20 files changed, 881 insertions, 7 deletions

diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index 06d0931119cc..0e77569bd5e0 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -486,6 +486,7 @@ What:		/sys/devices/system/cpu/vulnerabilities
                 /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
                 /sys/devices/system/cpu/vulnerabilities/l1tf
                 /sys/devices/system/cpu/vulnerabilities/mds
+                /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
 Date:           January 2018
 Contact:        Linux kernel mailing list <linux-kernel@vger.kernel.org>
 Description:    Information about CPU vulnerabilities
diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst
index 49311f3da6f2..0802b1c67452 100644
--- a/Documentation/admin-guide/hw-vuln/index.rst
+++ b/Documentation/admin-guide/hw-vuln/index.rst
@@ -12,3 +12,4 @@ are configurable at compile, boot or run time.
    spectre
    l1tf
    mds
+   tsx_async_abort
diff --git a/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
new file mode 100644
index 000000000000..fddbd7579c53
--- /dev/null
+++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
@@ -0,0 +1,276 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+TAA - TSX Asynchronous Abort
+======================================
+
+TAA is a hardware vulnerability that allows unprivileged speculative access to
+data which is available in various CPU internal buffers by using asynchronous
+aborts within an Intel TSX transactional region.
+
+Affected processors
+-------------------
+
+This vulnerability only affects Intel processors that support Intel
+Transactional Synchronization Extensions (TSX) when the TAA_NO bit (bit 8)
+is 0 in the IA32_ARCH_CAPABILITIES MSR.  On processors where the MDS_NO bit
+(bit 5) is 0 in the IA32_ARCH_CAPABILITIES MSR, the existing MDS mitigations
+also mitigate against TAA.
+
+Whether a processor is affected or not can be read out from the TAA
+vulnerability file in sysfs. See :ref:`tsx_async_abort_sys_info`.
+
+Related CVEs
+------------
+
+The following CVE entry is related to this TAA issue:
+
+   ==============  =====  ===================================================
+   CVE-2019-11135  TAA    TSX Asynchronous Abort (TAA) condition on some
+                          microprocessors utilizing speculative execution may
+                          allow an authenticated user to potentially enable
+                          information disclosure via a side channel with
+                          local access.
+   ==============  =====  ===================================================
+
+Problem
+-------
+
+When performing store, load or L1 refill operations, processors write
+data into temporary microarchitectural structures (buffers). The data in
+those buffers can be forwarded to load operations as an optimization.
+
+Intel TSX is an extension to the x86 instruction set architecture that adds
+hardware transactional memory support to improve performance of multi-threaded
+software. TSX lets the processor expose and exploit concurrency hidden in an
+application due to dynamically avoiding unnecessary synchronization.
+
+TSX supports atomic memory transactions that are either committed (success) or
+aborted. During an abort, operations that happened within the transactional region
+are rolled back. An asynchronous abort takes place, among other options, when a
+different thread accesses a cache line that is also used within the transactional
+region when that access might lead to a data race.
+
+Immediately after an uncompleted asynchronous abort, certain speculatively
+executed loads may read data from those internal buffers and pass it to dependent
+operations. This can be then used to infer the value via a cache side channel
+attack.
+
+Because the buffers are potentially shared between Hyper-Threads cross
+Hyper-Thread attacks are possible.
+
+The victim of a malicious actor does not need to make use of TSX. Only the
+attacker needs to begin a TSX transaction and raise an asynchronous abort
+which in turn potenitally leaks data stored in the buffers.
+
+More detailed technical information is available in the TAA specific x86
+architecture section: :ref:`Documentation/x86/tsx_async_abort.rst <tsx_async_abort>`.
+
+
+Attack scenarios
+----------------
+
+Attacks against the TAA vulnerability can be implemented from unprivileged
+applications running on hosts or guests.
+
+As for MDS, the attacker has no control over the memory addresses that can
+be leaked. Only the victim is responsible for bringing data to the CPU. As
+a result, the malicious actor has to sample as much data as possible and
+then postprocess it to try to infer any useful information from it.
+
+A potential attacker only has read access to the data. Also, there is no direct
+privilege escalation by using this technique.
+
+
+.. _tsx_async_abort_sys_info:
+
+TAA system information
+-----------------------
+
+The Linux kernel provides a sysfs interface to enumerate the current TAA status
+of mitigated systems. The relevant sysfs file is:
+
+/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
+
+The possible values in this file are:
+
+.. list-table::
+
+   * - 'Vulnerable'
+     - The CPU is affected by this vulnerability and the microcode and kernel mitigation are not applied.
+   * - 'Vulnerable: Clear CPU buffers attempted, no microcode'
+     - The system tries to clear the buffers but the microcode might not support the operation.
+   * - 'Mitigation: Clear CPU buffers'
+     - The microcode has been updated to clear the buffers. TSX is still enabled.
+   * - 'Mitigation: TSX disabled'
+     - TSX is disabled.
+   * - 'Not affected'
+     - The CPU is not affected by this issue.
+
+.. _ucode_needed:
+
+Best effort mitigation mode
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If the processor is vulnerable, but the availability of the microcode-based
+mitigation mechanism is not advertised via CPUID the kernel selects a best
+effort mitigation mode.  This mode invokes the mitigation instructions
+without a guarantee that they clear the CPU buffers.
+
+This is done to address virtualization scenarios where the host has the
+microcode update applied, but the hypervisor is not yet updated to expose the
+CPUID to the guest. If the host has updated microcode the protection takes
+effect; otherwise a few CPU cycles are wasted pointlessly.
+
+The state in the tsx_async_abort sysfs file reflects this situation
+accordingly.
+
+
+Mitigation mechanism
+--------------------
+
+The kernel detects the affected CPUs and the presence of the microcode which is
+required. If a CPU is affected and the microcode is available, then the kernel
+enables the mitigation by default.
+
+
+The mitigation can be controlled at boot time via a kernel command line option.
+See :ref:`taa_mitigation_control_command_line`.
+
