Merge branch 'iov_iter' into for-next

44 files changed, 355 insertions, 349 deletions

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index f2327e88e07c..41a503c15862 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -142,6 +142,10 @@ config INSTRUCTION_DECODER
         def_bool y
         depends on KPROBES || PERF_EVENTS || UPROBES
 
+config PERF_EVENTS_INTEL_UNCORE
+        def_bool y
+        depends on PERF_EVENTS && CPU_SUP_INTEL && PCI
+
 config OUTPUT_FORMAT
         string
         default "elf32-i386" if X86_32
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 704f58aa79cd..be1e07d4b596 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -76,8 +76,10 @@ suffix-$(CONFIG_KERNEL_XZ)	:= xz
 suffix-$(CONFIG_KERNEL_LZO)     := lzo
 suffix-$(CONFIG_KERNEL_LZ4)     := lz4
 
+RUN_SIZE = $(shell objdump -h vmlinux | \
+             perl $(srctree)/arch/x86/tools/calc_run_size.pl)
 quiet_cmd_mkpiggy = MKPIGGY $@
-      cmd_mkpiggy = $(obj)/mkpiggy $< > $@ || ( rm -f $@ ; false )
+      cmd_mkpiggy = $(obj)/mkpiggy $< $(RUN_SIZE) > $@ || ( rm -f $@ ; false )
 
 targets += piggy.S
 $(obj)/piggy.S: $(obj)/vmlinux.bin.$(suffix-y) $(obj)/mkpiggy FORCE
diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
index cbed1407a5cd..1d7fbbcc196d 100644
--- a/arch/x86/boot/compressed/head_32.S
+++ b/arch/x86/boot/compressed/head_32.S
@@ -207,7 +207,8 @@ relocated:
  * Do the decompression, and jump to the new kernel..
  */
                                 /* push arguments for decompress_kernel: */
-        pushl   $z_output_len   /* decompressed length */
+        pushl   $z_run_size     /* size of kernel with .bss and .brk */
+        pushl   $z_output_len   /* decompressed length, end of relocs */
         leal    z_extract_offset_negative(%ebx), %ebp
         pushl   %ebp            /* output address */
         pushl   $z_input_len    /* input_len */
@@ -217,7 +218,7 @@ relocated:
         pushl   %eax            /* heap area */
         pushl   %esi            /* real mode pointer */
         call    decompress_kernel /* returns kernel location in %eax */
-        addl    $24, %esp
+        addl    $28, %esp
 
 /*
  * Jump to the decompressed kernel.
diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
index 2884e0c3e8a5..6b1766c6c082 100644
--- a/arch/x86/boot/compressed/head_64.S
+++ b/arch/x86/boot/compressed/head_64.S
@@ -402,13 +402,16 @@ relocated:
  * Do the decompression, and jump to the new kernel..
  */
         pushq   %rsi                    /* Save the real mode argument */
+        movq    $z_run_size, %r9        /* size of kernel with .bss and .brk */
+        pushq   %r9
         movq    %rsi, %rdi              /* real mode address */
         leaq    boot_heap(%rip), %rsi   /* malloc area for uncompression */
         leaq    input_data(%rip), %rdx  /* input_data */
         movl    $z_input_len, %ecx      /* input_len */
         movq    %rbp, %r8               /* output target address */
-        movq    $z_output_len, %r9      /* decompressed length */
+        movq    $z_output_len, %r9      /* decompressed length, end of relocs */
         call    decompress_kernel       /* returns kernel location in %rax */
+        popq    %r9
         popq    %rsi
 
 /*
diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
index 57ab74df7eea..30dd59a9f0b4 100644
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -358,7 +358,8 @@ asmlinkage __visible void *decompress_kernel(void *rmode, memptr heap,
                                   unsigned char *input_data,
                                   unsigned long input_len,
                                   unsigned char *output,
-                                  unsigned long output_len)
+                                  unsigned long output_len,
+                                  unsigned long run_size)
 {
         real_mode = rmode;
 
@@ -381,8 +382,14 @@ asmlinkage __visible void *decompress_kernel(void *rmode, memptr heap,
         free_mem_ptr     = heap;        /* Heap */
         free_mem_end_ptr = heap + BOOT_HEAP_SIZE;
 
-        output = choose_kernel_location(input_data, input_len,
-                                        output, output_len);
+        /*
+         * The memory hole needed for the kernel is the larger of either
+         * the entire decompressed kernel plus relocation table, or the
+         * entire decompressed kernel plus .bss and .brk sections.
+         */
+        output = choose_kernel_location(input_data, input_len, output,
+                                        output_len > run_size ? output_len
+                                                              : run_size);
 
         /* Validate memory location choices. */
         if ((unsigned long)output & (MIN_KERNEL_ALIGN - 1))
diff --git a/arch/x86/boot/compressed/mkpiggy.c b/arch/x86/boot/compressed/mkpiggy.c
index b669ab65bf6c..d8222f213182 100644
--- a/arch/x86/boot/compressed/mkpiggy.c
+++ b/arch/x86/boot/compressed/mkpiggy.c
@@ -36,11 +36,13 @@ int main(int argc, char *argv[])
         uint32_t olen;
         long ilen;
         unsigned long offs;
+        unsigned long run_size;
         FILE *f = NULL;
         int retval = 1;
 
-        if (argc < 2) {
-                fprintf(stderr, "Usage: %s compressed_file\n", argv[0]);
+        if (argc < 3) {
+                fprintf(stderr, "Usage: %s compressed_file run_size\n",
+                                argv[0]);
                 goto bail;
         }
 
@@ -74,6 +76,7 @@ int main(int argc, char *argv[])
         offs += olen >> 12;     /* Add 8 bytes for each 32K block */
         offs += 64*1024 + 128;  /* Add 64K + 128 bytes slack */
         offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
+        run_size = atoi(argv[2]);
 
         printf(".section \".rodata..compressed\",\"a\",@progbits\n");
         printf(".globl z_input_len\n");
@@ -85,6 +88,8 @@ int main(int argc, char *argv[])
         /* z_extract_offset_negative allows simplification of head_32.S */
         printf(".globl z_extract_offset_negative\n");
         printf("z_extract_offset_negative = -0x%lx\n", offs);
+        printf(".globl z_run_size\n");
+        printf("z_run_size = %lu\n", run_size);
 
         printf(".globl input_data, input_data_end\n");
         printf("input_data:\n");
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 8ffba18395c8..ffe71228fc10 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -157,7 +157,7 @@ ENTRY(ia32_sysenter_target)
          * ourselves.  To save a few cycles, we can check whether
          * NT was set instead of doing an unconditional popfq.
          */
-        testl $X86_EFLAGS_NT,EFLAGS(%rsp)       /* saved EFLAGS match cpu */
+        testl $X86_EFLAGS_NT,EFLAGS-ARGOFFSET(%rsp)
         jnz sysenter_fix_flags
 sysenter_flags_fixed:
 
diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
index f48b17df4224..3a52ee0e726d 100644
--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -20,7 +20,6 @@
 #define THREAD_SIZE_ORDER       1
 #define THREAD_SIZE             (PAGE_SIZE << THREAD_SIZE_ORDER)
 
-#define STACKFAULT_STACK 0
 #define DOUBLEFAULT_STACK 1
 #define NMI_STACK 0
 #define DEBUG_STACK 0
diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
index 678205195ae1..75450b2c7be4 100644
--- a/arch/x86/include/asm/page_64_types.h
+++ b/arch/x86/include/asm/page_64_types.h
@@ -14,12 +14,11 @@
 #define IRQ_STACK_ORDER 2
 #define IRQ_STACK_SIZE (PAGE_SIZE << IRQ_STACK_ORDER)
 
-#define STACKFAULT_STACK 1
-#define DOUBLEFAULT_STACK 2
-#define NMI_STACK 3
-#define DEBUG_STACK 4
-#define MCE_STACK 5
-#define N_EXCEPTION_STACKS 5  /* hw limit: 7 */
+#define DOUBLEFAULT_STACK 1
+#define NMI_STACK 2
+#define DEBUG_STACK 3
+#define MCE_STACK 4
+#define N_EXCEPTION_STACKS 4  /* hw limit: 7 */
 
