37 files changed, 206 insertions, 98 deletions

diff --git a/Documentation/ioctl/ioctl-number.txt b/Documentation/ioctl/ioctl-number.txt
index 7bb0d934b6d..dbea4f95fc8 100644
--- a/Documentation/ioctl/ioctl-number.txt
+++ b/Documentation/ioctl/ioctl-number.txt
@@ -139,6 +139,7 @@ Code	Seq#	Include File		Comments
 'm'     all     linux/synclink.h        conflict!
 'm'     00-1F   net/irda/irmod.h        conflict!
 'n'     00-7F   linux/ncp_fs.h
+'n'     80-8F   linux/nilfs2_fs.h       NILFS2
 'n'     E0-FF   video/matrox.h          matroxfb
 'o'     00-1F   fs/ocfs2/ocfs2_fs.h     OCFS2
 'o'     00-03   include/mtd/ubi-user.h  conflict! (OCFS2 and UBI overlaps)
diff --git a/Documentation/lockdep-design.txt b/Documentation/lockdep-design.txt
index e20d913d591..abf768c681e 100644
--- a/Documentation/lockdep-design.txt
+++ b/Documentation/lockdep-design.txt
@@ -30,9 +30,9 @@ State
 The validator tracks lock-class usage history into 4n + 1 separate state bits:
 
 - 'ever held in STATE context'
-- 'ever head as readlock in STATE context'
-- 'ever head with STATE enabled'
-- 'ever head as readlock with STATE enabled'
+- 'ever held as readlock in STATE context'
+- 'ever held with STATE enabled'
+- 'ever held as readlock with STATE enabled'
 
 Where STATE can be either one of (kernel/lockdep_states.h)
  - hardirq
diff --git a/arch/ia64/kvm/mmio.c b/arch/ia64/kvm/mmio.c
index 21f63fffc37..9bf55afd08d 100644
--- a/arch/ia64/kvm/mmio.c
+++ b/arch/ia64/kvm/mmio.c
@@ -247,7 +247,8 @@ void emulate_io_inst(struct kvm_vcpu *vcpu, u64 padr, u64 ma)
                 vcpu_get_fpreg(vcpu, inst.M9.f2, &v);
                 /* Write high word. FIXME: this is a kludge!  */
                 v.u.bits[1] &= 0x3ffff;
-                mmio_access(vcpu, padr + 8, &v.u.bits[1], 8, ma, IOREQ_WRITE);
+                mmio_access(vcpu, padr + 8, (u64 *)&v.u.bits[1], 8,
+                            ma, IOREQ_WRITE);
                 data = v.u.bits[0];
                 size = 3;
         } else if (inst.M10.major == 7 && inst.M10.x6 == 0x3B) {
@@ -265,7 +266,8 @@ void emulate_io_inst(struct kvm_vcpu *vcpu, u64 padr, u64 ma)
 
                 /* Write high word.FIXME: this is a kludge!  */
                 v.u.bits[1] &= 0x3ffff;
-                mmio_access(vcpu, padr + 8, &v.u.bits[1], 8, ma, IOREQ_WRITE);
+                mmio_access(vcpu, padr + 8, (u64 *)&v.u.bits[1],
+                            8, ma, IOREQ_WRITE);
                 data = v.u.bits[0];
                 size = 3;
         } else if (inst.M10.major == 7 && inst.M10.x6 == 0x31) {
diff --git a/arch/ia64/kvm/vcpu.c b/arch/ia64/kvm/vcpu.c
index 46b02cbcc87..cc406d064a0 100644
--- a/arch/ia64/kvm/vcpu.c
+++ b/arch/ia64/kvm/vcpu.c
@@ -461,7 +461,7 @@ void setreg(unsigned long regnum, unsigned long val,
 u64 vcpu_get_gr(struct kvm_vcpu *vcpu, unsigned long reg)
 {
         struct kvm_pt_regs *regs = vcpu_regs(vcpu);
-        u64 val;
+        unsigned long val;
 
         if (!reg)
                 return 0;
@@ -469,7 +469,7 @@ u64 vcpu_get_gr(struct kvm_vcpu *vcpu, unsigned long reg)
         return val;
 }
 
-void vcpu_set_gr(struct kvm_vcpu *vcpu, u64 reg, u64 value, int nat)
+void vcpu_set_gr(struct kvm_vcpu *vcpu, unsigned long reg, u64 value, int nat)
 {
         struct kvm_pt_regs *regs = vcpu_regs(vcpu);
         long sof = (regs->cr_ifs) & 0x7f;
@@ -1072,7 +1072,7 @@ void kvm_ttag(struct kvm_vcpu *vcpu, INST64 inst)
         vcpu_set_gr(vcpu, inst.M46.r1, tag, 0);
 }
 
