Merge branch 'perfcounters/urgent' into perfcounters/core

Conflicts:
	kernel/perf_counter.c

Merge reason: update to latest upstream (-rc6) and resolve
              the conflict with urgent fixes.

Signed-off-by: Ingo Molnar <mingo@elte.hu>

16 files changed, 207 insertions, 80 deletions

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 738bdc6b0f8b..13ffa5df37d7 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -24,6 +24,7 @@ config X86
         select HAVE_UNSTABLE_SCHED_CLOCK
         select HAVE_IDE
         select HAVE_OPROFILE
+        select HAVE_PERF_COUNTERS if (!M386 && !M486)
         select HAVE_IOREMAP_PROT
         select HAVE_KPROBES
         select ARCH_WANT_OPTIONAL_GPIOLIB
@@ -742,7 +743,6 @@ config X86_UP_IOAPIC
 config X86_LOCAL_APIC
         def_bool y
         depends on X86_64 || SMP || X86_32_NON_STANDARD || X86_UP_APIC
-        select HAVE_PERF_COUNTERS if (!M386 && !M486)
 
 config X86_IO_APIC
         def_bool y
diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c
index 2ed4e2bb3b32..a5371ec36776 100644
--- a/arch/x86/kernel/apic/x2apic_cluster.c
+++ b/arch/x86/kernel/apic/x2apic_cluster.c
@@ -17,11 +17,13 @@ static int x2apic_acpi_madt_oem_check(char *oem_id, char *oem_table_id)
         return x2apic_enabled();
 }
 
-/* Start with all IRQs pointing to boot CPU.  IRQ balancing will shift them. */
-
+/*
+ * need to use more than cpu 0, because we need more vectors when
+ * MSI-X are used.
+ */
 static const struct cpumask *x2apic_target_cpus(void)
 {
-        return cpumask_of(0);
+        return cpu_online_mask;
 }
 
 /*
diff --git a/arch/x86/kernel/apic/x2apic_phys.c b/arch/x86/kernel/apic/x2apic_phys.c
index 0b631c6a2e00..a8989aadc99a 100644
--- a/arch/x86/kernel/apic/x2apic_phys.c
+++ b/arch/x86/kernel/apic/x2apic_phys.c
@@ -27,11 +27,13 @@ static int x2apic_acpi_madt_oem_check(char *oem_id, char *oem_table_id)
                 return 0;
 }
 
-/* Start with all IRQs pointing to boot CPU.  IRQ balancing will shift them. */
-
+/*
+ * need to use more than cpu 0, because we need more vectors when
+ * MSI-X are used.
+ */
 static const struct cpumask *x2apic_target_cpus(void)
 {
-        return cpumask_of(0);
+        return cpu_online_mask;
 }
 
 static void x2apic_vector_allocation_domain(int cpu, struct cpumask *retmask)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index e2485b03f1cf..63fddcd082cd 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -400,6 +400,13 @@ static void __cpuinit init_amd(struct cpuinfo_x86 *c)
                 level = cpuid_eax(1);
                 if((level >= 0x0f48 && level < 0x0f50) || level >= 0x0f58)
                         set_cpu_cap(c, X86_FEATURE_REP_GOOD);
+
+                /*
+                 * Some BIOSes incorrectly force this feature, but only K8
+                 * revision D (model = 0x14) and later actually support it.
+                 */
+                if (c->x86_model < 0x14)
+                        clear_cpu_cap(c, X86_FEATURE_LAHF_LM);
         }
         if (c->x86 == 0x10 || c->x86 == 0x11)
                 set_cpu_cap(c, X86_FEATURE_REP_GOOD);
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index f1961c07af9a..5ce60a88027b 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -59,7 +59,30 @@ void __init setup_cpu_local_masks(void)
         alloc_bootmem_cpumask_var(&cpu_sibling_setup_mask);
 }
 