 #define PUD_PAGE_SIZE           (_AC(1, UL) << PUD_SHIFT)
 #define PUD_PAGE_MASK           (~(PUD_PAGE_SIZE-1))
diff --git a/arch/x86/include/asm/preempt.h b/arch/x86/include/asm/preempt.h
index 7024c12f7bfe..400873450e33 100644
--- a/arch/x86/include/asm/preempt.h
+++ b/arch/x86/include/asm/preempt.h
@@ -105,6 +105,7 @@ static __always_inline bool should_resched(void)
 # ifdef CONFIG_CONTEXT_TRACKING
     extern asmlinkage void ___preempt_schedule_context(void);
 #   define __preempt_schedule_context() asm ("call ___preempt_schedule_context")
+    extern asmlinkage void preempt_schedule_context(void);
 # endif
 #endif
 
diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
index 8cd27e08e23c..8cd1cc3bc835 100644
--- a/arch/x86/include/asm/smp.h
+++ b/arch/x86/include/asm/smp.h
@@ -150,6 +150,7 @@ static inline void arch_send_call_function_ipi_mask(const struct cpumask *mask)
 }
 
 void cpu_disable_common(void);
+void cpu_die_common(unsigned int cpu);
 void native_smp_prepare_boot_cpu(void);
 void native_smp_prepare_cpus(unsigned int max_cpus);
 void native_smp_cpus_done(unsigned int max_cpus);
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index 854053889d4d..547e344a6dc6 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -141,7 +141,7 @@ struct thread_info {
 /* Only used for 64 bit */
 #define _TIF_DO_NOTIFY_MASK                                             \
         (_TIF_SIGPENDING | _TIF_MCE_NOTIFY | _TIF_NOTIFY_RESUME |       \
-         _TIF_USER_RETURN_NOTIFY)
+         _TIF_USER_RETURN_NOTIFY | _TIF_UPROBE)
 
 /* flags to check in __switch_to() */
 #define _TIF_WORK_CTXSW                                                 \
diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
index bc8352e7010a..707adc6549d8 100644
--- a/arch/x86/include/asm/traps.h
+++ b/arch/x86/include/asm/traps.h
@@ -39,6 +39,7 @@ asmlinkage void simd_coprocessor_error(void);
 
 #ifdef CONFIG_TRACING
 asmlinkage void trace_page_fault(void);
+#define trace_stack_segment stack_segment
 #define trace_divide_error divide_error
 #define trace_bounds bounds
 #define trace_invalid_op invalid_op
diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
index b436fc735aa4..a142e77693e1 100644
--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -397,7 +397,7 @@ static int mp_register_gsi(struct device *dev, u32 gsi, int trigger,
 
         /* Don't set up the ACPI SCI because it's already set up */
         if (acpi_gbl_FADT.sci_interrupt == gsi)
-                return gsi;
+                return mp_map_gsi_to_irq(gsi, IOAPIC_MAP_ALLOC);
 
         trigger = trigger == ACPI_EDGE_SENSITIVE ? 0 : 1;
         polarity = polarity == ACPI_ACTIVE_HIGH ? 0 : 1;
@@ -604,14 +604,18 @@ void __init acpi_pic_sci_set_trigger(unsigned int irq, u16 trigger)
 
 int acpi_gsi_to_irq(u32 gsi, unsigned int *irqp)
 {
-        int irq = mp_map_gsi_to_irq(gsi, IOAPIC_MAP_ALLOC | IOAPIC_MAP_CHECK);
+        int irq;
 
-        if (irq >= 0) {
+        if (acpi_irq_model == ACPI_IRQ_MODEL_PIC) {
+                *irqp = gsi;
+        } else {
+                irq = mp_map_gsi_to_irq(gsi,
+                                        IOAPIC_MAP_ALLOC | IOAPIC_MAP_CHECK);
+                if (irq < 0)
+                        return -1;
                 *irqp = irq;
-                return 0;
         }
-
-        return -1;
+        return 0;
 }
 EXPORT_SYMBOL_GPL(acpi_gsi_to_irq);
 
diff --git a/arch/x86/kernel/apb_timer.c b/arch/x86/kernel/apb_timer.c
index 5972b108f15a..b708738d016e 100644
--- a/arch/x86/kernel/apb_timer.c
+++ b/arch/x86/kernel/apb_timer.c
@@ -185,8 +185,6 @@ static void apbt_setup_irq(struct apbt_dev *adev)
 
         irq_modify_status(adev->irq, 0, IRQ_MOVE_PCNTXT);
         irq_set_affinity(adev->irq, cpumask_of(adev->cpu));
-        /* APB timer irqs are set up as mp_irqs, timer is edge type */
-        __irq_set_handler(adev->irq, handle_edge_irq, 0, "edge");
 }
 
 /* Should be called with per cpu */
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
index 00853b254ab0..ba6cc041edb1 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1297,7 +1297,7 @@ void setup_local_APIC(void)
         unsigned int value, queued;
         int i, j, acked = 0;
         unsigned long long tsc = 0, ntsc;
-        long long max_loops = cpu_khz;
+        long long max_loops = cpu_khz ? cpu_khz : 1000000;
 
         if (cpu_has_tsc)
                 rdtscll(tsc);
@@ -1383,7 +1383,7 @@ void setup_local_APIC(void)
                         break;
                 }
                 if (queued) {
-                        if (cpu_has_tsc) {
+                        if (cpu_has_tsc && cpu_khz) {
                                 rdtscll(ntsc);
                                 max_loops = (cpu_khz << 10) - (ntsc - tsc);
                         } else
diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
index 01d5453b5502..e27b49d7c922 100644
--- a/arch/x86/kernel/cpu/Makefile
+++ b/arch/x86/kernel/cpu/Makefile
@@ -39,9 +39,12 @@ obj-$(CONFIG_CPU_SUP_AMD)		+= perf_event_amd_iommu.o
 endif
 obj-$(CONFIG_CPU_SUP_INTEL)             += perf_event_p6.o perf_event_knc.o perf_event_p4.o
 obj-$(CONFIG_CPU_SUP_INTEL)             += perf_event_intel_lbr.o perf_event_intel_ds.o perf_event_intel.o
-obj-$(CONFIG_CPU_SUP_INTEL)             += perf_event_intel_uncore.o perf_event_intel_uncore_snb.o
-obj-$(CONFIG_CPU_SUP_INTEL)             += perf_event_intel_uncore_snbep.o perf_event_intel_uncore_nhmex.o
 obj-$(CONFIG_CPU_SUP_INTEL)             += perf_event_intel_rapl.o
+
+obj-$(CONFIG_PERF_EVENTS_INTEL_UNCORE)  += perf_event_intel_uncore.o \
+                                           perf_event_intel_uncore_snb.o \
+                                           perf_event_intel_uncore_snbep.o \
+                                           perf_event_intel_uncore_nhmex.o
 endif
 
 
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 4b4f78c9ba19..cfa9b5b2c27a 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -146,6 +146,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
 
 static int __init x86_xsave_setup(char *s)
 {
+        if (strlen(s))
+                return 0;
         setup_clear_cpu_cap(X86_FEATURE_XSAVE);
         setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
         setup_clear_cpu_cap(X86_FEATURE_XSAVES);
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index 1ef456273172..9cc6b6f25f42 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -213,12 +213,13 @@ static void intel_workarounds(struct cpuinfo_x86 *c)
 {
 #ifdef CONFIG_X86_F00F_BUG
         /*
-         * All current models of Pentium and Pentium with MMX technology CPUs
+         * All models of Pentium and Pentium with MMX technology CPUs
          * have the F0 0F bug, which lets nonprivileged users lock up the
          * system. Announce that the fault handler will be checking for it.
+         * The Quark is also family 5, but does not have the same bug.
          */
         clear_cpu_bug(c, X86_BUG_F00F);
-        if (!paravirt_enabled() && c->x86 == 5) {
+        if (!paravirt_enabled() && c->x86 == 5 && c->x86_model < 9) {
                 static int f00f_workaround_enabled;
 
                 set_cpu_bug(c, X86_BUG_F00F);
diff --git a/arch/x86/kernel/cpu/microcode/amd_early.c b/arch/x86/kernel/cpu/microcode/amd_early.c
index 7aa1acc79789..06674473b0e6 100644
--- a/arch/x86/kernel/cpu/microcode/amd_early.c
+++ b/arch/x86/kernel/cpu/microcode/amd_early.c
@@ -108,12 +108,13 @@ static size_t compute_container_size(u8 *data, u32 total_size)
  * load_microcode_amd() to save equivalent cpu table and microcode patches in
  * kernel heap memory.
  */
-static void apply_ucode_in_initrd(void *ucode, size_t size)
+static void apply_ucode_in_initrd(void *ucode, size_t size, bool save_patch)
 {
         struct equiv_cpu_entry *eq;
         size_t *cont_sz;
         u32 *header;
         u8  *data, **cont;
+        u8 (*patch)[PATCH_MAX_SIZE];
         u16 eq_id = 0;
         int offset, left;
         u32 rev, eax, ebx, ecx, edx;
@@ -123,10 +124,12 @@ static void apply_ucode_in_initrd(void *ucode, size_t size)
         new_rev = (u32 *)__pa_nodebug(&ucode_new_rev);
         cont_sz = (size_t *)__pa_nodebug(&container_size);
         cont    = (u8 **)__pa_nodebug(&container);
+        patch   = (u8 (*)[PATCH_MAX_SIZE])__pa_nodebug(&amd_ucode_patch);
 #else
         new_rev = &ucode_new_rev;
         cont_sz = &container_size;
         cont    = &container;
+        patch   = &amd_ucode_patch;
 #endif
 
         data   = ucode;
@@ -213,9 +216,9 @@ static void apply_ucode_in_initrd(void *ucode, size_t size)
                                 rev = mc->hdr.patch_id;
                                 *new_rev = rev;
 
