meltdown

diff -upr linux-3.10.0-693.11.1.el7/arch/arm64/include/asm/barrier.h linux-3.10.0-693.11.6.el7/arch/arm64/include/asm/barrier.h
--- linux-3.10.0-693.11.1.el7/arch/arm64/include/asm/barrier.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/arm64/include/asm/barrier.h	2017-12-28 19:59:43.000000000 +0100
@@ -44,6 +44,8 @@
 #define smp_wmb()	asm volatile("dmb ishst" : : : "memory")
 #endif

+#define gmb()		do { } while (0)
+
 #define read_barrier_depends()		do { } while(0)
 #define smp_read_barrier_depends()	do { } while(0)

diff -upr linux-3.10.0-693.11.1.el7/arch/powerpc/include/asm/barrier.h linux-3.10.0-693.11.6.el7/arch/powerpc/include/asm/barrier.h
--- linux-3.10.0-693.11.1.el7/arch/powerpc/include/asm/barrier.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/powerpc/include/asm/barrier.h	2017-12-28 19:59:43.000000000 +0100
@@ -34,6 +34,8 @@
 #define rmb()  __asm__ __volatile__ ("sync" : : : "memory")
 #define wmb()  __asm__ __volatile__ ("sync" : : : "memory")

+#define gmb()  do { } while (0)
+
 #define set_mb(var, value)	do { var = value; mb(); } while (0)

 #ifdef __SUBARCH_HAS_LWSYNC
diff -upr linux-3.10.0-693.11.1.el7/arch/s390/include/asm/barrier.h linux-3.10.0-693.11.6.el7/arch/s390/include/asm/barrier.h
--- linux-3.10.0-693.11.1.el7/arch/s390/include/asm/barrier.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/s390/include/asm/barrier.h	2017-12-28 19:59:43.000000000 +0100
@@ -30,6 +30,8 @@
 #define smp_rmb()			rmb()
 #define smp_wmb()			wmb()

+#define gmb()				do { } while (0)
+
 #define read_barrier_depends()		do { } while (0)
 #define smp_read_barrier_depends()	do { } while (0)

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/boot/compressed/misc.h linux-3.10.0-693.11.6.el7/arch/x86/boot/compressed/misc.h
--- linux-3.10.0-693.11.1.el7/arch/x86/boot/compressed/misc.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/boot/compressed/misc.h	2017-12-28 19:59:43.000000000 +0100
@@ -7,6 +7,7 @@
  * we just keep it from happening
  */
 #undef CONFIG_PARAVIRT
+#undef CONFIG_KAISER
 #ifdef CONFIG_X86_32
 #define _ASM_X86_DESC_H 1
 #endif
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/events/intel/ds.c linux-3.10.0-693.11.6.el7/arch/x86/events/intel/ds.c
--- linux-3.10.0-693.11.1.el7/arch/x86/events/intel/ds.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/events/intel/ds.c	2017-12-28 19:59:43.000000000 +0100
@@ -1,12 +1,16 @@
 #include <linux/bitops.h>
 #include <linux/types.h>
 #include <linux/slab.h>
+#include <linux/kaiser.h>

 #include <asm/perf_event.h>
 #include <asm/insn.h>

 #include "../perf_event.h"

+static
+DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct debug_store, cpu_debug_store);
+
 /* The size of a BTS record in bytes: */
 #define BTS_RECORD_SIZE		24

@@ -268,6 +272,31 @@ void fini_debug_store_on_cpu(int cpu)

 static DEFINE_PER_CPU(void *, insn_buffer);

+static void *dsalloc(size_t size, gfp_t flags, int node)
+{
+	unsigned int order = get_order(size);
+	struct page *page;
+	unsigned long addr;
+
+	page = alloc_pages_node(node, flags | __GFP_ZERO, order);
+	if (!page)
+		return NULL;
+	addr = (unsigned long)page_address(page);
+	if (kaiser_add_mapping(addr, size, __PAGE_KERNEL | _PAGE_GLOBAL) < 0) {
+		__free_pages(page, order);
+		addr = 0;
+	}
+	return (void *)addr;
+}
+
+static void dsfree(const void *buffer, size_t size)
+{
+	if (!buffer)
+		return;
+	kaiser_remove_mapping((unsigned long)buffer, size);
+	free_pages((unsigned long)buffer, get_order(size));
+}
+
 static int alloc_pebs_buffer(int cpu)
 {
 	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
@@ -278,7 +307,7 @@ static int alloc_pebs_buffer(int cpu)
 	if (!x86_pmu.pebs)
 		return 0;

-	buffer = kzalloc_node(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
+	buffer = dsalloc(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
 	if (unlikely(!buffer))
 		return -ENOMEM;

@@ -289,7 +318,7 @@ static int alloc_pebs_buffer(int cpu)
 	if (x86_pmu.intel_cap.pebs_format < 2) {
 		ibuffer = kzalloc_node(PEBS_FIXUP_SIZE, GFP_KERNEL, node);
 		if (!ibuffer) {
-			kfree(buffer);
+			dsfree(buffer, x86_pmu.pebs_buffer_size);
 			return -ENOMEM;
 		}
 		per_cpu(insn_buffer, cpu) = ibuffer;
@@ -315,7 +344,8 @@ static void release_pebs_buffer(int cpu)
 	kfree(per_cpu(insn_buffer, cpu));
 	per_cpu(insn_buffer, cpu) = NULL;

-	kfree((void *)(unsigned long)ds->pebs_buffer_base);
+	dsfree((void *)(unsigned long)ds->pebs_buffer_base,
+			x86_pmu.pebs_buffer_size);
 	ds->pebs_buffer_base = 0;
 }

@@ -329,7 +359,7 @@ static int alloc_bts_buffer(int cpu)
 	if (!x86_pmu.bts)
 		return 0;

-	buffer = kzalloc_node(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
+	buffer = dsalloc(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
 	if (unlikely(!buffer)) {
 		WARN_ONCE(1, "%s: BTS buffer allocation failure\n", __func__);
 		return -ENOMEM;
@@ -355,19 +385,15 @@ static void release_bts_buffer(int cpu)
 	if (!ds || !x86_pmu.bts)
 		return;

-	kfree((void *)(unsigned long)ds->bts_buffer_base);
+	dsfree((void *)(unsigned long)ds->bts_buffer_base, BTS_BUFFER_SIZE);
 	ds->bts_buffer_base = 0;
 }

 static int alloc_ds_buffer(int cpu)
 {
-	int node = cpu_to_node(cpu);
-	struct debug_store *ds;
-
-	ds = kzalloc_node(sizeof(*ds), GFP_KERNEL, node);
-	if (unlikely(!ds))
-		return -ENOMEM;
+	struct debug_store *ds = per_cpu_ptr(&cpu_debug_store, cpu);

+	memset(ds, 0, sizeof(*ds));
 	per_cpu(cpu_hw_events, cpu).ds = ds;

 	return 0;
@@ -381,7 +407,6 @@ static void release_ds_buffer(int cpu)
 		return;

 	per_cpu(cpu_hw_events, cpu).ds = NULL;
-	kfree(ds);
 }

 void release_ds_buffers(void)
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/events/intel/uncore.c linux-3.10.0-693.11.6.el7/arch/x86/events/intel/uncore.c
--- linux-3.10.0-693.11.1.el7/arch/x86/events/intel/uncore.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/events/intel/uncore.c	2017-12-28 19:59:43.000000000 +0100
@@ -840,7 +840,7 @@ static int __init uncore_type_init(struc
 		pmus[i].type	= type;
 		pmus[i].boxes	= kzalloc(size, GFP_KERNEL);
 		if (!pmus[i].boxes)
-			return -ENOMEM;
+			goto err;
 	}

 	type->pmus = pmus;
@@ -854,7 +854,7 @@ static int __init uncore_type_init(struc
 		attr_group = kzalloc(sizeof(struct attribute *) * (i + 1) +
 					sizeof(*attr_group), GFP_KERNEL);
 		if (!attr_group)
-			return -ENOMEM;
+			goto err;

 		attrs = (struct attribute **)(attr_group + 1);
 		attr_group->name = "events";
@@ -867,7 +867,15 @@ static int __init uncore_type_init(struc
 	}

 	type->pmu_group = &uncore_pmu_attr_group;
+
 	return 0;
+
+err:
+	for (i = 0; i < type->num_boxes; i++)
+		kfree(pmus[i].boxes);
+	kfree(pmus);
+
+	return -ENOMEM;
 }

 static int __init
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/ia32/ia32entry.S linux-3.10.0-693.11.6.el7/arch/x86/ia32/ia32entry.S
--- linux-3.10.0-693.11.1.el7/arch/x86/ia32/ia32entry.S	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/ia32/ia32entry.S	2017-12-28 19:59:43.000000000 +0100
@@ -15,8 +15,10 @@
 #include <asm/irqflags.h>
 #include <asm/asm.h>
 #include <asm/smap.h>
+#include <asm/spec_ctrl.h>
 #include <linux/linkage.h>
 #include <linux/err.h>
+#include "../kernel/kaiser.h"

 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
 #include <linux/elf-em.h>
@@ -121,8 +123,12 @@ ENTRY(ia32_sysenter_target)
 	CFI_DEF_CFA	rsp,0
 	CFI_REGISTER	rsp,rbp
 	SWAPGS_UNSAFE_STACK
+	SWITCH_TO_KERNEL_CR3
 	movq	PER_CPU_VAR(kernel_stack), %rsp
 	addq	$(KERNEL_STACK_OFFSET),%rsp
+	ENABLE_IBRS
+	CLEAR_R8_TO_R15
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
 	/*
 	 * No need to follow this irqs on/off section: the syscall
 	 * disabled irqs, here we enable it straight after entry:
@@ -167,6 +173,7 @@ sysenter_dispatch:
 	testl	$_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	jnz	sysexit_audit
 sysexit_from_sys_call:
+	DISABLE_IBRS
 	andl    $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	/* clear IF, that popfq doesn't enable interrupts early */
 	andl  $~0x200,EFLAGS-R11(%rsp)
@@ -182,6 +189,7 @@ sysexit_from_sys_call:
 	popq_cfi %rcx				/* User %esp */
 	CFI_REGISTER rsp,rcx
 	TRACE_IRQS_ON
+	SWITCH_TO_USER_CR3
 	ENABLE_INTERRUPTS_SYSEXIT32

 #ifdef CONFIG_AUDITSYSCALL
@@ -280,14 +288,16 @@ ENTRY(ia32_cstar_target)
 	CFI_REGISTER	rip,rcx
 	/*CFI_REGISTER	rflags,r11*/
 	SWAPGS_UNSAFE_STACK
+	SWITCH_TO_KERNEL_CR3
 	movl	%esp,%r8d
 	CFI_REGISTER	rsp,r8
 	movq	PER_CPU_VAR(kernel_stack),%rsp
+	ENABLE_IBRS
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
 	/*
 	 * No need to follow this irqs on/off section: the syscall
 	 * disabled irqs and here we enable it straight after entry:
 	 */
-	ENABLE_INTERRUPTS(CLBR_NONE)
 	SAVE_ARGS 8,0,0
 	movl 	%eax,%eax	/* zero extension */
 	movq	%rax,ORIG_RAX-ARGOFFSET(%rsp)
@@ -300,11 +310,14 @@ ENTRY(ia32_cstar_target)
 	movq	%r11,EFLAGS-ARGOFFSET(%rsp)
 	/*CFI_REL_OFFSET rflags,EFLAGS-ARGOFFSET*/
 	movq	%r8,RSP-ARGOFFSET(%rsp)
+	CLEAR_R8_TO_R15
+	ENABLE_INTERRUPTS(CLBR_NONE)
 	CFI_REL_OFFSET rsp,RSP-ARGOFFSET
 	/* no need to do an access_ok check here because r8 has been
 	   32bit zero extended */
 	/* hardware stack frame is complete now */
 	ASM_STAC
+	movq	RSP-ARGOFFSET(%rsp), %r8
 1:	movl	(%r8),%r9d
 	_ASM_EXTABLE(1b,ia32_badarg)
 	ASM_CLAC
@@ -324,6 +337,7 @@ cstar_dispatch:
 	testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	jnz sysretl_audit
 sysretl_from_sys_call:
+	DISABLE_IBRS
 	andl $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
 	RESTORE_ARGS 0,-ARG_SKIP,0,0,0
 	movl RIP-ARGOFFSET(%rsp),%ecx
@@ -336,6 +350,7 @@ sysretl_from_sys_call:
 	TRACE_IRQS_ON
 	movl RSP-ARGOFFSET(%rsp),%esp
 	CFI_RESTORE rsp
+	SWITCH_TO_USER_CR3
 	USERGS_SYSRET32

 #ifdef CONFIG_AUDITSYSCALL
@@ -408,6 +423,47 @@ ENTRY(ia32_syscall)
 	PARAVIRT_ADJUST_EXCEPTION_FRAME
 	ASM_CLAC			/* Do this early to minimize exposure */
 	SWAPGS
+	SWITCH_TO_KERNEL_CR3
+
+	/*
+	 * We could remove the boundary checks, but this is more flexible
+	 * in case we need to change TSS_sp0 during context switch and
+	 * point it to the real kernel stack if booted in Xen PV.
+	*/
+	cld
+	movq %rax, %r8
+	movq %rcx, %r9
+	/* Check to see if we're on the trampoline stack. */
+	movq PER_CPU_VAR(init_tss + TSS_sp0), %rcx
+	cmpq %rcx, %rsp
+	ja 1f
+	leaq -TSS_stack_size(%rcx), %rax
+	cmpq %rsp, %rax
+	ja 1f
+	/*
+	 * We're on the trampoline stack.  Copy the trampoline stack's
+	 * contents to the kernel task stack and switch to it.
+	 */
+	pushq %rdi
+	pushq %rsi
+	subq %rsp, %rcx
+	movq PER_CPU_VAR(kernel_stack), %rdi
+	addq $KERNEL_STACK_OFFSET, %rdi
+	subq %rcx, %rdi
+	movq %rdi, %rax
+	movq %rsp, %rsi
+	rep movsb
+	movq %rax, %rsp
+	popq %rsi
+	popq %rdi
+1:
+	movq %r8, %rax
+	movq %r9, %rcx
+
+	ENABLE_IBRS
+	CLEAR_R8_TO_R15
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
+
 	/*
 	 * No need to follow this irqs on/off section: the syscall
 	 * disabled irqs and here we enable it straight after entry:
@@ -415,7 +471,6 @@ ENTRY(ia32_syscall)
 	ENABLE_INTERRUPTS(CLBR_NONE)
 	movl %eax,%eax
 	pushq_cfi %rax
-	cld
 	/* note the registers are not zero extended to the sf.
 	   this could be a problem. */
 	SAVE_ARGS 0,1,0
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/barrier.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/barrier.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/barrier.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/barrier.h	2017-12-28 19:59:43.000000000 +0100
@@ -24,6 +24,8 @@
 #define wmb()	asm volatile("sfence" ::: "memory")
 #endif

+#define gmb() alternative(ASM_NOP3, "lfence", X86_FEATURE_LFENCE_RDTSC)
+
 #ifdef CONFIG_X86_PPRO_FENCE
 #define dma_rmb()	rmb()
 #else
@@ -100,7 +102,6 @@ do {									\
  */
 static __always_inline void rdtsc_barrier(void)
 {
-	alternative(ASM_NOP3, "mfence", X86_FEATURE_MFENCE_RDTSC);
 	alternative(ASM_NOP3, "lfence", X86_FEATURE_LFENCE_RDTSC);
 }

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/cpufeature.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/cpufeature.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/cpufeature.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/cpufeature.h	2017-12-28 19:59:43.000000000 +0100
@@ -93,7 +93,7 @@
 #define X86_FEATURE_SYSCALL32	(3*32+14) /* "" syscall in ia32 userspace */
 #define X86_FEATURE_SYSENTER32	(3*32+15) /* "" sysenter in ia32 userspace */
 #define X86_FEATURE_REP_GOOD	(3*32+16) /* rep microcode works well */
-#define X86_FEATURE_MFENCE_RDTSC (3*32+17) /* "" Mfence synchronizes RDTSC */
+
 #define X86_FEATURE_LFENCE_RDTSC (3*32+18) /* "" Lfence synchronizes RDTSC */
 #define X86_FEATURE_11AP	(3*32+19) /* "" Bad local APIC aka 11AP */
 #define X86_FEATURE_NOPL	(3*32+20) /* The NOPL (0F 1F) instructions */
@@ -191,6 +191,7 @@
 #define X86_FEATURE_CAT_L3	(7*32+ 4) /* Cache Allocation Technology L3 */
 #define X86_FEATURE_CAT_L2	(7*32+ 5) /* Cache Allocation Technology L2 */
 #define X86_FEATURE_CDP_L3	(7*32+ 6) /* Code and Data Prioritization L3 */
+#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */

 #define X86_FEATURE_HW_PSTATE	(7*32+ 8) /* AMD HW-PState */
 #define X86_FEATURE_PROC_FEEDBACK (7*32+ 9) /* AMD ProcFeedbackInterface */
@@ -198,7 +199,8 @@
 #define X86_FEATURE_INTEL_PT	( 7*32+15) /* Intel Processor Trace */
 #define X86_FEATURE_AVX512_4VNNIW (7*32+16) /* AVX-512 Neural Network Instructions */
 #define X86_FEATURE_AVX512_4FMAPS (7*32+17) /* AVX-512 Multiply Accumulation Single precision */
-#define X86_FEATURE_AVX512_VPOPCNTDQ (16*32+14) /* POPCNT for vectors of DW/QW */
+#define X86_FEATURE_SPEC_CTRL	( 7*32+19) /* Control Speculation Control */
+#define X86_FEATURE_IBPB_SUPPORT ( 7*32+20) /* Indirect Branch Prediction Barrier Support */

 /* Virtualization flags: Linux defined, word 8 */
 #define X86_FEATURE_TPR_SHADOW  (8*32+ 0) /* Intel TPR Shadow */
@@ -284,6 +286,7 @@

 /* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */
 #define X86_FEATURE_AVX512VBMI	(16*32+ 1) /* AVX512 Vector Bit Manipulation instructions*/
+#define X86_FEATURE_AVX512_VPOPCNTDQ (16*32+14) /* POPCNT for vectors of DW/QW */

 /*
  * BUG word(s)
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/desc.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/desc.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/desc.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/desc.h	2017-12-28 19:59:43.000000000 +0100
@@ -43,7 +43,7 @@ struct gdt_page {
 	struct desc_struct gdt[GDT_ENTRIES];
 } __attribute__((aligned(PAGE_SIZE)));

-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
+DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct gdt_page, gdt_page);

 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
 {
Только в linux-3.10.0-693.11.6.el7/arch/x86/include/asm: kaiser.h
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/kvm_host.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/kvm_host.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/kvm_host.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/kvm_host.h	2017-12-28 19:59:43.000000000 +0100
@@ -32,6 +32,7 @@
 #include <asm/msr-index.h>
 #include <asm/asm.h>
 #include <asm/kvm_page_track.h>
+#include <asm/spec_ctrl.h>

 #define KVM_MAX_VCPUS 384
 #define KVM_SOFT_MAX_VCPUS 384
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/mmu_context.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/mmu_context.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/mmu_context.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/mmu_context.h	2017-12-28 19:59:43.000000000 +0100
@@ -7,6 +7,7 @@
 #include <asm/tlbflush.h>
 #include <asm/paravirt.h>
 #include <asm/mpx.h>
+#include <asm/spec_ctrl.h>
 #ifndef CONFIG_PARAVIRT
 #include <asm-generic/mm_hooks.h>

@@ -31,6 +32,11 @@ static inline void enter_lazy_tlb(struct
 #endif
 }

+static inline void load_cr3(pgd_t *pgdir)
+{
+	__load_cr3(__pa(pgdir));
+}
+
 static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
 			     struct task_struct *tsk)
 {
@@ -43,6 +49,12 @@ static inline void switch_mm(struct mm_s
 #endif
 		cpumask_set_cpu(cpu, mm_cpumask(next));

+#ifndef CONFIG_PREEMPT_RCU
+		spec_ctrl_ibpb_if_different_creds(tsk);
+#else
+		spec_ctrl_ibpb();
+#endif
+
 		/*
 		 * Re-load page tables.
 		 *
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/msr.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/msr.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/msr.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/msr.h	2017-12-28 19:59:43.000000000 +0100
@@ -154,7 +154,6 @@ static __always_inline unsigned long lon
 	 * that some other imaginary CPU is updating continuously with a
 	 * time stamp.
 	 */
-	alternative(ASM_NOP3, "mfence", X86_FEATURE_MFENCE_RDTSC);
 	alternative(ASM_NOP3, "lfence", X86_FEATURE_LFENCE_RDTSC);

 	return rdtsc();
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/msr-index.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/msr-index.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/msr-index.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/msr-index.h	2017-12-28 19:59:43.000000000 +0100
@@ -32,6 +32,10 @@
 #define EFER_FFXSR		(1<<_EFER_FFXSR)

 /* Intel MSRs. Some also available on other CPUs */
+
+#define MSR_IA32_SPEC_CTRL		0x00000048
+#define MSR_IA32_PRED_CMD		0x00000049
+
 #define MSR_IA32_PERFCTR0		0x000000c1
 #define MSR_IA32_PERFCTR1		0x000000c2
 #define MSR_FSB_FREQ			0x000000cd
@@ -316,6 +320,9 @@
 #define MSR_F15H_PERF_CTR		0xc0010201
 #define MSR_F15H_NB_PERF_CTL		0xc0010240
 #define MSR_F15H_NB_PERF_CTR		0xc0010241
+#define MSR_F15H_PTSC			0xc0010280
+#define MSR_F15H_IC_CFG			0xc0011021
+#define MSR_F15H_IC_CFG_DIS_IND		BIT_ULL(14)

 /* Fam 10h MSRs */
 #define MSR_FAM10H_MMIO_CONF_BASE	0xc0010058
@@ -325,6 +332,8 @@
 #define FAM10H_MMIO_CONF_BASE_MASK	0xfffffffULL
 #define FAM10H_MMIO_CONF_BASE_SHIFT	20
 #define MSR_FAM10H_NODE_ID		0xc001100c
+#define MSR_F10H_DECFG			0xc0011029
+#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1

 /* K8 MSRs */
 #define MSR_K8_TOP_MEM1			0xc001001a
@@ -406,6 +415,8 @@
 #define FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX	(1<<1)
 #define FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX	(1<<2)
 #define FEATURE_CONTROL_LMCE				(1<<20)
+#define FEATURE_ENABLE_IBRS				(1<<0)
+#define FEATURE_SET_IBPB				(1<<0)

 #define MSR_IA32_APICBASE		0x0000001b
 #define MSR_IA32_APICBASE_BSP		(1<<8)
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/mwait.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/mwait.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/mwait.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/mwait.h	2017-12-28 19:59:43.000000000 +0100
@@ -2,6 +2,7 @@
 #define _ASM_X86_MWAIT_H

 #include <linux/sched.h>
+#include <asm/spec_ctrl.h>

 #define MWAIT_SUBSTATE_MASK		0xf
 #define MWAIT_CSTATE_MASK		0xf
@@ -46,9 +47,16 @@ static inline void mwait_idle_with_hints
 		if (this_cpu_has(X86_FEATURE_CLFLUSH_MONITOR))
 			clflush((void *)&current_thread_info()->flags);

+		/*
+		 * IRQs must be disabled here and nmi uses the
+		 * save_paranoid model which always enables ibrs on
+		 * exception entry before any indirect jump can run.
+		 */
+		spec_ctrl_disable_ibrs();
 		__monitor((void *)&current_thread_info()->flags, 0, 0);
 		if (!need_resched())
 			__mwait(eax, ecx);
+		spec_ctrl_enable_ibrs();
 	}
 	__current_clr_polling();
 }
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/pgtable_64.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/pgtable_64.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/pgtable_64.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/pgtable_64.h	2017-12-28 19:59:43.000000000 +0100
@@ -2,6 +2,7 @@
 #define _ASM_X86_PGTABLE_64_H

 #include <linux/const.h>
+#include <linux/kaiser.h>
 #include <asm/pgtable_64_types.h>

 #ifndef __ASSEMBLY__
@@ -112,10 +113,159 @@ static inline void native_pud_clear(pud_
 	native_set_pud(pud, native_make_pud(0));
 }

+#ifdef CONFIG_KAISER
+/*
+ * All top-level KAISER page tables are order-1 pages (8k-aligned
+ * and 8k in size).  The kernel one is at the beginning 4k and
+ * the user (shadow) one is in the last 4k.  To switch between
+ * them, you just need to flip the 12th bit in their addresses.
+ */
+#define KAISER_PGTABLE_SWITCH_BIT	PAGE_SHIFT
+
+/*
+ * This generates better code than the inline assembly in
+ * __set_bit().
+ */
+static inline void *ptr_set_bit(void *ptr, int bit)
+{
+	unsigned long __ptr = (unsigned long)ptr;
+
+	__ptr |= (1<<bit);
+	return (void *)__ptr;
+}
+static inline void *ptr_clear_bit(void *ptr, int bit)
+{
+	unsigned long __ptr = (unsigned long)ptr;
+
+	__ptr &= ~(1<<bit);
+	return (void *)__ptr;
+}
+
+static inline pgd_t *kernel_to_shadow_pgdp(pgd_t *pgdp)
+{
+	return ptr_set_bit(pgdp, KAISER_PGTABLE_SWITCH_BIT);
+}
+static inline pgd_t *shadow_to_kernel_pgdp(pgd_t *pgdp)
+{
+	return ptr_clear_bit(pgdp, KAISER_PGTABLE_SWITCH_BIT);
+}
+#endif /* CONFIG_KAISER */
+
+/*
+ * Page table pages are page-aligned.  The lower half of the top
+ * level is used for userspace and the top half for the kernel.
+ *
+ * Returns true for parts of the PGD that map userspace and
+ * false for the parts that map the kernel.
+ */
+static inline bool pgdp_maps_userspace(void *__ptr)
+{
+	unsigned long ptr = (unsigned long)__ptr;
+
+	return (ptr & ~PAGE_MASK) < (PAGE_SIZE / 2);
+}
+
+/*
+ * Does this PGD allow access from userspace?
+ */
+static inline bool pgd_userspace_access(pgd_t pgd)
+{
+	return pgd.pgd & _PAGE_USER;
+}
+
+static inline void kaiser_poison_pgd(pgd_t *pgd)
+{
+	if (pgd->pgd & _PAGE_PRESENT && __supported_pte_mask & _PAGE_NX)
+		pgd->pgd |= _PAGE_NX;
+}
+
+static inline void kaiser_unpoison_pgd(pgd_t *pgd)
+{
+	if (pgd->pgd & _PAGE_PRESENT && __supported_pte_mask & _PAGE_NX)
+		pgd->pgd &= ~_PAGE_NX;
+}
+
+static inline void kaiser_poison_pgd_atomic(pgd_t *pgd)
+{
+	BUILD_BUG_ON(_PAGE_NX == 0);
+	if (pgd->pgd & _PAGE_PRESENT && __supported_pte_mask & _PAGE_NX)
+		set_bit(_PAGE_BIT_NX, &pgd->pgd);
+}
+
+static inline void kaiser_unpoison_pgd_atomic(pgd_t *pgd)
+{
+	if (pgd->pgd & _PAGE_PRESENT && __supported_pte_mask & _PAGE_NX)
+		clear_bit(_PAGE_BIT_NX, &pgd->pgd);
+}
+
+/*
+ * Take a PGD location (pgdp) and a pgd value that needs
+ * to be set there.  Populates the shadow and returns
+ * the resulting PGD that must be set in the kernel copy
+ * of the page tables.
+ */
+static inline pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd)
+{
+#ifdef CONFIG_KAISER
+	if (pgd_userspace_access(pgd)) {
+		if (pgdp_maps_userspace(pgdp)) {
+			VM_WARN_ON_ONCE(!is_kaiser_pgd(pgdp));
+			/*
+			 * The user/shadow page tables get the full
+			 * PGD, accessible from userspace:
+			 */
+			kernel_to_shadow_pgdp(pgdp)->pgd = pgd.pgd;
+			/*
+			 * For the copy of the pgd that the kernel
+			 * uses, make it unusable to userspace.  This
+			 * ensures if we get out to userspace with the
+			 * wrong CR3 value, userspace will crash
+			 * instead of running.
+			 */
+			if (kaiser_active())
+				kaiser_poison_pgd(&pgd);
+		}
+	} else if (pgd_userspace_access(*pgdp)) {
+		/*
+		 * We are clearing a _PAGE_USER PGD for which we
+		 * presumably populated the shadow.  We must now
+		 * clear the shadow PGD entry.
+		 */
+		if (pgdp_maps_userspace(pgdp)) {
+			VM_WARN_ON_ONCE(!is_kaiser_pgd(pgdp));
+			kernel_to_shadow_pgdp(pgdp)->pgd = pgd.pgd;
+		} else {
+			/*
+			 * Attempted to clear a _PAGE_USER PGD which
+			 * is in the kernel porttion of the address
+			 * space.  PGDs are pre-populated and we
+			 * never clear them.
+			 */
+			WARN_ON_ONCE(1);
+		}
+	} else {
+		/*
+		 * _PAGE_USER was not set in either the PGD being set
+		 * or cleared.  All kernel PGDs should be
+		 * pre-populated so this should never happen after
+		 * boot.
+		 */
+		VM_WARN_ON_ONCE(system_state == SYSTEM_RUNNING &&
+				is_kaiser_pgd(pgdp));
+	}
+#endif
+	/* return the copy of the PGD we want the kernel to use: */
+	return pgd;
+}
+
 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
 {
 	mm_track_pgd(pgdp);
+#ifdef CONFIG_KAISER
+	*pgdp = kaiser_set_shadow_pgd(pgdp, pgd);
+#else /* CONFIG_KAISER */
 	*pgdp = pgd;
+#endif
 }

 static inline void native_pgd_clear(pgd_t *pgd)
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/pgtable.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/pgtable.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/pgtable.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/pgtable.h	2017-12-28 19:59:43.000000000 +0100
@@ -660,7 +660,12 @@ static inline pud_t *pud_offset(pgd_t *p

 static inline int pgd_bad(pgd_t pgd)
 {
-	return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
+	unsigned long ignore_flags = _PAGE_USER;
+
+	if (IS_ENABLED(CONFIG_KAISER))
+		ignore_flags |= _PAGE_NX;
+
+	return (pgd_flags(pgd) & ~ignore_flags) != _KERNPG_TABLE;
 }

 static inline int pgd_none(pgd_t pgd)
@@ -886,6 +891,11 @@ static inline void pmdp_set_wrprotect(st
 static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
 {
        memcpy(dst, src, count * sizeof(pgd_t));
+#ifdef CONFIG_KAISER
+	/* Clone the shadow pgd part as well */
+	memcpy(kernel_to_shadow_pgdp(dst), kernel_to_shadow_pgdp(src),
+	       count * sizeof(pgd_t));
+#endif
 }