-static const struct cpu_dev *this_cpu __cpuinitdata;
+static void __cpuinit default_init(struct cpuinfo_x86 *c)
+{
+#ifdef CONFIG_X86_64
+        display_cacheinfo(c);
+#else
+        /* Not much we can do here... */
+        /* Check if at least it has cpuid */
+        if (c->cpuid_level == -1) {
+                /* No cpuid. It must be an ancient CPU */
+                if (c->x86 == 4)
+                        strcpy(c->x86_model_id, "486");
+                else if (c->x86 == 3)
+                        strcpy(c->x86_model_id, "386");
+        }
+#endif
+}
+
+static const struct cpu_dev __cpuinitconst default_cpu = {
+        .c_init         = default_init,
+        .c_vendor       = "Unknown",
+        .c_x86_vendor   = X86_VENDOR_UNKNOWN,
+};
+
+static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
 
 DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
 #ifdef CONFIG_X86_64
@@ -332,29 +355,6 @@ void switch_to_new_gdt(int cpu)
 
 static const struct cpu_dev *__cpuinitdata cpu_devs[X86_VENDOR_NUM] = {};
 
-static void __cpuinit default_init(struct cpuinfo_x86 *c)
-{
-#ifdef CONFIG_X86_64
-        display_cacheinfo(c);
-#else
-        /* Not much we can do here... */
-        /* Check if at least it has cpuid */
-        if (c->cpuid_level == -1) {
-                /* No cpuid. It must be an ancient CPU */
-                if (c->x86 == 4)
-                        strcpy(c->x86_model_id, "486");
-                else if (c->x86 == 3)
-                        strcpy(c->x86_model_id, "386");
-        }
-#endif
-}
-
-static const struct cpu_dev __cpuinitconst default_cpu = {
-        .c_init = default_init,
-        .c_vendor = "Unknown",
-        .c_x86_vendor = X86_VENDOR_UNKNOWN,
-};
-
 static void __cpuinit get_model_name(struct cpuinfo_x86 *c)
 {
         unsigned int *v;
diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c
index bff8dd191dd5..8bc64cfbe936 100644
--- a/arch/x86/kernel/cpu/mcheck/therm_throt.c
+++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c
@@ -36,6 +36,7 @@
 
 static DEFINE_PER_CPU(__u64, next_check) = INITIAL_JIFFIES;
 static DEFINE_PER_CPU(unsigned long, thermal_throttle_count);
+static DEFINE_PER_CPU(bool, thermal_throttle_active);
 
 static atomic_t therm_throt_en          = ATOMIC_INIT(0);
 
@@ -96,24 +97,27 @@ static int therm_throt_process(int curr)
 {
         unsigned int cpu = smp_processor_id();
         __u64 tmp_jiffs = get_jiffies_64();
+        bool was_throttled = __get_cpu_var(thermal_throttle_active);
+        bool is_throttled = __get_cpu_var(thermal_throttle_active) = curr;
 
-        if (curr)
+        if (is_throttled)
                 __get_cpu_var(thermal_throttle_count)++;
 
-        if (time_before64(tmp_jiffs, __get_cpu_var(next_check)))
+        if (!(was_throttled ^ is_throttled) &&
+            time_before64(tmp_jiffs, __get_cpu_var(next_check)))
                 return 0;
 
         __get_cpu_var(next_check) = tmp_jiffs + CHECK_INTERVAL;
 
         /* if we just entered the thermal event */
-        if (curr) {
+        if (is_throttled) {
                 printk(KERN_CRIT "CPU%d: Temperature above threshold, "
-                       "cpu clock throttled (total events = %lu)\n", cpu,
-                       __get_cpu_var(thermal_throttle_count));
+                       "cpu clock throttled (total events = %lu)\n",
+                       cpu, __get_cpu_var(thermal_throttle_count));
 
                 add_taint(TAINT_MACHINE_CHECK);
-        } else {
-                printk(KERN_CRIT "CPU%d: Temperature/speed normal\n", cpu);
+        } else if (was_throttled) {
+                printk(KERN_INFO "CPU%d: Temperature/speed normal\n", cpu);
         }
 
