13 files changed, 649 insertions, 408 deletions

diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index 1a7fe868f375..a28f338843ea 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -36,6 +36,7 @@ config KVM
         select TASKSTATS
         select TASK_DELAY_ACCT
         select PERF_EVENTS
+        select HAVE_KVM_MSI
         ---help---
           Support hosting fully virtualized guest machines using hardware
           virtualization extensions.  You will need a fairly recent
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 9fed5bedaad6..7df1c6d839fb 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -247,7 +247,8 @@ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
 
         /* cpuid 7.0.ebx */
         const u32 kvm_supported_word9_x86_features =
-                F(FSGSBASE) | F(BMI1) | F(AVX2) | F(SMEP) | F(BMI2) | F(ERMS);
+                F(FSGSBASE) | F(BMI1) | F(HLE) | F(AVX2) | F(SMEP) |
+                F(BMI2) | F(ERMS) | F(RTM);
 
         /* all calls to cpuid_count() should be made on the same cpu */
         get_cpu();
@@ -397,7 +398,7 @@ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
         case KVM_CPUID_SIGNATURE: {
                 char signature[12] = "KVMKVMKVM\0\0";
                 u32 *sigptr = (u32 *)signature;
-                entry->eax = 0;
+                entry->eax = KVM_CPUID_FEATURES;
                 entry->ebx = sigptr[0];
                 entry->ecx = sigptr[1];
                 entry->edx = sigptr[2];
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 83756223f8aa..f95d242ee9f7 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -142,6 +142,10 @@
 #define Src2FS      (OpFS << Src2Shift)
 #define Src2GS      (OpGS << Src2Shift)
 #define Src2Mask    (OpMask << Src2Shift)
+#define Mmx         ((u64)1 << 40)  /* MMX Vector instruction */
+#define Aligned     ((u64)1 << 41)  /* Explicitly aligned (e.g. MOVDQA) */
+#define Unaligned   ((u64)1 << 42)  /* Explicitly unaligned (e.g. MOVDQU) */
+#define Avx         ((u64)1 << 43)  /* Advanced Vector Extensions */
 
 #define X2(x...) x, x
 #define X3(x...) X2(x), x
@@ -557,6 +561,29 @@ static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
         ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
 }
 
+/*
+ * x86 defines three classes of vector instructions: explicitly
+ * aligned, explicitly unaligned, and the rest, which change behaviour
+ * depending on whether they're AVX encoded or not.
+ *
+ * Also included is CMPXCHG16B which is not a vector instruction, yet it is
+ * subject to the same check.
+ */
+static bool insn_aligned(struct x86_emulate_ctxt *ctxt, unsigned size)
+{
+        if (likely(size < 16))
+                return false;
+
+        if (ctxt->d & Aligned)
+                return true;
+        else if (ctxt->d & Unaligned)
+                return false;
+        else if (ctxt->d & Avx)
+                return false;
+        else
+                return true;
+}
+
 static int __linearize(struct x86_emulate_ctxt *ctxt,
                      struct segmented_address addr,
                      unsigned size, bool write, bool fetch,
@@ -621,6 +648,8 @@ static int __linearize(struct x86_emulate_ctxt *ctxt,
         }
         if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : ctxt->ad_bytes != 8)
                 la &= (u32)-1;
+        if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
+                return emulate_gp(ctxt, 0);
         *linear = la;
         return X86EMUL_CONTINUE;
 bad:
@@ -859,6 +888,40 @@ static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
         ctxt->ops->put_fpu(ctxt);
 }
 
