentation/admin-guide/hw-vuln/gather_data_sampling.rst | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
-+++ b/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
-@@ -63,7 +63,7 @@ GDS can also be mitigated on systems tha
- disabling AVX. This can be done by setting gather_data_sampling="force" or
- "clearcpuid=avx" on the kernel command-line.
-
--If used, these options will disable AVX use by turning on XSAVE YMM support.
-+If used, these options will disable AVX use by turning off XSAVE YMM support.
- However, the processor will still enumerate AVX support. Userspace that
- does not follow proper AVX enumeration to check both AVX *and* XSAVE YMM
- support will break.
diff --git a/debian/patches/bugfix/x86/gds/ia64-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/ia64-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index 12aa098f7..000000000
--- a/debian/patches/bugfix/x86/gds/ia64-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From dff0dc6635f86b571b1bb61f3f3525b3763c3566 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:27 +0200
-Subject: ia64/cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 6c38e3005621800263f117fb00d6787a76e16de7 upstream
-
-check_bugs() is about to be phased out. Switch over to the new
-arch_cpu_finalize_init() implementation.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.137045745@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/ia64/Kconfig | 1 +
- arch/ia64/include/asm/bugs.h | 20 --------------------
- arch/ia64/kernel/setup.c | 3 +--
- 3 files changed, 2 insertions(+), 22 deletions(-)
- delete mode 100644 arch/ia64/include/asm/bugs.h
-
---- a/arch/ia64/Kconfig
-+++ b/arch/ia64/Kconfig
-@@ -8,6 +8,7 @@ menu "Processor type and features"
-
- config IA64
- bool
-+ select ARCH_HAS_CPU_FINALIZE_INIT
- select ARCH_MIGHT_HAVE_PC_PARPORT
- select ARCH_MIGHT_HAVE_PC_SERIO
- select PCI if (!IA64_HP_SIM)
---- a/arch/ia64/include/asm/bugs.h
-+++ /dev/null
-@@ -1,20 +0,0 @@
--/* SPDX-License-Identifier: GPL-2.0 */
--/*
-- * This is included by init/main.c to check for architecture-dependent bugs.
-- *
-- * Needs:
-- * void check_bugs(void);
-- *
-- * Based on <asm-alpha/bugs.h>.
-- *
-- * Modified 1998, 1999, 2003
-- * David Mosberger-Tang <davidm@hpl.hp.com>, Hewlett-Packard Co.
-- */
--#ifndef _ASM_IA64_BUGS_H
--#define _ASM_IA64_BUGS_H
--
--#include <asm/processor.h>
--
--extern void check_bugs (void);
--
--#endif /* _ASM_IA64_BUGS_H */
---- a/arch/ia64/kernel/setup.c
-+++ b/arch/ia64/kernel/setup.c
-@@ -1050,8 +1050,7 @@ cpu_init (void)
- platform_cpu_init();
- }
-
--void __init
--check_bugs (void)
-+void __init arch_cpu_finalize_init(void)
- {
- ia64_patch_mckinley_e9((unsigned long) __start___mckinley_e9_bundles,
- (unsigned long) __end___mckinley_e9_bundles);
diff --git a/debian/patches/bugfix/x86/gds/init-invoke-arch_cpu_finalize_init-earlier.patch b/debian/patches/bugfix/x86/gds/init-invoke-arch_cpu_finalize_init-earlier.patch
deleted file mode 100644
index bcb206f87..000000000
--- a/debian/patches/bugfix/x86/gds/init-invoke-arch_cpu_finalize_init-earlier.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 4f8644b469a237107a34deb77ca301377c7def7c Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:39 +0200
-Subject: init: Invoke arch_cpu_finalize_init() earlier
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 9df9d2f0471b4c4702670380b8d8a45b40b23a7d upstream
-
-X86 is reworking the boot process so that initializations which are not
-required during early boot can be moved into the late boot process and out
-of the fragile and restricted initial boot phase.
-
-arch_cpu_finalize_init() is the obvious place to do such initializations,
-but arch_cpu_finalize_init() is invoked too late in start_kernel() e.g. for
-initializing the FPU completely. fork_init() requires that the FPU is
-initialized as the size of task_struct on X86 depends on the size of the
-required FPU register buffer.
-
-Fortunately none of the init calls between calibrate_delay() and
-arch_cpu_finalize_init() is relevant for the functionality of
-arch_cpu_finalize_init().
-
-Invoke it right after calibrate_delay() where everything which is relevant
-for arch_cpu_finalize_init() has been set up already.
-
-No functional change intended.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
-Link: https://lore.kernel.org/r/20230613224545.612182854@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- init/main.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/init/main.c
-+++ b/init/main.c
-@@ -699,6 +699,9 @@ asmlinkage __visible void __init start_k
- late_time_init();
- sched_clock_init();
- calibrate_delay();
-+
-+ arch_cpu_finalize_init();
-+
- pid_idr_init();
- anon_vma_init();
- #ifdef CONFIG_X86
-@@ -726,8 +729,6 @@ asmlinkage __visible void __init start_k
- delayacct_init();
-
-
-- arch_cpu_finalize_init();
--
- acpi_subsystem_init();
- arch_post_acpi_subsys_init();
- sfi_init_late();
diff --git a/debian/patches/bugfix/x86/gds/init-provide-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/init-provide-arch_cpu_finalize_init.patch
deleted file mode 100644
index 9e56c09a8..000000000
--- a/debian/patches/bugfix/x86/gds/init-provide-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 11bc27b01a313cc489c807ceddb0a93a6770fd11 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:22 +0200
-Subject: init: Provide arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 7725acaa4f0c04fbefb0e0d342635b967bb7d414 upstream
-
-check_bugs() has become a dumping ground for all sorts of activities to
-finalize the CPU initialization before running the rest of the init code.
-
-Most are empty, a few do actual bug checks, some do alternative patching
-and some cobble a CPU advertisement string together....
-
-Aside of that the current implementation requires duplicated function
-declaration and mostly empty header files for them.
-
-Provide a new function arch_cpu_finalize_init(). Provide a generic
-declaration if CONFIG_ARCH_HAS_CPU_FINALIZE_INIT is selected and a stub
-inline otherwise.
-
-This requires a temporary #ifdef in start_kernel() which will be removed
-along with check_bugs() once the architectures are converted over.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224544.957805717@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/Kconfig | 3 +++
- include/linux/cpu.h | 6 ++++++
- init/main.c | 5 +++++
- 3 files changed, 14 insertions(+)
-
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -249,6 +249,9 @@ config ARCH_HAS_FORTIFY_SOURCE
- config ARCH_HAS_SET_MEMORY
- bool
-
-+config ARCH_HAS_CPU_FINALIZE_INIT
-+ bool
-+
- # Select if arch init_task must go in the __init_task_data section
- config ARCH_TASK_STRUCT_ON_STACK
- bool
---- a/include/linux/cpu.h
-+++ b/include/linux/cpu.h
-@@ -170,6 +170,12 @@ void arch_cpu_idle_enter(void);
- void arch_cpu_idle_exit(void);
- void arch_cpu_idle_dead(void);
-
-+#ifdef CONFIG_ARCH_HAS_CPU_FINALIZE_INIT
-+void arch_cpu_finalize_init(void);
-+#else
-+static inline void arch_cpu_finalize_init(void) { }
-+#endif
-+
- int cpu_report_state(int cpu);
- int cpu_check_up_prepare(int cpu);
- void cpu_set_state_online(int cpu);
---- a/init/main.c
-+++ b/init/main.c
-@@ -726,7 +726,12 @@ asmlinkage __visible void __init start_k
- taskstats_init_early();
- delayacct_init();
-
-+
-+ arch_cpu_finalize_init();
-+ /* Temporary conditional until everything has been converted */
-+#ifndef CONFIG_ARCH_HAS_CPU_FINALIZE_INIT
- check_bugs();
-+#endif
-
- acpi_subsystem_init();
- arch_post_acpi_subsys_init();
diff --git a/debian/patches/bugfix/x86/gds/init-remove-check_bugs-leftovers.patch b/debian/patches/bugfix/x86/gds/init-remove-check_bugs-leftovers.patch
deleted file mode 100644
index 8698e892d..000000000
--- a/debian/patches/bugfix/x86/gds/init-remove-check_bugs-leftovers.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From eb6d42cbbc5b7384bebb9b783970c5b07ac10fc5 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:38 +0200
-Subject: init: Remove check_bugs() leftovers
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 61235b24b9cb37c13fcad5b9596d59a1afdcec30 upstream
-
-Everything is converted over to arch_cpu_finalize_init(). Remove the
-check_bugs() leftovers including the empty stubs in asm-generic, alpha,
-parisc, powerpc and xtensa.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Link: https://lore.kernel.org/r/20230613224545.553215951@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/alpha/include/asm/bugs.h | 20 --------------------
- arch/parisc/include/asm/bugs.h | 20 --------------------
- arch/powerpc/include/asm/bugs.h | 18 ------------------
- arch/xtensa/include/asm/bugs.h | 18 ------------------
- include/asm-generic/bugs.h | 11 -----------
- init/main.c | 5 -----
- 6 files changed, 92 deletions(-)
- delete mode 100644 arch/alpha/include/asm/bugs.h
- delete mode 100644 arch/parisc/include/asm/bugs.h
- delete mode 100644 arch/powerpc/include/asm/bugs.h
- delete mode 100644 arch/xtensa/include/asm/bugs.h
- delete mode 100644 include/asm-generic/bugs.h
-
---- a/arch/alpha/include/asm/bugs.h
-+++ /dev/null
-@@ -1,20 +0,0 @@
--/*
-- * include/asm-alpha/bugs.h
-- *
-- * Copyright (C) 1994 Linus Torvalds
-- */
--
--/*
-- * This is included by init/main.c to check for architecture-dependent bugs.
-- *
-- * Needs:
-- * void check_bugs(void);
-- */
--
--/*
-- * I don't know of any alpha bugs yet.. Nice chip
-- */
--
--static void check_bugs(void)
--{
--}
---- a/arch/parisc/include/asm/bugs.h
-+++ /dev/null
-@@ -1,20 +0,0 @@
--/* SPDX-License-Identifier: GPL-2.0 */
--/*
-- * include/asm-parisc/bugs.h
-- *
-- * Copyright (C) 1999 Mike Shaver
-- */
--
--/*
-- * This is included by init/main.c to check for architecture-dependent bugs.