 #define PTE_SHIFT ilog2(PTRS_PER_PTE)
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/pgtable_types.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/pgtable_types.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/pgtable_types.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/pgtable_types.h	2017-12-28 19:59:43.000000000 +0100
@@ -175,6 +175,17 @@
 #define _PAGE_CACHE_UC_MINUS	(_PAGE_PCD)
 #define _PAGE_CACHE_UC		(_PAGE_PCD | _PAGE_PWT)

+/* The ASID is the lower 12 bits of CR3 */
+#define X86_CR3_PCID_ASID_MASK  (_AC((1<<12)-1, UL))
+
+/* Mask for all the PCID-related bits in CR3: */
+#define X86_CR3_PCID_MASK       (X86_CR3_PCID_NOFLUSH | X86_CR3_PCID_ASID_MASK)
+
+/* Make sure this is only usable in KAISER #ifdef'd code: */
+#ifdef CONFIG_KAISER
+#define X86_CR3_KAISER_SWITCH_BIT 11
+#endif
+
 /*
  * The cache modes defined here are used to translate between pure SW usage
  * and the HW defined cache mode bits and/or PAT entries.
@@ -214,8 +225,20 @@ enum page_cache_mode {
 #define PAGE_READONLY_EXEC	__pgprot(_PAGE_PRESENT | _PAGE_USER |	\
 					 _PAGE_ACCESSED)

+/*
+ * Disable global pages for anything using the default
+ * __PAGE_KERNEL* macros.  PGE will still be enabled
+ * and _PAGE_GLOBAL may still be used carefully.
+ */
+#ifdef CONFIG_KAISER
+#define __PAGE_KERNEL_GLOBAL	0
+#else
+#define __PAGE_KERNEL_GLOBAL	_PAGE_GLOBAL
+#endif
+
 #define __PAGE_KERNEL_EXEC						\
-	(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
+	(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED |	\
+	 __PAGE_KERNEL_GLOBAL)
 #define __PAGE_KERNEL		(__PAGE_KERNEL_EXEC | _PAGE_NX)

 #define __PAGE_KERNEL_RO		(__PAGE_KERNEL & ~_PAGE_RW)
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/processor.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/processor.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/processor.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/processor.h	2017-12-28 19:59:43.000000000 +0100
@@ -29,6 +29,7 @@ struct mm_struct;
 #include <linux/math64.h>
 #include <linux/err.h>
 #include <linux/irqflags.h>
+#include <linux/magic.h>

 #include <linux/rh_kabi.h>

@@ -226,11 +227,6 @@ static inline void native_cpuid(unsigned
 	    : "memory");
 }

-static inline void load_cr3(pgd_t *pgdir)
-{
-	write_cr3(__pa(pgdir));
-}
-
 #ifdef CONFIG_X86_32
 /* This is the TSS defined by the hardware. */
 struct x86_hw_tss {
@@ -306,11 +302,30 @@ struct tss_struct {
 	/*
 	 * .. and then another 0x100 bytes for the emergency kernel stack:
 	 */
+	RH_KABI_FILL_HOLE(unsigned long stack_canary)
 	unsigned long		stack[64];

-} ____cacheline_aligned;
+	/*
+	 *
+	 * The Intel SDM says (Volume 3, 7.2.1):
+	 *
+	 *  Avoid placing a page boundary in the part of the TSS that the
+	 *  processor reads during a task switch (the first 104 bytes). The
+	 *  processor may not correctly perform address translations if a
+	 *  boundary occurs in this area. During a task switch, the processor
+	 *  reads and writes into the first 104 bytes of each TSS (using
+	 *  contiguous physical addresses beginning with the physical address
+	 *  of the first byte of the TSS). So, after TSS access begins, if
+	 *  part of the 104 bytes is not physically contiguous, the processor
+	 *  will access incorrect information without generating a page-fault
+	 *  exception.
+	 *
+	 * There are also a lot of errata involving the TSS spanning a page
+	 * boundary.  Assert that we're not doing that.
+	 */
+} __attribute__((__aligned__(PAGE_SIZE)));

-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
+DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct tss_struct, init_tss);

 /*
  * Save the original ist values for checking stack pointers during debugging
@@ -615,8 +630,13 @@ static inline void set_in_cr4(unsigned l
 	unsigned long cr4;

 	mmu_cr4_features |= mask;
-	if (trampoline_cr4_features)
-		*trampoline_cr4_features = mmu_cr4_features;
+	if (trampoline_cr4_features) {
+		/*
+		 * Mask off features that don't work outside long mode (just
+		 * PCIDE for now).
+		 */
+		*trampoline_cr4_features = mmu_cr4_features & ~X86_CR4_PCIDE;
+	}
 	cr4 = read_cr4();
 	cr4 |= mask;
 	write_cr4(cr4);
@@ -937,7 +957,8 @@ extern unsigned long thread_saved_pc(str
 }

 #define INIT_TSS  { \
-	.x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
+	.x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack), \
+	.stack_canary		= STACK_END_MAGIC, \
 }

 /*
Только в linux-3.10.0-693.11.6.el7/arch/x86/include/asm: spec_ctrl.h
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/stacktrace.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/stacktrace.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/stacktrace.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/stacktrace.h	2017-12-28 19:59:43.000000000 +0100
@@ -9,8 +9,6 @@
 #include <linux/uaccess.h>
 #include <linux/ptrace.h>

-extern int kstack_depth_to_print;
-
 struct thread_info;
 struct stacktrace_ops;

@@ -85,10 +83,6 @@ extern void
 show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
 		   unsigned long *stack, unsigned long bp, char *log_lvl);

-extern void
-show_stack_log_lvl(struct task_struct *task, struct pt_regs *regs,
-		   unsigned long *sp, unsigned long bp, char *log_lvl);
-
 extern unsigned int code_bytes;

 /* The form of the top of the frame on the stack */
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/thread_info.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/thread_info.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/thread_info.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/thread_info.h	2017-12-28 19:59:43.000000000 +0100
@@ -204,6 +204,8 @@ static inline struct thread_info *curren
 #ifndef __ASSEMBLY__
 DECLARE_PER_CPU(unsigned long, kernel_stack);
 DECLARE_PER_CPU(unsigned long, __kernel_stack_70__);
+DECLARE_PER_CPU_USER_MAPPED(unsigned int, kaiser_enabled_pcp);
+DECLARE_PER_CPU_USER_MAPPED(unsigned int, spec_ctrl_pcp);

 static inline struct thread_info *current_thread_info(void)
 {
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/asm/tlbflush.h linux-3.10.0-693.11.6.el7/arch/x86/include/asm/tlbflush.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/asm/tlbflush.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/asm/tlbflush.h	2017-12-28 19:59:43.000000000 +0100
@@ -15,9 +15,104 @@
 #define __flush_tlb_single(addr) __native_flush_tlb_single(addr)
 #endif

+static inline void __invpcid(unsigned long pcid, unsigned long addr,
+			     unsigned long type)
+{
+	struct { u64 d[2]; } desc = { { pcid, addr } };
+
+	/*
+	 * The memory clobber is because the whole point is to invalidate
+	 * stale TLB entries and, especially if we're flushing global
+	 * mappings, we don't want the compiler to reorder any subsequent
+	 * memory accesses before the TLB flush.
+	 *
+	 * The hex opcode is invpcid (%ecx), %eax in 32-bit mode and
+	 * invpcid (%rcx), %rax in long mode.
+	 */
+	asm volatile (".byte 0x66, 0x0f, 0x38, 0x82, 0x01"
+		      : : "m" (desc), "a" (type), "c" (&desc) : "memory");
+}
+
+#define INVPCID_TYPE_INDIV_ADDR		0
+#define INVPCID_TYPE_SINGLE_CTXT	1
+#define INVPCID_TYPE_ALL_INCL_GLOBAL	2
+#define INVPCID_TYPE_ALL_NON_GLOBAL	3
+
+/* Flush all mappings for a given pcid and addr, not including globals. */
+static inline void invpcid_flush_one(unsigned long pcid,
+				     unsigned long addr)
+{
+	__invpcid(pcid, addr, INVPCID_TYPE_INDIV_ADDR);
+}
+
+/* Flush all mappings for a given PCID, not including globals. */
+static inline void invpcid_flush_single_context(unsigned long pcid)
+{
+	__invpcid(pcid, 0, INVPCID_TYPE_SINGLE_CTXT);
+}
+
+/* Flush all mappings, including globals, for all PCIDs. */
+static inline void invpcid_flush_all(void)
+{
+	__invpcid(0, 0, INVPCID_TYPE_ALL_INCL_GLOBAL);
+}
+
+/* Flush all mappings for all PCIDs except globals. */
+static inline void invpcid_flush_all_nonglobals(void)
+{
+	__invpcid(0, 0, INVPCID_TYPE_ALL_NON_GLOBAL);
+}
+
+#ifdef CONFIG_KAISER
+static __always_inline void __load_cr3(unsigned long cr3)
+{
+	if (static_cpu_has(X86_FEATURE_PCID) && kaiser_active()) {
+		unsigned long shadow_cr3;
+		VM_WARN_ON(cr3 & KAISER_SHADOW_PCID_ASID);
+		VM_WARN_ON(cr3 & (1<<KAISER_PGTABLE_SWITCH_BIT));
+		VM_WARN_ON(cr3 & X86_CR3_PCID_NOFLUSH);
+
+		if (this_cpu_has(X86_FEATURE_INVPCID_SINGLE)) {
+			invpcid_flush_single_context(KAISER_SHADOW_PCID_ASID);
+			write_cr3(cr3);
+			return;
+		}
+
+		shadow_cr3 = cr3 | (1<<KAISER_PGTABLE_SWITCH_BIT) |
+			KAISER_SHADOW_PCID_ASID;
+		asm volatile("\tjmp 1f\n\t"
+			     "2:\n\t"
+			     ".section .entry.text, \"ax\"\n\t"
+			     "1:\n\t"
+			     "pushf\n\t"
+			     "cli\n\t"
+			     "movq %0, %%cr3\n\t"
+			     "movq %1, %%cr3\n\t"
+			     "popf\n\t"
+			     "jmp 2b\n\t"
+			     ".previous" : :
+			     "r" (shadow_cr3), "r" (cr3) :
+			     "memory");
+	} else
+		write_cr3(cr3);
+}
+#else /* CONFIG_KAISER */
+static __always_inline void __load_cr3(unsigned long cr3)
+{
+	write_cr3(cr3);
+}
+#endif /* CONFIG_KAISER */
+
 static inline void __native_flush_tlb(void)
 {
-	native_write_cr3(native_read_cr3());
+	if (!static_cpu_has(X86_FEATURE_INVPCID)) {
+		__load_cr3(native_read_cr3());
+		return;
+	}
+	/*
+	 * Note, this works with CR4.PCIDE=0 or 1.
+	 */
+	invpcid_flush_all_nonglobals();
 }

 static inline void __native_flush_tlb_global_irq_disabled(void)
@@ -25,9 +120,24 @@ static inline void __native_flush_tlb_gl
 	unsigned long cr4;

 	cr4 = native_read_cr4();
-	/* clear PGE */
-	native_write_cr4(cr4 & ~X86_CR4_PGE);
-	/* write old PGE again and flush TLBs */
+	/*
+	 * This function is only called on systems that support X86_CR4_PGE
+	 * and where we expect X86_CR4_PGE to be set.  Warn if we are called
+	 * without PGE set.
+	 */
+	WARN_ON_ONCE(!(cr4 & X86_CR4_PGE));
+
+	/*
+	 * Architecturally, any _change_ to X86_CR4_PGE will fully flush
+	 * all entries.  Make sure that we _change_ the bit, regardless of
+	 * whether we had X86_CR4_PGE set in the first place.
+	 *
+	 * Note that just toggling PGE *also* flushes all entries from all
+	 * PCIDs, regardless of the state of X86_CR4_PCIDE.
+	 */
+	native_write_cr4(cr4 ^ X86_CR4_PGE);
+
+	/* Put original CR4 value back: */
 	native_write_cr4(cr4);
 }

@@ -35,6 +145,17 @@ static inline void __native_flush_tlb_gl
 {
 	unsigned long flags;

+	if (static_cpu_has(X86_FEATURE_INVPCID)) {
+		/*
+		 * Using INVPCID is considerably faster than a pair of writes
+		 * to CR4 sandwiched inside an IRQ flag save/restore.
+		 *
+		 * Note, this works with CR4.PCIDE=0 or 1.
+		 */
+		invpcid_flush_all();
+		return;
+	}
+
 	/*
 	 * Read-modify-write to CR4 - protect it from preemption and
 	 * from interrupts. (Use the raw variant because this code can
@@ -49,7 +170,56 @@ static inline void __native_flush_tlb_gl

 static inline void __native_flush_tlb_single(unsigned long addr)
 {
-	asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
+#ifdef CONFIG_KAISER
+	unsigned long cr3, shadow_cr3;
+
+	/* Flush the address out of both PCIDs. */
+	/*
+	 * An optimization here might be to determine addresses
+	 * that are only kernel-mapped and only flush the kernel
+	 * ASID.  But, userspace flushes are probably much more
+	 * important performance-wise.
+	 *
+	 * Make sure to do only a single invpcid when KAISER is
+	 * disabled and we have only a single ASID.
+	 */
+	if (static_cpu_has(X86_FEATURE_PCID) && kaiser_active()) {
+		/*
+		 * Some platforms #GP if we call invpcid(type=1/2) before
+		 * CR4.PCIDE=1.  Just call invpcid in the case we are called
+		 * early.
+		 */
+		if (this_cpu_has(X86_FEATURE_INVPCID_SINGLE)) {
+			invpcid_flush_one(KAISER_SHADOW_PCID_ASID, addr);
+			invpcid_flush_one(0, addr);
+			return;
+		}
+
+		cr3 = native_read_cr3();
+		VM_WARN_ON(cr3 & KAISER_SHADOW_PCID_ASID);
+		VM_WARN_ON(cr3 & (1<<KAISER_PGTABLE_SWITCH_BIT));
+		VM_WARN_ON(cr3 & X86_CR3_PCID_NOFLUSH);
+		cr3 |= X86_CR3_PCID_NOFLUSH;
+		shadow_cr3 = cr3 | (1<<KAISER_PGTABLE_SWITCH_BIT) |
+			KAISER_SHADOW_PCID_ASID;
+		asm volatile("\tjmp 1f\n\t"
+			     "2:\n\t"
+			     ".section .entry.text, \"ax\"\n\t"
+			     "1:\n\t"
+			     "pushf\n\t"
+			     "cli\n\t"
+			     "movq %0, %%cr3\n\t"
+			     "invlpg (%2)\n\t"
+			     "movq %1, %%cr3\n\t"
+			     "popf\n\t"
+			     "invlpg (%2)\n\t"
+			     "jmp 2b\n\t"
+			     ".previous" : :
+			     "r" (shadow_cr3), "r" (cr3), "r" (addr) :
+			     "memory");
+	} else
+#endif
+		asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
 }

 static inline void __flush_tlb_all(void)
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/include/uapi/asm/processor-flags.h linux-3.10.0-693.11.6.el7/arch/x86/include/uapi/asm/processor-flags.h
--- linux-3.10.0-693.11.1.el7/arch/x86/include/uapi/asm/processor-flags.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/include/uapi/asm/processor-flags.h	2017-12-28 19:59:43.000000000 +0100
@@ -79,7 +79,8 @@
 #define X86_CR3_PWT		_BITUL(X86_CR3_PWT_BIT)
 #define X86_CR3_PCD_BIT		4 /* Page Cache Disable */
 #define X86_CR3_PCD		_BITUL(X86_CR3_PCD_BIT)
-#define X86_CR3_PCID_MASK	_AC(0x00000fff,UL) /* PCID Mask */
+#define X86_CR3_PCID_NOFLUSH_BIT 63 /* Preserve old PCID */
+#define X86_CR3_PCID_NOFLUSH    _BITULL(X86_CR3_PCID_NOFLUSH_BIT)

 /*
  * Intel CPU features in CR4
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/Kconfig linux-3.10.0-693.11.6.el7/arch/x86/Kconfig
--- linux-3.10.0-693.11.1.el7/arch/x86/Kconfig	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/Kconfig	2017-12-28 19:59:43.000000000 +0100
@@ -2001,6 +2001,14 @@ config COMPAT_VDSO
 	depends on X86_32 || IA32_EMULATION
 	---help---
 	  Map the 32-bit VDSO to the predictable old-style address too.
+		# The VSYSCALL page comes from the kernel page tables
+		# and is not available when KAISER is enabled.
+		depends on ! KAISER
+
+		  When KAISER is enabled, the vsyscall area will become
+		  unreadable.  This emulation option still works, but KAISER
+		  will make it harder to do things like trace code using the
+		  emulation.

 	  Say N here if you are running a sufficiently recent glibc
 	  version (2.3.3 or later), to remove the high-mapped
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/asm-offsets_64.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/asm-offsets_64.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/asm-offsets_64.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/asm-offsets_64.c	2017-12-28 19:59:43.000000000 +0100
@@ -78,6 +78,9 @@ int main(void)
 #undef ENTRY

 	OFFSET(TSS_ist, tss_struct, x86_tss.ist);
+	OFFSET(TSS_sp0, tss_struct, x86_tss.sp0);
+	OFFSET(TSS_stack, tss_struct, stack);
+	DEFINE(TSS_stack_size, sizeof(init_tss.stack));
 	BLANK();

 	DEFINE(__NR_syscall_max, sizeof(syscalls_64) - 1);
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/amd.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/amd.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/amd.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/amd.c	2017-12-28 19:59:43.000000000 +0100
@@ -704,8 +704,17 @@ static void init_amd(struct cpuinfo_x86
 		set_cpu_cap(c, X86_FEATURE_K8);

 	if (cpu_has_xmm2) {
-		/* MFENCE stops RDTSC speculation */
-		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
+		/*
+		 * Use LFENCE for execution serialization. On some families
+		 * LFENCE is already serialized and the MSR is not available,
+		 * but msr_set_bit() uses rdmsrl_safe() and wrmsrl_safe().
+		 */
+		if (c->x86 > 0xf)
+			msr_set_bit(MSR_F10H_DECFG,
+				    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
+
+		/* LFENCE with MSR_F10H_DECFG[1]=1 stops RDTSC speculation */
+		set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
 	}

 #ifdef CONFIG_X86_64
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/common.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/common.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/common.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/common.c	2017-12-28 19:59:43.000000000 +0100
@@ -42,6 +42,7 @@
 #include <asm/pat.h>
 #include <asm/microcode.h>
 #include <asm/microcode_intel.h>
+#include <asm/kaiser.h>

 #ifdef CONFIG_X86_LOCAL_APIC
 #include <asm/uv/uv.h>
@@ -93,7 +94,7 @@ static const struct cpu_dev default_cpu

 static const struct cpu_dev *this_cpu = &default_cpu;

-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
+DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct gdt_page, gdt_page) = { .gdt = {
 #ifdef CONFIG_X86_64
 	/*
 	 * We need valid kernel segments for data and code in long mode too
@@ -202,6 +203,40 @@ static int __init x86_mpx_setup(char *s)
 }
 __setup("nompx", x86_mpx_setup);

+#ifdef CONFIG_X86_64
+static int __init x86_nopcid_setup(char *s)
+{
+	/* nopcid doesn't accept parameters */
+	if (s)
+		return -EINVAL;
+
+	/* do not emit a message if the feature is not present */
+	if (!boot_cpu_has(X86_FEATURE_PCID))
+		return 0;
+
+	setup_clear_cpu_cap(X86_FEATURE_PCID);
+	pr_info("nopcid: PCID feature disabled\n");
+	return 0;
+}
+early_param("nopcid", x86_nopcid_setup);
+
+static int __init x86_noinvpcid_setup(char *s)
+{
+	/* noinvpcid doesn't accept parameters */
+	if (s)
+		return -EINVAL;
+
+	/* do not emit a message if the feature is not present */
+	if (!boot_cpu_has(X86_FEATURE_INVPCID))
+		return 0;
+
+	setup_clear_cpu_cap(X86_FEATURE_INVPCID);
+	pr_info("noinvpcid: INVPCID feature disabled\n");
+	return 0;
+}
+early_param("noinvpcid", x86_noinvpcid_setup);
+#endif
+
 #ifdef CONFIG_X86_32
 static int cachesize_override = -1;
 static int disable_x86_serial_nr = 1;
@@ -1002,6 +1037,8 @@ static void identify_cpu(struct cpuinfo_
 	setup_smep(c);
 	setup_smap(c);

+	spec_ctrl_init(c);
+
 	/*
 	 * The vendor-specific functions might have changed features.
 	 * Now we do "generic changes."
@@ -1227,6 +1264,10 @@ DEFINE_PER_CPU(char *, irq_stack_ptr) =
 	init_per_cpu_var(irq_stack_union.irq_stack) + IRQ_STACK_SIZE - 64;

 DEFINE_PER_CPU(unsigned int, irq_count) = -1;
+DEFINE_PER_CPU_USER_MAPPED(unsigned int, kaiser_enabled_pcp) ____cacheline_aligned;
+DEFINE_PER_CPU_USER_MAPPED(unsigned int, spec_ctrl_pcp);
+EXPORT_PER_CPU_SYMBOL_GPL(spec_ctrl_pcp);
+DEFINE_PER_CPU_USER_MAPPED(unsigned long, kaiser_scratch);

 DEFINE_PER_CPU(struct task_struct *, fpu_owner_task);

@@ -1241,7 +1282,7 @@ static const unsigned int exception_stac
 	  [DEBUG_STACK - 1]			= DEBUG_STKSZ
 };

-static DEFINE_PER_CPU_PAGE_ALIGNED(char, exception_stacks
+DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(char, exception_stacks
 	[(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ]);

 /* May not be marked __init: used by software suspend */
@@ -1443,7 +1484,9 @@ void cpu_init(void)
 	BUG_ON(me->mm);
 	enter_lazy_tlb(&init_mm, me);

-	load_sp0(t, &current->thread);
+	__this_cpu_write(init_tss.x86_tss.sp0,
+			 (unsigned long) t + offsetofend(struct tss_struct,
+							 stack));
 	set_tss_desc(cpu, t);
 	load_TR_desc();
 	load_LDT(&init_mm.context);
@@ -1455,6 +1498,8 @@ void cpu_init(void)

 	if (is_uv_system())
 		uv_cpu_init();
+
+	WARN_ON((unsigned long) &t->x86_tss & ~PAGE_MASK);
 }

 #else
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/microcode/core.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/microcode/core.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/microcode/core.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/microcode/core.c	2017-12-28 19:59:43.000000000 +0100
@@ -39,6 +39,7 @@
 #include <asm/microcode.h>
 #include <asm/processor.h>
 #include <asm/cmdline.h>
+#include <asm/spec_ctrl.h>

 #define MICROCODE_VERSION	"2.01"

@@ -318,8 +319,10 @@ static ssize_t microcode_write(struct fi
 	if (do_microcode_update(buf, len) == 0)
 		ret = (ssize_t)len;

-	if (ret > 0)
+	if (ret > 0) {
 		perf_check_microcode();
+		spec_ctrl_rescan_cpuid();
+	}

 	mutex_unlock(&microcode_mutex);
 	put_online_cpus();
@@ -410,8 +413,10 @@ static ssize_t reload_store(struct devic
 		if (!ret)
 			ret = tmp_ret;
 	}
-	if (!ret)
+	if (!ret) {
 		perf_check_microcode();
+		spec_ctrl_rescan_cpuid();
+	}
 	mutex_unlock(&microcode_mutex);
 	put_online_cpus();

@@ -645,8 +650,10 @@ int __init microcode_init(void)
 	mutex_lock(&microcode_mutex);

 	error = subsys_interface_register(&mc_cpu_interface);
-	if (!error)
+	if (!error) {
 		perf_check_microcode();
+		spec_ctrl_rescan_cpuid();
+	}
 	mutex_unlock(&microcode_mutex);
 	put_online_cpus();

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/scattered.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/scattered.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/cpu/scattered.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/cpu/scattered.c	2017-12-28 19:59:43.000000000 +0100
@@ -22,6 +22,7 @@ static const struct cpuid_bit cpuid_bits
 	{ X86_FEATURE_INTEL_PT,		CPUID_EBX,25, 0x00000007, 0 },
 	{ X86_FEATURE_AVX512_4VNNIW,	CPUID_EDX, 2, 0x00000007, 0 },
 	{ X86_FEATURE_AVX512_4FMAPS,	CPUID_EDX, 3, 0x00000007, 0 },
+	{ X86_FEATURE_SPEC_CTRL,	CPUID_EDX, 26, 0x00000007, 0 },
 	{ X86_FEATURE_APERFMPERF,	CPUID_ECX, 0, 0x00000006, 0 },
 	{ X86_FEATURE_EPB,		CPUID_ECX, 3, 0x00000006, 0 },
 	{ X86_FEATURE_CAT_L3,		CPUID_EBX, 1, 0x00000010, 0 },
@@ -31,6 +32,7 @@ static const struct cpuid_bit cpuid_bits
 	{ X86_FEATURE_CPB,		CPUID_EDX, 9, 0x80000007, 0 },
 	{ X86_FEATURE_PROC_FEEDBACK,	CPUID_EDX,11, 0x80000007, 0 },
 	{ X86_FEATURE_AVIC,       	CPUID_EDX,13, 0x8000000a, 0 },
+	{ X86_FEATURE_IBPB_SUPPORT,	CPUID_EBX,12, 0x80000008, 0 },
 	{ 0, 0, 0, 0 }
 };

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/dumpstack_32.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/dumpstack_32.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/dumpstack_32.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/dumpstack_32.c	2017-12-28 19:59:43.000000000 +0100
@@ -54,34 +54,6 @@ void dump_trace(struct task_struct *task
 }
 EXPORT_SYMBOL(dump_trace);

-void
-show_stack_log_lvl(struct task_struct *task, struct pt_regs *regs,
-		   unsigned long *sp, unsigned long bp, char *log_lvl)
-{
-	unsigned long *stack;
-	int i;
-
-	if (sp == NULL) {
-		if (task)
-			sp = (unsigned long *)task->thread.sp;
-		else
-			sp = (unsigned long *)&sp;
-	}
-
-	stack = sp;
-	for (i = 0; i < kstack_depth_to_print; i++) {
-		if (kstack_end(stack))
-			break;
-		if (i && ((i % STACKSLOTS_PER_LINE) == 0))
-			pr_cont("\n");
-		pr_cont(" %08lx", *stack++);
-		touch_nmi_watchdog();
-	}
-	pr_cont("\n");
-	show_trace_log_lvl(task, regs, sp, bp, log_lvl);
-}
-
-
 void show_regs(struct pt_regs *regs)
 {
 	int i;
@@ -99,8 +71,7 @@ void show_regs(struct pt_regs *regs)
 		unsigned char c;
 		u8 *ip;

-		pr_emerg("Stack:\n");
-		show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
+		show_trace_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);

 		pr_emerg("Code:");

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/dumpstack_64.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/dumpstack_64.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/dumpstack_64.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/dumpstack_64.c	2017-12-28 19:59:43.000000000 +0100
@@ -195,55 +195,6 @@ void dump_trace(struct task_struct *task
 }
 EXPORT_SYMBOL(dump_trace);

-void
-show_stack_log_lvl(struct task_struct *task, struct pt_regs *regs,
-		   unsigned long *sp, unsigned long bp, char *log_lvl)
-{
-	unsigned long *irq_stack_end;
-	unsigned long *irq_stack;
-	unsigned long *stack;
-	int cpu;
-	int i;
-
-	preempt_disable();
-	cpu = smp_processor_id();
-
-	irq_stack_end	= (unsigned long *)(per_cpu(irq_stack_ptr, cpu));
-	irq_stack	= (unsigned long *)(per_cpu(irq_stack_ptr, cpu) - IRQ_STACK_SIZE);
-
-	/*
-	 * Debugging aid: "show_stack(NULL, NULL);" prints the
-	 * back trace for this cpu:
-	 */
-	if (sp == NULL) {
-		if (task)
-			sp = (unsigned long *)task->thread.sp;
-		else
-			sp = (unsigned long *)&sp;
-	}
-
-	stack = sp;
-	for (i = 0; i < kstack_depth_to_print; i++) {
-		if (stack >= irq_stack && stack <= irq_stack_end) {
-			if (stack == irq_stack_end) {
-				stack = (unsigned long *) (irq_stack_end[-1]);
-				pr_cont(" <EOI> ");
-			}
-		} else {
-		if (((long) stack & (THREAD_SIZE-1)) == 0)
-			break;
-		}
-		if (i && ((i % STACKSLOTS_PER_LINE) == 0))
-			pr_cont("\n");
-		pr_cont(" %016lx", *stack++);
-		touch_nmi_watchdog();
-	}
-	preempt_enable();
-
-	pr_cont("\n");
-	show_trace_log_lvl(task, regs, sp, bp, log_lvl);
-}
-
 void show_regs(struct pt_regs *regs)
 {
 	int i;
@@ -263,8 +214,7 @@ void show_regs(struct pt_regs *regs)
 		unsigned char c;
 		u8 *ip;

