37 files changed, 899 insertions, 827 deletions

diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index cdb1b70ddad0..c887cd944f0c 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -32,6 +32,7 @@ obj-$(CONFIG_X86_32)	+= i386_ksyms_32.o
 obj-$(CONFIG_X86_64)    += sys_x86_64.o x8664_ksyms_64.o
 obj-$(CONFIG_X86_64)    += mcount_64.o
 obj-y                   += syscall_$(BITS).o vsyscall_gtod.o
+obj-$(CONFIG_IA32_EMULATION)    += syscall_32.o
 obj-$(CONFIG_X86_VSYSCALL_EMULATION)    += vsyscall_64.o vsyscall_emu_64.o
 obj-$(CONFIG_X86_ESPFIX64)      += espfix_64.o
 obj-$(CONFIG_SYSFS)     += ksysfs.o
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 703130f469ec..aef653193160 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -52,10 +52,25 @@ static int __init setup_noreplace_paravirt(char *str)
 __setup("noreplace-paravirt", setup_noreplace_paravirt);
 #endif
 
-#define DPRINTK(fmt, ...)                               \
-do {                                                    \
-        if (debug_alternative)                          \
-                printk(KERN_DEBUG fmt, ##__VA_ARGS__);  \
+#define DPRINTK(fmt, args...)                                           \
+do {                                                                    \
+        if (debug_alternative)                                          \
+                printk(KERN_DEBUG "%s: " fmt "\n", __func__, ##args);   \
+} while (0)
+
+#define DUMP_BYTES(buf, len, fmt, args...)                              \
+do {                                                                    \
+        if (unlikely(debug_alternative)) {                              \
+                int j;                                                  \
+                                                                        \
+                if (!(len))                                             \
+                        break;                                          \
+                                                                        \
+                printk(KERN_DEBUG fmt, ##args);                         \
+                for (j = 0; j < (len) - 1; j++)                         \
+                        printk(KERN_CONT "%02hhx ", buf[j]);            \
+                printk(KERN_CONT "%02hhx\n", buf[j]);                   \
+        }                                                               \
 } while (0)
 
 /*
@@ -243,12 +258,89 @@ extern struct alt_instr __alt_instructions[], __alt_instructions_end[];
 extern s32 __smp_locks[], __smp_locks_end[];
 void *text_poke_early(void *addr, const void *opcode, size_t len);
 
-/* Replace instructions with better alternatives for this CPU type.
-   This runs before SMP is initialized to avoid SMP problems with
-   self modifying code. This implies that asymmetric systems where
-   APs have less capabilities than the boot processor are not handled.
-   Tough. Make sure you disable such features by hand. */
+/*
+ * Are we looking at a near JMP with a 1 or 4-byte displacement.
+ */
+static inline bool is_jmp(const u8 opcode)
+{
+        return opcode == 0xeb || opcode == 0xe9;
+}
+
+static void __init_or_module
+recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf)
+{
+        u8 *next_rip, *tgt_rip;
+        s32 n_dspl, o_dspl;
+        int repl_len;
+
+        if (a->replacementlen != 5)
+                return;
+
+        o_dspl = *(s32 *)(insnbuf + 1);
+
+        /* next_rip of the replacement JMP */
+        next_rip = repl_insn + a->replacementlen;
+        /* target rip of the replacement JMP */
+        tgt_rip  = next_rip + o_dspl;
+        n_dspl = tgt_rip - orig_insn;
+
+        DPRINTK("target RIP: %p, new_displ: 0x%x", tgt_rip, n_dspl);
+
+        if (tgt_rip - orig_insn >= 0) {
+                if (n_dspl - 2 <= 127)
+                        goto two_byte_jmp;
+                else
+                        goto five_byte_jmp;
+        /* negative offset */
+        } else {
+                if (((n_dspl - 2) & 0xff) == (n_dspl - 2))
+                        goto two_byte_jmp;
+                else
+                        goto five_byte_jmp;
+        }
+
+two_byte_jmp:
+        n_dspl -= 2;
+
+        insnbuf[0] = 0xeb;
+        insnbuf[1] = (s8)n_dspl;
+        add_nops(insnbuf + 2, 3);
+
+        repl_len = 2;
+        goto done;
+
+five_byte_jmp:
+        n_dspl -= 5;
+
+        insnbuf[0] = 0xe9;
+        *(s32 *)&insnbuf[1] = n_dspl;
 
+        repl_len = 5;
+
+done:
+
+        DPRINTK("final displ: 0x%08x, JMP 0x%lx",
+                n_dspl, (unsigned long)orig_insn + n_dspl + repl_len);
+}
+
+static void __init_or_module optimize_nops(struct alt_instr *a, u8 *instr)
+{
+        if (instr[0] != 0x90)
+                return;
+
+        add_nops(instr + (a->instrlen - a->padlen), a->padlen);
+
+        DUMP_BYTES(instr, a->instrlen, "%p: [%d:%d) optimized NOPs: ",
+                   instr, a->instrlen - a->padlen, a->padlen);
+}
+
+/*
+ * Replace instructions with better alternatives for this CPU type. This runs
+ * before SMP is initialized to avoid SMP problems with self modifying code.
+ * This implies that asymmetric systems where APs have less capabilities than
+ * the boot processor are not handled. Tough. Make sure you disable such
+ * features by hand.
+ */
 void __init_or_module apply_alternatives(struct alt_instr *start,
                                          struct alt_instr *end)
 {
@@ -256,10 +348,10 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
         u8 *instr, *replacement;
         u8 insnbuf[MAX_PATCH_LEN];
 
-        DPRINTK("%s: alt table %p -> %p\n", __func__, start, end);
+        DPRINTK("alt table %p -> %p", start, end);
         /*
          * The scan order should be from start to end. A later scanned
-         * alternative code can overwrite a previous scanned alternative code.
+         * alternative code can overwrite previously scanned alternative code.
          * Some kernel functions (e.g. memcpy, memset, etc) use this order to
          * patch code.
          *
@@ -267,29 +359,54 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
          * order.
          */
         for (a = start; a < end; a++) {
+                int insnbuf_sz = 0;
+
                 instr = (u8 *)&a->instr_offset + a->instr_offset;
                 replacement = (u8 *)&a->repl_offset + a->repl_offset;
-                BUG_ON(a->replacementlen > a->instrlen);
                 BUG_ON(a->instrlen > sizeof(insnbuf));
                 BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
-                if (!boot_cpu_has(a->cpuid))
+                if (!boot_cpu_has(a->cpuid)) {
+                        if (a->padlen > 1)
+                                optimize_nops(a, instr);
+
                         continue;
+                }
+
+                DPRINTK("feat: %d*32+%d, old: (%p, len: %d), repl: (%p, len: %d), pad: %d",
+                        a->cpuid >> 5,
+                        a->cpuid & 0x1f,
+                        instr, a->instrlen,
+                        replacement, a->replacementlen, a->padlen);
+
+                DUMP_BYTES(instr, a->instrlen, "%p: old_insn: ", instr);
+                DUMP_BYTES(replacement, a->replacementlen, "%p: rpl_insn: ", replacement);
 
                 memcpy(insnbuf, replacement, a->replacementlen);
+                insnbuf_sz = a->replacementlen;
 
                 /* 0xe8 is a relative jump; fix the offset. */
-                if (*insnbuf == 0xe8 && a->replacementlen == 5)
-                    *(s32 *)(insnbuf + 1) += replacement - instr;
+                if (*insnbuf == 0xe8 && a->replacementlen == 5) {
+                        *(s32 *)(insnbuf + 1) += replacement - instr;
+                        DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
+                                *(s32 *)(insnbuf + 1),
+                                (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
+                }
+
+                if (a->replacementlen && is_jmp(replacement[0]))
+                        recompute_jump(a, instr, replacement, insnbuf);
 
-                add_nops(insnbuf + a->replacementlen,
-                         a->instrlen - a->replacementlen);
+                if (a->instrlen > a->replacementlen) {
+                        add_nops(insnbuf + a->replacementlen,
+                                 a->instrlen - a->replacementlen);
+                        insnbuf_sz += a->instrlen - a->replacementlen;
+                }
+                DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr);
 
-                text_poke_early(instr, insnbuf, a->instrlen);
+                text_poke_early(instr, insnbuf, insnbuf_sz);
         }
 }
 
 #ifdef CONFIG_SMP
-
 static void alternatives_smp_lock(const s32 *start, const s32 *end,
                                   u8 *text, u8 *text_end)
 {
@@ -371,8 +488,8 @@ void __init_or_module alternatives_smp_module_add(struct module *mod,
         smp->locks_end  = locks_end;
         smp->text       = text;
         smp->text_end   = text_end;
-        DPRINTK("%s: locks %p -> %p, text %p -> %p, name %s\n",
-                __func__, smp->locks, smp->locks_end,
+        DPRINTK("locks %p -> %p, text %p -> %p, name %s\n",
+                smp->locks, smp->locks_end,
                 smp->text, smp->text_end, smp->name);
 
         list_add_tail(&smp->next, &smp_alt_modules);
@@ -440,7 +557,7 @@ int alternatives_text_reserved(void *start, void *end)
 
         return 0;
 }
-#endif
+#endif /* CONFIG_SMP */
 
 #ifdef CONFIG_PARAVIRT
 void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
@@ -601,7 +718,7 @@ int poke_int3_handler(struct pt_regs *regs)
         if (likely(!bp_patching_in_progress))
                 return 0;
 
-        if (user_mode_vm(regs) || regs->ip != (unsigned long)bp_int3_addr)
+        if (user_mode(regs) || regs->ip != (unsigned long)bp_int3_addr)
                 return 0;
 
         /* set up the specified breakpoint handler */
diff --git a/arch/x86/kernel/asm-offsets_32.c b/arch/x86/kernel/asm-offsets_32.c
index 3b3b9d33ac1d..47703aed74cf 100644
--- a/arch/x86/kernel/asm-offsets_32.c
+++ b/arch/x86/kernel/asm-offsets_32.c
@@ -68,7 +68,7 @@ void foo(void)
 
         /* Offset from the sysenter stack to tss.sp0 */
         DEFINE(TSS_sysenter_sp0, offsetof(struct tss_struct, x86_tss.sp0) -
-                 sizeof(struct tss_struct));
+               offsetofend(struct tss_struct, SYSENTER_stack));
 
 #if defined(CONFIG_LGUEST) || defined(CONFIG_LGUEST_GUEST) || defined(CONFIG_LGUEST_MODULE)
         BLANK();
diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c
index fdcbb4d27c9f..5ce6f2da8763 100644
--- a/arch/x86/kernel/asm-offsets_64.c
+++ b/arch/x86/kernel/asm-offsets_64.c
@@ -81,6 +81,7 @@ int main(void)
 #undef ENTRY
 
         OFFSET(TSS_ist, tss_struct, x86_tss.ist);
+        OFFSET(TSS_sp0, tss_struct, x86_tss.sp0);
         BLANK();
 
         DEFINE(__NR_syscall_max, sizeof(syscalls_64) - 1);
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index a220239cea65..dd9e50500297 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -711,6 +711,11 @@ static void init_amd(struct cpuinfo_x86 *c)
                 set_cpu_bug(c, X86_BUG_AMD_APIC_C1E);
 
         rdmsr_safe(MSR_AMD64_PATCH_LEVEL, &c->microcode, &dummy);
+
+        /* 3DNow or LM implies PREFETCHW */
+        if (!cpu_has(c, X86_FEATURE_3DNOWPREFETCH))
+                if (cpu_has(c, X86_FEATURE_3DNOW) || cpu_has(c, X86_FEATURE_LM))
+                        set_cpu_cap(c, X86_FEATURE_3DNOWPREFETCH);
 }
 
 #ifdef CONFIG_X86_32
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 2346c95c6ab1..3f70538012e2 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -959,38 +959,37 @@ static void identify_cpu(struct cpuinfo_x86 *c)
 #endif
 }
 
-#ifdef CONFIG_X86_64
-#ifdef CONFIG_IA32_EMULATION
-/* May not be __init: called during resume */
-static void syscall32_cpu_init(void)
-{
-        /* Load these always in case some future AMD CPU supports
-           SYSENTER from compat mode too. */
-        wrmsrl_safe(MSR_IA32_SYSENTER_CS, (u64)__KERNEL_CS);
-        wrmsrl_safe(MSR_IA32_SYSENTER_ESP, 0ULL);
-        wrmsrl_safe(MSR_IA32_SYSENTER_EIP, (u64)ia32_sysenter_target);
-
-        wrmsrl(MSR_CSTAR, ia32_cstar_target);
-}
-#endif          /* CONFIG_IA32_EMULATION */
-#endif          /* CONFIG_X86_64 */
-
+/*
+ * Set up the CPU state needed to execute SYSENTER/SYSEXIT instructions
+ * on 32-bit kernels:
+ */
 #ifdef CONFIG_X86_32
 void enable_sep_cpu(void)
 {
-        int cpu = get_cpu();
-        struct tss_struct *tss = &per_cpu(init_tss, cpu);
+        struct tss_struct *tss;
+        int cpu;
 
-        if (!boot_cpu_has(X86_FEATURE_SEP)) {
-                put_cpu();
-                return;
-        }
+        cpu = get_cpu();
+        tss = &per_cpu(cpu_tss, cpu);
+
+        if (!boot_cpu_has(X86_FEATURE_SEP))
+                goto out;
+
+        /*
+         * We cache MSR_IA32_SYSENTER_CS's value in the TSS's ss1 field --
+         * see the big comment in struct x86_hw_tss's definition.
+         */
 
         tss->x86_tss.ss1 = __KERNEL_CS;
-        tss->x86_tss.sp1 = sizeof(struct tss_struct) + (unsigned long) tss;
-        wrmsr(MSR_IA32_SYSENTER_CS, __KERNEL_CS, 0);
-        wrmsr(MSR_IA32_SYSENTER_ESP, tss->x86_tss.sp1, 0);
-        wrmsr(MSR_IA32_SYSENTER_EIP, (unsigned long) ia32_sysenter_target, 0);
+        wrmsr(MSR_IA32_SYSENTER_CS, tss->x86_tss.ss1, 0);
+
+        wrmsr(MSR_IA32_SYSENTER_ESP,
+              (unsigned long)tss + offsetofend(struct tss_struct, SYSENTER_stack),
+              0);
+
+        wrmsr(MSR_IA32_SYSENTER_EIP, (unsigned long)ia32_sysenter_target, 0);
+
+out:
         put_cpu();
 }
 #endif
@@ -1118,7 +1117,7 @@ static __init int setup_disablecpuid(char *arg)
 __setup("clearcpuid=", setup_disablecpuid);
 
 DEFINE_PER_CPU(unsigned long, kernel_stack) =
-        (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
+        (unsigned long)&init_thread_union + THREAD_SIZE;
 EXPORT_PER_CPU_SYMBOL(kernel_stack);
 
 #ifdef CONFIG_X86_64
@@ -1130,8 +1129,8 @@ DEFINE_PER_CPU_FIRST(union irq_stack_union,
                      irq_stack_union) __aligned(PAGE_SIZE) __visible;
 
 /*
- * The following four percpu variables are hot.  Align current_task to
- * cacheline size such that all four fall in the same cacheline.
+ * The following percpu variables are hot.  Align current_task to
+ * cacheline size such that they fall in the same cacheline.
  */
 DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
         &init_task;
@@ -1171,10 +1170,23 @@ void syscall_init(void)
          */
         wrmsrl(MSR_STAR,  ((u64)__USER32_CS)<<48  | ((u64)__KERNEL_CS)<<32);
         wrmsrl(MSR_LSTAR, system_call);
-        wrmsrl(MSR_CSTAR, ignore_sysret);
 