+.. _virt_mechanism:
+
+Virtualization mitigation
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Affected systems where the host has TAA microcode and TAA is mitigated by
+having disabled TSX previously, are not vulnerable regardless of the status
+of the VMs.
+
+In all other cases, if the host either does not have the TAA microcode or
+the kernel is not mitigated, the system might be vulnerable.
+
+
+.. _taa_mitigation_control_command_line:
+
+Mitigation control on the kernel command line
+---------------------------------------------
+
+The kernel command line allows to control the TAA mitigations at boot time with
+the option "tsx_async_abort=". The valid arguments for this option are:
+
+  ============  =============================================================
+  off           This option disables the TAA mitigation on affected platforms.
+                If the system has TSX enabled (see next parameter) and the CPU
+                is affected, the system is vulnerable.
+
+  full          TAA mitigation is enabled. If TSX is enabled, on an affected
+                system it will clear CPU buffers on ring transitions. On
+                systems which are MDS-affected and deploy MDS mitigation,
+                TAA is also mitigated. Specifying this option on those
+                systems will have no effect.
+
+  full,nosmt    The same as tsx_async_abort=full, with SMT disabled on
+                vulnerable CPUs that have TSX enabled. This is the complete
+                mitigation. When TSX is disabled, SMT is not disabled because
+                CPU is not vulnerable to cross-thread TAA attacks.
+  ============  =============================================================
+
+Not specifying this option is equivalent to "tsx_async_abort=full".
+
+The kernel command line also allows to control the TSX feature using the
+parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used
+to control the TSX feature and the enumeration of the TSX feature bits (RTM
+and HLE) in CPUID.
+
+The valid options are:
+
+  ============  =============================================================
+  off           Disables TSX on the system.
+
+                Note that this option takes effect only on newer CPUs which are
+                not vulnerable to MDS, i.e., have MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1
+                and which get the new IA32_TSX_CTRL MSR through a microcode
+                update. This new MSR allows for the reliable deactivation of
+                the TSX functionality.
+
+  on            Enables TSX.
+
+                Although there are mitigations for all known security
+                vulnerabilities, TSX has been known to be an accelerator for
+                several previous speculation-related CVEs, and so there may be
+                unknown security risks associated with leaving it enabled.
+
+  auto          Disables TSX if X86_BUG_TAA is present, otherwise enables TSX
+                on the system.
+  ============  =============================================================
+
+Not specifying this option is equivalent to "tsx=off".
+
+The following combinations of the "tsx_async_abort" and "tsx" are possible. For
+affected platforms tsx=auto is equivalent to tsx=off and the result will be:
+
+  =========  ==========================   =========================================
+  tsx=on     tsx_async_abort=full         The system will use VERW to clear CPU
+                                          buffers. Cross-thread attacks are still
+                                          possible on SMT machines.
+  tsx=on     tsx_async_abort=full,nosmt   As above, cross-thread attacks on SMT
+                                          mitigated.
+  tsx=on     tsx_async_abort=off          The system is vulnerable.
+  tsx=off    tsx_async_abort=full         TSX might be disabled if microcode
+                                          provides a TSX control MSR. If so,
+                                          system is not vulnerable.
+  tsx=off    tsx_async_abort=full,nosmt   Ditto
+  tsx=off    tsx_async_abort=off          ditto
+  =========  ==========================   =========================================
+
+
+For unaffected platforms "tsx=on" and "tsx_async_abort=full" does not clear CPU
+buffers.  For platforms without TSX control (MSR_IA32_ARCH_CAPABILITIES.MDS_NO=0)
+"tsx" command line argument has no effect.
+
+For the affected platforms below table indicates the mitigation status for the
+combinations of CPUID bit MD_CLEAR and IA32_ARCH_CAPABILITIES MSR bits MDS_NO
+and TSX_CTRL_MSR.
+
+  =======  =========  =============  ========================================
+  MDS_NO   MD_CLEAR   TSX_CTRL_MSR   Status
+  =======  =========  =============  ========================================
+    0          0            0        Vulnerable (needs microcode)
+    0          1            0        MDS and TAA mitigated via VERW
+    1          1            0        MDS fixed, TAA vulnerable if TSX enabled
+                                     because MD_CLEAR has no meaning and
+                                     VERW is not guaranteed to clear buffers
+    1          X            1        MDS fixed, TAA can be mitigated by
+                                     VERW or TSX_CTRL_MSR
+  =======  =========  =============  ========================================
+
+Mitigation selection guide
+--------------------------
+
+1. Trusted userspace and guests
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If all user space applications are from a trusted source and do not execute
+untrusted code which is supplied externally, then the mitigation can be
+disabled. The same applies to virtualized environments with trusted guests.
+
+
+2. Untrusted userspace and guests
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If there are untrusted applications or guests on the system, enabling TSX
+might allow a malicious actor to leak data from the host or from other
+processes running on the same physical core.
+
+If the microcode is available and the TSX is disabled on the host, attacks
+are prevented in a virtualized environment as well, even if the VMs do not
+explicitly enable the mitigation.
+
+
+.. _taa_default_mitigations:
+
+Default mitigations
+-------------------
+
+The kernel's default action for vulnerable processors is:
+
+  - Deploy TSX disable mitigation (tsx_async_abort=full tsx=off).
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index a84a83f8881e..fa8f03ddff24 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2636,6 +2636,7 @@
                                                ssbd=force-off [ARM64]
                                                l1tf=off [X86]
                                                mds=off [X86]
+                                               tsx_async_abort=off [X86]
 