-		printk(KERN_DEFAULT "Stack:\n");
-		show_stack_log_lvl(NULL, regs, (unsigned long *)sp,
+		show_trace_log_lvl(NULL, regs, (unsigned long *)sp,
 				   0, KERN_DEFAULT);

 		printk(KERN_DEFAULT "Code: ");
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/dumpstack.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/dumpstack.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/dumpstack.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/dumpstack.c	2017-12-28 19:59:43.000000000 +0100
@@ -22,7 +22,6 @@
 int panic_on_unrecovered_nmi;
 int panic_on_io_nmi;
 unsigned int code_bytes = 64;
-int kstack_depth_to_print = 3 * STACKSLOTS_PER_LINE;
 static int die_counter;

 void printk_address(unsigned long address, int reliable)
@@ -188,7 +187,7 @@ void show_stack(struct task_struct *task
 		bp = stack_frame(current, NULL);
 	}

-	show_stack_log_lvl(task, NULL, sp, bp, "");
+	show_trace_log_lvl(task, NULL, sp, bp, "");
 }

 static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
@@ -304,22 +303,6 @@ void die(const char *str, struct pt_regs
 	oops_end(flags, regs, sig);
 }

-static int __init kstack_setup(char *s)
-{
-	ssize_t ret;
-	unsigned long val;
-
-	if (!s)
-		return -EINVAL;
-
-	ret = kstrtoul(s, 0, &val);
-	if (ret)
-		return ret;
-	kstack_depth_to_print = val;
-	return 0;
-}
-early_param("kstack", kstack_setup);
-
 static int __init code_bytes_setup(char *s)
 {
 	ssize_t ret;
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/entry_64.S linux-3.10.0-693.11.6.el7/arch/x86/kernel/entry_64.S
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/entry_64.S	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/entry_64.S	2017-12-28 19:59:43.000000000 +0100
@@ -57,7 +57,9 @@
 #include <asm/asm.h>
 #include <asm/context_tracking.h>
 #include <asm/smap.h>
+#include <asm/spec_ctrl.h>
 #include <linux/err.h>
+#include "kaiser.h"

 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
 #include <linux/elf-em.h>
@@ -262,6 +264,34 @@ ENDPROC(native_usergs_sysret64)
 	testl $3, CS-RBP(%rsi)
 	je 1f
 	SWAPGS
+	SWITCH_TO_KERNEL_CR3
+	ENABLE_IBRS_CLOBBER /* no indirect jump allowed before IBRS */
+	movq PER_CPU_VAR(kernel_stack), %rsp
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
+	movq %rsi, %rsp
+1:
+	/* Check to see if we're on the trampoline stack. */
+	movq PER_CPU_VAR(init_tss + TSS_sp0), %rcx
+	cmpq %rcx, %rsp
+	ja 1f
+	leaq -TSS_stack_size(%rcx), %rax
+	cmpq %rsp, %rax
+	ja 1f
+	/*
+	 * We're on the trampoline stack.  Copy the trampoline stack's
+	 * contents to the kernel task stack and switch to it.
+	 */
+	pushq %rdi
+	subq %rsp, %rcx
+	movq PER_CPU_VAR(kernel_stack), %rdi
+	addq $KERNEL_STACK_OFFSET, %rdi
+	subq %rcx, %rdi
+	movq %rdi, %rax
+	movq %rsp, %rsi
+	rep movsb
+	movq %rax, %rsp
+	popq %rdi
+	movq %rsp, %rsi /* we earlier saved %rsp in %rsi, update it to new one */
 	/*
 	 * irq_count is used to check if a CPU is already on an interrupt stack
 	 * or not. While this is essentially redundant with preempt_count it is
@@ -325,7 +355,11 @@ ENTRY(save_paranoid)
 	js 1f	/* negative -> in kernel */
 	SWAPGS
 	xorl %ebx,%ebx
-1:	ret
+1:
+	SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14
+	ENABLE_IBRS_SAVE_AND_CLOBBER save_reg=%r13d /* no indirect jump allowed before IBRS */
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
+	ret
 	CFI_ENDPROC
 END(save_paranoid)
 	.popsection
@@ -391,7 +425,7 @@ END(ret_from_fork)
  * r8   arg4
  * r9   arg5
  * r11  eflags for syscall/sysret, temporary for C
- * r12-r15,rbp,rbx saved by C code, not touched.
+ * r12-r15,rbp,rbx saved by C code, not used.
  *
  * Interrupts are off on entry.
  * Only called from user space.
@@ -418,18 +452,23 @@ ENTRY(system_call)
 	 */
 GLOBAL(system_call_after_swapgs)

+	SWITCH_TO_KERNEL_CR3
 	movq	%rsp,PER_CPU_VAR(old_rsp)
 	movq	PER_CPU_VAR(kernel_stack),%rsp
+	ENABLE_IBRS /* no indirect jump allowed before IBRS */
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
 	/*
 	 * No need to follow this irqs off/on section - it's straight
 	 * and short:
 	 */
 	ENABLE_INTERRUPTS(CLBR_NONE)
 	SAVE_ARGS 8,0
-	movq  %rax,ORIG_RAX-ARGOFFSET(%rsp)
-	movq  %rcx,RIP-ARGOFFSET(%rsp)
-	CFI_REL_OFFSET rip,RIP-ARGOFFSET
-	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
+	SAVE_REST
+	CLEAR_EXTRA_REGS
+	movq  %rax,ORIG_RAX(%rsp)
+	movq  %rcx,RIP(%rsp)
+	CFI_REL_OFFSET rip,RIP
+	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP)
 	jnz tracesys
 system_call_fastpath:
 #if __SYSCALL_MASK == ~0
@@ -441,7 +480,7 @@ system_call_fastpath:
 	ja badsys
 	movq %r10,%rcx
 	call *sys_call_table(,%rax,8)  # XXX:	 rip relative
-	movq %rax,RAX-ARGOFFSET(%rsp)
+	movq %rax,RAX(%rsp)
 /*
  * Syscall return path ending with SYSRET (fast path)
  * Has incomplete stack frame and undefined top of stack.
@@ -453,7 +492,7 @@ sysret_check:
 	LOCKDEP_SYS_EXIT
 	DISABLE_INTERRUPTS(CLBR_NONE)
 	TRACE_IRQS_OFF
-	movl TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET),%edx
+	movl TI_flags+THREAD_INFO(%rsp,RIP),%edx
 	andl %edi,%edx
 	jnz  sysret_careful
 	CFI_REMEMBER_STATE
@@ -461,11 +500,14 @@ sysret_check:
 	 * sysretq will re-enable interrupts:
 	 */
 	TRACE_IRQS_ON
-	movq RIP-ARGOFFSET(%rsp),%rcx
+	DISABLE_IBRS_CLOBBER
+	movq RIP(%rsp),%rcx
 	CFI_REGISTER	rip,rcx
+	RESTORE_REST
 	RESTORE_ARGS 1,-ARG_SKIP,0
 	/*CFI_REGISTER	rflags,r11*/
 	movq	PER_CPU_VAR(old_rsp), %rsp
+	SWITCH_TO_USER_CR3
 	USERGS_SYSRET64

 	CFI_RESTORE_STATE
@@ -494,11 +536,11 @@ sysret_signal:
 	 * These all wind up with the iret return path anyway,
 	 * so just join that path right now.
 	 */
-	FIXUP_TOP_OF_STACK %r11, -ARGOFFSET
+	FIXUP_TOP_OF_STACK %r11
 	jmp int_check_syscall_exit_work

 badsys:
-	movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
+	movq $-ENOSYS,RAX(%rsp)
 	jmp ret_from_sys_call

 #ifdef CONFIG_AUDITSYSCALL
@@ -514,7 +556,7 @@ auditsys:
 	movq %rdi,%rsi			/* 2nd arg: 1st syscall arg */
 	movq %rax,%rdi			/* 1st arg: syscall number */
 	call __audit_syscall_entry
-	LOAD_ARGS 0		/* reload call-clobbered registers */
+	LOAD_ARGS ARGOFFSET		/* reload call-clobbered registers */
 	jmp system_call_fastpath

 	/*
@@ -523,7 +565,7 @@ auditsys:
 	 * masked off.
 	 */
 sysret_audit:
-	movq RAX-ARGOFFSET(%rsp),%rsi	/* second arg, syscall return value */
+	movq RAX(%rsp),%rsi	/* second arg, syscall return value */
 	cmpq $-MAX_ERRNO,%rsi	/* is it < -MAX_ERRNO? */
 	setbe %al		/* 1 if so, 0 if not */
 	movzbl %al,%edi		/* zero-extend that into %edi */
@@ -535,10 +577,9 @@ sysret_audit:
 	/* Do syscall tracing */
 tracesys:
 #ifdef CONFIG_AUDITSYSCALL
-	testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
+	testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP)
 	jz auditsys
 #endif
-	SAVE_REST
 	movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
 	FIXUP_TOP_OF_STACK %rdi
 	movq %rsp,%rdi
@@ -549,18 +590,18 @@ tracesys:
 	 * the value it wants us to use in the table lookup.
 	 */
 	LOAD_ARGS ARGOFFSET, 1
-	RESTORE_REST
 #if __SYSCALL_MASK == ~0
 	cmpq $__NR_syscall_max,%rax
 #else
 	andl $__SYSCALL_MASK,%eax
 	cmpl $__NR_syscall_max,%eax
 #endif
-	ja   int_ret_from_sys_call	/* RAX(%rsp) set to -ENOSYS above */
+	ja   1f		/* RAX(%rsp) set to -ENOSYS above */
 	movq %r10,%rcx	/* fixup for C */
 	call *sys_call_table(,%rax,8)
-	movq %rax,RAX-ARGOFFSET(%rsp)
-	/* Use IRET because user could have changed frame */
+	movq %rax,RAX(%rsp)
+1:	RESTORE_REST
+/* Use IRET because user could have changed frame */

 /*
  * Syscall return path ending with IRET.
@@ -599,8 +640,8 @@ int_careful:
 int_very_careful:
 	TRACE_IRQS_ON
 	ENABLE_INTERRUPTS(CLBR_NONE)
-int_check_syscall_exit_work:
 	SAVE_REST
+int_check_syscall_exit_work:
 	/* Check for syscall exit trace */
 	testl $_TIF_WORK_SYSCALL_EXIT,%edx
 	jz int_signal
@@ -629,15 +670,11 @@ END(system_call)
 	.macro FORK_LIKE func
 ENTRY(stub_\func)
 	CFI_STARTPROC
-	popq	%r11			/* save return address */
-	PARTIAL_FRAME 0
-	SAVE_REST
-	pushq	%r11			/* put it back on stack */
-	FIXUP_TOP_OF_STACK %r11, 8
 	DEFAULT_FRAME 0 8		/* offset 8: return address */
+	FIXUP_TOP_OF_STACK %r11, 8
 	call sys_\func
 	RESTORE_TOP_OF_STACK %r11, 8
-	ret $REST_SKIP		/* pop extended registers */
+	ret
 	CFI_ENDPROC
 END(stub_\func)
 	.endm
@@ -645,10 +682,10 @@ END(stub_\func)
 	.macro FIXED_FRAME label,func
 ENTRY(\label)
 	CFI_STARTPROC
-	PARTIAL_FRAME 0 8		/* offset 8: return address */
-	FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET
+	DEFAULT_FRAME 0 8		/* offset 8: return address */
+	FIXUP_TOP_OF_STACK %r11, 8
 	call \func
-	RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET
+	RESTORE_TOP_OF_STACK %r11, 8
 	ret
 	CFI_ENDPROC
 END(\label)
@@ -659,24 +696,10 @@ END(\label)
 	FORK_LIKE  vfork
 	FIXED_FRAME stub_iopl, sys_iopl

-ENTRY(ptregscall_common)
-	DEFAULT_FRAME 1 8	/* offset 8: return address */
-	RESTORE_TOP_OF_STACK %r11, 8
-	movq_cfi_restore R15+8, r15
-	movq_cfi_restore R14+8, r14
-	movq_cfi_restore R13+8, r13
-	movq_cfi_restore R12+8, r12
-	movq_cfi_restore RBP+8, rbp
-	movq_cfi_restore RBX+8, rbx
-	ret $REST_SKIP		/* pop extended registers */
-	CFI_ENDPROC
-END(ptregscall_common)
-
 ENTRY(stub_execve)
 	CFI_STARTPROC
 	addq $8, %rsp
-	PARTIAL_FRAME 0
-	SAVE_REST
+	DEFAULT_FRAME 0
 	FIXUP_TOP_OF_STACK %r11
 	call sys_execve
 	movq %rax,RAX(%rsp)
@@ -692,8 +715,7 @@ END(stub_execve)
 ENTRY(stub_rt_sigreturn)
 	CFI_STARTPROC
 	addq $8, %rsp
-	PARTIAL_FRAME 0
-	SAVE_REST
+	DEFAULT_FRAME 0
 	FIXUP_TOP_OF_STACK %r11
 	call sys_rt_sigreturn
 	movq %rax,RAX(%rsp) # fixme, this could be done at the higher layer
@@ -706,8 +728,7 @@ END(stub_rt_sigreturn)
 ENTRY(stub_x32_rt_sigreturn)
 	CFI_STARTPROC
 	addq $8, %rsp
-	PARTIAL_FRAME 0
-	SAVE_REST
+	DEFAULT_FRAME 0
 	FIXUP_TOP_OF_STACK %r11
 	call sys32_x32_rt_sigreturn
 	movq %rax,RAX(%rsp) # fixme, this could be done at the higher layer
@@ -719,8 +740,7 @@ END(stub_x32_rt_sigreturn)
 ENTRY(stub_x32_execve)
 	CFI_STARTPROC
 	addq $8, %rsp
-	PARTIAL_FRAME 0
-	SAVE_REST
+	DEFAULT_FRAME 0
 	FIXUP_TOP_OF_STACK %r11
 	call compat_sys_execve
 	RESTORE_TOP_OF_STACK %r11
@@ -840,8 +860,31 @@ retint_swapgs:		/* return to user-space
 	 */
 	DISABLE_INTERRUPTS(CLBR_ANY)
 	TRACE_IRQS_IRETQ
+
+retint_userspace_restore_args:
+	DISABLE_IBRS_CLOBBER
+	/*
+	 * Returning from an interrupt/NMI/exception to user space, currently
+	 * on the kernel task stack, which is not user-mapped.  Copy the iret
+	 * frame to the trampoline stack and switch to it before returning.
+	 */
+	RESTORE_ARGS 1,8,1
+	pushq %rax
+	movq %rsp, %rax
+	movq PER_CPU_VAR(init_tss + TSS_sp0), %rsp
+	pushq SS-ORIG_RAX(%rax)
+	pushq RSP-ORIG_RAX(%rax)
+	pushq EFLAGS-ORIG_RAX(%rax)
+	pushq CS-ORIG_RAX(%rax)
+	pushq RIP-ORIG_RAX(%rax)
+	movq (%rax), %rax
+	SWITCH_TO_USER_CR3
 	SWAPGS
-	jmp restore_args
+	jmp irq_return
+
+paranoid_userspace_restore_all:
+	RESTORE_REST
+	jmp retint_userspace_restore_args

 retint_restore_args:	/* return to kernel space */
 	DISABLE_INTERRUPTS(CLBR_ANY)
@@ -849,7 +892,6 @@ retint_restore_args:	/* return to kernel
 	 * The iretq could re-enable interrupts:
 	 */
 	TRACE_IRQS_IRETQ
-restore_args:
 	RESTORE_ARGS 1,8,1

 irq_return:
@@ -876,7 +918,16 @@ bad_iret:
 	 */
 	pushq $0

+	/*
+	 * If a kernel bug clears user CS bit and in turn we'll skip SWAPGS in
+	 * general_protection, skip the SWAPGS here as well so we won't hard reboot.
+	 * This increases robustness of bad_iret to kernel bugs as well.
+	 */
+	testl $3, 8*2(%rsp)
+	je 1f
 	SWAPGS
+1:
+
 	jmp general_protection

 	.previous
@@ -1340,23 +1391,27 @@ ENTRY(paranoid_exit)
 	DISABLE_INTERRUPTS(CLBR_NONE)
 	TRACE_IRQS_OFF_DEBUG
 	testl %ebx,%ebx				/* swapgs needed? */
-	jnz paranoid_restore
+	jnz paranoid_noswapgs_restore
 	testl $3,CS(%rsp)
 	jnz   paranoid_userspace
-paranoid_swapgs:
-	TRACE_IRQS_IRETQ 0
-	SWAPGS_UNSAFE_STACK
+paranoid_swapgs_restore:
+	/* return to kernel with swapgs */
+	RESTORE_IBRS_CLOBBER save_reg=%r13d
+	RESTORE_CR3 scratch_reg=%rax save_reg=%r14
 	RESTORE_ALL 8
+	SWAPGS
 	jmp irq_return
-paranoid_restore:
-	TRACE_IRQS_IRETQ_DEBUG 0
+paranoid_noswapgs_restore:
+	/* return to kernel */
+	RESTORE_IBRS_CLOBBER save_reg=%r13d
+	RESTORE_CR3 scratch_reg=%rax save_reg=%r14
 	RESTORE_ALL 8
 	jmp irq_return
 paranoid_userspace:
 	GET_THREAD_INFO(%rcx)
 	movl TI_flags(%rcx),%ebx
 	andl $_TIF_WORK_MASK,%ebx
-	jz paranoid_swapgs
+	jz paranoid_userspace_restore_all
 	movq %rsp,%rdi			/* &pt_regs */
 	call sync_regs
 	movq %rax,%rsp			/* switch stack for scheduling */
@@ -1410,7 +1465,33 @@ ENTRY(error_entry)
 	je error_kernelspace
 error_swapgs:
 	SWAPGS
+	SWITCH_TO_KERNEL_CR3
+	movq %rsp, %rsi
+	movq PER_CPU_VAR(kernel_stack), %rsp
+	ENABLE_IBRS_CLOBBER /* no indirect jump allowed before IBRS */
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
+	movq %rsi, %rsp
 error_sti:
+	/* Check to see if we're on the trampoline stack. */
+	movq PER_CPU_VAR(init_tss + TSS_sp0), %rcx
+	cmpq %rcx, %rsp
+	ja 1f
+	leaq -TSS_stack_size(%rcx), %rax
+	cmpq %rsp, %rax
+	ja 1f
+	/*
+	 * We're on the trampoline stack.  Copy the trampoline stack's
+	 * contents to the kernel task stack and switch to it.
+	 */
+	subq %rsp, %rcx
+	movq PER_CPU_VAR(kernel_stack), %rdi
+	addq $KERNEL_STACK_OFFSET, %rdi
+	subq %rcx, %rdi
+	movq %rdi, %rax
+	movq %rsp, %rsi
+	rep movsb
+	movq %rax, %rsp
+1:
 	TRACE_IRQS_OFF
 	ret

@@ -1478,7 +1559,7 @@ ENTRY(nmi)
 	/*
 	 * Fix up the exception frame if we're on Xen.
 	 * PARAVIRT_ADJUST_EXCEPTION_FRAME is guaranteed to push at most
-	 * one value to the stack on native, so it may clobber the rdx
+	 * one value to the stack on native, so it may clobber the rsi
 	 * scratch slot, but it won't clobber any of the important
 	 * slots past it.
 	 *
@@ -1525,9 +1606,9 @@ ENTRY(nmi)
 	 * other IST entries.
 	 */

-	/* Use %rdx as out temp variable throughout */
-	pushq_cfi %rdx
-	CFI_REL_OFFSET rdx, 0
+	/* Use %rsi as out temp variable throughout */
+	pushq_cfi %rsi
+	CFI_REL_OFFSET rsi, 0

 	testb	$3, CS-RIP+8(%rsp)
 	jz	.Lnmi_from_kernel
@@ -1544,19 +1625,20 @@ ENTRY(nmi)
 	 */

 	SWAPGS_UNSAFE_STACK
+	SWITCH_TO_KERNEL_CR3
 	cld
-	movq	%rsp, %rdx
+	movq	%rsp, %rsi
 	movq	PER_CPU_VAR(kernel_stack), %rsp
 	addq	$KERNEL_STACK_OFFSET, %rsp
-	pushq	5*8(%rdx)	/* pt_regs->ss */
-	pushq	4*8(%rdx)	/* pt_regs->rsp */
-	pushq	3*8(%rdx)	/* pt_regs->flags */
-	pushq	2*8(%rdx)	/* pt_regs->cs */
-	pushq	1*8(%rdx)	/* pt_regs->rip */
+	pushq	5*8(%rsi)	/* pt_regs->ss */
+	pushq	4*8(%rsi)	/* pt_regs->rsp */
+	pushq	3*8(%rsi)	/* pt_regs->flags */
+	pushq	2*8(%rsi)	/* pt_regs->cs */
+	pushq	1*8(%rsi)	/* pt_regs->rip */
 	pushq   $-1		/* pt_regs->orig_ax */
 	pushq   %rdi		/* pt_regs->di */
-	pushq   %rsi		/* pt_regs->si */
-	pushq   (%rdx)		/* pt_regs->dx */
+	pushq   (%rsi)		/* pt_regs->si */
+	pushq   %rdx		/* pt_regs->dx */
 	pushq   %rcx		/* pt_regs->cx */
 	pushq   %rax		/* pt_regs->ax */
 	pushq   %r8		/* pt_regs->r8 */
@@ -1570,6 +1652,9 @@ ENTRY(nmi)
 	pushq	%r14		/* pt_regs->r14 */
 	pushq	%r15		/* pt_regs->r15 */

+	ENABLE_IBRS_CLOBBER /* no indirect jump allowed before IBRS */
+	STUFF_RSB /* no ret allowed before stuffing the RSB */
+
 	/*
 	 * At this point we no longer need to worry about stack damage
 	 * due to nesting -- we're on the normal thread stack and we're
@@ -1585,10 +1670,8 @@ ENTRY(nmi)
 	 * work, because we don't want to enable interrupts.  Fortunately,
 	 * do_nmi doesn't modify pt_regs.
 	 */
-	SWAPGS
-
 	addq	$6*8, %rsp	/* skip bx, bp, and r12-r15 */
-	jmp	restore_args
+	jmp	retint_userspace_restore_args

 .Lnmi_from_kernel:
 	/*
@@ -1600,7 +1683,7 @@ ENTRY(nmi)
 	 * | original CS                                             |
 	 * | original RIP                                            |
 	 * +---------------------------------------------------------+
-	 * | temp storage for rdx                                    |
+	 * | temp storage for rsi                                    |
 	 * +---------------------------------------------------------+
 	 * | "NMI executing" variable                                |
 	 * +---------------------------------------------------------+
@@ -1642,11 +1725,11 @@ ENTRY(nmi)
 	 * about to about to call do_nmi anyway, so we can just
 	 * resume the outer NMI.
 	 */
-	movq	$repeat_nmi, %rdx
-	cmpq	8(%rsp), %rdx
+	movq	$repeat_nmi, %rsi
+	cmpq	8(%rsp), %rsi
 	ja	1f
-	movq	$end_repeat_nmi, %rdx
-	cmpq	8(%rsp), %rdx
+	movq	$end_repeat_nmi, %rsi
+	cmpq	8(%rsp), %rsi
 	ja	nested_nmi_out
 1:

@@ -1670,8 +1753,8 @@ ENTRY(nmi)
 	 * if it controls the kernel's RSP.  We set DF before we clear
 	 * "NMI executing".
 	 */
-	lea 6*8(%rsp), %rdx
-	test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
+	lea 6*8(%rsp), %rsi
+	test_in_nmi rsi, 4*8(%rsp), nested_nmi, first_nmi

 	/* Ah, it is within the NMI stack. */

@@ -1687,12 +1770,12 @@ nested_nmi:
 	 * Modify the "iret" frame to point to repeat_nmi, forcing another
 	 * iteration of NMI handling.
 	 */
-	leaq -1*8(%rsp), %rdx
-	movq %rdx, %rsp
+	leaq -1*8(%rsp), %rsi
+	movq %rsi, %rsp
 	CFI_ADJUST_CFA_OFFSET 1*8
-	leaq -10*8(%rsp), %rdx
+	leaq -10*8(%rsp), %rsi
 	pushq_cfi $__KERNEL_DS
-	pushq_cfi %rdx
+	pushq_cfi %rsi
 	pushfq_cfi
 	pushq_cfi $__KERNEL_CS
 	pushq_cfi $repeat_nmi
@@ -1702,17 +1785,17 @@ nested_nmi:
 	CFI_ADJUST_CFA_OFFSET -6*8

 nested_nmi_out:
-	popq_cfi %rdx
-	CFI_RESTORE rdx
+	popq_cfi %rsi
+	CFI_RESTORE rsi

 	/* We are returning to kernel mode, so this cannot result in a fault. */
 	INTERRUPT_RETURN

 	CFI_RESTORE_STATE
 first_nmi:
-	/* Restore rdx. */
-	movq (%rsp), %rdx
-	CFI_RESTORE rdx
+	/* Restore rsi. */
+	movq (%rsp), %rsi
+	CFI_RESTORE rsi

 	/* Set "NMI executing" on the stack. */
 	pushq_cfi $1
@@ -1796,6 +1879,10 @@ end_repeat_nmi:
 	movq $-1,%rsi
 	call do_nmi

+	RESTORE_IBRS_CLOBBER save_reg=%r13d
+
+	RESTORE_CR3 scratch_reg=%rax save_reg=%r14
+
 	/* Did the NMI take a page fault? Restore cr2 if it did */
 	movq %cr2, %rcx
 	cmpq %rcx, %r12
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/head64.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/head64.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/head64.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/head64.c	2017-12-28 19:59:43.000000000 +0100
@@ -46,7 +46,7 @@ static void __init reset_early_page_tabl

 	next_early_pgt = 0;

-	write_cr3(__pa(early_level4_pgt));
+	__load_cr3(__pa(early_level4_pgt));
 }

 /* Create a new PMD entry */
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/head_64.S linux-3.10.0-693.11.6.el7/arch/x86/kernel/head_64.S
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/head_64.S	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/head_64.S	2017-12-28 19:59:43.000000000 +0100
@@ -440,6 +440,27 @@ early_idt_ripmsg:
 	.balign	PAGE_SIZE; \
 GLOBAL(name)

+#ifdef CONFIG_KAISER
+/*
+ * Each PGD needs to be 8k long and 8k aligned.  We do not
+ * ever go out to userspace with these, so we do not
+ * strictly *need* the second page, but this allows us to
+ * have a single set_pgd() implementation that does not
+ * need to worry about whether it has 4k or 8k to work
+ * with.
+ *
+ * This ensures PGDs are 8k long:
+ */
+#define KAISER_USER_PGD_FILL	512
+/* This ensures they are 8k-aligned: */
+#define NEXT_PGD_PAGE(name) \
+	.balign 2 * PAGE_SIZE; \
+GLOBAL(name)
+#else
+#define NEXT_PGD_PAGE(name) NEXT_PAGE(name)
+#define KAISER_USER_PGD_FILL	0
+#endif
+
 /* Automate the creation of 1 to 1 mapping pmd entries */
 #define PMDS(START, PERM, COUNT)			\
 	i = 0 ;						\
@@ -449,9 +470,10 @@ GLOBAL(name)
 	.endr

 	__INITDATA
-NEXT_PAGE(early_level4_pgt)
+NEXT_PGD_PAGE(early_level4_pgt)
 	.fill	511,8,0
 	.quad	level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
+	.fill	KAISER_USER_PGD_FILL,8,0

 NEXT_PAGE(early_dynamic_pgts)
 	.fill	512*EARLY_DYNAMIC_PAGE_TABLES,8,0
@@ -459,16 +481,18 @@ NEXT_PAGE(early_dynamic_pgts)
 	.data

 #ifndef CONFIG_XEN
-NEXT_PAGE(init_level4_pgt)
+NEXT_PGD_PAGE(init_level4_pgt)
 	.fill	512,8,0
+	.fill	KAISER_USER_PGD_FILL,8,0
 #else
-NEXT_PAGE(init_level4_pgt)
+NEXT_PGD_PAGE(init_level4_pgt)
 	.quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
 	.org    init_level4_pgt + L4_PAGE_OFFSET*8, 0
 	.quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
 	.org    init_level4_pgt + L4_START_KERNEL*8, 0
 	/* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
 	.quad   level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
+	.fill	KAISER_USER_PGD_FILL,8,0

 NEXT_PAGE(level3_ident_pgt)
 	.quad	level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/hpet.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/hpet.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/hpet.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/hpet.c	2017-12-28 19:59:43.000000000 +0100
@@ -11,6 +11,7 @@
 #include <linux/cpu.h>
 #include <linux/pm.h>
 #include <linux/io.h>
+#include <linux/kaiser.h>

 #include <asm/fixmap.h>
 #include <asm/hpet.h>
@@ -76,6 +77,8 @@ static inline void hpet_set_mapping(void
 	hpet_virt_address = ioremap_nocache(hpet_address, HPET_MMAP_SIZE);
 #ifdef CONFIG_X86_64
 	__set_fixmap(VSYSCALL_HPET, hpet_address, PAGE_KERNEL_VVAR_NOCACHE);
+	kaiser_add_mapping(__fix_to_virt(VSYSCALL_HPET), PAGE_SIZE,
+			   __PAGE_KERNEL_VVAR_NOCACHE | _PAGE_GLOBAL);
 #endif
 }