-int vcpu_tpa(struct kvm_vcpu *vcpu, u64 vadr, u64 *padr)
+int vcpu_tpa(struct kvm_vcpu *vcpu, u64 vadr, unsigned long *padr)
 {
         struct thash_data *data;
         union ia64_isr visr, pt_isr;
diff --git a/arch/ia64/kvm/vcpu.h b/arch/ia64/kvm/vcpu.h
index 042af92ced8..360724d3ae6 100644
--- a/arch/ia64/kvm/vcpu.h
+++ b/arch/ia64/kvm/vcpu.h
@@ -686,14 +686,15 @@ static inline int highest_inservice_irq(struct kvm_vcpu *vcpu)
         return highest_bits((int *)&(VMX(vcpu, insvc[0])));
 }
 
-extern void vcpu_get_fpreg(struct kvm_vcpu *vcpu, u64 reg,
+extern void vcpu_get_fpreg(struct kvm_vcpu *vcpu, unsigned long reg,
                                         struct ia64_fpreg *val);
-extern void vcpu_set_fpreg(struct kvm_vcpu *vcpu, u64 reg,
+extern void vcpu_set_fpreg(struct kvm_vcpu *vcpu, unsigned long reg,
                                         struct ia64_fpreg *val);
-extern u64 vcpu_get_gr(struct kvm_vcpu *vcpu, u64 reg);
-extern void vcpu_set_gr(struct kvm_vcpu *vcpu, u64 reg, u64 val, int nat);
-extern u64 vcpu_get_psr(struct kvm_vcpu *vcpu);
-extern void vcpu_set_psr(struct kvm_vcpu *vcpu, u64 val);
+extern u64 vcpu_get_gr(struct kvm_vcpu *vcpu, unsigned long reg);
+extern void vcpu_set_gr(struct kvm_vcpu *vcpu, unsigned long reg,
+                        u64 val, int nat);
+extern unsigned long vcpu_get_psr(struct kvm_vcpu *vcpu);
+extern void vcpu_set_psr(struct kvm_vcpu *vcpu, unsigned long val);
 extern u64 vcpu_thash(struct kvm_vcpu *vcpu, u64 vadr);
 extern void vcpu_bsw0(struct kvm_vcpu *vcpu);
 extern void thash_vhpt_insert(struct kvm_vcpu *v, u64 pte,
diff --git a/arch/mn10300/include/asm/pci.h b/arch/mn10300/include/asm/pci.h
index 35d2ed6396f..19aecc90f7a 100644
--- a/arch/mn10300/include/asm/pci.h
+++ b/arch/mn10300/include/asm/pci.h
@@ -59,7 +59,6 @@ void pcibios_penalize_isa_irq(int irq);
 #include <linux/slab.h>
 #include <asm/scatterlist.h>
 #include <linux/string.h>
-#include <linux/mm.h>
 #include <asm/io.h>
 
 struct pci_dev;
diff --git a/arch/powerpc/include/asm/kvm_host.h b/arch/powerpc/include/asm/kvm_host.h
index dfdf13c9fef..fddc3ed715f 100644
--- a/arch/powerpc/include/asm/kvm_host.h
+++ b/arch/powerpc/include/asm/kvm_host.h
@@ -34,7 +34,7 @@
 #define KVM_COALESCED_MMIO_PAGE_OFFSET 1
 
 /* We don't currently support large pages. */
-#define KVM_PAGES_PER_HPAGE (1<<31)
+#define KVM_PAGES_PER_HPAGE (1UL << 31)
 
 struct kvm;
 struct kvm_run;
diff --git a/arch/powerpc/kernel/dma.c b/arch/powerpc/kernel/dma.c
index 20a60d661ba..ccf129d47d8 100644
--- a/arch/powerpc/kernel/dma.c
+++ b/arch/powerpc/kernel/dma.c
@@ -7,6 +7,7 @@
 
 #include <linux/device.h>
 #include <linux/dma-mapping.h>
+#include <linux/lmb.h>
 #include <asm/bug.h>
 #include <asm/abs_addr.h>
 
@@ -90,11 +91,10 @@ static void dma_direct_unmap_sg(struct device *dev, struct scatterlist *sg,
 static int dma_direct_dma_supported(struct device *dev, u64 mask)
 {
 #ifdef CONFIG_PPC64
-        /* Could be improved to check for memory though it better be
-         * done via some global so platforms can set the limit in case
+        /* Could be improved so platforms can set the limit in case
          * they have limited DMA windows
          */
-        return mask >= DMA_BIT_MASK(32);
+        return mask >= (lmb_end_of_DRAM() - 1);
 #else
         return 1;
 #endif
diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
index f04f5301b1b..4d613415c43 100644
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -386,7 +386,7 @@ no_timer:
         }
         __unset_cpu_idle(vcpu);
         __set_current_state(TASK_RUNNING);
-        remove_wait_queue(&vcpu->wq, &wait);
+        remove_wait_queue(&vcpu->arch.local_int.wq, &wait);
         spin_unlock_bh(&vcpu->arch.local_int.lock);
         spin_unlock(&vcpu->arch.local_int.float_int->lock);
         hrtimer_try_to_cancel(&vcpu->arch.ckc_timer);
diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c
index 2ed4e2bb3b3..a5371ec3677 100644
--- a/arch/x86/kernel/apic/x2apic_cluster.c
+++ b/arch/x86/kernel/apic/x2apic_cluster.c
@@ -17,11 +17,13 @@ static int x2apic_acpi_madt_oem_check(char *oem_id, char *oem_table_id)
         return x2apic_enabled();
 }
 