 #ifdef CONFIG_IA32_EMULATION
-        syscall32_cpu_init();
+        wrmsrl(MSR_CSTAR, ia32_cstar_target);
+        /*
+         * This only works on Intel CPUs.
+         * On AMD CPUs these MSRs are 32-bit, CPU truncates MSR_IA32_SYSENTER_EIP.
+         * This does not cause SYSENTER to jump to the wrong location, because
+         * AMD doesn't allow SYSENTER in long mode (either 32- or 64-bit).
+         */
+        wrmsrl_safe(MSR_IA32_SYSENTER_CS, (u64)__KERNEL_CS);
+        wrmsrl_safe(MSR_IA32_SYSENTER_ESP, 0ULL);
+        wrmsrl_safe(MSR_IA32_SYSENTER_EIP, (u64)ia32_sysenter_target);
+#else
+        wrmsrl(MSR_CSTAR, ignore_sysret);
+        wrmsrl_safe(MSR_IA32_SYSENTER_CS, (u64)GDT_ENTRY_INVALID_SEG);
+        wrmsrl_safe(MSR_IA32_SYSENTER_ESP, 0ULL);
+        wrmsrl_safe(MSR_IA32_SYSENTER_EIP, 0ULL);
 #endif
 
         /* Flags to clear on syscall */
@@ -1226,6 +1238,15 @@ DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT;
 EXPORT_PER_CPU_SYMBOL(__preempt_count);
 DEFINE_PER_CPU(struct task_struct *, fpu_owner_task);
 
+/*
+ * On x86_32, vm86 modifies tss.sp0, so sp0 isn't a reliable way to find
+ * the top of the kernel stack.  Use an extra percpu variable to track the
+ * top of the kernel stack directly.
+ */
+DEFINE_PER_CPU(unsigned long, cpu_current_top_of_stack) =
+        (unsigned long)&init_thread_union + THREAD_SIZE;
+EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack);
+
 #ifdef CONFIG_CC_STACKPROTECTOR
 DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
 #endif
@@ -1307,7 +1328,7 @@ void cpu_init(void)
          */
         load_ucode_ap();
 
-        t = &per_cpu(init_tss, cpu);
+        t = &per_cpu(cpu_tss, cpu);
         oist = &per_cpu(orig_ist, cpu);
 
 #ifdef CONFIG_NUMA
@@ -1391,7 +1412,7 @@ void cpu_init(void)
 {
         int cpu = smp_processor_id();
         struct task_struct *curr = current;
-        struct tss_struct *t = &per_cpu(init_tss, cpu);
+        struct tss_struct *t = &per_cpu(cpu_tss, cpu);
         struct thread_struct *thread = &curr->thread;
 
         wait_for_master_cpu(cpu);
diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index b71a7f86d68a..e2888a3ad1e3 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -2147,24 +2147,24 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
 static unsigned long code_segment_base(struct pt_regs *regs)
 {
         /*
+         * For IA32 we look at the GDT/LDT segment base to convert the
+         * effective IP to a linear address.
+         */
+
+#ifdef CONFIG_X86_32
+        /*
          * If we are in VM86 mode, add the segment offset to convert to a
          * linear address.
          */
         if (regs->flags & X86_VM_MASK)
                 return 0x10 * regs->cs;
 
-        /*
-         * For IA32 we look at the GDT/LDT segment base to convert the
-         * effective IP to a linear address.
-         */
-#ifdef CONFIG_X86_32
         if (user_mode(regs) && regs->cs != __USER_CS)
                 return get_segment_base(regs->cs);
 #else
-        if (test_thread_flag(TIF_IA32)) {
-                if (user_mode(regs) && regs->cs != __USER32_CS)
-                        return get_segment_base(regs->cs);
-        }
+        if (user_mode(regs) && !user_64bit_mode(regs) &&
+            regs->cs != __USER32_CS)
+                return get_segment_base(regs->cs);
 #endif
         return 0;
 }
diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
index aceb2f90c716..c76d3e37c6e1 100644
--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -105,7 +105,7 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)
 #ifdef CONFIG_X86_32
         struct pt_regs fixed_regs;
 
-        if (!user_mode_vm(regs)) {
+        if (!user_mode(regs)) {
                 crash_fixup_ss_esp(&fixed_regs, regs);
                 regs = &fixed_regs;
         }
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index cf3df1d8d039..ab3b65639a3e 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -278,7 +278,7 @@ int __die(const char *str, struct pt_regs *regs, long err)
         print_modules();
         show_regs(regs);
 #ifdef CONFIG_X86_32
-        if (user_mode_vm(regs)) {
+        if (user_mode(regs)) {
                 sp = regs->sp;
                 ss = regs->ss & 0xffff;
         } else {
@@ -307,7 +307,7 @@ void die(const char *str, struct pt_regs *regs, long err)
         unsigned long flags = oops_begin();
         int sig = SIGSEGV;
 
-        if (!user_mode_vm(regs))
+        if (!user_mode(regs))
                 report_bug(regs->ip, regs);
 
         if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
index 5abd4cd4230c..39891ff50d03 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -123,13 +123,13 @@ void show_regs(struct pt_regs *regs)
         int i;
 
         show_regs_print_info(KERN_EMERG);
-        __show_regs(regs, !user_mode_vm(regs));
+        __show_regs(regs, !user_mode(regs));
 
         /*
          * When in-kernel, we also print out the stack and code at the
          * time of the fault..
          */
-        if (!user_mode_vm(regs)) {
+        if (!user_mode(regs)) {
                 unsigned int code_prologue = code_bytes * 43 / 64;
                 unsigned int code_len = code_bytes;
                 unsigned char c;
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 31e2d5bf3e38..1c309763e321 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -395,10 +395,13 @@ sysenter_past_esp:
         /*CFI_REL_OFFSET cs, 0*/
         /*
          * Push current_thread_info()->sysenter_return to the stack.
-         * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
-         * pushed above; +8 corresponds to copy_thread's esp0 setting.
+         * A tiny bit of offset fixup is necessary: TI_sysenter_return
+         * is relative to thread_info, which is at the bottom of the
+         * kernel stack page.  4*4 means the 4 words pushed above;
+         * TOP_OF_KERNEL_STACK_PADDING takes us to the top of the stack;
+         * and THREAD_SIZE takes us to the bottom.
          */
-        pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
+        pushl_cfi ((TI_sysenter_return) - THREAD_SIZE + TOP_OF_KERNEL_STACK_PADDING + 4*4)(%esp)
         CFI_REL_OFFSET eip, 0
 
         pushl_cfi %eax
@@ -432,7 +435,7 @@ sysenter_after_call:
         TRACE_IRQS_OFF
         movl TI_flags(%ebp), %ecx
         testl $_TIF_ALLWORK_MASK, %ecx
-        jne sysexit_audit
+        jnz sysexit_audit
 sysenter_exit:
 /* if something modifies registers it must also disable sysexit */
         movl PT_EIP(%esp), %edx
@@ -460,7 +463,7 @@ sysenter_audit:
 
 sysexit_audit:
         testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %ecx
-        jne syscall_exit_work
+        jnz syscall_exit_work
         TRACE_IRQS_ON
         ENABLE_INTERRUPTS(CLBR_ANY)
         movl %eax,%edx          /* second arg, syscall return value */
@@ -472,7 +475,7 @@ sysexit_audit:
         TRACE_IRQS_OFF
         movl TI_flags(%ebp), %ecx
         testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %ecx
-        jne syscall_exit_work
+        jnz syscall_exit_work
         movl PT_EAX(%esp),%eax  /* reload syscall return value */
         jmp sysenter_exit
 #endif
@@ -510,7 +513,7 @@ syscall_exit:
         TRACE_IRQS_OFF
         movl TI_flags(%ebp), %ecx
         testl $_TIF_ALLWORK_MASK, %ecx  # current->work
-        jne syscall_exit_work
+        jnz syscall_exit_work
 
 restore_all:
         TRACE_IRQS_IRET
@@ -612,7 +615,7 @@ work_notifysig:				# deal with pending signals and
 #ifdef CONFIG_VM86
         testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
         movl %esp, %eax
-        jne work_notifysig_v86          # returning to kernel-space or
+        jnz work_notifysig_v86          # returning to kernel-space or
                                         # vm86-space
 1:
 #else
@@ -720,43 +723,22 @@ END(sysenter_badsys)
 .endm
 
 /*
- * Build the entry stubs and pointer table with some assembler magic.
- * We pack 7 stubs into a single 32-byte chunk, which will fit in a
- * single cache line on all modern x86 implementations.
+ * Build the entry stubs with some assembler magic.
+ * We pack 1 stub into every 8-byte block.
  */
-.section .init.rodata,"a"
-ENTRY(interrupt)
-.section .entry.text, "ax"
-        .p2align 5
-        .p2align CONFIG_X86_L1_CACHE_SHIFT
+        .align 8
 ENTRY(irq_entries_start)
         RING0_INT_FRAME
-vector=FIRST_EXTERNAL_VECTOR
-.rept (FIRST_SYSTEM_VECTOR-FIRST_EXTERNAL_VECTOR+6)/7
-        .balign 32
-  .rept 7
-    .if vector < FIRST_SYSTEM_VECTOR
-      .if vector <> FIRST_EXTERNAL_VECTOR
+    vector=FIRST_EXTERNAL_VECTOR
+    .rept (FIRST_SYSTEM_VECTOR - FIRST_EXTERNAL_VECTOR)
+        pushl_cfi $(~vector+0x80)       /* Note: always in signed byte range */
+    vector=vector+1
+        jmp     common_interrupt
         CFI_ADJUST_CFA_OFFSET -4
-      .endif
-1:      pushl_cfi $(~vector+0x80)       /* Note: always in signed byte range */
-      .if ((vector-FIRST_EXTERNAL_VECTOR)%7) <> 6
-        jmp 2f
-      .endif
-      .previous
-        .long 1b
-      .section .entry.text, "ax"
-vector=vector+1
-    .endif
-  .endr
-2:      jmp common_interrupt
-.endr
+        .align  8
+    .endr
 END(irq_entries_start)
 
-.previous
-END(interrupt)
-.previous
-
 /*
  * the CPU automatically disables interrupts when executing an IRQ vector,
  * so IRQ-flags tracing has to follow that:
@@ -816,15 +798,9 @@ ENTRY(simd_coprocessor_error)
         pushl_cfi $0
 #ifdef CONFIG_X86_INVD_BUG
         /* AMD 486 bug: invd from userspace calls exception 19 instead of #GP */
-661:    pushl_cfi $do_general_protection
-662:
-.section .altinstructions,"a"
-        altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f
-.previous
-.section .altinstr_replacement,"ax"
-663:    pushl $do_simd_coprocessor_error
-664:
-.previous
+        ALTERNATIVE "pushl_cfi $do_general_protection", \
+                    "pushl $do_simd_coprocessor_error", \
+                    X86_FEATURE_XMM
 #else
         pushl_cfi $do_simd_coprocessor_error
 #endif
@@ -1240,20 +1216,13 @@ error_code:
         /*CFI_REL_OFFSET es, 0*/
         pushl_cfi %ds
         /*CFI_REL_OFFSET ds, 0*/
-        pushl_cfi %eax
-        CFI_REL_OFFSET eax, 0
-        pushl_cfi %ebp
-        CFI_REL_OFFSET ebp, 0
-        pushl_cfi %edi
-        CFI_REL_OFFSET edi, 0
-        pushl_cfi %esi
-        CFI_REL_OFFSET esi, 0
-        pushl_cfi %edx
-        CFI_REL_OFFSET edx, 0
-        pushl_cfi %ecx
-        CFI_REL_OFFSET ecx, 0
-        pushl_cfi %ebx
-        CFI_REL_OFFSET ebx, 0
+        pushl_cfi_reg eax
+        pushl_cfi_reg ebp
+        pushl_cfi_reg edi
+        pushl_cfi_reg esi
+        pushl_cfi_reg edx
+        pushl_cfi_reg ecx
+        pushl_cfi_reg ebx
         cld
         movl $(__KERNEL_PERCPU), %ecx
         movl %ecx, %fs
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index f0095a76c182..c7b238494b31 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -14,27 +14,14 @@
  * NOTE: This code handles signal-recognition, which happens every time
  * after an interrupt and after each system call.
  *
- * Normal syscalls and interrupts don't save a full stack frame, this is
- * only done for syscall tracing, signals or fork/exec et.al.
- *
  * A note on terminology:
- * - top of stack: Architecture defined interrupt frame from SS to RIP
+ * - iret frame: Architecture defined interrupt frame from SS to RIP
  * at the top of the kernel process stack.
- * - partial stack frame: partially saved registers up to R11.
- * - full stack frame: Like partial stack frame, but all register saved.
  *
  * Some macro usage:
  * - CFI macros are used to generate dwarf2 unwind information for better
  * backtraces. They don't change any code.
- * - SAVE_ALL/RESTORE_ALL - Save/restore all registers
- * - SAVE_ARGS/RESTORE_ARGS - Save/restore registers that C functions modify.
- * There are unfortunately lots of special cases where some registers
- * not touched. The macro is a big mess that should be cleaned up.
- * - SAVE_REST/RESTORE_REST - Handle the registers not saved by SAVE_ARGS.
- * Gives a full stack frame.
  * - ENTRY/END Define functions in the symbol table.
- * - FIXUP_TOP_OF_STACK/RESTORE_TOP_OF_STACK - Fix up the hardware stack
- * frame that is otherwise undefined after a SYSCALL
  * - TRACE_IRQ_* - Trace hard interrupt state for lock debugging.
  * - idtentry - Define exception entry points.
  */
@@ -70,10 +57,6 @@
         .section .entry.text, "ax"
 
 
-#ifndef CONFIG_PREEMPT
-#define retint_kernel retint_restore_args
-#endif
-
 #ifdef CONFIG_PARAVIRT
 ENTRY(native_usergs_sysret64)
         swapgs
@@ -82,9 +65,9 @@ ENDPROC(native_usergs_sysret64)
 #endif /* CONFIG_PARAVIRT */
 
 
-.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
+.macro TRACE_IRQS_IRETQ
 #ifdef CONFIG_TRACE_IRQFLAGS
-        bt   $9,EFLAGS-\offset(%rsp)    /* interrupts off? */
+        bt   $9,EFLAGS(%rsp)    /* interrupts off? */
         jnc  1f
         TRACE_IRQS_ON
 1:
@@ -116,8 +99,8 @@ ENDPROC(native_usergs_sysret64)
         call debug_stack_reset
 .endm
 
-.macro TRACE_IRQS_IRETQ_DEBUG offset=ARGOFFSET
-        bt   $9,EFLAGS-\offset(%rsp)    /* interrupts off? */
+.macro TRACE_IRQS_IRETQ_DEBUG
+        bt   $9,EFLAGS(%rsp)    /* interrupts off? */
         jnc  1f
         TRACE_IRQS_ON_DEBUG
 1:
@@ -130,34 +113,7 @@ ENDPROC(native_usergs_sysret64)
 #endif
 