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/irq_64.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/irq_64.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/irq_64.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/irq_64.c	2017-12-28 19:59:43.000000000 +0100
@@ -16,6 +16,7 @@
 #include <linux/ftrace.h>
 #include <linux/uaccess.h>
 #include <linux/smp.h>
+#include <linux/magic.h>
 #include <asm/io_apic.h>
 #include <asm/idle.h>
 #include <asm/apic.h>
@@ -46,6 +47,9 @@ static inline void stack_overflow_check(
 	u64 estack_top, estack_bottom;
 	u64 curbase = (u64)task_stack_page(current);

+	if (WARN_ON(__this_cpu_read(init_tss.stack_canary) != STACK_END_MAGIC))
+		__this_cpu_write(init_tss.stack_canary, STACK_END_MAGIC);
+
 	if (user_mode_vm(regs))
 		return;

Только в linux-3.10.0-693.11.6.el7/arch/x86/kernel: kaiser.h
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/ldt.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/ldt.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/ldt.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/ldt.c	2017-12-28 19:59:43.000000000 +0100
@@ -10,6 +10,7 @@
 #include <linux/gfp.h>
 #include <linux/sched.h>
 #include <linux/string.h>
+#include <linux/kaiser.h>
 #include <linux/mm.h>
 #include <linux/smp.h>
 #include <linux/vmalloc.h>
@@ -28,10 +29,19 @@ static void flush_ldt(void *current_mm)
 }
 #endif

+static void free_ldt(void *ldt, int size)
+{
+	if (size * LDT_ENTRY_SIZE > PAGE_SIZE)
+		vfree(ldt);
+	else
+		put_page(virt_to_page(ldt));
+}
+
 static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
 {
 	void *oldldt, *newldt;
 	int oldsize;
+	int ret;

 	if (mincount <= pc->size)
 		return 0;
@@ -45,6 +55,13 @@ static int alloc_ldt(mm_context_t *pc, i

 	if (!newldt)
 		return -ENOMEM;
+	ret = kaiser_add_mapping((unsigned long)newldt,
+				 mincount * LDT_ENTRY_SIZE,
+				 __PAGE_KERNEL | _PAGE_GLOBAL);
+	if (ret) {
+		free_ldt(newldt, mincount);
+		return -ENOMEM;
+	}

 	if (oldsize)
 		memcpy(newldt, pc->ldt, oldsize * LDT_ENTRY_SIZE);
@@ -76,11 +93,10 @@ static int alloc_ldt(mm_context_t *pc, i
 #endif
 	}
 	if (oldsize) {
+		kaiser_remove_mapping((unsigned long)oldldt,
+				      oldsize * LDT_ENTRY_SIZE);
 		paravirt_free_ldt(oldldt, oldsize);
-		if (oldsize * LDT_ENTRY_SIZE > PAGE_SIZE)
-			vfree(oldldt);
-		else
-			put_page(virt_to_page(oldldt));
+		free_ldt(oldldt, oldsize);
 	}
 	return 0;
 }
@@ -131,6 +147,8 @@ void destroy_context(struct mm_struct *m
 		if (mm == current->active_mm)
 			clear_LDT();
 #endif
+		kaiser_remove_mapping((unsigned long)mm->context.ldt,
+				      mm->context.size * LDT_ENTRY_SIZE);
 		paravirt_free_ldt(mm->context.ldt, mm->context.size);
 		if (mm->context.size * LDT_ENTRY_SIZE > PAGE_SIZE)
 			vfree(mm->context.ldt);
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/Makefile linux-3.10.0-693.11.6.el7/arch/x86/kernel/Makefile
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/Makefile	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/Makefile	2017-12-28 19:59:43.000000000 +0100
@@ -120,3 +120,5 @@ ifeq ($(CONFIG_X86_64),y)
 	obj-$(CONFIG_PCI_MMCONFIG)	+= mmconf-fam10h_64.o
 	obj-y				+= vsmp_64.o
 endif
+
+obj-y				+= spec_ctrl.o
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/paravirt_patch_64.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/paravirt_patch_64.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/paravirt_patch_64.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/paravirt_patch_64.c	2017-12-28 19:59:43.000000000 +0100
@@ -1,5 +1,6 @@
 #include <asm/paravirt.h>
 #include <asm/asm-offsets.h>
+#include <asm/processor.h>
 #include <linux/stringify.h>

 DEF_NATIVE(pv_irq_ops, irq_disable, "cli");
@@ -66,7 +67,14 @@ unsigned native_patch(u8 type, u16 clobb
 		PATCH_SITE(pv_mmu_ops, read_cr3);
 		PATCH_SITE(pv_mmu_ops, write_cr3);
 		PATCH_SITE(pv_cpu_ops, clts);
-		PATCH_SITE(pv_mmu_ops, flush_tlb_single);
+		case PARAVIRT_PATCH(pv_mmu_ops.flush_tlb_single):
+			if (!boot_cpu_has(X86_FEATURE_PCID)) {
+				start = start_pv_mmu_ops_flush_tlb_single;
+				end   = end_pv_mmu_ops_flush_tlb_single;
+				goto patch_site;
+			} else {
+				goto patch_default;
+			}
 		PATCH_SITE(pv_cpu_ops, wbinvd);
 #if defined(CONFIG_PARAVIRT_SPINLOCKS) && defined(CONFIG_QUEUED_SPINLOCKS)
 		case PARAVIRT_PATCH(pv_lock_ops.unlock_kick):
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/process_64.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/process_64.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/process_64.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/process_64.c	2017-12-28 19:59:43.000000000 +0100
@@ -280,9 +280,6 @@ __switch_to(struct task_struct *prev_p,

 	fpu = switch_fpu_prepare(prev_p, next_p, cpu);

-	/* Reload esp0 and ss1. */
-	load_sp0(tss, next);
-
 	/* We must save %fs and %gs before load_TLS() because
 	 * %fs and %gs may be cleared by load_TLS().
 	 *
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/process.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/process.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/process.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/process.c	2017-12-28 19:59:43.000000000 +0100
@@ -37,7 +37,7 @@
  * section. Since TSS's are completely CPU-local, we want them
  * on exact cacheline boundaries, to eliminate cacheline ping-pong.
  */
-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
+DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct tss_struct, init_tss) = INIT_TSS;

 #ifdef CONFIG_X86_64
 static DEFINE_PER_CPU(unsigned char, is_idle);
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/reboot.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/reboot.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/reboot.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/reboot.c	2017-12-28 19:59:43.000000000 +0100
@@ -180,6 +180,10 @@ void __noreturn machine_real_restart(uns
 	load_cr3(initial_page_table);
 #else
 	write_cr3(real_mode_header->trampoline_pgd);
+
+	/* Exiting long mode will fail if CR4.PCIDE is set. */
+	if (static_cpu_has(X86_FEATURE_PCID))
+		clear_in_cr4(X86_CR4_PCIDE);
 #endif

 	/* Jump to the identity-mapped low memory code */
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/smpboot.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/smpboot.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/smpboot.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/smpboot.c	2017-12-28 19:59:43.000000000 +0100
@@ -198,10 +198,12 @@ static int enable_start_cpu0;
 static void notrace start_secondary(void *unused)
 {
 	/*
-	 * Don't put *anything* before cpu_init(), SMP booting is too
-	 * fragile that we want to limit the things done here to the
-	 * most necessary things.
+	 * Don't put *anything* except direct CPU state initialization
+	 * before cpu_init(), SMP booting is too fragile that we want to
+	 * limit the things done here to the most necessary things.
 	 */
+	if (boot_cpu_has(X86_FEATURE_PCID))
+		write_cr4(read_cr4() | X86_CR4_PCIDE);
 	cpu_init();
 	x86_cpuinit.early_percpu_clock_init();
 	preempt_disable();
@@ -1650,9 +1652,13 @@ void native_play_dead(void)
 	play_dead_common();
 	tboot_shutdown(TB_SHUTDOWN_WFS);

+	spec_ctrl_disable_ibrs();
+
 	mwait_play_dead();	/* Only returns on failure */
 	if (cpuidle_play_dead())
 		hlt_play_dead();
+
+	spec_ctrl_enable_ibrs();
 }

 #else /* ... !CONFIG_HOTPLUG_CPU */
Только в linux-3.10.0-693.11.6.el7/arch/x86/kernel: spec_ctrl.c
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/vmlinux.lds.S linux-3.10.0-693.11.6.el7/arch/x86/kernel/vmlinux.lds.S
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/vmlinux.lds.S	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/vmlinux.lds.S	2017-12-28 19:59:43.000000000 +0100
@@ -79,6 +79,12 @@ PHDRS {
 	note PT_NOTE FLAGS(0);          /* ___ */
 }

+#ifdef CONFIG_KAISER
+#define ALIGN_KAISER()	. = ALIGN(PAGE_SIZE);
+#else
+#define ALIGN_KAISER()
+#endif
+
 SECTIONS
 {
 #ifdef CONFIG_X86_32
@@ -100,9 +106,11 @@ SECTIONS
 		SCHED_TEXT
 		CPUIDLE_TEXT
 		LOCK_TEXT
+		ALIGN_KAISER()
 		KPROBES_TEXT
 		ENTRY_TEXT
 		IRQENTRY_TEXT
+		ALIGN_KAISER()
 		*(.fixup)
 		*(.gnu.warning)
 		/* End of text section */
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kernel/vsyscall_64.c linux-3.10.0-693.11.6.el7/arch/x86/kernel/vsyscall_64.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kernel/vsyscall_64.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kernel/vsyscall_64.c	2017-12-28 19:59:43.000000000 +0100
@@ -56,7 +56,7 @@
 DEFINE_VVAR(int, vgetcpu_mode);
 DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data);

-static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
+enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;

 static int __init vsyscall_setup(char *str)
 {
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kvm/cpuid.c linux-3.10.0-693.11.6.el7/arch/x86/kvm/cpuid.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kvm/cpuid.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kvm/cpuid.c	2017-12-28 19:59:43.000000000 +0100
@@ -68,8 +68,16 @@ u64 kvm_supported_xcr0(void)
 #define F(x) bit(X86_FEATURE_##x)

 /* These are scattered features in cpufeatures.h. */
+
+/* CPUID[eax=7,ecx=0].edx */
 #define KVM_CPUID_BIT_AVX512_4VNNIW     2
 #define KVM_CPUID_BIT_AVX512_4FMAPS     3
+#define KVM_CPUID_BIT_SPEC_CTRL		26
+#define KVM_CPUID_BIT_STIBP		27
+
+/* CPUID[eax=0x80000008].ebx */
+#define KVM_CPUID_BIT_IBPB_SUPPORT	12
+
 #define KF(x) bit(KVM_CPUID_BIT_##x)

 int kvm_update_cpuid(struct kvm_vcpu *vcpu)
@@ -375,7 +383,12 @@ static inline int __do_cpuid_ent(struct

 	/* cpuid 7.0.edx*/
 	const u32 kvm_cpuid_7_0_edx_x86_features =
-		KF(AVX512_4VNNIW) | KF(AVX512_4FMAPS);
+		KF(AVX512_4VNNIW) | KF(AVX512_4FMAPS) |
+		KF(SPEC_CTRL) | KF(STIBP);
+
+	/* cpuid 0x80000008.ebx */
+	const u32 kvm_cpuid_80000008_ebx_x86_features =
+		KF(IBPB_SUPPORT);

 	/* all calls to cpuid_count() should be made on the same cpu */
 	get_cpu();
@@ -607,7 +620,9 @@ static inline int __do_cpuid_ent(struct
 		if (!g_phys_as)
 			g_phys_as = phys_as;
 		entry->eax = g_phys_as | (virt_as << 8);
-		entry->ebx = entry->edx = 0;
+		entry->ebx &= kvm_cpuid_80000008_ebx_x86_features;
+		entry->ebx &= get_scattered_cpuid_leaf(0x80000008, 0, CPUID_EBX);
+		entry->edx = 0;
 		break;
 	}
 	case 0x80000019:
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kvm/svm.c linux-3.10.0-693.11.6.el7/arch/x86/kvm/svm.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kvm/svm.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kvm/svm.c	2017-12-28 19:59:43.000000000 +0100
@@ -163,6 +163,8 @@ struct vcpu_svm {
 		u64 gs_base;
 	} host;

+	u64 spec_ctrl;
+
 	u32 *msrpm;

 	ulong nmi_iret_rip;
@@ -199,7 +201,7 @@ static DEFINE_PER_CPU(u64, current_tsc_r

 static const struct svm_direct_access_msrs {
 	u32 index;   /* Index of the MSR */
-	bool always; /* True if intercept is always on */
+	bool always; /* True if intercept is always off */
 } direct_access_msrs[] = {
 	{ .index = MSR_STAR,				.always = true  },
 	{ .index = MSR_IA32_SYSENTER_CS,		.always = true  },
@@ -211,6 +213,8 @@ static const struct svm_direct_access_ms
 	{ .index = MSR_CSTAR,				.always = true  },
 	{ .index = MSR_SYSCALL_MASK,			.always = true  },
 #endif
+	{ .index = MSR_IA32_SPEC_CTRL,			.always = true  },
+	{ .index = MSR_IA32_PRED_CMD,			.always = true  },
 	{ .index = MSR_IA32_LASTBRANCHFROMIP,		.always = false },
 	{ .index = MSR_IA32_LASTBRANCHTOIP,		.always = false },
 	{ .index = MSR_IA32_LASTINTFROMIP,		.always = false },
@@ -469,6 +473,8 @@ struct svm_cpu_data {
 	struct kvm_ldttss_desc *tss_desc;

 	struct page *save_area;
+
+	struct vmcb *current_vmcb;
 };

 static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data);
@@ -1476,11 +1482,18 @@ static void svm_free_vcpu(struct kvm_vcp
 	__free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
 	kvm_vcpu_uninit(vcpu);
 	kmem_cache_free(kvm_vcpu_cache, svm);
+
+	/*
+	 * The VMCB could be recycled, causing a false negative in svm_vcpu_load;
+	 * block speculative execution.
+	 */
+	spec_ctrl_ibpb();
 }

 static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 {
 	struct vcpu_svm *svm = to_svm(vcpu);
+	struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
 	int i;

 	if (unlikely(cpu != vcpu->cpu)) {
@@ -1506,6 +1519,11 @@ static void svm_vcpu_load(struct kvm_vcp
 		}
 	}

+	if (sd->current_vmcb != svm->vmcb) {
+		sd->current_vmcb = svm->vmcb;
+		spec_ctrl_ibpb();
+	}
+
 	avic_vcpu_load(vcpu, cpu);
 }

@@ -2522,6 +2540,11 @@ static int nested_svm_vmexit(struct vcpu
 	if (!nested_vmcb)
 		return 1;

+	/*
+	 * No need for IBPB here, the L1 hypervisor should be running with
+	 * IBRS=1 and inserts one already when switching L2 VMs.
+	 */
+
 	/* Exit Guest-Mode */
 	leave_guest_mode(&svm->vcpu);
 	svm->nested.vmcb = 0;
@@ -2688,6 +2711,11 @@ static bool nested_svm_vmrun(struct vcpu
 	if (!nested_vmcb)
 		return false;

+	/*
+	 * No need for IBPB here, since the nested VM is less privileged.  The
+	 * L1 hypervisor inserts one already when switching L2 VMs.
+	 */
+
 	if (!nested_vmcb_checks(nested_vmcb)) {
 		nested_vmcb->control.exit_code    = SVM_EXIT_ERR;
 		nested_vmcb->control.exit_code_hi = 0;
@@ -3317,6 +3345,9 @@ static int svm_get_msr(struct kvm_vcpu *
 	case MSR_VM_CR:
 		msr_info->data = svm->nested.vm_cr_msr;
 		break;
+	case MSR_IA32_SPEC_CTRL:
+		msr_info->data = svm->spec_ctrl;
+		break;
 	case MSR_IA32_UCODE_REV:
 		msr_info->data = 0x01000065;
 		break;
@@ -3436,6 +3467,9 @@ static int svm_set_msr(struct kvm_vcpu *
 	case MSR_VM_IGNNE:
 		vcpu_unimpl(vcpu, "unimplemented wrmsr: 0x%x data 0x%llx\n", ecx, data);
 		break;
+	case MSR_IA32_SPEC_CTRL:
+		svm->spec_ctrl = data;
+		break;
 	case MSR_IA32_APICBASE:
 		if (kvm_vcpu_apicv_active(vcpu))
 			avic_update_vapic_bar(to_svm(vcpu), data);
@@ -4396,6 +4430,8 @@ static void svm_vcpu_run(struct kvm_vcpu

 	local_irq_enable();

+	spec_ctrl_vmenter_ibrs(svm->spec_ctrl);
+
 	asm volatile (
 		"push %%" _ASM_BP "; \n\t"
 		"mov %c[rbx](%[svm]), %%" _ASM_BX " \n\t"
@@ -4440,6 +4476,25 @@ static void svm_vcpu_run(struct kvm_vcpu
 		"mov %%r14, %c[r14](%[svm]) \n\t"
 		"mov %%r15, %c[r15](%[svm]) \n\t"
 #endif
+		/*
+		 * Clear host registers marked as clobbered to prevent
+		 * speculative use.
+		 */
+		"xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
+		"xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
+		"xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
+		"xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
+		"xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
+#ifdef CONFIG_X86_64
+		"xor %%r8, %%r8 \n\t"
+		"xor %%r9, %%r9 \n\t"
+		"xor %%r10, %%r10 \n\t"
+		"xor %%r11, %%r11 \n\t"
+		"xor %%r12, %%r12 \n\t"
+		"xor %%r13, %%r13 \n\t"
+		"xor %%r14, %%r14 \n\t"
+		"xor %%r15, %%r15 \n\t"
+#endif
 		"pop %%" _ASM_BP
 		:
 		: [svm]"a"(svm),
@@ -4470,7 +4525,7 @@ static void svm_vcpu_run(struct kvm_vcpu
 		);

 #ifdef CONFIG_X86_64
-	wrmsrl(MSR_GS_BASE, svm->host.gs_base);
+	native_wrmsrl(MSR_GS_BASE, svm->host.gs_base);
 #else
 	loadsegment(fs, svm->host.fs);
 #ifndef CONFIG_X86_32_LAZY_GS
@@ -4478,6 +4533,12 @@ static void svm_vcpu_run(struct kvm_vcpu
 #endif
 #endif

+	if (cpu_has_spec_ctrl()) {
+		rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+		__spec_ctrl_vmexit_ibrs(svm->spec_ctrl);
+	}
+	stuff_RSB();
+
 	reload_tss(vcpu);

 	local_irq_disable();
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kvm/vmx.c linux-3.10.0-693.11.6.el7/arch/x86/kvm/vmx.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kvm/vmx.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kvm/vmx.c	2017-12-28 19:59:43.000000000 +0100
@@ -544,6 +544,8 @@ struct vcpu_vmx {
 	u64 		      msr_host_kernel_gs_base;
 	u64 		      msr_guest_kernel_gs_base;
 #endif
+	u64		      spec_ctrl;
+
 	u32 vm_entry_controls_shadow;
 	u32 vm_exit_controls_shadow;
 	/*
@@ -2076,6 +2078,7 @@ static void vmx_vcpu_load(struct kvm_vcp
 	if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
 		per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
 		vmcs_load(vmx->loaded_vmcs->vmcs);
+		spec_ctrl_ibpb();
 	}

 	if (vmx->loaded_vmcs->cpu != cpu) {
@@ -2796,6 +2799,9 @@ static int vmx_get_msr(struct kvm_vcpu *
 	case MSR_IA32_TSC:
 		msr_info->data = guest_read_tsc(vcpu);
 		break;
+	case MSR_IA32_SPEC_CTRL:
+		msr_info->data = to_vmx(vcpu)->spec_ctrl;
+		break;
 	case MSR_IA32_SYSENTER_CS:
 		msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
 		break;
@@ -2891,6 +2897,9 @@ static int vmx_set_msr(struct kvm_vcpu *
 	case MSR_IA32_TSC:
 		kvm_write_tsc(vcpu, msr_info);
 		break;
+	case MSR_IA32_SPEC_CTRL:
+		to_vmx(vcpu)->spec_ctrl = msr_info->data;
+		break;
 	case MSR_IA32_CR_PAT:
 		if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
 			if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
@@ -3328,6 +3337,12 @@ static void free_loaded_vmcs(struct load
 	free_vmcs(loaded_vmcs->vmcs);
 	loaded_vmcs->vmcs = NULL;
 	WARN_ON(loaded_vmcs->shadow_vmcs != NULL);
+
+	/*
+	 * The VMCS could be recycled, causing a false negative in vmx_vcpu_load;
+	 * block speculative execution.
+	 */
+	spec_ctrl_ibpb();
 }

 static void free_kvm_area(void)
@@ -6196,6 +6211,8 @@ static __init int hardware_setup(void)
 	vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_ESP, false);
 	vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_EIP, false);
 	vmx_disable_intercept_for_msr(MSR_IA32_BNDCFGS, true);
+	vmx_disable_intercept_for_msr(MSR_IA32_SPEC_CTRL, false);
+	vmx_disable_intercept_for_msr(MSR_IA32_PRED_CMD, false);

 	memcpy(vmx_msr_bitmap_legacy_x2apic,
 			vmx_msr_bitmap_legacy, PAGE_SIZE);
@@ -8548,6 +8565,8 @@ static void __noclone vmx_vcpu_run(struc
 	if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
 		vmx_set_interrupt_shadow(vcpu, 0);

+	spec_ctrl_vmenter_ibrs(vmx->spec_ctrl);
+
 	atomic_switch_perf_msrs(vmx);
 	debugctlmsr = get_debugctlmsr();

@@ -8621,6 +8640,23 @@ static void __noclone vmx_vcpu_run(struc

 		"pop  %%" _ASM_BP "; pop  %%" _ASM_DX " \n\t"
 		"setbe %c[fail](%0) \n\t"
+		/*
+		 * Clear host registers marked as clobbered to prevent
+		 * speculative use.
+		 */
+		"xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
+		"xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
+		"xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
+#ifdef CONFIG_X86_64
+		"xor %%r8, %%r8 \n\t"
+		"xor %%r9, %%r9 \n\t"
+		"xor %%r10, %%r10 \n\t"
+		"xor %%r11, %%r11 \n\t"
+		"xor %%r12, %%r12 \n\t"
+		"xor %%r13, %%r13 \n\t"
+		"xor %%r14, %%r14 \n\t"
+		"xor %%r15, %%r15 \n\t"
+#endif
 		".pushsection .rodata \n\t"
 		".global vmx_return \n\t"
 		"vmx_return: " _ASM_PTR " 2b \n\t"
@@ -8657,6 +8693,12 @@ static void __noclone vmx_vcpu_run(struc
 #endif
 	      );

+	if (cpu_has_spec_ctrl()) {
+		rdmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+		__spec_ctrl_vmexit_ibrs(vmx->spec_ctrl);
+	}
+	stuff_RSB();
+
 	/* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
 	if (debugctlmsr)
 		update_debugctlmsr(debugctlmsr);
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/kvm/x86.c linux-3.10.0-693.11.6.el7/arch/x86/kvm/x86.c
--- linux-3.10.0-693.11.1.el7/arch/x86/kvm/x86.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/kvm/x86.c	2017-12-28 19:59:43.000000000 +0100
@@ -768,7 +768,8 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, u
 			return 1;

 		/* PCID can not be enabled when cr3[11:0]!=000H or EFER.LMA=0 */
-		if ((kvm_read_cr3(vcpu) & X86_CR3_PCID_MASK) || !is_long_mode(vcpu))
+		if ((kvm_read_cr3(vcpu) & X86_CR3_PCID_ASID_MASK) ||
+		    !is_long_mode(vcpu))
 			return 1;
 	}

@@ -969,6 +970,7 @@ static u32 msrs_to_save[] = {
 #endif
 	MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
 	MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
+	MSR_IA32_SPEC_CTRL,
 };

 static unsigned num_msrs_to_save;
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/mm/init.c linux-3.10.0-693.11.6.el7/arch/x86/mm/init.c
--- linux-3.10.0-693.11.1.el7/arch/x86/mm/init.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/mm/init.c	2017-12-28 19:59:43.000000000 +0100
@@ -18,6 +18,8 @@
 #include <asm/dma.h>		/* for MAX_DMA_PFN */
 #include <asm/microcode.h>
 #include <asm/kaslr.h>
+#include <asm/cpufeature.h>
+#include <asm/mmu_context.h>

 #include "mm_internal.h"

@@ -192,6 +194,47 @@ static void __init probe_page_size_mask(
 	}
 }

+static void setup_pcid(void)
+{
+#ifdef CONFIG_X86_64
+	if (boot_cpu_has(X86_FEATURE_PCID)) {
+		if (boot_cpu_has(X86_FEATURE_PGE)) {
+			/*
+			 * This can't be cr4_set_bits_and_update_boot() --
+			 * the trampoline code can't handle CR4.PCIDE and
+			 * it wouldn't do any good anyway.  Despite the name,
+			 * cr4_set_bits_and_update_boot() doesn't actually
+			 * cause the bits in question to remain set all the
+			 * way through the secondary boot asm.
+			 *
+			 * Instead, we brute-force it and set CR4.PCIDE
+			 * manually in start_secondary().
+			 */
+			set_in_cr4(X86_CR4_PCIDE);
+			/*
+			 * INVPCID's single-context modes (2/3) only work
+			 * if we set X86_CR4_PCIDE, *and* we INVPCID
+			 * support.  It's unusable on systems that have
+			 * X86_CR4_PCIDE clear, or that have no INVPCID
+			 * support at all.
+			 */
+			if (boot_cpu_has(X86_FEATURE_INVPCID))
+				setup_force_cpu_cap(X86_FEATURE_INVPCID_SINGLE);
+		} else {
+			/*
+			 * flush_tlb_all(), as currently implemented, won't
+			 * work if PCID is on but PGE is not.  Since that
+			 * combination doesn't exist on real hardware, there's
+			 * no reason to try to fully support it, but it's
+			 * polite to avoid corrupting data if we're on
+			 * an improperly configured VM.
+			 */
+			setup_clear_cpu_cap(X86_FEATURE_PCID);
+		}
+	}
+#endif
+}
+
 #ifdef CONFIG_X86_32
 #define NR_RANGE_MR 3
 #else /* CONFIG_X86_64 */
@@ -570,6 +613,7 @@ void __init init_mem_mapping(void)
 	unsigned long end;

 	probe_page_size_mask();
+	setup_pcid();

 #ifdef CONFIG_X86_64
 	end = max_pfn << PAGE_SHIFT;
Только в linux-3.10.0-693.11.6.el7/arch/x86/mm: kaiser.c
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/mm/Makefile linux-3.10.0-693.11.6.el7/arch/x86/mm/Makefile
--- linux-3.10.0-693.11.1.el7/arch/x86/mm/Makefile	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/mm/Makefile	2017-12-28 19:59:43.000000000 +0100
@@ -33,5 +33,6 @@ obj-$(CONFIG_MEMTEST)		+= memtest.o

 obj-$(CONFIG_X86_INTEL_MPX)	+= mpx.o
 obj-$(CONFIG_RANDOMIZE_MEMORY)	+= kaslr.o
+obj-$(CONFIG_KAISER)		+= kaiser.o

 obj-$(CONFIG_TRACK_DIRTY_PAGES)	+= track.o
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/mm/pageattr.c linux-3.10.0-693.11.6.el7/arch/x86/mm/pageattr.c
--- linux-3.10.0-693.11.1.el7/arch/x86/mm/pageattr.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/mm/pageattr.c	2017-12-28 19:59:43.000000000 +0100
@@ -501,9 +501,9 @@ try_preserve_large_page(pte_t *kpte, uns
 	 * for the ancient hardware that doesn't support it.
 	 */
 	if (pgprot_val(req_prot) & _PAGE_PRESENT)
-		pgprot_val(req_prot) |= _PAGE_PSE | _PAGE_GLOBAL;
+		pgprot_val(req_prot) |= _PAGE_PSE | __PAGE_KERNEL_GLOBAL;
 	else
-		pgprot_val(req_prot) &= ~(_PAGE_PSE | _PAGE_GLOBAL);
+		pgprot_val(req_prot) &= ~(_PAGE_PSE | __PAGE_KERNEL_GLOBAL);

 	req_prot = canon_pgprot(req_prot);

@@ -617,9 +617,9 @@ __split_large_page(struct cpa_data *cpa,
 	 * for the ancient hardware that doesn't support it.
 	 */
 	if (pgprot_val(ref_prot) & _PAGE_PRESENT)
-		pgprot_val(ref_prot) |= _PAGE_GLOBAL;
+		pgprot_val(ref_prot) |= __PAGE_KERNEL_GLOBAL;
 	else
-		pgprot_val(ref_prot) &= ~_PAGE_GLOBAL;
+		pgprot_val(ref_prot) &= ~__PAGE_KERNEL_GLOBAL;

 	/*
 	 * Get the target pfn from the original entry:
@@ -1134,9 +1134,9 @@ repeat:
 		 * support it.
 		 */
 		if (pgprot_val(new_prot) & _PAGE_PRESENT)
-			pgprot_val(new_prot) |= _PAGE_GLOBAL;
+			pgprot_val(new_prot) |= __PAGE_KERNEL_GLOBAL;
 		else
-			pgprot_val(new_prot) &= ~_PAGE_GLOBAL;
+			pgprot_val(new_prot) &= ~__PAGE_KERNEL_GLOBAL;