                         auto (default)
                                 Mitigate all CPU vulnerabilities, but leave SMT
@@ -2651,6 +2652,7 @@
                                 be fully mitigated, even if it means losing SMT.
                                 Equivalent to: l1tf=flush,nosmt [X86]
                                                mds=full,nosmt [X86]
+                                               tsx_async_abort=full,nosmt [X86]
 
         mminit_loglevel=
                         [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
@@ -4848,6 +4850,71 @@
                         interruptions from clocksource watchdog are not
                         acceptable).
 
+        tsx=            [X86] Control Transactional Synchronization
+                        Extensions (TSX) feature in Intel processors that
+                        support TSX control.
+
+                        This parameter controls the TSX feature. The options are:
+
+                        on      - Enable TSX on the system. Although there are
+                                mitigations for all known security vulnerabilities,
+                                TSX has been known to be an accelerator for
+                                several previous speculation-related CVEs, and
+                                so there may be unknown security risks associated
+                                with leaving it enabled.
+
+                        off     - Disable TSX on the system. (Note that this
+                                option takes effect only on newer CPUs which are
+                                not vulnerable to MDS, i.e., have
+                                MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and which get
+                                the new IA32_TSX_CTRL MSR through a microcode
+                                update. This new MSR allows for the reliable
+                                deactivation of the TSX functionality.)
+
+                        auto    - Disable TSX if X86_BUG_TAA is present,
+                                  otherwise enable TSX on the system.
+
+                        Not specifying this option is equivalent to tsx=off.
+
+                        See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+                        for more details.
+
+        tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async
+                        Abort (TAA) vulnerability.
+
+                        Similar to Micro-architectural Data Sampling (MDS)
+                        certain CPUs that support Transactional
+                        Synchronization Extensions (TSX) are vulnerable to an
+                        exploit against CPU internal buffers which can forward
+                        information to a disclosure gadget under certain
+                        conditions.
+
+                        In vulnerable processors, the speculatively forwarded
+                        data can be used in a cache side channel attack, to
+                        access data to which the attacker does not have direct
+                        access.
+
+                        This parameter controls the TAA mitigation.  The
+                        options are:
+
+                        full       - Enable TAA mitigation on vulnerable CPUs
+                                     if TSX is enabled.
+
+                        full,nosmt - Enable TAA mitigation and disable SMT on
+                                     vulnerable CPUs. If TSX is disabled, SMT
+                                     is not disabled because CPU is not
+                                     vulnerable to cross-thread TAA attacks.
+                        off        - Unconditionally disable TAA mitigation
+
+                        Not specifying this option is equivalent to
+                        tsx_async_abort=full.  On CPUs which are MDS affected
+                        and deploy MDS mitigation, TAA mitigation is not
+                        required and doesn't provide any additional
+                        mitigation.
+
+                        For details see:
+                        Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+
         turbografx.map[2|3]=    [HW,JOY]
                         TurboGraFX parallel port interface
                         Format:
diff --git a/Documentation/x86/index.rst b/Documentation/x86/index.rst
index af64c4bb4447..a8de2fbc1caa 100644
--- a/Documentation/x86/index.rst
+++ b/Documentation/x86/index.rst
@@ -27,6 +27,7 @@ x86-specific Documentation
    mds
    microcode
    resctrl_ui
+   tsx_async_abort
    usb-legacy-support
    i386/index
    x86_64/index
diff --git a/Documentation/x86/tsx_async_abort.rst b/Documentation/x86/tsx_async_abort.rst
new file mode 100644
index 000000000000..583ddc185ba2
--- /dev/null
+++ b/Documentation/x86/tsx_async_abort.rst
@@ -0,0 +1,117 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+TSX Async Abort (TAA) mitigation
+================================
+
+.. _tsx_async_abort:
+
+Overview
+--------
+
+TSX Async Abort (TAA) is a side channel attack on internal buffers in some
+Intel processors similar to Microachitectural Data Sampling (MDS).  In this
+case certain loads may speculatively pass invalid data to dependent operations
+when an asynchronous abort condition is pending in a Transactional
+Synchronization Extensions (TSX) transaction.  This includes loads with no
+fault or assist condition. Such loads may speculatively expose stale data from
+the same uarch data structures as in MDS, with same scope of exposure i.e.
+same-thread and cross-thread. This issue affects all current processors that
+support TSX.
+
+Mitigation strategy
+-------------------
+
+a) TSX disable - one of the mitigations is to disable TSX. A new MSR
+IA32_TSX_CTRL will be available in future and current processors after
+microcode update which can be used to disable TSX. In addition, it
