diff -u linux-aws-4.4.0/arch/x86/include/asm/intel-family.h linux-aws-4.4.0/arch/x86/include/asm/intel-family.h --- linux-aws-4.4.0/arch/x86/include/asm/intel-family.h +++ linux-aws-4.4.0/arch/x86/include/asm/intel-family.h @@ -12,7 +12,6 @@ */ #define INTEL_FAM6_CORE_YONAH 0x0E - #define INTEL_FAM6_CORE2_MEROM 0x0F #define INTEL_FAM6_CORE2_MEROM_L 0x16 #define INTEL_FAM6_CORE2_PENRYN 0x17 @@ -21,7 +20,6 @@ #define INTEL_FAM6_NEHALEM 0x1E #define INTEL_FAM6_NEHALEM_EP 0x1A #define INTEL_FAM6_NEHALEM_EX 0x2E - #define INTEL_FAM6_WESTMERE 0x25 #define INTEL_FAM6_WESTMERE2 0x1F #define INTEL_FAM6_WESTMERE_EP 0x2C @@ -38,9 +36,9 @@ #define INTEL_FAM6_HASWELL_GT3E 0x46 #define INTEL_FAM6_BROADWELL_CORE 0x3D +#define INTEL_FAM6_BROADWELL_XEON_D 0x56 #define INTEL_FAM6_BROADWELL_GT3E 0x47 #define INTEL_FAM6_BROADWELL_X 0x4F -#define INTEL_FAM6_BROADWELL_XEON_D 0x56 #define INTEL_FAM6_SKYLAKE_MOBILE 0x4E #define INTEL_FAM6_SKYLAKE_DESKTOP 0x5E @@ -62,7 +60,6 @@ #define INTEL_FAM6_ATOM_MOOREFIELD 0x5A /* Anniedale */ #define INTEL_FAM6_ATOM_GOLDMONT 0x5C #define INTEL_FAM6_ATOM_DENVERTON 0x5F /* Goldmont Microserver */ -#define INTEL_FAM6_ATOM_GEMINI_LAKE 0x7A /* Xeon Phi */ diff -u linux-aws-4.4.0/arch/x86/kernel/cpu/intel.c linux-aws-4.4.0/arch/x86/kernel/cpu/intel.c --- linux-aws-4.4.0/arch/x86/kernel/cpu/intel.c +++ linux-aws-4.4.0/arch/x86/kernel/cpu/intel.c 
@@ -26,59 +26,6 @@ #include #endif -/* - * Early microcode releases for the Spectre v2 mitigation were broken. - * Information taken from; - * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf - * - https://kb.vmware.com/s/article/52345 - * - Microcode revisions observed in the wild - * - Release note from 20180108 microcode release - */ -struct sku_microcode { - u8 model; - u8 stepping; - u32 microcode; -}; -static const struct sku_microcode spectre_bad_microcodes[] = { - { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x84 }, - { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x84 }, - { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x84 }, - { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x84 }, - { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 }, - { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e }, - { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c }, - { INTEL_FAM6_SKYLAKE_MOBILE, 0x03, 0xc2 }, - { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 }, - { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 }, - { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b }, - { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 }, - { INTEL_FAM6_BROADWELL_XEON_D, 0x03, 0x07000011 }, - { INTEL_FAM6_BROADWELL_X, 0x01, 0x0b000025 }, - { INTEL_FAM6_HASWELL_ULT, 0x01, 0x21 }, - { INTEL_FAM6_HASWELL_GT3E, 0x01, 0x18 }, - { INTEL_FAM6_HASWELL_CORE, 0x03, 0x23 }, - { INTEL_FAM6_HASWELL_X, 0x02, 0x3b }, - { INTEL_FAM6_HASWELL_X, 0x04, 0x10 }, - { INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a }, - /* Updated in the 20180108 release; blacklist until we know otherwise */ - { INTEL_FAM6_ATOM_GEMINI_LAKE, 0x01, 0x22 }, - /* Observed in the wild */ - { INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b }, - { INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 }, -}; - -static bool bad_spectre_microcode(struct cpuinfo_x86 *c) -{ - int i; - - for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) { - if (c->x86_model == spectre_bad_microcodes[i].model && - c->x86_mask == spectre_bad_microcodes[i].stepping) - return (c->microcode <= spectre_bad_microcodes[i].microcode); - } - return false; 
-} - static void early_init_intel(struct cpuinfo_x86 *c) { u64 misc_enable; @@ -105,20 +52,6 @@ rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode); } - /* Now if any of them are set, check the blacklist and clear the lot */ - if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) || - cpu_has(c, X86_FEATURE_INTEL_STIBP) || - cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) || - cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) { - pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n"); - setup_clear_cpu_cap(X86_FEATURE_IBRS); - setup_clear_cpu_cap(X86_FEATURE_IBPB); - setup_clear_cpu_cap(X86_FEATURE_STIBP); - setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); - setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); - setup_clear_cpu_cap(X86_FEATURE_SSBD); - } - /* * Atom erratum AAE44/AAF40/AAG38/AAH41: * diff -u linux-aws-4.4.0/arch/x86/kvm/cpuid.c linux-aws-4.4.0/arch/x86/kvm/cpuid.c --- linux-aws-4.4.0/arch/x86/kvm/cpuid.c +++ linux-aws-4.4.0/arch/x86/kvm/cpuid.c @@ -447,7 +447,7 @@ // TSC_ADJUST is emulated entry->ebx |= F(TSC_ADJUST); entry->edx &= kvm_supported_7_0_edx_x86_features; - entry->edx &= get_scattered_cpuid_leaf(7, 0, 2); + cpuid_mask(&entry->edx, 16); } else { entry->ebx = 0; entry->edx = 0; diff -u linux-aws-4.4.0/debian.aws/changelog linux-aws-4.4.0/debian.aws/changelog --- linux-aws-4.4.0/debian.aws/changelog +++ linux-aws-4.4.0/debian.aws/changelog @@ -1,6 +1,6 @@ -linux-aws (4.4.0-1021.21) trusty; urgency=medium +linux-aws (4.4.0-1022.22) trusty; urgency=medium - [ Ubuntu: 4.4.0-126.152 ] + [ Ubuntu: 4.4.0-127.153 ] * CVE-2018-3639 (powerpc) - powerpc/pseries: Support firmware disable of RFI flush 
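Review bot: The bare `16` in the new `cpuid_mask(&entry->edx, 16);` line of the arch/x86/kvm/cpuid.c hunk is an unexplained index into the host capability words, and nothing in the hunk ties it to CPUID leaf 7 EDX. This mask decides which leaf-7 EDX feature bits are reported to guests, so if the word layout ever shifts, the guest-visible bits would be filtered against the wrong host word without any build error. I would add a comment on that line, for example `/* word 16: CPUID.(EAX=7,ECX=0):EDX; keep in sync with the cpufeature word layout */`, after confirming the index against this tree's cpufeature header. If the tree has a named constant for that word (upstream uses `CPUID_7_EDX`), use it instead. The enclosing function starts and ends outside the hunk, so the other `cpuid_mask()` call sites could not be checked for the same pattern.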
@@ -84,8 +84,11 @@ - SAUCE: x86/bugs: Fix __ssb_select_mitigation() return type - SAUCE: x86/bugs: Make cpu_show_common() static - x86/entry: define _TIF_ALLWORK_MASK flags explicitly + - Revert "x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 + microcodes" + - SAUCE: kvm/cpuid: Fix CPUID_7_0.EDX handling - -- Juerg Haefliger Fri, 18 May 2018 13:32:59 +0200 + -- Juerg Haefliger Sun, 20 May 2018 14:29:23 +0200 linux-aws (4.4.0-1020.20) trusty; urgency=medium diff -u linux-aws-4.4.0/debian.master/changelog linux-aws-4.4.0/debian.master/changelog --- linux-aws-4.4.0/debian.master/changelog +++ linux-aws-4.4.0/debian.master/changelog @@ -1,4 +1,4 @@ -linux (4.4.0-126.152) xenial; urgency=medium +linux (4.4.0-127.153) xenial; urgency=medium * CVE-2018-3639 (powerpc) - powerpc/pseries: Support firmware disable of RFI flush @@ -83,8 +83,11 @@ - SAUCE: x86/bugs: Fix __ssb_select_mitigation() return type - SAUCE: x86/bugs: Make cpu_show_common() static - x86/entry: define _TIF_ALLWORK_MASK flags explicitly + - Revert "x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 + microcodes" + - SAUCE: kvm/cpuid: Fix CPUID_7_0.EDX handling - -- Juerg Haefliger Thu, 17 May 2018 17:07:29 +0200 + -- Stefan Bader Sat, 19 May 2018 11:58:02 +0200 linux (4.4.0-125.150) xenial; urgency=medium diff -u linux-aws-4.4.0/debian/changelog linux-aws-4.4.0/debian/changelog --- linux-aws-4.4.0/debian/changelog +++ linux-aws-4.4.0/debian/changelog @@ -1,6 +1,6 @@ -linux-aws (4.4.0-1021.21) trusty; urgency=medium +linux-aws (4.4.0-1022.22) trusty; urgency=medium - [ Ubuntu: 4.4.0-126.152 ] + [ Ubuntu: 4.4.0-127.153 ] * CVE-2018-3639 (powerpc) - powerpc/pseries: Support firmware disable of RFI flush 
@@ -84,8 +84,11 @@ - SAUCE: x86/bugs: Fix __ssb_select_mitigation() return type - SAUCE: x86/bugs: Make cpu_show_common() static - x86/entry: define _TIF_ALLWORK_MASK flags explicitly + - Revert "x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 + microcodes" + - SAUCE: kvm/cpuid: Fix CPUID_7_0.EDX handling - -- Juerg Haefliger Fri, 18 May 2018 13:32:59 +0200 + -- Juerg Haefliger Sun, 20 May 2018 14:29:23 +0200 linux-aws (4.4.0-1020.20) trusty; urgency=medium diff -u linux-aws-4.4.0/debian/control linux-aws-4.4.0/debian/control --- linux-aws-4.4.0/debian/control +++ linux-aws-4.4.0/debian/control @@ -46,7 +46,7 @@ XS-Testsuite: autopkgtest #XS-Testsuite-Depends: gcc-4.7 binutils -Package: linux-aws-headers-4.4.0-1021 +Package: linux-aws-headers-4.4.0-1022 Architecture: all Multi-Arch: foreign Section: devel 
@@ -56,40 +56,40 @@ Description: Header files related to Linux kernel version 4.4.0 This package provides kernel header files for version 4.4.0, for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-aws-headers-4.4.0-1021/debian.README.gz for details + /usr/share/doc/linux-aws-headers-4.4.0-1022/debian.README.gz for details -Package: linux-aws-tools-4.4.0-1021 +Package: linux-aws-tools-4.4.0-1022 Architecture: amd64 Section: devel Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, linux-tools-common -Description: Linux kernel version specific tools for version 4.4.0-1021 +Description: Linux kernel version specific tools for version 4.4.0-1022 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 4.4.0-1021 on + version 4.4.0-1022 on 64 bit x86. - You probably want to install linux-tools-4.4.0-1021-. + You probably want to install linux-tools-4.4.0-1022-. -Package: linux-aws-cloud-tools-4.4.0-1021 +Package: linux-aws-cloud-tools-4.4.0-1022 Architecture: amd64 Section: devel Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, linux-cloud-tools-common -Description: Linux kernel version specific cloud tools for version 4.4.0-1021 +Description: Linux kernel version specific cloud tools for version 4.4.0-1022 This package provides the architecture dependant parts for kernel - version locked tools for cloud tools for version 4.4.0-1021 on + version locked tools for cloud tools for version 4.4.0-1022 on 64 bit x86. - You probably want to install linux-cloud-tools-4.4.0-1021-. + You probably want to install linux-cloud-tools-4.4.0-1022-. 
-Package: linux-image-4.4.0-1021-aws +Package: linux-image-4.4.0-1022-aws Architecture: amd64 Section: kernel Priority: optional Provides: linux-image, fuse-module, ${linux:rprovides} Depends: ${misc:Depends}, ${shlibs:Depends}, initramfs-tools | linux-initramfs-tool, kmod Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub | lilo -Suggests: fdutils, linux-aws-tools, linux-headers-4.4.0-1021-aws +Suggests: fdutils, linux-aws-tools, linux-headers-4.4.0-1022-aws Description: Linux kernel image for version 4.4.0 on 64 bit x86 SMP This package contains the Linux kernel image for version 4.4.0 on 64 bit x86 SMP. @@ -106,11 +106,11 @@ the linux-aws meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-image-extra-4.4.0-1021-aws +Package: linux-image-extra-4.4.0-1022-aws Architecture: amd64 Section: kernel Priority: optional -Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-4.4.0-1021-aws, crda | wireless-crda +Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-4.4.0-1022-aws, crda | wireless-crda Description: Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP This package contains the Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP. 
@@ -127,20 +127,20 @@ the linux-aws meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-headers-4.4.0-1021-aws +Package: linux-headers-4.4.0-1022-aws Architecture: amd64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-aws-headers-4.4.0-1021, ${shlibs:Depends} +Depends: ${misc:Depends}, linux-aws-headers-4.4.0-1022, ${shlibs:Depends} Provides: linux-headers, linux-headers-3.0 Description: Linux kernel headers for version 4.4.0 on 64 bit x86 SMP This package provides kernel header files for version 4.4.0 on 64 bit x86 SMP. . This is for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-aws-headers-4.4.0-1021/debian.README.gz for details. + /usr/share/doc/linux-aws-headers-4.4.0-1022/debian.README.gz for details. -Package: linux-image-4.4.0-1021-aws-dbgsym +Package: linux-image-4.4.0-1022-aws-dbgsym Architecture: amd64 Section: devel Priority: optional 
@@ -156,25 +156,25 @@ is uncompressed, and unstripped. This package also includes the unstripped modules. -Package: linux-tools-4.4.0-1021-aws +Package: linux-tools-4.4.0-1022-aws Architecture: amd64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-aws-tools-4.4.0-1021 -Description: Linux kernel version specific tools for version 4.4.0-1021 +Depends: ${misc:Depends}, linux-aws-tools-4.4.0-1022 +Description: Linux kernel version specific tools for version 4.4.0-1022 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 4.4.0-1021 on + version 4.4.0-1022 on 64 bit x86. -Package: linux-cloud-tools-4.4.0-1021-aws +Package: linux-cloud-tools-4.4.0-1022-aws Architecture: amd64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-aws-cloud-tools-4.4.0-1021 -Description: Linux kernel version specific cloud tools for version 4.4.0-1021 +Depends: ${misc:Depends}, linux-aws-cloud-tools-4.4.0-1022 +Description: Linux kernel version specific cloud tools for version 4.4.0-1022 This package provides the architecture dependant parts for kernel - version locked tools for cloud for version 4.4.0-1021 on + version locked tools for cloud for version 4.4.0-1022 on 64 bit x86. Package: linux-aws-udebs-aws