 		/*
 		 * We need to keep the pfn from the existing PTE,
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/mm/pgtable.c linux-3.10.0-693.11.6.el7/arch/x86/mm/pgtable.c
--- linux-3.10.0-693.11.1.el7/arch/x86/mm/pgtable.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/mm/pgtable.c	2017-12-28 19:59:43.000000000 +0100
@@ -274,12 +274,23 @@ static void pgd_prepopulate_pmd(struct m
 	}
 }

+#ifdef CONFIG_KAISER
+/*
+ * Instead of one pgd, we aquire two pgds.  Being order-1, it is
+ * both 8k in size and 8k-aligned.  That lets us just flip bit 12
+ * in a pointer to swap between the two 4k halves.
+ */
+#define PGD_ALLOCATION_ORDER 1
+#else
+#define PGD_ALLOCATION_ORDER 0
+#endif
+
 pgd_t *pgd_alloc(struct mm_struct *mm)
 {
 	pgd_t *pgd;
 	pmd_t *pmds[PREALLOCATED_PMDS];

-	pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
+	pgd = (pgd_t *)__get_free_pages(PGALLOC_GFP, PGD_ALLOCATION_ORDER);

 	if (pgd == NULL)
 		goto out;
@@ -309,7 +320,7 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
 out_free_pmds:
 	free_pmds(pmds);
 out_free_pgd:
-	free_page((unsigned long)pgd);
+	free_pages((unsigned long)pgd, PGD_ALLOCATION_ORDER);
 out:
 	return NULL;
 }
@@ -319,7 +330,7 @@ void pgd_free(struct mm_struct *mm, pgd_
 	pgd_mop_up_pmds(mm, pgd);
 	pgd_dtor(pgd);
 	paravirt_pgd_free(mm, pgd);
-	free_page((unsigned long)pgd);
+	free_pages((unsigned long)pgd, PGD_ALLOCATION_ORDER);
 }

 /*
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/platform/efi/early_printk.c linux-3.10.0-693.11.6.el7/arch/x86/platform/efi/early_printk.c
--- linux-3.10.0-693.11.1.el7/arch/x86/platform/efi/early_printk.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/platform/efi/early_printk.c	2017-12-28 19:59:43.000000000 +0100
@@ -187,6 +187,7 @@ early_efi_write(struct console *con, con
 		if (efi_y + font->height > si->lfb_height) {
 			u32 i;

+			gmb();
 			efi_y -= font->height;
 			early_efi_scroll_up();

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/power/cpu.c linux-3.10.0-693.11.6.el7/arch/x86/power/cpu.c
--- linux-3.10.0-693.11.1.el7/arch/x86/power/cpu.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/power/cpu.c	2017-12-28 19:59:43.000000000 +0100
@@ -24,6 +24,7 @@
 #include <asm/debugreg.h>
 #include <asm/fpu-internal.h> /* pcntxt_mask */
 #include <asm/cpu.h>
+#include <asm/mmu_context.h>

 #ifdef CONFIG_X86_32
 unsigned long saved_context_ebx;
@@ -183,7 +184,6 @@ static void notrace __restore_processor_
 	write_cr8(ctxt->cr8);
 	write_cr4(ctxt->cr4);
 #endif
-	write_cr3(ctxt->cr3);
 	write_cr2(ctxt->cr2);
 	write_cr0(ctxt->cr0);

@@ -226,6 +226,12 @@ static void notrace __restore_processor_
 #endif

 	/*
+	 * __load_cr3 requires kernel %gs to be initialized to be able
+	 * to access per-cpu areas.
+	 */
+	__load_cr3(ctxt->cr3);
+
+	/*
 	 * restore XCR0 for xsave capable cpu's.
 	 */
 	if (cpu_has_xsave)
@@ -237,6 +243,7 @@ static void notrace __restore_processor_
 	x86_platform.restore_sched_clock_state();
 	mtrr_bp_restore();
 	perf_restore_debug_store();
+	spec_ctrl_cpu_init();
 }

 /* Needed by apm.c */
diff -upr linux-3.10.0-693.11.1.el7/arch/x86/um/asm/barrier.h linux-3.10.0-693.11.6.el7/arch/x86/um/asm/barrier.h
--- linux-3.10.0-693.11.1.el7/arch/x86/um/asm/barrier.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/um/asm/barrier.h	2017-12-28 19:59:43.000000000 +0100
@@ -64,7 +64,6 @@
  */
 static inline void rdtsc_barrier(void)
 {
-	alternative(ASM_NOP3, "mfence", X86_FEATURE_MFENCE_RDTSC);
 	alternative(ASM_NOP3, "lfence", X86_FEATURE_LFENCE_RDTSC);
 }

diff -upr linux-3.10.0-693.11.1.el7/arch/x86/xen/smp.c linux-3.10.0-693.11.6.el7/arch/x86/xen/smp.c
--- linux-3.10.0-693.11.1.el7/arch/x86/xen/smp.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/arch/x86/xen/smp.c	2017-12-28 19:59:43.000000000 +0100
@@ -23,6 +23,7 @@
 #include <asm/desc.h>
 #include <asm/pgtable.h>
 #include <asm/cpu.h>
+#include <asm/mmu_context.h>

 #include <xen/interface/xen.h>
 #include <xen/interface/vcpu.h>
diff -upr linux-3.10.0-693.11.1.el7/block/cfq-iosched.c linux-3.10.0-693.11.6.el7/block/cfq-iosched.c
--- linux-3.10.0-693.11.1.el7/block/cfq-iosched.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/block/cfq-iosched.c	2017-12-28 19:59:43.000000000 +0100
@@ -2758,10 +2758,12 @@ static void cfq_arm_slice_timer(struct c
 	 */
 	if (sample_valid(cic->ttime.ttime_samples) &&
 	    (cfqq->slice_end - jiffies < cic->ttime.ttime_mean)) {
+		gmb();
 		cfq_log_cfqq(cfqd, cfqq, "Not idling. think_time:%lu",
 			     cic->ttime.ttime_mean);
 		return;
 	}
+	gmb();

 	/* There are other queues in the group, don't do group idle */
 	if (group_idle && cfqq->cfqg->nr_cfqq > 1)
diff -upr linux-3.10.0-693.11.1.el7/Documentation/kernel-parameters.txt linux-3.10.0-693.11.6.el7/Documentation/kernel-parameters.txt
--- linux-3.10.0-693.11.1.el7/Documentation/kernel-parameters.txt	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/Documentation/kernel-parameters.txt	2017-12-28 19:59:43.000000000 +0100
@@ -1479,8 +1479,7 @@ bytes respectively. Such letter suffixes
 			Valid arguments: on, off
 			Default: on

-	kstack=N	[X86] Print N words from the kernel stack
-			in oops dumps.
+	kpti		[X86-64] Enable kernel page table isolation.

 	kvm.ignore_msrs=[KVM] Ignore guest accesses to unhandled MSRs.
 			Default is 0 (don't ignore, but inject #GP)
@@ -2223,6 +2222,8 @@ bytes respectively. Such letter suffixes
 			steal time is computed, but won't influence scheduler
 			behaviour

+	nopti		[X86-64] Disable kernel page table isolation.
+
 	nolapic		[X86-32,APIC] Do not enable or use the local APIC.

 	nolapic_timer	[X86-32,APIC] Do not use the local APIC timer.
Только в linux-3.10.0-693.11.6.el7/Documentation: spec_ctrl.txt
diff -upr linux-3.10.0-693.11.1.el7/Documentation/sysctl/kernel.txt linux-3.10.0-693.11.6.el7/Documentation/sysctl/kernel.txt
--- linux-3.10.0-693.11.1.el7/Documentation/sysctl/kernel.txt	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/Documentation/sysctl/kernel.txt	2017-12-28 19:59:43.000000000 +0100
@@ -40,7 +40,6 @@ show up in /proc/sys/kernel:
 - hung_task_timeout_secs
 - hung_task_warnings
 - kptr_restrict
-- kstack_depth_to_print       [ X86 only ]
 - l2cr                        [ PPC only ]
 - modprobe                    ==> Documentation/debugging-modules.txt
 - modules_disabled
@@ -388,13 +387,6 @@ When kptr_restrict is set to (2), kernel

 ==============================================================

-kstack_depth_to_print: (X86 only)
-
-Controls the number of words to print when dumping the raw
-kernel stack.
-
-==============================================================
-
 l2cr: (PPC only)

 This flag controls the L2 cache of G3 processor boards. If
diff -upr linux-3.10.0-693.11.1.el7/Documentation/x86/x86_64/boot-options.txt linux-3.10.0-693.11.6.el7/Documentation/x86/x86_64/boot-options.txt
--- linux-3.10.0-693.11.1.el7/Documentation/x86/x86_64/boot-options.txt	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/Documentation/x86/x86_64/boot-options.txt	2017-12-28 19:59:43.000000000 +0100
@@ -288,10 +288,6 @@ IOMMU (input/output memory management un
     space might stop working. Use this option if you have devices that
     are accessed from userspace directly on some PCI host bridge.

-Debugging
-
-  kstack=N	Print N words from the kernel stack in oops dumps.
-
   pagefaulttrace  Dump all page faults. Only useful for extreme debugging
 		and will create a lot of output.

diff -upr linux-3.10.0-693.11.1.el7/drivers/ata/sata_sil24.c linux-3.10.0-693.11.6.el7/drivers/ata/sata_sil24.c
--- linux-3.10.0-693.11.1.el7/drivers/ata/sata_sil24.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/ata/sata_sil24.c	2017-12-28 19:59:43.000000000 +0100
@@ -1041,6 +1041,7 @@ static void sil24_error_intr(struct ata_
 			pmp = (context >> 5) & 0xf;

 			if (pmp < ap->nr_pmp_links) {
+				gmb();
 				link = &ap->pmp_link[pmp];
 				ehi = &link->eh_info;
 				qc = ata_qc_from_tag(ap, link->active_tag);
diff -upr linux-3.10.0-693.11.1.el7/drivers/cpufreq/amd_freq_sensitivity.c linux-3.10.0-693.11.6.el7/drivers/cpufreq/amd_freq_sensitivity.c
--- linux-3.10.0-693.11.1.el7/drivers/cpufreq/amd_freq_sensitivity.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/cpufreq/amd_freq_sensitivity.c	2017-12-28 19:59:43.000000000 +0100
@@ -85,13 +85,16 @@ static unsigned int amd_powersave_bias_t
 		if (data->freq_prev == policy->cur)
 			freq_next = policy->cur;

-		if (freq_next > policy->cur)
+		if (freq_next > policy->cur) {
+			gmb();
 			freq_next = policy->cur;
-		else if (freq_next < policy->cur)
+		} else if (freq_next < policy->cur) {
+			gmb();
 			freq_next = policy->min;
-		else {
+		} else {
 			unsigned int index;

+			gmb();
 			cpufreq_frequency_table_target(policy,
 				od_info->freq_table, policy->cur - 1,
 				CPUFREQ_RELATION_H, &index);
diff -upr linux-3.10.0-693.11.1.el7/drivers/dax/dax.c linux-3.10.0-693.11.6.el7/drivers/dax/dax.c
--- linux-3.10.0-693.11.1.el7/drivers/dax/dax.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/dax/dax.c	2017-12-28 19:59:43.000000000 +0100
@@ -420,6 +420,7 @@ static phys_addr_t pgoff_to_phys(struct
 	}

 	if (i < dax_dev->num_resources) {
+		gmb();
 		res = &dax_dev->res[i];
 		if (phys + size - 1 <= res->end)
 			return phys;
diff -upr linux-3.10.0-693.11.1.el7/drivers/gpu/drm/ast/ast_post.c linux-3.10.0-693.11.6.el7/drivers/gpu/drm/ast/ast_post.c
--- linux-3.10.0-693.11.1.el7/drivers/gpu/drm/ast/ast_post.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/gpu/drm/ast/ast_post.c	2017-12-28 19:59:43.000000000 +0100
@@ -658,6 +658,7 @@ FINETUNE_START:
 	passcnt = 0;
 	for (cnt = 0; cnt < 16; cnt++) {
 		if ((dllmax[cnt] > dllmin[cnt]) && ((dllmax[cnt] - dllmin[cnt]) >= CBR_THRESHOLD2)) {
+			gmb();
 			gold_sadj[0] += dllmin[cnt];
 			passcnt++;
 		}
@@ -676,6 +677,7 @@ FINETUNE_DONE:
 	for (cnt = 0; cnt < 8; cnt++) {
 		data >>= 3;
 		if ((dllmax[cnt] > dllmin[cnt]) && ((dllmax[cnt] - dllmin[cnt]) >= CBR_THRESHOLD2)) {
+			gmb();
 			dlli = dllmin[cnt];
 			if (gold_sadj[0] >= dlli) {
 				dlli = ((gold_sadj[0] - dlli) * 19) >> 5;
@@ -698,6 +700,7 @@ FINETUNE_DONE:
 	for (cnt = 8; cnt < 16; cnt++) {
 		data >>= 3;
 		if ((dllmax[cnt] > dllmin[cnt]) && ((dllmax[cnt] - dllmin[cnt]) >= CBR_THRESHOLD2)) {
+			gmb();
 			dlli = dllmin[cnt];
 			if (gold_sadj[1] >= dlli) {
 				dlli = ((gold_sadj[1] - dlli) * 19) >> 5;
diff -upr linux-3.10.0-693.11.1.el7/drivers/gpu/drm/i915/gvt/mmio.c linux-3.10.0-693.11.6.el7/drivers/gpu/drm/i915/gvt/mmio.c
--- linux-3.10.0-693.11.1.el7/drivers/gpu/drm/i915/gvt/mmio.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/gpu/drm/i915/gvt/mmio.c	2017-12-28 19:59:43.000000000 +0100
@@ -79,6 +79,7 @@ static void failsafe_emulate_mmio_rw(str
 					bytes);
 	} else if (reg_is_gtt(gvt, offset) &&
 			vgpu->gtt.ggtt_mm->virtual_page_table) {
+		gmb();
 		offset -= gvt->device_info.gtt_start_offset;
 		pt = vgpu->gtt.ggtt_mm->virtual_page_table + offset;
 		if (read)
diff -upr linux-3.10.0-693.11.1.el7/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c linux-3.10.0-693.11.6.el7/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
--- linux-3.10.0-693.11.1.el7/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c	2017-12-28 19:59:43.000000000 +0100
@@ -34,6 +34,7 @@ nvbios_addr(struct nvkm_bios *bios, u32
 	u32 p = *addr;

 	if (*addr > bios->image0_size && bios->imaged_addr) {
+		gmb();
 		*addr -= bios->image0_size;
 		*addr += bios->imaged_addr;
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/gpu/drm/radeon/ni_dpm.c linux-3.10.0-693.11.6.el7/drivers/gpu/drm/radeon/ni_dpm.c
--- linux-3.10.0-693.11.1.el7/drivers/gpu/drm/radeon/ni_dpm.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/gpu/drm/radeon/ni_dpm.c	2017-12-28 19:59:43.000000000 +0100
@@ -1344,10 +1344,13 @@ static int ni_get_std_voltage_value(stru
 				    u16 *std_voltage)
 {
 	if (rdev->pm.dpm.dyn_state.cac_leakage_table.entries &&
-	    ((u32)voltage->index < rdev->pm.dpm.dyn_state.cac_leakage_table.count))
+	    ((u32)voltage->index < rdev->pm.dpm.dyn_state.cac_leakage_table.count)) {
+		gmb();
 		*std_voltage = rdev->pm.dpm.dyn_state.cac_leakage_table.entries[voltage->index].vddc;
-	else
+	} else {
+		gmb();
 		*std_voltage = be16_to_cpu(voltage->value);
+	}

 	return 0;
 }
diff -upr linux-3.10.0-693.11.1.el7/drivers/hid/hid-input.c linux-3.10.0-693.11.6.el7/drivers/hid/hid-input.c
--- linux-3.10.0-693.11.1.el7/drivers/hid/hid-input.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/hid/hid-input.c	2017-12-28 19:59:43.000000000 +0100
@@ -952,6 +952,8 @@ mapped:
 	if (usage->type == EV_ABS &&
 	    (usage->hat_min < usage->hat_max || usage->hat_dir)) {
 		int i;
+
+		gmb();
 		for (i = usage->code; i < usage->code + 2 && i <= max; i++) {
 			input_set_abs_params(input, i, -1, 1, 0, 0);
 			set_bit(i, input->absbit);
diff -upr linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/mthca/mthca_cq.c linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/mthca/mthca_cq.c
--- linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/mthca/mthca_cq.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/mthca/mthca_cq.c	2017-12-28 19:59:43.000000000 +0100
@@ -339,6 +339,7 @@ void mthca_cq_resize_copy_cqes(struct mt
 	 */
 	if (!mthca_is_memfree(to_mdev(cq->ibcq.device)) &&
 	    cq->ibcq.cqe < cq->resize_buf->cqe) {
+		gmb();
 		cq->cons_index &= cq->ibcq.cqe;
 		if (cqe_sw(get_cqe(cq, cq->ibcq.cqe)))
 			cq->cons_index -= cq->ibcq.cqe + 1;
diff -upr linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/mthca/mthca_profile.c linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/mthca/mthca_profile.c
--- linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/mthca/mthca_profile.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/mthca/mthca_profile.c	2017-12-28 19:59:43.000000000 +0100
@@ -135,8 +135,10 @@ s64 mthca_make_profile(struct mthca_dev
 	 */
 	for (i = MTHCA_RES_NUM; i > 0; --i)
 		for (j = 1; j < i; ++j) {
-			if (profile[j].size > profile[j - 1].size)
+			if (profile[j].size > profile[j - 1].size) {
+				gmb();
 				swap(profile[j], profile[j - 1]);
+			}
 		}

 	for (i = 0; i < MTHCA_RES_NUM; ++i) {
diff -upr linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/nes/nes_mgt.c linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/nes/nes_mgt.c
--- linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/nes/nes_mgt.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/nes/nes_mgt.c	2017-12-28 19:59:43.000000000 +0100
@@ -796,6 +796,7 @@ static void nes_mgt_ce_handler(struct ne
 			qp_id = le32_to_cpu(cq->cq_vbase[head].cqe_words[NES_NIC_CQE_ACCQP_ID_IDX]);
 			qp_id &= 0x001fffff;
 			if (qp_id < nesadapter->max_qp) {
+				gmb();
 				context = (unsigned long)nesadapter->qp_table[qp_id - NES_FIRST_QPN];
 				nesqp = (struct nes_qp *)context;
 			}
diff -upr linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/qib/qib_user_sdma.c linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/qib/qib_user_sdma.c
--- linux-3.10.0-693.11.1.el7/drivers/infiniband/hw/qib/qib_user_sdma.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/infiniband/hw/qib/qib_user_sdma.c	2017-12-28 19:59:43.000000000 +0100
@@ -1281,6 +1281,7 @@ retry:
 			 * buffer packet.
 			 */
 			if (ofs > dd->piosize2kmax_dwords) {
+				gmb();
 				for (j = pkt->index; j <= i; j++) {
 					ppd->sdma_descq[dtail].qw[0] |=
 						cpu_to_le64(1ULL << 14);
diff -upr linux-3.10.0-693.11.1.el7/drivers/md/dm-cache-target.c linux-3.10.0-693.11.6.el7/drivers/md/dm-cache-target.c
--- linux-3.10.0-693.11.1.el7/drivers/md/dm-cache-target.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/md/dm-cache-target.c	2017-12-28 19:59:43.000000000 +0100
@@ -3522,6 +3522,7 @@ static void cache_io_hints(struct dm_tar
 	 */
 	if (io_opt_sectors < cache->sectors_per_block ||
 	    do_div(io_opt_sectors, cache->sectors_per_block)) {
+		gmb();
 		blk_limits_io_min(limits, cache->sectors_per_block << SECTOR_SHIFT);
 		blk_limits_io_opt(limits, cache->sectors_per_block << SECTOR_SHIFT);
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/md/dm-era-target.c linux-3.10.0-693.11.6.el7/drivers/md/dm-era-target.c
--- linux-3.10.0-693.11.1.el7/drivers/md/dm-era-target.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/md/dm-era-target.c	2017-12-28 19:59:43.000000000 +0100
@@ -1703,6 +1703,7 @@ static void era_io_hints(struct dm_targe
 	 */
 	if (io_opt_sectors < era->sectors_per_block ||
 	    do_div(io_opt_sectors, era->sectors_per_block)) {
+		gmb();
 		blk_limits_io_min(limits, 0);
 		blk_limits_io_opt(limits, era->sectors_per_block << SECTOR_SHIFT);
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/md/raid10.c linux-3.10.0-693.11.6.el7/drivers/md/raid10.c
--- linux-3.10.0-693.11.1.el7/drivers/md/raid10.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/md/raid10.c	2017-12-28 19:59:43.000000000 +0100
@@ -1266,6 +1266,7 @@ static bool raid10_make_request(struct m
 		bio->bi_sector + sectors > conf->reshape_progress)
 	     : (bio->bi_sector + sectors > conf->reshape_safe &&
 		bio->bi_sector < conf->reshape_progress))) {
+		gmb();
 		/* Need to update reshape_position in metadata */
 		mddev->reshape_position = conf->reshape_progress;
 		set_mask_bits(&mddev->sb_flags, 0,
diff -upr linux-3.10.0-693.11.1.el7/drivers/md/raid5.c linux-3.10.0-693.11.6.el7/drivers/md/raid5.c
--- linux-3.10.0-693.11.1.el7/drivers/md/raid5.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/md/raid5.c	2017-12-28 19:59:43.000000000 +0100
@@ -7592,6 +7592,7 @@ static int check_stripe_cache(struct mdd
 	    > conf->min_nr_stripes ||
 	    ((mddev->new_chunk_sectors << 9) / STRIPE_SIZE) * 4
 	    > conf->min_nr_stripes) {
+		gmb();
 		pr_warn("md/raid:%s: reshape: not enough stripes.  Needed %lu\n",
 			mdname(mddev),
 			((max(mddev->chunk_sectors, mddev->new_chunk_sectors) << 9)
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/common/btcx-risc.c linux-3.10.0-693.11.6.el7/drivers/media/common/btcx-risc.c
--- linux-3.10.0-693.11.1.el7/drivers/media/common/btcx-risc.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/common/btcx-risc.c	2017-12-28 19:59:43.000000000 +0100
@@ -172,6 +172,7 @@ btcx_sort_clips(struct v4l2_clip *clips,
 	for (i = nclips-2; i >= 0; i--) {
 		for (n = 0, j = 0; j <= i; j++) {
 			if (clips[j].c.left > clips[j+1].c.left) {
+				gmb();
 				swap = clips[j];
 				clips[j] = clips[j+1];
 				clips[j+1] = swap;
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/au8522_common.c linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/au8522_common.c
--- linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/au8522_common.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/au8522_common.c	2017-12-28 19:59:43.000000000 +0100
@@ -202,11 +202,13 @@ int au8522_led_ctrl(struct au8522_state
 			val &= ~led_config->led_states[i];

 		/* set selected LED state */
-		if (led < led_config->num_led_states)
+		if (led < led_config->num_led_states) {
+			gmb();
 			val |= led_config->led_states[led];
-		else if (led_config->num_led_states)
+		} else if (led_config->num_led_states) {
 			val |=
 			led_config->led_states[led_config->num_led_states - 1];
+		}

 		ret = au8522_writereg(state, 0x8000 |
 				      (led_config->gpio_leds & ~0xc000), val);
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/dib7000m.c linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/dib7000m.c
--- linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/dib7000m.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/dib7000m.c	2017-12-28 19:59:43.000000000 +0100
@@ -641,14 +641,18 @@ static int dib7000m_agc_soft_split(struc
 	// n_agc_global
 	agc = dib7000m_read_word(state, 390);

-	if (agc > state->current_agc->split.min_thres)
+	if (agc > state->current_agc->split.min_thres) {
+		gmb();
 		split_offset = state->current_agc->split.min;
-	else if (agc < state->current_agc->split.max_thres)
+	} else if (agc < state->current_agc->split.max_thres) {
+		gmb();
 		split_offset = state->current_agc->split.max;
-	else
+	} else {
+		gmb();
 		split_offset = state->current_agc->split.max *
 			(agc - state->current_agc->split.min_thres) /
 			(state->current_agc->split.max_thres - state->current_agc->split.min_thres);
+	}

 	dprintk( "AGC split_offset: %d",split_offset);

diff -upr linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/dib8000.c linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/dib8000.c
--- linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/dib8000.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/dib8000.c	2017-12-28 19:59:43.000000000 +0100
@@ -1181,14 +1181,18 @@ static int dib8000_agc_soft_split(struct
 	// n_agc_global
 	agc = dib8000_read_word(state, 390);

-	if (agc > state->current_agc->split.min_thres)
+	if (agc > state->current_agc->split.min_thres) {
+		gmb();
 		split_offset = state->current_agc->split.min;
-	else if (agc < state->current_agc->split.max_thres)
+	} else if (agc < state->current_agc->split.max_thres) {
+		gmb();
 		split_offset = state->current_agc->split.max;
-	else
+	} else {
+		gmb();
 		split_offset = state->current_agc->split.max *
 			(agc - state->current_agc->split.min_thres) /
 			(state->current_agc->split.max_thres - state->current_agc->split.min_thres);
+	}

 	dprintk("AGC split_offset: %d", split_offset);

diff -upr linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/stb0899_drv.c linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/stb0899_drv.c
--- linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/stb0899_drv.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/stb0899_drv.c	2017-12-28 19:59:43.000000000 +0100
@@ -940,11 +940,14 @@ static int stb0899_table_lookup(const st
 	int res = 0;
 	int min = 0, med;

-	if (val < tab[min].read)
+	if (val < tab[min].read) {
+		gmb();
 		res = tab[min].real;
-	else if (val >= tab[max].read)
+	} else if (val >= tab[max].read) {
+		gmb();
 		res = tab[max].real;
-	else {
+	} else {
+		gmb();
 		while ((max - min) > 1) {
 			med = (max + min) / 2;
 			if (val >= tab[min].read && val < tab[med].read)
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/stv090x.c linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/stv090x.c
--- linux-3.10.0-693.11.1.el7/drivers/media/dvb-frontends/stv090x.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/dvb-frontends/stv090x.c	2017-12-28 19:59:43.000000000 +0100
@@ -3621,11 +3621,16 @@ static int stv090x_table_lookup(const st
 			tab[min].real;
 	} else {
 		if (tab[min].read < tab[max].read) {
-			if (val < tab[min].read)
+			gmb();
+			if (val < tab[min].read) {
+				gmb();
 				res = tab[min].real;
-			else if (val >= tab[max].read)
+			} else if (val >= tab[max].read) {
+				gmb();
 				res = tab[max].real;
+			}
 		} else {
+			gmb();
 			if (val >= tab[min].read)
 				res = tab[min].real;
 			else if (val < tab[max].read)
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/mmc/siano/smssdio.c linux-3.10.0-693.11.6.el7/drivers/media/mmc/siano/smssdio.c
--- linux-3.10.0-693.11.1.el7/drivers/media/mmc/siano/smssdio.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/mmc/siano/smssdio.c	2017-12-28 19:59:43.000000000 +0100
@@ -222,10 +222,12 @@ static void smssdio_interrupt(struct sdi
 				}

 				buffer += smsdev->func->cur_blksize;
-				if (size > smsdev->func->cur_blksize)
+				if (size > smsdev->func->cur_blksize) {
+					gmb();
 					size -= smsdev->func->cur_blksize;
-				else
+				} else {
 					size = 0;
+				}
 			}
 		}
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/tuners/r820t.c linux-3.10.0-693.11.6.el7/drivers/media/tuners/r820t.c
--- linux-3.10.0-693.11.1.el7/drivers/media/tuners/r820t.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/tuners/r820t.c	2017-12-28 19:59:43.000000000 +0100
@@ -1564,8 +1564,10 @@ static void r820t_compre_cor(struct r820
 	int i;

 	for (i = 3; i > 0; i--) {
-		if (iq[0].value > iq[i - 1].value)
+		if (iq[0].value > iq[i - 1].value) {
+			gmb();
 			swap(iq[0], iq[i - 1]);
+		}
 	}
 }

diff -upr linux-3.10.0-693.11.1.el7/drivers/media/usb/gspca/autogain_functions.c linux-3.10.0-693.11.6.el7/drivers/media/usb/gspca/autogain_functions.c
--- linux-3.10.0-693.11.1.el7/drivers/media/usb/gspca/autogain_functions.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/usb/gspca/autogain_functions.c	2017-12-28 19:59:43.000000000 +0100
@@ -145,10 +145,13 @@ int gspca_coarse_grained_expo_autogain(
 		gspca_dev->exp_too_low_cnt = 0;
 	} else {
 		gain += steps;
-		if (gain > gspca_dev->gain->maximum)
+		if (gain > gspca_dev->gain->maximum) {
+			gmb();
 			gain = gspca_dev->gain->maximum;
-		else if (gain < gspca_dev->gain->minimum)
+		} else if (gain < gspca_dev->gain->minimum) {
+			gmb();
 			gain = gspca_dev->gain->minimum;
+		}
 		gspca_dev->exp_too_high_cnt = 0;
 		gspca_dev->exp_too_low_cnt = 0;
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/usb/gspca/xirlink_cit.c linux-3.10.0-693.11.6.el7/drivers/media/usb/gspca/xirlink_cit.c
--- linux-3.10.0-693.11.1.el7/drivers/media/usb/gspca/xirlink_cit.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/usb/gspca/xirlink_cit.c	2017-12-28 19:59:43.000000000 +0100
@@ -2900,10 +2900,12 @@ static void sd_pkt_scan(struct gspca_dev