 /*
- * C code is not supposed to know about undefined top of stack. Every time
- * a C function with an pt_regs argument is called from the SYSCALL based
- * fast path FIXUP_TOP_OF_STACK is needed.
- * RESTORE_TOP_OF_STACK syncs the syscall state after any possible ptregs
- * manipulation.
- */
-
-        /* %rsp:at FRAMEEND */
-        .macro FIXUP_TOP_OF_STACK tmp offset=0
-        movq PER_CPU_VAR(old_rsp),\tmp
-        movq \tmp,RSP+\offset(%rsp)
-        movq $__USER_DS,SS+\offset(%rsp)
-        movq $__USER_CS,CS+\offset(%rsp)
-        movq RIP+\offset(%rsp),\tmp  /* get rip */
-        movq \tmp,RCX+\offset(%rsp)  /* copy it to rcx as sysret would do */
-        movq R11+\offset(%rsp),\tmp  /* get eflags */
-        movq \tmp,EFLAGS+\offset(%rsp)
-        .endm
-
-        .macro RESTORE_TOP_OF_STACK tmp offset=0
-        movq RSP+\offset(%rsp),\tmp
-        movq \tmp,PER_CPU_VAR(old_rsp)
-        movq EFLAGS+\offset(%rsp),\tmp
-        movq \tmp,R11+\offset(%rsp)
-        .endm
-
-/*
- * initial frame state for interrupts (and exceptions without error code)
+ * empty frame
  */
         .macro EMPTY_FRAME start=1 offset=0
         .if \start
@@ -173,12 +129,12 @@ ENDPROC(native_usergs_sysret64)
  * initial frame state for interrupts (and exceptions without error code)
  */
         .macro INTR_FRAME start=1 offset=0
-        EMPTY_FRAME \start, SS+8+\offset-RIP
-        /*CFI_REL_OFFSET ss, SS+\offset-RIP*/
-        CFI_REL_OFFSET rsp, RSP+\offset-RIP
-        /*CFI_REL_OFFSET rflags, EFLAGS+\offset-RIP*/
-        /*CFI_REL_OFFSET cs, CS+\offset-RIP*/
-        CFI_REL_OFFSET rip, RIP+\offset-RIP
+        EMPTY_FRAME \start, 5*8+\offset
+        /*CFI_REL_OFFSET ss, 4*8+\offset*/
+        CFI_REL_OFFSET rsp, 3*8+\offset
+        /*CFI_REL_OFFSET rflags, 2*8+\offset*/
+        /*CFI_REL_OFFSET cs, 1*8+\offset*/
+        CFI_REL_OFFSET rip, 0*8+\offset
         .endm
 
 /*
@@ -186,30 +142,23 @@ ENDPROC(native_usergs_sysret64)
  * with vector already pushed)
  */
         .macro XCPT_FRAME start=1 offset=0
-        INTR_FRAME \start, RIP+\offset-ORIG_RAX
-        .endm
-
-/*
- * frame that enables calling into C.
- */
-        .macro PARTIAL_FRAME start=1 offset=0
-        XCPT_FRAME \start, ORIG_RAX+\offset-ARGOFFSET
-        CFI_REL_OFFSET rdi, RDI+\offset-ARGOFFSET
-        CFI_REL_OFFSET rsi, RSI+\offset-ARGOFFSET
-        CFI_REL_OFFSET rdx, RDX+\offset-ARGOFFSET
-        CFI_REL_OFFSET rcx, RCX+\offset-ARGOFFSET
-        CFI_REL_OFFSET rax, RAX+\offset-ARGOFFSET
-        CFI_REL_OFFSET r8, R8+\offset-ARGOFFSET
-        CFI_REL_OFFSET r9, R9+\offset-ARGOFFSET
-        CFI_REL_OFFSET r10, R10+\offset-ARGOFFSET
-        CFI_REL_OFFSET r11, R11+\offset-ARGOFFSET
+        INTR_FRAME \start, 1*8+\offset
         .endm
 
 /*
  * frame that enables passing a complete pt_regs to a C function.
  */
         .macro DEFAULT_FRAME start=1 offset=0
-        PARTIAL_FRAME \start, R11+\offset-R15
+        XCPT_FRAME \start, ORIG_RAX+\offset
+        CFI_REL_OFFSET rdi, RDI+\offset
+        CFI_REL_OFFSET rsi, RSI+\offset
+        CFI_REL_OFFSET rdx, RDX+\offset
+        CFI_REL_OFFSET rcx, RCX+\offset
+        CFI_REL_OFFSET rax, RAX+\offset
+        CFI_REL_OFFSET r8, R8+\offset
+        CFI_REL_OFFSET r9, R9+\offset
+        CFI_REL_OFFSET r10, R10+\offset
+        CFI_REL_OFFSET r11, R11+\offset
         CFI_REL_OFFSET rbx, RBX+\offset
         CFI_REL_OFFSET rbp, RBP+\offset
         CFI_REL_OFFSET r12, R12+\offset
@@ -218,105 +167,30 @@ ENDPROC(native_usergs_sysret64)
         CFI_REL_OFFSET r15, R15+\offset
         .endm
 
-ENTRY(save_paranoid)
-        XCPT_FRAME 1 RDI+8
-        cld
-        movq %rdi, RDI+8(%rsp)
-        movq %rsi, RSI+8(%rsp)
-        movq_cfi rdx, RDX+8
-        movq_cfi rcx, RCX+8
-        movq_cfi rax, RAX+8
-        movq %r8, R8+8(%rsp)
-        movq %r9, R9+8(%rsp)
-        movq %r10, R10+8(%rsp)
-        movq %r11, R11+8(%rsp)
-        movq_cfi rbx, RBX+8
-        movq %rbp, RBP+8(%rsp)
-        movq %r12, R12+8(%rsp)
-        movq %r13, R13+8(%rsp)
-        movq %r14, R14+8(%rsp)
-        movq %r15, R15+8(%rsp)
-        movl $1,%ebx
-        movl $MSR_GS_BASE,%ecx
-        rdmsr
-        testl %edx,%edx
-        js 1f   /* negative -> in kernel */
-        SWAPGS
-        xorl %ebx,%ebx
-1:      ret
-        CFI_ENDPROC
-END(save_paranoid)
-
 /*
- * A newly forked process directly context switches into this address.
+ * 64bit SYSCALL instruction entry. Up to 6 arguments in registers.
  *
- * rdi: prev task we switched from
- */
-ENTRY(ret_from_fork)
-        DEFAULT_FRAME
-
-        LOCK ; btr $TIF_FORK,TI_flags(%r8)
-
-        pushq_cfi $0x0002
-        popfq_cfi                               # reset kernel eflags
-
-        call schedule_tail                      # rdi: 'prev' task parameter
-
-        GET_THREAD_INFO(%rcx)
-
-        RESTORE_REST
-
-        testl $3, CS-ARGOFFSET(%rsp)            # from kernel_thread?
-        jz   1f
-
-        /*
-         * By the time we get here, we have no idea whether our pt_regs,
-         * ti flags, and ti status came from the 64-bit SYSCALL fast path,
-         * the slow path, or one of the ia32entry paths.
-         * Use int_ret_from_sys_call to return, since it can safely handle
-         * all of the above.
-         */
-        jmp  int_ret_from_sys_call
-
-1:
-        subq $REST_SKIP, %rsp   # leave space for volatiles
-        CFI_ADJUST_CFA_OFFSET   REST_SKIP
-        movq %rbp, %rdi
-        call *%rbx
-        movl $0, RAX(%rsp)
-        RESTORE_REST
-        jmp int_ret_from_sys_call
-        CFI_ENDPROC
-END(ret_from_fork)
-
-/*
- * System call entry. Up to 6 arguments in registers are supported.
+ * 64bit SYSCALL saves rip to rcx, clears rflags.RF, then saves rflags to r11,
+ * then loads new ss, cs, and rip from previously programmed MSRs.
+ * rflags gets masked by a value from another MSR (so CLD and CLAC
+ * are not needed). SYSCALL does not save anything on the stack
+ * and does not change rsp.
  *
- * SYSCALL does not save anything on the stack and does not change the
- * stack pointer.  However, it does mask the flags register for us, so
- * CLD and CLAC are not needed.
- */
-
-/*
- * Register setup:
+ * Registers on entry:
  * rax  system call number
+ * rcx  return address
+ * r11  saved rflags (note: r11 is callee-clobbered register in C ABI)
  * rdi  arg0
- * rcx  return address for syscall/sysret, C arg3
  * rsi  arg1
  * rdx  arg2
- * r10  arg3    (--> moved to rcx for C)
+ * r10  arg3 (needs to be moved to rcx to conform to C ABI)
  * r8   arg4
  * r9   arg5
- * r11  eflags for syscall/sysret, temporary for C
- * r12-r15,rbp,rbx saved by C code, not touched.
+ * (note: r12-r15,rbp,rbx are callee-preserved in C ABI)
  *
- * Interrupts are off on entry.
  * Only called from user space.
  *
- * XXX  if we had a free scratch register we could save the RSP into the stack frame
- *      and report it properly in ps. Unfortunately we haven't.
- *
- * When user can change the frames always force IRET. That is because
+ * When user can change pt_regs->foo always force IRET. That is because
  * it deals with uncanonical addresses better. SYSRET has trouble
  * with them due to bugs in both AMD and Intel CPUs.
  */
@@ -324,9 +198,15 @@ END(ret_from_fork)
 ENTRY(system_call)
         CFI_STARTPROC   simple
         CFI_SIGNAL_FRAME
-        CFI_DEF_CFA     rsp,KERNEL_STACK_OFFSET
+        CFI_DEF_CFA     rsp,0
         CFI_REGISTER    rip,rcx
         /*CFI_REGISTER  rflags,r11*/
+
+        /*
+         * Interrupts are off on entry.
+         * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
+         * it is too small to ever cause noticeable irq latency.
+         */
         SWAPGS_UNSAFE_STACK
         /*
          * A hypervisor implementation might want to use a label
@@ -335,18 +215,38 @@ ENTRY(system_call)
          */
 GLOBAL(system_call_after_swapgs)
 
-        movq    %rsp,PER_CPU_VAR(old_rsp)
+        movq    %rsp,PER_CPU_VAR(rsp_scratch)
         movq    PER_CPU_VAR(kernel_stack),%rsp
+
+        /* Construct struct pt_regs on stack */
+        pushq_cfi $__USER_DS                    /* pt_regs->ss */
+        pushq_cfi PER_CPU_VAR(rsp_scratch)      /* pt_regs->sp */
         /*
-         * No need to follow this irqs off/on section - it's straight
-         * and short:
+         * Re-enable interrupts.
+         * We use 'rsp_scratch' as a scratch space, hence irq-off block above
+         * must execute atomically in the face of possible interrupt-driven
+         * task preemption. We must enable interrupts only after we're done
+         * with using rsp_scratch:
          */
         ENABLE_INTERRUPTS(CLBR_NONE)
-        SAVE_ARGS 8, 0, rax_enosys=1
-        movq_cfi rax,(ORIG_RAX-ARGOFFSET)
-        movq  %rcx,RIP-ARGOFFSET(%rsp)
-        CFI_REL_OFFSET rip,RIP-ARGOFFSET
-        testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
+        pushq_cfi       %r11                    /* pt_regs->flags */
+        pushq_cfi       $__USER_CS              /* pt_regs->cs */
+        pushq_cfi       %rcx                    /* pt_regs->ip */
+        CFI_REL_OFFSET rip,0
+        pushq_cfi_reg   rax                     /* pt_regs->orig_ax */
+        pushq_cfi_reg   rdi                     /* pt_regs->di */
+        pushq_cfi_reg   rsi                     /* pt_regs->si */
+        pushq_cfi_reg   rdx                     /* pt_regs->dx */
+        pushq_cfi_reg   rcx                     /* pt_regs->cx */
+        pushq_cfi       $-ENOSYS                /* pt_regs->ax */
+        pushq_cfi_reg   r8                      /* pt_regs->r8 */
+        pushq_cfi_reg   r9                      /* pt_regs->r9 */
+        pushq_cfi_reg   r10                     /* pt_regs->r10 */
+        pushq_cfi_reg   r11                     /* pt_regs->r11 */
+        sub     $(6*8),%rsp /* pt_regs->bp,bx,r12-15 not saved */
+        CFI_ADJUST_CFA_OFFSET 6*8
+
+        testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
         jnz tracesys
 system_call_fastpath:
 #if __SYSCALL_MASK == ~0
@@ -355,18 +255,21 @@ system_call_fastpath:
         andl $__SYSCALL_MASK,%eax
         cmpl $__NR_syscall_max,%eax
 #endif
-        ja ret_from_sys_call  /* and return regs->ax */
+        ja      1f      /* return -ENOSYS (already in pt_regs->ax) */
         movq %r10,%rcx
-        call *sys_call_table(,%rax,8)  # XXX:    rip relative
-        movq %rax,RAX-ARGOFFSET(%rsp)
+        call *sys_call_table(,%rax,8)
+        movq %rax,RAX(%rsp)
+1:
 /*
- * Syscall return path ending with SYSRET (fast path)
- * Has incomplete stack frame and undefined top of stack.
+ * Syscall return path ending with SYSRET (fast path).
+ * Has incompletely filled pt_regs.
  */
-ret_from_sys_call:
         LOCKDEP_SYS_EXIT
+        /*
+         * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
+         * it is too small to ever cause noticeable irq latency.
+         */
         DISABLE_INTERRUPTS(CLBR_NONE)
-        TRACE_IRQS_OFF
 
         /*
          * We must check ti flags with interrupts (or at least preemption)
@@ -376,72 +279,73 @@ ret_from_sys_call:
          * flags (TIF_NOTIFY_RESUME, TIF_USER_RETURN_NOTIFY, etc) set is
          * very bad.
          */
-        testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
-        jnz int_ret_from_sys_call_fixup /* Go the the slow path */
+        testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
+        jnz int_ret_from_sys_call_irqs_off      /* Go to the slow path */
 
         CFI_REMEMBER_STATE
-        /*
-         * sysretq will re-enable interrupts:
-         */
-        TRACE_IRQS_ON
-        movq RIP-ARGOFFSET(%rsp),%rcx
+
+        RESTORE_C_REGS_EXCEPT_RCX_R11
+        movq    RIP(%rsp),%rcx
         CFI_REGISTER    rip,rcx
-        RESTORE_ARGS 1,-ARG_SKIP,0
+        movq    EFLAGS(%rsp),%r11
         /*CFI_REGISTER  rflags,r11*/
-        movq    PER_CPU_VAR(old_rsp), %rsp
+        movq    RSP(%rsp),%rsp
+        /*
+         * 64bit SYSRET restores rip from rcx,
+         * rflags from r11 (but RF and VM bits are forced to 0),
+         * cs and ss are loaded from MSRs.
+         * Restoration of rflags re-enables interrupts.
+         */
         USERGS_SYSRET64
 
         CFI_RESTORE_STATE
 
-int_ret_from_sys_call_fixup:
-        FIXUP_TOP_OF_STACK %r11, -ARGOFFSET
-        jmp int_ret_from_sys_call_irqs_off
-
-        /* Do syscall tracing */
+        /* Do syscall entry tracing */
 tracesys:
-        leaq -REST_SKIP(%rsp), %rdi
-        movq $AUDIT_ARCH_X86_64, %rsi
+        movq %rsp, %rdi
+        movl $AUDIT_ARCH_X86_64, %esi
         call syscall_trace_enter_phase1
         test %rax, %rax
         jnz tracesys_phase2             /* if needed, run the slow path */
-        LOAD_ARGS 0                     /* else restore clobbered regs */
+        RESTORE_C_REGS_EXCEPT_RAX       /* else restore clobbered regs */
+        movq ORIG_RAX(%rsp), %rax
         jmp system_call_fastpath        /*      and return to the fast path */
 
 tracesys_phase2:
-        SAVE_REST
-        FIXUP_TOP_OF_STACK %rdi
+        SAVE_EXTRA_REGS
         movq %rsp, %rdi
-        movq $AUDIT_ARCH_X86_64, %rsi
+        movl $AUDIT_ARCH_X86_64, %esi
         movq %rax,%rdx
         call syscall_trace_enter_phase2
 