         return 1;
diff --git a/arch/x86/kernel/cpu/perf_counter.c b/arch/x86/kernel/cpu/perf_counter.c
index b237c181aa41..396e35db7058 100644
--- a/arch/x86/kernel/cpu/perf_counter.c
+++ b/arch/x86/kernel/cpu/perf_counter.c
@@ -97,6 +97,7 @@ struct x86_pmu {
         int             num_counters_fixed;
         int             counter_bits;
         u64             counter_mask;
+        int             apic;
         u64             max_period;
         u64             intel_ctrl;
         void            (*enable_bts)(u64 config);
@@ -116,8 +117,8 @@ static const u64 p6_perfmon_event_map[] =
 {
   [PERF_COUNT_HW_CPU_CYCLES]            = 0x0079,
   [PERF_COUNT_HW_INSTRUCTIONS]          = 0x00c0,
-  [PERF_COUNT_HW_CACHE_REFERENCES]      = 0x0000,
-  [PERF_COUNT_HW_CACHE_MISSES]          = 0x0000,
+  [PERF_COUNT_HW_CACHE_REFERENCES]      = 0x0f2e,
+  [PERF_COUNT_HW_CACHE_MISSES]          = 0x012e,
   [PERF_COUNT_HW_BRANCH_INSTRUCTIONS]   = 0x00c4,
   [PERF_COUNT_HW_BRANCH_MISSES]         = 0x00c5,
   [PERF_COUNT_HW_BUS_CYCLES]            = 0x0062,
@@ -660,6 +661,7 @@ static DEFINE_MUTEX(pmc_reserve_mutex);
 
 static bool reserve_pmc_hardware(void)
 {
+#ifdef CONFIG_X86_LOCAL_APIC
         int i;
 
         if (nmi_watchdog == NMI_LOCAL_APIC)
@@ -674,9 +676,11 @@ static bool reserve_pmc_hardware(void)
                 if (!reserve_evntsel_nmi(x86_pmu.eventsel + i))
                         goto eventsel_fail;
         }
+#endif
 
         return true;
 
+#ifdef CONFIG_X86_LOCAL_APIC
 eventsel_fail:
         for (i--; i >= 0; i--)
                 release_evntsel_nmi(x86_pmu.eventsel + i);
@@ -691,10 +695,12 @@ perfctr_fail:
                 enable_lapic_nmi_watchdog();
 
         return false;
+#endif
 }
 
 static void release_pmc_hardware(void)
 {
+#ifdef CONFIG_X86_LOCAL_APIC
         int i;
 
         for (i = 0; i < x86_pmu.num_counters; i++) {
@@ -704,6 +710,7 @@ static void release_pmc_hardware(void)
 
         if (nmi_watchdog == NMI_LOCAL_APIC)
                 enable_lapic_nmi_watchdog();
+#endif
 }
 
 static inline bool bts_available(void)
@@ -934,6 +941,15 @@ static int __hw_perf_counter_init(struct perf_counter *counter)
                 hwc->sample_period = x86_pmu.max_period;
                 hwc->last_period = hwc->sample_period;
                 atomic64_set(&hwc->period_left, hwc->sample_period);
+        } else {
+                /*
+                 * If we have a PMU initialized but no APIC
+                 * interrupts, we cannot sample hardware
+                 * counters (user-space has to fall back and
+                 * sample via a hrtimer based software counter):
+                 */
+                if (!x86_pmu.apic)
+                        return -EOPNOTSUPP;
         }
 
         counter->destroy = hw_perf_counter_destroy;
@@ -1755,18 +1771,22 @@ void smp_perf_pending_interrupt(struct pt_regs *regs)
 
 void set_perf_counter_pending(void)
 {
+#ifdef CONFIG_X86_LOCAL_APIC
         apic->send_IPI_self(LOCAL_PENDING_VECTOR);
+#endif
 }
 
 void perf_counters_lapic_init(void)
 {
-        if (!x86_pmu_initialized())
+#ifdef CONFIG_X86_LOCAL_APIC
+        if (!x86_pmu.apic || !x86_pmu_initialized())
                 return;
 
         /*
          * Always use NMI for PMU
          */
         apic_write(APIC_LVTPC, APIC_DM_NMI);
+#endif
 }
 
 static int __kprobes
@@ -1790,7 +1810,9 @@ perf_counter_nmi_handler(struct notifier_block *self,
 
         regs = args->regs;
 