 		/* finish decoding current frame */
 		n = sof - data;
-		if (n > sd->sof_len)
+		if (n > sd->sof_len) {
+			gmb();
 			n -= sd->sof_len;
-		else
+		} else {
 			n = 0;
+		}
 		gspca_frame_add(gspca_dev, LAST_PACKET,
 				data, n);
 		gspca_frame_add(gspca_dev, FIRST_PACKET, NULL, 0);
diff -upr linux-3.10.0-693.11.1.el7/drivers/media/usb/uvc/uvc_v4l2.c linux-3.10.0-693.11.6.el7/drivers/media/usb/uvc/uvc_v4l2.c
--- linux-3.10.0-693.11.1.el7/drivers/media/usb/uvc/uvc_v4l2.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/media/usb/uvc/uvc_v4l2.c	2017-12-28 19:59:43.000000000 +0100
@@ -720,6 +720,7 @@ static long uvc_v4l2_do_ioctl(struct fil
 			}
 			pin = iterm->id;
 		} else if (index < selector->bNrInPins) {
+			gmb();
 			pin = selector->baSourceID[index];
 			list_for_each_entry(iterm, &chain->entities, chain) {
 				if (!UVC_ENTITY_IS_ITERM(iterm))
diff -upr linux-3.10.0-693.11.1.el7/drivers/memstick/host/r592.c linux-3.10.0-693.11.6.el7/drivers/memstick/host/r592.c
--- linux-3.10.0-693.11.1.el7/drivers/memstick/host/r592.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/memstick/host/r592.c	2017-12-28 19:59:43.000000000 +0100
@@ -336,6 +336,7 @@ static void r592_write_fifo_pio(struct r

 		if (!kfifo_is_full(&dev->pio_fifo))
 			return;
+		gmb();
 		len -= copy_len;
 		buffer += copy_len;

diff -upr linux-3.10.0-693.11.1.el7/drivers/mmc/core/core.c linux-3.10.0-693.11.6.el7/drivers/mmc/core/core.c
--- linux-3.10.0-693.11.1.el7/drivers/mmc/core/core.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/mmc/core/core.c	2017-12-28 19:59:43.000000000 +0100
@@ -2009,9 +2009,11 @@ void mmc_init_erase(struct mmc_card *car
 			card->pref_erase = 2 * 1024 * 1024 / 512;
 		else
 			card->pref_erase = 4 * 1024 * 1024 / 512;
-		if (card->pref_erase < card->erase_size)
+		if (card->pref_erase < card->erase_size) {
+			gmb();
 			card->pref_erase = card->erase_size;
-		else {
+		} else {
+			gmb();
 			sz = card->pref_erase % card->erase_size;
 			if (sz)
 				card->pref_erase += card->erase_size - sz;
diff -upr linux-3.10.0-693.11.1.el7/drivers/mmc/core/mmc.c linux-3.10.0-693.11.6.el7/drivers/mmc/core/mmc.c
--- linux-3.10.0-693.11.1.el7/drivers/mmc/core/mmc.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/mmc/core/mmc.c	2017-12-28 19:59:43.000000000 +0100
@@ -940,12 +940,16 @@ static void mmc_set_bus_speed(struct mmc
 	unsigned int max_dtr = (unsigned int)-1;

 	if ((mmc_card_hs200(card) || mmc_card_hs400(card)) &&
-	     max_dtr > card->ext_csd.hs200_max_dtr)
+	     max_dtr > card->ext_csd.hs200_max_dtr) {
+		gmb();
 		max_dtr = card->ext_csd.hs200_max_dtr;
-	else if (mmc_card_hs(card) && max_dtr > card->ext_csd.hs_max_dtr)
+	} else if (mmc_card_hs(card) && max_dtr > card->ext_csd.hs_max_dtr) {
+		gmb();
 		max_dtr = card->ext_csd.hs_max_dtr;
-	else if (max_dtr > card->csd.max_dtr)
+	} else if (max_dtr > card->csd.max_dtr) {
+		gmb();
 		max_dtr = card->csd.max_dtr;
+	}

 	mmc_set_clock(card->host, max_dtr);
 }
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/can/dev.c linux-3.10.0-693.11.6.el7/drivers/net/can/dev.c
--- linux-3.10.0-693.11.1.el7/drivers/net/can/dev.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/can/dev.c	2017-12-28 19:59:43.000000000 +0100
@@ -94,6 +94,7 @@ static int can_update_spt(const struct c
 		*tseg2 = btc->tseg2_max;
 	*tseg1 = tseg - *tseg2;
 	if (*tseg1 > btc->tseg1_max) {
+		gmb();
 		*tseg1 = btc->tseg1_max;
 		*tseg2 = tseg - *tseg1;
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/ethernet/amazon/ena/ena_netdev.c linux-3.10.0-693.11.6.el7/drivers/net/ethernet/amazon/ena/ena_netdev.c
--- linux-3.10.0-693.11.1.el7/drivers/net/ethernet/amazon/ena/ena_netdev.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/ethernet/amazon/ena/ena_netdev.c	2017-12-28 19:59:43.000000000 +0100
@@ -647,6 +647,7 @@ static int validate_tx_req_id(struct ena
 	struct ena_tx_buffer *tx_info = NULL;

 	if (likely(req_id < tx_ring->ring_size)) {
+		gmb();
 		tx_info = &tx_ring->tx_buffer_info[req_id];
 		if (likely(tx_info->skb))
 			return 0;
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c linux-3.10.0-693.11.6.el7/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
--- linux-3.10.0-693.11.1.el7/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c	2017-12-28 19:59:43.000000000 +0100
@@ -274,9 +274,11 @@ static int cfg_queues_uld(struct adapter
 		return -ENOMEM;

 	if (adap->flags & USING_MSIX && uld_info->nrxq > s->nqs_per_uld) {
+		gmb();
 		i = s->nqs_per_uld;
 		rxq_info->nrxq = roundup(i, adap->params.nports);
 	} else {
+		gmb();
 		i = min_t(int, uld_info->nrxq,
 			  num_online_cpus());
 		rxq_info->nrxq = roundup(i, adap->params.nports);
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/ethernet/mellanox/mlx4/en_rx.c linux-3.10.0-693.11.6.el7/drivers/net/ethernet/mellanox/mlx4/en_rx.c
--- linux-3.10.0-693.11.1.el7/drivers/net/ethernet/mellanox/mlx4/en_rx.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/ethernet/mellanox/mlx4/en_rx.c	2017-12-28 19:59:43.000000000 +0100
@@ -1295,10 +1295,13 @@ int mlx4_en_config_rss_steer(struct mlx4
 	mlx4_en_fill_qp_context(priv, 0, 0, 0, 1, priv->base_qpn,
 				priv->rx_ring[0]->cqn, -1, &context);

-	if (!priv->prof->rss_rings || priv->prof->rss_rings > priv->rx_ring_num)
+	if (!priv->prof->rss_rings || priv->prof->rss_rings > priv->rx_ring_num) {
+		gmb();
 		rss_rings = priv->rx_ring_num;
-	else
+	} else {
+		gmb();
 		rss_rings = priv->prof->rss_rings;
+	}

 	ptr = ((void *) &context) + offsetof(struct mlx4_qp_context, pri_path)
 					+ MLX4_RSS_OFFSET_IN_QPC_PRI_PATH;
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/ethernet/mellanox/mlx4/profile.c linux-3.10.0-693.11.6.el7/drivers/net/ethernet/mellanox/mlx4/profile.c
--- linux-3.10.0-693.11.1.el7/drivers/net/ethernet/mellanox/mlx4/profile.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/ethernet/mellanox/mlx4/profile.c	2017-12-28 19:59:43.000000000 +0100
@@ -148,8 +148,10 @@ u64 mlx4_make_profile(struct mlx4_dev *d
 	 */
 	for (i = MLX4_RES_NUM; i > 0; --i)
 		for (j = 1; j < i; ++j) {
-			if (profile[j].size > profile[j - 1].size)
+			if (profile[j].size > profile[j - 1].size) {
+				gmb();
 				swap(profile[j], profile[j - 1]);
+			}
 		}

 	for (i = 0; i < MLX4_RES_NUM; ++i) {
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/ethernet/qlogic/qlge/qlge_main.c linux-3.10.0-693.11.6.el7/drivers/net/ethernet/qlogic/qlge/qlge_main.c
--- linux-3.10.0-693.11.1.el7/drivers/net/ethernet/qlogic/qlge/qlge_main.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/ethernet/qlogic/qlge/qlge_main.c	2017-12-28 19:59:43.000000000 +0100
@@ -4149,6 +4149,7 @@ static int ql_configure_rings(struct ql_
 		rx_ring->cq_id = i;
 		rx_ring->cpu = i % cpu_cnt;	/* CPU to run handler on. */
 		if (i < qdev->rss_ring_count) {
+			gmb();
 			/*
 			 * Inbound (RSS) queues.
 			 */
@@ -4165,6 +4166,7 @@ static int ql_configure_rings(struct ql_
 			rx_ring->sbq_buf_size = SMALL_BUF_MAP_SIZE;
 			rx_ring->type = RX_Q;
 		} else {
+			gmb();
 			/*
 			 * Outbound queue handles outbound completions only.
 			 */
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/ethernet/sfc/falcon/tx.c linux-3.10.0-693.11.6.el7/drivers/net/ethernet/sfc/falcon/tx.c
--- linux-3.10.0-693.11.1.el7/drivers/net/ethernet/sfc/falcon/tx.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/ethernet/sfc/falcon/tx.c	2017-12-28 19:59:43.000000000 +0100
@@ -451,6 +451,7 @@ int ef4_setup_tc(struct net_device *net_
 	}

 	if (num_tc > net_dev->num_tc) {
+		gmb();
 		/* Initialise high-priority queues as necessary */
 		ef4_for_each_channel(channel, efx) {
 			ef4_for_each_possible_channel_tx_queue(tx_queue,
@@ -468,6 +469,7 @@ int ef4_setup_tc(struct net_device *net_
 			}
 		}
 	} else {
+		gmb();
 		/* Reduce number of classes before number of queues */
 		net_dev->num_tc = num_tc;
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/ethernet/sfc/tx.c linux-3.10.0-693.11.6.el7/drivers/net/ethernet/sfc/tx.c
--- linux-3.10.0-693.11.1.el7/drivers/net/ethernet/sfc/tx.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/ethernet/sfc/tx.c	2017-12-28 19:59:43.000000000 +0100
@@ -679,6 +679,7 @@ int efx_setup_tc(struct net_device *net_
 	}

 	if (num_tc > net_dev->num_tc) {
+		gmb();
 		/* Initialise high-priority queues as necessary */
 		efx_for_each_channel(channel, efx) {
 			efx_for_each_possible_channel_tx_queue(tx_queue,
@@ -696,6 +697,7 @@ int efx_setup_tc(struct net_device *net_
 			}
 		}
 	} else {
+		gmb();
 		/* Reduce number of classes before number of queues */
 		net_dev->num_tc = num_tc;
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/hyperv/rndis_filter.c linux-3.10.0-693.11.6.el7/drivers/net/hyperv/rndis_filter.c
--- linux-3.10.0-693.11.1.el7/drivers/net/hyperv/rndis_filter.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/hyperv/rndis_filter.c	2017-12-28 19:59:43.000000000 +0100
@@ -1088,10 +1088,13 @@ int rndis_filter_device_add(struct hv_de
 	num_possible_rss_qs = cpumask_weight(node_cpu_mask);

 	/* We will use the given number of channels if available. */
-	if (device_info->num_chn && device_info->num_chn < net_device->max_chn)
+	if (device_info->num_chn && device_info->num_chn < net_device->max_chn) {
+		gmb();
 		net_device->num_chn = device_info->num_chn;
-	else
+	} else {
+		gmb();
 		net_device->num_chn = min(num_possible_rss_qs, num_rss_qs);
+	}

 	num_rss_qs = net_device->num_chn - 1;
 	net_device->num_sc_offered = num_rss_qs;
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/ath/ath10k/htt_rx.c linux-3.10.0-693.11.6.el7/drivers/net/wireless/ath/ath10k/htt_rx.c
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/ath/ath10k/htt_rx.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/ath/ath10k/htt_rx.c	2017-12-28 19:59:43.000000000 +0100
@@ -1635,6 +1635,7 @@ static void ath10k_htt_rx_tx_compl_ind(s
 		 *  writer, you don't need extra locking to use these macro.
 		 */
 		if (!kfifo_put(&htt->txdone_fifo, &tx_done)) {
+			gmb();
 			ath10k_warn(ar, "txdone fifo overrun, msdu_id %d status %d\n",
 				    tx_done.msdu_id, tx_done.status);
 			ath10k_txrx_tx_unref(htt, &tx_done);
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/ath/ath9k/calib.c linux-3.10.0-693.11.6.el7/drivers/net/wireless/ath/ath9k/calib.c
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/ath/ath9k/calib.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/ath/ath9k/calib.c	2017-12-28 19:59:43.000000000 +0100
@@ -370,11 +370,13 @@ static void ath9k_hw_nf_sanitize(struct
 			(i >= 3 ? "ext" : "ctl"), i % 3, nf[i]);

 		if (nf[i] > limit->max) {
+			gmb();
 			ath_dbg(common, CALIBRATE,
 				"NF[%d] (%d) > MAX (%d), correcting to MAX\n",
 				i, nf[i], limit->max);
 			nf[i] = limit->max;
 		} else if (nf[i] < limit->min) {
+			gmb();
 			ath_dbg(common, CALIBRATE,
 				"NF[%d] (%d) < MIN (%d), correcting to NOM\n",
 				i, nf[i], limit->min);
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/ath/carl9170/main.c linux-3.10.0-693.11.6.el7/drivers/net/wireless/ath/carl9170/main.c
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/ath/carl9170/main.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/ath/carl9170/main.c	2017-12-28 19:59:43.000000000 +0100
@@ -1388,6 +1388,7 @@ static int carl9170_op_conf_tx(struct ie

 	mutex_lock(&ar->mutex);
 	if (queue < ar->hw->queues) {
+		gmb();
 		memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));
 		ret = carl9170_set_qos(ar);
 	} else {
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/marvell/mwifiex/11n.h linux-3.10.0-693.11.6.el7/drivers/net/wireless/marvell/mwifiex/11n.h
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/marvell/mwifiex/11n.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/marvell/mwifiex/11n.h	2017-12-28 19:59:43.000000000 +0100
@@ -154,6 +154,7 @@ mwifiex_find_stream_to_delete(struct mwi
 	spin_lock_irqsave(&priv->tx_ba_stream_tbl_lock, flags);
 	list_for_each_entry(tx_tbl, &priv->tx_ba_stream_tbl_ptr, list) {
 		if (tid > priv->aggr_prio_tbl[tx_tbl->tid].ampdu_user) {
+			gmb();
 			tid = priv->aggr_prio_tbl[tx_tbl->tid].ampdu_user;
 			*ptid = tx_tbl->tid;
 			memcpy(ra, tx_tbl->ra, ETH_ALEN);
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/marvell/mwifiex/wmm.c linux-3.10.0-693.11.6.el7/drivers/net/wireless/marvell/mwifiex/wmm.c
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/marvell/mwifiex/wmm.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/marvell/mwifiex/wmm.c	2017-12-28 19:59:43.000000000 +0100
@@ -265,14 +265,18 @@ mwifiex_wmm_setup_queue_priorities(struc
 	for (i = 0; i < num_ac; i++) {
 		for (j = 1; j < num_ac - i; j++) {
 			if (tmp[j - 1] > tmp[j]) {
+				gmb();
 				swap(tmp[j - 1], tmp[j]);
 				swap(priv->wmm.queue_priority[j - 1],
 				     priv->wmm.queue_priority[j]);
 			} else if (tmp[j - 1] == tmp[j]) {
+				gmb();
 				if (priv->wmm.queue_priority[j - 1]
-				    < priv->wmm.queue_priority[j])
+				    < priv->wmm.queue_priority[j]) {
+					gmb();
 					swap(priv->wmm.queue_priority[j - 1],
 					     priv->wmm.queue_priority[j]);
+				}
 			}
 		}
 	}
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/p54/main.c linux-3.10.0-693.11.6.el7/drivers/net/wireless/p54/main.c
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/p54/main.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/p54/main.c	2017-12-28 19:59:43.000000000 +0100
@@ -418,6 +418,7 @@ static int p54_conf_tx(struct ieee80211_

 	mutex_lock(&priv->conf_mutex);
 	if (queue < dev->queues) {
+		gmb();
 		P54_SET_QUEUE(priv->qos_params[queue], params->aifs,
 			params->cw_min, params->cw_max, params->txop);
 		ret = p54_set_edcf(priv);
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/ralink/rt2x00/rt2800mmio.c linux-3.10.0-693.11.6.el7/drivers/net/wireless/ralink/rt2x00/rt2800mmio.c
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/ralink/rt2x00/rt2800mmio.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/ralink/rt2x00/rt2800mmio.c	2017-12-28 19:59:43.000000000 +0100
@@ -445,6 +445,7 @@ static void rt2800mmio_txstatus_interrup
 			break;

 		if (!kfifo_put(&rt2x00dev->txstatus_fifo, &status)) {
+			gmb();
 			rt2x00_warn(rt2x00dev, "TX status FIFO overrun, drop tx status report\n");
 			break;
 		}
diff -upr linux-3.10.0-693.11.1.el7/drivers/net/wireless/ralink/rt2x00/rt2800usb.c linux-3.10.0-693.11.6.el7/drivers/net/wireless/ralink/rt2x00/rt2800usb.c
--- linux-3.10.0-693.11.1.el7/drivers/net/wireless/ralink/rt2x00/rt2800usb.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/net/wireless/ralink/rt2x00/rt2800usb.c	2017-12-28 19:59:43.000000000 +0100
@@ -161,8 +161,10 @@ static bool rt2800usb_tx_sta_fifo_read_c

 	valid = rt2x00_get_field32(tx_status, TX_STA_FIFO_VALID);
 	if (valid) {
-		if (!kfifo_put(&rt2x00dev->txstatus_fifo, &tx_status))
+		if (!kfifo_put(&rt2x00dev->txstatus_fifo, &tx_status)) {
+			gmb();
 			rt2x00_warn(rt2x00dev, "TX status FIFO overrun\n");
+		}

 		queue_work(rt2x00dev->workqueue, &rt2x00dev->txdone_work);

diff -upr linux-3.10.0-693.11.1.el7/drivers/pnp/quirks.c linux-3.10.0-693.11.6.el7/drivers/pnp/quirks.c
--- linux-3.10.0-693.11.1.el7/drivers/pnp/quirks.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/pnp/quirks.c	2017-12-28 19:59:43.000000000 +0100
@@ -323,6 +323,7 @@ static void quirk_amd_mmconfig_area(stru
 			 "%pR covers only part of AMD MMCONFIG area %pR; adding more reservations\n",
 			 res, mmconfig);
 		if (mmconfig->start < res->start) {
+			gmb();
 			start = mmconfig->start;
 			end = res->start - 1;
 			pnp_add_mem_resource(dev, start, end, 0);
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/be2iscsi/be_iscsi.c linux-3.10.0-693.11.6.el7/drivers/scsi/be2iscsi/be_iscsi.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/be2iscsi/be_iscsi.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/be2iscsi/be_iscsi.c	2017-12-28 19:59:43.000000000 +0100
@@ -67,6 +67,7 @@ struct iscsi_cls_session *beiscsi_sessio
 	beiscsi_log(phba, KERN_INFO, BEISCSI_LOG_CONFIG,
 		    "BS_%d : In beiscsi_session_create\n");
 	if (cmds_max > beiscsi_ep->phba->params.wrbs_per_cxn) {
+		gmb();
 		beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_CONFIG,
 			    "BS_%d : Cannot handle %d cmds."
 			    "Max cmds per session supported is %d. Using %d."
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/bnx2i/bnx2i_hwi.c linux-3.10.0-693.11.6.el7/drivers/scsi/bnx2i/bnx2i_hwi.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/bnx2i/bnx2i_hwi.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/bnx2i/bnx2i_hwi.c	2017-12-28 19:59:43.000000000 +0100
@@ -239,11 +239,14 @@ void bnx2i_put_rq_buf(struct bnx2i_conn
 	ep->qp.rq_prod_idx += count;

 	if (ep->qp.rq_prod_idx > bnx2i_conn->hba->max_rqes) {
+		gmb();
 		ep->qp.rq_prod_idx %= bnx2i_conn->hba->max_rqes;
 		if (!hi_bit)
 			ep->qp.rq_prod_idx |= 0x8000;
-	} else
+	} else {
+		gmb();
 		ep->qp.rq_prod_idx |= hi_bit;
+	}

 	if (test_bit(BNX2I_NX2_DEV_57710, &ep->hba->cnic_dev_type)) {
 		rq_db = (struct bnx2i_5771x_sq_rq_db *) ep->qp.rq_pgtbl_virt;
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/hpsa.c linux-3.10.0-693.11.6.el7/drivers/scsi/hpsa.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/hpsa.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/hpsa.c	2017-12-28 19:59:43.000000000 +0100
@@ -4839,6 +4839,7 @@ static int hpsa_scsi_ioaccel2_queue_comm
 	if (use_sg) {
 		curr_sg = cp->sg;
 		if (use_sg > h->ioaccel_maxsg) {
+			gmb();
 			addr64 = le64_to_cpu(
 				h->ioaccel2_cmd_sg_list[c->cmdindex]->address);
 			curr_sg->address = cpu_to_le64(addr64);
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/isci/host.c linux-3.10.0-693.11.6.el7/drivers/scsi/isci/host.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/isci/host.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/isci/host.c	2017-12-28 19:59:43.000000000 +0100
@@ -2465,8 +2465,10 @@ struct isci_request *sci_request_by_tag(
 	task_index = ISCI_TAG_TCI(io_tag);

 	if (task_index < ihost->task_context_entries) {
-		struct isci_request *ireq = ihost->reqs[task_index];
+		struct isci_request *ireq;

+		gmb();
+		ireq = ihost->reqs[task_index];
 		if (test_bit(IREQ_ACTIVE, &ireq->flags)) {
 			task_sequence = ISCI_TAG_SEQ(io_tag);

diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/lpfc/lpfc_bsg.c linux-3.10.0-693.11.6.el7/drivers/scsi/lpfc/lpfc_bsg.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/lpfc/lpfc_bsg.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/lpfc/lpfc_bsg.c	2017-12-28 19:59:43.000000000 +0100
@@ -1321,6 +1321,7 @@ lpfc_bsg_hba_get_event(struct fc_bsg_job
 	}

 	if (evt_dat->len > job->request_payload.payload_len) {
+		gmb();
 		evt_dat->len = job->request_payload.payload_len;
 		lpfc_printf_log(phba, KERN_WARNING, LOG_LIBDFC,
 				"2618 Truncated event data at %d "
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/mpt3sas/mpt3sas_base.c linux-3.10.0-693.11.6.el7/drivers/scsi/mpt3sas/mpt3sas_base.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/mpt3sas/mpt3sas_base.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/mpt3sas/mpt3sas_base.c	2017-12-28 19:59:43.000000000 +0100
@@ -3407,6 +3407,7 @@ _base_allocate_memory_pools(struct MPT3S
 	   ioc->max_sges_in_main_message)/ioc->max_sges_in_chain_message)
 	    + 1;
 	if (chains_needed_per_io > facts->MaxChainDepth) {
+		gmb();
 		chains_needed_per_io = facts->MaxChainDepth;
 		ioc->shost->sg_tablesize = min_t(u16,
 		ioc->max_sges_in_main_message + (ioc->max_sges_in_chain_message
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/osst.c linux-3.10.0-693.11.6.el7/drivers/scsi/osst.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/osst.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/osst.c	2017-12-28 19:59:43.000000000 +0100
@@ -3493,6 +3493,7 @@ static ssize_t osst_write(struct file *
 				}
       			}
 			if ((STps->drv_file + STps->drv_block) > 0 && STps->drv_file < STp->filemark_cnt) {
+				gmb();
 				STp->filemark_cnt = STps->drv_file;
 				STp->last_mark_ppos =
 				       	ntohl(STp->header_cache->dat_fm_tab.fm_tab_ent[STp->filemark_cnt-1]);
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/qla2xxx/qla_isr.c linux-3.10.0-693.11.6.el7/drivers/scsi/qla2xxx/qla_isr.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/qla2xxx/qla_isr.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/qla2xxx/qla_isr.c	2017-12-28 19:59:43.000000000 +0100
@@ -2093,6 +2093,7 @@ qla2x00_status_entry(scsi_qla_host_t *vh

 	/* Validate handle. */
 	if (handle < req->num_outstanding_cmds) {
+		gmb();
 		sp = req->outstanding_cmds[handle];
 		if (!sp) {
 			ql_dbg(ql_dbg_io, vha, 0x3075,
@@ -2101,6 +2102,7 @@ qla2x00_status_entry(scsi_qla_host_t *vh
 			return;
 		}
 	} else {
+		gmb();
 		ql_dbg(ql_dbg_io, vha, 0x3017,
 		    "Invalid status handle, out of range (0x%x).\n",
 		    sts->handle);
diff -upr linux-3.10.0-693.11.1.el7/drivers/scsi/qla2xxx/qla_mr.c linux-3.10.0-693.11.6.el7/drivers/scsi/qla2xxx/qla_mr.c
--- linux-3.10.0-693.11.1.el7/drivers/scsi/qla2xxx/qla_mr.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/scsi/qla2xxx/qla_mr.c	2017-12-28 19:59:43.000000000 +0100
@@ -2303,10 +2303,12 @@ qlafx00_status_entry(scsi_qla_host_t *vh
 	req = ha->req_q_map[que];

 	/* Validate handle. */
-	if (handle < req->num_outstanding_cmds)
+	if (handle < req->num_outstanding_cmds) {
+		gmb();
 		sp = req->outstanding_cmds[handle];
-	else
+	} else {
 		sp = NULL;
+	}

 	if (sp == NULL) {
 		ql_dbg(ql_dbg_io, vha, 0x3034,
@@ -2654,10 +2656,12 @@ qlafx00_multistatus_entry(struct scsi_ql
 		req = ha->req_q_map[que];

 		/* Validate handle. */
-		if (handle < req->num_outstanding_cmds)
+		if (handle < req->num_outstanding_cmds) {
+			gmb();
 			sp = req->outstanding_cmds[handle];
-		else
+		} else {
 			sp = NULL;
+		}

 		if (sp == NULL) {
 			ql_dbg(ql_dbg_io, vha, 0x3044,
diff -upr linux-3.10.0-693.11.1.el7/drivers/target/iscsi/iscsi_target_datain_values.c linux-3.10.0-693.11.6.el7/drivers/target/iscsi/iscsi_target_datain_values.c
--- linux-3.10.0-693.11.1.el7/drivers/target/iscsi/iscsi_target_datain_values.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/target/iscsi/iscsi_target_datain_values.c	2017-12-28 19:59:43.000000000 +0100
@@ -127,10 +127,12 @@ static struct iscsi_datain_req *iscsit_s
 		if ((next_burst_len +
 		     conn->conn_ops->MaxRecvDataSegmentLength) <
 		     conn->sess->sess_ops->MaxBurstLength) {
+			gmb();
 			datain->length =
 				conn->conn_ops->MaxRecvDataSegmentLength;
 			next_burst_len += datain->length;
 		} else {
+			gmb();
 			datain->length = (conn->sess->sess_ops->MaxBurstLength -
 					  next_burst_len);
 			next_burst_len = 0;
diff -upr linux-3.10.0-693.11.1.el7/drivers/target/iscsi/iscsi_target_erl1.c linux-3.10.0-693.11.6.el7/drivers/target/iscsi/iscsi_target_erl1.c
--- linux-3.10.0-693.11.1.el7/drivers/target/iscsi/iscsi_target_erl1.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/target/iscsi/iscsi_target_erl1.c	2017-12-28 19:59:43.000000000 +0100
@@ -212,11 +212,13 @@ int iscsit_create_recovery_datain_values
 		if ((dr->next_burst_len +
 		     conn->conn_ops->MaxRecvDataSegmentLength) <
 		     conn->sess->sess_ops->MaxBurstLength) {
+			gmb();
 			dr->read_data_done +=
 				conn->conn_ops->MaxRecvDataSegmentLength;
 			dr->next_burst_len +=
 				conn->conn_ops->MaxRecvDataSegmentLength;
 		} else {
+			gmb();
 			dr->read_data_done +=
 				(conn->sess->sess_ops->MaxBurstLength -
 				 dr->next_burst_len);
diff -upr linux-3.10.0-693.11.1.el7/drivers/target/iscsi/iscsi_target_erl2.c linux-3.10.0-693.11.6.el7/drivers/target/iscsi/iscsi_target_erl2.c
--- linux-3.10.0-693.11.1.el7/drivers/target/iscsi/iscsi_target_erl2.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/target/iscsi/iscsi_target_erl2.c	2017-12-28 19:59:43.000000000 +0100
@@ -46,11 +46,13 @@ void iscsit_create_conn_recovery_datain_
 		if ((cmd->next_burst_len +
 		     conn->conn_ops->MaxRecvDataSegmentLength) <
 		     conn->sess->sess_ops->MaxBurstLength) {
+			gmb();
 			cmd->read_data_done +=
 			       conn->conn_ops->MaxRecvDataSegmentLength;
 			cmd->next_burst_len +=
 			       conn->conn_ops->MaxRecvDataSegmentLength;
 		} else {
+			gmb();
 			cmd->read_data_done +=
 				(conn->sess->sess_ops->MaxBurstLength -
 				cmd->next_burst_len);
diff -upr linux-3.10.0-693.11.1.el7/drivers/target/target_core_rd.c linux-3.10.0-693.11.6.el7/drivers/target/target_core_rd.c
--- linux-3.10.0-693.11.1.el7/drivers/target/target_core_rd.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/drivers/target/target_core_rd.c	2017-12-28 19:59:43.000000000 +0100
@@ -350,6 +350,7 @@ static struct rd_dev_sg_table *rd_get_sg

 	i = page / sg_per_table;
 	if (i < rd_dev->sg_table_count) {
+		gmb();
 		sg_table = &rd_dev->sg_table_array[i];
 		if ((sg_table->page_start_offset <= page) &&
 		    (sg_table->page_end_offset >= page))
@@ -370,6 +371,7 @@ static struct rd_dev_sg_table *rd_get_pr

 	i = page / sg_per_table;
 	if (i < rd_dev->sg_prot_count) {
+		gmb();
 		sg_table = &rd_dev->sg_prot_array[i];
 		if ((sg_table->page_start_offset <= page) &&
 		     (sg_table->page_end_offset >= page))
diff -upr linux-3.10.0-693.11.1.el7/fs/btrfs/free-space-cache.c linux-3.10.0-693.11.6.el7/fs/btrfs/free-space-cache.c
--- linux-3.10.0-693.11.1.el7/fs/btrfs/free-space-cache.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/btrfs/free-space-cache.c	2017-12-28 19:59:43.000000000 +0100
@@ -1439,10 +1439,13 @@ static int tree_insert_offset(struct rb_
 		info = rb_entry(parent, struct btrfs_free_space, offset_index);

 		if (offset < info->offset) {
+			gmb();
 			p = &(*p)->rb_left;
 		} else if (offset > info->offset) {
+			gmb();
 			p = &(*p)->rb_right;
 		} else {
+			gmb();
 			/*
 			 * we could have a bitmap entry and an extent entry
 			 * share the same offset.  If this is the case, we want
@@ -1796,6 +1799,7 @@ find_free_space(struct btrfs_free_space_
 	for (node = &entry->offset_index; node; node = rb_next(node)) {
 		entry = rb_entry(node, struct btrfs_free_space, offset_index);
 		if (entry->bytes < *bytes) {
+			gmb();
 			if (entry->bytes > *max_extent_size)
 				*max_extent_size = entry->bytes;
 			continue;
diff -upr linux-3.10.0-693.11.1.el7/fs/btrfs/volumes.c linux-3.10.0-693.11.6.el7/fs/btrfs/volumes.c
--- linux-3.10.0-693.11.1.el7/fs/btrfs/volumes.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/btrfs/volumes.c	2017-12-28 19:59:43.000000000 +0100
@@ -1803,8 +1803,10 @@ static int btrfs_check_raid_min_devices(
 			continue;

 		if (num_devices < btrfs_raid_array[i].devs_min) {
-			int ret = btrfs_raid_mindev_error[i];
+			int ret;