-                                /* save ucode patch */
-                                memcpy(amd_ucode_patch, mc,
-                                       min_t(u32, header[1], PATCH_MAX_SIZE));
+                                if (save_patch)
+                                        memcpy(patch, mc,
+                                               min_t(u32, header[1], PATCH_MAX_SIZE));
                         }
                 }
 
@@ -246,7 +249,7 @@ void __init load_ucode_amd_bsp(void)
         *data = cp.data;
         *size = cp.size;
 
-        apply_ucode_in_initrd(cp.data, cp.size);
+        apply_ucode_in_initrd(cp.data, cp.size, true);
 }
 
 #ifdef CONFIG_X86_32
@@ -263,7 +266,7 @@ void load_ucode_amd_ap(void)
         size_t *usize;
         void **ucode;
 
-        mc = (struct microcode_amd *)__pa(amd_ucode_patch);
+        mc = (struct microcode_amd *)__pa_nodebug(amd_ucode_patch);
         if (mc->hdr.patch_id && mc->hdr.processor_rev_id) {
                 __apply_microcode_amd(mc);
                 return;
@@ -275,7 +278,7 @@ void load_ucode_amd_ap(void)
         if (!*ucode || !*usize)
                 return;
 
-        apply_ucode_in_initrd(*ucode, *usize);
+        apply_ucode_in_initrd(*ucode, *usize, false);
 }
 
 static void __init collect_cpu_sig_on_bsp(void *arg)
@@ -339,7 +342,7 @@ void load_ucode_amd_ap(void)
                  * AP has a different equivalence ID than BSP, looks like
                  * mixed-steppings silicon so go through the ucode blob anew.
                  */
-                apply_ucode_in_initrd(ucode_cpio.data, ucode_cpio.size);
+                apply_ucode_in_initrd(ucode_cpio.data, ucode_cpio.size, false);
         }
 }
 #endif
@@ -347,7 +350,9 @@ void load_ucode_amd_ap(void)
 int __init save_microcode_in_initrd_amd(void)
 {
         unsigned long cont;
+        int retval = 0;
         enum ucode_state ret;
+        u8 *cont_va;
         u32 eax;
 
         if (!container)
@@ -355,13 +360,15 @@ int __init save_microcode_in_initrd_amd(void)
 
 #ifdef CONFIG_X86_32
         get_bsp_sig();
-        cont = (unsigned long)container;
+        cont    = (unsigned long)container;
+        cont_va = __va(container);
 #else
         /*
          * We need the physical address of the container for both bitness since
          * boot_params.hdr.ramdisk_image is a physical address.
          */
-        cont = __pa(container);
+        cont    = __pa(container);
+        cont_va = container;
 #endif
 
         /*
@@ -372,6 +379,8 @@ int __init save_microcode_in_initrd_amd(void)
         if (relocated_ramdisk)
                 container = (u8 *)(__va(relocated_ramdisk) +
                              (cont - boot_params.hdr.ramdisk_image));
+        else
+                container = cont_va;
 
         if (ucode_new_rev)
                 pr_info("microcode: updated early to new patch_level=0x%08x\n",
@@ -382,7 +391,7 @@ int __init save_microcode_in_initrd_amd(void)
 
         ret = load_microcode_amd(eax, container, container_size);
         if (ret != UCODE_OK)
-                return -EINVAL;
+                retval = -EINVAL;
 
         /*
          * This will be freed any msec now, stash patches for the current
@@ -391,5 +400,5 @@ int __init save_microcode_in_initrd_amd(void)
         container = NULL;
         container_size = 0;
 
-        return 0;
+        return retval;
 }
diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
index dd9d6190b08d..2ce9051174e6 100644
--- a/arch/x86/kernel/cpu/microcode/core.c
+++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -465,6 +465,14 @@ static void mc_bp_resume(void)
 
         if (uci->valid && uci->mc)
                 microcode_ops->apply_microcode(cpu);
+        else if (!uci->mc)
+                /*
+                 * We might resume and not have applied late microcode but still
+                 * have a newer patch stashed from the early loader. We don't
+                 * have it in uci->mc so we have to load it the same way we're
+                 * applying patches early on the APs.
+                 */
+                load_ucode_ap();
 }
 
 static struct syscore_ops mc_syscore_ops = {
diff --git a/arch/x86/kernel/cpu/microcode/core_early.c b/arch/x86/kernel/cpu/microcode/core_early.c
index 5f28a64e71ea..2c017f242a78 100644
--- a/arch/x86/kernel/cpu/microcode/core_early.c
+++ b/arch/x86/kernel/cpu/microcode/core_early.c
@@ -124,7 +124,7 @@ void __init load_ucode_bsp(void)
 static bool check_loader_disabled_ap(void)
 {
 #ifdef CONFIG_X86_32
-        return __pa_nodebug(dis_ucode_ldr);
+        return *((bool *)__pa_nodebug(&dis_ucode_ldr));
 #else
         return dis_ucode_ldr;
 #endif
diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 1b8299dd3d91..143e5f5dc855 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -243,8 +243,9 @@ static bool check_hw_exists(void)
 
 msr_fail:
         printk(KERN_CONT "Broken PMU hardware detected, using software events only.\n");
-        printk(boot_cpu_has(X86_FEATURE_HYPERVISOR) ? KERN_INFO : KERN_ERR
-               "Failed to access perfctr msr (MSR %x is %Lx)\n", reg, val_new);
+        printk("%sFailed to access perfctr msr (MSR %x is %Lx)\n",
+                boot_cpu_has(X86_FEATURE_HYPERVISOR) ? KERN_INFO : KERN_ERR,
+                reg, val_new);
 
         return false;
 }
@@ -444,12 +445,6 @@ int x86_pmu_hw_config(struct perf_event *event)
         if (event->attr.type == PERF_TYPE_RAW)
                 event->hw.config |= event->attr.config & X86_RAW_EVENT_MASK;
 
-        if (event->attr.sample_period && x86_pmu.limit_period) {
-                if (x86_pmu.limit_period(event, event->attr.sample_period) >
-                                event->attr.sample_period)
-                        return -EINVAL;
-        }
-
         return x86_setup_perfctr(event);
 }
 
@@ -987,9 +982,6 @@ int x86_perf_event_set_period(struct perf_event *event)
         if (left > x86_pmu.max_period)
                 left = x86_pmu.max_period;
 
-        if (x86_pmu.limit_period)
-                left = x86_pmu.limit_period(event, left);
-
         per_cpu(pmc_prev_left[idx], smp_processor_id()) = left;
 
         /*
diff --git a/arch/x86/kernel/cpu/perf_event.h b/arch/x86/kernel/cpu/perf_event.h
index d98a34d435d7..fc5eb390b368 100644
--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -445,7 +445,6 @@ struct x86_pmu {
         struct x86_pmu_quirk *quirks;
         int             perfctr_second_write;
         bool            late_ack;
-        unsigned        (*limit_period)(struct perf_event *event, unsigned l);
 
         /*
          * sysfs attrs
diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
index a73947c53b65..944bf019b74f 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -220,15 +220,6 @@ static struct event_constraint intel_hsw_event_constraints[] = {
         EVENT_CONSTRAINT_END
 };
 
-static struct event_constraint intel_bdw_event_constraints[] = {
-        FIXED_EVENT_CONSTRAINT(0x00c0, 0),      /* INST_RETIRED.ANY */
-        FIXED_EVENT_CONSTRAINT(0x003c, 1),      /* CPU_CLK_UNHALTED.CORE */
-        FIXED_EVENT_CONSTRAINT(0x0300, 2),      /* CPU_CLK_UNHALTED.REF */
-        INTEL_UEVENT_CONSTRAINT(0x148, 0x4),    /* L1D_PEND_MISS.PENDING */
-        INTEL_EVENT_CONSTRAINT(0xa3, 0x4),      /* CYCLE_ACTIVITY.* */
-        EVENT_CONSTRAINT_END
-};
-
 static u64 intel_pmu_event_map(int hw_event)
 {
         return intel_perfmon_event_map[hw_event];
@@ -424,126 +415,6 @@ static __initconst const u64 snb_hw_cache_event_ids
 
 };
 