+#ifdef CONFIG_X86_LOCAL_APIC
         apic_write(APIC_LVTPC, APIC_DM_NMI);
+#endif
         /*
          * Can't rely on the handled return value to say it was our NMI, two
          * counters could trigger 'simultaneously' raising two back-to-back NMIs.
@@ -1821,6 +1843,7 @@ static struct x86_pmu p6_pmu = {
         .event_map              = p6_pmu_event_map,
         .raw_event              = p6_pmu_raw_event,
         .max_events             = ARRAY_SIZE(p6_perfmon_event_map),
+        .apic                   = 1,
         .max_period             = (1ULL << 31) - 1,
         .version                = 0,
         .num_counters           = 2,
@@ -1847,6 +1870,7 @@ static struct x86_pmu intel_pmu = {
         .event_map              = intel_pmu_event_map,
         .raw_event              = intel_pmu_raw_event,
         .max_events             = ARRAY_SIZE(intel_perfmon_event_map),
+        .apic                   = 1,
         /*
          * Intel PMCs cannot be accessed sanely above 32 bit width,
          * so we install an artificial 1<<31 period regardless of
@@ -1872,6 +1896,7 @@ static struct x86_pmu amd_pmu = {
         .num_counters           = 4,
         .counter_bits           = 48,
         .counter_mask           = (1ULL << 48) - 1,
+        .apic                   = 1,
         /* use highest bit to detect overflow */
         .max_period             = (1ULL << 47) - 1,
 };
@@ -1897,13 +1922,14 @@ static int p6_pmu_init(void)
                 return -ENODEV;
         }
 
+        x86_pmu = p6_pmu;
+
         if (!cpu_has_apic) {
-                pr_info("no Local APIC, try rebooting with lapic");
-                return -ENODEV;
+                pr_info("no APIC, boot with the \"lapic\" boot parameter to force-enable it.\n");
+                pr_info("no hardware sampling interrupt available.\n");
+                x86_pmu.apic = 0;
         }
 
-        x86_pmu                         = p6_pmu;
-
         return 0;
 }
 
diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c
index 19ccf6d0dccf..fe26ba3e3451 100644
--- a/arch/x86/kernel/efi.c
+++ b/arch/x86/kernel/efi.c
@@ -354,7 +354,7 @@ void __init efi_init(void)
          */
         c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
         if (c16) {
-                for (i = 0; i < sizeof(vendor) && *c16; ++i)
+                for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
                         vendor[i] = *c16++;
                 vendor[i] = '\0';
         } else
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
index 834c9da8bf9d..a06e8d101844 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -405,7 +405,7 @@ EXPORT_SYMBOL(machine_real_restart);
 #endif /* CONFIG_X86_32 */
 
 /*
- * Apple MacBook5,2 (2009 MacBook) needs reboot=p
+ * Some Apple MacBook and MacBookPro's needs reboot=p to be able to reboot
  */
 static int __init set_pci_reboot(const struct dmi_system_id *d)
 {
@@ -418,12 +418,20 @@ static int __init set_pci_reboot(const struct dmi_system_id *d)
 }
 
 static struct dmi_system_id __initdata pci_reboot_dmi_table[] = {
-        {       /* Handle problems with rebooting on Apple MacBook5,2 */
+        {       /* Handle problems with rebooting on Apple MacBook5 */
                 .callback = set_pci_reboot,
-                .ident = "Apple MacBook",
+                .ident = "Apple MacBook5",
                 .matches = {
                         DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
-                        DMI_MATCH(DMI_PRODUCT_NAME, "MacBook5,2"),
+                        DMI_MATCH(DMI_PRODUCT_NAME, "MacBook5"),
+                },
+        },
+        {       /* Handle problems with rebooting on Apple MacBookPro5 */
+                .callback = set_pci_reboot,
+                .ident = "Apple MacBookPro5",
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
+                        DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro5"),
                 },
         },
         { }
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index 6e1a368d21d4..71f4368b357e 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -275,15 +275,20 @@ static unsigned long pit_calibrate_tsc(u32 latch, unsigned long ms, int loopmin)
  * use the TSC value at the transitions to calculate a pretty
  * good value for the TSC frequencty.
  */
+static inline int pit_verify_msb(unsigned char val)
+{
+        /* Ignore LSB */
+        inb(0x42);
+        return inb(0x42) == val;
+}
+
 static inline int pit_expect_msb(unsigned char val, u64 *tscp, unsigned long *deltap)
 {
         int count;
         u64 tsc = 0;
 