-- *
-- * Needs:
-- * void check_bugs(void);
-- */
--
--#include <asm/processor.h>
--
--static inline void check_bugs(void)
--{
--// identify_cpu(&boot_cpu_data);
--}
---- a/arch/powerpc/include/asm/bugs.h
-+++ /dev/null
-@@ -1,18 +0,0 @@
--#ifndef _ASM_POWERPC_BUGS_H
--#define _ASM_POWERPC_BUGS_H
--
--/*
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU General Public License
-- * as published by the Free Software Foundation; either version
-- * 2 of the License, or (at your option) any later version.
-- */
--
--/*
-- * This file is included by 'init/main.c' to check for
-- * architecture-dependent bugs.
-- */
--
--static inline void check_bugs(void) { }
--
--#endif /* _ASM_POWERPC_BUGS_H */
---- a/arch/xtensa/include/asm/bugs.h
-+++ /dev/null
-@@ -1,18 +0,0 @@
--/*
-- * include/asm-xtensa/bugs.h
-- *
-- * This is included by init/main.c to check for architecture-dependent bugs.
-- *
-- * Xtensa processors don't have any bugs. :)
-- *
-- * This file is subject to the terms and conditions of the GNU General
-- * Public License. See the file "COPYING" in the main directory of
-- * this archive for more details.
-- */
--
--#ifndef _XTENSA_BUGS_H
--#define _XTENSA_BUGS_H
--
--static void check_bugs(void) { }
--
--#endif /* _XTENSA_BUGS_H */
---- a/include/asm-generic/bugs.h
-+++ /dev/null
-@@ -1,11 +0,0 @@
--/* SPDX-License-Identifier: GPL-2.0 */
--#ifndef __ASM_GENERIC_BUGS_H
--#define __ASM_GENERIC_BUGS_H
--/*
-- * This file is included by 'init/main.c' to check for
-- * architecture-dependent bugs.
-- */
--
--static inline void check_bugs(void) { }
--
--#endif /* __ASM_GENERIC_BUGS_H */
---- a/init/main.c
-+++ b/init/main.c
-@@ -94,7 +94,6 @@
- #include <linux/mem_encrypt.h>
-
- #include <asm/io.h>
--#include <asm/bugs.h>
- #include <asm/setup.h>
- #include <asm/sections.h>
- #include <asm/cacheflush.h>
-@@ -728,10 +727,6 @@ asmlinkage __visible void __init start_k
-
-
- arch_cpu_finalize_init();
-- /* Temporary conditional until everything has been converted */
--#ifndef CONFIG_ARCH_HAS_CPU_FINALIZE_INIT
-- check_bugs();
--#endif
-
- acpi_subsystem_init();
- arch_post_acpi_subsys_init();
diff --git a/debian/patches/bugfix/x86/gds/init-x86-move-mem_encrypt_init-into-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/init-x86-move-mem_encrypt_init-into-arch_cpu_finalize_init.patch
deleted file mode 100644
index aede33ff2..000000000
--- a/debian/patches/bugfix/x86/gds/init-x86-move-mem_encrypt_init-into-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 555b9962472818fba44eb42f31cfd1e118d20478 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:41 +0200
-Subject: init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 439e17576eb47f26b78c5bbc72e344d4206d2327 upstream
-
-Invoke the X86ism mem_encrypt_init() from X86 arch_cpu_finalize_init() and
-remove the weak fallback from the core code.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.670360645@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/mem_encrypt.h | 2 ++
- arch/x86/kernel/cpu/common.c | 11 +++++++++++
- init/main.c | 11 -----------
- 3 files changed, 13 insertions(+), 11 deletions(-)
-
---- a/arch/x86/include/asm/mem_encrypt.h
-+++ b/arch/x86/include/asm/mem_encrypt.h
-@@ -80,6 +80,8 @@ early_set_memory_decrypted(unsigned long
- static inline int __init
- early_set_memory_encrypted(unsigned long vaddr, unsigned long size) { return 0; }
-
-+static inline void mem_encrypt_init(void) { }
-+
- #define __bss_decrypted
-
- #endif /* CONFIG_AMD_MEM_ENCRYPT */
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -17,6 +17,7 @@
- #include <linux/init.h>
- #include <linux/kprobes.h>
- #include <linux/kgdb.h>
-+#include <linux/mem_encrypt.h>
- #include <linux/smp.h>
- #include <linux/cpu.h>
- #include <linux/io.h>
-@@ -2151,4 +2152,14 @@ void __init arch_cpu_finalize_init(void)
- } else {
- fpu__init_check_bugs();
- }
-+
-+ /*
-+ * This needs to be called before any devices perform DMA
-+ * operations that might use the SWIOTLB bounce buffers. It will
-+ * mark the bounce buffers as decrypted so that their usage will
-+ * not cause "plain-text" data to be decrypted when accessed. It
-+ * must be called after late_time_init() so that Hyper-V x86/x64
-+ * hypercalls work when the SWIOTLB bounce buffers are decrypted.
-+ */
-+ mem_encrypt_init();
- }
---- a/init/main.c
-+++ b/init/main.c
-@@ -91,7 +91,6 @@
- #include <linux/cache.h>
- #include <linux/rodata_test.h>
- #include <linux/jump_label.h>
--#include <linux/mem_encrypt.h>
-
- #include <asm/io.h>
- #include <asm/setup.h>
-@@ -492,8 +491,6 @@ void __init __weak thread_stack_cache_in
- }
- #endif
-
--void __init __weak mem_encrypt_init(void) { }
--
- bool initcall_debug;
- core_param(initcall_debug, initcall_debug, bool, 0644);
-
-@@ -673,14 +670,6 @@ asmlinkage __visible void __init start_k
- */
- locking_selftest();
-
-- /*
-- * This needs to be called before any devices perform DMA
-- * operations that might use the SWIOTLB bounce buffers. It will
-- * mark the bounce buffers as decrypted so that their usage will
-- * not cause "plain-text" data to be decrypted when accessed.
-- */
-- mem_encrypt_init();
--
- #ifdef CONFIG_BLK_DEV_INITRD
- if (initrd_start && !initrd_below_start_ok &&
- page_to_pfn(virt_to_page((void *)initrd_start)) < min_low_pfn) {
diff --git a/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch b/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
deleted file mode 100644
index e16870f6e..000000000
--- a/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From e9a103c76a5ffb605204f25222e6217931ff129b Mon Sep 17 00:00:00 2001
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Date: Wed, 12 Jul 2023 19:43:14 -0700
-Subject: KVM: Add GDS_NO support to KVM
-
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-
-commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7 upstream
-
-Gather Data Sampling (GDS) is a transient execution attack using
-gather instructions from the AVX2 and AVX512 extensions. This attack
-allows malicious code to infer data that was previously stored in
-vector registers. Systems that are not vulnerable to GDS will set the
-GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
-guests that may think they are on vulnerable systems that are, in
-fact, not affected. Guests that are running on affected hosts where
-the mitigation is enabled are protected as if they were running
-on an unaffected system.
-
-On all hosts that are not affected or that are mitigated, set the
-GDS_NO bit.
-
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/bugs.c | 7 +++++++
- arch/x86/kvm/x86.c | 5 +++++
- 2 files changed, 12 insertions(+)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -628,6 +628,13 @@ static const char * const gds_strings[]
- [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
- };
-
-+bool gds_ucode_mitigated(void)
-+{
-+ return (gds_mitigation == GDS_MITIGATION_FULL ||
-+ gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
-+}
-+EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
-+
- void update_gds_msr(void)
- {
- u64 mcu_ctrl_after;
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -217,6 +217,8 @@ struct kvm_stats_debugfs_item debugfs_en
-
- u64 __read_mostly host_xcr0;
-
-+extern bool gds_ucode_mitigated(void);
-+
- static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt);
-
- static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu)
-@@ -1224,6 +1226,9 @@ u64 kvm_get_arch_capabilities(void)
- /* Guests don't need to know "Fill buffer clear control" exists */
- data &= ~ARCH_CAP_FB_CLEAR_CTRL;
-
-+ if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())
-+ data |= ARCH_CAP_GDS_NO;
-+
- return data;
- }
-
diff --git a/debian/patches/bugfix/x86/gds/m68k-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/m68k-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index 8cece9900..000000000
--- a/debian/patches/bugfix/x86/gds/m68k-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From ca442015ccef31abd0a73cd621c4a4da3a76d20b Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:30 +0200
-Subject: m68k/cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 9ceecc2589b9d7cef6b321339ed8de484eac4b20 upstream
-
-check_bugs() is about to be phased out. Switch over to the new
-arch_cpu_finalize_init() implementation.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
-Link: https://lore.kernel.org/r/20230613224545.254342916@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/m68k/Kconfig | 1 +
- arch/m68k/include/asm/bugs.h | 21 ---------------------
- arch/m68k/kernel/setup_mm.c | 3 ++-
- 3 files changed, 3 insertions(+), 22 deletions(-)
- delete mode 100644 arch/m68k/include/asm/bugs.h
-
---- a/arch/m68k/Kconfig
-+++ b/arch/m68k/Kconfig
-@@ -2,6 +2,7 @@
- config M68K
- bool
- default y
-+ select ARCH_HAS_CPU_FINALIZE_INIT if MMU
- select ARCH_HAS_SYNC_DMA_FOR_DEVICE if HAS_DMA
- select ARCH_MIGHT_HAVE_PC_PARPORT if ISA
- select ARCH_NO_COHERENT_DMA_MMAP if !MMU
---- a/arch/m68k/include/asm/bugs.h
-+++ /dev/null
-@@ -1,21 +0,0 @@
--/* SPDX-License-Identifier: GPL-2.0 */
--/*
-- * include/asm-m68k/bugs.h
-- *
-- * Copyright (C) 1994 Linus Torvalds
-- */
--
--/*
-- * This is included by init/main.c to check for architecture-dependent bugs.