-/* Start with all IRQs pointing to boot CPU.  IRQ balancing will shift them. */
-
+/*
+ * need to use more than cpu 0, because we need more vectors when
+ * MSI-X are used.
+ */
 static const struct cpumask *x2apic_target_cpus(void)
 {
-        return cpumask_of(0);
+        return cpu_online_mask;
 }
 
 /*
diff --git a/arch/x86/kernel/apic/x2apic_phys.c b/arch/x86/kernel/apic/x2apic_phys.c
index 0b631c6a2e0..a8989aadc99 100644
--- a/arch/x86/kernel/apic/x2apic_phys.c
+++ b/arch/x86/kernel/apic/x2apic_phys.c
@@ -27,11 +27,13 @@ static int x2apic_acpi_madt_oem_check(char *oem_id, char *oem_table_id)
                 return 0;
 }
 
-/* Start with all IRQs pointing to boot CPU.  IRQ balancing will shift them. */
-
+/*
+ * need to use more than cpu 0, because we need more vectors when
+ * MSI-X are used.
+ */
 static const struct cpumask *x2apic_target_cpus(void)
 {
-        return cpumask_of(0);
+        return cpu_online_mask;
 }
 
 static void x2apic_vector_allocation_domain(int cpu, struct cpumask *retmask)
diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c
index 19ccf6d0dcc..fe26ba3e345 100644
--- a/arch/x86/kernel/efi.c
+++ b/arch/x86/kernel/efi.c
@@ -354,7 +354,7 @@ void __init efi_init(void)
          */
         c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
         if (c16) {
-                for (i = 0; i < sizeof(vendor) && *c16; ++i)
+                for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
                         vendor[i] = *c16++;
                 vendor[i] = '\0';
         } else
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
index 834c9da8bf9..9eb89760370 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -405,7 +405,7 @@ EXPORT_SYMBOL(machine_real_restart);
 #endif /* CONFIG_X86_32 */
 
 /*
- * Apple MacBook5,2 (2009 MacBook) needs reboot=p
+ * Some Apple MacBook and MacBookPro's needs reboot=p to be able to reboot
  */
 static int __init set_pci_reboot(const struct dmi_system_id *d)
 {
@@ -426,6 +426,14 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = {
                         DMI_MATCH(DMI_PRODUCT_NAME, "MacBook5,2"),
                 },
         },
+        {       /* Handle problems with rebooting on Apple MacBookPro5,1 */
+                .callback = set_pci_reboot,
+                .ident = "Apple MacBookPro5,1",
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
+                        DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro5,1"),
+                },
+        },
         { }
 };
 
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index 6e1a368d21d..71f4368b357 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -275,15 +275,20 @@ static unsigned long pit_calibrate_tsc(u32 latch, unsigned long ms, int loopmin)
  * use the TSC value at the transitions to calculate a pretty
  * good value for the TSC frequencty.
  */
+static inline int pit_verify_msb(unsigned char val)
+{
+        /* Ignore LSB */
+        inb(0x42);
+        return inb(0x42) == val;
+}
+
 static inline int pit_expect_msb(unsigned char val, u64 *tscp, unsigned long *deltap)
 {
         int count;
         u64 tsc = 0;
 
         for (count = 0; count < 50000; count++) {
-                /* Ignore LSB */
-                inb(0x42);
-                if (inb(0x42) != val)
+                if (!pit_verify_msb(val))
                         break;
                 tsc = get_cycles();
         }
@@ -336,8 +341,7 @@ static unsigned long quick_pit_calibrate(void)
          * to do that is to just read back the 16-bit counter
          * once from the PIT.
          */
-        inb(0x42);
-        inb(0x42);
+        pit_verify_msb(0);
 