         for (count = 0; count < 50000; count++) {
-                /* Ignore LSB */
-                inb(0x42);
-                if (inb(0x42) != val)
+                if (!pit_verify_msb(val))
                         break;
                 tsc = get_cycles();
         }
@@ -336,8 +341,7 @@ static unsigned long quick_pit_calibrate(void)
          * to do that is to just read back the 16-bit counter
          * once from the PIT.
          */
-        inb(0x42);
-        inb(0x42);
+        pit_verify_msb(0);
 
         if (pit_expect_msb(0xff, &tsc, &d1)) {
                 for (i = 1; i <= MAX_QUICK_PIT_ITERATIONS; i++) {
@@ -348,8 +352,19 @@ static unsigned long quick_pit_calibrate(void)
                          * Iterate until the error is less than 500 ppm
                          */
                         delta -= tsc;
-                        if (d1+d2 < delta >> 11)
-                                goto success;
+                        if (d1+d2 >= delta >> 11)
+                                continue;
+
+                        /*
+                         * Check the PIT one more time to verify that
+                         * all TSC reads were stable wrt the PIT.
+                         *
+                         * This also guarantees serialization of the
+                         * last cycle read ('d2') in pit_expect_msb.
+                         */
+                        if (!pit_verify_msb(0xfe - i))
+                                break;
+                        goto success;
                 }
         }
         printk("Fast TSC calibration failed\n");
diff --git a/arch/x86/kernel/vmi_32.c b/arch/x86/kernel/vmi_32.c
index b263423fbe2a..95a7289e4b0c 100644
--- a/arch/x86/kernel/vmi_32.c
+++ b/arch/x86/kernel/vmi_32.c
@@ -441,7 +441,7 @@ vmi_startup_ipi_hook(int phys_apicid, unsigned long start_eip,
         ap.ds = __USER_DS;
         ap.es = __USER_DS;
         ap.fs = __KERNEL_PERCPU;
-        ap.gs = 0;
+        ap.gs = __KERNEL_STACK_CANARY;
 
         ap.eflags = 0;
 
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 4d6f0d293ee2..21f68e00524f 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -104,6 +104,9 @@ static s64 __kpit_elapsed(struct kvm *kvm)
         ktime_t remaining;
         struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
 
+        if (!ps->pit_timer.period)
+                return 0;
+
         /*
          * The Counter does not stop when it reaches zero. In
          * Modes 0, 1, 4, and 5 the Counter ``wraps around'' to
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 7030b5f911bf..0ef5bb2b4043 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -489,16 +489,20 @@ static unsigned long *gfn_to_rmap(struct kvm *kvm, gfn_t gfn, int lpage)
  *
  * If rmapp bit zero is one, (then rmap & ~1) points to a struct kvm_rmap_desc
  * containing more mappings.
+ *
+ * Returns the number of rmap entries before the spte was added or zero if
+ * the spte was not added.
+ *
  */
-static void rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
+static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
 {
         struct kvm_mmu_page *sp;
         struct kvm_rmap_desc *desc;
         unsigned long *rmapp;
-        int i;
+        int i, count = 0;
 
