@@ -45,9 +45,9 @@ index af4e581..3547f1f 100644

  return_from_SYSCALL_64:

 +	pax_rand_kstack

 +

- 	RESTORE_EXTRA_REGS

  	TRACE_IRQS_IRETQ		/* we're about to change IF */

+ 	/*

 @@ -449,6 +463,7 @@ ENTRY(ret_from_fork)

  2:

  	movq	%rsp, %rdi

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        4.9.75

-Release:        2%{?dist}

+Release:        3%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -152,9 +152,8 @@ The Linux package contains the Linux kernel doc files

 %patch64 -p1

 %patch65 -p1

 %patch66 -p1

-#not ready yet

-#%patch67 -p1

-#%patch68 -p1

+%patch67 -p1

+%patch68 -p1

 %build

 # patch vmw_balloon driver

@@ -251,7 +250,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

-*   Sun Jan 08 2018 Bo Gan <ganb@vmware.com> 4.9.75-2

+*   Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-3

+-   Second Spectre fix, clear user controlled registers upon syscall entry

+*   Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-2

 -   Initial Spectre fix

 *   Fri Jan 05 2018 Anish Swaminathan <anishs@vmware.com> 4.9.75-1

 -   Version update to 4.9.75

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.75

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Release:        3%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -169,9 +169,6 @@ EOF

 %patch10 -p1

 %patch11 -p1

 %patch12 -p1

-%patch13 -p1

-%patch14 -p1

-%patch15 -p1

 %patch16 -p1

 %patch17 -p1

 %patch19 -p1

@@ -191,6 +188,7 @@ EOF

 %patch34 -p1

 %patch35 -p1

+# spectre

 %patch50 -p1

 %patch51 -p1

 %patch52 -p1

@@ -208,9 +206,13 @@ EOF

 %patch64 -p1

 %patch65 -p1

 %patch66 -p1

-#not ready yet

-#%patch67 -p1

-#%patch68 -p1

+%patch67 -p1

+%patch68 -p1

+

+# secure

+%patch13 -p1

+%patch14 -p1

+%patch15 -p1

 pushd ..

 %patch99 -p0

@@ -337,7 +339,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

-*   Sun Jan 08 2018 Bo Gan <ganb@vmware.com> 4.9.75-2

+*   Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-3

+-   Second Spectre fix, clear user controlled registers upon syscall entry

+*   Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-2

 -   Initial Spectre fix

 *   Fri Jan 05 2018 Bo Gan <ganb@vmware.com> 4.9.75-1

 -   Verion update (fix Intel Meltdown)

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.9.75

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Release:        3%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -195,9 +195,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch64 -p1

 %patch65 -p1

 %patch66 -p1

-#not ready yet

-#%patch67 -p1

-#%patch68 -p1

+%patch67 -p1

+%patch68 -p1

 %if 0%{?kat_build:1}

 %patch1000 -p1

@@ -365,7 +364,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

-*   Sun Jan 08 2018 Bo Gan <ganb@vmware.com> 4.9.75-2

+*   Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-3

+-   Second Spectre fix, clear user controlled registers upon syscall entry

+*   Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-2

 -   Initial Spectre fix

 *   Fri Jan 05 2018 Anish Swaminathan <anishs@vmware.com> 4.9.75-1

 -   Version update to 4.9.75

@@ -12,72 +12,40 @@ for code hygiene.

  arch/x86/entry/entry_64.S | 13 ++++++++++---

  2 files changed, 29 insertions(+), 3 deletions(-)

-diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h

-index 393a5bf..dba5ff7 100644

-+++ b/arch/x86/entry/calling.h

-@@ -156,6 +156,25 @@ For 32-bit we have the following conventions - kernel is built with

