diff --git a/SOURCES/Makefile.common b/SOURCES/Makefile.common
index 22b7231..a089ccd 100644
--- a/SOURCES/Makefile.common
+++ b/SOURCES/Makefile.common
@@ -9,7 +9,7 @@ RPMVERSION:=3.10.0
 # marker is git tag which we base off of for exporting patches
 MARKER:=v3.10
 PREBUILD:=
-BUILD:=957.12.2
+BUILD:=957.21.2
 DIST:=.el7
 SPECFILE:=kernel.spec
 RPM:=$(REDHAT)/rpm
diff --git a/SOURCES/patch-i686-fpu-issues-v4-8_0.patch b/SOURCES/patch-i686-fpu-issues-v4-8_0.patch
new file mode 100644
index 0000000..4b86998
--- /dev/null
+++ b/SOURCES/patch-i686-fpu-issues-v4-8_0.patch
@@ -0,0 +1,85 @@
+diff -Naurp a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+--- a/arch/x86/kernel/cpu/bugs.c	2018-08-10 13:17:43.000000000 -0300
++++ b/arch/x86/kernel/cpu/bugs.c	2018-08-15 07:09:24.365615125 -0300
+@@ -26,6 +26,70 @@
+ #include <linux/prctl.h>
+ #include <linux/sched/smt.h>
+ 
++static int __init no_387(char *s)
++{
++	boot_cpu_data.hard_math = 0;
++	write_cr0(X86_CR0_TS | X86_CR0_EM | X86_CR0_MP | read_cr0());
++	return 1;
++}
++
++__setup("no387", no_387);
++
++static double __initdata x = 4195835.0;
++static double __initdata y = 3145727.0;
++
++/*
++ * This used to check for exceptions..
++ * However, it turns out that to support that,
++ * the XMM trap handlers basically had to
++ * be buggy. So let's have a correct XMM trap
++ * handler, and forget about printing out
++ * some status at boot.
++ *
++ * We should really only care about bugs here
++ * anyway. Not features.
++ */
++static void __init check_fpu(void)
++{
++	s32 fdiv_bug;
++
++	if (!boot_cpu_data.hard_math) {
++#ifndef CONFIG_MATH_EMULATION
++		pr_emerg("No coprocessor found and no math emulation present\n");
++		pr_emerg("Giving up\n");
++		for (;;) ;
++#endif
++		return;
++	}
++
++	kernel_fpu_begin();
++
++	/*
++	 * trap_init() enabled FXSR and company _before_ testing for FP
++	 * problems here.
++	 *
++	 * Test for the divl bug: http://en.wikipedia.org/wiki/Fdiv_bug
++	 */
++	__asm__("fninit\n\t"
++		"fldl %1\n\t"
++		"fdivl %2\n\t"
++		"fmull %2\n\t"
++		"fldl %1\n\t"
++		"fsubp %%st,%%st(1)\n\t"
++		"fistpl %0\n\t"
++		"fwait\n\t"
++		"fninit"
++		: "=m" (*&fdiv_bug)
++		: "m" (*&x), "m" (*&y));
++
++	kernel_fpu_end();
++
++	if (fdiv_bug) {
++		set_cpu_bug(&boot_cpu_data, X86_BUG_FDIV);
++		pr_warn("Hmm, FPU with FDIV bug\n");
++	}
++}
++
+ static void __init spectre_v2_select_mitigation(void);
+ static void __init ssb_parse_cmdline(void);
+ void ssb_select_mitigation(void);
+@@ -758,8 +822,10 @@ static ssize_t cpu_show_common(struct de
+ 
+ 	switch (bug) {
+ 	case X86_BUG_CPU_MELTDOWN:
++#ifdef CONFIG_KAISER
+ 		if (kaiser_enabled)
+ 			return sprintf(buf, "Mitigation: PTI\n");
++#endif
+ 
+ 		break;
+ 
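Review bot: The `#ifdef CONFIG_KAISER` guard added around the `kaiser_enabled` test in `cpu_show_common()` has no comment saying what a build without KAISER reports for Meltdown. With the option unset, the `X86_BUG_CPU_MELTDOWN` case goes straight to `break`, so the sysfs file presumably shows whatever generic string follows the switch, which is outside this hunk. A comment above the guard such as `/* KAISER/PTI not built in: no mitigation string here, Meltdown status comes from the code after the switch */` would make clear that this is deliberate and that such a build runs without page-table isolation. Separately, `check_fpu()` is added as a `static __init` function and neither hunk of this patch adds a call to it. Confirm that `check_bugs()` in the base tree still calls it, otherwise the FDIV test never runs.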
diff --git a/SOURCES/patch-spec_ctrl_i686_v3_8_0.patch b/SOURCES/patch-spec_ctrl_i686_v3_8_0.patch
new file mode 100644
index 0000000..7362708
--- /dev/null
+++ b/SOURCES/patch-spec_ctrl_i686_v3_8_0.patch
@@ -0,0 +1,59 @@
+diff -up ./arch/x86/kernel/cpu/common.c.dist ./arch/x86/kernel/cpu/common.c
+--- ./arch/x86/kernel/cpu/common.c.dist	2017-12-29 03:59:43.000000000 +0900
++++ ./arch/x86/kernel/cpu/common.c	2018-01-10 15:37:06.848478838 +0900
+@@ -1349,6 +1349,9 @@ DEFINE_PER_CPU(struct task_struct *, fpu
+ DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
+ #endif
+ 
++DEFINE_PER_CPU_USER_MAPPED(struct kernel_ibrs_spec_ctrl, spec_ctrl_pcp);
++EXPORT_PER_CPU_SYMBOL_GPL(spec_ctrl_pcp);
++
+ #endif	/* CONFIG_X86_64 */
+ 
+ /*
+diff -up ./arch/x86/include/asm/spec_ctrl.h.dist ./arch/x86/include/asm/spec_ctrl.h
+--- ./arch/x86/include/asm/spec_ctrl.h.dist    2018-06-15 13:57:32.000000000 -0700
++++ ./arch/x86/include/asm/spec_ctrl.h 2019-05-14 17:48:21.451670849 -0700
+@@ -191,6 +191,8 @@ extern void spec_ctrl_cpu_init(void);
+ extern void ssb_print_mitigation(void);
+ extern void mds_print_mitigation(void);
+ 
++DECLARE_PER_CPU_USER_MAPPED(struct kernel_ibrs_spec_ctrl, spec_ctrl_pcp);
++
+ bool spec_ctrl_force_enable_ibrs(void);
+ bool spec_ctrl_cond_enable_ibrs(bool full_retpoline);
+ bool spec_ctrl_enable_ibrs_always(void);
+diff -up ./arch/x86/kernel/reboot.c.dist ./arch/x86/kernel/reboot.c
+--- ./arch/x86/kernel/reboot.c.dist	2017-12-29 03:59:43.000000000 +0900
++++ ./arch/x86/kernel/reboot.c	2018-01-10 15:43:36.819240224 +0900
+@@ -23,6 +23,7 @@
+ #include <asm/cpu.h>
+ #include <asm/nmi.h>
+ #include <asm/smp.h>
++#include <asm/mmu_context.h>
+ 
+ #include <linux/ctype.h>
+ #include <linux/mc146818rtc.h>
+diff -up ./arch/x86/kernel/smpboot.c.dist ./arch/x86/kernel/smpboot.c
+--- ./arch/x86/kernel/smpboot.c.dist	2018-01-10 14:53:15.251175037 +0900
++++ ./arch/x86/kernel/smpboot.c	2018-01-10 15:45:14.219976320 +0900
+@@ -72,6 +72,7 @@
+ #include <asm/fpu-internal.h>
+ #include <asm/setup.h>
+ #include <asm/uv/uv.h>
++#include <asm/mmu_context.h>
+ #include <linux/mc146818rtc.h>
+ 
+ #include <asm/smpboot_hooks.h>
+diff -up ./arch/x86/platform/efi/efi_32.c.dist ./arch/x86/platform/efi/efi_32.c
+--- ./arch/x86/platform/efi/efi_32.c.dist	2017-12-29 03:59:43.000000000 +0900
++++ ./arch/x86/platform/efi/efi_32.c	2018-01-10 15:45:56.356433372 +0900
+@@ -30,6 +30,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/tlbflush.h>
+ #include <asm/efi.h>
++#include <asm/mmu_context.h>
+ 
+ /*
+  * To make EFI call EFI runtime service in physical addressing mode we need
+
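Review bot: The new `spec_ctrl_pcp` definition in `common.c` has no comment explaining why it is needed there. It sits immediately before `#endif /* CONFIG_X86_64 */`, which suggests it is the 32-bit counterpart of a definition that already exists for 64-bit, but the start of that conditional is outside the hunk, so this should be confirmed. `EXPORT_PER_CPU_SYMBOL_GPL` makes what appears to be the per-CPU speculation-control state reachable from any GPL module, so the intent is worth recording, for example `/* i686: per-CPU spec_ctrl state, defined here because <reason>; exported for <consumer> */`. The `#include <asm/mmu_context.h>` additions in `reboot.c`, `smpboot.c` and `efi_32.c` likewise do not say which symbol they supply; a short note in the patch header would help whoever next rebases this.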
diff --git a/SPECS/kernel-plus.spec b/SPECS/kernel-plus.spec
index ef8ee79..58e8866 100644
--- a/SPECS/kernel-plus.spec
+++ b/SPECS/kernel-plus.spec
@@ -14,10 +14,10 @@ Summary: The Linux kernel
 %global distro_build 957
 
 %define rpmversion 3.10.0
-%define pkgrelease 957.12.2.el7
+%define pkgrelease 957.21.2.el7
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 957.12.2%{?dist}
+%define specrelease 957.21.2%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -483,9 +483,11 @@ Patch1015: huge_memory.patch
 Patch1017: i686-7-6.patch
 # Patch1018: firmware-efi-32bit.patch
 # Patch1019: patch-spec_ctrl_i686.patch
-Patch1019: patch-spec_ctrl_i686_v3_7_5.patch
+# Patch1019: patch-spec_ctrl_i686_v3_7_5.patch
+Patch1019: patch-spec_ctrl_i686_v3_8_0.patch
 # Patch1020: patch-i686-fpu-issues.patch
-Patch1020: patch-i686-fpu-issues-v4-7_5.patch
+# Patch1020: patch-i686-fpu-issues-v4-7_5.patch
+Patch1020: patch-i686-fpu-issues-v4-8_0.patch
 Patch1021: i386-retpoline-support-v6.patch
 
 Patch1101: patch-ALIGN-dupdef.patch
@@ -546,13 +548,13 @@ Patch20219: centos-linux-3.10-ecryptfs-bug7369-15353.patch
 Patch20222: centos-linux-3.10-nvme-bug15406.patch
 #Patch20223: centos-linux-3.10-psmouse-fix-button-reporting.patch
 Patch20224: centos-linux-3.10-niu-fix-build-errors-bug15040.patch
-Patch20225: centos-linux-3.10-mm-export-symbol-bug15639.patch
+#Patch20225: centos-linux-3.10-mm-export-symbol-bug15639.patch
 Patch20226: centos-linux-3.10-asus-wmi-bug15707.patch
 Patch20227: centos-linux-3.10-xenbus-bug15742.patch
 Patch20228: centos-linux-3.10-xenbus-fix-previous-patch-bug15742.patch
 #Patch20229: centos-linux-3.10-rtc_wdat-bug15830.patch
 Patch20230: centos-linux-3.10-smartpqi-bug15801.patch
-Patch20231: centos-linux-3.10-ceph-append-write-bug15953.patch
+#Patch20231: centos-linux-3.10-ceph-append-write-bug15953.patch
 
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
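Review bot: `Patch20225` and `Patch20231` are commented out here, and their `ApplyOptionalPatch` lines are commented out in the `@@ -993,13 +997,13 @@` hunk, with nothing recording why they were dropped. The imported 957.16.1 changelog lists `ceph: Fix append mode for sync/direct write`, which looks like the bug15953 fix, and `mm: Unbreak modules that use the DMA API` may be the counterpart for bug15639, though that match should be confirmed. A trailing note on each line, for example `#Patch20231: centos-linux-3.10-ceph-append-write-bug15953.patch  (in base kernel since 957.16.1)`, would tell a later packager that the fix was absorbed rather than lost. Alternatively, the two lines and their patch files could be removed outright so that stale entries do not get re-enabled by mistake.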
@@ -931,9 +933,11 @@ ApplyOptionalPatch huge_memory.patch
 ApplyOptionalPatch i686-7-6.patch
 # ApplyOptionalPatch firmware-efi-32bit.patch
 # ApplyOptionalPatch patch-spec_ctrl_i686.patch
-ApplyOptionalPatch patch-spec_ctrl_i686_v3_7_5.patch
+# ApplyOptionalPatch patch-spec_ctrl_i686_v3_7_5.patch
+ApplyOptionalPatch patch-spec_ctrl_i686_v3_8_0.patch
 # ApplyOptionalPatch patch-i686-fpu-issues.patch
-ApplyOptionalPatch patch-i686-fpu-issues-v4-7_5.patch
+# ApplyOptionalPatch patch-i686-fpu-issues-v4-7_5.patch
+ApplyOptionalPatch patch-i686-fpu-issues-v4-8_0.patch
 ApplyOptionalPatch i386-retpoline-support-v6.patch
 
 ApplyOptionalPatch patch-ALIGN-dupdef.patch
@@ -993,13 +997,13 @@ ApplyOptionalPatch centos-linux-3.10-virtio_balloon-fix-race-bug15216.patch
 ApplyOptionalPatch centos-linux-3.10-nvme-bug15406.patch
 #ApplyOptionalPatch centos-linux-3.10-psmouse-fix-button-reporting.patch
 ApplyOptionalPatch centos-linux-3.10-niu-fix-build-errors-bug15040.patch
-ApplyOptionalPatch centos-linux-3.10-mm-export-symbol-bug15639.patch
+#ApplyOptionalPatch centos-linux-3.10-mm-export-symbol-bug15639.patch
 ApplyOptionalPatch centos-linux-3.10-asus-wmi-bug15707.patch
 ApplyOptionalPatch centos-linux-3.10-xenbus-bug15742.patch
 ApplyOptionalPatch centos-linux-3.10-xenbus-fix-previous-patch-bug15742.patch
 #ApplyOptionalPatch centos-linux-3.10-rtc_wdat-bug15830.patch
 ApplyOptionalPatch centos-linux-3.10-smartpqi-bug15801.patch
-ApplyOptionalPatch centos-linux-3.10-ceph-append-write-bug15953.patch
+#ApplyOptionalPatch centos-linux-3.10-ceph-append-write-bug15953.patch
 ### end of plus mod
 # End of CentOS Modification
 
@@ -1997,7 +2001,7 @@ fi
 %kernel_variant_files %{with_kdump} kdump
 
 %changelog
-* Tue May 14 2019 Akemi Yagi <toracat@centos.org> [3.10.0-957.12.2.el7.centos.plus]
+* Tue Jun 04 2019 Akemi Yagi <toracat@centos.org> [3.10.0-957.21.2.el7.centos.plus]
 - Apply debranding changes
 - Roll in i686 mods
    addmissing.patch  [puias]
@@ -2051,48 +2055,124 @@ fi
 - Add an i686 patch to fix Hyper-V issue [bug#15374]
 - Add an nvme patch [bug#15406]
 - Enable NIU and add a patch that fixes build errors submitted by h-masuda [bug#15040]
-- Apply a patch from bug15639
 - Apply a patch from bug15707
 - Apply a patch from bug15742
 - Add a patch that fixes the earlier patch from bug15742
 - Add a patch from bug#15801
-- Add a patch from bug#15953 (ceph bug)
-
-* Fri Apr 19 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.12.2.el7]
-- [x86] x86/speculation/mds: Add SMT warning message (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation: Move arch_smt_update() call to after mitigation decisions (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [documentation] x86/speculation/mds: Add mds=full,nosmt cmdline option (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [kernel] x86/speculation: Remove redundant arch_smt_update() invocation (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/spec_ctrl: Update MDS mitigation status after late microcode load (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/spec_ctrl: Add debugfs x86/smt_present file (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/spec_ctrl: Disable automatic enabling of STIBP with SMT on (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [documentation] Documentation: Add MDS vulnerability documentation (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [documentation] Documentation: Move L1TF to separate directory (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation/mds: Add mitigation mode VMWERV (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [base] x86/speculation/mds: Add sysfs reporting for MDS (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation/mds: Add mitigation control for MDS (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation/mds: Conditionally clear CPU buffers on idle entry (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [kvm] x86/kvm/vmx: Add MDS protection when L1D Flush is not active (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation/mds: Clear CPU buffers on exit to user (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation/mds: Add mds_clear_cpu_buffers() (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [kvm] x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation/mds: Add BUG_MSBDS_ONLY (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation/mds: Add basic bug infrastructure for MDS (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/speculation: Consolidate CPU whitelists (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/msr-index: Cleanup bit defines (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/l1tf: Show actual SMT state (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/speculation: Simplify sysfs report of VMX L1TF vulnerability (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/speculation: Rework SMT state change (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [kernel] sched/smt: Expose sched_smt_present static key (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [kernel] sched/smt: Make sched_smt_present track topology (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/speculation: Disable STIBP when enhanced IBRS is in use (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/spectre_v2: Make spectre_v2_mitigation mode available (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/spec_ctrl: Add X86_FEATURE_USE_IBPB (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130}
-- [x86] x86/spec_ctrl: Add casting to fix compilation error (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/cpu: Sanitize FAM6_ATOM naming (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
-- [x86] x86/cpufeatures: Add Intel PCONFIG cpufeature (Waiman Long) [1692597 1692598 1692599 1690335 1690348 1690358] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127}
+
+* Tue May 28 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.21.2.el7]
+- [security] xattr: use RH_KABI_CONST to avoid security_inode_init_security checksum change (Cestmir Kalina) [1702286 1710633]
+
+* Thu May 23 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.21.1.el7]
+- [x86] spec_ctrl: Update MDS mitigation status after late microcode load (Waiman Long) [1712998 1712993 1710501 1710498] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] speculation/mds: Properly set/clear mds_idle_clear static key (Waiman Long) [1713004 1707292] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+
+* Wed May 15 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.20.1.el7]
+- [x86] x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Fix comment (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Add SMT warning message (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation: Move arch_smt_update() call to after mitigation decisions (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [documentation] x86/speculation/mds: Add mds=full,nosmt cmdline option (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [kernel] x86/speculation: Remove redundant arch_smt_update() invocation (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/spec_ctrl: Update MDS mitigation status after late microcode load (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/spec_ctrl: Add debugfs x86/smt_present file (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/spec_ctrl: Disable automatic enabling of STIBP with SMT on (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [documentation] Documentation: Add MDS vulnerability documentation (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [documentation] Documentation: Move L1TF to separate directory (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Add mitigation mode VMWERV (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [base] x86/speculation/mds: Add sysfs reporting for MDS (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Add mitigation control for MDS (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Conditionally clear CPU buffers on idle entry (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [kvm] x86/kvm/vmx: Add MDS protection when L1D Flush is not active (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Clear CPU buffers on exit to user (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Add mds_clear_cpu_buffers() (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [kvm] x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Add BUG_MSBDS_ONLY (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation/mds: Add basic bug infrastructure for MDS (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/speculation: Consolidate CPU whitelists (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/msr-index: Cleanup bit defines (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/l1tf: Show actual SMT state (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/speculation: Simplify sysfs report of VMX L1TF vulnerability (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/speculation: Rework SMT state change (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [kernel] sched/smt: Expose sched_smt_present static key (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [kernel] sched/smt: Make sched_smt_present track topology (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/speculation: Disable STIBP when enhanced IBRS is in use (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/spectre_v2: Make spectre_v2_mitigation mode available (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/spec_ctrl: Add X86_FEATURE_USE_IBPB (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
+- [x86] x86/spec_ctrl: Add casting to fix compilation error (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/cpu: Sanitize FAM6_ATOM naming (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+- [x86] x86/cpufeatures: Add Intel PCONFIG cpufeature (Waiman Long) [1692597 1692598 1692599 1705815 1690335 1690348 1690358 1709296] {CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091}
+
+* Fri Apr 26 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.19.1.el7]
+- [security] selinux: always allow mounting submounts (Ondrej Mosnacek) [1702923 1077929]
+- [block] Make blk_queue_enter() reexamine the DYING flag (Ming Lei) [1702921 1701348]
+- [block] wakeup tasks blocked on q->mq_freeze_wq (Ming Lei) [1702921 1701348]
+- [fs] revert "[fs] xfs: use rhashtable to track buffer cache" (Brian Foster) [1702922 1658749]
+- [fs] xfs: hold xfs_buf locked between shortform->leaf conversion and the addition of an attribute (Brian Foster) [1701293 1613405]
+- [fs] xfs: add the ability to join a held buffer to a defer_ops (Brian Foster) [1701293 1613405]
+- [fs] xfs: refactor buffer logging into buffer dirtying helper (Brian Foster) [1701293 1613405]
+- [char] ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash (Tony Camuso) [1701991 1692236]
+- [char] ipmi_si: Fix crash when using hard-coded device (Tony Camuso) [1701991 1692236]
+- [char] ipmi: Remove platform driver overrides and use the id_table (Tony Camuso) [1701991 1692236]
+- [security] xattr: Constify ->name member of "struct xattr" (Aaron Tomlin) [1702286 1607307]
+- [net] ipv6 Use get_hash_from_flowi6 for rt6 hash (Sabrina Dubroca) [1702282 1625454]
+- [s390] zcrypt: fix specification exception on z196 during ap probe (Hendrik Brueckner) [1700706 1669535]
+- [md] dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors (Mike Snitzer) [1699722 1693466]
+- [fs] blockdev: Fix livelocks on loop device (Lukas Czerner) [1698110 1686149]
+- [fs] ext4: fix crash during online resizing (Lukas Czerner) [1698110 1686149]
+- [fs] ext4: fix overflow caused by missing cast in ext4_resize_fs() (Lukas Czerner) [1698110 1671293]
+- [powerpc] livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (Joe Lawrence) [1697867 1658435]
+- [powerpc] livepatch: small cleanups in save_stack_trace_tsk_reliable() (Joe Lawrence) [1697867 1658435]
+- [powerpc] livepatch: relax reliable stack tracer checks for first-frame (Joe Lawrence) [1697867 1658435]
+- [powerpc] 64s: Make reliable stacktrace dependency clearer (Joe Lawrence) [1697867 1658435]
+- [powerpc] 64s: Clear on-stack exception marker upon exception return (Joe Lawrence) [1697867 1658435]
+- [powerpc] livepatch: Fix build error with kprobes disabled (Joe Lawrence) [1697867 1658435]
+- [fs] xfs: don't screw up direct writes when freesp is fragmented (Brian Foster) [1693796 1667523]
+- [nvme] ensure forward progress during Admin passthru (David Milburn) [1690519 1672428]
+
+* Tue Apr 23 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.18.1.el7]
+- [s390] cputime: fix incorrect system time (Hendrik Brueckner) [1701743 1698825]
+
+* Mon Apr 15 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.17.1.el7]
+- [message] scsi: mptsas: Fixup device hotplug for VMWare ESXi (Tomas Henzl) [1699723 1661906]
+
+* Thu Apr 11 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.16.1.el7]
+- [netdrv] net/mlx5e: Properly set steering match levels for offloaded TC decap rules (Alaa Hleihel) [1686292 1618427]
+- [netdrv] net/mlx5e: Always use the match level enum when parsing TC rule match (Alaa Hleihel) [1686292 1618427]
+- [netdrv] net/mlx5e: Support offloaded TC flows with no matches on headers (Alaa Hleihel) [1686292 1618427]
+- [netdrv] net/mlx5e: Get the required HW match level while parsing TC flow matches (Alaa Hleihel) [1686292 1618427]
+- [netdrv] net/mlx5e: Properly order min inline mode setup while parsing TC matches (Alaa Hleihel) [1686292 1618427]
+- [netdrv] net/mlx5e: Avoid redundant zeroing of offloaded TC flow attributes (Alaa Hleihel) [1686292 1618427]
+- [netdrv] net/mlx5e: Err if asked to offload TC match on frag being first (Alaa Hleihel) [1686292 1618427]
+- [x86] hyperv: Stop suppressing X86_FEATURE_PCID (Vitaly Kuznetsov) [1697940 1691421]
+- [net] geneve: correctly handle ipv6.disable module parameter (Jiri Benc) [1694981 1677049]
+- [fs] ceph: Fix append mode for sync/direct write (Zheng Yan) [1696595 1691227]
+- [fs] ovl: fix return value from ovl_posix_acl_create() (Miklos Szeredi) [1696292 1677705]
+- [x86] mm: Unbreak modules that use the DMA API (Gary Hook) [1695511 1697241 1676613 1662887]
+- [sound] alsa/hda: add more quirks for HP Z2 G4 and HP Z240 (Jaroslav Kysela) [1693562 1680180]
+- [sound] alsa: hda/conexant - Add fixup for HP Z2 G4 workstation (Jaroslav Kysela) [1693562 1657855]
+- [block] mtip32xx: fix memory corruption by initializing internal command header (Ming Lei) [1689929 1660292]
+- [fs] nfsd: deal with revoked delegations appropriately (Dave Wysochanski) [1689811 1552203]
+
+* Thu Mar 28 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.15.1.el7]
+- [fs] ext4: Fix data corruption caused by unaligned direct AIO (Lukas Czerner) [1693561 1684780]
+- [net] sched: act_csum: Fix csum calc for tagged packets (Ivan Vecera) [1693110 1676462]
+
+* Tue Mar 26 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.14.1.el7]
+- [fs] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) (Zheng Yan) [1692266 1627001]
+- [fs] dcache: d_splice_alias should ignore DCACHE_DISCONNECTED (Zheng Yan) [1692266 1627001]
+- [fs] dcache: d_splice_alias should detect loops (Zheng Yan) [1692266 1627001]
+- [fs] dcache: d_splice_alias mustn't create directory aliases (Zheng Yan) [1692266 1627001]
+- [fs] dcache: close d_move race in d_splice_alias (Zheng Yan) [1692266 1627001]
+- [fs] dcache: move d_splice_alias (Zheng Yan) [1692266 1627001]
+- [fs] dcache: don't clear DCACHE_DISCONNECTED too early (Zheng Yan) [1692266 1627001]
+- [fs] dcache: Don't set DISCONNECTED on "pseudo filesystem" dentries (Zheng Yan) [1692266 1627001]
+- [fs] dcache: use IS_ROOT to decide where dentry is hashed (Zheng Yan) [1692266 1627001]
+
+* Thu Mar 21 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.13.1.el7]
+- [drm] drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer (Ben Skeggs) [1690761 1669098]
 
 * Wed Mar 20 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.12.1.el7]
 - [kernel] locking/rwsem: Fix (possible) missed wakeup (Waiman Long) [1690323 1547078]