         if (!is_rmap_pte(*spte))
-                return;
+                return count;
         gfn = unalias_gfn(vcpu->kvm, gfn);
         sp = page_header(__pa(spte));
         sp->gfns[spte - sp->spt] = gfn;
@@ -515,8 +519,10 @@ static void rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
         } else {
                 rmap_printk("rmap_add: %p %llx many->many\n", spte, *spte);
                 desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
-                while (desc->shadow_ptes[RMAP_EXT-1] && desc->more)
+                while (desc->shadow_ptes[RMAP_EXT-1] && desc->more) {
                         desc = desc->more;
+                        count += RMAP_EXT;
+                }
                 if (desc->shadow_ptes[RMAP_EXT-1]) {
                         desc->more = mmu_alloc_rmap_desc(vcpu);
                         desc = desc->more;
@@ -525,6 +531,7 @@ static void rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
                         ;
                 desc->shadow_ptes[i] = spte;
         }
+        return count;
 }
 
 static void rmap_desc_remove_entry(unsigned long *rmapp,
@@ -754,6 +761,19 @@ static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp)
         return young;
 }
 
+#define RMAP_RECYCLE_THRESHOLD 1000
+
+static void rmap_recycle(struct kvm_vcpu *vcpu, gfn_t gfn, int lpage)
+{
+        unsigned long *rmapp;
+
+        gfn = unalias_gfn(vcpu->kvm, gfn);
+        rmapp = gfn_to_rmap(vcpu->kvm, gfn, lpage);
+
+        kvm_unmap_rmapp(vcpu->kvm, rmapp);
+        kvm_flush_remote_tlbs(vcpu->kvm);
+}
+
 int kvm_age_hva(struct kvm *kvm, unsigned long hva)
 {
         return kvm_handle_hva(kvm, hva, kvm_age_rmapp);
@@ -1407,24 +1427,25 @@ static int kvm_mmu_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp)
  */
 void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages)
 {
+        int used_pages;
+
+        used_pages = kvm->arch.n_alloc_mmu_pages - kvm->arch.n_free_mmu_pages;
+        used_pages = max(0, used_pages);
+
         /*
          * If we set the number of mmu pages to be smaller be than the
          * number of actived pages , we must to free some mmu pages before we
          * change the value
          */
 
-        if ((kvm->arch.n_alloc_mmu_pages - kvm->arch.n_free_mmu_pages) >
-            kvm_nr_mmu_pages) {
-                int n_used_mmu_pages = kvm->arch.n_alloc_mmu_pages
-                                       - kvm->arch.n_free_mmu_pages;
-
-                while (n_used_mmu_pages > kvm_nr_mmu_pages) {
+        if (used_pages > kvm_nr_mmu_pages) {
+                while (used_pages > kvm_nr_mmu_pages) {
                         struct kvm_mmu_page *page;
 
                         page = container_of(kvm->arch.active_mmu_pages.prev,
                                             struct kvm_mmu_page, link);
                         kvm_mmu_zap_page(kvm, page);
-                        n_used_mmu_pages--;
+                        used_pages--;
                 }
                 kvm->arch.n_free_mmu_pages = 0;
         }
@@ -1740,6 +1761,7 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
 {
         int was_rmapped = 0;
         int was_writeble = is_writeble_pte(*shadow_pte);
+        int rmap_count;
 
         pgprintk("%s: spte %llx access %x write_fault %d"
                  " user_fault %d gfn %lx\n",
@@ -1781,9 +1803,11 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
 
         page_header_update_slot(vcpu->kvm, shadow_pte, gfn);
         if (!was_rmapped) {
-                rmap_add(vcpu, shadow_pte, gfn, largepage);
+                rmap_count = rmap_add(vcpu, shadow_pte, gfn, largepage);
                 if (!is_rmap_pte(*shadow_pte))
                         kvm_release_pfn_clean(pfn);
+                if (rmap_count > RMAP_RECYCLE_THRESHOLD)
+                        rmap_recycle(vcpu, gfn, largepage);
         } else {
                 if (was_writeble)
                         kvm_release_pfn_dirty(pfn);
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 71510e07e69e..b1f658ad2f06 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -711,6 +711,7 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
                 svm->vmcb->control.tsc_offset += delta;
                 vcpu->cpu = cpu;
                 kvm_migrate_timers(vcpu);
+                svm->asid_generation = 0;
         }
 
         for (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)
@@ -1031,7 +1032,6 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *svm_data)
                 svm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ALL_ASID;
         }
 