         if (pit_expect_msb(0xff, &tsc, &d1)) {
                 for (i = 1; i <= MAX_QUICK_PIT_ITERATIONS; i++) {
@@ -348,8 +352,19 @@ static unsigned long quick_pit_calibrate(void)
                          * Iterate until the error is less than 500 ppm
                          */
                         delta -= tsc;
-                        if (d1+d2 < delta >> 11)
-                                goto success;
+                        if (d1+d2 >= delta >> 11)
+                                continue;
+
+                        /*
+                         * Check the PIT one more time to verify that
+                         * all TSC reads were stable wrt the PIT.
+                         *
+                         * This also guarantees serialization of the
+                         * last cycle read ('d2') in pit_expect_msb.
+                         */
+                        if (!pit_verify_msb(0xfe - i))
+                                break;
+                        goto success;
                 }
         }
         printk("Fast TSC calibration failed\n");
diff --git a/arch/x86/kernel/vmi_32.c b/arch/x86/kernel/vmi_32.c
index b263423fbe2..95a7289e4b0 100644
--- a/arch/x86/kernel/vmi_32.c
+++ b/arch/x86/kernel/vmi_32.c
@@ -441,7 +441,7 @@ vmi_startup_ipi_hook(int phys_apicid, unsigned long start_eip,
         ap.ds = __USER_DS;
         ap.es = __USER_DS;
         ap.fs = __KERNEL_PERCPU;
-        ap.gs = 0;
+        ap.gs = __KERNEL_STACK_CANARY;
 
         ap.eflags = 0;
 
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 4d6f0d293ee..21f68e00524 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -104,6 +104,9 @@ static s64 __kpit_elapsed(struct kvm *kvm)
         ktime_t remaining;
         struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
 
+        if (!ps->pit_timer.period)
+                return 0;
+
         /*
          * The Counter does not stop when it reaches zero. In
          * Modes 0, 1, 4, and 5 the Counter ``wraps around'' to
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 7030b5f911b..0ef5bb2b404 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -489,16 +489,20 @@ static unsigned long *gfn_to_rmap(struct kvm *kvm, gfn_t gfn, int lpage)
  *
  * If rmapp bit zero is one, (then rmap & ~1) points to a struct kvm_rmap_desc
  * containing more mappings.
+ *
+ * Returns the number of rmap entries before the spte was added or zero if
+ * the spte was not added.
+ *
  */
-static void rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
+static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
 {
         struct kvm_mmu_page *sp;
         struct kvm_rmap_desc *desc;
         unsigned long *rmapp;
-        int i;
+        int i, count = 0;
 
         if (!is_rmap_pte(*spte))
-                return;
+                return count;
         gfn = unalias_gfn(vcpu->kvm, gfn);
         sp = page_header(__pa(spte));
         sp->gfns[spte - sp->spt] = gfn;
@@ -515,8 +519,10 @@ static void rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
         } else {
                 rmap_printk("rmap_add: %p %llx many->many\n", spte, *spte);
                 desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
-                while (desc->shadow_ptes[RMAP_EXT-1] && desc->more)
+                while (desc->shadow_ptes[RMAP_EXT-1] && desc->more) {
                         desc = desc->more;
+                        count += RMAP_EXT;
+                }
                 if (desc->shadow_ptes[RMAP_EXT-1]) {
                         desc->more = mmu_alloc_rmap_desc(vcpu);
                         desc = desc->more;
@@ -525,6 +531,7 @@ static void rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
                         ;
                 desc->shadow_ptes[i] = spte;
         }
+        return count;
 }
 
 static void rmap_desc_remove_entry(unsigned long *rmapp,
@@ -754,6 +761,19 @@ static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp)
         return young;
 }
 
+#define RMAP_RECYCLE_THRESHOLD 1000
+
+static void rmap_recycle(struct kvm_vcpu *vcpu, gfn_t gfn, int lpage)
+{
+        unsigned long *rmapp;
+
+        gfn = unalias_gfn(vcpu->kvm, gfn);
+        rmapp = gfn_to_rmap(vcpu->kvm, gfn, lpage);
+
+        kvm_unmap_rmapp(vcpu->kvm, rmapp);
+        kvm_flush_remote_tlbs(vcpu->kvm);
+}
+
 int kvm_age_hva(struct kvm *kvm, unsigned long hva)
 {
         return kvm_handle_hva(kvm, hva, kvm_age_rmapp);
@@ -1407,24 +1427,25 @@ static int kvm_mmu_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp)
  */
 void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages)
 {
+        int used_pages;
+
+        used_pages = kvm->arch.n_alloc_mmu_pages - kvm->arch.n_free_mmu_pages;
+        used_pages = max(0, used_pages);
+
         /*
          * If we set the number of mmu pages to be smaller be than the
          * number of actived pages , we must to free some mmu pages before we
          * change the value
          */
 
-        if ((kvm->arch.n_alloc_mmu_pages - kvm->arch.n_free_mmu_pages) >
-            kvm_nr_mmu_pages) {
-                int n_used_mmu_pages = kvm->arch.n_alloc_mmu_pages
-                                       - kvm->arch.n_free_mmu_pages;
-
-                while (n_used_mmu_pages > kvm_nr_mmu_pages) {
+        if (used_pages > kvm_nr_mmu_pages) {
+                while (used_pages > kvm_nr_mmu_pages) {
                         struct kvm_mmu_page *page;
 