+			gmb();
+			ret = btrfs_raid_mindev_error[i];
 			if (ret)
 				return ret;
 		}
diff -upr linux-3.10.0-693.11.1.el7/fs/ceph/snap.c linux-3.10.0-693.11.6.el7/fs/ceph/snap.c
--- linux-3.10.0-693.11.1.el7/fs/ceph/snap.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/ceph/snap.c	2017-12-28 19:59:43.000000000 +0100
@@ -140,11 +140,14 @@ static struct ceph_snap_realm *__lookup_

 	while (n) {
 		r = rb_entry(n, struct ceph_snap_realm, node);
-		if (ino < r->ino)
+		if (ino < r->ino) {
+			gmb();
 			n = n->rb_left;
-		else if (ino > r->ino)
+		} else if (ino > r->ino) {
+			gmb();
 			n = n->rb_right;
-		else {
+		} else {
+			gmb();
 			dout("lookup_snap_realm %llx %p\n", r->ino, r);
 			return r;
 		}
diff -upr linux-3.10.0-693.11.1.el7/fs/ext4/extents.c linux-3.10.0-693.11.6.el7/fs/ext4/extents.c
--- linux-3.10.0-693.11.1.el7/fs/ext4/extents.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/ext4/extents.c	2017-12-28 19:59:43.000000000 +0100
@@ -3577,6 +3577,7 @@ static int ext4_ext_convert_to_initializ
 	split_map.m_len = map->m_len;

 	if (max_zeroout && (allocated > map->m_len)) {
+		gmb();
 		if (allocated <= max_zeroout) {
 			/* case 3 */
 			zero_ex.ee_block =
diff -upr linux-3.10.0-693.11.1.el7/fs/locks.c linux-3.10.0-693.11.6.el7/fs/locks.c
--- linux-3.10.0-693.11.1.el7/fs/locks.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/locks.c	2017-12-28 19:59:43.000000000 +0100
@@ -1046,14 +1046,20 @@ static int __posix_lock_file(struct inod
 			 * lock yielding from the lower start address of both
 			 * locks to the higher end address.
 			 */
-			if (fl->fl_start > request->fl_start)
+			if (fl->fl_start > request->fl_start) {
+				gmb();
 				fl->fl_start = request->fl_start;
-			else
+			} else {
+				gmb();
 				request->fl_start = fl->fl_start;
-			if (fl->fl_end < request->fl_end)
+			}
+			if (fl->fl_end < request->fl_end) {
+				gmb();
 				fl->fl_end = request->fl_end;
-			else
+			} else {
+				gmb();
 				request->fl_end = fl->fl_end;
+			}
 			if (added) {
 				locks_delete_lock(before, &dispose);
 				continue;
diff -upr linux-3.10.0-693.11.1.el7/fs/nfs/direct.c linux-3.10.0-693.11.6.el7/fs/nfs/direct.c
--- linux-3.10.0-693.11.1.el7/fs/nfs/direct.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/nfs/direct.c	2017-12-28 19:59:43.000000000 +0100
@@ -165,9 +165,10 @@ nfs_direct_select_verf(struct nfs_direct
 	 * for layout segment where nbuckets is zero.
 	 */
 	if (ds_clp && dreq->ds_cinfo.nbuckets > 0) {
-		if (commit_idx >= 0 && commit_idx < dreq->ds_cinfo.nbuckets)
+		if (commit_idx >= 0 && commit_idx < dreq->ds_cinfo.nbuckets) {
+			gmb();
 			verfp = &dreq->ds_cinfo.buckets[commit_idx].direct_verf;
-		else
+		} else
 			WARN_ON_ONCE(1);
 	}
 #endif
diff -upr linux-3.10.0-693.11.1.el7/fs/nfs/flexfilelayout/flexfilelayout.c linux-3.10.0-693.11.6.el7/fs/nfs/flexfilelayout/flexfilelayout.c
--- linux-3.10.0-693.11.1.el7/fs/nfs/flexfilelayout/flexfilelayout.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/nfs/flexfilelayout/flexfilelayout.c	2017-12-28 19:59:43.000000000 +0100
@@ -343,9 +343,11 @@ static void ff_layout_sort_mirrors(struc
 	for (i = 0; i < fls->mirror_array_cnt - 1; i++) {
 		for (j = i + 1; j < fls->mirror_array_cnt; j++)
 			if (fls->mirror_array[i]->efficiency <
-			    fls->mirror_array[j]->efficiency)
+			    fls->mirror_array[j]->efficiency) {
+				gmb();
 				swap(fls->mirror_array[i],
 				     fls->mirror_array[j]);
+			}
 	}
 }

diff -upr linux-3.10.0-693.11.1.el7/fs/udf/balloc.c linux-3.10.0-693.11.6.el7/fs/udf/balloc.c
--- linux-3.10.0-693.11.1.el7/fs/udf/balloc.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/udf/balloc.c	2017-12-28 19:59:43.000000000 +0100
@@ -491,6 +491,7 @@ static void udf_table_free_blocks(struct
 			aed->previousAllocExtLocation =
 				cpu_to_le32(oepos.block.logicalBlockNum);
 			if (epos.offset + adsize > sb->s_blocksize) {
+				gmb();
 				loffset = epos.offset;
 				aed->lengthAllocDescs = cpu_to_le32(adsize);
 				sptr = iinfo->i_ext.i_data + epos.offset
@@ -501,6 +502,7 @@ static void udf_table_free_blocks(struct
 				epos.offset = sizeof(struct allocExtDesc) +
 						adsize;
 			} else {
+				gmb();
 				loffset = epos.offset + adsize;
 				aed->lengthAllocDescs = cpu_to_le32(0);
 				if (oepos.bh) {
diff -upr linux-3.10.0-693.11.1.el7/fs/udf/inode.c linux-3.10.0-693.11.6.el7/fs/udf/inode.c
--- linux-3.10.0-693.11.1.el7/fs/udf/inode.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/udf/inode.c	2017-12-28 19:59:43.000000000 +0100
@@ -1915,6 +1915,7 @@ int udf_add_aext(struct inode *inode, st
 			aed->previousAllocExtLocation =
 					cpu_to_le32(obloc.logicalBlockNum);
 		if (epos->offset + adsize > inode->i_sb->s_blocksize) {
+			gmb();
 			loffset = epos->offset;
 			aed->lengthAllocDescs = cpu_to_le32(adsize);
 			sptr = ptr - adsize;
@@ -1922,6 +1923,7 @@ int udf_add_aext(struct inode *inode, st
 			memcpy(dptr, sptr, adsize);
 			epos->offset = sizeof(struct allocExtDesc) + adsize;
 		} else {
+			gmb();
 			loffset = epos->offset + adsize;
 			aed->lengthAllocDescs = cpu_to_le32(0);
 			sptr = ptr;
diff -upr linux-3.10.0-693.11.1.el7/fs/udf/misc.c linux-3.10.0-693.11.6.el7/fs/udf/misc.c
--- linux-3.10.0-693.11.1.el7/fs/udf/misc.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/udf/misc.c	2017-12-28 19:59:43.000000000 +0100
@@ -103,8 +103,10 @@ struct genericFormat *udf_add_extendedat
 		if (type < 2048) {
 			if (le32_to_cpu(eahd->appAttrLocation) <
 					iinfo->i_lenEAttr) {
-				uint32_t aal =
-					le32_to_cpu(eahd->appAttrLocation);
+				uint32_t aal;
+
+				gmb();
+				aal = le32_to_cpu(eahd->appAttrLocation);
 				memmove(&ea[offset - aal + size],
 					&ea[aal], offset - aal);
 				offset -= aal;
@@ -113,8 +115,10 @@ struct genericFormat *udf_add_extendedat
 			}
 			if (le32_to_cpu(eahd->impAttrLocation) <
 					iinfo->i_lenEAttr) {
-				uint32_t ial =
-					le32_to_cpu(eahd->impAttrLocation);
+				uint32_t ial;
+
+				gmb();
+				ial = le32_to_cpu(eahd->impAttrLocation);
 				memmove(&ea[offset - ial + size],
 					&ea[ial], offset - ial);
 				offset -= ial;
@@ -124,8 +128,10 @@ struct genericFormat *udf_add_extendedat
 		} else if (type < 65536) {
 			if (le32_to_cpu(eahd->appAttrLocation) <
 					iinfo->i_lenEAttr) {
-				uint32_t aal =
-					le32_to_cpu(eahd->appAttrLocation);
+				uint32_t aal;
+
+				gmb();
+				aal = le32_to_cpu(eahd->appAttrLocation);
 				memmove(&ea[offset - aal + size],
 					&ea[aal], offset - aal);
 				offset -= aal;
diff -upr linux-3.10.0-693.11.1.el7/fs/udf/super.c linux-3.10.0-693.11.6.el7/fs/udf/super.c
--- linux-3.10.0-693.11.1.el7/fs/udf/super.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/udf/super.c	2017-12-28 19:59:43.000000000 +0100
@@ -2374,6 +2374,7 @@ static unsigned int udf_count_free(struc
 			(struct logicalVolIntegrityDesc *)
 			sbi->s_lvid_bh->b_data;
 		if (le32_to_cpu(lvid->numOfPartitions) > sbi->s_partition) {
+			gmb();
 			accum = le32_to_cpu(
 					lvid->freeSpaceTable[sbi->s_partition]);
 			if (accum == 0xFFFFFFFF)
diff -upr linux-3.10.0-693.11.1.el7/fs/userfaultfd.c linux-3.10.0-693.11.6.el7/fs/userfaultfd.c
--- linux-3.10.0-693.11.1.el7/fs/userfaultfd.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/userfaultfd.c	2017-12-28 19:59:43.000000000 +0100
@@ -557,6 +557,12 @@ static void userfaultfd_event_wait_compl
 			break;
 		if (ACCESS_ONCE(ctx->released) ||
 		    fatal_signal_pending(current)) {
+			/*
+			 * &ewq->wq may be queued in fork_event, but
+			 * __remove_wait_queue ignores the head
+			 * parameter. It would be a problem if it
+			 * didn't.
+			 */
 			__remove_wait_queue(&ctx->event_wqh, &ewq->wq);
 			if (ewq->msg.event == UFFD_EVENT_FORK) {
 				struct userfaultfd_ctx *new;
@@ -1027,6 +1033,12 @@ static ssize_t userfaultfd_ctx_read(stru
 					(unsigned long)
 					uwq->msg.arg.reserved.reserved1;
 				list_move(&uwq->wq.task_list, &fork_event);
+				/*
+				 * fork_nctx can be freed as soon as
+				 * we drop the lock, unless we take a
+				 * reference on it.
+				 */
+				userfaultfd_ctx_get(fork_nctx);
 				spin_unlock(&ctx->event_wqh.lock);
 				ret = 0;
 				break;
@@ -1057,19 +1069,53 @@ static ssize_t userfaultfd_ctx_read(stru

 	if (!ret && msg->event == UFFD_EVENT_FORK) {
 		ret = resolve_userfault_fork(ctx, fork_nctx, msg);
+		spin_lock(&ctx->event_wqh.lock);
+		if (!list_empty(&fork_event)) {
+			/*
+			 * The fork thread didn't abort, so we can
+			 * drop the temporary refcount.
+			 */
+			userfaultfd_ctx_put(fork_nctx);
+
+			uwq = list_first_entry(&fork_event,
+					       typeof(*uwq),
+					       wq.task_list);
+			/*
+			 * If fork_event list wasn't empty and in turn
+			 * the event wasn't already released by fork
+			 * (the event is allocated on fork kernel
+			 * stack), put the event back to its place in
+			 * the event_wq. fork_event head will be freed
+			 * as soon as we return so the event cannot
+			 * stay queued there no matter the current
+			 * "ret" value.
+			 */
+			list_del(&uwq->wq.task_list);
+			__add_wait_queue(&ctx->event_wqh, &uwq->wq);

-		if (!ret) {
-			spin_lock(&ctx->event_wqh.lock);
-			if (!list_empty(&fork_event)) {
-				uwq = list_first_entry(&fork_event,
-						       typeof(*uwq),
-						       wq.task_list);
-				list_del(&uwq->wq.task_list);
-				__add_wait_queue(&ctx->event_wqh, &uwq->wq);
+			/*
+			 * Leave the event in the waitqueue and report
+			 * error to userland if we failed to resolve
+			 * the userfault fork.
+			 */
+			if (likely(!ret))
 				userfaultfd_event_complete(ctx, uwq);
-			}
-			spin_unlock(&ctx->event_wqh.lock);
+		} else {
+			/*
+			 * Here the fork thread aborted and the
+			 * refcount from the fork thread on fork_nctx
+			 * has already been released. We still hold
+			 * the reference we took before releasing the
+			 * lock above. If resolve_userfault_fork
+			 * failed we've to drop it because the
+			 * fork_nctx has to be freed in such case. If
+			 * it succeeded we'll hold it because the new
+			 * uffd references it.
+			 */
+			if (ret)
+				userfaultfd_ctx_put(fork_nctx);
 		}
+		spin_unlock(&ctx->event_wqh.lock);
 	}

 	return ret;
diff -upr linux-3.10.0-693.11.1.el7/fs/xfs/libxfs/xfs_attr_leaf.c linux-3.10.0-693.11.6.el7/fs/xfs/libxfs/xfs_attr_leaf.c
--- linux-3.10.0-693.11.1.el7/fs/xfs/libxfs/xfs_attr_leaf.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/xfs/libxfs/xfs_attr_leaf.c	2017-12-28 19:59:43.000000000 +0100
@@ -1172,9 +1172,11 @@ xfs_attr3_leaf_add(
 					+ xfs_attr3_leaf_hdr_size(leaf);
 	for (sum = 0, i = XFS_ATTR_LEAF_MAPSIZE - 1; i >= 0; i--) {
 		if (tablesize > ichdr.firstused) {
+			gmb();
 			sum += ichdr.freemap[i].size;
 			continue;
 		}
+		gmb();
 		if (!ichdr.freemap[i].size)
 			continue;	/* no space in this map */
 		tmp = entsize;
@@ -1526,6 +1528,7 @@ xfs_attr3_leaf_rebalance(
 	 * Move any entries required from leaf to leaf:
 	 */
 	if (count < ichdr1.count) {
+		gmb();
 		/*
 		 * Figure the total bytes to be added to the destination leaf.
 		 */
@@ -1549,6 +1552,7 @@ xfs_attr3_leaf_rebalance(
 				ichdr1.count - count, leaf2, &ichdr2, 0, count);

 	} else if (count > ichdr1.count) {
+		gmb();
 		/*
 		 * I assert that since all callers pass in an empty
 		 * second buffer, this code should never execute.
diff -upr linux-3.10.0-693.11.1.el7/fs/xfs/libxfs/xfs_bmap.c linux-3.10.0-693.11.6.el7/fs/xfs/libxfs/xfs_bmap.c
--- linux-3.10.0-693.11.1.el7/fs/xfs/libxfs/xfs_bmap.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/fs/xfs/libxfs/xfs_bmap.c	2017-12-28 19:59:43.000000000 +0100
@@ -3467,13 +3467,17 @@ xfs_bmap_adjacent(
 			 * offset by our length.
 			 */
 			if (gotdiff <= XFS_ALLOC_GAP_UNITS * ap->length &&
-			    ISVALID(gotbno - gotdiff, gotbno))
+			    ISVALID(gotbno - gotdiff, gotbno)) {
+				gmb();
 				gotbno -= adjust;
-			else if (ISVALID(gotbno - ap->length, gotbno)) {
+			} else if (ISVALID(gotbno - ap->length, gotbno)) {
+				gmb();
 				gotbno -= ap->length;
 				gotdiff += adjust - ap->length;
-			} else
+			} else {
+				gmb();
 				gotdiff += adjust;
+			}
 			/*
 			 * If the firstblock forbids it, can't use it,
 			 * must use default.
diff -upr linux-3.10.0-693.11.1.el7/include/asm-generic/barrier.h linux-3.10.0-693.11.6.el7/include/asm-generic/barrier.h
--- linux-3.10.0-693.11.1.el7/include/asm-generic/barrier.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/asm-generic/barrier.h	2017-12-28 19:59:43.000000000 +0100
@@ -42,6 +42,10 @@
 #define wmb()	mb()
 #endif

+#ifndef gmb
+#define gmb()	do { } while (0)
+#endif
+
 #ifndef dma_rmb
 #define dma_rmb()	rmb()
 #endif
diff -upr linux-3.10.0-693.11.1.el7/include/asm-generic/sections.h linux-3.10.0-693.11.6.el7/include/asm-generic/sections.h
--- linux-3.10.0-693.11.1.el7/include/asm-generic/sections.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/asm-generic/sections.h	2017-12-28 19:59:43.000000000 +0100
@@ -12,6 +12,7 @@ extern char _end[];
 extern char __per_cpu_load[], __per_cpu_start[], __per_cpu_end[];
 extern char __kprobes_text_start[], __kprobes_text_end[];
 extern char __entry_text_start[], __entry_text_end[];
+extern char __irqentry_text_start[], __irqentry_text_end[];
 extern char __initdata_begin[], __initdata_end[];
 extern char __start_rodata[], __end_rodata[];

diff -upr linux-3.10.0-693.11.1.el7/include/asm-generic/vmlinux.lds.h linux-3.10.0-693.11.6.el7/include/asm-generic/vmlinux.lds.h
--- linux-3.10.0-693.11.1.el7/include/asm-generic/vmlinux.lds.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/asm-generic/vmlinux.lds.h	2017-12-28 19:59:43.000000000 +0100
@@ -718,6 +718,13 @@
 	VMLINUX_SYMBOL(__per_cpu_start) = .;				\
 	*(.data..percpu..first)						\
 	. = ALIGN(PAGE_SIZE);						\
+	VMLINUX_SYMBOL(__per_cpu_user_mapped_start) = .;		\
+	*(.data..percpu..user_mapped..page_aligned)			\
+	. = ALIGN(cacheline);						\
+	*(.data..percpu..user_mapped)					\
+	*(.data..percpu..user_mapped..shared_aligned)			\
+	VMLINUX_SYMBOL(__per_cpu_user_mapped_end) = .;			\
+	. = ALIGN(PAGE_SIZE);						\
 	*(.data..percpu..page_aligned)					\
 	. = ALIGN(cacheline);						\
 	*(.data..percpu..readmostly)					\
diff -upr linux-3.10.0-693.11.1.el7/include/linux/ceph/libceph.h linux-3.10.0-693.11.6.el7/include/linux/ceph/libceph.h
--- linux-3.10.0-693.11.1.el7/include/linux/ceph/libceph.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/linux/ceph/libceph.h	2017-12-28 19:59:43.000000000 +0100
@@ -195,11 +195,13 @@ static void insert_##name(struct rb_root
 		type *cur = rb_entry(*n, type, nodefld);		\
 									\
 		parent = *n;						\
-		if (t->keyfld < cur->keyfld)				\
+		if (t->keyfld < cur->keyfld) {				\
+			gmb();						\
 			n = &(*n)->rb_left;				\
-		else if (t->keyfld > cur->keyfld)			\
+		} else if (t->keyfld > cur->keyfld) {			\
+			gmb();						\
 			n = &(*n)->rb_right;				\
-		else							\
+		} else							\
 			BUG();						\
 	}								\
 									\
diff -upr linux-3.10.0-693.11.1.el7/include/linux/fdtable.h linux-3.10.0-693.11.6.el7/include/linux/fdtable.h
--- linux-3.10.0-693.11.1.el7/include/linux/fdtable.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/linux/fdtable.h	2017-12-28 19:59:43.000000000 +0100
@@ -77,8 +77,10 @@ static inline struct file * fcheck_files
 	struct file * file = NULL;
 	struct fdtable *fdt = files_fdtable(files);

-	if (fd < fdt->max_fds)
+	if (fd < fdt->max_fds) {
+		gmb();
 		file = rcu_dereference_check_fdtable(files, fdt->fd[fd]);
+	}
 	return file;
 }

diff -upr linux-3.10.0-693.11.1.el7/include/linux/interval_tree_generic.h linux-3.10.0-693.11.6.el7/include/linux/interval_tree_generic.h
--- linux-3.10.0-693.11.1.el7/include/linux/interval_tree_generic.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/linux/interval_tree_generic.h	2017-12-28 19:59:43.000000000 +0100
@@ -76,10 +76,13 @@ ITSTATIC void ITPREFIX ## _insert(ITSTRU
 		parent = rb_entry(rb_parent, ITSTRUCT, ITRB);		      \
 		if (parent->ITSUBTREE < last)				      \
 			parent->ITSUBTREE = last;			      \
-		if (start < ITSTART(parent))				      \
+		if (start < ITSTART(parent)) {				      \
+			gmb();						      \
 			link = &parent->ITRB.rb_left;			      \
-		else							      \
+		} else {						      \
+			gmb();						      \
 			link = &parent->ITRB.rb_right;			      \
+		}							      \
 	}								      \
 									      \
 	node->ITSUBTREE = last;						      \
Только в linux-3.10.0-693.11.6.el7/include/linux: kaiser.h
diff -upr linux-3.10.0-693.11.1.el7/include/linux/percpu-defs.h linux-3.10.0-693.11.6.el7/include/linux/percpu-defs.h
--- linux-3.10.0-693.11.1.el7/include/linux/percpu-defs.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/linux/percpu-defs.h	2017-12-28 19:59:43.000000000 +0100
@@ -1,6 +1,12 @@
 #ifndef _LINUX_PERCPU_DEFS_H
 #define _LINUX_PERCPU_DEFS_H

+#ifdef CONFIG_KAISER
+#define USER_MAPPED_SECTION "..user_mapped"
+#else
+#define USER_MAPPED_SECTION ""
+#endif
+
 /*
  * Base implementations of per-CPU variable declarations and definitions, where
  * the section in which the variable is to be placed is provided by the
@@ -93,6 +99,12 @@
 #define DEFINE_PER_CPU(type, name)					\
 	DEFINE_PER_CPU_SECTION(type, name, "")

+#define DECLARE_PER_CPU_USER_MAPPED(type, name)				\
+	DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
+
+#define DEFINE_PER_CPU_USER_MAPPED(type, name)				\
+	DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
+
 /*
  * Declaration/definition used for per-CPU variables that must come first in
  * the set of variables.
@@ -122,6 +134,14 @@
 	DEFINE_PER_CPU_SECTION(type, name, PER_CPU_SHARED_ALIGNED_SECTION) \
 	____cacheline_aligned_in_smp

+#define DECLARE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name)		\
+	DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
+	____cacheline_aligned_in_smp
+
+#define DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name)		\
+	DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
+	____cacheline_aligned_in_smp
+
 #define DECLARE_PER_CPU_ALIGNED(type, name)				\
 	DECLARE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION)	\
 	____cacheline_aligned
@@ -140,6 +160,16 @@
 #define DEFINE_PER_CPU_PAGE_ALIGNED(type, name)				\
 	DEFINE_PER_CPU_SECTION(type, name, "..page_aligned")		\
 	__aligned(PAGE_SIZE)
+/*
+ * Declaration/definition used for per-CPU variables that must be page aligned and need to be mapped in user mode.
+ */
+#define DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name)		\
+	DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
+	__aligned(PAGE_SIZE)
+
+#define DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name)		\
+	DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
+	__aligned(PAGE_SIZE)

 /*
  * Declaration/definition used for per-CPU variables that must be read mostly.
diff -upr linux-3.10.0-693.11.1.el7/include/linux/ptrace.h linux-3.10.0-693.11.6.el7/include/linux/ptrace.h
--- linux-3.10.0-693.11.1.el7/include/linux/ptrace.h	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/include/linux/ptrace.h	2017-12-28 19:59:43.000000000 +0100
@@ -58,8 +58,15 @@ extern void exit_ptrace(struct task_stru
 #define PTRACE_MODE_READ	0x01
 #define PTRACE_MODE_ATTACH	0x02
 #define PTRACE_MODE_NOAUDIT	0x04
+#define PTRACE_MODE_NOACCESS_CHK 0x20
+#define PTRACE_MODE_IBPB (PTRACE_MODE_ATTACH | PTRACE_MODE_NOAUDIT	\
+			  | PTRACE_MODE_NOACCESS_CHK)
 /* Returns true on success, false on denial. */
 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
+extern int ___ptrace_may_access(struct task_struct *tracer,
+				const struct cred *cred, /* tracer cred */
+				struct task_struct *task,
+				unsigned int mode);

 static inline int ptrace_reparented(struct task_struct *child)
 {
diff -upr linux-3.10.0-693.11.1.el7/init/main.c linux-3.10.0-693.11.6.el7/init/main.c
--- linux-3.10.0-693.11.1.el7/init/main.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/init/main.c	2017-12-28 19:59:43.000000000 +0100
@@ -72,6 +72,7 @@
 #include <linux/perf_event.h>
 #include <linux/file.h>
 #include <linux/ptrace.h>
+#include <linux/kaiser.h>
 #include <linux/blkdev.h>
 #include <linux/elevator.h>
 #include <linux/random.h>
@@ -478,6 +479,8 @@ static void __init mm_init(void)
 	pgtable_init();
 	vmalloc_init();
 	ioremap_huge_init();
+	/* This just needs to be done before we first run userspace: */
+	kaiser_init();
 }

 asmlinkage void __init start_kernel(void)
diff -upr linux-3.10.0-693.11.1.el7/kernel/fork.c linux-3.10.0-693.11.6.el7/kernel/fork.c
--- linux-3.10.0-693.11.1.el7/kernel/fork.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/kernel/fork.c	2017-12-28 19:59:43.000000000 +0100
@@ -57,6 +57,7 @@
 #include <linux/tsacct_kern.h>
 #include <linux/cn_proc.h>
 #include <linux/freezer.h>
+#include <linux/kaiser.h>
 #include <linux/delayacct.h>
 #include <linux/taskstats_kern.h>
 #include <linux/random.h>
diff -upr linux-3.10.0-693.11.1.el7/kernel/ptrace.c linux-3.10.0-693.11.6.el7/kernel/ptrace.c
--- linux-3.10.0-693.11.1.el7/kernel/ptrace.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/kernel/ptrace.c	2017-12-28 19:59:43.000000000 +0100
@@ -222,9 +222,12 @@ static int ptrace_has_cap(struct user_na
 }

 /* Returns 0 on success, -errno on denial. */
-static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+int ___ptrace_may_access(struct task_struct *tracer,
+			 const struct cred *cred, /* tracer cred */
+			 struct task_struct *task,
+			 unsigned int mode)
 {
-	const struct cred *cred = current_cred(), *tcred;
+	const struct cred *tcred;

 	/* May we inspect the given task?
 	 * This check is used both for attaching with ptrace
@@ -236,9 +239,17 @@ static int __ptrace_may_access(struct ta
 	 */
 	int dumpable = 0;
 	/* Don't let security modules deny introspection */
-	if (task == current)
+	if (task == tracer)
 		return 0;
 	rcu_read_lock();
+	if (!cred) {
+		WARN_ON_ONCE(tracer == current);
+		WARN_ON_ONCE(task != current);
+		cred = __task_cred(tracer);
+	} else {
+		WARN_ON_ONCE(tracer != current);
+		WARN_ON_ONCE(task == current);
+	}
 	tcred = __task_cred(task);
 	if (uid_eq(cred->uid, tcred->euid) &&
 	    uid_eq(cred->uid, tcred->suid) &&
@@ -264,7 +275,15 @@ ok:
 	}
 	rcu_read_unlock();