-static __initconst const u64 hsw_hw_cache_event_ids
-                                [PERF_COUNT_HW_CACHE_MAX]
-                                [PERF_COUNT_HW_CACHE_OP_MAX]
-                                [PERF_COUNT_HW_CACHE_RESULT_MAX] =
-{
- [ C(L1D ) ] = {
-        [ C(OP_READ) ] = {
-                [ C(RESULT_ACCESS) ] = 0x81d0,  /* MEM_UOPS_RETIRED.ALL_LOADS */
-                [ C(RESULT_MISS)   ] = 0x151,   /* L1D.REPLACEMENT */
-        },
-        [ C(OP_WRITE) ] = {
-                [ C(RESULT_ACCESS) ] = 0x82d0,  /* MEM_UOPS_RETIRED.ALL_STORES */
-                [ C(RESULT_MISS)   ] = 0x0,
-        },
-        [ C(OP_PREFETCH) ] = {
-                [ C(RESULT_ACCESS) ] = 0x0,
-                [ C(RESULT_MISS)   ] = 0x0,
-        },
- },
- [ C(L1I ) ] = {
-        [ C(OP_READ) ] = {
-                [ C(RESULT_ACCESS) ] = 0x0,
-                [ C(RESULT_MISS)   ] = 0x280,   /* ICACHE.MISSES */
-        },
-        [ C(OP_WRITE) ] = {
-                [ C(RESULT_ACCESS) ] = -1,
-                [ C(RESULT_MISS)   ] = -1,
-        },
-        [ C(OP_PREFETCH) ] = {
-                [ C(RESULT_ACCESS) ] = 0x0,
-                [ C(RESULT_MISS)   ] = 0x0,
-        },
- },
- [ C(LL  ) ] = {
-        [ C(OP_READ) ] = {
-                /* OFFCORE_RESPONSE:ALL_DATA_RD|ALL_CODE_RD */
-                [ C(RESULT_ACCESS) ] = 0x1b7,
-                /* OFFCORE_RESPONSE:ALL_DATA_RD|ALL_CODE_RD|SUPPLIER_NONE|
-                   L3_MISS|ANY_SNOOP */
-                [ C(RESULT_MISS)   ] = 0x1b7,
-        },
-        [ C(OP_WRITE) ] = {
-                [ C(RESULT_ACCESS) ] = 0x1b7,   /* OFFCORE_RESPONSE:ALL_RFO */
-                /* OFFCORE_RESPONSE:ALL_RFO|SUPPLIER_NONE|L3_MISS|ANY_SNOOP */
-                [ C(RESULT_MISS)   ] = 0x1b7,
-        },
-        [ C(OP_PREFETCH) ] = {
-                [ C(RESULT_ACCESS) ] = 0x0,
-                [ C(RESULT_MISS)   ] = 0x0,
-        },
- },
- [ C(DTLB) ] = {
-        [ C(OP_READ) ] = {
-                [ C(RESULT_ACCESS) ] = 0x81d0,  /* MEM_UOPS_RETIRED.ALL_LOADS */
-                [ C(RESULT_MISS)   ] = 0x108,   /* DTLB_LOAD_MISSES.MISS_CAUSES_A_WALK */
-        },
-        [ C(OP_WRITE) ] = {
-                [ C(RESULT_ACCESS) ] = 0x82d0,  /* MEM_UOPS_RETIRED.ALL_STORES */
-                [ C(RESULT_MISS)   ] = 0x149,   /* DTLB_STORE_MISSES.MISS_CAUSES_A_WALK */
-        },
-        [ C(OP_PREFETCH) ] = {
-                [ C(RESULT_ACCESS) ] = 0x0,
-                [ C(RESULT_MISS)   ] = 0x0,
-        },
- },
- [ C(ITLB) ] = {
-        [ C(OP_READ) ] = {
-                [ C(RESULT_ACCESS) ] = 0x6085,  /* ITLB_MISSES.STLB_HIT */
-                [ C(RESULT_MISS)   ] = 0x185,   /* ITLB_MISSES.MISS_CAUSES_A_WALK */
-        },
-        [ C(OP_WRITE) ] = {
-                [ C(RESULT_ACCESS) ] = -1,
-                [ C(RESULT_MISS)   ] = -1,
-        },
-        [ C(OP_PREFETCH) ] = {
-                [ C(RESULT_ACCESS) ] = -1,
-                [ C(RESULT_MISS)   ] = -1,
-        },
- },
- [ C(BPU ) ] = {
-        [ C(OP_READ) ] = {
-                [ C(RESULT_ACCESS) ] = 0xc4,    /* BR_INST_RETIRED.ALL_BRANCHES */
-                [ C(RESULT_MISS)   ] = 0xc5,    /* BR_MISP_RETIRED.ALL_BRANCHES */
-        },
-        [ C(OP_WRITE) ] = {
-                [ C(RESULT_ACCESS) ] = -1,
-                [ C(RESULT_MISS)   ] = -1,
-        },
-        [ C(OP_PREFETCH) ] = {
-                [ C(RESULT_ACCESS) ] = -1,
-                [ C(RESULT_MISS)   ] = -1,
-        },
- },
-};
-
-static __initconst const u64 hsw_hw_cache_extra_regs
-                                [PERF_COUNT_HW_CACHE_MAX]
-                                [PERF_COUNT_HW_CACHE_OP_MAX]
-                                [PERF_COUNT_HW_CACHE_RESULT_MAX] =
-{
- [ C(LL  ) ] = {
-        [ C(OP_READ) ] = {
-                /* OFFCORE_RESPONSE:ALL_DATA_RD|ALL_CODE_RD */
-                [ C(RESULT_ACCESS) ] = 0x2d5,
-                /* OFFCORE_RESPONSE:ALL_DATA_RD|ALL_CODE_RD|SUPPLIER_NONE|
-                   L3_MISS|ANY_SNOOP */
-                [ C(RESULT_MISS)   ] = 0x3fbc0202d5ull,
-        },
-        [ C(OP_WRITE) ] = {
-                [ C(RESULT_ACCESS) ] = 0x122,   /* OFFCORE_RESPONSE:ALL_RFO */
-                /* OFFCORE_RESPONSE:ALL_RFO|SUPPLIER_NONE|L3_MISS|ANY_SNOOP */
-                [ C(RESULT_MISS)   ] = 0x3fbc020122ull,
-        },
-        [ C(OP_PREFETCH) ] = {
-                [ C(RESULT_ACCESS) ] = 0x0,
-                [ C(RESULT_MISS)   ] = 0x0,
-        },
- },
-};
-
 static __initconst const u64 westmere_hw_cache_event_ids
                                 [PERF_COUNT_HW_CACHE_MAX]
                                 [PERF_COUNT_HW_CACHE_OP_MAX]
@@ -2034,24 +1905,6 @@ hsw_get_event_constraints(struct cpu_hw_events *cpuc, struct perf_event *event)
         return c;
 }
 
-/*
- * Broadwell:
- * The INST_RETIRED.ALL period always needs to have lowest
- * 6bits cleared (BDM57). It shall not use a period smaller
- * than 100 (BDM11). We combine the two to enforce
- * a min-period of 128.
- */
-static unsigned bdw_limit_period(struct perf_event *event, unsigned left)
-{
-        if ((event->hw.config & INTEL_ARCH_EVENT_MASK) ==
-                        X86_CONFIG(.event=0xc0, .umask=0x01)) {
-                if (left < 128)
-                        left = 128;
-                left &= ~0x3fu;
-        }
-        return left;
-}
-
 PMU_FORMAT_ATTR(event,  "config:0-7"    );
 PMU_FORMAT_ATTR(umask,  "config:8-15"   );
 PMU_FORMAT_ATTR(edge,   "config:18"     );
@@ -2692,8 +2545,8 @@ __init int intel_pmu_init(void)
         case 69: /* 22nm Haswell ULT */
         case 70: /* 22nm Haswell + GT3e (Intel Iris Pro graphics) */
                 x86_pmu.late_ack = true;
-                memcpy(hw_cache_event_ids, hsw_hw_cache_event_ids, sizeof(hw_cache_event_ids));
-                memcpy(hw_cache_extra_regs, hsw_hw_cache_extra_regs, sizeof(hw_cache_extra_regs));
+                memcpy(hw_cache_event_ids, snb_hw_cache_event_ids, sizeof(hw_cache_event_ids));
+                memcpy(hw_cache_extra_regs, snb_hw_cache_extra_regs, sizeof(hw_cache_extra_regs));
 
                 intel_pmu_lbr_init_snb();
 
@@ -2712,28 +2565,6 @@ __init int intel_pmu_init(void)
                 pr_cont("Haswell events, ");
                 break;
 