                         page = container_of(kvm->arch.active_mmu_pages.prev,
                                             struct kvm_mmu_page, link);
                         kvm_mmu_zap_page(kvm, page);
-                        n_used_mmu_pages--;
+                        used_pages--;
                 }
                 kvm->arch.n_free_mmu_pages = 0;
         }
@@ -1740,6 +1761,7 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
 {
         int was_rmapped = 0;
         int was_writeble = is_writeble_pte(*shadow_pte);
+        int rmap_count;
 
         pgprintk("%s: spte %llx access %x write_fault %d"
                  " user_fault %d gfn %lx\n",
@@ -1781,9 +1803,11 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
 
         page_header_update_slot(vcpu->kvm, shadow_pte, gfn);
         if (!was_rmapped) {
-                rmap_add(vcpu, shadow_pte, gfn, largepage);
+                rmap_count = rmap_add(vcpu, shadow_pte, gfn, largepage);
                 if (!is_rmap_pte(*shadow_pte))
                         kvm_release_pfn_clean(pfn);
+                if (rmap_count > RMAP_RECYCLE_THRESHOLD)
+                        rmap_recycle(vcpu, gfn, largepage);
         } else {
                 if (was_writeble)
                         kvm_release_pfn_dirty(pfn);
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 71510e07e69..b1f658ad2f0 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -711,6 +711,7 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
                 svm->vmcb->control.tsc_offset += delta;
                 vcpu->cpu = cpu;
                 kvm_migrate_timers(vcpu);
+                svm->asid_generation = 0;
         }
 
         for (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)
@@ -1031,7 +1032,6 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *svm_data)
                 svm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ALL_ASID;
         }
 
-        svm->vcpu.cpu = svm_data->cpu;
         svm->asid_generation = svm_data->asid_generation;
         svm->vmcb->control.asid = svm_data->next_asid++;
 }
@@ -2300,8 +2300,8 @@ static void pre_svm_run(struct vcpu_svm *svm)
         struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
 
         svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;
-        if (svm->vcpu.cpu != cpu ||
-            svm->asid_generation != svm_data->asid_generation)
+        /* FIXME: handle wraparound of asid_generation */
+        if (svm->asid_generation != svm_data->asid_generation)
                 new_asid(svm, svm_data);
 }
 
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 356a0ce85c6..29f912927a5 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3157,8 +3157,8 @@ static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
         struct vcpu_vmx *vmx = to_vmx(vcpu);
         enum emulation_result err = EMULATE_DONE;
 
-        preempt_enable();
         local_irq_enable();
+        preempt_enable();
 
         while (!guest_state_valid(vcpu)) {
                 err = emulate_instruction(vcpu, kvm_run, 0, 0, 0);
@@ -3168,7 +3168,7 @@ static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
 
                 if (err != EMULATE_DONE) {
                         kvm_report_emulation_failure(vcpu, "emulation failure");
-                        return;
+                        break;
                 }
 
                 if (signal_pending(current))
@@ -3177,8 +3177,8 @@ static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
                         schedule();
         }
 
-        local_irq_disable();
         preempt_disable();
+        local_irq_disable();
 
         vmx->invalid_state_emulation_result = err;
 }
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index fe5474aec41..3d452901182 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -704,11 +704,48 @@ static bool msr_mtrr_valid(unsigned msr)
         return false;
 }
 
+static bool valid_pat_type(unsigned t)
+{
+        return t < 8 && (1 << t) & 0xf3; /* 0, 1, 4, 5, 6, 7 */
+}
+
+static bool valid_mtrr_type(unsigned t)
+{
+        return t < 8 && (1 << t) & 0x73; /* 0, 1, 4, 5, 6 */
+}
+
+static bool mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+{
+        int i;
+
+        if (!msr_mtrr_valid(msr))
+                return false;
+
+        if (msr == MSR_IA32_CR_PAT) {
+                for (i = 0; i < 8; i++)
+                        if (!valid_pat_type((data >> (i * 8)) & 0xff))
+                                return false;
+                return true;
+        } else if (msr == MSR_MTRRdefType) {
+                if (data & ~0xcff)
+                        return false;
+                return valid_mtrr_type(data & 0xff);
+        } else if (msr >= MSR_MTRRfix64K_00000 && msr <= MSR_MTRRfix4K_F8000) {
+                for (i = 0; i < 8 ; i++)
+                        if (!valid_mtrr_type((data >> (i * 8)) & 0xff))
+                                return false;
+                return true;
+        }
+
+        /* variable MTRRs */
+        return valid_mtrr_type(data & 0xff);
+}
+
 static int set_msr_mtrr(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
         u64 *p = (u64 *)&vcpu->arch.mtrr_state.fixed_ranges;
 