+controls the enumeration of the TSX feature bits (RTM and HLE) in CPUID.
+
+b) Clear CPU buffers - similar to MDS, clearing the CPU buffers mitigates this
+vulnerability. More details on this approach can be found in
+:ref:`Documentation/admin-guide/hw-vuln/mds.rst <mds>`.
+
+Kernel internal mitigation modes
+--------------------------------
+
+ =============    ============================================================
+ off              Mitigation is disabled. Either the CPU is not affected or
+                  tsx_async_abort=off is supplied on the kernel command line.
+
+ tsx disabled     Mitigation is enabled. TSX feature is disabled by default at
+                  bootup on processors that support TSX control.
+
+ verw             Mitigation is enabled. CPU is affected and MD_CLEAR is
+                  advertised in CPUID.
+
+ ucode needed     Mitigation is enabled. CPU is affected and MD_CLEAR is not
+                  advertised in CPUID. That is mainly for virtualization
+                  scenarios where the host has the updated microcode but the
+                  hypervisor does not expose MD_CLEAR in CPUID. It's a best
+                  effort approach without guarantee.
+ =============    ============================================================
+
+If the CPU is affected and the "tsx_async_abort" kernel command line parameter is
+not provided then the kernel selects an appropriate mitigation depending on the
+status of RTM and MD_CLEAR CPUID bits.
+
+Below tables indicate the impact of tsx=on|off|auto cmdline options on state of
+TAA mitigation, VERW behavior and TSX feature for various combinations of
+MSR_IA32_ARCH_CAPABILITIES bits.
+
+1. "tsx=off"
+
+=========  =========  ============  ============  ==============  ===================  ======================
+MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=off
+----------------------------------  -------------------------------------------------------------------------
+TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
+                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
+=========  =========  ============  ============  ==============  ===================  ======================
+    0          0           0         HW default         Yes           Same as MDS           Same as MDS
+    0          0           1        Invalid case   Invalid case       Invalid case          Invalid case
+    0          1           0         HW default         No         Need ucode update     Need ucode update
+    0          1           1          Disabled          Yes           TSX disabled          TSX disabled
+    1          X           1          Disabled           X             None needed           None needed
+=========  =========  ============  ============  ==============  ===================  ======================
+
+2. "tsx=on"
+
+=========  =========  ============  ============  ==============  ===================  ======================
+MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=on
+----------------------------------  -------------------------------------------------------------------------
+TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
+                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
+=========  =========  ============  ============  ==============  ===================  ======================
+    0          0           0         HW default        Yes            Same as MDS          Same as MDS
+    0          0           1        Invalid case   Invalid case       Invalid case         Invalid case
+    0          1           0         HW default        No          Need ucode update     Need ucode update
+    0          1           1          Enabled          Yes               None              Same as MDS
+    1          X           1          Enabled          X              None needed          None needed
+=========  =========  ============  ============  ==============  ===================  ======================
+
+3. "tsx=auto"
+
+=========  =========  ============  ============  ==============  ===================  ======================
+MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=auto
+----------------------------------  -------------------------------------------------------------------------
+TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
+                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
+=========  =========  ============  ============  ==============  ===================  ======================
+    0          0           0         HW default    Yes                Same as MDS           Same as MDS
+    0          0           1        Invalid case  Invalid case        Invalid case          Invalid case
+    0          1           0         HW default    No              Need ucode update     Need ucode update
+    0          1           1          Disabled      Yes               TSX disabled          TSX disabled
+    1          X           1          Enabled       X                 None needed           None needed
+=========  =========  ============  ============  ==============  ===================  ======================
+
+In the tables, TSX_CTRL_MSR is a new bit in MSR_IA32_ARCH_CAPABILITIES that
+indicates whether MSR_IA32_TSX_CTRL is supported.
+
+There are two control bits in IA32_TSX_CTRL MSR:
+
+      Bit 0: When set it disables the Restricted Transactional Memory (RTM)
+             sub-feature of TSX (will force all transactions to abort on the
+             XBEGIN instruction).
+
+      Bit 1: When set it disables the enumeration of the RTM and HLE feature
+             (i.e. it will make CPUID(EAX=7).EBX{bit4} and
+             CPUID(EAX=7).EBX{bit11} read as 0).
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index d6e1faa28c58..8ef85139553f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1940,6 +1940,51 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS
 
           If unsure, say y.
 