-        case 61: /* 14nm Broadwell Core-M */
-                x86_pmu.late_ack = true;
-                memcpy(hw_cache_event_ids, hsw_hw_cache_event_ids, sizeof(hw_cache_event_ids));
-                memcpy(hw_cache_extra_regs, hsw_hw_cache_extra_regs, sizeof(hw_cache_extra_regs));
-
-                intel_pmu_lbr_init_snb();
-
-                x86_pmu.event_constraints = intel_bdw_event_constraints;
-                x86_pmu.pebs_constraints = intel_hsw_pebs_event_constraints;
-                x86_pmu.extra_regs = intel_snbep_extra_regs;
-                x86_pmu.pebs_aliases = intel_pebs_aliases_snb;
-                /* all extra regs are per-cpu when HT is on */
-                x86_pmu.er_flags |= ERF_HAS_RSP_1;
-                x86_pmu.er_flags |= ERF_NO_HT_SHARING;
-
-                x86_pmu.hw_config = hsw_hw_config;
-                x86_pmu.get_event_constraints = hsw_get_event_constraints;
-                x86_pmu.cpu_events = hsw_events_attrs;
-                x86_pmu.limit_period = bdw_limit_period;
-                pr_cont("Broadwell events, ");
-                break;
-
         default:
                 switch (x86_pmu.version) {
                 case 1:
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c b/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
index adf138eac85c..f9ed429d6e4f 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
@@ -486,14 +486,17 @@ static struct attribute_group snbep_uncore_qpi_format_group = {
         .attrs = snbep_uncore_qpi_formats_attr,
 };
 
-#define SNBEP_UNCORE_MSR_OPS_COMMON_INIT()                      \
-        .init_box       = snbep_uncore_msr_init_box,            \
+#define __SNBEP_UNCORE_MSR_OPS_COMMON_INIT()                    \
         .disable_box    = snbep_uncore_msr_disable_box,         \
         .enable_box     = snbep_uncore_msr_enable_box,          \
         .disable_event  = snbep_uncore_msr_disable_event,       \
         .enable_event   = snbep_uncore_msr_enable_event,        \
         .read_counter   = uncore_msr_read_counter
 
+#define SNBEP_UNCORE_MSR_OPS_COMMON_INIT()                      \
+        __SNBEP_UNCORE_MSR_OPS_COMMON_INIT(),                   \
+        .init_box       = snbep_uncore_msr_init_box             \
+
 static struct intel_uncore_ops snbep_uncore_msr_ops = {
         SNBEP_UNCORE_MSR_OPS_COMMON_INIT(),
 };
@@ -1919,6 +1922,30 @@ static struct intel_uncore_type hswep_uncore_cbox = {
         .format_group           = &hswep_uncore_cbox_format_group,
 };
 
+/*
+ * Write SBOX Initialization register bit by bit to avoid spurious #GPs
+ */
+static void hswep_uncore_sbox_msr_init_box(struct intel_uncore_box *box)
+{
+        unsigned msr = uncore_msr_box_ctl(box);
+
+        if (msr) {
+                u64 init = SNBEP_PMON_BOX_CTL_INT;
+                u64 flags = 0;
+                int i;
+
+                for_each_set_bit(i, (unsigned long *)&init, 64) {
+                        flags |= (1ULL << i);
+                        wrmsrl(msr, flags);
+                }
+        }
+}
+
+static struct intel_uncore_ops hswep_uncore_sbox_msr_ops = {
+        __SNBEP_UNCORE_MSR_OPS_COMMON_INIT(),
+        .init_box               = hswep_uncore_sbox_msr_init_box
+};
+
 static struct attribute *hswep_uncore_sbox_formats_attr[] = {
         &format_attr_event.attr,
         &format_attr_umask.attr,
@@ -1944,7 +1971,7 @@ static struct intel_uncore_type hswep_uncore_sbox = {
         .event_mask             = HSWEP_S_MSR_PMON_RAW_EVENT_MASK,
         .box_ctl                = HSWEP_S0_MSR_PMON_BOX_CTL,
         .msr_offset             = HSWEP_SBOX_MSR_OFFSET,
-        .ops                    = &snbep_uncore_msr_ops,
+        .ops                    = &hswep_uncore_sbox_msr_ops,
         .format_group           = &hswep_uncore_sbox_format_group,
 };
 
@@ -2025,13 +2052,27 @@ static struct intel_uncore_type hswep_uncore_imc = {
         SNBEP_UNCORE_PCI_COMMON_INIT(),
 };
 
+static unsigned hswep_uncore_irp_ctrs[] = {0xa0, 0xa8, 0xb0, 0xb8};
+
+static u64 hswep_uncore_irp_read_counter(struct intel_uncore_box *box, struct perf_event *event)
+{
+        struct pci_dev *pdev = box->pci_dev;
+        struct hw_perf_event *hwc = &event->hw;
+        u64 count = 0;
+
+        pci_read_config_dword(pdev, hswep_uncore_irp_ctrs[hwc->idx], (u32 *)&count);
+        pci_read_config_dword(pdev, hswep_uncore_irp_ctrs[hwc->idx] + 4, (u32 *)&count + 1);
+
+        return count;
+}
+
 static struct intel_uncore_ops hswep_uncore_irp_ops = {
         .init_box       = snbep_uncore_pci_init_box,
         .disable_box    = snbep_uncore_pci_disable_box,
         .enable_box     = snbep_uncore_pci_enable_box,
         .disable_event  = ivbep_uncore_irp_disable_event,
         .enable_event   = ivbep_uncore_irp_enable_event,
-        .read_counter   = ivbep_uncore_irp_read_counter,
+        .read_counter   = hswep_uncore_irp_read_counter,
 };
 
 static struct intel_uncore_type hswep_uncore_irp = {
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
index 1abcb50b48ae..ff86f19b5758 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -24,7 +24,6 @@ static char x86_stack_ids[][8] = {
                 [ DEBUG_STACK-1                 ]       = "#DB",
                 [ NMI_STACK-1                   ]       = "NMI",
                 [ DOUBLEFAULT_STACK-1           ]       = "#DF",
-                [ STACKFAULT_STACK-1            ]       = "#SS",
                 [ MCE_STACK-1                   ]       = "#MC",
 #if DEBUG_STKSZ > EXCEPTION_STKSZ
                 [ N_EXCEPTION_STACKS ...
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index b553ed89e5f5..344b63f18d14 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -447,15 +447,14 @@ sysenter_exit:
 sysenter_audit:
         testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
         jnz syscall_trace_entry
-        addl $4,%esp
-        CFI_ADJUST_CFA_OFFSET -4
-        movl %esi,4(%esp)               /* 5th arg: 4th syscall arg */
-        movl %edx,(%esp)                /* 4th arg: 3rd syscall arg */
-        /* %ecx already in %ecx            3rd arg: 2nd syscall arg */
-        movl %ebx,%edx                  /* 2nd arg: 1st syscall arg */
-        /* %eax already in %eax            1st arg: syscall number */
+        /* movl PT_EAX(%esp), %eax      already set, syscall number: 1st arg to audit */
+        movl PT_EBX(%esp), %edx         /* ebx/a0: 2nd arg to audit */
+        /* movl PT_ECX(%esp), %ecx      already set, a1: 3nd arg to audit */
+        pushl_cfi PT_ESI(%esp)          /* a3: 5th arg */
+        pushl_cfi PT_EDX+4(%esp)        /* a2: 4th arg */
         call __audit_syscall_entry
-        pushl_cfi %ebx
+        popl_cfi %ecx /* get that remapped edx off the stack */
+        popl_cfi %ecx /* get that remapped esi off the stack */
         movl PT_EAX(%esp),%eax          /* reload syscall number */
         jmp sysenter_do_call
 
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index df088bb03fb3..c0226ab54106 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -828,9 +828,15 @@ ENTRY(native_iret)
         jnz native_irq_return_ldt
 #endif
 
+.global native_irq_return_iret
 native_irq_return_iret:
+        /*
+         * This may fault.  Non-paranoid faults on return to userspace are
+         * handled by fixup_bad_iret.  These include #SS, #GP, and #NP.
+         * Double-faults due to espfix64 are handled in do_double_fault.
+         * Other faults here are fatal.
+         */
         iretq
-        _ASM_EXTABLE(native_irq_return_iret, bad_iret)
 
 #ifdef CONFIG_X86_ESPFIX64
 native_irq_return_ldt:
@@ -858,25 +864,6 @@ native_irq_return_ldt:
         jmp native_irq_return_iret
 #endif
 
-        .section .fixup,"ax"
-bad_iret:
-        /*
-         * The iret traps when the %cs or %ss being restored is bogus.
-         * We've lost the original trap vector and error code.
-         * #GPF is the most likely one to get for an invalid selector.
-         * So pretend we completed the iret and took the #GPF in user mode.
-         *
-         * We are now running with the kernel GS after exception recovery.
-         * But error_entry expects us to have user GS to match the user %cs,
-         * so swap back.
-         */
-        pushq $0
-
-        SWAPGS
-        jmp general_protection
-
-        .previous
-
         /* edi: workmask, edx: work */
 retint_careful:
         CFI_RESTORE_STATE
@@ -922,37 +909,6 @@ ENTRY(retint_kernel)
         CFI_ENDPROC
 END(common_interrupt)
 