-        svm->vcpu.cpu = svm_data->cpu;
         svm->asid_generation = svm_data->asid_generation;
         svm->vmcb->control.asid = svm_data->next_asid++;
 }
@@ -2300,8 +2300,8 @@ static void pre_svm_run(struct vcpu_svm *svm)
         struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
 
         svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;
-        if (svm->vcpu.cpu != cpu ||
-            svm->asid_generation != svm_data->asid_generation)
+        /* FIXME: handle wraparound of asid_generation */
+        if (svm->asid_generation != svm_data->asid_generation)
                 new_asid(svm, svm_data);
 }
 
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 356a0ce85c68..29f912927a58 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3157,8 +3157,8 @@ static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
         struct vcpu_vmx *vmx = to_vmx(vcpu);
         enum emulation_result err = EMULATE_DONE;
 
-        preempt_enable();
         local_irq_enable();
+        preempt_enable();
 
         while (!guest_state_valid(vcpu)) {
                 err = emulate_instruction(vcpu, kvm_run, 0, 0, 0);
@@ -3168,7 +3168,7 @@ static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
 
                 if (err != EMULATE_DONE) {
                         kvm_report_emulation_failure(vcpu, "emulation failure");
-                        return;
+                        break;
                 }
 
                 if (signal_pending(current))
@@ -3177,8 +3177,8 @@ static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
                         schedule();
         }
 
-        local_irq_disable();
         preempt_disable();
+        local_irq_disable();
 
         vmx->invalid_state_emulation_result = err;
 }
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index fe5474aec41a..3d4529011828 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -704,11 +704,48 @@ static bool msr_mtrr_valid(unsigned msr)
         return false;
 }
 
+static bool valid_pat_type(unsigned t)
+{
+        return t < 8 && (1 << t) & 0xf3; /* 0, 1, 4, 5, 6, 7 */
+}
+
+static bool valid_mtrr_type(unsigned t)
+{
+        return t < 8 && (1 << t) & 0x73; /* 0, 1, 4, 5, 6 */
+}
+
+static bool mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+{
+        int i;
+
+        if (!msr_mtrr_valid(msr))
+                return false;
+
+        if (msr == MSR_IA32_CR_PAT) {
+                for (i = 0; i < 8; i++)
+                        if (!valid_pat_type((data >> (i * 8)) & 0xff))
+                                return false;
+                return true;
+        } else if (msr == MSR_MTRRdefType) {
+                if (data & ~0xcff)
+                        return false;
+                return valid_mtrr_type(data & 0xff);
+        } else if (msr >= MSR_MTRRfix64K_00000 && msr <= MSR_MTRRfix4K_F8000) {
+                for (i = 0; i < 8 ; i++)
+                        if (!valid_mtrr_type((data >> (i * 8)) & 0xff))
+                                return false;
+                return true;
+        }
+
+        /* variable MTRRs */
+        return valid_mtrr_type(data & 0xff);
+}
+
 static int set_msr_mtrr(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
         u64 *p = (u64 *)&vcpu->arch.mtrr_state.fixed_ranges;
 
-        if (!msr_mtrr_valid(msr))
+        if (!mtrr_valid(vcpu, msr, data))
                 return 1;
 
         if (msr == MSR_MTRRdefType) {
@@ -1079,14 +1116,13 @@ long kvm_arch_dev_ioctl(struct file *filp,
                 if (copy_to_user(user_msr_list, &msr_list, sizeof msr_list))
                         goto out;
                 r = -E2BIG;
-                if (n < num_msrs_to_save)
+                if (n < msr_list.nmsrs)
                         goto out;
                 r = -EFAULT;
                 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
                                  num_msrs_to_save * sizeof(u32)))
                         goto out;
-                if (copy_to_user(user_msr_list->indices
-                                 + num_msrs_to_save * sizeof(u32),
+                if (copy_to_user(user_msr_list->indices + num_msrs_to_save,
                                  &emulated_msrs,
                                  ARRAY_SIZE(emulated_msrs) * sizeof(u32)))
                         goto out;