+choice
+        prompt "TSX enable mode"
+        depends on CPU_SUP_INTEL
+        default X86_INTEL_TSX_MODE_OFF
+        help
+          Intel's TSX (Transactional Synchronization Extensions) feature
+          allows to optimize locking protocols through lock elision which
+          can lead to a noticeable performance boost.
+
+          On the other hand it has been shown that TSX can be exploited
+          to form side channel attacks (e.g. TAA) and chances are there
+          will be more of those attacks discovered in the future.
+
+          Therefore TSX is not enabled by default (aka tsx=off). An admin
+          might override this decision by tsx=on the command line parameter.
+          Even with TSX enabled, the kernel will attempt to enable the best
+          possible TAA mitigation setting depending on the microcode available
+          for the particular machine.
+
+          This option allows to set the default tsx mode between tsx=on, =off
+          and =auto. See Documentation/admin-guide/kernel-parameters.txt for more
+          details.
+
+          Say off if not sure, auto if TSX is in use but it should be used on safe
+          platforms or on if TSX is in use and the security aspect of tsx is not
+          relevant.
+
+config X86_INTEL_TSX_MODE_OFF
+        bool "off"
+        help
+          TSX is disabled if possible - equals to tsx=off command line parameter.
+
+config X86_INTEL_TSX_MODE_ON
+        bool "on"
+        help
+          TSX is always enabled on TSX capable HW - equals the tsx=on command
+          line parameter.
+
+config X86_INTEL_TSX_MODE_AUTO
+        bool "auto"
+        help
+          TSX is enabled on TSX capable HW that is believed to be safe against
+          side channel attacks- equals the tsx=auto command line parameter.
+endchoice
+
 config EFI
         bool "EFI runtime service support"
         depends on ACPI
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 0652d3eed9bd..989e03544f18 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -399,5 +399,6 @@
 #define X86_BUG_MDS                     X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */
 #define X86_BUG_MSBDS_ONLY              X86_BUG(20) /* CPU is only affected by the  MSDBS variant of BUG_MDS */
 #define X86_BUG_SWAPGS                  X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
+#define X86_BUG_TAA                     X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
 
 #endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 20ce682a2540..b3a8bb2af0b6 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -93,6 +93,11 @@
                                                   * Microarchitectural Data
                                                   * Sampling (MDS) vulnerabilities.
                                                   */
+#define ARCH_CAP_TSX_CTRL_MSR           BIT(7)  /* MSR for TSX control is available. */
+#define ARCH_CAP_TAA_NO                 BIT(8)  /*
+                                                 * Not susceptible to
+                                                 * TSX Async Abort (TAA) vulnerabilities.
+                                                 */
 
 #define MSR_IA32_FLUSH_CMD              0x0000010b
 #define L1D_FLUSH                       BIT(0)  /*
@@ -103,6 +108,10 @@
 #define MSR_IA32_BBL_CR_CTL             0x00000119
 #define MSR_IA32_BBL_CR_CTL3            0x0000011e
 
+#define MSR_IA32_TSX_CTRL               0x00000122
+#define TSX_CTRL_RTM_DISABLE            BIT(0)  /* Disable RTM feature */
+#define TSX_CTRL_CPUID_CLEAR            BIT(1)  /* Disable TSX enumeration */
+
 #define MSR_IA32_SYSENTER_CS            0x00000174
 #define MSR_IA32_SYSENTER_ESP           0x00000175
 #define MSR_IA32_SYSENTER_EIP           0x00000176
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 80bc209c0708..5c24a7b35166 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -314,7 +314,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear);
 #include <asm/segment.h>
 
 /**
- * mds_clear_cpu_buffers - Mitigation for MDS vulnerability
+ * mds_clear_cpu_buffers - Mitigation for MDS and TAA vulnerability
  *
  * This uses the otherwise unused and obsolete VERW instruction in
  * combination with microcode which triggers a CPU buffer flush when the
@@ -337,7 +337,7 @@ static inline void mds_clear_cpu_buffers(void)
 }
 
 /**
- * mds_user_clear_cpu_buffers - Mitigation for MDS vulnerability
+ * mds_user_clear_cpu_buffers - Mitigation for MDS and TAA vulnerability
  *
  * Clear CPU buffers if the corresponding static key is enabled
  */
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 6e0a3b43d027..54f5d54280f6 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -988,4 +988,11 @@ enum mds_mitigations {
         MDS_MITIGATION_VMWERV,
 };
 
+enum taa_mitigations {
+        TAA_MITIGATION_OFF,
+        TAA_MITIGATION_UCODE_NEEDED,
+        TAA_MITIGATION_VERW,
+        TAA_MITIGATION_TSX_DISABLED,
+};
+
 #endif /* _ASM_X86_PROCESSOR_H */
diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
index d7a1e5a9331c..890f60083eca 100644
--- a/arch/x86/kernel/cpu/Makefile
+++ b/arch/x86/kernel/cpu/Makefile
@@ -30,7 +30,7 @@ obj-$(CONFIG_PROC_FS)	+= proc.o
 obj-$(CONFIG_X86_FEATURE_NAMES) += capflags.o powerflags.o
 
 ifdef CONFIG_CPU_SUP_INTEL
-obj-y                   += intel.o intel_pconfig.o
+obj-y                   += intel.o intel_pconfig.o tsx.o
 obj-$(CONFIG_PM)        += intel_epb.o
 endif
 obj-$(CONFIG_CPU_SUP_AMD)               += amd.o
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 91c2561b905f..43c647e19439 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -39,6 +39,7 @@ static void __init spectre_v2_select_mitigation(void);
 static void __init ssb_select_mitigation(void);
 static void __init l1tf_select_mitigation(void);
 static void __init mds_select_mitigation(void);
+static void __init taa_select_mitigation(void);
 
 /* The base value of the SPEC_CTRL MSR that always has to be preserved. */
 u64 x86_spec_ctrl_base;
@@ -105,6 +106,7 @@ void __init check_bugs(void)
         ssb_select_mitigation();
         l1tf_select_mitigation();
         mds_select_mitigation();
+        taa_select_mitigation();
 
         arch_smt_update();
 
@@ -269,6 +271,100 @@ static int __init mds_cmdline(char *str)
 early_param("mds", mds_cmdline);
 