-        /*
-         * If IRET takes a fault on the espfix stack, then we
-         * end up promoting it to a doublefault.  In that case,
-         * modify the stack to make it look like we just entered
-         * the #GP handler from user space, similar to bad_iret.
-         */
-#ifdef CONFIG_X86_ESPFIX64
-        ALIGN
-__do_double_fault:
-        XCPT_FRAME 1 RDI+8
-        movq RSP(%rdi),%rax             /* Trap on the espfix stack? */
-        sarq $PGDIR_SHIFT,%rax
-        cmpl $ESPFIX_PGD_ENTRY,%eax
-        jne do_double_fault             /* No, just deliver the fault */
-        cmpl $__KERNEL_CS,CS(%rdi)
-        jne do_double_fault
-        movq RIP(%rdi),%rax
-        cmpq $native_irq_return_iret,%rax
-        jne do_double_fault             /* This shouldn't happen... */
-        movq PER_CPU_VAR(kernel_stack),%rax
-        subq $(6*8-KERNEL_STACK_OFFSET),%rax    /* Reset to original stack */
-        movq %rax,RSP(%rdi)
-        movq $0,(%rax)                  /* Missing (lost) #GP error code */
-        movq $general_protection,RIP(%rdi)
-        retq
-        CFI_ENDPROC
-END(__do_double_fault)
-#else
-# define __do_double_fault do_double_fault
-#endif
-
 /*
  * APIC interrupts.
  */
@@ -1124,7 +1080,7 @@ idtentry overflow do_overflow has_error_code=0
 idtentry bounds do_bounds has_error_code=0
 idtentry invalid_op do_invalid_op has_error_code=0
 idtentry device_not_available do_device_not_available has_error_code=0
-idtentry double_fault __do_double_fault has_error_code=1 paranoid=1
+idtentry double_fault do_double_fault has_error_code=1 paranoid=1
 idtentry coprocessor_segment_overrun do_coprocessor_segment_overrun has_error_code=0
 idtentry invalid_TSS do_invalid_TSS has_error_code=1
 idtentry segment_not_present do_segment_not_present has_error_code=1
@@ -1289,7 +1245,7 @@ apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
 
 idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
 idtentry int3 do_int3 has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
-idtentry stack_segment do_stack_segment has_error_code=1 paranoid=1
+idtentry stack_segment do_stack_segment has_error_code=1
 #ifdef CONFIG_XEN
 idtentry xen_debug do_debug has_error_code=0
 idtentry xen_int3 do_int3 has_error_code=0
@@ -1399,17 +1355,16 @@ error_sti:
 
 /*
  * There are two places in the kernel that can potentially fault with
- * usergs. Handle them here. The exception handlers after iret run with
- * kernel gs again, so don't set the user space flag. B stepping K8s
- * sometimes report an truncated RIP for IRET exceptions returning to
- * compat mode. Check for these here too.
+ * usergs. Handle them here.  B stepping K8s sometimes report a
+ * truncated RIP for IRET exceptions returning to compat mode. Check
+ * for these here too.
  */
 error_kernelspace:
         CFI_REL_OFFSET rcx, RCX+8
         incl %ebx
         leaq native_irq_return_iret(%rip),%rcx
         cmpq %rcx,RIP+8(%rsp)
-        je error_swapgs
+        je error_bad_iret
         movl %ecx,%eax  /* zero extend */
         cmpq %rax,RIP+8(%rsp)
         je bstep_iret
@@ -1420,7 +1375,15 @@ error_kernelspace:
 bstep_iret:
         /* Fix truncated RIP */
         movq %rcx,RIP+8(%rsp)
-        jmp error_swapgs
+        /* fall through */
+
+error_bad_iret:
+        SWAPGS
+        mov %rsp,%rdi
+        call fixup_bad_iret
+        mov %rax,%rsp
+        decl %ebx       /* Return to usergs */
+        jmp error_sti
         CFI_ENDPROC
 END(error_entry)
 
diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
index 8af817105e29..e7cc5370cd2f 100644
--- a/arch/x86/kernel/i8259.c
+++ b/arch/x86/kernel/i8259.c
@@ -111,8 +111,7 @@ static void make_8259A_irq(unsigned int irq)
 {
         disable_irq_nosync(irq);
         io_apic_irqs &= ~(1<<irq);
-        irq_set_chip_and_handler_name(irq, &i8259A_chip, handle_level_irq,
-                                      i8259A_chip.name);
+        irq_set_chip_and_handler(irq, &i8259A_chip, handle_level_irq);
         enable_irq(irq);
 }
 
diff --git a/arch/x86/kernel/irqinit.c b/arch/x86/kernel/irqinit.c
index 44f1ed42fdf2..4de73ee78361 100644
--- a/arch/x86/kernel/irqinit.c
+++ b/arch/x86/kernel/irqinit.c
@@ -70,7 +70,6 @@ int vector_used_by_percpu_irq(unsigned int vector)
 void __init init_ISA_irqs(void)
 {
         struct irq_chip *chip = legacy_pic->chip;
-        const char *name = chip->name;
         int i;
 
 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_LOCAL_APIC)
@@ -79,7 +78,7 @@ void __init init_ISA_irqs(void)
         legacy_pic->init(0);
 
         for (i = 0; i < nr_legacy_irqs(); i++)
-                irq_set_chip_and_handler_name(i, chip, handle_level_irq, name);
+                irq_set_chip_and_handler(i, chip, handle_level_irq);
 }
 
 void __init init_IRQ(void)
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index 749b0e423419..e510618b2e91 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -1484,7 +1484,7 @@ unsigned long syscall_trace_enter_phase1(struct pt_regs *regs, u32 arch)
          */
         if (work & _TIF_NOHZ) {
                 user_exit();
-                work &= ~TIF_NOHZ;
+                work &= ~_TIF_NOHZ;
         }
 
 #ifdef CONFIG_SECCOMP
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 235cfd39e0d7..ab08aa2276fb 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1128,7 +1128,6 @@ void __init setup_arch(char **cmdline_p)
         setup_real_mode();
 
         memblock_set_current_limit(get_max_mapped());
-        dma_contiguous_reserve(max_pfn_mapped << PAGE_SHIFT);
 
         /*
          * NOTE: On x86-32, only from this point on, fixmaps are ready for use.
@@ -1159,6 +1158,7 @@ void __init setup_arch(char **cmdline_p)
         early_acpi_boot_init();
 
         initmem_init();
+        dma_contiguous_reserve(max_pfn_mapped << PAGE_SHIFT);
 
         /*
          * Reserve memory for crash kernel after SRAT is parsed so that it
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index 2d5200e56357..668d8f2a8781 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -102,8 +102,6 @@ DEFINE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_llc_shared_map);
 DEFINE_PER_CPU_SHARED_ALIGNED(struct cpuinfo_x86, cpu_info);
 EXPORT_PER_CPU_SYMBOL(cpu_info);
 
-static DEFINE_PER_CPU(struct completion, die_complete);
-
 atomic_t init_deasserted;
 
 /*
@@ -1305,10 +1303,14 @@ static void __ref remove_cpu_from_maps(int cpu)
         numa_remove_cpu(cpu);
 }
 
+static DEFINE_PER_CPU(struct completion, die_complete);
+
 void cpu_disable_common(void)
 {
         int cpu = smp_processor_id();
 
+        init_completion(&per_cpu(die_complete, smp_processor_id()));
+
         remove_siblinginfo(cpu);
 
         /* It's now safe to remove this processor from the online map */
@@ -1327,16 +1329,21 @@ int native_cpu_disable(void)
                 return ret;
 
         clear_local_APIC();
-        init_completion(&per_cpu(die_complete, smp_processor_id()));
         cpu_disable_common();
 
         return 0;
 }
 
+void cpu_die_common(unsigned int cpu)
+{
+        wait_for_completion_timeout(&per_cpu(die_complete, cpu), HZ);
+}
+
 void native_cpu_die(unsigned int cpu)
 {
         /* We don't do anything here: idle task is faking death itself. */
-        wait_for_completion_timeout(&per_cpu(die_complete, cpu), HZ);
+
+        cpu_die_common(cpu);
 