- 	popq %rbx

- 	.endm

- 

-+	.macro RESTORE_EXTRA_REGS offset=0

-+	movq 0*8+\offset(%rsp), %r15

-+	movq 1*8+\offset(%rsp), %r14

-+	movq 2*8+\offset(%rsp), %r13

-+	movq 3*8+\offset(%rsp), %r12

-+	movq 4*8+\offset(%rsp), %rbp

-+	movq 5*8+\offset(%rsp), %rbx

-+	UNWIND_HINT_REGS offset=\offset extra=0

-+	.endm

-+

-+	.macro CLEAR_EXTRA_REGS

-+	xorq %r15, %r15

-+	xorq %r14, %r14

-+	xorq %r13, %r13

-+	xorq %r12, %r12

-+	xorq %rbp, %rbp

-+	xorq %rbx, %rbx

-+	.endm

-+

- 	.macro POP_C_REGS

- 	popq %r11

- 	popq %r10

+ Removed arch/x86/entry/calling.h changes, as it's in 4.9 upstream already

+

 diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S

-index e58a78f..f65060a 100644

+index af4e581..9e31419 100644

 --- a/arch/x86/entry/entry_64.S

 +++ b/arch/x86/entry/entry_64.S

-@@ -235,9 +235,16 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)

+@@ -176,7 +176,14 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)

  	pushq	%r9				/* pt_regs->r9 */

  	pushq	%r10				/* pt_regs->r10 */

  	pushq	%r11				/* pt_regs->r11 */

 -	sub	$(6*8), %rsp			/* pt_regs->bp, bx, r12-15 not saved */

 +	sub	$(6*8), %rsp			/* pt_regs->bp, bx, r12-15 not used */

- 	UNWIND_HINT_REGS extra=0

- 

++

 +	/*

 +	 * Clear the unused extra regs for code hygiene.

 +	 * Will restore the callee saved extra regs at end of syscall.

 +	 */

 +	SAVE_EXTRA_REGS

-+	CLEAR_EXTRA_REGS

-+

- 	TRACE_IRQS_OFF

++	ZERO_EXTRA_REGS

- 	STUFF_RSB

-@@ -290,7 +297,9 @@ entry_SYSCALL_64_fastpath:

+ 	/*

+ 	 * If we need to do entry work or if we guess we'll need to do

+@@ -229,6 +236,7 @@ entry_SYSCALL_64_fastpath:

  	TRACE_IRQS_ON		/* user mode is traced as IRQs on */

  	movq	RIP(%rsp), %rcx

  	movq	EFLAGS(%rsp), %r11

 +	RESTORE_EXTRA_REGS

- 	addq	$6*8, %rsp	/* skip extra regs -- they were preserved */

-+

- 	UNWIND_HINT_EMPTY

- 	jmp	.Lpop_c_regs_except_rcx_r11_and_sysret

- 

-@@ -302,14 +311,12 @@ entry_SYSCALL_64_fastpath:

+ 	RESTORE_C_REGS_EXCEPT_RCX_R11

+ 	/*

+ 	 * This opens a window where we have a user CR3, but are

+@@ -249,19 +257,16 @@ entry_SYSCALL_64_fastpath:

  	 */

  	TRACE_IRQS_ON

- 	ENABLE_INTERRUPTS(CLBR_ANY)

+ 	ENABLE_INTERRUPTS(CLBR_NONE)

 -	SAVE_EXTRA_REGS

  	movq	%rsp, %rdi

  	call	syscall_return_slowpath	/* returns with IRQs disabled */

@@ -89,6 +57,28 @@ index e58a78f..f65060a 100644

  	movq	%rsp, %rdi

  	call	do_syscall_64		/* returns with IRQs disabled */

+ return_from_SYSCALL_64:

+-	RESTORE_EXTRA_REGS

+ 	TRACE_IRQS_IRETQ		/* we're about to change IF */

+ 

+ 	/*

+@@ -331,6 +336,7 @@ return_from_SYSCALL_64:

+ 	 * perf profiles. Nothing jumps here.

+ 	 */

+ syscall_return_via_sysret:

++	RESTORE_EXTRA_REGS

+ 	/* rcx and r11 are already restored (see code above) */

+ 	RESTORE_C_REGS_EXCEPT_RCX_R11

+ 	/*

+@@ -354,7 +360,7 @@ opportunistic_sysret_failed:

+ 	 */

+ 	SWITCH_USER_CR3

+ 	SWAPGS

+-	jmp	restore_c_regs_and_iret

++	jmp	restore_regs_and_iret

+ END(entry_SYSCALL_64)

+ 

+ ENTRY(stub_ptregs_64)