-- *
-- * Needs:
-- * void check_bugs(void);
-- */
--
--#ifdef CONFIG_MMU
--extern void check_bugs(void); /* in arch/m68k/kernel/setup.c */
--#else
--static void check_bugs(void)
--{
--}
--#endif
---- a/arch/m68k/kernel/setup_mm.c
-+++ b/arch/m68k/kernel/setup_mm.c
-@@ -10,6 +10,7 @@
- */
-
- #include <linux/kernel.h>
-+#include <linux/cpu.h>
- #include <linux/mm.h>
- #include <linux/sched.h>
- #include <linux/delay.h>
-@@ -526,7 +527,7 @@ static int __init proc_hardware_init(voi
- module_init(proc_hardware_init);
- #endif
-
--void check_bugs(void)
-+void __init arch_cpu_finalize_init(void)
- {
- #if defined(CONFIG_FPU) && !defined(CONFIG_M68KFPU_EMU)
- if (m68k_fputype == 0) {
diff --git a/debian/patches/bugfix/x86/gds/mips-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/mips-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index 575e1e0a5..000000000
--- a/debian/patches/bugfix/x86/gds/mips-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 2bedb079d39e87a51a6af0a9606dbd147a9bbfde Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:32 +0200
-Subject: mips/cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 7f066a22fe353a827a402ee2835e81f045b1574d upstream
-
-check_bugs() is about to be phased out. Switch over to the new
-arch_cpu_finalize_init() implementation.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.312438573@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/Kconfig | 1 +
- arch/mips/include/asm/bugs.h | 17 -----------------
- arch/mips/kernel/setup.c | 13 +++++++++++++
- 3 files changed, 14 insertions(+), 17 deletions(-)
-
---- a/arch/mips/Kconfig
-+++ b/arch/mips/Kconfig
-@@ -4,6 +4,7 @@ config MIPS
- default y
- select ARCH_BINFMT_ELF_STATE
- select ARCH_CLOCKSOURCE_DATA
-+ select ARCH_HAS_CPU_FINALIZE_INIT
- select ARCH_DISCARD_MEMBLOCK
- select ARCH_HAS_ELF_RANDOMIZE
- select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
---- a/arch/mips/include/asm/bugs.h
-+++ b/arch/mips/include/asm/bugs.h
-@@ -1,17 +1,11 @@
- /* SPDX-License-Identifier: GPL-2.0 */
- /*
-- * This is included by init/main.c to check for architecture-dependent bugs.
-- *
- * Copyright (C) 2007 Maciej W. Rozycki
-- *
-- * Needs:
-- * void check_bugs(void);
- */
- #ifndef _ASM_BUGS_H
- #define _ASM_BUGS_H
-
- #include <linux/bug.h>
--#include <linux/delay.h>
- #include <linux/smp.h>
-
- #include <asm/cpu.h>
-@@ -31,17 +25,6 @@ static inline void check_bugs_early(void
- #endif
- }
-
--static inline void check_bugs(void)
--{
-- unsigned int cpu = smp_processor_id();
--
-- cpu_data[cpu].udelay_val = loops_per_jiffy;
-- check_bugs32();
--#ifdef CONFIG_64BIT
-- check_bugs64();
--#endif
--}
--
- static inline int r4k_daddiu_bug(void)
- {
- #ifdef CONFIG_64BIT
---- a/arch/mips/kernel/setup.c
-+++ b/arch/mips/kernel/setup.c
-@@ -11,6 +11,8 @@
- * Copyright (C) 2000, 2001, 2002, 2007 Maciej W. Rozycki
- */
- #include <linux/init.h>
-+#include <linux/cpu.h>
-+#include <linux/delay.h>
- #include <linux/ioport.h>
- #include <linux/export.h>
- #include <linux/screen_info.h>
-@@ -1108,3 +1110,14 @@ static int __init setnocoherentio(char *
- }
- early_param("nocoherentio", setnocoherentio);
- #endif
-+
-+void __init arch_cpu_finalize_init(void)
-+{
-+ unsigned int cpu = smp_processor_id();
-+
-+ cpu_data[cpu].udelay_val = loops_per_jiffy;
-+ check_bugs32();
-+
-+ if (IS_ENABLED(CONFIG_CPU_R4X00_BUGS64))
-+ check_bugs64();
-+}
diff --git a/debian/patches/bugfix/x86/gds/sh-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/sh-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index 55c9d37fd..000000000
--- a/debian/patches/bugfix/x86/gds/sh-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From 3ea1c65b457df5417ae78185f0381816b6d0c22c Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:33 +0200
-Subject: sh/cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 01eb454e9bfe593f320ecbc9aaec60bf87cd453d upstream
-
-check_bugs() is about to be phased out. Switch over to the new
-arch_cpu_finalize_init() implementation.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.371697797@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/sh/Kconfig | 1
- arch/sh/include/asm/bugs.h | 78 ----------------------------------------
- arch/sh/include/asm/processor.h | 2 +
- arch/sh/kernel/idle.c | 1
- arch/sh/kernel/setup.c | 55 ++++++++++++++++++++++++++++
- 5 files changed, 59 insertions(+), 78 deletions(-)
- delete mode 100644 arch/sh/include/asm/bugs.h
-
---- a/arch/sh/Kconfig
-+++ b/arch/sh/Kconfig
-@@ -1,6 +1,7 @@
- # SPDX-License-Identifier: GPL-2.0
- config SUPERH
- def_bool y
-+ select ARCH_HAS_CPU_FINALIZE_INIT
- select ARCH_HAS_PTE_SPECIAL
- select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
- select ARCH_MIGHT_HAVE_PC_PARPORT
---- a/arch/sh/include/asm/bugs.h
-+++ /dev/null
-@@ -1,78 +0,0 @@
--/* SPDX-License-Identifier: GPL-2.0 */
--#ifndef __ASM_SH_BUGS_H
--#define __ASM_SH_BUGS_H
--
--/*
-- * This is included by init/main.c to check for architecture-dependent bugs.
-- *
-- * Needs:
-- * void check_bugs(void);
-- */
--
--/*
-- * I don't know of any Super-H bugs yet.
-- */
--
--#include <asm/processor.h>
--
--extern void select_idle_routine(void);
--
--static void __init check_bugs(void)
--{
-- extern unsigned long loops_per_jiffy;
-- char *p = &init_utsname()->machine[2]; /* "sh" */
--
-- select_idle_routine();
--
-- current_cpu_data.loops_per_jiffy = loops_per_jiffy;
--
-- switch (current_cpu_data.family) {
-- case CPU_FAMILY_SH2:
-- *p++ = '2';
-- break;
-- case CPU_FAMILY_SH2A:
-- *p++ = '2';
-- *p++ = 'a';
-- break;
-- case CPU_FAMILY_SH3:
-- *p++ = '3';
-- break;
-- case CPU_FAMILY_SH4:
-- *p++ = '4';
-- break;
-- case CPU_FAMILY_SH4A:
-- *p++ = '4';
-- *p++ = 'a';
-- break;
-- case CPU_FAMILY_SH4AL_DSP:
-- *p++ = '4';
-- *p++ = 'a';
-- *p++ = 'l';
-- *p++ = '-';
-- *p++ = 'd';
-- *p++ = 's';
-- *p++ = 'p';
-- break;
-- case CPU_FAMILY_SH5:
-- *p++ = '6';
-- *p++ = '4';
-- break;
-- case CPU_FAMILY_UNKNOWN:
-- /*
-- * Specifically use CPU_FAMILY_UNKNOWN rather than
-- * default:, so we're able to have the compiler whine
-- * about unhandled enumerations.
-- */
-- break;
-- }
--
-- printk("CPU: %s\n", get_cpu_subtype(&current_cpu_data));
--
--#ifndef __LITTLE_ENDIAN__
-- /* 'eb' means 'Endian Big' */
-- *p++ = 'e';
-- *p++ = 'b';
--#endif
-- *p = '\0';
--}
--#endif /* __ASM_SH_BUGS_H */
---- a/arch/sh/include/asm/processor.h
-+++ b/arch/sh/include/asm/processor.h
-@@ -173,6 +173,8 @@ extern unsigned int instruction_size(uns
- #define instruction_size(insn) (4)
- #endif
-
-+void select_idle_routine(void);
-+
- #endif /* __ASSEMBLY__ */
-
- #ifdef CONFIG_SUPERH32
---- a/arch/sh/kernel/idle.c
-+++ b/arch/sh/kernel/idle.c
-@@ -18,6 +18,7 @@
- #include <linux/smp.h>
- #include <linux/atomic.h>
- #include <asm/pgalloc.h>
-+#include <asm/processor.h>
- #include <asm/smp.h>
- #include <asm/bl_bit.h>
-
---- a/arch/sh/kernel/setup.c
-+++ b/arch/sh/kernel/setup.c
-@@ -42,6 +42,7 @@
- #include <asm/smp.h>
- #include <asm/mmu_context.h>
- #include <asm/mmzone.h>
-+#include <asm/processor.h>
- #include <asm/sparsemem.h>
-
- /*
-@@ -361,3 +362,57 @@ int test_mode_pin(int pin)
- {
- return sh_mv.mv_mode_pins() & pin;
- }
-+
-+void __init arch_cpu_finalize_init(void)
-+{
-+ char *p = &init_utsname()->machine[2]; /* "sh" */
-+
-+ select_idle_routine();
-+
-+ current_cpu_data.loops_per_jiffy = loops_per_jiffy;
-+
-+ switch (current_cpu_data.family) {
-+ case CPU_FAMILY_SH2:
-+ *p++ = '2';
-+ break;
-+ case CPU_FAMILY_SH2A:
-+ *p++ = '2';
-+ *p++ = 'a';
-+ break;
-+ case CPU_FAMILY_SH3:
-+ *p++ = '3';
-+ break;
-+ case CPU_FAMILY_SH4:
-+ *p++ = '4';
-+ break;
-+ case CPU_FAMILY_SH4A:
-+ *p++ = '4';
-+ *p++ = 'a';
-+ break;
-+ case CPU_FAMILY_SH4AL_DSP:
-+ *p++ = '4';
-+ *p++ = 'a';
-+ *p++ = 'l';
-+ *p++ = '-';
-+ *p++ = 'd';
-+ *p++ = 's';
-+ *p++ = 'p';
-+ break;
-+ case CPU_FAMILY_UNKNOWN:
-+ /*
-+ * Specifically use CPU_FAMILY_UNKNOWN rather than
-+ * default:, so we're able to have the compiler whine
-+ * about unhandled enumerations.
-+ */
-+ break;
-+ }
-+
-+ pr_info("CPU: %s\n", get_cpu_subtype(&current_cpu_data));
-+
-+#ifndef __LITTLE_ENDIAN__
-+ /* 'eb' means 'Endian Big' */
-+ *p++ = 'e';
-+ *p++ = 'b';
-+#endif
-+ *p = '\0';
-+}
diff --git a/debian/patches/bugfix/x86/gds/sparc-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/sparc-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index a1677f487..000000000
--- a/debian/patches/bugfix/x86/gds/sparc-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From e7a2caf480097e1131b5239e95083c3e8995be07 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:35 +0200
-Subject: sparc/cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 44ade508e3bfac45ae97864587de29eb1a881ec0 upstream
-
-check_bugs() is about to be phased out. Switch over to the new
-arch_cpu_finalize_init() implementation.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
-Link: https://lore.kernel.org/r/20230613224545.431995857@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/sparc/Kconfig | 1 +
- arch/sparc/include/asm/bugs.h | 18 ------------------
- arch/sparc/kernel/setup_32.c | 7 +++++++
- 3 files changed, 8 insertions(+), 18 deletions(-)
- delete mode 100644 arch/sparc/include/asm/bugs.h
-
---- a/arch/sparc/Kconfig
-+++ b/arch/sparc/Kconfig
-@@ -12,6 +12,7 @@ config 64BIT
- config SPARC
- bool
- default y
-+ select ARCH_HAS_CPU_FINALIZE_INIT if !SMP
- select ARCH_MIGHT_HAVE_PC_PARPORT if SPARC64 && PCI
- select ARCH_MIGHT_HAVE_PC_SERIO
- select OF
---- a/arch/sparc/include/asm/bugs.h
-+++ /dev/null
-@@ -1,18 +0,0 @@
--/* SPDX-License-Identifier: GPL-2.0 */
--/* include/asm/bugs.h: Sparc probes for various bugs.