         /* They ack this in play_dead() by setting CPU_DEAD */
         if (per_cpu(cpu_state, cpu) == CPU_DEAD) {
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 0d0e922fafc1..de801f22128a 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -233,32 +233,40 @@ DO_ERROR(X86_TRAP_UD,     SIGILL,  "invalid opcode",		invalid_op)
 DO_ERROR(X86_TRAP_OLD_MF, SIGFPE,  "coprocessor segment overrun",coprocessor_segment_overrun)
 DO_ERROR(X86_TRAP_TS,     SIGSEGV, "invalid TSS",               invalid_TSS)
 DO_ERROR(X86_TRAP_NP,     SIGBUS,  "segment not present",       segment_not_present)
-#ifdef CONFIG_X86_32
 DO_ERROR(X86_TRAP_SS,     SIGBUS,  "stack segment",             stack_segment)
-#endif
 DO_ERROR(X86_TRAP_AC,     SIGBUS,  "alignment check",           alignment_check)
 
 #ifdef CONFIG_X86_64
 /* Runs on IST stack */
-dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code)
-{
-        enum ctx_state prev_state;
-
-        prev_state = exception_enter();
-        if (notify_die(DIE_TRAP, "stack segment", regs, error_code,
-                       X86_TRAP_SS, SIGBUS) != NOTIFY_STOP) {
-                preempt_conditional_sti(regs);
-                do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL);
-                preempt_conditional_cli(regs);
-        }
-        exception_exit(prev_state);
-}
-
 dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
 {
         static const char str[] = "double fault";
         struct task_struct *tsk = current;
 
+#ifdef CONFIG_X86_ESPFIX64
+        extern unsigned char native_irq_return_iret[];
+
+        /*
+         * If IRET takes a non-IST fault on the espfix64 stack, then we
+         * end up promoting it to a doublefault.  In that case, modify
+         * the stack to make it look like we just entered the #GP
+         * handler from user space, similar to bad_iret.
+         */
+        if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY &&
+                regs->cs == __KERNEL_CS &&
+                regs->ip == (unsigned long)native_irq_return_iret)
+        {
+                struct pt_regs *normal_regs = task_pt_regs(current);
+
+                /* Fake a #GP(0) from userspace. */
+                memmove(&normal_regs->ip, (void *)regs->sp, 5*8);
+                normal_regs->orig_ax = 0;  /* Missing (lost) #GP error code */
+                regs->ip = (unsigned long)general_protection;
+                regs->sp = (unsigned long)&normal_regs->orig_ax;
+                return;
+        }
+#endif
+
         exception_enter();
         /* Return not checked because double check cannot be ignored */
         notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV);
@@ -399,6 +407,35 @@ asmlinkage __visible struct pt_regs *sync_regs(struct pt_regs *eregs)
         return regs;
 }
 NOKPROBE_SYMBOL(sync_regs);
+
+struct bad_iret_stack {
+        void *error_entry_ret;
+        struct pt_regs regs;
+};
+
+asmlinkage __visible
+struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
+{
+        /*
+         * This is called from entry_64.S early in handling a fault
+         * caused by a bad iret to user mode.  To handle the fault
+         * correctly, we want move our stack frame to task_pt_regs
+         * and we want to pretend that the exception came from the
+         * iret target.
+         */
+        struct bad_iret_stack *new_stack =
+                container_of(task_pt_regs(current),
+                             struct bad_iret_stack, regs);
+
+        /* Copy the IRET target to the new stack. */
+        memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
+
+        /* Copy the remainder of the stack from the current stack. */
+        memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
+
+        BUG_ON(!user_mode_vm(&new_stack->regs));
+        return new_stack;
+}
 #endif
 
 /*
@@ -778,7 +815,7 @@ void __init trap_init(void)
         set_intr_gate(X86_TRAP_OLD_MF, coprocessor_segment_overrun);
         set_intr_gate(X86_TRAP_TS, invalid_TSS);
         set_intr_gate(X86_TRAP_NP, segment_not_present);
-        set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK);
+        set_intr_gate(X86_TRAP_SS, stack_segment);
         set_intr_gate(X86_TRAP_GP, general_protection);
         set_intr_gate(X86_TRAP_SPURIOUS, spurious_interrupt_bug);
         set_intr_gate(X86_TRAP_MF, coprocessor_error);
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index b6025f9e36c6..b7e50bba3bbb 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -1166,14 +1166,17 @@ void __init tsc_init(void)
 
         x86_init.timers.tsc_pre_init();
 
-        if (!cpu_has_tsc)
+        if (!cpu_has_tsc) {
+                setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
                 return;
+        }
 
         tsc_khz = x86_platform.calibrate_tsc();
         cpu_khz = tsc_khz;
 
         if (!tsc_khz) {
                 mark_tsc_unstable("could not calculate TSC khz");
+                setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
                 return;
         }
 
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 749f9fa38254..9f8a2faf5040 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -574,12 +574,14 @@ static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
         case 4:
                 ctxt->_eip = (u32)dst;
                 break;
+#ifdef CONFIG_X86_64
         case 8:
                 if ((cs_l && is_noncanonical_address(dst)) ||
-                    (!cs_l && (dst & ~(u32)-1)))
+                    (!cs_l && (dst >> 32) != 0))
                         return emulate_gp(ctxt, 0);
                 ctxt->_eip = dst;
                 break;
+#endif
         default:
                 WARN(1, "unsupported eip assignment size\n");
         }
@@ -641,7 +643,8 @@ static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
 
 static int __linearize(struct x86_emulate_ctxt *ctxt,
                      struct segmented_address addr,
-                     unsigned size, bool write, bool fetch,
+                     unsigned *max_size, unsigned size,
+                     bool write, bool fetch,
                      ulong *linear)
 {
         struct desc_struct desc;
@@ -652,10 +655,15 @@ static int __linearize(struct x86_emulate_ctxt *ctxt,
         unsigned cpl;
 
         la = seg_base(ctxt, addr.seg) + addr.ea;
+        *max_size = 0;
         switch (ctxt->mode) {
         case X86EMUL_MODE_PROT64:
                 if (((signed long)la << 16) >> 16 != la)
                         return emulate_gp(ctxt, 0);
+
+                *max_size = min_t(u64, ~0u, (1ull << 48) - la);
+                if (size > *max_size)
+                        goto bad;
                 break;
         default:
                 usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
@@ -673,20 +681,25 @@ static int __linearize(struct x86_emulate_ctxt *ctxt,
                 if ((ctxt->mode == X86EMUL_MODE_REAL) && !fetch &&
                     (ctxt->d & NoBigReal)) {
                         /* la is between zero and 0xffff */
-                        if (la > 0xffff || (u32)(la + size - 1) > 0xffff)
+                        if (la > 0xffff)
                                 goto bad;
+                        *max_size = 0x10000 - la;
                 } else if ((desc.type & 8) || !(desc.type & 4)) {
                         /* expand-up segment */
-                        if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
+                        if (addr.ea > lim)
                                 goto bad;
+                        *max_size = min_t(u64, ~0u, (u64)lim + 1 - addr.ea);
                 } else {
                         /* expand-down segment */
-                        if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
+                        if (addr.ea <= lim)
                                 goto bad;
                         lim = desc.d ? 0xffffffff : 0xffff;
-                        if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
+                        if (addr.ea > lim)
                                 goto bad;
+                        *max_size = min_t(u64, ~0u, (u64)lim + 1 - addr.ea);
                 }
+                if (size > *max_size)
+                        goto bad;
                 cpl = ctxt->ops->cpl(ctxt);
                 if (!(desc.type & 8)) {
                         /* data segment */
@@ -711,9 +724,9 @@ static int __linearize(struct x86_emulate_ctxt *ctxt,
         return X86EMUL_CONTINUE;
 bad:
         if (addr.seg == VCPU_SREG_SS)
-                return emulate_ss(ctxt, sel);
+                return emulate_ss(ctxt, 0);
         else
-                return emulate_gp(ctxt, sel);
+                return emulate_gp(ctxt, 0);
 }
 
 static int linearize(struct x86_emulate_ctxt *ctxt,
@@ -721,7 +734,8 @@ static int linearize(struct x86_emulate_ctxt *ctxt,
                      unsigned size, bool write,
                      ulong *linear)
 {
-        return __linearize(ctxt, addr, size, write, false, linear);
+        unsigned max_size;
+        return __linearize(ctxt, addr, &max_size, size, write, false, linear);
 }
 
 
@@ -746,17 +760,27 @@ static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
 static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
 {
         int rc;
-        unsigned size;
+        unsigned size, max_size;
         unsigned long linear;
         int cur_size = ctxt->fetch.end - ctxt->fetch.data;
         struct segmented_address addr = { .seg = VCPU_SREG_CS,
                                            .ea = ctxt->eip + cur_size };
 
-        size = 15UL ^ cur_size;
-        rc = __linearize(ctxt, addr, size, false, true, &linear);
+        /*
+         * We do not know exactly how many bytes will be needed, and
+         * __linearize is expensive, so fetch as much as possible.  We
+         * just have to avoid going beyond the 15 byte limit, the end
+         * of the segment, or the end of the page.
+         *
+         * __linearize is called with size 0 so that it does not do any
+         * boundary check itself.  Instead, we use max_size to check
+         * against op_size.
+         */
+        rc = __linearize(ctxt, addr, &max_size, 0, false, true, &linear);
         if (unlikely(rc != X86EMUL_CONTINUE))
                 return rc;
 