 -- 

 2.9.5

@@ -15,11 +15,11 @@ Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>

  2 files changed, 25 insertions(+), 4 deletions(-)

 diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h

-index dba5ff7..b4c6842 100644

+index 9a9e588..1439429 100644

 --- a/arch/x86/entry/calling.h

 +++ b/arch/x86/entry/calling.h

-@@ -156,6 +156,17 @@ For 32-bit we have the following conventions - kernel is built with

- 	popq %rbx

+@@ -129,6 +129,17 @@ For 32-bit we have the following conventions - kernel is built with

+ 	SAVE_C_REGS_HELPER 0, 0, 0, 1, 0

  	.endm

 +	.macro CLEAR_R8_TO_R15

@@ -33,23 +33,33 @@ index dba5ff7..b4c6842 100644

 +	xorq %r8, %r8

 +	.endm

 +

- 	.macro RESTORE_EXTRA_REGS offset=0

- 	movq 0*8+\offset(%rsp), %r15

- 	movq 1*8+\offset(%rsp), %r14

+ 	.macro SAVE_EXTRA_REGS offset=0

+ 	movq %r15, 0*8+\offset(%rsp)

+ 	movq %r14, 1*8+\offset(%rsp)

 diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S

-index 574b599..7951358 100644

+index d76a976..9217245 100644

 --- a/arch/x86/entry/entry_64_compat.S

 +++ b/arch/x86/entry/entry_64_compat.S

-@@ -100,6 +100,8 @@ ENTRY(entry_SYSENTER_compat)

- 

- 	STUFF_RSB

+@@ -88,12 +88,14 @@ ENTRY(entry_SYSENTER_compat)

+ 	pushq   $0			/* pt_regs->r11 = 0 */

+ 	pushq   %rbx                    /* pt_regs->rbx */

+ 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */

+-	pushq   $0			/* pt_regs->r12 = 0 */

+-	pushq   $0			/* pt_regs->r13 = 0 */

+-	pushq   $0			/* pt_regs->r14 = 0 */

+-	pushq   $0			/* pt_regs->r15 = 0 */

++	pushq   %r12                    /* pt_regs->r12 */

++	pushq   %r13                    /* pt_regs->r13 */

++	pushq   %r14                    /* pt_regs->r14 */

++	pushq   %r15                    /* pt_regs->r15 */

+ 	cld

 +	CLEAR_R8_TO_R15

 +

  	/*

  	 * SYSENTER doesn't filter flags, so we need to clear NT and AC

  	 * ourselves.  To save a few cycles, we can check whether

-@@ -218,10 +220,12 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)

+@@ -214,10 +217,12 @@ ENTRY(entry_SYSCALL_compat)

  	pushq   $0			/* pt_regs->r11 = 0 */

  	pushq   %rbx                    /* pt_regs->rbx */

  	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */

@@ -65,11 +75,11 @@ index 574b599..7951358 100644

 +	CLEAR_R8_TO_R15

  	/*

- 	 * We just saved %rdi so it is safe to clobber.  It is not

-@@ -247,6 +251,10 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)

+ 	 * User mode is traced as though IRQs are on, and SYSENTER

+@@ -234,6 +238,10 @@ ENTRY(entry_SYSCALL_compat)

+ 	/* Opportunistic SYSRET */

  sysret32_from_system_call:

  	TRACE_IRQS_ON			/* User mode traces as IRQs on. */

- 	DISABLE_IBRS_CLOBBER

 +	movq    R15(%rsp), %r15         /* pt_regs->r15 */

 +	movq    R14(%rsp), %r14         /* pt_regs->r14 */

 +	movq    R13(%rsp), %r13         /* pt_regs->r13 */

@@ -77,9 +87,9 @@ index 574b599..7951358 100644

  	movq	RBX(%rsp), %rbx		/* pt_regs->rbx */

  	movq	RBP(%rsp), %rbp		/* pt_regs->rbp */

  	movq	EFLAGS(%rsp), %r11	/* pt_regs->flags (in r11) */

-@@ -359,6 +367,8 @@ ENTRY(entry_INT80_compat)

- 

- 	STUFF_RSB

+@@ -331,6 +339,8 @@ ENTRY(entry_INT80_compat)

+ 	pushq   %r15                    /* pt_regs->r15 */

+ 	cld

 +	CLEAR_R8_TO_R15

 +