 #undef pr_fmt
+#define pr_fmt(fmt)     "TAA: " fmt
+
+/* Default mitigation for TAA-affected CPUs */
+static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
+static bool taa_nosmt __ro_after_init;
+
+static const char * const taa_strings[] = {
+        [TAA_MITIGATION_OFF]            = "Vulnerable",
+        [TAA_MITIGATION_UCODE_NEEDED]   = "Vulnerable: Clear CPU buffers attempted, no microcode",
+        [TAA_MITIGATION_VERW]           = "Mitigation: Clear CPU buffers",
+        [TAA_MITIGATION_TSX_DISABLED]   = "Mitigation: TSX disabled",
+};
+
+static void __init taa_select_mitigation(void)
+{
+        u64 ia32_cap;
+
+        if (!boot_cpu_has_bug(X86_BUG_TAA)) {
+                taa_mitigation = TAA_MITIGATION_OFF;
+                return;
+        }
+
+        /* TSX previously disabled by tsx=off */
+        if (!boot_cpu_has(X86_FEATURE_RTM)) {
+                taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
+                goto out;
+        }
+
+        if (cpu_mitigations_off()) {
+                taa_mitigation = TAA_MITIGATION_OFF;
+                return;
+        }
+
+        /* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */
+        if (taa_mitigation == TAA_MITIGATION_OFF)
+                goto out;
+
+        if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
+                taa_mitigation = TAA_MITIGATION_VERW;
+        else
+                taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
+
+        /*
+         * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
+         * A microcode update fixes this behavior to clear CPU buffers. It also
+         * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
+         * ARCH_CAP_TSX_CTRL_MSR bit.
+         *
+         * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
+         * update is required.
+         */
+        ia32_cap = x86_read_arch_cap_msr();
+        if ( (ia32_cap & ARCH_CAP_MDS_NO) &&
+            !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))
+                taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
+
+        /*
+         * TSX is enabled, select alternate mitigation for TAA which is
+         * the same as MDS. Enable MDS static branch to clear CPU buffers.
+         *
+         * For guests that can't determine whether the correct microcode is
+         * present on host, enable the mitigation for UCODE_NEEDED as well.
+         */
+        static_branch_enable(&mds_user_clear);
+
+        if (taa_nosmt || cpu_mitigations_auto_nosmt())
+                cpu_smt_disable(false);
+
+out:
+        pr_info("%s\n", taa_strings[taa_mitigation]);
+}
+
+static int __init tsx_async_abort_parse_cmdline(char *str)
+{
+        if (!boot_cpu_has_bug(X86_BUG_TAA))
+                return 0;
+
+        if (!str)
+                return -EINVAL;
+
+        if (!strcmp(str, "off")) {
+                taa_mitigation = TAA_MITIGATION_OFF;
+        } else if (!strcmp(str, "full")) {
+                taa_mitigation = TAA_MITIGATION_VERW;
+        } else if (!strcmp(str, "full,nosmt")) {
+                taa_mitigation = TAA_MITIGATION_VERW;
+                taa_nosmt = true;
+        }
+
+        return 0;
+}
+early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
+
+#undef pr_fmt
 #define pr_fmt(fmt)     "Spectre V1 : " fmt
 
 enum spectre_v1_mitigation {
@@ -786,6 +882,7 @@ static void update_mds_branch_idle(void)
 }
 
 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
+#define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
 
 void cpu_bugs_smt_update(void)
 {
@@ -819,6 +916,17 @@ void cpu_bugs_smt_update(void)
                 break;
         }
 
+        switch (taa_mitigation) {
+        case TAA_MITIGATION_VERW:
+        case TAA_MITIGATION_UCODE_NEEDED:
+                if (sched_smt_active())
+                        pr_warn_once(TAA_MSG_SMT);
+                break;
+        case TAA_MITIGATION_TSX_DISABLED:
+        case TAA_MITIGATION_OFF:
+                break;
+        }
+
         mutex_unlock(&spec_ctrl_mutex);
 }
 
@@ -1328,6 +1436,21 @@ static ssize_t mds_show_state(char *buf)
                        sched_smt_active() ? "vulnerable" : "disabled");
 }
 
+static ssize_t tsx_async_abort_show_state(char *buf)
+{
+        if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
+            (taa_mitigation == TAA_MITIGATION_OFF))
+                return sprintf(buf, "%s\n", taa_strings[taa_mitigation]);
+
+        if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
+                return sprintf(buf, "%s; SMT Host state unknown\n",
+                               taa_strings[taa_mitigation]);
+        }
+
+        return sprintf(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
+                       sched_smt_active() ? "vulnerable" : "disabled");
+}
+
 static char *stibp_state(void)
 {
         if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
@@ -1398,6 +1521,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
         case X86_BUG_MDS:
                 return mds_show_state(buf);
 
+        case X86_BUG_TAA:
+                return tsx_async_abort_show_state(buf);
+
         default:
                 break;
         }
@@ -1434,4 +1560,9 @@ ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *bu
 {
         return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
 }
+
+ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
+}
 #endif
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 9ae7d1bcd4f4..f8b8afc8f5b5 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1092,19 +1092,26 @@ static bool __init cpu_matches(unsigned long which)
         return m && !!(m->driver_data & which);
 }
 
-static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+u64 x86_read_arch_cap_msr(void)
 {
         u64 ia32_cap = 0;
 