         /*
-         * Reload arg registers from stack in case ptrace changed them.
+         * Reload registers from stack in case ptrace changed them.
          * We don't reload %rax because syscall_trace_entry_phase2() returned
          * the value it wants us to use in the table lookup.
          */
-        LOAD_ARGS ARGOFFSET, 1
-        RESTORE_REST
+        RESTORE_C_REGS_EXCEPT_RAX
+        RESTORE_EXTRA_REGS
 #if __SYSCALL_MASK == ~0
         cmpq $__NR_syscall_max,%rax
 #else
         andl $__SYSCALL_MASK,%eax
         cmpl $__NR_syscall_max,%eax
 #endif
-        ja   int_ret_from_sys_call      /* RAX(%rsp) is already set */
+        ja      1f      /* return -ENOSYS (already in pt_regs->ax) */
         movq %r10,%rcx  /* fixup for C */
         call *sys_call_table(,%rax,8)
-        movq %rax,RAX-ARGOFFSET(%rsp)
-        /* Use IRET because user could have changed frame */
+        movq %rax,RAX(%rsp)
+1:
+        /* Use IRET because user could have changed pt_regs->foo */
 
 /*
  * Syscall return path ending with IRET.
- * Has correct top of stack, but partial stack frame.
+ * Has correct iret frame.
  */
 GLOBAL(int_ret_from_sys_call)
         DISABLE_INTERRUPTS(CLBR_NONE)
+int_ret_from_sys_call_irqs_off: /* jumps come here from the irqs-off SYSRET path */
         TRACE_IRQS_OFF
-int_ret_from_sys_call_irqs_off:
         movl $_TIF_ALLWORK_MASK,%edi
         /* edi: mask to check */
 GLOBAL(int_with_check)
@@ -450,8 +354,8 @@ GLOBAL(int_with_check)
         movl TI_flags(%rcx),%edx
         andl %edi,%edx
         jnz   int_careful
-        andl    $~TS_COMPAT,TI_status(%rcx)
-        jmp   retint_swapgs
+        andl    $~TS_COMPAT,TI_status(%rcx)
+        jmp     syscall_return
 
         /* Either reschedule or signal or syscall exit tracking needed. */
         /* First do a reschedule test. */
@@ -468,12 +372,11 @@ int_careful:
         TRACE_IRQS_OFF
         jmp int_with_check
 
-        /* handle signals and tracing -- both require a full stack frame */
+        /* handle signals and tracing -- both require a full pt_regs */
 int_very_careful:
         TRACE_IRQS_ON
         ENABLE_INTERRUPTS(CLBR_NONE)
-int_check_syscall_exit_work:
-        SAVE_REST
+        SAVE_EXTRA_REGS
         /* Check for syscall exit trace */
         testl $_TIF_WORK_SYSCALL_EXIT,%edx
         jz int_signal
@@ -492,86 +395,192 @@ int_signal:
         call do_notify_resume
 1:      movl $_TIF_WORK_MASK,%edi
 int_restore_rest:
-        RESTORE_REST
+        RESTORE_EXTRA_REGS
         DISABLE_INTERRUPTS(CLBR_NONE)
         TRACE_IRQS_OFF
         jmp int_with_check
+
+syscall_return:
+        /* The IRETQ could re-enable interrupts: */
+        DISABLE_INTERRUPTS(CLBR_ANY)
+        TRACE_IRQS_IRETQ
+
+        /*
+         * Try to use SYSRET instead of IRET if we're returning to
+         * a completely clean 64-bit userspace context.
+         */
+        movq RCX(%rsp),%rcx
+        cmpq %rcx,RIP(%rsp)             /* RCX == RIP */
+        jne opportunistic_sysret_failed
+
+        /*
+         * On Intel CPUs, SYSRET with non-canonical RCX/RIP will #GP
+         * in kernel space.  This essentially lets the user take over
+         * the kernel, since userspace controls RSP.  It's not worth
+         * testing for canonicalness exactly -- this check detects any
+         * of the 17 high bits set, which is true for non-canonical
+         * or kernel addresses.  (This will pessimize vsyscall=native.
+         * Big deal.)
+         *
+         * If virtual addresses ever become wider, this will need
+         * to be updated to remain correct on both old and new CPUs.
+         */
+        .ifne __VIRTUAL_MASK_SHIFT - 47
+        .error "virtual address width changed -- SYSRET checks need update"
+        .endif
+        shr $__VIRTUAL_MASK_SHIFT, %rcx
+        jnz opportunistic_sysret_failed
+
+        cmpq $__USER_CS,CS(%rsp)        /* CS must match SYSRET */
+        jne opportunistic_sysret_failed
+
+        movq R11(%rsp),%r11
+        cmpq %r11,EFLAGS(%rsp)          /* R11 == RFLAGS */
+        jne opportunistic_sysret_failed
+
+        /*
+         * SYSRET can't restore RF.  SYSRET can restore TF, but unlike IRET,
+         * restoring TF results in a trap from userspace immediately after
+         * SYSRET.  This would cause an infinite loop whenever #DB happens
+         * with register state that satisfies the opportunistic SYSRET
+         * conditions.  For example, single-stepping this user code:
+         *
+         *           movq $stuck_here,%rcx
+         *           pushfq
+         *           popq %r11
+         *   stuck_here:
+         *
+         * would never get past 'stuck_here'.
+         */
+        testq $(X86_EFLAGS_RF|X86_EFLAGS_TF), %r11
+        jnz opportunistic_sysret_failed
+
+        /* nothing to check for RSP */
+
+        cmpq $__USER_DS,SS(%rsp)        /* SS must match SYSRET */
+        jne opportunistic_sysret_failed
+
+        /*
+         * We win!  This label is here just for ease of understanding
+         * perf profiles.  Nothing jumps here.
+         */
+syscall_return_via_sysret:
+        CFI_REMEMBER_STATE
+        /* r11 is already restored (see code above) */
+        RESTORE_C_REGS_EXCEPT_R11
+        movq RSP(%rsp),%rsp
+        USERGS_SYSRET64
+        CFI_RESTORE_STATE
+
+opportunistic_sysret_failed:
+        SWAPGS
+        jmp     restore_c_regs_and_iret
         CFI_ENDPROC
 END(system_call)
 
+
         .macro FORK_LIKE func
 ENTRY(stub_\func)
         CFI_STARTPROC
-        popq    %r11                    /* save return address */
-        PARTIAL_FRAME 0
-        SAVE_REST
-        pushq   %r11                    /* put it back on stack */
-        FIXUP_TOP_OF_STACK %r11, 8
-        DEFAULT_FRAME 0 8               /* offset 8: return address */
-        call sys_\func
-        RESTORE_TOP_OF_STACK %r11, 8
-        ret $REST_SKIP          /* pop extended registers */
+        DEFAULT_FRAME 0, 8              /* offset 8: return address */
+        SAVE_EXTRA_REGS 8
+        jmp sys_\func
         CFI_ENDPROC
 END(stub_\func)
         .endm
 
-        .macro FIXED_FRAME label,func
-ENTRY(\label)
-        CFI_STARTPROC
-        PARTIAL_FRAME 0 8               /* offset 8: return address */
-        FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET
-        call \func
-        RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET
-        ret
-        CFI_ENDPROC
-END(\label)
-        .endm
-
         FORK_LIKE  clone
         FORK_LIKE  fork
         FORK_LIKE  vfork
-        FIXED_FRAME stub_iopl, sys_iopl
 
 ENTRY(stub_execve)
         CFI_STARTPROC
-        addq $8, %rsp
-        PARTIAL_FRAME 0
-        SAVE_REST
-        FIXUP_TOP_OF_STACK %r11
-        call sys_execve
-        movq %rax,RAX(%rsp)
-        RESTORE_REST
-        jmp int_ret_from_sys_call
+        DEFAULT_FRAME 0, 8
+        call    sys_execve
+return_from_execve:
+        testl   %eax, %eax
+        jz      1f
+        /* exec failed, can use fast SYSRET code path in this case */
+        ret
+1:
+        /* must use IRET code path (pt_regs->cs may have changed) */
+        addq    $8, %rsp
+        CFI_ADJUST_CFA_OFFSET -8
+        ZERO_EXTRA_REGS
+        movq    %rax,RAX(%rsp)
+        jmp     int_ret_from_sys_call
         CFI_ENDPROC
 END(stub_execve)
-
-ENTRY(stub_execveat)
+/*
+ * Remaining execve stubs are only 7 bytes long.
+ * ENTRY() often aligns to 16 bytes, which in this case has no benefits.
+ */
+        .align  8
+GLOBAL(stub_execveat)
         CFI_STARTPROC
-        addq $8, %rsp
-        PARTIAL_FRAME 0
-        SAVE_REST
-        FIXUP_TOP_OF_STACK %r11
-        call sys_execveat
-        RESTORE_TOP_OF_STACK %r11
-        movq %rax,RAX(%rsp)
-        RESTORE_REST
-        jmp int_ret_from_sys_call
+        DEFAULT_FRAME 0, 8
+        call    sys_execveat
+        jmp     return_from_execve
         CFI_ENDPROC
 END(stub_execveat)
 
+#ifdef CONFIG_X86_X32_ABI
+        .align  8
+GLOBAL(stub_x32_execve)
+        CFI_STARTPROC
+        DEFAULT_FRAME 0, 8
+        call    compat_sys_execve
+        jmp     return_from_execve
+        CFI_ENDPROC
+END(stub_x32_execve)
+        .align  8
+GLOBAL(stub_x32_execveat)
+        CFI_STARTPROC
+        DEFAULT_FRAME 0, 8
+        call    compat_sys_execveat
+        jmp     return_from_execve
+        CFI_ENDPROC
+END(stub_x32_execveat)
+#endif
+
+#ifdef CONFIG_IA32_EMULATION
+        .align  8
+GLOBAL(stub32_execve)
+        CFI_STARTPROC
+        call    compat_sys_execve
+        jmp     return_from_execve
+        CFI_ENDPROC
+END(stub32_execve)
+        .align  8
+GLOBAL(stub32_execveat)
+        CFI_STARTPROC
+        call    compat_sys_execveat
+        jmp     return_from_execve
+        CFI_ENDPROC
+END(stub32_execveat)
+#endif
+
 /*
  * sigreturn is special because it needs to restore all registers on return.
  * This cannot be done with SYSRET, so use the IRET return path instead.
  */
 ENTRY(stub_rt_sigreturn)
         CFI_STARTPROC
-        addq $8, %rsp
-        PARTIAL_FRAME 0
-        SAVE_REST
-        FIXUP_TOP_OF_STACK %r11
+        DEFAULT_FRAME 0, 8
+        /*
+         * SAVE_EXTRA_REGS result is not normally needed:
+         * sigreturn overwrites all pt_regs->GPREGS.
+         * But sigreturn can fail (!), and there is no easy way to detect that.
+         * To make sure RESTORE_EXTRA_REGS doesn't restore garbage on error,
+         * we SAVE_EXTRA_REGS here.
+         */
+        SAVE_EXTRA_REGS 8
         call sys_rt_sigreturn
-        movq %rax,RAX(%rsp) # fixme, this could be done at the higher layer
-        RESTORE_REST
+return_from_stub:
+        addq    $8, %rsp
+        CFI_ADJUST_CFA_OFFSET -8
+        RESTORE_EXTRA_REGS
+        movq %rax,RAX(%rsp)
         jmp int_ret_from_sys_call
         CFI_ENDPROC
 END(stub_rt_sigreturn)
@@ -579,86 +588,70 @@ END(stub_rt_sigreturn)
 #ifdef CONFIG_X86_X32_ABI
 ENTRY(stub_x32_rt_sigreturn)
         CFI_STARTPROC
-        addq $8, %rsp
-        PARTIAL_FRAME 0
-        SAVE_REST
-        FIXUP_TOP_OF_STACK %r11
+        DEFAULT_FRAME 0, 8
+        SAVE_EXTRA_REGS 8
         call sys32_x32_rt_sigreturn
-        movq %rax,RAX(%rsp) # fixme, this could be done at the higher layer
-        RESTORE_REST
-        jmp int_ret_from_sys_call
+        jmp  return_from_stub
         CFI_ENDPROC
 END(stub_x32_rt_sigreturn)
+#endif
 
-ENTRY(stub_x32_execve)
-        CFI_STARTPROC
-        addq $8, %rsp
-        PARTIAL_FRAME 0
-        SAVE_REST
-        FIXUP_TOP_OF_STACK %r11
-        call compat_sys_execve
-        RESTORE_TOP_OF_STACK %r11
-        movq %rax,RAX(%rsp)
-        RESTORE_REST
-        jmp int_ret_from_sys_call
-        CFI_ENDPROC
-END(stub_x32_execve)
+/*
+ * A newly forked process directly context switches into this address.
+ *
+ * rdi: prev task we switched from
+ */
+ENTRY(ret_from_fork)
+        DEFAULT_FRAME
 
-ENTRY(stub_x32_execveat)
-        CFI_STARTPROC
-        addq $8, %rsp
-        PARTIAL_FRAME 0
-        SAVE_REST
-        FIXUP_TOP_OF_STACK %r11
-        call compat_sys_execveat
-        RESTORE_TOP_OF_STACK %r11
-        movq %rax,RAX(%rsp)
-        RESTORE_REST
+        LOCK ; btr $TIF_FORK,TI_flags(%r8)
+
+        pushq_cfi $0x0002
+        popfq_cfi                               # reset kernel eflags
+
+        call schedule_tail                      # rdi: 'prev' task parameter
+
+        RESTORE_EXTRA_REGS
+
+        testl $3,CS(%rsp)                       # from kernel_thread?
+
+        /*
+         * By the time we get here, we have no idea whether our pt_regs,
+         * ti flags, and ti status came from the 64-bit SYSCALL fast path,
+         * the slow path, or one of the ia32entry paths.
+         * Use IRET code path to return, since it can safely handle
+         * all of the above.
+         */
+        jnz     int_ret_from_sys_call
+
+        /* We came from kernel_thread */
+        /* nb: we depend on RESTORE_EXTRA_REGS above */
+        movq %rbp, %rdi
+        call *%rbx
+        movl $0, RAX(%rsp)
+        RESTORE_EXTRA_REGS
         jmp int_ret_from_sys_call
         CFI_ENDPROC
-END(stub_x32_execveat)
-
-#endif
+END(ret_from_fork)
 
 /*
- * Build the entry stubs and pointer table with some assembler magic.
- * We pack 7 stubs into a single 32-byte chunk, which will fit in a
- * single cache line on all modern x86 implementations.
+ * Build the entry stubs with some assembler magic.
+ * We pack 1 stub into every 8-byte block.
  */
-        .section .init.rodata,"a"
-ENTRY(interrupt)
-        .section .entry.text
-        .p2align 5
-        .p2align CONFIG_X86_L1_CACHE_SHIFT
+        .align 8
 ENTRY(irq_entries_start)
         INTR_FRAME
-vector=FIRST_EXTERNAL_VECTOR
-.rept (FIRST_SYSTEM_VECTOR-FIRST_EXTERNAL_VECTOR+6)/7
-        .balign 32
-  .rept 7
-    .if vector < FIRST_SYSTEM_VECTOR
-      .if vector <> FIRST_EXTERNAL_VECTOR
+    vector=FIRST_EXTERNAL_VECTOR
+    .rept (FIRST_SYSTEM_VECTOR - FIRST_EXTERNAL_VECTOR)
+        pushq_cfi $(~vector+0x80)       /* Note: always in signed byte range */
+    vector=vector+1
+        jmp     common_interrupt
         CFI_ADJUST_CFA_OFFSET -8
-      .endif
-1:      pushq_cfi $(~vector+0x80)       /* Note: always in signed byte range */
-      .if ((vector-FIRST_EXTERNAL_VECTOR)%7) <> 6
-        jmp 2f
-      .endif
-      .previous
-        .quad 1b
-      .section .entry.text
-vector=vector+1
-    .endif
-  .endr
-2:      jmp common_interrupt
-.endr
+        .align  8
+    .endr
         CFI_ENDPROC
 END(irq_entries_start)
 