-- *
-- * Copyright (C) 1996, 2007 David S. Miller (davem@davemloft.net)
-- */
--
--#ifdef CONFIG_SPARC32
--#include <asm/cpudata.h>
--#endif
--
--extern unsigned long loops_per_jiffy;
--
--static void __init check_bugs(void)
--{
--#if defined(CONFIG_SPARC32) && !defined(CONFIG_SMP)
-- cpu_data(0).udelay_val = loops_per_jiffy;
--#endif
--}
---- a/arch/sparc/kernel/setup_32.c
-+++ b/arch/sparc/kernel/setup_32.c
-@@ -422,3 +422,10 @@ static int __init topology_init(void)
- }
-
- subsys_initcall(topology_init);
-+
-+#if defined(CONFIG_SPARC32) && !defined(CONFIG_SMP)
-+void __init arch_cpu_finalize_init(void)
-+{
-+ cpu_data(0).udelay_val = loops_per_jiffy;
-+}
-+#endif
diff --git a/debian/patches/bugfix/x86/gds/um-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/um-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index 372822010..000000000
--- a/debian/patches/bugfix/x86/gds/um-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 760b926637a95305fe8b066e8943ef688607dc0e Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:36 +0200
-Subject: um/cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 9349b5cd0908f8afe95529fc7a8cbb1417df9b0c upstream
-
-check_bugs() is about to be phased out. Switch over to the new
-arch_cpu_finalize_init() implementation.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Richard Weinberger <richard@nod.at>
-Link: https://lore.kernel.org/r/20230613224545.493148694@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/um/Kconfig | 1 +
- arch/um/include/asm/bugs.h | 7 -------
- arch/um/kernel/um_arch.c | 3 ++-
- 3 files changed, 3 insertions(+), 8 deletions(-)
- delete mode 100644 arch/um/include/asm/bugs.h
-
---- a/arch/um/Kconfig
-+++ b/arch/um/Kconfig
-@@ -5,6 +5,7 @@ menu "UML-specific options"
- config UML
- bool
- default y
-+ select ARCH_HAS_CPU_FINALIZE_INIT
- select ARCH_HAS_KCOV
- select ARCH_NO_PREEMPT
- select HAVE_ARCH_AUDITSYSCALL
---- a/arch/um/include/asm/bugs.h
-+++ /dev/null
-@@ -1,7 +0,0 @@
--/* SPDX-License-Identifier: GPL-2.0 */
--#ifndef __UM_BUGS_H
--#define __UM_BUGS_H
--
--void check_bugs(void);
--
--#endif
---- a/arch/um/kernel/um_arch.c
-+++ b/arch/um/kernel/um_arch.c
-@@ -3,6 +3,7 @@
- * Licensed under the GPL
- */
-
-+#include <linux/cpu.h>
- #include <linux/delay.h>
- #include <linux/init.h>
- #include <linux/mm.h>
-@@ -352,7 +353,7 @@ void __init setup_arch(char **cmdline_p)
- setup_hostinfo(host_info, sizeof host_info);
- }
-
--void __init check_bugs(void)
-+void __init arch_cpu_finalize_init(void)
- {
- arch_check_bugs();
- os_check_bugs();
diff --git a/debian/patches/bugfix/x86/gds/x86-cpu-switch-to-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/x86-cpu-switch-to-arch_cpu_finalize_init.patch
deleted file mode 100644
index 7d9b171a2..000000000
--- a/debian/patches/bugfix/x86/gds/x86-cpu-switch-to-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,228 +0,0 @@
-From b3454eb2d26a6cecada04b38e72e255ae702ccdb Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:24 +0200
-Subject: x86/cpu: Switch to arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 7c7077a72674402654f3291354720cd73cdf649e upstream
-
-check_bugs() is a dumping ground for finalizing the CPU bringup. Only parts of
-it has to do with actual CPU bugs.
-
-Split it apart into arch_cpu_finalize_init() and cpu_select_mitigations().
-
-Fixup the bogus 32bit comments while at it.
-
-No functional change.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
-Link: https://lore.kernel.org/r/20230613224545.019583869@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/Kconfig | 1
- arch/x86/include/asm/bugs.h | 2 -
- arch/x86/kernel/cpu/bugs.c | 51 ---------------------------------------
- arch/x86/kernel/cpu/common.c | 55 +++++++++++++++++++++++++++++++++++++++++++
- arch/x86/kernel/cpu/cpu.h | 1
- 5 files changed, 58 insertions(+), 52 deletions(-)
-
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -50,6 +50,7 @@ config X86
- select ARCH_CLOCKSOURCE_DATA
- select ARCH_DISCARD_MEMBLOCK
- select ARCH_HAS_ACPI_TABLE_UPGRADE if ACPI
-+ select ARCH_HAS_CPU_FINALIZE_INIT
- select ARCH_HAS_DEBUG_VIRTUAL
- select ARCH_HAS_DEVMEM_IS_ALLOWED
- select ARCH_HAS_ELF_RANDOMIZE
---- a/arch/x86/include/asm/bugs.h
-+++ b/arch/x86/include/asm/bugs.h
-@@ -4,8 +4,6 @@
-
- #include <asm/processor.h>
-
--extern void check_bugs(void);
--
- #if defined(CONFIG_CPU_SUP_INTEL)
- void check_mpx_erratum(struct cpuinfo_x86 *c);
- #else
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -9,7 +9,6 @@
- * - Andrew D. Balsa (code cleanup).
- */
- #include <linux/init.h>
--#include <linux/utsname.h>
- #include <linux/cpu.h>
- #include <linux/module.h>
- #include <linux/nospec.h>
-@@ -25,9 +24,7 @@
- #include <asm/msr.h>
- #include <asm/vmx.h>
- #include <asm/paravirt.h>
--#include <asm/alternative.h>
- #include <asm/pgtable.h>
--#include <asm/set_memory.h>
- #include <asm/intel-family.h>
- #include <asm/e820/api.h>
- #include <asm/hypervisor.h>
-@@ -115,21 +112,8 @@ EXPORT_SYMBOL_GPL(mds_idle_clear);
- DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);
- EXPORT_SYMBOL_GPL(mmio_stale_data_clear);
-
--void __init check_bugs(void)
-+void __init cpu_select_mitigations(void)
- {
-- identify_boot_cpu();
--
-- /*
-- * identify_boot_cpu() initialized SMT support information, let the
-- * core code know.
-- */
-- cpu_smt_check_topology();
--
-- if (!IS_ENABLED(CONFIG_SMP)) {
-- pr_info("CPU: ");
-- print_cpu_info(&boot_cpu_data);
-- }
--
- /*
- * Read the SPEC_CTRL MSR to account for reserved bits which may
- * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
-@@ -165,39 +149,6 @@ void __init check_bugs(void)
- l1tf_select_mitigation();
- md_clear_select_mitigation();
- srbds_select_mitigation();
--
-- arch_smt_update();
--
--#ifdef CONFIG_X86_32
-- /*
-- * Check whether we are able to run this kernel safely on SMP.
-- *
-- * - i386 is no longer supported.
-- * - In order to run on anything without a TSC, we need to be
-- * compiled for a i486.
-- */
-- if (boot_cpu_data.x86 < 4)
-- panic("Kernel requires i486+ for 'invlpg' and other features");
--
-- init_utsname()->machine[1] =
-- '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
-- alternative_instructions();
--
-- fpu__init_check_bugs();
--#else /* CONFIG_X86_64 */
-- alternative_instructions();
--
-- /*
-- * Make sure the first 2MB area is not mapped by huge pages
-- * There are typically fixed size MTRRs in there and overlapping
-- * MTRRs into large pages causes slow downs.
-- *
-- * Right now we don't do that with gbpages because there seems
-- * very little benefit for that case.
-- */
-- if (!direct_gbpages)
-- set_memory_4k((unsigned long)__va(0), 1);
--#endif
- }
-
- /*
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -13,14 +13,19 @@
- #include <linux/sched/mm.h>
- #include <linux/sched/clock.h>
- #include <linux/sched/task.h>
-+#include <linux/sched/smt.h>
- #include <linux/init.h>
- #include <linux/kprobes.h>
- #include <linux/kgdb.h>
- #include <linux/smp.h>
-+#include <linux/cpu.h>
- #include <linux/io.h>
- #include <linux/syscore_ops.h>
-
- #include <asm/stackprotector.h>
-+#include <linux/utsname.h>
-+
-+#include <asm/alternative.h>
- #include <asm/perf_event.h>
- #include <asm/mmu_context.h>
- #include <asm/archrandom.h>
-@@ -56,6 +61,7 @@
- #ifdef CONFIG_X86_LOCAL_APIC
- #include <asm/uv/uv.h>
- #endif
-+#include <asm/set_memory.h>
-
- #include "cpu.h"
-
-@@ -2097,3 +2103,52 @@ void microcode_check(void)
- pr_warn("x86/CPU: CPU features have changed after loading microcode, but might not take effect.\n");
- pr_warn("x86/CPU: Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
- }
-+
-+void __init arch_cpu_finalize_init(void)
-+{
-+ identify_boot_cpu();
-+
-+ /*
-+ * identify_boot_cpu() initialized SMT support information, let the
-+ * core code know.
-+ */
-+ cpu_smt_check_topology();
-+
-+ if (!IS_ENABLED(CONFIG_SMP)) {
-+ pr_info("CPU: ");
-+ print_cpu_info(&boot_cpu_data);
-+ }
-+
-+ cpu_select_mitigations();
-+
-+ arch_smt_update();
-+
-+ if (IS_ENABLED(CONFIG_X86_32)) {
-+ /*
-+ * Check whether this is a real i386 which is not longer
-+ * supported and fixup the utsname.
-+ */
-+ if (boot_cpu_data.x86 < 4)
-+ panic("Kernel requires i486+ for 'invlpg' and other features");
-+
-+ init_utsname()->machine[1] =
-+ '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
-+ }
-+
-+ alternative_instructions();
-+
-+ if (IS_ENABLED(CONFIG_X86_64)) {
-+ /*
-+ * Make sure the first 2MB area is not mapped by huge pages
-+ * There are typically fixed size MTRRs in there and overlapping
-+ * MTRRs into large pages causes slow downs.