-	return security_ptrace_access_check(task, mode);
+	if (!(mode & PTRACE_MODE_NOACCESS_CHK))
+		return security_ptrace_access_check(task, mode);
+
+	return 0;
+}
+
+static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+{
+	return ___ptrace_may_access(current, current_cred(), task, mode);
 }

 bool ptrace_may_access(struct task_struct *task, unsigned int mode)
diff -upr linux-3.10.0-693.11.1.el7/kernel/sched/cputime.c linux-3.10.0-693.11.6.el7/kernel/sched/cputime.c
--- linux-3.10.0-693.11.1.el7/kernel/sched/cputime.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/kernel/sched/cputime.c	2017-12-28 19:59:43.000000000 +0100
@@ -635,6 +635,7 @@ update:
 	 * monotonicity for stime, analogous argument to above.
 	 */
 	if (utime < prev->utime) {
+		gmb();
 		utime = prev->utime;
 		stime = rtime - utime;
 	}
diff -upr linux-3.10.0-693.11.1.el7/kernel/sysctl.c linux-3.10.0-693.11.6.el7/kernel/sysctl.c
--- linux-3.10.0-693.11.1.el7/kernel/sysctl.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/kernel/sysctl.c	2017-12-28 19:59:43.000000000 +0100
@@ -978,13 +978,6 @@ static struct ctl_table kern_table[] = {
 		.proc_handler	= proc_dointvec,
 	},
 	{
-		.procname	= "kstack_depth_to_print",
-		.data		= &kstack_depth_to_print,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
-	},
-	{
 		.procname	= "io_delay_type",
 		.data		= &io_delay_type,
 		.maxlen		= sizeof(int),
diff -upr linux-3.10.0-693.11.1.el7/kernel/user_namespace.c linux-3.10.0-693.11.6.el7/kernel/user_namespace.c
--- linux-3.10.0-693.11.1.el7/kernel/user_namespace.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/kernel/user_namespace.c	2017-12-28 19:59:43.000000000 +0100
@@ -554,8 +554,10 @@ static void *m_start(struct seq_file *se
 	struct uid_gid_extent *extent = NULL;
 	loff_t pos = *ppos;

-	if (pos < map->nr_extents)
+	if (pos < map->nr_extents) {
+		gmb();
 		extent = &map->extent[pos];
+	}

 	return extent;
 }
diff -upr linux-3.10.0-693.11.1.el7/Makefile linux-3.10.0-693.11.6.el7/Makefile
--- linux-3.10.0-693.11.1.el7/Makefile	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/Makefile	2017-12-28 19:59:43.000000000 +0100
@@ -5,7 +5,7 @@ EXTRAVERSION =
 NAME = Unicycling Gorilla
 RHEL_MAJOR = 7
 RHEL_MINOR = 4
-RHEL_RELEASE = 693.11.1
+RHEL_RELEASE = 693.11.6

 #
 # DRM backport version
diff -upr linux-3.10.0-693.11.1.el7/mm/fremap.c linux-3.10.0-693.11.6.el7/mm/fremap.c
--- linux-3.10.0-693.11.1.el7/mm/fremap.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/mm/fremap.c	2017-12-28 19:59:43.000000000 +0100
@@ -28,24 +28,35 @@ static void zap_pte(struct mm_struct *mm
 			unsigned long addr, pte_t *ptep)
 {
 	pte_t pte = *ptep;
+	struct page *page;
+	swp_entry_t entry;

 	if (pte_present(pte)) {
-		struct page *page;
-
 		flush_cache_page(vma, addr, pte_pfn(pte));
 		pte = ptep_clear_flush_notify(vma, addr, ptep);
 		page = vm_normal_page(vma, addr, pte);
 		if (page) {
 			if (pte_dirty(pte))
 				set_page_dirty(page);
+			update_hiwater_rss(mm);
+			dec_mm_counter(mm, mm_counter(page));
 			page_remove_rmap(page);
 			page_cache_release(page);
+		}
+	} else {	/* zap_pte() is not called when pte_none() */
+		if (!pte_file(pte)) {
 			update_hiwater_rss(mm);
-			dec_mm_counter(mm, mm_counter_file(page));
+			entry = pte_to_swp_entry(pte);
+			if (non_swap_entry(entry)) {
+				if (is_migration_entry(entry)) {
+					page = migration_entry_to_page(entry);
+					dec_mm_counter(mm, mm_counter(page));
+				}
+			} else {
+				free_swap_and_cache(entry);
+				dec_mm_counter(mm, MM_SWAPENTS);
+			}
 		}
-	} else {
-		if (!pte_file(pte))
-			free_swap_and_cache(pte_to_swp_entry(pte));
 		pte_clear_not_present_full(mm, addr, ptep, 0);
 	}
 }
diff -upr linux-3.10.0-693.11.1.el7/mm/hugetlb.c linux-3.10.0-693.11.6.el7/mm/hugetlb.c
--- linux-3.10.0-693.11.1.el7/mm/hugetlb.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/mm/hugetlb.c	2017-12-28 19:59:43.000000000 +0100
@@ -4047,6 +4047,9 @@ int hugetlb_mcopy_atomic_pte(struct mm_s
 			    unsigned long src_addr,
 			    struct page **pagep)
 {
+	struct address_space *mapping;
+	pgoff_t idx;
+	unsigned long size;
 	int vm_shared = dst_vma->vm_flags & VM_SHARED;
 	struct hstate *h = hstate_vma(dst_vma);
 	pte_t _dst_pte;
@@ -4084,13 +4087,24 @@ int hugetlb_mcopy_atomic_pte(struct mm_s
 	__SetPageUptodate(page);
 	set_page_huge_active(page);

+	mapping = dst_vma->vm_file->f_mapping;
+	idx = vma_hugecache_offset(h, dst_vma, dst_addr);
+
 	/*
 	 * If shared, add to page cache
 	 */
 	if (vm_shared) {
-		struct address_space *mapping = dst_vma->vm_file->f_mapping;
-		pgoff_t idx = vma_hugecache_offset(h, dst_vma, dst_addr);
+		size = i_size_read(mapping->host) >> huge_page_shift(h);
+		ret = -EFAULT;
+		if (idx >= size)
+			goto out_release_nounlock;

+		/*
+		 * Serialization between remove_inode_hugepages() and
+		 * huge_add_to_page_cache() below happens through the
+		 * hugetlb_fault_mutex_table that here must be hold by
+		 * the caller.
+		 */
 		ret = huge_add_to_page_cache(page, mapping, idx);
 		if (ret)
 			goto out_release_nounlock;
@@ -4099,6 +4113,20 @@ int hugetlb_mcopy_atomic_pte(struct mm_s
 	ptl = huge_pte_lockptr(h, dst_mm, dst_pte);
 	spin_lock(ptl);

+	/*
+	 * Recheck the i_size after holding PT lock to make sure not
+	 * to leave any page mapped (as page_mapped()) beyond the end
+	 * of the i_size (remove_inode_hugepages() is strict about
+	 * enforcing that). If we bail out here, we'll also leave a
+	 * page in the radix tree in the vm_shared case beyond the end
+	 * of the i_size, but remove_inode_hugepages() will take care
+	 * of it as soon as we drop the hugetlb_fault_mutex_table.
+	 */
+	size = i_size_read(mapping->host) >> huge_page_shift(h);
+	ret = -EFAULT;
+	if (idx >= size)
+		goto out_release_unlock;
+
 	ret = -EEXIST;
 	if (!huge_pte_none(huge_ptep_get(dst_pte)))
 		goto out_release_unlock;
@@ -4131,9 +4159,9 @@ out:
 	return ret;
 out_release_unlock:
 	spin_unlock(ptl);
-out_release_nounlock:
 	if (vm_shared)
 		unlock_page(page);
+out_release_nounlock:
 	put_page(page);
 	goto out;
 }
diff -upr linux-3.10.0-693.11.1.el7/mm/memory-failure.c linux-3.10.0-693.11.6.el7/mm/memory-failure.c
--- linux-3.10.0-693.11.1.el7/mm/memory-failure.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/mm/memory-failure.c	2017-12-28 19:59:43.000000000 +0100
@@ -1339,11 +1339,14 @@ void memory_failure_queue(unsigned long

 	mf_cpu = &get_cpu_var(memory_failure_cpu);
 	spin_lock_irqsave(&mf_cpu->lock, proc_flags);
-	if (kfifo_put(&mf_cpu->fifo, &entry))
+	if (kfifo_put(&mf_cpu->fifo, &entry)) {
+		gmb();
 		schedule_work_on(smp_processor_id(), &mf_cpu->work);
-	else
+	} else {
+		gmb();
 		pr_err("Memory failure: buffer overflow when queuing memory failure at 0x%#lx\n",
 		       pfn);
+	}
 	spin_unlock_irqrestore(&mf_cpu->lock, proc_flags);
 	put_cpu_var(memory_failure_cpu);
 }
diff -upr linux-3.10.0-693.11.1.el7/net/6lowpan/nhc.c linux-3.10.0-693.11.6.el7/net/6lowpan/nhc.c
--- linux-3.10.0-693.11.1.el7/net/6lowpan/nhc.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/6lowpan/nhc.c	2017-12-28 19:59:43.000000000 +0100
@@ -33,10 +33,13 @@ static int lowpan_nhc_insert(struct lowp

 		len_dif = nhc->idlen - this->idlen;

-		if (nhc->idlen < this->idlen)
+		if (nhc->idlen < this->idlen) {
+			gmb();
 			len = nhc->idlen;
-		else
+		} else {
+			gmb();
 			len = this->idlen;
+		}

 		result = memcmp(nhc->id, this->id, len);
 		if (!result)
diff -upr linux-3.10.0-693.11.1.el7/net/bluetooth/l2cap_core.c linux-3.10.0-693.11.6.el7/net/bluetooth/l2cap_core.c
--- linux-3.10.0-693.11.1.el7/net/bluetooth/l2cap_core.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/bluetooth/l2cap_core.c	2017-12-28 19:59:43.000000000 +0100
@@ -1509,6 +1509,7 @@ static void l2cap_le_conn_ready(struct l
 	     hcon->le_conn_interval > hcon->le_conn_max_interval)) {
 		struct l2cap_conn_param_update_req req;

+		gmb();
 		req.min = cpu_to_le16(hcon->le_conn_min_interval);
 		req.max = cpu_to_le16(hcon->le_conn_max_interval);
 		req.latency = cpu_to_le16(hcon->le_conn_latency);
diff -upr linux-3.10.0-693.11.1.el7/net/ceph/messenger.c linux-3.10.0-693.11.6.el7/net/ceph/messenger.c
--- linux-3.10.0-693.11.1.el7/net/ceph/messenger.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/ceph/messenger.c	2017-12-28 19:59:43.000000000 +0100
@@ -1248,6 +1248,7 @@ static void prepare_write_message(struct
 	/* Sneak an ack in there first?  If we can get it into the same
 	 * TCP packet that's a good thing. */
 	if (con->in_seq > con->in_seq_acked) {
+		gmb();
 		con->in_seq_acked = con->in_seq;
 		con_out_kvec_add(con, sizeof (tag_ack), &tag_ack);
 		con->out_temp_ack = cpu_to_le64(con->in_seq_acked);
diff -upr linux-3.10.0-693.11.1.el7/net/core/tso.c linux-3.10.0-693.11.6.el7/net/core/tso.c
--- linux-3.10.0-693.11.1.el7/net/core/tso.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/core/tso.c	2017-12-28 19:59:43.000000000 +0100
@@ -51,7 +51,10 @@ void tso_build_data(struct sk_buff *skb,

 	if ((tso->size == 0) &&
 	    (tso->next_frag_idx < skb_shinfo(skb)->nr_frags)) {
-		skb_frag_t *frag = &skb_shinfo(skb)->frags[tso->next_frag_idx];
+		skb_frag_t *frag;
+
+		gmb();
+		frag = &skb_shinfo(skb)->frags[tso->next_frag_idx];

 		/* Move to next segment */
 		tso->size = frag->size;
@@ -75,8 +78,10 @@ void tso_start(struct sk_buff *skb, stru
 	tso->data = skb->data + hdr_len;
 	if ((tso->size == 0) &&
 	    (tso->next_frag_idx < skb_shinfo(skb)->nr_frags)) {
-		skb_frag_t *frag = &skb_shinfo(skb)->frags[tso->next_frag_idx];
+		skb_frag_t *frag;

+		gmb();
+		frag = &skb_shinfo(skb)->frags[tso->next_frag_idx];
 		/* Move to next segment */
 		tso->size = frag->size;
 		tso->data = page_address(frag->page.p) + frag->page_offset;
diff -upr linux-3.10.0-693.11.1.el7/net/dccp/ccids/ccid2.c linux-3.10.0-693.11.6.el7/net/dccp/ccids/ccid2.c
--- linux-3.10.0-693.11.1.el7/net/dccp/ccids/ccid2.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/dccp/ccids/ccid2.c	2017-12-28 19:59:43.000000000 +0100
@@ -389,6 +389,7 @@ static void ccid2_rtt_estimator(struct s
 		hc->tx_mdev += m;

 		if (hc->tx_mdev > hc->tx_mdev_max) {
+			gmb();
 			hc->tx_mdev_max = hc->tx_mdev;
 			if (hc->tx_mdev_max > hc->tx_rttvar)
 				hc->tx_rttvar = hc->tx_mdev_max;
diff -upr linux-3.10.0-693.11.1.el7/net/mac80211/util.c linux-3.10.0-693.11.6.el7/net/mac80211/util.c
--- linux-3.10.0-693.11.1.el7/net/mac80211/util.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/mac80211/util.c	2017-12-28 19:59:43.000000000 +0100
@@ -1605,11 +1605,14 @@ u32 ieee80211_sta_get_rates(struct ieee8
 		u8 rate = 0;
 		int own_rate;
 		bool is_basic;
-		if (i < elems->supp_rates_len)
+		if (i < elems->supp_rates_len) {
+			gmb();
 			rate = elems->supp_rates[i];
-		else if (elems->ext_supp_rates)
+		} else if (elems->ext_supp_rates) {
+			gmb();
 			rate = elems->ext_supp_rates
 				[i - elems->supp_rates_len];
+		}
 		own_rate = 5 * (rate & 0x7f);
 		is_basic = !!(rate & 0x80);

diff -upr linux-3.10.0-693.11.1.el7/net/netfilter/ipvs/ip_vs_wrr.c linux-3.10.0-693.11.6.el7/net/netfilter/ipvs/ip_vs_wrr.c
--- linux-3.10.0-693.11.1.el7/net/netfilter/ipvs/ip_vs_wrr.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/netfilter/ipvs/ip_vs_wrr.c	2017-12-28 19:59:43.000000000 +0100
@@ -149,10 +149,13 @@ static int ip_vs_wrr_dest_changed(struct
 	mark->cl = list_entry(&svc->destinations, struct ip_vs_dest, n_list);
 	mark->di = ip_vs_wrr_gcd_weight(svc);
 	mark->mw = ip_vs_wrr_max_weight(svc) - (mark->di - 1);
-	if (mark->cw > mark->mw || !mark->cw)
+	if (mark->cw > mark->mw || !mark->cw) {
+		gmb();
 		mark->cw = mark->mw;
-	else if (mark->di > 1)
+	} else if (mark->di > 1) {
+		gmb();
 		mark->cw = (mark->cw / mark->di) * mark->di + 1;
+	}
 	spin_unlock_bh(&svc->sched_lock);
 	return 0;
 }
diff -upr linux-3.10.0-693.11.1.el7/net/netfilter/nf_conntrack_core.c linux-3.10.0-693.11.6.el7/net/netfilter/nf_conntrack_core.c
--- linux-3.10.0-693.11.1.el7/net/netfilter/nf_conntrack_core.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/netfilter/nf_conntrack_core.c	2017-12-28 19:59:43.000000000 +0100
@@ -1418,6 +1418,7 @@ get_next_corpse(struct net *net, int (*i
 		local_bh_disable();
 		spin_lock(lockp);
 		if (*bucket < net->ct.htable_size) {
+			gmb();
 			hlist_nulls_for_each_entry(h, n, &net->ct.hash[*bucket], hnnode) {
 				if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
 					continue;
diff -upr linux-3.10.0-693.11.1.el7/net/netfilter/nf_conntrack_helper.c linux-3.10.0-693.11.6.el7/net/netfilter/nf_conntrack_helper.c
--- linux-3.10.0-693.11.1.el7/net/netfilter/nf_conntrack_helper.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/netfilter/nf_conntrack_helper.c	2017-12-28 19:59:43.000000000 +0100
@@ -419,6 +419,7 @@ static void __nf_conntrack_helper_unregi
 	for (i = 0; i < net->ct.htable_size; i++) {
 		spin_lock(&nf_conntrack_locks[i % CONNTRACK_LOCKS]);
 		if (i < net->ct.htable_size) {
+			gmb();
 			hlist_nulls_for_each_entry(h, nn, &net->ct.hash[i], hnnode)
 				unhelp(h, me);
 		}
diff -upr linux-3.10.0-693.11.1.el7/net/netfilter/nf_conntrack_proto_tcp.c linux-3.10.0-693.11.6.el7/net/netfilter/nf_conntrack_proto_tcp.c
--- linux-3.10.0-693.11.1.el7/net/netfilter/nf_conntrack_proto_tcp.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/netfilter/nf_conntrack_proto_tcp.c	2017-12-28 19:59:43.000000000 +0100
@@ -1056,14 +1056,18 @@ static int tcp_packet(struct nf_conn *ct
 		ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;

 	if (ct->proto.tcp.retrans >= tn->tcp_max_retrans &&
-	    timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
+	    timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS]) {
+		gmb();
 		timeout = timeouts[TCP_CONNTRACK_RETRANS];
-	else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
+	} else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
 		 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
-		 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
+		 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK]) {
+		gmb();
 		timeout = timeouts[TCP_CONNTRACK_UNACK];
-	else
+	} else {
+		gmb();
 		timeout = timeouts[new_state];
+	}
 	spin_unlock_bh(&ct->lock);

 	if (new_state != old_state)
diff -upr linux-3.10.0-693.11.1.el7/net/netfilter/nfnetlink_cttimeout.c linux-3.10.0-693.11.6.el7/net/netfilter/nfnetlink_cttimeout.c
--- linux-3.10.0-693.11.1.el7/net/netfilter/nfnetlink_cttimeout.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/netfilter/nfnetlink_cttimeout.c	2017-12-28 19:59:43.000000000 +0100
@@ -311,6 +311,7 @@ static void ctnl_untimeout(struct net *n
 	for (i = 0; i < net->ct.htable_size; i++) {
 		spin_lock(&nf_conntrack_locks[i % CONNTRACK_LOCKS]);
 		if (i < net->ct.htable_size) {
+			gmb();
 			hlist_nulls_for_each_entry(h, nn, &net->ct.hash[i], hnnode)
 				untimeout(h, timeout);
 		}
diff -upr linux-3.10.0-693.11.1.el7/net/netlink/af_netlink.c linux-3.10.0-693.11.6.el7/net/netlink/af_netlink.c
--- linux-3.10.0-693.11.1.el7/net/netlink/af_netlink.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/netlink/af_netlink.c	2017-12-28 19:59:43.000000000 +0100
@@ -628,8 +628,10 @@ static bool netlink_dump_space(struct ne
 		return false;

 	n = ring->head + ring->frame_max / 2;
-	if (n > ring->frame_max)
+	if (n > ring->frame_max) {
+		gmb();
 		n -= ring->frame_max;
+	}

 	hdr = __netlink_lookup_frame(ring, n);

diff -upr linux-3.10.0-693.11.1.el7/net/sched/sch_fq_codel.c linux-3.10.0-693.11.6.el7/net/sched/sch_fq_codel.c
--- linux-3.10.0-693.11.1.el7/net/sched/sch_fq_codel.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/sched/sch_fq_codel.c	2017-12-28 19:59:43.000000000 +0100
@@ -640,9 +640,12 @@ static int fq_codel_dump_class_stats(str
 	struct tc_fq_codel_xstats xstats;

 	if (idx < q->flows_cnt) {
-		const struct fq_codel_flow *flow = &q->flows[idx];
-		const struct sk_buff *skb = flow->head;
+		const struct fq_codel_flow *flow;
+		const struct sk_buff *skb;

+		gmb();
+		flow = &q->flows[idx];
+		skb = flow->head;
 		memset(&xstats, 0, sizeof(xstats));
 		xstats.type = TCA_FQ_CODEL_XSTATS_CLASS;
 		xstats.class_stats.deficit = flow->deficit;
diff -upr linux-3.10.0-693.11.1.el7/net/sunrpc/cache.c linux-3.10.0-693.11.6.el7/net/sunrpc/cache.c
--- linux-3.10.0-693.11.1.el7/net/sunrpc/cache.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/sunrpc/cache.c	2017-12-28 19:59:43.000000000 +0100
@@ -433,6 +433,7 @@ static int cache_clean(void)
 		struct cache_head *ch, **cp;
 		struct cache_detail *d;

+		gmb();
 		write_lock(&current_detail->hash_lock);

 		/* Ok, now to clean this strand */
diff -upr linux-3.10.0-693.11.1.el7/net/sunrpc/xdr.c linux-3.10.0-693.11.6.el7/net/sunrpc/xdr.c
--- linux-3.10.0-693.11.1.el7/net/sunrpc/xdr.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/sunrpc/xdr.c	2017-12-28 19:59:43.000000000 +0100
@@ -916,6 +916,7 @@ static unsigned int xdr_align_pages(stru
 	}

 	if (nwords > xdr->nwords) {
+		gmb();
 		nwords = xdr->nwords;
 		len = nwords << 2;
 	}
diff -upr linux-3.10.0-693.11.1.el7/net/vmw_vsock/vmci_transport_notify.c linux-3.10.0-693.11.6.el7/net/vmw_vsock/vmci_transport_notify.c
--- linux-3.10.0-693.11.1.el7/net/vmw_vsock/vmci_transport_notify.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/vmw_vsock/vmci_transport_notify.c	2017-12-28 19:59:43.000000000 +0100
@@ -413,6 +413,7 @@ vmci_transport_notify_pkt_recv_init(
 		PKT_FIELD(vsk, write_notify_min_window) = target + 1;
 		if (PKT_FIELD(vsk, write_notify_window) <
 		    PKT_FIELD(vsk, write_notify_min_window)) {
+			gmb();
 			/* If the current window is smaller than the new
 			 * minimal window size, we need to reevaluate whether
 			 * we need to notify the sender. If the number of ready
diff -upr linux-3.10.0-693.11.1.el7/net/vmw_vsock/vmci_transport_notify_qstate.c linux-3.10.0-693.11.6.el7/net/vmw_vsock/vmci_transport_notify_qstate.c
--- linux-3.10.0-693.11.1.el7/net/vmw_vsock/vmci_transport_notify_qstate.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/net/vmw_vsock/vmci_transport_notify_qstate.c	2017-12-28 19:59:43.000000000 +0100
@@ -221,6 +221,7 @@ vmci_transport_notify_pkt_recv_init(
 		PKT_FIELD(vsk, write_notify_min_window) = target + 1;
 		if (PKT_FIELD(vsk, write_notify_window) <
 		    PKT_FIELD(vsk, write_notify_min_window)) {
+			gmb();
 			/* If the current window is smaller than the new
 			 * minimal window size, we need to reevaluate whether
 			 * we need to notify the sender. If the number of ready
diff -upr linux-3.10.0-693.11.1.el7/security/Kconfig linux-3.10.0-693.11.6.el7/security/Kconfig
--- linux-3.10.0-693.11.1.el7/security/Kconfig	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/security/Kconfig	2017-12-28 19:59:43.000000000 +0100
@@ -48,6 +48,16 @@ config SECURITY_NETWORK
 	  implement socket and networking access controls.
 	  If you are unsure how to answer this question, answer N.

+config KAISER
+	bool "Remove the kernel mapping in user mode"
+	depends on X86_64 && SMP && STOP_MACHINE
+	help
+	  This feature reduces the number of hardware side channels by
+	  ensuring that the majority of kernel addresses are not mapped
+	  into userspace.
+
+	  See Documentation/x86/kaiser.txt for more details.
+
 config SECURITY_NETWORK_XFRM
 	bool "XFRM (IPSec) Networking Security Hooks"
 	depends on XFRM && SECURITY_NETWORK
diff -upr linux-3.10.0-693.11.1.el7/sound/core/pcm_lib.c linux-3.10.0-693.11.6.el7/sound/core/pcm_lib.c
--- linux-3.10.0-693.11.1.el7/sound/core/pcm_lib.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/sound/core/pcm_lib.c	2017-12-28 19:59:43.000000000 +0100
@@ -606,18 +606,22 @@ int snd_interval_refine(struct snd_inter
 	if (snd_BUG_ON(snd_interval_empty(i)))
 		return -EINVAL;
 	if (i->min < v->min) {
+		gmb();
 		i->min = v->min;
 		i->openmin = v->openmin;
 		changed = 1;
 	} else if (i->min == v->min && !i->openmin && v->openmin) {
+		gmb();
 		i->openmin = 1;
 		changed = 1;
 	}
 	if (i->max > v->max) {
+		gmb();
 		i->max = v->max;
 		i->openmax = v->openmax;
 		changed = 1;
 	} else if (i->max == v->max && !i->openmax && v->openmax) {
+		gmb();
 		i->openmax = 1;
 		changed = 1;
 	}
@@ -828,8 +832,10 @@ int snd_interval_ratnum(struct snd_inter
 		else {
 			unsigned int r;
 			r = (den - rats[k].den_min) % rats[k].den_step;
-			if (r != 0)
+			if (r != 0) {
+				gmb();
 				den -= r;
+			}
 		}
 		diff = num - q * den;
 		if (diff < 0)
@@ -869,8 +875,10 @@ int snd_interval_ratnum(struct snd_inter
 		else {
 			unsigned int r;
 			r = (den - rats[k].den_min) % rats[k].den_step;
-			if (r != 0)
+			if (r != 0) {
+				gmb();
 				den += rats[k].den_step - r;
+			}
 		}
 		diff = q * den - num;
 		if (diff < 0)
@@ -943,8 +951,10 @@ static int snd_interval_ratden(struct sn
 		else {
 			unsigned int r;
 			r = (num - rats[k].num_min) % rats[k].num_step;
-			if (r != 0)
+			if (r != 0) {
+				gmb();
 				num += rats[k].num_step - r;
+			}
 		}
 		diff = num - q * den;
 		if (best_num == 0 ||
@@ -975,8 +985,10 @@ static int snd_interval_ratden(struct sn
 		else {
 			unsigned int r;
 			r = (num - rats[k].num_min) % rats[k].num_step;
-			if (r != 0)
+			if (r != 0) {
+				gmb();
 				num -= r;
+			}
 		}
 		diff = q * den - num;
 		if (best_num == 0 ||
@@ -1084,12 +1096,14 @@ int snd_interval_ranges(struct snd_inter
 			continue;

 		if (range.min < range_union.min) {
+			gmb();
 			range_union.min = range.min;
 			range_union.openmin = 1;
 		}
 		if (range.min == range_union.min && !range.openmin)
 			range_union.openmin = 0;
 		if (range.max > range_union.max) {
+			gmb();
 			range_union.max = range.max;
 			range_union.openmax = 1;
 		}
diff -upr linux-3.10.0-693.11.1.el7/sound/pci/emu10k1/emufx.c linux-3.10.0-693.11.6.el7/sound/pci/emu10k1/emufx.c
--- linux-3.10.0-693.11.1.el7/sound/pci/emu10k1/emufx.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/sound/pci/emu10k1/emufx.c	2017-12-28 19:59:43.000000000 +0100
@@ -911,6 +911,7 @@ static int snd_emu10k1_list_controls(str
 		total++;
 		if (icode->gpr_list_controls &&
 		    i < icode->gpr_list_control_count) {
+			gmb();
 			memset(gctl, 0, sizeof(*gctl));
 			id = &ctl->kcontrol->id;
 			gctl->id.iface = id->iface;
diff -upr linux-3.10.0-693.11.1.el7/sound/pci/es1968.c linux-3.10.0-693.11.6.el7/sound/pci/es1968.c
--- linux-3.10.0-693.11.1.el7/sound/pci/es1968.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/sound/pci/es1968.c	2017-12-28 19:59:43.000000000 +0100
@@ -1879,6 +1879,7 @@ static void snd_es1968_update_pcm(struct
 	es->count += diff;

 	if (es->count > es->frag_size) {
+		gmb();
 		spin_unlock(&chip->substream_lock);
 		snd_pcm_period_elapsed(subs);
 		spin_lock(&chip->substream_lock);
diff -upr linux-3.10.0-693.11.1.el7/tools/objtool/builtin-check.c linux-3.10.0-693.11.6.el7/tools/objtool/builtin-check.c
--- linux-3.10.0-693.11.1.el7/tools/objtool/builtin-check.c	2017-10-27 11:14:15.000000000 +0200
+++ linux-3.10.0-693.11.6.el7/tools/objtool/builtin-check.c	2017-12-28 19:59:43.000000000 +0100
@@ -404,7 +404,7 @@ static int add_call_destinations(struct
 			dest_off = insn->offset + insn->len + insn->immediate;
 			insn->call_dest = find_symbol_by_offset(insn->sec,
 								dest_off);
-			if (!insn->call_dest) {
+			if (!insn->call_dest && !insn->visited) {
 				WARN_FUNC("can't find call dest symbol at offset 0x%lx",
 					  insn->sec, insn->offset, dest_off);
 				return -1;