-.previous
-END(interrupt)
-.previous
-
 /*
  * Interrupt entry/exit.
  *
@@ -669,47 +662,45 @@ END(interrupt)
 
 /* 0(%rsp): ~(interrupt number) */
         .macro interrupt func
-        /* reserve pt_regs for scratch regs and rbp */
-        subq $ORIG_RAX-RBP, %rsp
-        CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
         cld
-        /* start from rbp in pt_regs and jump over */
-        movq_cfi rdi, (RDI-RBP)
-        movq_cfi rsi, (RSI-RBP)
-        movq_cfi rdx, (RDX-RBP)
-        movq_cfi rcx, (RCX-RBP)
-        movq_cfi rax, (RAX-RBP)
-        movq_cfi  r8,  (R8-RBP)
-        movq_cfi  r9,  (R9-RBP)
-        movq_cfi r10, (R10-RBP)
-        movq_cfi r11, (R11-RBP)
-
-        /* Save rbp so that we can unwind from get_irq_regs() */
-        movq_cfi rbp, 0
-
-        /* Save previous stack value */
-        movq %rsp, %rsi
+        /*
+         * Since nothing in interrupt handling code touches r12...r15 members
+         * of "struct pt_regs", and since interrupts can nest, we can save
+         * four stack slots and simultaneously provide
+         * an unwind-friendly stack layout by saving "truncated" pt_regs
+         * exactly up to rbp slot, without these members.
+         */
+        ALLOC_PT_GPREGS_ON_STACK -RBP
+        SAVE_C_REGS -RBP
+        /* this goes to 0(%rsp) for unwinder, not for saving the value: */
+        SAVE_EXTRA_REGS_RBP -RBP
 
-        leaq -RBP(%rsp),%rdi    /* arg1 for handler */
-        testl $3, CS-RBP(%rsi)
+        leaq -RBP(%rsp),%rdi    /* arg1 for \func (pointer to pt_regs) */
+
+        testl $3, CS-RBP(%rsp)
         je 1f
         SWAPGS
+1:
         /*
+         * Save previous stack pointer, optionally switch to interrupt stack.
          * irq_count is used to check if a CPU is already on an interrupt stack
          * or not. While this is essentially redundant with preempt_count it is
          * a little cheaper to use a separate counter in the PDA (short of
          * moving irq_enter into assembly, which would be too much work)
          */
-1:      incl PER_CPU_VAR(irq_count)
+        movq %rsp, %rsi
+        incl PER_CPU_VAR(irq_count)
         cmovzq PER_CPU_VAR(irq_stack_ptr),%rsp
         CFI_DEF_CFA_REGISTER    rsi
-
-        /* Store previous stack value */
         pushq %rsi
+        /*
+         * For debugger:
+         * "CFA (Current Frame Address) is the value on stack + offset"
+         */
         CFI_ESCAPE      0x0f /* DW_CFA_def_cfa_expression */, 6, \
-                        0x77 /* DW_OP_breg7 */, 0, \
+                        0x77 /* DW_OP_breg7 (rsp) */, 0, \
                         0x06 /* DW_OP_deref */, \
-                        0x08 /* DW_OP_const1u */, SS+8-RBP, \
+                        0x08 /* DW_OP_const1u */, SIZEOF_PTREGS-RBP, \
                         0x22 /* DW_OP_plus */
         /* We entered an interrupt context - irqs are off: */
         TRACE_IRQS_OFF
@@ -727,7 +718,7 @@ common_interrupt:
         ASM_CLAC
         addq $-0x80,(%rsp)              /* Adjust vector to [-256,-1] range */
         interrupt do_IRQ
-        /* 0(%rsp): old_rsp-ARGOFFSET */
+        /* 0(%rsp): old RSP */
 ret_from_intr:
         DISABLE_INTERRUPTS(CLBR_NONE)
         TRACE_IRQS_OFF
@@ -735,19 +726,18 @@ ret_from_intr:
 
         /* Restore saved previous stack */
         popq %rsi
-        CFI_DEF_CFA rsi,SS+8-RBP        /* reg/off reset after def_cfa_expr */
-        leaq ARGOFFSET-RBP(%rsi), %rsp
+        CFI_DEF_CFA rsi,SIZEOF_PTREGS-RBP /* reg/off reset after def_cfa_expr */
+        /* return code expects complete pt_regs - adjust rsp accordingly: */
+        leaq -RBP(%rsi),%rsp
         CFI_DEF_CFA_REGISTER    rsp
-        CFI_ADJUST_CFA_OFFSET   RBP-ARGOFFSET
+        CFI_ADJUST_CFA_OFFSET   RBP
 
-exit_intr:
-        GET_THREAD_INFO(%rcx)
-        testl $3,CS-ARGOFFSET(%rsp)
+        testl $3,CS(%rsp)
         je retint_kernel
-
         /* Interrupt came from user space */
+
+        GET_THREAD_INFO(%rcx)
         /*
-         * Has a correct top of stack, but a partial stack frame
          * %rcx: thread info. Interrupts off.
          */
 retint_with_reschedule:
@@ -766,84 +756,34 @@ retint_swapgs:		/* return to user-space */
         DISABLE_INTERRUPTS(CLBR_ANY)
         TRACE_IRQS_IRETQ
 
-        /*
-         * Try to use SYSRET instead of IRET if we're returning to
-         * a completely clean 64-bit userspace context.
-         */
-        movq (RCX-R11)(%rsp), %rcx
-        cmpq %rcx,(RIP-R11)(%rsp)               /* RCX == RIP */
-        jne opportunistic_sysret_failed
-
-        /*
-         * On Intel CPUs, sysret with non-canonical RCX/RIP will #GP
-         * in kernel space.  This essentially lets the user take over
-         * the kernel, since userspace controls RSP.  It's not worth
-         * testing for canonicalness exactly -- this check detects any
-         * of the 17 high bits set, which is true for non-canonical
-         * or kernel addresses.  (This will pessimize vsyscall=native.
-         * Big deal.)
-         *
-         * If virtual addresses ever become wider, this will need
-         * to be updated to remain correct on both old and new CPUs.
-         */
-        .ifne __VIRTUAL_MASK_SHIFT - 47
-        .error "virtual address width changed -- sysret checks need update"
-        .endif
-        shr $__VIRTUAL_MASK_SHIFT, %rcx
-        jnz opportunistic_sysret_failed
-
-        cmpq $__USER_CS,(CS-R11)(%rsp)          /* CS must match SYSRET */
-        jne opportunistic_sysret_failed
-
-        movq (R11-ARGOFFSET)(%rsp), %r11
-        cmpq %r11,(EFLAGS-ARGOFFSET)(%rsp)      /* R11 == RFLAGS */
-        jne opportunistic_sysret_failed
-
-        /*
-         * SYSRET can't restore RF.  SYSRET can restore TF, but unlike IRET,
-         * restoring TF results in a trap from userspace immediately after
-         * SYSRET.  This would cause an infinite loop whenever #DB happens
-         * with register state that satisfies the opportunistic SYSRET
-         * conditions.  For example, single-stepping this user code:
-         *
-         *           movq $stuck_here,%rcx
-         *           pushfq
-         *           popq %r11
-         *   stuck_here:
-         *
-         * would never get past 'stuck_here'.
-         */
-        testq $(X86_EFLAGS_RF|X86_EFLAGS_TF), %r11
-        jnz opportunistic_sysret_failed
-
-        /* nothing to check for RSP */
-
-        cmpq $__USER_DS,(SS-ARGOFFSET)(%rsp)    /* SS must match SYSRET */
-        jne opportunistic_sysret_failed
-
-        /*
-         * We win!  This label is here just for ease of understanding
-         * perf profiles.  Nothing jumps here.
-         */
-irq_return_via_sysret:
-        CFI_REMEMBER_STATE
-        RESTORE_ARGS 1,8,1
-        movq (RSP-RIP)(%rsp),%rsp
-        USERGS_SYSRET64
-        CFI_RESTORE_STATE
-
-opportunistic_sysret_failed:
         SWAPGS
-        jmp restore_args
+        jmp     restore_c_regs_and_iret
 
-retint_restore_args:    /* return to kernel space */
-        DISABLE_INTERRUPTS(CLBR_ANY)
+/* Returning to kernel space */
+retint_kernel:
+#ifdef CONFIG_PREEMPT
+        /* Interrupts are off */
+        /* Check if we need preemption */
+        bt      $9,EFLAGS(%rsp) /* interrupts were off? */
+        jnc     1f
+0:      cmpl    $0,PER_CPU_VAR(__preempt_count)
+        jnz     1f
+        call    preempt_schedule_irq
+        jmp     0b
+1:
+#endif
         /*
          * The iretq could re-enable interrupts:
          */
         TRACE_IRQS_IRETQ
-restore_args:
-        RESTORE_ARGS 1,8,1
+
+/*
+ * At this label, code paths which return to kernel and to user,
+ * which come from interrupts/exception and from syscalls, merge.
+ */
+restore_c_regs_and_iret:
+        RESTORE_C_REGS
+        REMOVE_PT_GPREGS_FROM_STACK 8
 
 irq_return:
         INTERRUPT_RETURN
@@ -914,28 +854,17 @@ retint_signal:
         jz    retint_swapgs
         TRACE_IRQS_ON
         ENABLE_INTERRUPTS(CLBR_NONE)
-        SAVE_REST
+        SAVE_EXTRA_REGS
         movq $-1,ORIG_RAX(%rsp)
         xorl %esi,%esi          # oldset
         movq %rsp,%rdi          # &pt_regs
         call do_notify_resume
-        RESTORE_REST
+        RESTORE_EXTRA_REGS
         DISABLE_INTERRUPTS(CLBR_NONE)
         TRACE_IRQS_OFF
         GET_THREAD_INFO(%rcx)
         jmp retint_with_reschedule
 
-#ifdef CONFIG_PREEMPT
-        /* Returning to kernel space. Check if we need preemption */
-        /* rcx:  threadinfo. interrupts off. */
-ENTRY(retint_kernel)
-        cmpl $0,PER_CPU_VAR(__preempt_count)
-        jnz  retint_restore_args
-        bt   $9,EFLAGS-ARGOFFSET(%rsp)  /* interrupts off? */
-        jnc  retint_restore_args
-        call preempt_schedule_irq
-        jmp exit_intr
-#endif
         CFI_ENDPROC
 END(common_interrupt)
 
@@ -1024,7 +953,7 @@ apicinterrupt IRQ_WORK_VECTOR \
 /*
  * Exception entry points.
  */
-#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
+#define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss) + (TSS_ist + ((x) - 1) * 8)
 
 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
 ENTRY(\sym)
@@ -1046,8 +975,7 @@ ENTRY(\sym)
         pushq_cfi $-1                   /* ORIG_RAX: no syscall to restart */
         .endif
 
-        subq $ORIG_RAX-R15, %rsp
-        CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
+        ALLOC_PT_GPREGS_ON_STACK
 
         .if \paranoid
         .if \paranoid == 1
@@ -1055,10 +983,11 @@ ENTRY(\sym)
         testl $3, CS(%rsp)              /* If coming from userspace, switch */
         jnz 1f                          /* stacks. */
         .endif
-        call save_paranoid
+        call paranoid_entry
         .else
         call error_entry
         .endif
+        /* returned flag: ebx=0: need swapgs on exit, ebx=1: don't need it */
 
         DEFAULT_FRAME 0
 
@@ -1080,19 +1009,20 @@ ENTRY(\sym)
         .endif
 
         .if \shift_ist != -1
-        subq $EXCEPTION_STKSZ, INIT_TSS_IST(\shift_ist)
+        subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
         .endif
 
         call \do_sym
 
         .if \shift_ist != -1
-        addq $EXCEPTION_STKSZ, INIT_TSS_IST(\shift_ist)
+        addq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
         .endif
 
+        /* these procedures expect "no swapgs" flag in ebx */
         .if \paranoid
-        jmp paranoid_exit               /* %ebx: no swapgs flag */
+        jmp paranoid_exit
         .else
-        jmp error_exit                  /* %ebx: no swapgs flag */
+        jmp error_exit
         .endif
 
         .if \paranoid == 1
@@ -1296,7 +1226,9 @@ ENTRY(xen_failsafe_callback)
         addq $0x30,%rsp
         CFI_ADJUST_CFA_OFFSET -0x30
         pushq_cfi $-1 /* orig_ax = -1 => not a system call */
-        SAVE_ALL
+        ALLOC_PT_GPREGS_ON_STACK
+        SAVE_C_REGS
+        SAVE_EXTRA_REGS
         jmp error_exit
         CFI_ENDPROC
 END(xen_failsafe_callback)
@@ -1328,59 +1260,66 @@ idtentry async_page_fault do_async_page_fault has_error_code=1
 idtentry machine_check has_error_code=0 paranoid=1 do_sym=*machine_check_vector(%rip)
 #endif
 
-        /*
-         * "Paranoid" exit path from exception stack.  This is invoked
-         * only on return from non-NMI IST interrupts that came
-         * from kernel space.
-         *
-         * We may be returning to very strange contexts (e.g. very early
-         * in syscall entry), so checking for preemption here would
-         * be complicated.  Fortunately, we there's no good reason
-         * to try to handle preemption here.
-         */
+/*
+ * Save all registers in pt_regs, and switch gs if needed.
+ * Use slow, but surefire "are we in kernel?" check.
+ * Return: ebx=0: need swapgs on exit, ebx=1: otherwise
+ */
+ENTRY(paranoid_entry)
+        XCPT_FRAME 1 15*8
+        cld
+        SAVE_C_REGS 8
+        SAVE_EXTRA_REGS 8
+        movl $1,%ebx
+        movl $MSR_GS_BASE,%ecx
+        rdmsr
+        testl %edx,%edx
+        js 1f   /* negative -> in kernel */
+        SWAPGS
+        xorl %ebx,%ebx
+1:      ret
+        CFI_ENDPROC
+END(paranoid_entry)
 
-        /* ebx: no swapgs flag */
+/*
+ * "Paranoid" exit path from exception stack.  This is invoked
+ * only on return from non-NMI IST interrupts that came
+ * from kernel space.
+ *
+ * We may be returning to very strange contexts (e.g. very early
+ * in syscall entry), so checking for preemption here would
+ * be complicated.  Fortunately, we there's no good reason
+ * to try to handle preemption here.
+ */
+/* On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it) */
 ENTRY(paranoid_exit)
         DEFAULT_FRAME
         DISABLE_INTERRUPTS(CLBR_NONE)
         TRACE_IRQS_OFF_DEBUG
         testl %ebx,%ebx                         /* swapgs needed? */
-        jnz paranoid_restore
-        TRACE_IRQS_IRETQ 0
+        jnz paranoid_exit_no_swapgs
+        TRACE_IRQS_IRETQ
         SWAPGS_UNSAFE_STACK
-        RESTORE_ALL 8
-        INTERRUPT_RETURN
-paranoid_restore:
-        TRACE_IRQS_IRETQ_DEBUG 0
-        RESTORE_ALL 8
+        jmp paranoid_exit_restore
+paranoid_exit_no_swapgs:
+        TRACE_IRQS_IRETQ_DEBUG
+paranoid_exit_restore:
+        RESTORE_EXTRA_REGS
+        RESTORE_C_REGS
+        REMOVE_PT_GPREGS_FROM_STACK 8
         INTERRUPT_RETURN
         CFI_ENDPROC
 END(paranoid_exit)
 