-+ *
-+ * Right now we don't do that with gbpages because there seems
-+ * very little benefit for that case.
-+ */
-+ if (!direct_gbpages)
-+ set_memory_4k((unsigned long)__va(0), 1);
-+ } else {
-+ fpu__init_check_bugs();
-+ }
-+}
---- a/arch/x86/kernel/cpu/cpu.h
-+++ b/arch/x86/kernel/cpu/cpu.h
-@@ -79,6 +79,7 @@ extern void detect_ht(struct cpuinfo_x86
- extern void check_null_seg_clears_base(struct cpuinfo_x86 *c);
-
- unsigned int aperfmperf_get_khz(int cpu);
-+void cpu_select_mitigations(void);
-
- extern void x86_spec_ctrl_setup_ap(void);
- extern void update_srbds_msr(void);
diff --git a/debian/patches/bugfix/x86/gds/x86-fpu-mark-init-functions-__init.patch b/debian/patches/bugfix/x86/gds/x86-fpu-mark-init-functions-__init.patch
deleted file mode 100644
index b6e116465..000000000
--- a/debian/patches/bugfix/x86/gds/x86-fpu-mark-init-functions-__init.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 677d1e9bb0bff552b161e9058f1b6fdfd88ece91 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:45 +0200
-Subject: x86/fpu: Mark init functions __init
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 1703db2b90c91b2eb2d699519fc505fe431dde0e upstream
-
-No point in keeping them around.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.841685728@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/fpu/init.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/fpu/init.c
-+++ b/arch/x86/kernel/fpu/init.c
-@@ -49,7 +49,7 @@ void fpu__init_cpu(void)
- fpu__init_cpu_xstate();
- }
-
--static bool fpu__probe_without_cpuid(void)
-+static bool __init fpu__probe_without_cpuid(void)
- {
- unsigned long cr0;
- u16 fsw, fcw;
-@@ -67,7 +67,7 @@ static bool fpu__probe_without_cpuid(voi
- return fsw == 0 && (fcw & 0x103f) == 0x003f;
- }
-
--static void fpu__init_system_early_generic(void)
-+static void __init fpu__init_system_early_generic(void)
- {
- if (!boot_cpu_has(X86_FEATURE_CPUID) &&
- !test_bit(X86_FEATURE_FPU, (unsigned long *)cpu_caps_cleared)) {
diff --git a/debian/patches/bugfix/x86/gds/x86-fpu-move-fpu-initialization-into-arch_cpu_finalize_init.patch b/debian/patches/bugfix/x86/gds/x86-fpu-move-fpu-initialization-into-arch_cpu_finalize_init.patch
deleted file mode 100644
index b0423f814..000000000
--- a/debian/patches/bugfix/x86/gds/x86-fpu-move-fpu-initialization-into-arch_cpu_finalize_init.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 8a3b312da29169625141ff9c984a796724240ac1 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:46 +0200
-Subject: x86/fpu: Move FPU initialization into arch_cpu_finalize_init()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit b81fac906a8f9e682e513ddd95697ec7a20878d4 upstream
-
-Initializing the FPU during the early boot process is a pointless
-exercise. Early boot is convoluted and fragile enough.
-
-Nothing requires that the FPU is set up early. It has to be initialized
-before fork_init() because the task_struct size depends on the FPU register
-buffer size.
-
-Move the initialization to arch_cpu_finalize_init() which is the perfect
-place to do so.
-
-No functional change.
-
-This allows to remove quite some of the custom early command line parsing,
-but that's subject to the next installment.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.902376621@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/common.c | 13 +++++++------
- arch/x86/kernel/smpboot.c | 1 +
- 2 files changed, 8 insertions(+), 6 deletions(-)
-
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1278,8 +1278,6 @@ static void __init early_identify_cpu(st
-
- cpu_set_bug_bits(c);
-
-- fpu__init_system();
--
- #ifdef CONFIG_X86_32
- /*
- * Regardless of whether PCID is enumerated, the SDM says
-@@ -1985,8 +1983,6 @@ void cpu_init(void)
- clear_all_debug_regs();
- dbg_restore_debug_regs();
-
-- fpu__init_cpu();
--
- if (is_uv_system())
- uv_cpu_init();
-
-@@ -2050,8 +2046,6 @@ void cpu_init(void)
- clear_all_debug_regs();
- dbg_restore_debug_regs();
-
-- fpu__init_cpu();
--
- load_fixmap_gdt(cpu);
- }
- #endif
-@@ -2136,6 +2130,13 @@ void __init arch_cpu_finalize_init(void)
- '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
- }
-
-+ /*
-+ * Must be before alternatives because it might set or clear
-+ * feature bits.
-+ */
-+ fpu__init_system();
-+ fpu__init_cpu();
-+
- alternative_instructions();
-
- if (IS_ENABLED(CONFIG_X86_64)) {
---- a/arch/x86/kernel/smpboot.c
-+++ b/arch/x86/kernel/smpboot.c
-@@ -231,6 +231,7 @@ static void notrace start_secondary(void
- #endif
- load_current_idt();
- cpu_init();
-+ fpu__init_cpu();
- x86_cpuinit.early_percpu_clock_init();
- preempt_disable();
- smp_callin();
diff --git a/debian/patches/bugfix/x86/gds/x86-fpu-remove-cpuinfo-argument-from-init-functions.patch b/debian/patches/bugfix/x86/gds/x86-fpu-remove-cpuinfo-argument-from-init-functions.patch
deleted file mode 100644
index f5eddda28..000000000
--- a/debian/patches/bugfix/x86/gds/x86-fpu-remove-cpuinfo-argument-from-init-functions.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From a03b110dad183d18d01f0f8e370228c2747133e6 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Wed, 14 Jun 2023 01:39:43 +0200
-Subject: x86/fpu: Remove cpuinfo argument from init functions
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit 1f34bb2a24643e0087652d81078e4f616562738d upstream
-
-Nothing in the call chain requires it
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230613224545.783704297@linutronix.de
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/fpu/internal.h | 2 +-
- arch/x86/kernel/cpu/common.c | 2 +-
- arch/x86/kernel/fpu/init.c | 6 +++---
- 3 files changed, 5 insertions(+), 5 deletions(-)
-
---- a/arch/x86/include/asm/fpu/internal.h
-+++ b/arch/x86/include/asm/fpu/internal.h
-@@ -42,7 +42,7 @@ extern int dump_fpu(struct pt_regs *ptr
- extern void fpu__init_cpu(void);
- extern void fpu__init_system_xstate(void);
- extern void fpu__init_cpu_xstate(void);
--extern void fpu__init_system(struct cpuinfo_x86 *c);
-+extern void fpu__init_system(void);
- extern void fpu__init_check_bugs(void);
- extern void fpu__resume_cpu(void);
- extern u64 fpu__get_supported_xfeatures_mask(void);
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1278,7 +1278,7 @@ static void __init early_identify_cpu(st
-
- cpu_set_bug_bits(c);
-
-- fpu__init_system(c);
-+ fpu__init_system();
-
- #ifdef CONFIG_X86_32
- /*
---- a/arch/x86/kernel/fpu/init.c
-+++ b/arch/x86/kernel/fpu/init.c
-@@ -67,7 +67,7 @@ static bool fpu__probe_without_cpuid(voi
- return fsw == 0 && (fcw & 0x103f) == 0x003f;
- }
-
--static void fpu__init_system_early_generic(struct cpuinfo_x86 *c)
-+static void fpu__init_system_early_generic(void)
- {
- if (!boot_cpu_has(X86_FEATURE_CPUID) &&
- !test_bit(X86_FEATURE_FPU, (unsigned long *)cpu_caps_cleared)) {
-@@ -297,10 +297,10 @@ static void __init fpu__init_parse_early
- * Called on the boot CPU once per system bootup, to set up the initial
- * FPU state that is later cloned into all processes:
- */
--void __init fpu__init_system(struct cpuinfo_x86 *c)
-+void __init fpu__init_system(void)
- {
- fpu__init_parse_early_param();
-- fpu__init_system_early_generic(c);
-+ fpu__init_system_early_generic();
-
- /*
- * The FPU has to be operational for some of the
diff --git a/debian/patches/bugfix/x86/gds/x86-speculation-add-force-option-to-gds-mitigation.patch b/debian/patches/bugfix/x86/gds/x86-speculation-add-force-option-to-gds-mitigation.patch
deleted file mode 100644
index 65c4594b1..000000000
--- a/debian/patches/bugfix/x86/gds/x86-speculation-add-force-option-to-gds-mitigation.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From ead252286b6800873dd961075a36939f15e9b163 Mon Sep 17 00:00:00 2001
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Date: Wed, 12 Jul 2023 19:43:12 -0700
-Subject: x86/speculation: Add force option to GDS mitigation
-
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-
-commit 553a5c03e90a6087e88f8ff878335ef0621536fb upstream
-
-The Gather Data Sampling (GDS) vulnerability allows malicious software
-to infer stale data previously stored in vector registers. This may
-include sensitive data such as cryptographic keys. GDS is mitigated in
-microcode, and systems with up-to-date microcode are protected by
-default. However, any affected system that is running with older
-microcode will still be vulnerable to GDS attacks.
-
-Since the gather instructions used by the attacker are part of the
-AVX2 and AVX512 extensions, disabling these extensions prevents gather
-instructions from being executed, thereby mitigating the system from
-GDS. Disabling AVX2 is sufficient, but we don't have the granularity
-to do this. The XCR0[2] disables AVX, with no option to just disable
-AVX2.
-
-Add a kernel parameter gather_data_sampling=force that will enable the
-microcode mitigation if available, otherwise it will disable AVX on
-affected systems.
-
-This option will be ignored if cmdline mitigations=off.
-
-This is a *big* hammer. It is known to break buggy userspace that
-uses incomplete, buggy AVX enumeration. Unfortunately, such userspace
-does exist in the wild:
-
- https://www.mail-archive.com/bug-coreutils@gnu.org/msg33046.html
-
-[ dhansen: add some more ominous warnings about disabling AVX ]
-
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- Documentation/admin-guide/hw-vuln/gather_data_sampling.rst | 18 +++++++++--
- Documentation/admin-guide/kernel-parameters.txt | 8 ++++-
- arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++-
- 3 files changed, 40 insertions(+), 6 deletions(-)
-
---- a/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
-+++ b/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
-@@ -60,14 +60,21 @@ bits:
- ================================ === ============================
-
- GDS can also be mitigated on systems that don't have updated microcode by
--disabling AVX. This can be done by setting "clearcpuid=avx" on the kernel
--command-line.