+        if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
+                rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
+
+        return ia32_cap;
+}
+
+static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+{
+        u64 ia32_cap = x86_read_arch_cap_msr();
+
         if (cpu_matches(NO_SPECULATION))
                 return;
 
         setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
         setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
 
-        if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
-                rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
-
         if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) &&
            !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
                 setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
@@ -1121,6 +1128,21 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
         if (!cpu_matches(NO_SWAPGS))
                 setup_force_cpu_bug(X86_BUG_SWAPGS);
 
+        /*
+         * When the CPU is not mitigated for TAA (TAA_NO=0) set TAA bug when:
+         *      - TSX is supported or
+         *      - TSX_CTRL is present
+         *
+         * TSX_CTRL check is needed for cases when TSX could be disabled before
+         * the kernel boot e.g. kexec.
+         * TSX_CTRL check alone is not sufficient for cases when the microcode
+         * update is not present or running as guest that don't get TSX_CTRL.
+         */
+        if (!(ia32_cap & ARCH_CAP_TAA_NO) &&
+            (cpu_has(c, X86_FEATURE_RTM) ||
+             (ia32_cap & ARCH_CAP_TSX_CTRL_MSR)))
+                setup_force_cpu_bug(X86_BUG_TAA);
+
         if (cpu_matches(NO_MELTDOWN))
                 return;
 
@@ -1554,6 +1576,8 @@ void __init identify_boot_cpu(void)
 #endif
         cpu_detect_tlb(&boot_cpu_data);
         setup_cr_pinning();
+
+        tsx_init();
 }
 
 void identify_secondary_cpu(struct cpuinfo_x86 *c)
diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
index c0e2407abdd6..38ab6e115eac 100644
--- a/arch/x86/kernel/cpu/cpu.h
+++ b/arch/x86/kernel/cpu/cpu.h
@@ -44,6 +44,22 @@ struct _tlb_table {
 extern const struct cpu_dev *const __x86_cpu_dev_start[],
                             *const __x86_cpu_dev_end[];
 
+#ifdef CONFIG_CPU_SUP_INTEL
+enum tsx_ctrl_states {
+        TSX_CTRL_ENABLE,
+        TSX_CTRL_DISABLE,
+        TSX_CTRL_NOT_SUPPORTED,
+};
+
+extern __ro_after_init enum tsx_ctrl_states tsx_ctrl_state;
+
+extern void __init tsx_init(void);
+extern void tsx_enable(void);
+extern void tsx_disable(void);
+#else
+static inline void tsx_init(void) { }
+#endif /* CONFIG_CPU_SUP_INTEL */
+
 extern void get_cpu_cap(struct cpuinfo_x86 *c);
 extern void get_cpu_address_sizes(struct cpuinfo_x86 *c);
 extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
@@ -62,4 +78,6 @@ unsigned int aperfmperf_get_khz(int cpu);
 
 extern void x86_spec_ctrl_setup_ap(void);
 
+extern u64 x86_read_arch_cap_msr(void);
+
 #endif /* ARCH_X86_CPU_H */
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index c2fdc00df163..11d5c5950e2d 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -762,6 +762,11 @@ static void init_intel(struct cpuinfo_x86 *c)
                 detect_tme(c);
 
         init_intel_misc_features(c);
+
+        if (tsx_ctrl_state == TSX_CTRL_ENABLE)
+                tsx_enable();
+        if (tsx_ctrl_state == TSX_CTRL_DISABLE)
+                tsx_disable();
 }
 