 /*
- * Exception entry point. This expects an error code/orig_rax on the stack.
- * returns in "no swapgs flag" in %ebx.
+ * Save all registers in pt_regs, and switch gs if needed.
+ * Return: ebx=0: need swapgs on exit, ebx=1: otherwise
  */
 ENTRY(error_entry)
-        XCPT_FRAME
-        CFI_ADJUST_CFA_OFFSET 15*8
-        /* oldrax contains error code */
+        XCPT_FRAME 1 15*8
         cld
-        movq %rdi, RDI+8(%rsp)
-        movq %rsi, RSI+8(%rsp)
-        movq %rdx, RDX+8(%rsp)
-        movq %rcx, RCX+8(%rsp)
-        movq %rax, RAX+8(%rsp)
-        movq  %r8,  R8+8(%rsp)
-        movq  %r9,  R9+8(%rsp)
-        movq %r10, R10+8(%rsp)
-        movq %r11, R11+8(%rsp)
-        movq_cfi rbx, RBX+8
-        movq %rbp, RBP+8(%rsp)
-        movq %r12, R12+8(%rsp)
-        movq %r13, R13+8(%rsp)
-        movq %r14, R14+8(%rsp)
-        movq %r15, R15+8(%rsp)
+        SAVE_C_REGS 8
+        SAVE_EXTRA_REGS 8
         xorl %ebx,%ebx
         testl $3,CS+8(%rsp)
         je error_kernelspace
@@ -1390,12 +1329,12 @@ error_sti:
         TRACE_IRQS_OFF
         ret
 
-/*
- * There are two places in the kernel that can potentially fault with
- * usergs. Handle them here.  B stepping K8s sometimes report a
- * truncated RIP for IRET exceptions returning to compat mode. Check
- * for these here too.
- */
+        /*
+         * There are two places in the kernel that can potentially fault with
+         * usergs. Handle them here.  B stepping K8s sometimes report a
+         * truncated RIP for IRET exceptions returning to compat mode. Check
+         * for these here too.
+         */
 error_kernelspace:
         CFI_REL_OFFSET rcx, RCX+8
         incl %ebx
@@ -1425,11 +1364,11 @@ error_bad_iret:
 END(error_entry)
 
 
-/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
+/* On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it) */
 ENTRY(error_exit)
         DEFAULT_FRAME
         movl %ebx,%eax
-        RESTORE_REST
+        RESTORE_EXTRA_REGS
         DISABLE_INTERRUPTS(CLBR_NONE)
         TRACE_IRQS_OFF
         GET_THREAD_INFO(%rcx)
@@ -1444,19 +1383,7 @@ ENTRY(error_exit)
         CFI_ENDPROC
 END(error_exit)
 
-/*
- * Test if a given stack is an NMI stack or not.
- */
-        .macro test_in_nmi reg stack nmi_ret normal_ret
-        cmpq %\reg, \stack
-        ja \normal_ret
-        subq $EXCEPTION_STKSZ, %\reg
-        cmpq %\reg, \stack
-        jb \normal_ret
-        jmp \nmi_ret
-        .endm
-
-        /* runs on exception stack */
+/* Runs on exception stack */
 ENTRY(nmi)
         INTR_FRAME
         PARAVIRT_ADJUST_EXCEPTION_FRAME
@@ -1492,7 +1419,7 @@ ENTRY(nmi)
          * NMI.
          */
 
-        /* Use %rdx as out temp variable throughout */
+        /* Use %rdx as our temp variable throughout */
         pushq_cfi %rdx
         CFI_REL_OFFSET rdx, 0
 
@@ -1517,8 +1444,17 @@ ENTRY(nmi)
          * We check the variable because the first NMI could be in a
          * breakpoint routine using a breakpoint stack.
          */
-        lea 6*8(%rsp), %rdx
-        test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
+        lea     6*8(%rsp), %rdx
+        /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
+        cmpq    %rdx, 4*8(%rsp)
+        /* If the stack pointer is above the NMI stack, this is a normal NMI */
+        ja      first_nmi
+        subq    $EXCEPTION_STKSZ, %rdx
+        cmpq    %rdx, 4*8(%rsp)
+        /* If it is below the NMI stack, it is a normal NMI */
+        jb      first_nmi
+        /* Ah, it is within the NMI stack, treat it as nested */
+
         CFI_REMEMBER_STATE
 
 nested_nmi:
@@ -1611,7 +1547,7 @@ first_nmi:
         .rept 5
         pushq_cfi 11*8(%rsp)
         .endr
-        CFI_DEF_CFA_OFFSET SS+8-RIP
+        CFI_DEF_CFA_OFFSET 5*8
 
         /* Everything up to here is safe from nested NMIs */
 
@@ -1639,7 +1575,7 @@ repeat_nmi:
         pushq_cfi -6*8(%rsp)
         .endr
         subq $(5*8), %rsp
-        CFI_DEF_CFA_OFFSET SS+8-RIP
+        CFI_DEF_CFA_OFFSET 5*8
 end_repeat_nmi:
 
         /*
@@ -1648,16 +1584,16 @@ end_repeat_nmi:
          * so that we repeat another NMI.
          */
         pushq_cfi $-1           /* ORIG_RAX: no syscall to restart */
-        subq $ORIG_RAX-R15, %rsp
-        CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
+        ALLOC_PT_GPREGS_ON_STACK
+
         /*
-         * Use save_paranoid to handle SWAPGS, but no need to use paranoid_exit
+         * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
          * as we should not be calling schedule in NMI context.
          * Even with normal interrupts enabled. An NMI should not be
          * setting NEED_RESCHED or anything that normal interrupts and
          * exceptions might do.
          */
-        call save_paranoid
+        call paranoid_entry
         DEFAULT_FRAME 0
 
         /*
@@ -1688,8 +1624,10 @@ end_repeat_nmi:
 nmi_swapgs:
         SWAPGS_UNSAFE_STACK
 nmi_restore:
+        RESTORE_EXTRA_REGS
+        RESTORE_C_REGS
         /* Pop the extra iret frame at once */
-        RESTORE_ALL 6*8
+        REMOVE_PT_GPREGS_FROM_STACK 6*8
 
         /* Clear the NMI executing stack variable */
         movq $0, 5*8(%rsp)
diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
index f36bd42d6f0c..d031bad9e07e 100644
--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -22,6 +22,7 @@
 #include <asm/cpufeature.h>
 #include <asm/percpu.h>
 #include <asm/nops.h>
+#include <asm/bootparam.h>
 
 /* Physical address */
 #define pa(X) ((X) - __PAGE_OFFSET)
@@ -90,7 +91,7 @@ ENTRY(startup_32)
         
         /* test KEEP_SEGMENTS flag to see if the bootloader is asking
                 us to not reload segments */
-        testb $(1<<6), BP_loadflags(%esi)
+        testb $KEEP_SEGMENTS, BP_loadflags(%esi)
         jnz 2f
 
 /*
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 6fd514d9f69a..ae6588b301c2 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -1,5 +1,5 @@
 /*
- *  linux/arch/x86_64/kernel/head.S -- start in 32bit and switch to 64bit
+ *  linux/arch/x86/kernel/head_64.S -- start in 32bit and switch to 64bit
  *
  *  Copyright (C) 2000 Andrea Arcangeli <andrea@suse.de> SuSE
  *  Copyright (C) 2000 Pavel Machek <pavel@suse.cz>
@@ -56,7 +56,7 @@ startup_64:
          * %rsi holds a physical pointer to real_mode_data.
          *
          * We come here either directly from a 64bit bootloader, or from
-         * arch/x86_64/boot/compressed/head.S.
+         * arch/x86/boot/compressed/head_64.S.
          *
          * We only come here initially at boot nothing else comes here.
          *
@@ -146,7 +146,7 @@ startup_64:
         leaq    level2_kernel_pgt(%rip), %rdi
         leaq    4096(%rdi), %r8
         /* See if it is a valid page table entry */
-1:      testq   $1, 0(%rdi)
+1:      testb   $1, 0(%rdi)
         jz      2f
         addq    %rbp, 0(%rdi)
         /* Go to the next page */
diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
index d5651fce0b71..29c740deafec 100644
--- a/arch/x86/kernel/i387.c
+++ b/arch/x86/kernel/i387.c
@@ -68,7 +68,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
 static inline bool interrupted_user_mode(void)
 {
         struct pt_regs *regs = get_irq_regs();
-        return regs && user_mode_vm(regs);
+        return regs && user_mode(regs);
 }
 
 /*
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 4ddaf66ea35f..37dae792dbbe 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -54,7 +54,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
          * because the ->io_bitmap_max value must match the bitmap
          * contents:
          */
-        tss = &per_cpu(init_tss, get_cpu());
+        tss = &per_cpu(cpu_tss, get_cpu());
 
         if (turn_on)
                 bitmap_clear(t->io_bitmap_ptr, from, num);
diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
index 28d28f5eb8f4..f9fd86a7fcc7 100644
--- a/arch/x86/kernel/irq_32.c
+++ b/arch/x86/kernel/irq_32.c
@@ -165,7 +165,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
         if (unlikely(!desc))
                 return false;
 
-        if (user_mode_vm(regs) || !execute_on_irq_stack(overflow, desc, irq)) {
+        if (user_mode(regs) || !execute_on_irq_stack(overflow, desc, irq)) {
                 if (unlikely(overflow))
                         print_stack_overflow();
                 desc->handle_irq(irq, desc);
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
index e4b503d5558c..394e643d7830 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
@@ -44,7 +44,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
         u64 estack_top, estack_bottom;
         u64 curbase = (u64)task_stack_page(current);
 
-        if (user_mode_vm(regs))
+        if (user_mode(regs))
                 return;
 
         if (regs->sp >= curbase + sizeof(struct thread_info) +
diff --git a/arch/x86/kernel/irqinit.c b/arch/x86/kernel/irqinit.c
index 70e181ea1eac..cd10a6437264 100644
--- a/arch/x86/kernel/irqinit.c
+++ b/arch/x86/kernel/irqinit.c
@@ -178,7 +178,8 @@ void __init native_init_IRQ(void)
 #endif
         for_each_clear_bit_from(i, used_vectors, first_system_vector) {
                 /* IA32_SYSCALL_VECTOR could be used in trap_init already. */
-                set_intr_gate(i, interrupt[i - FIRST_EXTERNAL_VECTOR]);
+                set_intr_gate(i, irq_entries_start +
+                                8 * (i - FIRST_EXTERNAL_VECTOR));
         }
 #ifdef CONFIG_X86_LOCAL_APIC
         for_each_clear_bit_from(i, used_vectors, NR_VECTORS)
diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
index 25ecd56cefa8..d6178d9791db 100644
--- a/arch/x86/kernel/kgdb.c
+++ b/arch/x86/kernel/kgdb.c
@@ -126,11 +126,11 @@ char *dbg_get_reg(int regno, void *mem, struct pt_regs *regs)
 #ifdef CONFIG_X86_32
         switch (regno) {
         case GDB_SS:
-                if (!user_mode_vm(regs))
+                if (!user_mode(regs))
                         *(unsigned long *)mem = __KERNEL_DS;
                 break;
         case GDB_SP:
-                if (!user_mode_vm(regs))
+                if (!user_mode(regs))
                         *(unsigned long *)mem = kernel_stack_pointer(regs);
                 break;
         case GDB_GS:
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 4e3d5a9621fe..24d079604fd5 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -602,7 +602,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
         struct kprobe *p;
         struct kprobe_ctlblk *kcb;
 
-        if (user_mode_vm(regs))
+        if (user_mode(regs))
                 return 0;
 
         addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
@@ -1007,7 +1007,7 @@ int kprobe_exceptions_notify(struct notifier_block *self, unsigned long val,
         struct die_args *args = data;
         int ret = NOTIFY_DONE;
 
-        if (args->regs && user_mode_vm(args->regs))
+        if (args->regs && user_mode(args->regs))
                 return ret;
 
         if (val == DIE_GPF) {
diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
index d1ac80b72c72..005c03e93fc5 100644
--- a/arch/x86/kernel/module.c
+++ b/arch/x86/kernel/module.c
@@ -33,6 +33,7 @@
 
 #include <asm/page.h>
 #include <asm/pgtable.h>
+#include <asm/setup.h>
 
 #if 0
 #define DEBUGP(fmt, ...)                                \
@@ -47,21 +48,13 @@ do {							\
 
 #ifdef CONFIG_RANDOMIZE_BASE
 static unsigned long module_load_offset;
-static int randomize_modules = 1;
 
 /* Mutex protects the module_load_offset. */
 static DEFINE_MUTEX(module_kaslr_mutex);
 
-static int __init parse_nokaslr(char *p)
-{
-        randomize_modules = 0;
-        return 0;
-}
-early_param("nokaslr", parse_nokaslr);
-
 static unsigned long int get_module_load_offset(void)
 {
-        if (randomize_modules) {
+        if (kaslr_enabled()) {
                 mutex_lock(&module_kaslr_mutex);
                 /*
                  * Calculate the module_load_offset the first time this
diff --git a/arch/x86/kernel/perf_regs.c b/arch/x86/kernel/perf_regs.c
index 781861cc5ee8..da8cb987b973 100644
--- a/arch/x86/kernel/perf_regs.c
+++ b/arch/x86/kernel/perf_regs.c
@@ -131,10 +131,11 @@ void perf_get_regs_user(struct perf_regs *regs_user,
         }
 
         /*
-         * RIP, flags, and the argument registers are usually saved.
-         * orig_ax is probably okay, too.
+         * These registers are always saved on 64-bit syscall entry.
+         * On 32-bit entry points, they are saved too except r8..r11.
          */
         regs_user_copy->ip = user_regs->ip;
+        regs_user_copy->ax = user_regs->ax;
         regs_user_copy->cx = user_regs->cx;
         regs_user_copy->dx = user_regs->dx;
         regs_user_copy->si = user_regs->si;
@@ -145,9 +146,12 @@ void perf_get_regs_user(struct perf_regs *regs_user,
         regs_user_copy->r11 = user_regs->r11;
         regs_user_copy->orig_ax = user_regs->orig_ax;
         regs_user_copy->flags = user_regs->flags;
+        regs_user_copy->sp = user_regs->sp;
+        regs_user_copy->cs = user_regs->cs;
+        regs_user_copy->ss = user_regs->ss;
 
         /*
-         * Don't even try to report the "rest" regs.
+         * Most system calls don't save these registers, don't report them.
          */
         regs_user_copy->bx = -1;
         regs_user_copy->bp = -1;
@@ -158,37 +162,13 @@ void perf_get_regs_user(struct perf_regs *regs_user,
 
         /*
          * For this to be at all useful, we need a reasonable guess for
-         * sp and the ABI.  Be careful: we're in NMI context, and we're
+         * the ABI.  Be careful: we're in NMI context, and we're
          * considering current to be the current task, so we should
          * be careful not to look at any other percpu variables that might
          * change during context switches.
          */
-        if (IS_ENABLED(CONFIG_IA32_EMULATION) &&
-            task_thread_info(current)->status & TS_COMPAT) {
-                /* Easy case: we're in a compat syscall. */
-                regs_user->abi = PERF_SAMPLE_REGS_ABI_32;
-                regs_user_copy->sp = user_regs->sp;
-                regs_user_copy->cs = user_regs->cs;
-                regs_user_copy->ss = user_regs->ss;
-        } else if (user_regs->orig_ax != -1) {
-                /*
-                 * We're probably in a 64-bit syscall.
-                 * Warning: this code is severely racy.  At least it's better
-                 * than just blindly copying user_regs.
-                 */
-                regs_user->abi = PERF_SAMPLE_REGS_ABI_64;
-                regs_user_copy->sp = this_cpu_read(old_rsp);
-                regs_user_copy->cs = __USER_CS;
-                regs_user_copy->ss = __USER_DS;
-                regs_user_copy->cx = -1;  /* usually contains garbage */
-        } else {
-                /* We're probably in an interrupt or exception. */
-                regs_user->abi = user_64bit_mode(user_regs) ?
-                        PERF_SAMPLE_REGS_ABI_64 : PERF_SAMPLE_REGS_ABI_32;
-                regs_user_copy->sp = user_regs->sp;
-                regs_user_copy->cs = user_regs->cs;
-                regs_user_copy->ss = user_regs->ss;
-        }
+        regs_user->abi = user_64bit_mode(user_regs) ?
+                PERF_SAMPLE_REGS_ABI_64 : PERF_SAMPLE_REGS_ABI_32;
 
         regs_user->regs = regs_user_copy;
 }
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 7af7b6478637..0c8992dbead5 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -38,7 +38,26 @@
  * section. Since TSS's are completely CPU-local, we want them
  * on exact cacheline boundaries, to eliminate cacheline ping-pong.
  */
-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
+__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
+        .x86_tss = {
+                .sp0 = TOP_OF_INIT_STACK,
+#ifdef CONFIG_X86_32
+                .ss0 = __KERNEL_DS,
+                .ss1 = __KERNEL_CS,
+                .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,
+#endif
+         },
+#ifdef CONFIG_X86_32
+         /*
+          * Note that the .io_bitmap member must be extra-big. This is because
+          * the CPU will access an additional byte beyond the end of the IO
+          * permission bitmap. The extra byte must be all 1 bits, and must
+          * be within the limit.
+          */
+        .io_bitmap              = { [0 ... IO_BITMAP_LONGS] = ~0 },
+#endif
+};
+EXPORT_PER_CPU_SYMBOL_GPL(cpu_tss);
 