-+disabling AVX. This can be done by setting gather_data_sampling="force" or
-+"clearcpuid=avx" on the kernel command-line.
-+
-+If used, these options will disable AVX use by turning on XSAVE YMM support.
-+However, the processor will still enumerate AVX support. Userspace that
-+does not follow proper AVX enumeration to check both AVX *and* XSAVE YMM
-+support will break.
-
- Mitigation control on the kernel command line
- ---------------------------------------------
- The mitigation can be disabled by setting "gather_data_sampling=off" or
--"mitigations=off" on the kernel command line. Not specifying either will
--default to the mitigation being enabled.
-+"mitigations=off" on the kernel command line. Not specifying either will default
-+to the mitigation being enabled. Specifying "gather_data_sampling=force" will
-+use the microcode mitigation when available or disable AVX on affected systems
-+where the microcode hasn't been updated to include the mitigation.
-
- GDS System Information
- ------------------------
-@@ -83,6 +90,9 @@ The possible values contained in this fi
- Vulnerable Processor vulnerable and mitigation disabled.
- Vulnerable: No microcode Processor vulnerable and microcode is missing
- mitigation.
-+ Mitigation: AVX disabled,
-+ no microcode Processor is vulnerable and microcode is missing
-+ mitigation. AVX disabled as mitigation.
- Mitigation: Microcode Processor is vulnerable and mitigation is in
- effect.
- Mitigation: Microcode (locked) Processor is vulnerable and mitigation is in
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -1300,7 +1300,13 @@
-
- This issue is mitigated by default in updated microcode.
- The mitigation may have a performance impact but can be
-- disabled.
-+ disabled. On systems without the microcode mitigation
-+ disabling AVX serves as a mitigation.
-+
-+ force: Disable AVX to mitigate systems without
-+ microcode mitigation. No effect if the microcode
-+ mitigation is present. Known to cause crashes in
-+ userspace with buggy AVX enumeration.
-
- off: Disable GDS mitigation.
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -607,6 +607,7 @@ early_param("srbds", srbds_parse_cmdline
- enum gds_mitigations {
- GDS_MITIGATION_OFF,
- GDS_MITIGATION_UCODE_NEEDED,
-+ GDS_MITIGATION_FORCE,
- GDS_MITIGATION_FULL,
- GDS_MITIGATION_FULL_LOCKED,
- GDS_MITIGATION_HYPERVISOR,
-@@ -617,6 +618,7 @@ static enum gds_mitigations gds_mitigati
- static const char * const gds_strings[] = {
- [GDS_MITIGATION_OFF] = "Vulnerable",
- [GDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
-+ [GDS_MITIGATION_FORCE] = "Mitigation: AVX disabled, no microcode",
- [GDS_MITIGATION_FULL] = "Mitigation: Microcode",
- [GDS_MITIGATION_FULL_LOCKED] = "Mitigation: Microcode (locked)",
- [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
-@@ -642,6 +644,7 @@ void update_gds_msr(void)
- rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
- mcu_ctrl &= ~GDS_MITG_DIS;
- break;
-+ case GDS_MITIGATION_FORCE:
- case GDS_MITIGATION_UCODE_NEEDED:
- case GDS_MITIGATION_HYPERVISOR:
- return;
-@@ -676,10 +679,23 @@ static void __init gds_select_mitigation
-
- /* No microcode */
- if (!(x86_read_arch_cap_msr() & ARCH_CAP_GDS_CTRL)) {
-- gds_mitigation = GDS_MITIGATION_UCODE_NEEDED;
-+ if (gds_mitigation == GDS_MITIGATION_FORCE) {
-+ /*
-+ * This only needs to be done on the boot CPU so do it
-+ * here rather than in update_gds_msr()
-+ */
-+ setup_clear_cpu_cap(X86_FEATURE_AVX);
-+ pr_warn("Microcode update needed! Disabling AVX as mitigation.\n");
-+ } else {
-+ gds_mitigation = GDS_MITIGATION_UCODE_NEEDED;
-+ }
- goto out;
- }
-
-+ /* Microcode has mitigation, use it */
-+ if (gds_mitigation == GDS_MITIGATION_FORCE)
-+ gds_mitigation = GDS_MITIGATION_FULL;
-+
- rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
- if (mcu_ctrl & GDS_MITG_LOCKED) {
- if (gds_mitigation == GDS_MITIGATION_OFF)
-@@ -710,6 +726,8 @@ static int __init gds_parse_cmdline(char
-
- if (!strcmp(str, "off"))
- gds_mitigation = GDS_MITIGATION_OFF;
-+ else if (!strcmp(str, "force"))
-+ gds_mitigation = GDS_MITIGATION_FORCE;
-
- return 0;
- }
diff --git a/debian/patches/bugfix/x86/gds/x86-speculation-add-gather-data-sampling-mitigation.patch b/debian/patches/bugfix/x86/gds/x86-speculation-add-gather-data-sampling-mitigation.patch
deleted file mode 100644
index c426811c6..000000000
--- a/debian/patches/bugfix/x86/gds/x86-speculation-add-gather-data-sampling-mitigation.patch
+++ /dev/null
@@ -1,562 +0,0 @@
-From d63b3f0e819275ee64648eb01330aad3e347d9ba Mon Sep 17 00:00:00 2001
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Date: Wed, 12 Jul 2023 19:43:11 -0700
-Subject: x86/speculation: Add Gather Data Sampling mitigation
-
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-
-commit 8974eb588283b7d44a7c91fa09fcbaf380339f3a upstream
-
-Gather Data Sampling (GDS) is a hardware vulnerability which allows
-unprivileged speculative access to data which was previously stored in
-vector registers.
-
-Intel processors that support AVX2 and AVX512 have gather instructions
-that fetch non-contiguous data elements from memory. On vulnerable
-hardware, when a gather instruction is transiently executed and
-encounters a fault, stale data from architectural or internal vector
-registers may get transiently stored to the destination vector
-register allowing an attacker to infer the stale data using typical
-side channel techniques like cache timing attacks.
-
-This mitigation is different from many earlier ones for two reasons.
-First, it is enabled by default and a bit must be set to *DISABLE* it.
-This is the opposite of normal mitigation polarity. This means GDS can
-be mitigated simply by updating microcode and leaving the new control
-bit alone.
-
-Second, GDS has a "lock" bit. This lock bit is there because the
-mitigation affects the hardware security features KeyLocker and SGX.
-It needs to be enabled and *STAY* enabled for these features to be
-mitigated against GDS.
-
-The mitigation is enabled in the microcode by default. Disable it by
-setting gather_data_sampling=off or by disabling all mitigations with
-mitigations=off. The mitigation status can be checked by reading:
-
- /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
-
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- Documentation/ABI/testing/sysfs-devices-system-cpu | 11 -
- Documentation/admin-guide/hw-vuln/gather_data_sampling.rst | 99 +++++++++
- Documentation/admin-guide/hw-vuln/index.rst | 1
- Documentation/admin-guide/kernel-parameters.txt | 33 ++-
- arch/x86/include/asm/cpufeatures.h | 1
- arch/x86/include/asm/msr-index.h | 11 +
- arch/x86/kernel/cpu/bugs.c | 129 +++++++++++++
- arch/x86/kernel/cpu/common.c | 34 ++-
- arch/x86/kernel/cpu/cpu.h | 1
- drivers/base/cpu.c | 8
- 10 files changed, 305 insertions(+), 23 deletions(-)
- create mode 100644 Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
-
---- a/Documentation/ABI/testing/sysfs-devices-system-cpu
-+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
-@@ -472,16 +472,17 @@ Description: information about CPUs hete
- cpu_capacity: capacity of cpu#.
-
- What: /sys/devices/system/cpu/vulnerabilities
-+ /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
-+ /sys/devices/system/cpu/vulnerabilities/itlb_multihit
-+ /sys/devices/system/cpu/vulnerabilities/l1tf
-+ /sys/devices/system/cpu/vulnerabilities/mds
- /sys/devices/system/cpu/vulnerabilities/meltdown
-+ /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
-+ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
- /sys/devices/system/cpu/vulnerabilities/spectre_v1
- /sys/devices/system/cpu/vulnerabilities/spectre_v2
-- /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
-- /sys/devices/system/cpu/vulnerabilities/l1tf
-- /sys/devices/system/cpu/vulnerabilities/mds
- /sys/devices/system/cpu/vulnerabilities/srbds
- /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
-- /sys/devices/system/cpu/vulnerabilities/itlb_multihit
-- /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
- Date: January 2018
- Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
- Description: Information about CPU vulnerabilities
---- /dev/null
-+++ b/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
-@@ -0,0 +1,99 @@
-+.. SPDX-License-Identifier: GPL-2.0
-+
-+GDS - Gather Data Sampling
-+==========================
-+
-+Gather Data Sampling is a hardware vulnerability which allows unprivileged
-+speculative access to data which was previously stored in vector registers.
-+
-+Problem
-+-------
-+When a gather instruction performs loads from memory, different data elements
-+are merged into the destination vector register. However, when a gather
-+instruction that is transiently executed encounters a fault, stale data from
-+architectural or internal vector registers may get transiently forwarded to the
-+destination vector register instead. This will allow a malicious attacker to
-+infer stale data using typical side channel techniques like cache timing
-+attacks. GDS is a purely sampling-based attack.
-+
-+The attacker uses gather instructions to infer the stale vector register data.
-+The victim does not need to do anything special other than use the vector
-+registers. The victim does not need to use gather instructions to be
-+vulnerable.
-+
-+Because the buffers are shared between Hyper-Threads cross Hyper-Thread attacks
-+are possible.
-+
-+Attack scenarios
-+----------------
-+Without mitigation, GDS can infer stale data across virtually all
-+permission boundaries:
-+
-+ Non-enclaves can infer SGX enclave data
-+ Userspace can infer kernel data
-+ Guests can infer data from hosts
-+ Guest can infer guest from other guests
-+ Users can infer data from other users
-+
-+Because of this, it is important to ensure that the mitigation stays enabled in
-+lower-privilege contexts like guests and when running outside SGX enclaves.
-+
-+The hardware enforces the mitigation for SGX. Likewise, VMMs should ensure
-+that guests are not allowed to disable the GDS mitigation. If a host erred and
-+allowed this, a guest could theoretically disable GDS mitigation, mount an
-+attack, and re-enable it.
-+
-+Mitigation mechanism
-+--------------------
-+This issue is mitigated in microcode. The microcode defines the following new
-+bits:
-+
-+ ================================ === ============================
-+ IA32_ARCH_CAPABILITIES[GDS_CTRL] R/O Enumerates GDS vulnerability
-+ and mitigation support.