+        size = min_t(unsigned, 15UL ^ cur_size, max_size);
         size = min_t(unsigned, size, PAGE_SIZE - offset_in_page(linear));
 
         /*
@@ -766,7 +790,8 @@ static int __do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, int op_size)
          * still, we must have hit the 15-byte boundary.
          */
         if (unlikely(size < op_size))
-                return X86EMUL_UNHANDLEABLE;
+                return emulate_gp(ctxt, 0);
+
         rc = ctxt->ops->fetch(ctxt, linear, ctxt->fetch.end,
                               size, &ctxt->exception);
         if (unlikely(rc != X86EMUL_CONTINUE))
@@ -2012,7 +2037,7 @@ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
 
         rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
         if (rc != X86EMUL_CONTINUE) {
-                WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+                WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
                 /* assigning eip failed; restore the old cs */
                 ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
                 return rc;
@@ -2109,7 +2134,7 @@ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
                 return rc;
         rc = assign_eip_far(ctxt, eip, new_desc.l);
         if (rc != X86EMUL_CONTINUE) {
-                WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+                WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
                 ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
         }
         return rc;
@@ -4262,6 +4287,7 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
                 fetch_register_operand(op);
                 break;
         case OpCL:
+                op->type = OP_IMM;
                 op->bytes = 1;
                 op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff;
                 break;
@@ -4269,6 +4295,7 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
                 rc = decode_imm(ctxt, op, 1, true);
                 break;
         case OpOne:
+                op->type = OP_IMM;
                 op->bytes = 1;
                 op->val = 1;
                 break;
@@ -4327,21 +4354,27 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
                 ctxt->memop.bytes = ctxt->op_bytes + 2;
                 goto mem_common;
         case OpES:
+                op->type = OP_IMM;
                 op->val = VCPU_SREG_ES;
                 break;
         case OpCS:
+                op->type = OP_IMM;
                 op->val = VCPU_SREG_CS;
                 break;
         case OpSS:
+                op->type = OP_IMM;
                 op->val = VCPU_SREG_SS;
                 break;
         case OpDS:
+                op->type = OP_IMM;
                 op->val = VCPU_SREG_DS;
                 break;
         case OpFS:
+                op->type = OP_IMM;
                 op->val = VCPU_SREG_FS;
                 break;
         case OpGS:
+                op->type = OP_IMM;
                 op->val = VCPU_SREG_GS;
                 break;
         case OpImplicit:
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index a8b76c4c95e2..3e556c68351b 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4579,7 +4579,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu)
                 vmcs_write32(TPR_THRESHOLD, 0);
         }
 
-        kvm_vcpu_reload_apic_access_page(vcpu);
+        kvm_make_request(KVM_REQ_APIC_PAGE_RELOAD, vcpu);
 
         if (vmx_vm_has_apicv(vcpu->kvm))
                 memset(&vmx->pi_desc, 0, sizeof(struct pi_desc));
@@ -6426,6 +6426,8 @@ static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx)
         const unsigned long *fields = shadow_read_write_fields;
         const int num_fields = max_shadow_read_write_fields;
 
+        preempt_disable();
+
         vmcs_load(shadow_vmcs);
 
         for (i = 0; i < num_fields; i++) {
@@ -6449,6 +6451,8 @@ static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx)
 
         vmcs_clear(shadow_vmcs);
         vmcs_load(vmx->loaded_vmcs->vmcs);
+
+        preempt_enable();
 }
 
 static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx)
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
index 7609e0e421ec..1318f75d56e4 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
@@ -41,9 +41,8 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
                 while (((unsigned long)src & 6) && len >= 2) {
                         __u16 val16;
 
-                        *errp = __get_user(val16, (const __u16 __user *)src);
-                        if (*errp)
-                                return isum;
+                        if (__get_user(val16, (const __u16 __user *)src))
+                                goto out_err;
 
                         *(__u16 *)dst = val16;
                         isum = (__force __wsum)add32_with_carry(
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 4cb8763868fc..4e5dfec750fc 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1123,7 +1123,7 @@ void mark_rodata_ro(void)
         unsigned long end = (unsigned long) &__end_rodata_hpage_align;
         unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
         unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
-        unsigned long all_end = PFN_ALIGN(&_end);
+        unsigned long all_end;
 
         printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
                (end - start) >> 10);
@@ -1134,7 +1134,16 @@ void mark_rodata_ro(void)
         /*
          * The rodata/data/bss/brk section (but not the kernel text!)
          * should also be not-executable.
+         *
+         * We align all_end to PMD_SIZE because the existing mapping
+         * is a full PMD. If we would align _brk_end to PAGE_SIZE we
+         * split the PMD and the reminder between _brk_end and the end
+         * of the PMD will remain mapped executable.
+         *
+         * Any PMD which was setup after the one which covers _brk_end
+         * has been zapped already via cleanup_highmem().
          */
+        all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
         set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
 
         rodata_test();
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
index ae242a7c11c7..36de293caf25 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -409,7 +409,7 @@ phys_addr_t slow_virt_to_phys(void *__virt_addr)
         psize = page_level_size(level);
         pmask = page_level_mask(level);
         offset = virt_addr & ~pmask;
-        phys_addr = pte_pfn(*pte) << PAGE_SHIFT;
+        phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT;
         return (phys_addr | offset);
 }
 EXPORT_SYMBOL_GPL(slow_virt_to_phys);
diff --git a/arch/x86/platform/intel-mid/sfi.c b/arch/x86/platform/intel-mid/sfi.c
index 3c53a90fdb18..c14ad34776c4 100644
--- a/arch/x86/platform/intel-mid/sfi.c
+++ b/arch/x86/platform/intel-mid/sfi.c
@@ -106,6 +106,7 @@ int __init sfi_parse_mtmr(struct sfi_table_header *table)
                         mp_irq.dstapic = MP_APIC_ALL;
                         mp_irq.dstirq = pentry->irq;
                         mp_save_irq(&mp_irq);
+                        mp_map_gsi_to_irq(pentry->irq, IOAPIC_MAP_ALLOC);
         }
 
         return 0;
@@ -176,6 +177,7 @@ int __init sfi_parse_mrtc(struct sfi_table_header *table)
                 mp_irq.dstapic = MP_APIC_ALL;
                 mp_irq.dstirq = pentry->irq;
                 mp_save_irq(&mp_irq);
+                mp_map_gsi_to_irq(pentry->irq, IOAPIC_MAP_ALLOC);
         }
         return 0;
 }
diff --git a/arch/x86/tools/calc_run_size.pl b/arch/x86/tools/calc_run_size.pl
new file mode 100644
index 000000000000..23210baade2d
--- /dev/null
+++ b/arch/x86/tools/calc_run_size.pl
@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+#
+# Calculate the amount of space needed to run the kernel, including room for
+# the .bss and .brk sections.
+#
+# Usage:
+# objdump -h a.out | perl calc_run_size.pl
+use strict;
+
+my $mem_size = 0;
+my $file_offset = 0;
+
+my $sections=" *[0-9]+ \.(?:bss|brk) +";
+while (<>) {
+        if (/^$sections([0-9a-f]+) +(?:[0-9a-f]+ +){2}([0-9a-f]+)/) {
+                my $size = hex($1);
+                my $offset = hex($2);
+                $mem_size += $size;
+                if ($file_offset == 0) {
+                        $file_offset = $offset;
+                } elsif ($file_offset != $offset) {
+                        # BFD linker shows the same file offset in ELF.
+                        # Gold linker shows them as consecutive.
+                        next if ($file_offset + $mem_size == $offset + $size);
+
+                        printf STDERR "file_offset: 0x%lx\n", $file_offset;
+                        printf STDERR "mem_size: 0x%lx\n", $mem_size;
+                        printf STDERR "offset: 0x%lx\n", $offset;
+                        printf STDERR "size: 0x%lx\n", $size;
+
+                        die ".bss and .brk are non-contiguous\n";
+                }
+        }
+}
+
+if ($file_offset == 0) {
+        die "Never found .bss or .brk file offset\n";
+}
+printf("%d\n", $mem_size + $file_offset);
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index 8650cdb53209..4c071aeb8417 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -510,6 +510,9 @@ static void xen_cpu_die(unsigned int cpu)
                 current->state = TASK_UNINTERRUPTIBLE;
                 schedule_timeout(HZ/10);
         }
+
+        cpu_die_common(cpu);
+
         xen_smp_intr_free(cpu);
         xen_uninit_lock_cpu(cpu);
         xen_teardown_timer(cpu);