authorJustin M. Forbes <jforbes@fedoraproject.org>2022-07-22 08:35:09 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2022-07-22 08:35:09 -0500
commit8c1542220ea9e407eccd5ba1550086ea863c415c (patch)
tree5b4cd77762556aa7cfc2b1b2ebb35eb1e672ccde
parentbc7c58aaf5a029a445cccee79f1471e456037f2f (diff)
kernel-5.18.13-200
* Fri Jul 22 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.18.13-0] - um: Add missing apply_returns() (Peter Zijlstra) - x86/bugs: Remove apostrophe typo (Kim Phillips) - tools headers cpufeatures: Sync with the kernel sources (Arnaldo Carvalho de Melo) - tools arch x86: Sync the msr-index.h copy with the kernel sources (Arnaldo Carvalho de Melo) - KVM: emulate: do not adjust size of fastop and setcc subroutines (Paolo Bonzini) - x86/kvm: fix FASTOP_SIZE when return thunks are enabled (Thadeu Lima de Souza Cascardo) - efi/x86: use naked RET on mixed mode call wrapper (Thadeu Lima de Souza Cascardo) - x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current (Nathan Chancellor) - x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit (Jiri Slaby) - fedora: Also enable efifb on aarch64 for Nvidia (Javier Martinez Canillas) - Turn on configs for retbleed (Justin M. Forbes) Resolves: Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r--Patchlist.changelog27
-rw-r--r--kernel-aarch64-debug-fedora.config2
-rw-r--r--kernel-aarch64-fedora.config2
-rw-r--r--kernel-armv7hl-debug-fedora.config2
-rw-r--r--kernel-armv7hl-fedora.config2
-rw-r--r--kernel-armv7hl-lpae-debug-fedora.config2
-rw-r--r--kernel-armv7hl-lpae-fedora.config2
-rw-r--r--kernel-ppc64le-debug-fedora.config2
-rw-r--r--kernel-ppc64le-fedora.config2
-rw-r--r--kernel-s390x-debug-fedora.config2
-rw-r--r--kernel-s390x-fedora.config2
-rwxr-xr-xkernel.spec16
-rw-r--r--patch-5.18-redhat.patch269
-rw-r--r--sources6
14 files changed, 281 insertions, 57 deletions
diff --git a/Patchlist.changelog b/Patchlist.changelog
index 823e52d7d..7e374847f 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,30 @@
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/f014b0b869404c24a955539ae044dae72f639cce
+ f014b0b869404c24a955539ae044dae72f639cce um: Add missing apply_returns()
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/0aabd44e8df94774bcadbd06c88a49257f5b27f3
+ 0aabd44e8df94774bcadbd06c88a49257f5b27f3 x86/bugs: Remove apostrophe typo
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/7095e33ea429177c0b44b7194efeb334af5fd897
+ 7095e33ea429177c0b44b7194efeb334af5fd897 tools headers cpufeatures: Sync with the kernel sources
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/44a6c2ee845e197336ad8993d9369d11a342b9b3
+ 44a6c2ee845e197336ad8993d9369d11a342b9b3 tools arch x86: Sync the msr-index.h copy with the kernel sources
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/d93f9a7a81a4fcfad3c03b2d3aee7f3ce15b73dc
+ d93f9a7a81a4fcfad3c03b2d3aee7f3ce15b73dc KVM: emulate: do not adjust size of fastop and setcc subroutines
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/eda959dfce68b14c64ed2a46be10c3ad190dfec9
+ eda959dfce68b14c64ed2a46be10c3ad190dfec9 x86/kvm: fix FASTOP_SIZE when return thunks are enabled
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/ea3cd1bd63d9f4f574c2859b5b0d8ffabc430bef
+ ea3cd1bd63d9f4f574c2859b5b0d8ffabc430bef efi/x86: use naked RET on mixed mode call wrapper
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/0b667f92cd5ec5d23426696cf698af4464954c8b
+ 0b667f92cd5ec5d23426696cf698af4464954c8b x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/9fb40753adacf689d8bf16ddccafec7a9cb506c0
+ 9fb40753adacf689d8bf16ddccafec7a9cb506c0 x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit
+
"https://gitlab.com/cki-project/kernel-ark/-/commit"/124840092adcbd2b256ecb6ec277d90a52e9ca35
124840092adcbd2b256ecb6ec277d90a52e9ca35 x86/static_call: Serialize __static_call_fixup() properly
diff --git a/kernel-aarch64-debug-fedora.config b/kernel-aarch64-debug-fedora.config
index cdce8b436..62579649d 100644
--- a/kernel-aarch64-debug-fedora.config
+++ b/kernel-aarch64-debug-fedora.config
@@ -2175,7 +2175,7 @@ CONFIG_FAULT_INJECTION=y
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_DA8XX is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
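Review bot: `CONFIG_FB_EFI=y` is switched on here and in the armv7hl, ppc64le and s390x config hunks that follow, while the changelog entry for it reads "Also enable efifb on aarch64 for Nvidia". If the symbol's Kconfig dependencies (not visible on this page) already drop it on platforms without EFI, the extra lines are harmless; otherwise a firmware framebuffer driver is being built into kernels that were not the stated target. Either limit the setting to the aarch64 configs or say in the changelog that it is applied to every non-x86 architecture.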
diff --git a/kernel-aarch64-fedora.config b/kernel-aarch64-fedora.config
index db198b0fd..65ae1a216 100644
--- a/kernel-aarch64-fedora.config
+++ b/kernel-aarch64-fedora.config
@@ -2159,7 +2159,7 @@ CONFIG_FAT_KUNIT_TEST=m
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_DA8XX is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-armv7hl-debug-fedora.config b/kernel-armv7hl-debug-fedora.config
index 7d4e150a0..f25f5d806 100644
--- a/kernel-armv7hl-debug-fedora.config
+++ b/kernel-armv7hl-debug-fedora.config
@@ -2205,7 +2205,7 @@ CONFIG_FAULT_INJECTION=y
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_DA8XX is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-armv7hl-fedora.config b/kernel-armv7hl-fedora.config
index c13684cb3..286f95eec 100644
--- a/kernel-armv7hl-fedora.config
+++ b/kernel-armv7hl-fedora.config
@@ -2190,7 +2190,7 @@ CONFIG_FAT_KUNIT_TEST=m
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_DA8XX is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-armv7hl-lpae-debug-fedora.config b/kernel-armv7hl-lpae-debug-fedora.config
index 85a6e9670..c319292d4 100644
--- a/kernel-armv7hl-lpae-debug-fedora.config
+++ b/kernel-armv7hl-lpae-debug-fedora.config
@@ -2159,7 +2159,7 @@ CONFIG_FAULT_INJECTION=y
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_DA8XX is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-armv7hl-lpae-fedora.config b/kernel-armv7hl-lpae-fedora.config
index f47fc61be..c53ef7b43 100644
--- a/kernel-armv7hl-lpae-fedora.config
+++ b/kernel-armv7hl-lpae-fedora.config
@@ -2144,7 +2144,7 @@ CONFIG_FAT_KUNIT_TEST=m
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_DA8XX is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-ppc64le-debug-fedora.config b/kernel-ppc64le-debug-fedora.config
index 1bbe70639..8500a9bbd 100644
--- a/kernel-ppc64le-debug-fedora.config
+++ b/kernel-ppc64le-debug-fedora.config
@@ -1724,7 +1724,7 @@ CONFIG_FAULT_INJECTION=y
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-ppc64le-fedora.config b/kernel-ppc64le-fedora.config
index 2d4c8e193..e81554a49 100644
--- a/kernel-ppc64le-fedora.config
+++ b/kernel-ppc64le-fedora.config
@@ -1707,7 +1707,7 @@ CONFIG_FAT_KUNIT_TEST=m
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-s390x-debug-fedora.config b/kernel-s390x-debug-fedora.config
index 4d0bd2def..9ec3896b9 100644
--- a/kernel-s390x-debug-fedora.config
+++ b/kernel-s390x-debug-fedora.config
@@ -1733,7 +1733,7 @@ CONFIG_FAULT_INJECTION=y
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel-s390x-fedora.config b/kernel-s390x-fedora.config
index c423eb7c7..fdd0887a4 100644
--- a/kernel-s390x-fedora.config
+++ b/kernel-s390x-fedora.config
@@ -1716,7 +1716,7 @@ CONFIG_FAT_KUNIT_TEST=m
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_CYBER2000 is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_HYPERV is not set
# CONFIG_FB_I740 is not set
diff --git a/kernel.spec b/kernel.spec
index 32c677d19..cddbe3275 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -122,11 +122,11 @@ Summary: The Linux kernel
# the --with-release option overrides this setting.)
%define debugbuildsenabled 1
# define buildid .local
-%define specversion 5.18.11
+%define specversion 5.18.13
%define patchversion 5.18
%define pkgrelease 200
%define kversion 5
-%define tarfile_release 5.18.11
+%define tarfile_release 5.18.13
# This is needed to do merge window version magic
%define patchlevel 18
# allow pkg_release to have configurable %%{?dist} tag
@@ -3034,7 +3034,17 @@ fi
#
#
%changelog
-* Tue Jul 12 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.18.11-200]
+* Fri Jul 22 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.18.13-0]
+- um: Add missing apply_returns() (Peter Zijlstra)
+- x86/bugs: Remove apostrophe typo (Kim Phillips)
+- tools headers cpufeatures: Sync with the kernel sources (Arnaldo Carvalho de Melo)
+- tools arch x86: Sync the msr-index.h copy with the kernel sources (Arnaldo Carvalho de Melo)
+- KVM: emulate: do not adjust size of fastop and setcc subroutines (Paolo Bonzini)
+- x86/kvm: fix FASTOP_SIZE when return thunks are enabled (Thadeu Lima de Souza Cascardo)
+- efi/x86: use naked RET on mixed mode call wrapper (Thadeu Lima de Souza Cascardo)
+- x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current (Nathan Chancellor)
+- x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit (Jiri Slaby)
+- fedora: Also enable efifb on aarch64 for Nvidia (Javier Martinez Canillas)
- Turn on configs for retbleed (Justin M. Forbes)
* Tue Jul 12 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.18.11-0]
diff --git a/patch-5.18-redhat.patch b/patch-5.18-redhat.patch
index 522818b55..9cbca1cfa 100644
--- a/patch-5.18-redhat.patch
+++ b/patch-5.18-redhat.patch
@@ -5,6 +5,7 @@
arch/s390/include/asm/ipl.h | 1 +
arch/s390/kernel/ipl.c | 5 +
arch/s390/kernel/setup.c | 4 +
+ arch/um/kernel/um_arch.c | 4 +
arch/x86/Kconfig | 103 ++++-
arch/x86/Makefile | 6 +
arch/x86/boot/header.S | 4 +
@@ -22,7 +23,7 @@
arch/x86/include/asm/efi.h | 5 +
arch/x86/include/asm/linkage.h | 8 +
arch/x86/include/asm/msr-index.h | 13 +
- arch/x86/include/asm/nospec-branch.h | 68 ++-
+ arch/x86/include/asm/nospec-branch.h | 69 ++-
arch/x86/include/asm/static_call.h | 19 +-
arch/x86/include/asm/traps.h | 2 +-
arch/x86/include/asm/unwind_hints.h | 14 +-
@@ -35,6 +36,7 @@
arch/x86/kernel/cpu/hygon.c | 6 +
arch/x86/kernel/cpu/scattered.c | 1 +
arch/x86/kernel/ftrace.c | 7 +-
+ arch/x86/kernel/head_32.S | 1 +
arch/x86/kernel/head_64.S | 5 +
arch/x86/kernel/module.c | 8 +-
arch/x86/kernel/process.c | 2 +-
@@ -44,7 +46,7 @@
arch/x86/kernel/static_call.c | 51 ++-
arch/x86/kernel/traps.c | 19 +-
arch/x86/kernel/vmlinux.lds.S | 9 +-
- arch/x86/kvm/emulate.c | 28 +-
+ arch/x86/kvm/emulate.c | 35 +-
arch/x86/kvm/svm/vmenter.S | 18 +
arch/x86/kvm/vmx/capabilities.h | 4 +-
arch/x86/kvm/vmx/nested.c | 2 +-
@@ -58,6 +60,7 @@
arch/x86/lib/retpoline.S | 79 +++-
arch/x86/mm/mem_encrypt_boot.S | 10 +-
arch/x86/net/bpf_jit_comp.c | 26 +-
+ arch/x86/platform/efi/efi_thunk_64.S | 5 +-
arch/x86/xen/setup.c | 6 +-
arch/x86/xen/xen-asm.S | 30 +-
arch/x86/xen/xen-head.S | 1 +
@@ -105,7 +108,9 @@
security/lockdown/Kconfig | 13 +
security/lockdown/lockdown.c | 1 +
security/security.c | 6 +
- tools/arch/x86/include/asm/msr-index.h | 9 +
+ tools/arch/x86/include/asm/cpufeatures.h | 12 +-
+ tools/arch/x86/include/asm/disabled-features.h | 21 +-
+ tools/arch/x86/include/asm/msr-index.h | 13 +
tools/include/linux/objtool.h | 9 +-
tools/objtool/arch/x86/decode.c | 5 +
tools/objtool/builtin-check.c | 4 +-
@@ -116,7 +121,7 @@
tools/objtool/include/objtool/elf.h | 1 +
tools/objtool/include/objtool/objtool.h | 1 +
tools/objtool/objtool.c | 1 +
- 118 files changed, 2609 insertions(+), 614 deletions(-)
+ 123 files changed, 2656 insertions(+), 622 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index c4893782055b..eb92195ca015 100644
@@ -162,7 +167,7 @@ index c4893782055b..eb92195ca015 100644
Not specifying this option is equivalent to
spectre_v2=auto.
diff --git a/Makefile b/Makefile
-index 323032d60ac3..bbb113602cc8 100644
+index 1f3c753cb28d..89ed649fae1b 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
@@ -260,6 +265,21 @@ index 2cef49983e9e..c50998b4b554 100644
/* Have one command line that is parsed and saved in /proc/cmdline */
/* boot_command_line has been already set up in early.c */
*cmdline_p = boot_command_line;
+diff --git a/arch/um/kernel/um_arch.c b/arch/um/kernel/um_arch.c
+index 0760e24f2eba..9838967d0b2f 100644
+--- a/arch/um/kernel/um_arch.c
++++ b/arch/um/kernel/um_arch.c
+@@ -432,6 +432,10 @@ void apply_retpolines(s32 *start, s32 *end)
+ {
+ }
+
++void apply_returns(s32 *start, s32 *end)
++{
++}
++
+ void apply_alternatives(struct alt_instr *start, struct alt_instr *end)
+ {
+ }
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index b2c65f573353..4d1d87f76a74 100644
--- a/arch/x86/Kconfig
@@ -1148,10 +1168,18 @@ index 4425d6773183..ad084326f24c 100644
#define MSR_F16H_L2I_PERF_CTL 0xc0010230
#define MSR_F16H_L2I_PERF_CTR 0xc0010231
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index da251a5645b0..bb05ed4f46bd 100644
+index da251a5645b0..10a3bfc1eb23 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -75,6 +75,23 @@
+@@ -11,6 +11,7 @@
+ #include <asm/cpufeatures.h>
+ #include <asm/msr-index.h>
+ #include <asm/unwind_hints.h>
++#include <asm/percpu.h>
+
+ #define RETPOLINE_THUNK_SIZE 32
+
+@@ -75,6 +76,23 @@
.popsection
.endm
@@ -1175,7 +1203,7 @@ index da251a5645b0..bb05ed4f46bd 100644
/*
* JMP_NOSPEC and CALL_NOSPEC macros can be used instead of a simple
* indirect jmp/call which may be susceptible to the Spectre variant 2
-@@ -105,10 +122,34 @@
+@@ -105,10 +123,34 @@
* monstrosity above, manually.
*/
.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
@@ -1211,7 +1239,7 @@ index da251a5645b0..bb05ed4f46bd 100644
#endif
.endm
-@@ -120,17 +161,20 @@
+@@ -120,17 +162,20 @@
_ASM_PTR " 999b\n\t" \
".popsection\n\t"
@@ -1236,7 +1264,7 @@ index da251a5645b0..bb05ed4f46bd 100644
#ifdef CONFIG_X86_64
/*
-@@ -193,6 +237,7 @@ enum spectre_v2_mitigation {
+@@ -193,6 +238,7 @@ enum spectre_v2_mitigation {
SPECTRE_V2_EIBRS,
SPECTRE_V2_EIBRS_RETPOLINE,
SPECTRE_V2_EIBRS_LFENCE,
@@ -1244,17 +1272,17 @@ index da251a5645b0..bb05ed4f46bd 100644
};
/* The indirect branch speculation control variants */
-@@ -235,6 +280,9 @@ static inline void indirect_branch_prediction_barrier(void)
+@@ -235,6 +281,9 @@ static inline void indirect_branch_prediction_barrier(void)
/* The Intel SPEC CTRL MSR base value cache */
extern u64 x86_spec_ctrl_base;
-+extern u64 x86_spec_ctrl_current;
++DECLARE_PER_CPU(u64, x86_spec_ctrl_current);
+extern void write_spec_ctrl_current(u64 val, bool force);
+extern u64 spec_ctrl_current(void);
/*
* With retpoline, we must use IBRS to restrict branch prediction
-@@ -244,18 +292,16 @@ extern u64 x86_spec_ctrl_base;
+@@ -244,18 +293,16 @@ extern u64 x86_spec_ctrl_base;
*/
#define firmware_restrict_branch_speculation_start() \
do { \
@@ -1564,7 +1592,7 @@ index 0c0b09796ced..35d5288394cb 100644
}
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index a8a9f6406331..f6dfa26ed88b 100644
+index a8a9f6406331..0b64e894b383 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -38,6 +38,8 @@
@@ -1948,7 +1976,7 @@ index a8a9f6406331..f6dfa26ed88b 100644
+ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {
+ if (mode != SPECTRE_V2_USER_STRICT &&
+ mode != SPECTRE_V2_USER_STRICT_PREFERRED)
-+ pr_info("Selecting STIBP always-on mode to complement retbleed mitigation'\n");
++ pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");
+ mode = SPECTRE_V2_USER_STRICT_PREFERRED;
+ }
+
@@ -2451,6 +2479,18 @@ index 1e31c7d21597..6892ca67d9c6 100644
/* No need to test direct calls on created trampolines */
if (ops->flags & FTRACE_OPS_FL_SAVE_REGS) {
+diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
+index eb8656bac99b..9b7acc9c7874 100644
+--- a/arch/x86/kernel/head_32.S
++++ b/arch/x86/kernel/head_32.S
+@@ -23,6 +23,7 @@
+ #include <asm/cpufeatures.h>
+ #include <asm/percpu.h>
+ #include <asm/nops.h>
++#include <asm/nospec-branch.h>
+ #include <asm/bootparam.h>
+ #include <asm/export.h>
+ #include <asm/pgtable_32.h>
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index b8e3019547a5..3178fd81f93f 100644
--- a/arch/x86/kernel/head_64.S
@@ -2898,10 +2938,36 @@ index 7fda7f27e762..071faf2c8a77 100644
#ifdef CONFIG_X86_KERNEL_IBT
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 89b11e7dca8a..db96bf7d1122 100644
+index 89b11e7dca8a..f8382abe22ff 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
-@@ -325,13 +325,15 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
+@@ -189,9 +189,6 @@
+ #define X8(x...) X4(x), X4(x)
+ #define X16(x...) X8(x), X8(x)
+
+-#define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
+-#define FASTOP_SIZE (8 * (1 + HAS_KERNEL_IBT))
+-
+ struct opcode {
+ u64 flags;
+ u8 intercept;
+@@ -306,9 +303,15 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
+ * Moreover, they are all exactly FASTOP_SIZE bytes long, so functions for
+ * different operand sizes can be reached by calculation, rather than a jump
+ * table (which would be bigger than the code).
++ *
++ * The 16 byte alignment, considering 5 bytes for the RET thunk, 3 for ENDBR
++ * and 1 for the straight line speculation INT3, leaves 7 bytes for the
++ * body of the function. Currently none is larger than 4.
+ */
+ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
+
++#define FASTOP_SIZE 16
++
+ #define __FOP_FUNC(name) \
+ ".align " __stringify(FASTOP_SIZE) " \n\t" \
+ ".type " name ", @function \n\t" \
+@@ -325,13 +328,15 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
#define FOP_RET(name) \
__FOP_RET(#name)
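Review bot: With `FASTOP_SIZE` hard-coded to 16, nothing at build time checks that each fastop stub still fits its slot; the byte budget in the new comment (5 for the RET thunk, 3 for ENDBR, 1 for INT3, 7 for the body) is prose only. The existing comment says stubs for different operand sizes are reached by calculation rather than a jump table, so a stub that outgrew 16 bytes would shift the following ones off their computed offsets and the emulator would branch to the wrong place. The later hunk at `@@ -435,17 +440,12 @@` does the same for `SETCC_ALIGN` and drops `static_assert(SETCC_LENGTH <= SETCC_ALIGN);` without a replacement. Consider keeping a build-time size check for both tables, or at least a comment beside each constant such as `/* stubs are indexed in multiples of this; re-check the byte budget when the RET/ENDBR/SLS sequences change */`. The macro definitions continue outside this hunk.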
@@ -2919,7 +2985,7 @@ index 89b11e7dca8a..db96bf7d1122 100644
#define FOP_END \
".popsection")
-@@ -435,16 +437,15 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
+@@ -435,17 +440,12 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop);
/*
* Depending on .config the SETcc functions look like:
*
@@ -2937,14 +3003,12 @@ index 89b11e7dca8a..db96bf7d1122 100644
*/
-#define SETCC_LENGTH (ENDBR_INSN_SIZE + 4 + IS_ENABLED(CONFIG_SLS))
-#define SETCC_ALIGN (4 << IS_ENABLED(CONFIG_SLS) << HAS_KERNEL_IBT)
-+#define RET_LENGTH (1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \
-+ IS_ENABLED(CONFIG_SLS))
-+#define SETCC_LENGTH (ENDBR_INSN_SIZE + 3 + RET_LENGTH)
-+#define SETCC_ALIGN (4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1))
- static_assert(SETCC_LENGTH <= SETCC_ALIGN);
+-static_assert(SETCC_LENGTH <= SETCC_ALIGN);
++#define SETCC_ALIGN 16
#define FOP_SETCC(op) \
-@@ -453,9 +454,10 @@ static_assert(SETCC_LENGTH <= SETCC_ALIGN);
+ ".align " __stringify(SETCC_ALIGN) " \n\t" \
+@@ -453,9 +453,10 @@ static_assert(SETCC_LENGTH <= SETCC_ALIGN);
#op ": \n\t" \
ASM_ENDBR \
#op " %al \n\t" \
@@ -3498,10 +3562,10 @@ index 5e7f41225780..5cfc49ddb1b4 100644
asmlinkage void vmread_error(unsigned long field, bool fault);
__attribute__((regparm(0))) void vmread_error_trampoline(unsigned long field,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 558d1f2ab5b4..9caa902f0de1 100644
+index 828f5cf1af45..53b6fdf30c99 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -12531,9 +12531,9 @@ void kvm_arch_end_assignment(struct kvm *kvm)
+@@ -12533,9 +12533,9 @@ void kvm_arch_end_assignment(struct kvm *kvm)
}
EXPORT_SYMBOL_GPL(kvm_arch_end_assignment);
@@ -3716,6 +3780,29 @@ index 4c71fa04e784..2dab2816b3f7 100644
/* Make sure the trampoline generation logic doesn't overflow */
if (WARN_ON_ONCE(prog > (u8 *)image_end - BPF_INSN_SAFETY)) {
ret = -EFAULT;
+diff --git a/arch/x86/platform/efi/efi_thunk_64.S b/arch/x86/platform/efi/efi_thunk_64.S
+index 854dd81804b7..bc740a7c438c 100644
+--- a/arch/x86/platform/efi/efi_thunk_64.S
++++ b/arch/x86/platform/efi/efi_thunk_64.S
+@@ -23,6 +23,7 @@
+ #include <linux/objtool.h>
+ #include <asm/page_types.h>
+ #include <asm/segment.h>
++#include <asm/nospec-branch.h>
+
+ .text
+ .code64
+@@ -75,7 +76,9 @@ STACK_FRAME_NON_STANDARD __efi64_thunk
+ 1: movq 0x20(%rsp), %rsp
+ pop %rbx
+ pop %rbp
+- RET
++ ANNOTATE_UNRET_SAFE
++ ret
++ int3
+
+ .code32
+ 2: pushl $__KERNEL_CS
diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
index 81aa46f770c5..cfa99e8f054b 100644
--- a/arch/x86/xen/setup.c
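Review bot: The `ANNOTATE_UNRET_SAFE` / `ret` / `int3` sequence that replaces `RET` at the end of `__efi64_thunk` has no comment saying why this one return bypasses the return thunk, so a later cleanup could easily turn it back into `RET`. A line above the annotation such as `/* naked ret is intentional here, see "efi/x86: use naked RET on mixed mode call wrapper" */` would record the intent. The `int3` after `ret` presumably stands in for the straight-line-speculation stop that the `RET` macro would otherwise provide; say so in the same comment if that is the case. The rest of `__efi64_thunk` lies outside the hunk.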
@@ -3830,7 +3917,7 @@ index caa9bc2fa100..6b4fdf6b9542 100644
#endif /* CONFIG_IA32_EMULATION */
diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
-index 3a2cd93bf059..fa884fc73e07 100644
+index 13af6fe453e3..ffaa62167f6e 100644
--- a/arch/x86/xen/xen-head.S
+++ b/arch/x86/xen/xen-head.S
@@ -26,6 +26,7 @@ SYM_CODE_START(hypercall_page)
@@ -4559,7 +4646,7 @@ index 000000000000..de0a3714a5d4
+ }
+}
diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c
-index 2bfbb05f7d89..a504f7234f35 100644
+index 1f276f108cc9..7039ad9bdf7f 100644
--- a/drivers/firmware/sysfb.c
+++ b/drivers/firmware/sysfb.c
@@ -34,6 +34,22 @@
@@ -4582,18 +4669,18 @@ index 2bfbb05f7d89..a504f7234f35 100644
+}
+early_param("nvidia-drm.modeset", simpledrm_disable);
+
- static __init int sysfb_init(void)
- {
- struct screen_info *si = &screen_info;
-@@ -45,7 +61,7 @@ static __init int sysfb_init(void)
+ static struct platform_device *pd;
+ static DEFINE_MUTEX(disable_lock);
+ static bool disabled;
+@@ -83,7 +99,7 @@ static __init int sysfb_init(void)
/* try to create a simple-framebuffer device */
compatible = sysfb_parse_mode(si, &mode);
- if (compatible) {
+ if (compatible && !skip_simpledrm) {
- ret = sysfb_create_simplefb(si, &mode);
- if (!ret)
- return 0;
+ pd = sysfb_create_simplefb(si, &mode);
+ if (!IS_ERR(pd))
+ goto unlock_mutex;
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index 6c9e6e7f0afd..f0ff2f1f5fcb 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
@@ -5121,7 +5208,7 @@ index 857d4c2fd1a2..9353941f3a97 100644
* Changes the default domain of an iommu group that has *only* one device
*
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
-index a2862a56fadc..1cddbc757925 100644
+index c9831daafbc6..5c4bb1e9ba0a 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -240,6 +240,9 @@ static void nvme_delete_ctrl_sync(struct nvme_ctrl *ctrl)
@@ -5235,10 +5322,10 @@ index d464fdf978fb..acdaab3d7697 100644
if (!ctrl->max_namespaces ||
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
-index a2b53ca63335..021e51c64cde 100644
+index 337ae1e3ad25..727cc7fb542e 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
-@@ -800,6 +800,7 @@ void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys);
+@@ -801,6 +801,7 @@ void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys);
void nvme_mpath_start_freeze(struct nvme_subsystem *subsys);
void nvme_mpath_default_iopolicy(struct nvme_subsystem *subsys);
void nvme_failover_req(struct request *req);
@@ -5246,7 +5333,7 @@ index a2b53ca63335..021e51c64cde 100644
void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl);
int nvme_mpath_alloc_disk(struct nvme_ctrl *ctrl,struct nvme_ns_head *head);
void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id);
-@@ -836,6 +837,9 @@ static inline bool nvme_ctrl_use_ana(struct nvme_ctrl *ctrl)
+@@ -837,6 +838,9 @@ static inline bool nvme_ctrl_use_ana(struct nvme_ctrl *ctrl)
static inline void nvme_failover_req(struct request *req)
{
}
@@ -5695,8 +5782,90 @@ index aaf6566deb9f..86926966c15d 100644
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
+diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
+index e17de69faa54..5d09ded0c491 100644
+--- a/tools/arch/x86/include/asm/cpufeatures.h
++++ b/tools/arch/x86/include/asm/cpufeatures.h
+@@ -203,8 +203,8 @@
+ #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
+ /* FREE! ( 7*32+10) */
+ #define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */
+-#define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
+-#define X86_FEATURE_RETPOLINE_LFENCE ( 7*32+13) /* "" Use LFENCE for Spectre variant 2 */
++#define X86_FEATURE_KERNEL_IBRS ( 7*32+12) /* "" Set/clear IBRS on kernel entry/exit */
++#define X86_FEATURE_RSB_VMEXIT ( 7*32+13) /* "" Fill RSB on VM-Exit */
+ #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */
+ #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */
+ #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
+@@ -295,6 +295,12 @@
+ #define X86_FEATURE_PER_THREAD_MBA (11*32+ 7) /* "" Per-thread Memory Bandwidth Allocation */
+ #define X86_FEATURE_SGX1 (11*32+ 8) /* "" Basic SGX */
+ #define X86_FEATURE_SGX2 (11*32+ 9) /* "" SGX Enclave Dynamic Memory Management (EDMM) */
++#define X86_FEATURE_ENTRY_IBPB (11*32+10) /* "" Issue an IBPB on kernel entry */
++#define X86_FEATURE_RRSBA_CTRL (11*32+11) /* "" RET prediction control */
++#define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
++#define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */
++#define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */
++#define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+@@ -315,6 +321,7 @@
+ #define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */
+ #define X86_FEATURE_AMD_SSB_NO (13*32+26) /* "" Speculative Store Bypass is fixed in hardware. */
+ #define X86_FEATURE_CPPC (13*32+27) /* Collaborative Processor Performance Control */
++#define X86_FEATURE_BTC_NO (13*32+29) /* "" Not vulnerable to Branch Type Confusion */
+
+ /* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */
+ #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
+@@ -444,5 +451,6 @@
+ #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
+ #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
+ #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
++#define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */
+
+ #endif /* _ASM_X86_CPUFEATURES_H */
+diff --git a/tools/arch/x86/include/asm/disabled-features.h b/tools/arch/x86/include/asm/disabled-features.h
+index 1231d63f836d..f7be189e9723 100644
+--- a/tools/arch/x86/include/asm/disabled-features.h
++++ b/tools/arch/x86/include/asm/disabled-features.h
+@@ -56,6 +56,25 @@
+ # define DISABLE_PTI (1 << (X86_FEATURE_PTI & 31))
+ #endif
+
++#ifdef CONFIG_RETPOLINE
++# define DISABLE_RETPOLINE 0
++#else
++# define DISABLE_RETPOLINE ((1 << (X86_FEATURE_RETPOLINE & 31)) | \
++ (1 << (X86_FEATURE_RETPOLINE_LFENCE & 31)))
++#endif
++
++#ifdef CONFIG_RETHUNK
++# define DISABLE_RETHUNK 0
++#else
++# define DISABLE_RETHUNK (1 << (X86_FEATURE_RETHUNK & 31))
++#endif
++
++#ifdef CONFIG_CPU_UNRET_ENTRY
++# define DISABLE_UNRET 0
++#else
++# define DISABLE_UNRET (1 << (X86_FEATURE_UNRET & 31))
++#endif
++
+ #ifdef CONFIG_INTEL_IOMMU_SVM
+ # define DISABLE_ENQCMD 0
+ #else
+@@ -82,7 +101,7 @@
+ #define DISABLED_MASK8 0
+ #define DISABLED_MASK9 (DISABLE_SMAP|DISABLE_SGX)
+ #define DISABLED_MASK10 0
+-#define DISABLED_MASK11 0
++#define DISABLED_MASK11 (DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET)
+ #define DISABLED_MASK12 0
+ #define DISABLED_MASK13 0
+ #define DISABLED_MASK14 0
diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h
-index 4425d6773183..8a0a53cf360d 100644
+index 4425d6773183..ad084326f24c 100644
--- a/tools/arch/x86/include/asm/msr-index.h
+++ b/tools/arch/x86/include/asm/msr-index.h
@@ -51,6 +51,8 @@
@@ -5708,7 +5877,15 @@ index 4425d6773183..8a0a53cf360d 100644
#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
#define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */
-@@ -138,6 +140,13 @@
+@@ -91,6 +93,7 @@
+ #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
+ #define ARCH_CAP_RDCL_NO BIT(0) /* Not susceptible to Meltdown */
+ #define ARCH_CAP_IBRS_ALL BIT(1) /* Enhanced IBRS support */
++#define ARCH_CAP_RSBA BIT(2) /* RET may use alternative branch predictors */
+ #define ARCH_CAP_SKIP_VMENTRY_L1DFLUSH BIT(3) /* Skip L1D flush on vmentry */
+ #define ARCH_CAP_SSB_NO BIT(4) /*
+ * Not susceptible to Speculative Store Bypass
+@@ -138,6 +141,13 @@
* bit available to control VERW
* behavior.
*/
@@ -5722,6 +5899,16 @@ index 4425d6773183..8a0a53cf360d 100644
#define MSR_IA32_FLUSH_CMD 0x0000010b
#define L1D_FLUSH BIT(0) /*
+@@ -552,6 +562,9 @@
+ /* Fam 17h MSRs */
+ #define MSR_F17H_IRPERF 0xc00000e9
+
++#define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
++#define MSR_ZEN2_SPECTRAL_CHICKEN_BIT BIT_ULL(1)
++
+ /* Fam 16h MSRs */
+ #define MSR_F16H_L2I_PERF_CTL 0xc0010230
+ #define MSR_F16H_L2I_PERF_CTR 0xc0010231
diff --git a/tools/include/linux/objtool.h b/tools/include/linux/objtool.h
index c81ea2264ad8..376110ead758 100644
--- a/tools/include/linux/objtool.h
diff --git a/sources b/sources
index c194b0105..b42703832 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.18.11.tar.xz) = 86d9e65efe242e5bc612c28f1164211805f18dfef08266d4fe6a8d7d41fa42fa4e7be124778c31a792b4c59a523612906933f6fc84c0a0528825adcd559a989e
-SHA512 (kernel-abi-stablelists-5.18.11-200.tar.bz2) = 287bb744000091a7a5b65500bf70765c1d05b0f5e6ecd3d3a302fceddf0264a354844e6d969c8b34b2f96a3222e44c99c80bf13c5a0a99ef9a9f8a2678a6ce21
-SHA512 (kernel-kabi-dw-5.18.11-200.tar.bz2) = 2cdaae4c18d710ae130e7ce660e8e69ac9f4da297039a844c1c6b6068ac0a7bcea4b9b58e884488ce1fb91c14e43165e25f271b0f5d5591db5e7eab9e578d0b2
+SHA512 (linux-5.18.13.tar.xz) = b5d026d72078c27cc66299a3df1e7ea9dfee3936d9c9c91e3ca7ea9c5ca981e41c67d60c0d8872669a16005fc7e28955e2e7048d3894cd63155749ef9247b348
+SHA512 (kernel-abi-stablelists-5.18.13-200.tar.bz2) = cb25a3b33edc3148fd018456d13706a958fbad533b7429f086acce334034654ab4b770d08e4cef3fc71f98cb42d53ebadeb6d6fe102c304c462542438dc35b16
+SHA512 (kernel-kabi-dw-5.18.13-200.tar.bz2) = 0b9d8a8ec265a266b4689d25a900d5adccf7b8fdd98371677a273b5305bf363c4f0b7afa10bd5c14370c2ceeee17bd44670e7105970fb03e8bdb92e89362df0c