-+ IA32_ARCH_CAPABILITIES[GDS_NO] R/O Processor is not vulnerable.
-+ IA32_MCU_OPT_CTRL[GDS_MITG_DIS] R/W Disables the mitigation
-+ 0 by default.
-+ IA32_MCU_OPT_CTRL[GDS_MITG_LOCK] R/W Locks GDS_MITG_DIS=0. Writes
-+ to GDS_MITG_DIS are ignored
-+ Can't be cleared once set.
-+ ================================ === ============================
-+
-+GDS can also be mitigated on systems that don't have updated microcode by
-+disabling AVX. This can be done by setting "clearcpuid=avx" on the kernel
-+command-line.
-+
-+Mitigation control on the kernel command line
-+---------------------------------------------
-+The mitigation can be disabled by setting "gather_data_sampling=off" or
-+"mitigations=off" on the kernel command line. Not specifying either will
-+default to the mitigation being enabled.
-+
-+GDS System Information
-+------------------------
-+The kernel provides vulnerability status information through sysfs. For
-+GDS this can be accessed by the following sysfs file:
-+
-+/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
-+
-+The possible values contained in this file are:
-+
-+ ============================== =============================================
-+ Not affected Processor not vulnerable.
-+ Vulnerable Processor vulnerable and mitigation disabled.
-+ Vulnerable: No microcode Processor vulnerable and microcode is missing
-+ mitigation.
-+ Mitigation: Microcode Processor is vulnerable and mitigation is in
-+ effect.
-+ Mitigation: Microcode (locked) Processor is vulnerable and mitigation is in
-+ effect and cannot be disabled.
-+ Unknown: Dependent on
-+ hypervisor status Running on a virtual guest processor that is
-+ affected but with no way to know if host
-+ processor is mitigated or vulnerable.
-+ ============================== =============================================
-+
-+GDS Default mitigation
-+----------------------
-+The updated microcode will enable the mitigation by default. The kernel's
-+default action is to leave the mitigation enabled.
---- a/Documentation/admin-guide/hw-vuln/index.rst
-+++ b/Documentation/admin-guide/hw-vuln/index.rst
-@@ -16,3 +16,4 @@ are configurable at compile, boot or run
- multihit.rst
- special-register-buffer-data-sampling.rst
- processor_mmio_stale_data.rst
-+ gather_data_sampling.rst
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -1290,6 +1290,20 @@
- Format: off | on
- default: on
-
-+ gather_data_sampling=
-+ [X86,INTEL] Control the Gather Data Sampling (GDS)
-+ mitigation.
-+
-+ Gather Data Sampling is a hardware vulnerability which
-+ allows unprivileged speculative access to data which was
-+ previously stored in vector registers.
-+
-+ This issue is mitigated by default in updated microcode.
-+ The mitigation may have a performance impact but can be
-+ disabled.
-+
-+ off: Disable GDS mitigation.
-+
- gcov_persist= [GCOV] When non-zero (default), profiling data for
- kernel modules is saved and remains accessible via
- debugfs, even when the module is unloaded/reloaded.
-@@ -2555,22 +2569,23 @@
- Disable all optional CPU mitigations. This
- improves system performance, but it may also
- expose users to several CPU vulnerabilities.
-- Equivalent to: nopti [X86,PPC]
-+ Equivalent to: gather_data_sampling=off [X86]
- kpti=0 [ARM64]
-- nospectre_v1 [PPC]
-+ kvm.nx_huge_pages=off [X86]
-+ l1tf=off [X86]
-+ mds=off [X86]
-+ mmio_stale_data=off [X86]
-+ no_entry_flush [PPC]
-+ no_uaccess_flush [PPC]
- nobp=0 [S390]
-+ nopti [X86,PPC]
-+ nospectre_v1 [PPC]
- nospectre_v1 [X86]
- nospectre_v2 [X86,PPC,S390,ARM64]
-- spectre_v2_user=off [X86]
- spec_store_bypass_disable=off [X86,PPC]
-+ spectre_v2_user=off [X86]
- ssbd=force-off [ARM64]
-- l1tf=off [X86]
-- mds=off [X86]
- tsx_async_abort=off [X86]
-- kvm.nx_huge_pages=off [X86]
-- no_entry_flush [PPC]
-- no_uaccess_flush [PPC]
-- mmio_stale_data=off [X86]
-
- Exceptions:
- This does not have any effect on
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -409,5 +409,6 @@
- #define X86_BUG_MMIO_UNKNOWN X86_BUG(26) /* CPU is too old and its MMIO Stale Data status is unknown */
- #define X86_BUG_RETBLEED X86_BUG(27) /* CPU is affected by RETBleed */
- #define X86_BUG_EIBRS_PBRSB X86_BUG(28) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
-+#define X86_BUG_GDS X86_BUG(29) /* CPU is affected by Gather Data Sampling */
-
- #endif /* _ASM_X86_CPUFEATURES_H */
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -138,6 +138,15 @@
- * Not susceptible to Post-Barrier
- * Return Stack Buffer Predictions.
- */
-+#define ARCH_CAP_GDS_CTRL BIT(25) /*
-+ * CPU is vulnerable to Gather
-+ * Data Sampling (GDS) and
-+ * has controls for mitigation.
-+ */
-+#define ARCH_CAP_GDS_NO BIT(26) /*
-+ * CPU is not vulnerable to Gather
-+ * Data Sampling (GDS).
-+ */
-
- #define MSR_IA32_FLUSH_CMD 0x0000010b
- #define L1D_FLUSH BIT(0) /*
-@@ -156,6 +165,8 @@
- #define MSR_IA32_MCU_OPT_CTRL 0x00000123
- #define RNGDS_MITG_DIS BIT(0)
- #define FB_CLEAR_DIS BIT(3) /* CPU Fill buffer clear disable */
-+#define GDS_MITG_DIS BIT(4) /* Disable GDS mitigation */
-+#define GDS_MITG_LOCKED BIT(5) /* GDS mitigation locked */
-
- #define MSR_IA32_SYSENTER_CS 0x00000174
- #define MSR_IA32_SYSENTER_ESP 0x00000175
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -44,6 +44,7 @@ static void __init md_clear_select_mitig
- static void __init taa_select_mitigation(void);
- static void __init mmio_select_mitigation(void);
- static void __init srbds_select_mitigation(void);
-+static void __init gds_select_mitigation(void);
-
- /* The base value of the SPEC_CTRL MSR without task-specific bits set */
- u64 x86_spec_ctrl_base;
-@@ -149,6 +150,7 @@ void __init cpu_select_mitigations(void)
- l1tf_select_mitigation();
- md_clear_select_mitigation();
- srbds_select_mitigation();
-+ gds_select_mitigation();
- }
-
- /*
-@@ -600,6 +602,120 @@ static int __init srbds_parse_cmdline(ch
- early_param("srbds", srbds_parse_cmdline);
-
- #undef pr_fmt
-+#define pr_fmt(fmt) "GDS: " fmt
-+
-+enum gds_mitigations {
-+ GDS_MITIGATION_OFF,
-+ GDS_MITIGATION_UCODE_NEEDED,
-+ GDS_MITIGATION_FULL,
-+ GDS_MITIGATION_FULL_LOCKED,
-+ GDS_MITIGATION_HYPERVISOR,
-+};
-+
-+static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
-+
-+static const char * const gds_strings[] = {
-+ [GDS_MITIGATION_OFF] = "Vulnerable",
-+ [GDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
-+ [GDS_MITIGATION_FULL] = "Mitigation: Microcode",
-+ [GDS_MITIGATION_FULL_LOCKED] = "Mitigation: Microcode (locked)",
-+ [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
-+};
-+
-+void update_gds_msr(void)
-+{
-+ u64 mcu_ctrl_after;
-+ u64 mcu_ctrl;
-+
-+ switch (gds_mitigation) {
-+ case GDS_MITIGATION_OFF:
-+ rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
-+ mcu_ctrl |= GDS_MITG_DIS;
-+ break;
-+ case GDS_MITIGATION_FULL_LOCKED:
-+ /*
-+ * The LOCKED state comes from the boot CPU. APs might not have
-+ * the same state. Make sure the mitigation is enabled on all
-+ * CPUs.
-+ */
-+ case GDS_MITIGATION_FULL:
-+ rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
-+ mcu_ctrl &= ~GDS_MITG_DIS;
-+ break;
-+ case GDS_MITIGATION_UCODE_NEEDED:
-+ case GDS_MITIGATION_HYPERVISOR:
-+ return;
-+ };
-+
-+ wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
-+
-+ /*
-+ * Check to make sure that the WRMSR value was not ignored. Writes to
-+ * GDS_MITG_DIS will be ignored if this processor is locked but the boot
-+ * processor was not.
-+ */
-+ rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl_after);
-+ WARN_ON_ONCE(mcu_ctrl != mcu_ctrl_after);
-+}
-+
-+static void __init gds_select_mitigation(void)
-+{
-+ u64 mcu_ctrl;
-+
-+ if (!boot_cpu_has_bug(X86_BUG_GDS))
-+ return;
-+
-+ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
-+ gds_mitigation = GDS_MITIGATION_HYPERVISOR;
-+ goto out;
-+ }
-+
-+ if (cpu_mitigations_off())
-+ gds_mitigation = GDS_MITIGATION_OFF;
-+ /* Will verify below that mitigation _can_ be disabled */
-+
-+ /* No microcode */
-+ if (!(x86_read_arch_cap_msr() & ARCH_CAP_GDS_CTRL)) {
-+ gds_mitigation = GDS_MITIGATION_UCODE_NEEDED;
-+ goto out;
-+ }
-+
-+ rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
-+ if (mcu_ctrl & GDS_MITG_LOCKED) {
-+ if (gds_mitigation == GDS_MITIGATION_OFF)
-+ pr_warn("Mitigation locked. Disable failed.\n");
-+
-+ /*
-+ * The mitigation is selected from the boot CPU. All other CPUs
-+ * _should_ have the same state. If the boot CPU isn't locked
-+ * but others are then update_gds_msr() will WARN() of the state
-+ * mismatch. If the boot CPU is locked update_gds_msr() will
-+ * ensure the other CPUs have the mitigation enabled.