-        if (!msr_mtrr_valid(msr))
+        if (!mtrr_valid(vcpu, msr, data))
                 return 1;
 
         if (msr == MSR_MTRRdefType) {
@@ -1079,14 +1116,13 @@ long kvm_arch_dev_ioctl(struct file *filp,
                 if (copy_to_user(user_msr_list, &msr_list, sizeof msr_list))
                         goto out;
                 r = -E2BIG;
-                if (n < num_msrs_to_save)
+                if (n < msr_list.nmsrs)
                         goto out;
                 r = -EFAULT;
                 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
                                  num_msrs_to_save * sizeof(u32)))
                         goto out;
-                if (copy_to_user(user_msr_list->indices
-                                 + num_msrs_to_save * sizeof(u32),
+                if (copy_to_user(user_msr_list->indices + num_msrs_to_save,
                                  &emulated_msrs,
                                  ARRAY_SIZE(emulated_msrs) * sizeof(u32)))
                         goto out;
diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index b4a3dbcebe9..f85aaf21e78 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -566,7 +566,7 @@ int drm_wait_vblank(struct drm_device *dev, void *data,
 
         ret = drm_vblank_get(dev, crtc);
         if (ret) {
-                DRM_ERROR("failed to acquire vblank counter, %d\n", ret);
+                DRM_DEBUG("failed to acquire vblank counter, %d\n", ret);
                 return ret;
         }
         seq = drm_vblank_count(dev, crtc);
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index 54f492a488a..7914097b09c 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -566,6 +566,8 @@ void drm_mode_connector_list_update(struct drm_connector *connector)
                                 found_it = 1;
                                 /* if equal delete the probed mode */
                                 mode->status = pmode->status;
+                                /* Merge type bits together */
+                                mode->type |= pmode->type;
                                 list_del(&pmode->head);
                                 drm_mode_destroy(connector->dev, pmode);
                                 break;
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
index 83aee80e77a..7ebc84c2881 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -190,7 +190,7 @@ u32 i915_get_vblank_counter(struct drm_device *dev, int pipe)
         low_frame = pipe ? PIPEBFRAMEPIXEL : PIPEAFRAMEPIXEL;
 
         if (!i915_pipe_enabled(dev, pipe)) {
-                DRM_ERROR("trying to get vblank count for disabled pipe %d\n", pipe);
+                DRM_DEBUG("trying to get vblank count for disabled pipe %d\n", pipe);
                 return 0;
         }
 
@@ -219,7 +219,7 @@ u32 gm45_get_vblank_counter(struct drm_device *dev, int pipe)
         int reg = pipe ? PIPEB_FRMCOUNT_GM45 : PIPEA_FRMCOUNT_GM45;
 
         if (!i915_pipe_enabled(dev, pipe)) {
-                DRM_ERROR("trying to get vblank count for disabled pipe %d\n", pipe);
+                DRM_DEBUG("trying to get vblank count for disabled pipe %d\n", pipe);
                 return 0;
         }
 
diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index 0f2034c3ed2..e4d9ef0c965 100644
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -1254,6 +1254,7 @@ out_free:
                 if (!ubi->volumes[i])
                         continue;
                 kfree(ubi->volumes[i]->eba_tbl);
+                ubi->volumes[i]->eba_tbl = NULL;
         }
         return err;
 }
diff --git a/drivers/mtd/ubi/scan.c b/drivers/mtd/ubi/scan.c
index a423131b617..b847745394b 100644
--- a/drivers/mtd/ubi/scan.c
+++ b/drivers/mtd/ubi/scan.c
@@ -781,11 +781,22 @@ static int process_eb(struct ubi_device *ubi, struct ubi_scan_info *si,
                         return -EINVAL;
                 }
 
+                /*
+                 * Make sure that all PEBs have the same image sequence number.
+                 * This allows us to detect situations when users flash UBI
+                 * images incorrectly, so that the flash has the new UBI image
+                 * and leftovers from the old one. This feature was added
+                 * relatively recently, and the sequence number was always
+                 * zero, because old UBI implementations always set it to zero.
+                 * For this reasons, we do not panic if some PEBs have zero
+                 * sequence number, while other PEBs have non-zero sequence
+                 * number.
+                 */
                 image_seq = be32_to_cpu(ech->image_seq);
                 if (!si->image_seq_set) {
                         ubi->image_seq = image_seq;
                         si->image_seq_set = 1;
-                } else if (ubi->image_seq != image_seq) {
+                } else if (ubi->image_seq && ubi->image_seq != image_seq) {
                         ubi_err("bad image sequence number %d in PEB %d, "
                                 "expected %d", image_seq, pnum, ubi->image_seq);
                         ubi_dbg_dump_ec_hdr(ech);
diff --git a/drivers/pci/hotplug/sgi_hotplug.c b/drivers/pci/hotplug/sgi_hotplug.c
index a4494d78e7c..8aebe1e9d3d 100644
--- a/drivers/pci/hotplug/sgi_hotplug.c
+++ b/drivers/pci/hotplug/sgi_hotplug.c
@@ -90,11 +90,10 @@ static struct hotplug_slot_ops sn_hotplug_slot_ops = {
 
 static DEFINE_MUTEX(sn_hotplug_mutex);
 