 #ifdef CONFIG_X86_32
diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
new file mode 100644
index 000000000000..3e20d322bc98
--- /dev/null
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -0,0 +1,140 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Intel Transactional Synchronization Extensions (TSX) control.
+ *
+ * Copyright (C) 2019 Intel Corporation
+ *
+ * Author:
+ *      Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+ */
+
+#include <linux/cpufeature.h>
+
+#include <asm/cmdline.h>
+
+#include "cpu.h"
+
+enum tsx_ctrl_states tsx_ctrl_state __ro_after_init = TSX_CTRL_NOT_SUPPORTED;
+
+void tsx_disable(void)
+{
+        u64 tsx;
+
+        rdmsrl(MSR_IA32_TSX_CTRL, tsx);
+
+        /* Force all transactions to immediately abort */
+        tsx |= TSX_CTRL_RTM_DISABLE;
+
+        /*
+         * Ensure TSX support is not enumerated in CPUID.
+         * This is visible to userspace and will ensure they
+         * do not waste resources trying TSX transactions that
+         * will always abort.
+         */
+        tsx |= TSX_CTRL_CPUID_CLEAR;
+
+        wrmsrl(MSR_IA32_TSX_CTRL, tsx);
+}
+
+void tsx_enable(void)
+{
+        u64 tsx;
+
+        rdmsrl(MSR_IA32_TSX_CTRL, tsx);
+
+        /* Enable the RTM feature in the cpu */
+        tsx &= ~TSX_CTRL_RTM_DISABLE;
+
+        /*
+         * Ensure TSX support is enumerated in CPUID.
+         * This is visible to userspace and will ensure they
+         * can enumerate and use the TSX feature.
+         */
+        tsx &= ~TSX_CTRL_CPUID_CLEAR;
+
+        wrmsrl(MSR_IA32_TSX_CTRL, tsx);
+}
+
+static bool __init tsx_ctrl_is_supported(void)
+{
+        u64 ia32_cap = x86_read_arch_cap_msr();
+
+        /*
+         * TSX is controlled via MSR_IA32_TSX_CTRL.  However, support for this
+         * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES.
+         *
+         * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a
+         * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES
+         * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get
+         * MSR_IA32_TSX_CTRL support even after a microcode update. Thus,
+         * tsx= cmdline requests will do nothing on CPUs without
+         * MSR_IA32_TSX_CTRL support.
+         */
+        return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
+}
+
+static enum tsx_ctrl_states x86_get_tsx_auto_mode(void)
+{
+        if (boot_cpu_has_bug(X86_BUG_TAA))
+                return TSX_CTRL_DISABLE;
+
+        return TSX_CTRL_ENABLE;
+}
+
+void __init tsx_init(void)
+{
+        char arg[5] = {};
+        int ret;
+
+        if (!tsx_ctrl_is_supported())
+                return;
+
+        ret = cmdline_find_option(boot_command_line, "tsx", arg, sizeof(arg));
+        if (ret >= 0) {
+                if (!strcmp(arg, "on")) {
+                        tsx_ctrl_state = TSX_CTRL_ENABLE;
+                } else if (!strcmp(arg, "off")) {
+                        tsx_ctrl_state = TSX_CTRL_DISABLE;
+                } else if (!strcmp(arg, "auto")) {
+                        tsx_ctrl_state = x86_get_tsx_auto_mode();
+                } else {
+                        tsx_ctrl_state = TSX_CTRL_DISABLE;
+                        pr_err("tsx: invalid option, defaulting to off\n");
+                }
+        } else {
+                /* tsx= not provided */
+                if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_AUTO))
+                        tsx_ctrl_state = x86_get_tsx_auto_mode();
+                else if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_OFF))
+                        tsx_ctrl_state = TSX_CTRL_DISABLE;
+                else
+                        tsx_ctrl_state = TSX_CTRL_ENABLE;
+        }
+
+        if (tsx_ctrl_state == TSX_CTRL_DISABLE) {
+                tsx_disable();
+
+                /*
+                 * tsx_disable() will change the state of the
+                 * RTM CPUID bit.  Clear it here since it is now
+                 * expected to be not set.
+                 */
+                setup_clear_cpu_cap(X86_FEATURE_RTM);
+        } else if (tsx_ctrl_state == TSX_CTRL_ENABLE) {
+
+                /*
+                 * HW defaults TSX to be enabled at bootup.
+                 * We may still need the TSX enable support
+                 * during init for special cases like
+                 * kexec after TSX is disabled.
+                 */
+                tsx_enable();
+
+                /*
+                 * tsx_enable() will change the state of the
+                 * RTM CPUID bit.  Force it here since it is now
+                 * expected to be set.
+                 */
+                setup_force_cpu_cap(X86_FEATURE_RTM);
+        }
+}
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff395f812719..32d70ca2a7fd 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1298,6 +1298,25 @@ static u64 kvm_get_arch_capabilities(void)
         if (!boot_cpu_has_bug(X86_BUG_MDS))
                 data |= ARCH_CAP_MDS_NO;
 
+        /*
+         * On TAA affected systems, export MDS_NO=0 when:
+         *      - TSX is enabled on the host, i.e. X86_FEATURE_RTM=1.
+         *      - Updated microcode is present. This is detected by
+         *        the presence of ARCH_CAP_TSX_CTRL_MSR and ensures
+         *        that VERW clears CPU buffers.
+         *
+         * When MDS_NO=0 is exported, guests deploy clear CPU buffer
+         * mitigation and don't complain:
+         *
+         *      "Vulnerable: Clear CPU buffers attempted, no microcode"
+         *
+         * If TSX is disabled on the system, guests are also mitigated against
+         * TAA and clear CPU buffer mitigation is not required for guests.
+         */
+        if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
+            (data & ARCH_CAP_TSX_CTRL_MSR))
+                data &= ~ARCH_CAP_MDS_NO;
+
         return data;
 }
 
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
index cc37511de866..0fccd8c0312e 100644
--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
@@ -554,12 +554,20 @@ ssize_t __weak cpu_show_mds(struct device *dev,
         return sprintf(buf, "Not affected\n");
 }
 
+ssize_t __weak cpu_show_tsx_async_abort(struct device *dev,
+                                        struct device_attribute *attr,
+                                        char *buf)
+{
+        return sprintf(buf, "Not affected\n");
+}
+
 static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
 static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
 static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
 static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
 static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
 static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
+static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
 
 static struct attribute *cpu_root_vulnerabilities_attrs[] = {
         &dev_attr_meltdown.attr,
@@ -568,6 +576,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
         &dev_attr_spec_store_bypass.attr,
         &dev_attr_l1tf.attr,
         &dev_attr_mds.attr,
+        &dev_attr_tsx_async_abort.attr,
         NULL
 };
 
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index d0633ebdaa9c..f35369f79771 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -59,6 +59,9 @@ extern ssize_t cpu_show_l1tf(struct device *dev,
                              struct device_attribute *attr, char *buf);
 extern ssize_t cpu_show_mds(struct device *dev,
                             struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_tsx_async_abort(struct device *dev,
+                                        struct device_attribute *attr,
+                                        char *buf);
 
 extern __printf(4, 5)
 struct device *cpu_device_create(struct device *parent, void *drvdata,