-+ */
-+ gds_mitigation = GDS_MITIGATION_FULL_LOCKED;
-+ }
-+
-+ update_gds_msr();
-+out:
-+ pr_info("%s\n", gds_strings[gds_mitigation]);
-+}
-+
-+static int __init gds_parse_cmdline(char *str)
-+{
-+ if (!str)
-+ return -EINVAL;
-+
-+ if (!boot_cpu_has_bug(X86_BUG_GDS))
-+ return 0;
-+
-+ if (!strcmp(str, "off"))
-+ gds_mitigation = GDS_MITIGATION_OFF;
-+
-+ return 0;
-+}
-+early_param("gather_data_sampling", gds_parse_cmdline);
-+
-+#undef pr_fmt
- #define pr_fmt(fmt) "Spectre V1 : " fmt
-
- enum spectre_v1_mitigation {
-@@ -2147,6 +2263,11 @@ static ssize_t retbleed_show_state(char
- return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
- }
-
-+static ssize_t gds_show_state(char *buf)
-+{
-+ return sysfs_emit(buf, "%s\n", gds_strings[gds_mitigation]);
-+}
-+
- static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
- char *buf, unsigned int bug)
- {
-@@ -2196,6 +2317,9 @@ static ssize_t cpu_show_common(struct de
- case X86_BUG_RETBLEED:
- return retbleed_show_state(buf);
-
-+ case X86_BUG_GDS:
-+ return gds_show_state(buf);
-+
- default:
- break;
- }
-@@ -2260,4 +2384,9 @@ ssize_t cpu_show_retbleed(struct device
- {
- return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
- }
-+
-+ssize_t cpu_show_gds(struct device *dev, struct device_attribute *attr, char *buf)
-+{
-+ return cpu_show_common(dev, attr, buf, X86_BUG_GDS);
-+}
- #endif
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1047,6 +1047,8 @@ static const __initconst struct x86_cpu_
- #define MMIO_SBDS BIT(2)
- /* CPU is affected by RETbleed, speculating where you would not expect it */
- #define RETBLEED BIT(3)
-+/* CPU is affected by GDS */
-+#define GDS BIT(4)
-
- static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
- VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
-@@ -1059,18 +1061,20 @@ static const struct x86_cpu_id cpu_vuln_
- VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO),
- VULNBL_INTEL_STEPPINGS(BROADWELL_CORE, X86_STEPPING_ANY, SRBDS),
- VULNBL_INTEL_STEPPINGS(SKYLAKE_MOBILE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
-- VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED),
-+ VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED | GDS),
- VULNBL_INTEL_STEPPINGS(SKYLAKE_DESKTOP, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
-- VULNBL_INTEL_STEPPINGS(KABYLAKE_MOBILE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
-- VULNBL_INTEL_STEPPINGS(KABYLAKE_DESKTOP,X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
-+ VULNBL_INTEL_STEPPINGS(KABYLAKE_MOBILE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS),
-+ VULNBL_INTEL_STEPPINGS(KABYLAKE_DESKTOP,X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS),
- VULNBL_INTEL_STEPPINGS(CANNONLAKE_MOBILE,X86_STEPPING_ANY, RETBLEED),
-- VULNBL_INTEL_STEPPINGS(ICELAKE_MOBILE, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
-- VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPING_ANY, MMIO),
-- VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPING_ANY, MMIO),
-- VULNBL_INTEL_STEPPINGS(COMETLAKE, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
-- VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
-+ VULNBL_INTEL_STEPPINGS(ICELAKE_MOBILE, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS),
-+ VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPING_ANY, MMIO | GDS),
-+ VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPING_ANY, MMIO | GDS),
-+ VULNBL_INTEL_STEPPINGS(COMETLAKE, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS),
-+ VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS),
-+ VULNBL_INTEL_STEPPINGS(TIGERLAKE_L, X86_STEPPING_ANY, GDS),
-+ VULNBL_INTEL_STEPPINGS(TIGERLAKE, X86_STEPPING_ANY, GDS),
- VULNBL_INTEL_STEPPINGS(LAKEFIELD, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
-- VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPING_ANY, MMIO | RETBLEED),
-+ VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPING_ANY, MMIO | RETBLEED | GDS),
- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPING_ANY, MMIO | MMIO_SBDS),
- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_X, X86_STEPPING_ANY, MMIO),
- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS),
-@@ -1193,6 +1197,16 @@ static void __init cpu_set_bug_bits(stru
- !(ia32_cap & ARCH_CAP_PBRSB_NO))
- setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB);
-
-+ /*
-+ * Check if CPU is vulnerable to GDS. If running in a virtual machine on
-+ * an affected processor, the VMM may have disabled the use of GATHER by
-+ * disabling AVX2. The only way to do this in HW is to clear XCR0[2],
-+ * which means that AVX will be disabled.
-+ */
-+ if (cpu_matches(cpu_vuln_blacklist, GDS) && !(ia32_cap & ARCH_CAP_GDS_NO) &&
-+ boot_cpu_has(X86_FEATURE_AVX))
-+ setup_force_cpu_bug(X86_BUG_GDS);
-+
- if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
- return;
-
-@@ -1666,6 +1680,8 @@ void identify_secondary_cpu(struct cpuin
- validate_apic_and_package_id(c);
- x86_spec_ctrl_setup_ap();
- update_srbds_msr();
-+ if (boot_cpu_has_bug(X86_BUG_GDS))
-+ update_gds_msr();
- }
-
- static __init int setup_noclflush(char *arg)
---- a/arch/x86/kernel/cpu/cpu.h
-+++ b/arch/x86/kernel/cpu/cpu.h
-@@ -83,6 +83,7 @@ void cpu_select_mitigations(void);
-
- extern void x86_spec_ctrl_setup_ap(void);
- extern void update_srbds_msr(void);
-+extern void update_gds_msr(void);
-
- extern u64 x86_read_arch_cap_msr(void);
-
---- a/drivers/base/cpu.c
-+++ b/drivers/base/cpu.c
-@@ -584,6 +584,12 @@ ssize_t __weak cpu_show_retbleed(struct
- return sysfs_emit(buf, "Not affected\n");
- }
-
-+ssize_t __weak cpu_show_gds(struct device *dev,
-+ struct device_attribute *attr, char *buf)
-+{
-+ return sysfs_emit(buf, "Not affected\n");
-+}
-+
- static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
- static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
- static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
-@@ -595,6 +601,7 @@ static DEVICE_ATTR(itlb_multihit, 0444,
- static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
- static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL);
- static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
-+static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
-
- static struct attribute *cpu_root_vulnerabilities_attrs[] = {
- &dev_attr_meltdown.attr,
-@@ -608,6 +615,7 @@ static struct attribute *cpu_root_vulner
- &dev_attr_srbds.attr,
- &dev_attr_mmio_stale_data.attr,
- &dev_attr_retbleed.attr,
-+ &dev_attr_gather_data_sampling.attr,
- NULL
- };
-
diff --git a/debian/patches/bugfix/x86/gds/x86-speculation-add-kconfig-option-for-gds.patch b/debian/patches/bugfix/x86/gds/x86-speculation-add-kconfig-option-for-gds.patch
deleted file mode 100644
index 5d01d4fa9..000000000
--- a/debian/patches/bugfix/x86/gds/x86-speculation-add-kconfig-option-for-gds.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From dc9710d3e8c3a26fbd764f4bd733814c9464bf31 Mon Sep 17 00:00:00 2001
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Date: Wed, 12 Jul 2023 19:43:13 -0700
-Subject: x86/speculation: Add Kconfig option for GDS
-
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-
-commit 53cf5797f114ba2bd86d23a862302119848eff19 upstream
-
-Gather Data Sampling (GDS) is mitigated in microcode. However, on
-systems that haven't received the updated microcode, disabling AVX
-can act as a mitigation. Add a Kconfig option that uses the microcode
-mitigation if available and disables AVX otherwise. Setting this
-option has no effect on systems not affected by GDS. This is the
-equivalent of setting gather_data_sampling=force.
-
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/Kconfig | 19 +++++++++++++++++++
- arch/x86/kernel/cpu/bugs.c | 4 ++++
- 2 files changed, 23 insertions(+)
-
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -2438,6 +2438,25 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK
- def_bool y
- depends on X86_64 || X86_PAE
-
-+config GDS_FORCE_MITIGATION
-+ bool "Force GDS Mitigation"
-+ depends on CPU_SUP_INTEL
-+ default n
-+ help
-+ Gather Data Sampling (GDS) is a hardware vulnerability which allows
-+ unprivileged speculative access to data which was previously stored in
-+ vector registers.
-+
-+ This option is equivalent to setting gather_data_sampling=force on the
-+ command line. The microcode mitigation is used if present, otherwise
-+ AVX is disabled as a mitigation. On affected systems that are missing
-+ the microcode any userspace code that unconditionally uses AVX will
-+ break with this option set.
-+
-+ Setting this option on systems not vulnerable to GDS has no effect.
-+
-+ If in doubt, say N.
-+
- config ARCH_ENABLE_HUGEPAGE_MIGRATION
- def_bool y
- depends on X86_64 && HUGETLB_PAGE && MIGRATION
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -613,7 +613,11 @@ enum gds_mitigations {
- GDS_MITIGATION_HYPERVISOR,
- };
-
-+#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)
-+static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
-+#else
- static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
-+#endif
-
- static const char * const gds_strings[] = {
- [GDS_MITIGATION_OFF] = "Vulnerable",
diff --git a/debian/patches/bugfix/x86/gds/x86-xen-fix-secondary-processors-fpu-initialization.patch b/debian/patches/bugfix/x86/gds/x86-xen-fix-secondary-processors-fpu-initialization.patch
deleted file mode 100644
index 658710bb5..000000000
--- a/debian/patches/bugfix/x86/gds/x86-xen-fix-secondary-processors-fpu-initialization.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From fe3e0a13e597c1c8617814bf9b42ab732db5c26e Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Mon, 3 Jul 2023 15:00:32 +0200
-Subject: x86/xen: Fix secondary processors' FPU initialization
-
-From: Juergen Gross <jgross@suse.com>
-
-commit fe3e0a13e597c1c8617814bf9b42ab732db5c26e upstream.
-
-Moving the call of fpu__init_cpu() from cpu_init() to start_secondary()
-broke Xen PV guests, as those don't call start_secondary() for APs.
-
-Call fpu__init_cpu() in Xen's cpu_bringup(), which is the Xen PV
-replacement of start_secondary().
-
-Fixes: b81fac906a8f ("x86/fpu: Move FPU initialization into arch_cpu_finalize_init()")
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/20230703130032.22916-1-jgross@suse.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/xen/smp_pv.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/arch/x86/xen/smp_pv.c
-+++ b/arch/x86/xen/smp_pv.c
-@@ -27,6 +27,7 @@
- #include <asm/desc.h>
- #include <asm/pgtable.h>
- #include <asm/cpu.h>
-+#include <asm/fpu/internal.h>
-
- #include <xen/interface/xen.h>
- #include <xen/interface/vcpu.h>
-@@ -58,6 +59,7 @@ static void cpu_bringup(void)
- int cpu;
-
- cpu_init();
-+ fpu__init_cpu();
- touch_softlockup_watchdog();
- preempt_disable();
-