-static ssize_t path_show (struct hotplug_slot *bss_hotplug_slot,
-                          char *buf)
+static ssize_t path_show(struct pci_slot *pci_slot, char *buf)
 {
         int retval = -ENOENT;
-        struct slot *slot = bss_hotplug_slot->private;
+        struct slot *slot = pci_slot->hotplug->private;
 
         if (!slot)
                 return retval;
@@ -103,7 +102,7 @@ static ssize_t path_show (struct hotplug_slot *bss_hotplug_slot,
         return retval;
 }
 
-static struct hotplug_slot_attribute sn_slot_path_attr = __ATTR_RO(path);
+static struct pci_slot_attribute sn_slot_path_attr = __ATTR_RO(path);
 
 static int sn_pci_slot_valid(struct pci_bus *pci_bus, int device)
 {
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 3ce5ae9e3d2..175db258942 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -234,23 +234,20 @@ static int check_mem_permission(struct task_struct *task)
 
 struct mm_struct *mm_for_maps(struct task_struct *task)
 {
-        struct mm_struct *mm = get_task_mm(task);
-        if (!mm)
+        struct mm_struct *mm;
+
+        if (mutex_lock_killable(&task->cred_guard_mutex))
                 return NULL;
-        down_read(&mm->mmap_sem);
-        task_lock(task);
-        if (task->mm != mm)
-                goto out;
-        if (task->mm != current->mm &&
-            __ptrace_may_access(task, PTRACE_MODE_READ) < 0)
-                goto out;
-        task_unlock(task);
+
+        mm = get_task_mm(task);
+        if (mm && mm != current->mm &&
+                        !ptrace_may_access(task, PTRACE_MODE_READ)) {
+                mmput(mm);
+                mm = NULL;
+        }
+        mutex_unlock(&task->cred_guard_mutex);
+
         return mm;
-out:
-        task_unlock(task);
-        up_read(&mm->mmap_sem);
-        mmput(mm);
-        return NULL;
 }
 
 static int proc_pid_cmdline(struct task_struct *task, char * buffer)
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 6f61b7cc32e..9bd8be1d235 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -119,6 +119,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
         mm = mm_for_maps(priv->task);
         if (!mm)
                 return NULL;
+        down_read(&mm->mmap_sem);
 
         tail_vma = get_gate_vma(priv->task);
         priv->tail_vma = tail_vma;
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index 64a72e2e765..8f5c05d3dbd 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -189,6 +189,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
                 priv->task = NULL;
                 return NULL;
         }
+        down_read(&mm->mmap_sem);
 
         /* start from the Nth VMA */
         for (p = rb_first(&mm->mm_rb); p; p = rb_next(p))
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 16713dc672e..3060bdc35ff 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -110,6 +110,7 @@ struct kvm_memory_slot {
 
 struct kvm_kernel_irq_routing_entry {
         u32 gsi;
+        u32 type;
         int (*set)(struct kvm_kernel_irq_routing_entry *e,
                     struct kvm *kvm, int level);
         union {
diff --git a/kernel/irq/numa_migrate.c b/kernel/irq/numa_migrate.c
index 2f69bee57bf..3fd30197da2 100644
--- a/kernel/irq/numa_migrate.c
+++ b/kernel/irq/numa_migrate.c
@@ -107,8 +107,8 @@ out_unlock:
 
 struct irq_desc *move_irq_desc(struct irq_desc *desc, int node)
 {
-        /* those all static, do move them */
-        if (desc->irq < NR_IRQS_LEGACY)
+        /* those static or target node is -1, do not move them */
+        if (desc->irq < NR_IRQS_LEGACY || node == -1)
                 return desc;
 
         if (desc->node != node)
diff --git a/kernel/lockdep_proc.c b/kernel/lockdep_proc.c
index d7135aa2d2c..e94caa666db 100644
--- a/kernel/lockdep_proc.c
+++ b/kernel/lockdep_proc.c
@@ -758,7 +758,8 @@ static int __init lockdep_proc_init(void)
                     &proc_lockdep_stats_operations);
 
 #ifdef CONFIG_LOCK_STAT
-        proc_create("lock_stat", S_IRUSR, NULL, &proc_lock_stat_operations);
+        proc_create("lock_stat", S_IRUSR | S_IWUSR, NULL,
+                    &proc_lock_stat_operations);
 #endif
 
         return 0;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
index bece7c0b67b..e33a21cb940 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
@@ -521,11 +521,12 @@ void posix_cpu_timers_exit(struct task_struct *tsk)
 }
 void posix_cpu_timers_exit_group(struct task_struct *tsk)
 {
-        struct task_cputime cputime;
+        struct signal_struct *const sig = tsk->signal;
 
