diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 64869cc6385..2947fca9b7d 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -188,8 +188,9 @@ config X86_NO_SPECTRE_V1
 	bool
 	help
 	  This hidden option should be set on a per-SOC basis to indicate that
-	  a particular SOC is not vulnerable to the Spectre V1, V1.1, and V1.2
-	  CPU vulnerabilities as described in CVE-2017-5753 and CVE-2018-3693.
+	  a particular SOC is not vulnerable to the Spectre V1, V1.1, V1.2, and
+	  swapgs CPU vulnerabilities as described in CVE-2017-5753,
+	  CVE-2018-3693, and CVE-2019-1125.
 
 config X86_NO_SPECTRE_V2
 	bool
diff --git a/arch/x86/core/intel64/locore.S b/arch/x86/core/intel64/locore.S
index 8e5ef3d6e98..fb340838eb1 100644
--- a/arch/x86/core/intel64/locore.S
+++ b/arch/x86/core/intel64/locore.S
@@ -310,8 +310,12 @@ __resume:
 	jz 1f
 	swapgs
 #endif /* CONFIG_USERSPACE */
-
-1:	iretq
+1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
+	iretq
 
 
 
@@ -329,6 +333,10 @@ except: /*
 	jz 1f
 	swapgs
 1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
 #endif /* CONFIG_USERSPACE */
 	pushq %r15
 	subq $X86_FXSAVE_SIZE, %rsp
@@ -427,6 +435,10 @@ irq:
 	jz 1f
 	swapgs
 1:
+#ifdef CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION
+	/* swapgs variant of Spectre V1. Disable speculation past this point */
+	lfence
+#endif /* CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION */
 #endif /* CONFIG_USERSPACE */
 	pushq %rsi
 	movq %gs:__x86_tss64_t_cpu_OFFSET, %rsi