 #ifdef CONFIG_X86_64
 static DEFINE_PER_CPU(unsigned char, is_idle);
@@ -110,7 +129,7 @@ void exit_thread(void)
         unsigned long *bp = t->io_bitmap_ptr;
 
         if (bp) {
-                struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
+                struct tss_struct *tss = &per_cpu(cpu_tss, get_cpu());
 
                 t->io_bitmap_ptr = NULL;
                 clear_thread_flag(TIF_IO_BITMAP);
diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
index 603c4f99cb5a..8ed2106b06da 100644
--- a/arch/x86/kernel/process_32.c
+++ b/arch/x86/kernel/process_32.c
@@ -73,7 +73,7 @@ void __show_regs(struct pt_regs *regs, int all)
         unsigned long sp;
         unsigned short ss, gs;
 
-        if (user_mode_vm(regs)) {
+        if (user_mode(regs)) {
                 sp = regs->sp;
                 ss = regs->ss & 0xffff;
                 gs = get_user_gs(regs);
@@ -206,11 +206,7 @@ start_thread(struct pt_regs *regs, unsigned long new_ip, unsigned long new_sp)
         regs->ip                = new_ip;
         regs->sp                = new_sp;
         regs->flags             = X86_EFLAGS_IF;
-        /*
-         * force it to the iret return path by making it look as if there was
-         * some work pending.
-         */
-        set_thread_flag(TIF_NOTIFY_RESUME);
+        force_iret();
 }
 EXPORT_SYMBOL_GPL(start_thread);
 
@@ -248,7 +244,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         struct thread_struct *prev = &prev_p->thread,
                                  *next = &next_p->thread;
         int cpu = smp_processor_id();
-        struct tss_struct *tss = &per_cpu(init_tss, cpu);
+        struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
         fpu_switch_t fpu;
 
         /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
@@ -256,11 +252,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         fpu = switch_fpu_prepare(prev_p, next_p, cpu);
 
         /*
-         * Reload esp0.
-         */
-        load_sp0(tss, next);
-
-        /*
          * Save away %gs. No need to save %fs, as it was saved on the
          * stack on entry.  No need to save %es and %ds, as those are
          * always kernel segments while inside the kernel.  Doing this
@@ -310,9 +301,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
          */
         arch_end_context_switch(next_p);
 
+        /*
+         * Reload esp0, kernel_stack, and current_top_of_stack.  This changes
+         * current_thread_info().
+         */
+        load_sp0(tss, next);
         this_cpu_write(kernel_stack,
-                  (unsigned long)task_stack_page(next_p) +
-                  THREAD_SIZE - KERNEL_STACK_OFFSET);
+                       (unsigned long)task_stack_page(next_p) +
+                       THREAD_SIZE);
+        this_cpu_write(cpu_current_top_of_stack,
+                       (unsigned long)task_stack_page(next_p) +
+                       THREAD_SIZE);
 
         /*
          * Restore %gs if needed (which is common)
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 67fcc43577d2..4baaa972f52a 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -52,7 +52,7 @@
 
 asmlinkage extern void ret_from_fork(void);
 
-__visible DEFINE_PER_CPU(unsigned long, old_rsp);
+__visible DEFINE_PER_CPU(unsigned long, rsp_scratch);
 
 /* Prints also some state that isn't saved in the pt_regs */
 void __show_regs(struct pt_regs *regs, int all)
@@ -161,7 +161,6 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
         p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE;
         childregs = task_pt_regs(p);
         p->thread.sp = (unsigned long) childregs;
-        p->thread.usersp = me->thread.usersp;
         set_tsk_thread_flag(p, TIF_FORK);
         p->thread.io_bitmap_ptr = NULL;
 
@@ -207,7 +206,7 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
          */
         if (clone_flags & CLONE_SETTLS) {
 #ifdef CONFIG_IA32_EMULATION
-                if (test_thread_flag(TIF_IA32))
+                if (is_ia32_task())
                         err = do_set_thread_area(p, -1,
                                 (struct user_desc __user *)childregs->si, 0);
                 else
@@ -235,13 +234,12 @@ start_thread_common(struct pt_regs *regs, unsigned long new_ip,
         loadsegment(es, _ds);
         loadsegment(ds, _ds);
         load_gs_index(0);
-        current->thread.usersp  = new_sp;
         regs->ip                = new_ip;
         regs->sp                = new_sp;
-        this_cpu_write(old_rsp, new_sp);
         regs->cs                = _cs;
         regs->ss                = _ss;
         regs->flags             = X86_EFLAGS_IF;
+        force_iret();
 }
 
 void
@@ -277,15 +275,12 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         struct thread_struct *prev = &prev_p->thread;
         struct thread_struct *next = &next_p->thread;
         int cpu = smp_processor_id();
-        struct tss_struct *tss = &per_cpu(init_tss, cpu);
+        struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
         unsigned fsindex, gsindex;
         fpu_switch_t fpu;
 
         fpu = switch_fpu_prepare(prev_p, next_p, cpu);
 
-        /* Reload esp0 and ss1. */
-        load_sp0(tss, next);
-
         /* We must save %fs and %gs before load_TLS() because
          * %fs and %gs may be cleared by load_TLS().
          *
@@ -401,8 +396,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         /*
          * Switch the PDA and FPU contexts.
          */
-        prev->usersp = this_cpu_read(old_rsp);
-        this_cpu_write(old_rsp, next->usersp);
         this_cpu_write(current_task, next_p);
 
         /*
@@ -413,9 +406,11 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         task_thread_info(prev_p)->saved_preempt_count = this_cpu_read(__preempt_count);
         this_cpu_write(__preempt_count, task_thread_info(next_p)->saved_preempt_count);
 
+        /* Reload esp0 and ss1.  This changes current_thread_info(). */
+        load_sp0(tss, next);
+
         this_cpu_write(kernel_stack,
-                  (unsigned long)task_stack_page(next_p) +
-                  THREAD_SIZE - KERNEL_STACK_OFFSET);
+                (unsigned long)task_stack_page(next_p) + THREAD_SIZE);
 
         /*
          * Now maybe reload the debug registers and handle I/O bitmaps
@@ -602,6 +597,5 @@ long sys_arch_prctl(int code, unsigned long addr)
 
 unsigned long KSTK_ESP(struct task_struct *task)
 {
-        return (test_tsk_thread_flag(task, TIF_IA32)) ?
-                        (task_pt_regs(task)->sp) : ((task)->thread.usersp);
+        return task_pt_regs(task)->sp;
 }
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index e510618b2e91..a7bc79480719 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -364,18 +364,12 @@ static int set_segment_reg(struct task_struct *task,
         case offsetof(struct user_regs_struct,cs):
                 if (unlikely(value == 0))
                         return -EIO;
-#ifdef CONFIG_IA32_EMULATION
-                if (test_tsk_thread_flag(task, TIF_IA32))
-                        task_pt_regs(task)->cs = value;
-#endif
+                task_pt_regs(task)->cs = value;
                 break;
         case offsetof(struct user_regs_struct,ss):
                 if (unlikely(value == 0))
                         return -EIO;
-#ifdef CONFIG_IA32_EMULATION
-                if (test_tsk_thread_flag(task, TIF_IA32))
-                        task_pt_regs(task)->ss = value;
-#endif
+                task_pt_regs(task)->ss = value;
                 break;
         }
 
@@ -1421,7 +1415,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
         memset(info, 0, sizeof(*info));
         info->si_signo = SIGTRAP;
         info->si_code = si_code;
-        info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
+        info->si_addr = user_mode(regs) ? (void __user *)regs->ip : NULL;
 }
 
 void user_single_step_siginfo(struct task_struct *tsk,
diff --git a/arch/x86/kernel/relocate_kernel_32.S b/arch/x86/kernel/relocate_kernel_32.S
index e13f8e7c22a6..77630d57e7bf 100644
--- a/arch/x86/kernel/relocate_kernel_32.S
+++ b/arch/x86/kernel/relocate_kernel_32.S
@@ -226,23 +226,23 @@ swap_pages:
         movl    (%ebx), %ecx
         addl    $4, %ebx
 1:
-        testl   $0x1,   %ecx  /* is it a destination page */
+        testb   $0x1, %cl     /* is it a destination page */
         jz      2f
         movl    %ecx,   %edi
         andl    $0xfffff000, %edi
         jmp     0b
 2:
-        testl   $0x2,   %ecx  /* is it an indirection page */
+        testb   $0x2, %cl    /* is it an indirection page */
         jz      2f
         movl    %ecx,   %ebx
         andl    $0xfffff000, %ebx
         jmp     0b
 2:
-        testl   $0x4,   %ecx /* is it the done indicator */
+        testb   $0x4, %cl    /* is it the done indicator */
         jz      2f
         jmp     3f
 2:
-        testl   $0x8,   %ecx /* is it the source indicator */
+        testb   $0x8, %cl    /* is it the source indicator */
         jz      0b           /* Ignore it otherwise */
         movl    %ecx,   %esi /* For every source page do a copy */
         andl    $0xfffff000, %esi
diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
index 3fd2c693e475..98111b38ebfd 100644
--- a/arch/x86/kernel/relocate_kernel_64.S
+++ b/arch/x86/kernel/relocate_kernel_64.S
@@ -123,7 +123,7 @@ identity_mapped:
          * Set cr4 to a known state:
          *  - physical address extension enabled
          */
-        movq    $X86_CR4_PAE, %rax
+        movl    $X86_CR4_PAE, %eax
         movq    %rax, %cr4
 
         jmp 1f
@@ -221,23 +221,23 @@ swap_pages:
         movq    (%rbx), %rcx
         addq    $8,     %rbx
 1:
-        testq   $0x1,   %rcx  /* is it a destination page? */
+        testb   $0x1,   %cl   /* is it a destination page? */
         jz      2f
         movq    %rcx,   %rdi
         andq    $0xfffffffffffff000, %rdi
         jmp     0b
 2:
-        testq   $0x2,   %rcx  /* is it an indirection page? */
+        testb   $0x2,   %cl   /* is it an indirection page? */
         jz      2f
         movq    %rcx,   %rbx
         andq    $0xfffffffffffff000, %rbx
         jmp     0b
 2:
-        testq   $0x4,   %rcx  /* is it the done indicator? */
+        testb   $0x4,   %cl   /* is it the done indicator? */
         jz      2f
         jmp     3f
 2:
-        testq   $0x8,   %rcx  /* is it the source indicator? */
+        testb   $0x8,   %cl   /* is it the source indicator? */
         jz      0b            /* Ignore it otherwise */
         movq    %rcx,   %rsi  /* For ever source page do a copy */
         andq    $0xfffffffffffff000, %rsi
@@ -246,17 +246,17 @@ swap_pages:
         movq    %rsi, %rax
 
         movq    %r10, %rdi
-        movq    $512,   %rcx
+        movl    $512, %ecx
         rep ; movsq
 
         movq    %rax, %rdi
         movq    %rdx, %rsi
-        movq    $512,   %rcx
+        movl    $512, %ecx
         rep ; movsq
 
         movq    %rdx, %rdi
         movq    %r10, %rsi
-        movq    $512,   %rcx
+        movl    $512, %ecx
         rep ; movsq
 
         lea     PAGE_SIZE(%rax), %rsi
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 0a2421cca01f..014466b152b5 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -832,10 +832,15 @@ static void __init trim_low_memory_range(void)
 static int
 dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
 {
-        pr_emerg("Kernel Offset: 0x%lx from 0x%lx "
-                 "(relocation range: 0x%lx-0x%lx)\n",
-                 (unsigned long)&_text - __START_KERNEL, __START_KERNEL,
-                 __START_KERNEL_map, MODULES_VADDR-1);
+        if (kaslr_enabled()) {
+                pr_emerg("Kernel Offset: 0x%lx from 0x%lx (relocation range: 0x%lx-0x%lx)\n",
+                         (unsigned long)&_text - __START_KERNEL,
+                         __START_KERNEL,
+                         __START_KERNEL_map,
+                         MODULES_VADDR-1);
+        } else {
+                pr_emerg("Kernel Offset: disabled\n");
+        }
 
         return 0;
 }
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index e5042463c1bc..53cc4085c3d7 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -61,8 +61,7 @@
         regs->seg = GET_SEG(seg) | 3;                   \
 } while (0)
 
-int restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc,
-                       unsigned long *pax)
+int restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc)
 {
         void __user *buf;
         unsigned int tmpflags;
@@ -81,7 +80,7 @@ int restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc,
 #endif /* CONFIG_X86_32 */
 
                 COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx);
-                COPY(dx); COPY(cx); COPY(ip);
+                COPY(dx); COPY(cx); COPY(ip); COPY(ax);
 
 #ifdef CONFIG_X86_64
                 COPY(r8);
@@ -94,27 +93,20 @@ int restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc,
                 COPY(r15);
 #endif /* CONFIG_X86_64 */
 
-#ifdef CONFIG_X86_32
                 COPY_SEG_CPL3(cs);
                 COPY_SEG_CPL3(ss);
-#else /* !CONFIG_X86_32 */
-                /* Kernel saves and restores only the CS segment register on signals,
-                 * which is the bare minimum needed to allow mixed 32/64-bit code.
-                 * App's signal handler can save/restore other segments if needed. */
-                COPY_SEG_CPL3(cs);
-#endif /* CONFIG_X86_32 */
 
                 get_user_ex(tmpflags, &sc->flags);
                 regs->flags = (regs->flags & ~FIX_EFLAGS) | (tmpflags & FIX_EFLAGS);
                 regs->orig_ax = -1;             /* disable syscall checks */
 
                 get_user_ex(buf, &sc->fpstate);
-
-                get_user_ex(*pax, &sc->ax);
         } get_user_catch(err);
 
         err |= restore_xstate_sig(buf, config_enabled(CONFIG_X86_32));
 
+        force_iret();
+
         return err;
 }
 
@@ -162,8 +154,9 @@ int setup_sigcontext(struct sigcontext __user *sc, void __user *fpstate,
 #else /* !CONFIG_X86_32 */
                 put_user_ex(regs->flags, &sc->flags);
                 put_user_ex(regs->cs, &sc->cs);
-                put_user_ex(0, &sc->gs);
-                put_user_ex(0, &sc->fs);
+                put_user_ex(0, &sc->__pad2);
+                put_user_ex(0, &sc->__pad1);
+                put_user_ex(regs->ss, &sc->ss);
 #endif /* CONFIG_X86_32 */
 
                 put_user_ex(fpstate, &sc->fpstate);
@@ -457,9 +450,19 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
 
         regs->sp = (unsigned long)frame;
 