-        thread_group_cputimer(tsk, &cputime);
         cleanup_timers(tsk->signal->cpu_timers,
-                       cputime.utime, cputime.stime, cputime.sum_exec_runtime);
+                       cputime_add(tsk->utime, sig->utime),
+                       cputime_add(tsk->stime, sig->stime),
+                       tsk->se.sum_exec_runtime + sig->sum_sched_runtime);
 }
 
 static void clear_dead_task(struct k_itimer *timer, union cpu_time_count now)
diff --git a/kernel/rtmutex.c b/kernel/rtmutex.c
index fcd107a78c5..29bd4baf9e7 100644
--- a/kernel/rtmutex.c
+++ b/kernel/rtmutex.c
@@ -1039,16 +1039,14 @@ int rt_mutex_start_proxy_lock(struct rt_mutex *lock,
         if (!rt_mutex_owner(lock) || try_to_steal_lock(lock, task)) {
                 /* We got the lock for task. */
                 debug_rt_mutex_lock(lock);
-
                 rt_mutex_set_owner(lock, task, 0);
-
+                spin_unlock(&lock->wait_lock);
                 rt_mutex_deadlock_account_lock(lock, task);
                 return 1;
         }
 
         ret = task_blocks_on_rt_mutex(lock, waiter, task, detect_deadlock);
 
-
         if (ret && !waiter->task) {
                 /*
                  * Reset the return value. We might have
diff --git a/mm/mempool.c b/mm/mempool.c
index a46eb1b4bb6..32e75d40050 100644
--- a/mm/mempool.c
+++ b/mm/mempool.c
@@ -303,14 +303,14 @@ EXPORT_SYMBOL(mempool_free_slab);
  */
 void *mempool_kmalloc(gfp_t gfp_mask, void *pool_data)
 {
-        size_t size = (size_t)(long)pool_data;
+        size_t size = (size_t)pool_data;
         return kmalloc(size, gfp_mask);
 }
 EXPORT_SYMBOL(mempool_kmalloc);
 
 void *mempool_kzalloc(gfp_t gfp_mask, void *pool_data)
 {
-        size_t size = (size_t) pool_data;
+        size_t size = (size_t)pool_data;
         return kzalloc(size, gfp_mask);
 }
 EXPORT_SYMBOL(mempool_kzalloc);
diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
index 1eddae94bab..1150c6d5c7b 100644
--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -95,8 +95,6 @@ static int ioapic_service(struct kvm_ioapic *ioapic, unsigned int idx)
                 if (injected && pent->fields.trig_mode == IOAPIC_LEVEL_TRIG)
                         pent->fields.remote_irr = 1;
         }
-        if (!pent->fields.trig_mode)
-                ioapic->irr &= ~(1 << idx);
 
         return injected;
 }
@@ -136,7 +134,8 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
                 mask_after = ioapic->redirtbl[index].fields.mask;
                 if (mask_before != mask_after)
                         kvm_fire_mask_notifiers(ioapic->kvm, index, mask_after);
-                if (ioapic->irr & (1 << index))
+                if (ioapic->redirtbl[index].fields.trig_mode == IOAPIC_LEVEL_TRIG
+                    && ioapic->irr & (1 << index))
                         ioapic_service(ioapic, index);
                 break;
         }
@@ -184,9 +183,10 @@ int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int level)
                 if (!level)
                         ioapic->irr &= ~mask;
                 else {
+                        int edge = (entry.fields.trig_mode == IOAPIC_EDGE_TRIG);
                         ioapic->irr |= mask;
-                        if ((!entry.fields.trig_mode && old_irr != ioapic->irr)
-                            || !entry.fields.remote_irr)
+                        if ((edge && old_irr != ioapic->irr) ||
+                            (!edge && !entry.fields.remote_irr))
                                 ret = ioapic_service(ioapic, irq);
                 }
         }
diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
index a8bd466d00c..ddc17f0e2f3 100644
--- a/virt/kvm/irq_comm.c
+++ b/virt/kvm/irq_comm.c
@@ -160,7 +160,8 @@ void kvm_notify_acked_irq(struct kvm *kvm, unsigned irqchip, unsigned pin)
         unsigned gsi = pin;
 
         list_for_each_entry(e, &kvm->irq_routing, link)
-                if (e->irqchip.irqchip == irqchip &&
+                if (e->type == KVM_IRQ_ROUTING_IRQCHIP &&
+                    e->irqchip.irqchip == irqchip &&
                     e->irqchip.pin == pin) {
                         gsi = e->gsi;
                         break;
@@ -259,6 +260,7 @@ static int setup_routing_entry(struct kvm_kernel_irq_routing_entry *e,
         int delta;
 
         e->gsi = ue->gsi;
+        e->type = ue->type;
         switch (ue->type) {
         case KVM_IRQ_ROUTING_IRQCHIP:
                 delta = 0;