-        /* Set up the CS register to run signal handlers in 64-bit mode,
-           even if the handler happens to be interrupting 32-bit code. */
+        /*
+         * Set up the CS and SS registers to run signal handlers in
+         * 64-bit mode, even if the handler happens to be interrupting
+         * 32-bit or 16-bit code.
+         *
+         * SS is subtle.  In 64-bit mode, we don't need any particular
+         * SS descriptor, but we do need SS to be valid.  It's possible
+         * that the old SS is entirely bogus -- this can happen if the
+         * signal we're trying to deliver is #GP or #SS caused by a bad
+         * SS value.
+         */
         regs->cs = __USER_CS;
+        regs->ss = __USER_DS;
 
         return 0;
 }
@@ -539,7 +542,6 @@ asmlinkage unsigned long sys_sigreturn(void)
 {
         struct pt_regs *regs = current_pt_regs();
         struct sigframe __user *frame;
-        unsigned long ax;
         sigset_t set;
 
         frame = (struct sigframe __user *)(regs->sp - 8);
@@ -553,9 +555,9 @@ asmlinkage unsigned long sys_sigreturn(void)
 
         set_current_blocked(&set);
 
-        if (restore_sigcontext(regs, &frame->sc, &ax))
+        if (restore_sigcontext(regs, &frame->sc))
                 goto badframe;
-        return ax;
+        return regs->ax;
 
 badframe:
         signal_fault(regs, frame, "sigreturn");
@@ -568,7 +570,6 @@ asmlinkage long sys_rt_sigreturn(void)
 {
         struct pt_regs *regs = current_pt_regs();
         struct rt_sigframe __user *frame;
-        unsigned long ax;
         sigset_t set;
 
         frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long));
@@ -579,13 +580,13 @@ asmlinkage long sys_rt_sigreturn(void)
 
         set_current_blocked(&set);
 
-        if (restore_sigcontext(regs, &frame->uc.uc_mcontext, &ax))
+        if (restore_sigcontext(regs, &frame->uc.uc_mcontext))
                 goto badframe;
 
         if (restore_altstack(&frame->uc.uc_stack))
                 goto badframe;
 
-        return ax;
+        return regs->ax;
 
 badframe:
         signal_fault(regs, frame, "rt_sigreturn");
@@ -780,7 +781,6 @@ asmlinkage long sys32_x32_rt_sigreturn(void)
         struct pt_regs *regs = current_pt_regs();
         struct rt_sigframe_x32 __user *frame;
         sigset_t set;
-        unsigned long ax;
 
         frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8);
 
@@ -791,13 +791,13 @@ asmlinkage long sys32_x32_rt_sigreturn(void)
 
         set_current_blocked(&set);
 
-        if (restore_sigcontext(regs, &frame->uc.uc_mcontext, &ax))
+        if (restore_sigcontext(regs, &frame->uc.uc_mcontext))
                 goto badframe;
 
         if (compat_restore_altstack(&frame->uc.uc_stack))
                 goto badframe;
 
-        return ax;
+        return regs->ax;
 
 badframe:
         signal_fault(regs, frame, "x32 rt_sigreturn");
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index ddd2c0674cda..7035f6b21c3f 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -779,6 +779,26 @@ out:
         return boot_error;
 }
 
+void common_cpu_up(unsigned int cpu, struct task_struct *idle)
+{
+        /* Just in case we booted with a single CPU. */
+        alternatives_enable_smp();
+
+        per_cpu(current_task, cpu) = idle;
+
+#ifdef CONFIG_X86_32
+        /* Stack for startup_32 can be just as for start_secondary onwards */
+        irq_ctx_init(cpu);
+        per_cpu(cpu_current_top_of_stack, cpu) =
+                (unsigned long)task_stack_page(idle) + THREAD_SIZE;
+#else
+        clear_tsk_thread_flag(idle, TIF_FORK);
+        initial_gs = per_cpu_offset(cpu);
+#endif
+        per_cpu(kernel_stack, cpu) =
+                (unsigned long)task_stack_page(idle) + THREAD_SIZE;
+}
+
 /*
  * NOTE - on most systems this is a PHYSICAL apic ID, but on multiquad
  * (ie clustered apic addressing mode), this is a LOGICAL apic ID.
@@ -796,23 +816,9 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
         int cpu0_nmi_registered = 0;
         unsigned long timeout;
 
-        /* Just in case we booted with a single CPU. */
-        alternatives_enable_smp();
-
         idle->thread.sp = (unsigned long) (((struct pt_regs *)
                           (THREAD_SIZE +  task_stack_page(idle))) - 1);
-        per_cpu(current_task, cpu) = idle;
 
-#ifdef CONFIG_X86_32
-        /* Stack for startup_32 can be just as for start_secondary onwards */
-        irq_ctx_init(cpu);
-#else
-        clear_tsk_thread_flag(idle, TIF_FORK);
-        initial_gs = per_cpu_offset(cpu);
-#endif
-        per_cpu(kernel_stack, cpu) =
-                (unsigned long)task_stack_page(idle) -
-                KERNEL_STACK_OFFSET + THREAD_SIZE;
         early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
         initial_code = (unsigned long)start_secondary;
         stack_start  = idle->thread.sp;
@@ -953,6 +959,8 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle)
         /* the FPU context is blank, nobody can own it */
         __cpu_disable_lazy_restore(cpu);
 
+        common_cpu_up(cpu, tidle);
+
         err = do_boot_cpu(apicid, cpu, tidle);
         if (err) {
                 pr_err("do_boot_cpu failed(%d) to wakeup CPU#%u\n", err, cpu);
diff --git a/arch/x86/kernel/syscall_32.c b/arch/x86/kernel/syscall_32.c
index e9bcd57d8a9e..3777189c4a19 100644
--- a/arch/x86/kernel/syscall_32.c
+++ b/arch/x86/kernel/syscall_32.c
@@ -5,21 +5,29 @@
 #include <linux/cache.h>
 #include <asm/asm-offsets.h>
 
-#define __SYSCALL_I386(nr, sym, compat) extern asmlinkage void sym(void) ;
+#ifdef CONFIG_IA32_EMULATION
+#define SYM(sym, compat) compat
+#else
+#define SYM(sym, compat) sym
+#define ia32_sys_call_table sys_call_table
+#define __NR_ia32_syscall_max __NR_syscall_max
+#endif
+
+#define __SYSCALL_I386(nr, sym, compat) extern asmlinkage void SYM(sym, compat)(void) ;
 #include <asm/syscalls_32.h>
 #undef __SYSCALL_I386
 
-#define __SYSCALL_I386(nr, sym, compat) [nr] = sym,
+#define __SYSCALL_I386(nr, sym, compat) [nr] = SYM(sym, compat),
 
 typedef asmlinkage void (*sys_call_ptr_t)(void);
 
 extern asmlinkage void sys_ni_syscall(void);
 
-__visible const sys_call_ptr_t sys_call_table[__NR_syscall_max+1] = {
+__visible const sys_call_ptr_t ia32_sys_call_table[__NR_ia32_syscall_max+1] = {
         /*
          * Smells like a compiler bug -- it doesn't work
          * when the & below is removed.
          */
-        [0 ... __NR_syscall_max] = &sys_ni_syscall,
+        [0 ... __NR_ia32_syscall_max] = &sys_ni_syscall,
 #include <asm/syscalls_32.h>
 };
diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
index 25adc0e16eaa..d39c09119db6 100644
--- a/arch/x86/kernel/time.c
+++ b/arch/x86/kernel/time.c
@@ -30,7 +30,7 @@ unsigned long profile_pc(struct pt_regs *regs)
 {
         unsigned long pc = instruction_pointer(regs);
 
-        if (!user_mode_vm(regs) && in_lock_functions(pc)) {
+        if (!user_mode(regs) && in_lock_functions(pc)) {
 #ifdef CONFIG_FRAME_POINTER
                 return *(unsigned long *)(regs->bp + sizeof(long));
 #else
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 4ff5d162ff9f..6751c5c58eec 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -112,7 +112,7 @@ enum ctx_state ist_enter(struct pt_regs *regs)
 {
         enum ctx_state prev_state;
 
-        if (user_mode_vm(regs)) {
+        if (user_mode(regs)) {
                 /* Other than that, we're just an exception. */
                 prev_state = exception_enter();
         } else {
@@ -146,7 +146,7 @@ void ist_exit(struct pt_regs *regs, enum ctx_state prev_state)
         /* Must be before exception_exit. */
         preempt_count_sub(HARDIRQ_OFFSET);
 
-        if (user_mode_vm(regs))
+        if (user_mode(regs))
                 return exception_exit(prev_state);
         else
                 rcu_nmi_exit();
@@ -158,7 +158,7 @@ void ist_exit(struct pt_regs *regs, enum ctx_state prev_state)
  *
  * IST exception handlers normally cannot schedule.  As a special
  * exception, if the exception interrupted userspace code (i.e.
- * user_mode_vm(regs) would return true) and the exception was not
+ * user_mode(regs) would return true) and the exception was not
  * a double fault, it can be safe to schedule.  ist_begin_non_atomic()
  * begins a non-atomic section within an ist_enter()/ist_exit() region.
  * Callers are responsible for enabling interrupts themselves inside
@@ -167,15 +167,15 @@ void ist_exit(struct pt_regs *regs, enum ctx_state prev_state)
  */
 void ist_begin_non_atomic(struct pt_regs *regs)
 {
-        BUG_ON(!user_mode_vm(regs));
+        BUG_ON(!user_mode(regs));
 
         /*
          * Sanity check: we need to be on the normal thread stack.  This
          * will catch asm bugs and any attempt to use ist_preempt_enable
          * from double_fault.
          */
-        BUG_ON(((current_stack_pointer() ^ this_cpu_read_stable(kernel_stack))
-                & ~(THREAD_SIZE - 1)) != 0);
+        BUG_ON((unsigned long)(current_top_of_stack() -
+                               current_stack_pointer()) >= THREAD_SIZE);
 
         preempt_count_sub(HARDIRQ_OFFSET);
 }
@@ -194,8 +194,7 @@ static nokprobe_inline int
 do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
                   struct pt_regs *regs, long error_code)
 {
-#ifdef CONFIG_X86_32
-        if (regs->flags & X86_VM_MASK) {
+        if (v8086_mode(regs)) {
                 /*
                  * Traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
                  * On nmi (interrupt 2), do_trap should not be called.
@@ -207,7 +206,7 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
                 }
                 return -1;
         }
-#endif
+
         if (!user_mode(regs)) {
                 if (!fixup_exception(regs)) {
                         tsk->thread.error_code = error_code;
@@ -384,7 +383,7 @@ dotraplinkage void do_bounds(struct pt_regs *regs, long error_code)
                 goto exit;
         conditional_sti(regs);
 
-        if (!user_mode_vm(regs))
+        if (!user_mode(regs))
                 die("bounds", regs, error_code);
 
         if (!cpu_feature_enabled(X86_FEATURE_MPX)) {
@@ -462,13 +461,11 @@ do_general_protection(struct pt_regs *regs, long error_code)
         prev_state = exception_enter();
         conditional_sti(regs);
 
-#ifdef CONFIG_X86_32
-        if (regs->flags & X86_VM_MASK) {
+        if (v8086_mode(regs)) {
                 local_irq_enable();
                 handle_vm86_fault((struct kernel_vm86_regs *) regs, error_code);
                 goto exit;
         }
-#endif
 
         tsk = current;
         if (!user_mode(regs)) {
@@ -587,7 +584,7 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
         /* Copy the remainder of the stack from the current stack. */
         memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
 
-        BUG_ON(!user_mode_vm(&new_stack->regs));
+        BUG_ON(!user_mode(&new_stack->regs));
         return new_stack;
 }
 NOKPROBE_SYMBOL(fixup_bad_iret);
@@ -637,7 +634,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
          * then it's very likely the result of an icebp/int01 trap.
          * User wants a sigtrap for that.
          */
-        if (!dr6 && user_mode_vm(regs))
+        if (!dr6 && user_mode(regs))
                 user_icebp = 1;
 
         /* Catch kmemcheck conditions first of all! */
@@ -673,7 +670,7 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
         /* It's safe to allow irq's after DR6 has been saved */
         preempt_conditional_sti(regs);
 
-        if (regs->flags & X86_VM_MASK) {
+        if (v8086_mode(regs)) {
                 handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code,
                                         X86_TRAP_DB);
                 preempt_conditional_cli(regs);
@@ -721,7 +718,7 @@ static void math_error(struct pt_regs *regs, int error_code, int trapnr)
                 return;
         conditional_sti(regs);
 
-        if (!user_mode_vm(regs))
+        if (!user_mode(regs))
         {
                 if (!fixup_exception(regs)) {
                         task->thread.error_code = error_code;
@@ -925,9 +922,21 @@ dotraplinkage void do_iret_error(struct pt_regs *regs, long error_code)
 /* Set of traps needed for early debugging. */
 void __init early_trap_init(void)
 {
-        set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK);
+        /*
+         * Don't use IST to set DEBUG_STACK as it doesn't work until TSS
+         * is ready in cpu_init() <-- trap_init(). Before trap_init(),
+         * CPU runs at ring 0 so it is impossible to hit an invalid
+         * stack.  Using the original stack works well enough at this
+         * early stage. DEBUG_STACK will be equipped after cpu_init() in
+         * trap_init().
+         *
+         * We don't need to set trace_idt_table like set_intr_gate(),
+         * since we don't have trace_debug and it will be reset to
+         * 'debug' in trap_init() by set_intr_gate_ist().
+         */
+        set_intr_gate_notrace(X86_TRAP_DB, debug);
         /* int3 can be called from all */
-        set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK);
+        set_system_intr_gate(X86_TRAP_BP, &int3);
 #ifdef CONFIG_X86_32
         set_intr_gate(X86_TRAP_PF, page_fault);
 #endif
@@ -1005,6 +1014,15 @@ void __init trap_init(void)
          */
         cpu_init();
 
+        /*
+         * X86_TRAP_DB and X86_TRAP_BP have been set
+         * in early_trap_init(). However, ITS works only after
+         * cpu_init() loads TSS. See comments in early_trap_init().
+         */
+        set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK);
+        /* int3 can be called from all */
+        set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK);
+
         x86_init.irqs.trap_init();
 
 #ifdef CONFIG_X86_64
diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 81f8adb0679e..0b81ad67da07 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -912,7 +912,7 @@ int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val,
         int ret = NOTIFY_DONE;
 
         /* We are only interested in userspace traps */
-        if (regs && !user_mode_vm(regs))
+        if (regs && !user_mode(regs))
                 return NOTIFY_DONE;
 
         switch (val) {
diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
index e8edcf52e069..fc9db6ef2a95 100644
--- a/arch/x86/kernel/vm86_32.c
+++ b/arch/x86/kernel/vm86_32.c
@@ -150,7 +150,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs)
                 do_exit(SIGSEGV);
         }
 
-        tss = &per_cpu(init_tss, get_cpu());
+        tss = &per_cpu(cpu_tss, get_cpu());
         current->thread.sp0 = current->thread.saved_sp0;
         current->thread.sysenter_cs = __KERNEL_CS;
         load_sp0(tss, &current->thread);
@@ -318,7 +318,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk
         tsk->thread.saved_fs = info->regs32->fs;
         tsk->thread.saved_gs = get_user_gs(info->regs32);
 
-        tss = &per_cpu(init_tss, get_cpu());
+        tss = &per_cpu(cpu_tss, get_cpu());
         tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
         if (cpu_has_sep)
                 tsk->thread.sysenter_cs = 0;