+static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
+{
+        ctxt->ops->get_fpu(ctxt);
+        switch (reg) {
+        case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
+        case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
+        case 2: asm("movq %%mm2, %0" : "=m"(*data)); break;
+        case 3: asm("movq %%mm3, %0" : "=m"(*data)); break;
+        case 4: asm("movq %%mm4, %0" : "=m"(*data)); break;
+        case 5: asm("movq %%mm5, %0" : "=m"(*data)); break;
+        case 6: asm("movq %%mm6, %0" : "=m"(*data)); break;
+        case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
+        default: BUG();
+        }
+        ctxt->ops->put_fpu(ctxt);
+}
+
+static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
+{
+        ctxt->ops->get_fpu(ctxt);
+        switch (reg) {
+        case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
+        case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
+        case 2: asm("movq %0, %%mm2" : : "m"(*data)); break;
+        case 3: asm("movq %0, %%mm3" : : "m"(*data)); break;
+        case 4: asm("movq %0, %%mm4" : : "m"(*data)); break;
+        case 5: asm("movq %0, %%mm5" : : "m"(*data)); break;
+        case 6: asm("movq %0, %%mm6" : : "m"(*data)); break;
+        case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
+        default: BUG();
+        }
+        ctxt->ops->put_fpu(ctxt);
+}
+
 static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
                                     struct operand *op)
 {
@@ -875,6 +938,13 @@ static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
                 read_sse_reg(ctxt, &op->vec_val, reg);
                 return;
         }
+        if (ctxt->d & Mmx) {
+                reg &= 7;
+                op->type = OP_MM;
+                op->bytes = 8;
+                op->addr.mm = reg;
+                return;
+        }
 
         op->type = OP_REG;
         if (ctxt->d & ByteOp) {
@@ -902,7 +972,6 @@ static int decode_modrm(struct x86_emulate_ctxt *ctxt,
                 ctxt->modrm_rm = base_reg = (ctxt->rex_prefix & 1) << 3; /* REG.B */
         }
 
-        ctxt->modrm = insn_fetch(u8, ctxt);
         ctxt->modrm_mod |= (ctxt->modrm & 0xc0) >> 6;
         ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3;
         ctxt->modrm_rm |= (ctxt->modrm & 0x07);
@@ -920,6 +989,12 @@ static int decode_modrm(struct x86_emulate_ctxt *ctxt,
                         read_sse_reg(ctxt, &op->vec_val, ctxt->modrm_rm);
                         return rc;
                 }
+                if (ctxt->d & Mmx) {
+                        op->type = OP_MM;
+                        op->bytes = 8;
+                        op->addr.xmm = ctxt->modrm_rm & 7;
+                        return rc;
+                }
                 fetch_register_operand(op);
                 return rc;
         }
@@ -1387,6 +1462,9 @@ static int writeback(struct x86_emulate_ctxt *ctxt)
         case OP_XMM:
                 write_sse_reg(ctxt, &ctxt->dst.vec_val, ctxt->dst.addr.xmm);
                 break;
+        case OP_MM:
+                write_mmx_reg(ctxt, &ctxt->dst.mm_val, ctxt->dst.addr.mm);
+                break;
         case OP_NONE:
                 /* no writeback */
                 break;
@@ -2790,7 +2868,7 @@ static int em_rdpmc(struct x86_emulate_ctxt *ctxt)
 
 static int em_mov(struct x86_emulate_ctxt *ctxt)
 {
-        ctxt->dst.val = ctxt->src.val;
+        memcpy(ctxt->dst.valptr, ctxt->src.valptr, ctxt->op_bytes);
         return X86EMUL_CONTINUE;
 }
 
@@ -2870,12 +2948,6 @@ static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
         return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
 }
 
-static int em_movdqu(struct x86_emulate_ctxt *ctxt)
-{
-        memcpy(&ctxt->dst.vec_val, &ctxt->src.vec_val, ctxt->op_bytes);
-        return X86EMUL_CONTINUE;
-}
-
 static int em_invlpg(struct x86_emulate_ctxt *ctxt)
 {
         int rc;
@@ -3061,35 +3133,13 @@ static int em_btc(struct x86_emulate_ctxt *ctxt)
 
 static int em_bsf(struct x86_emulate_ctxt *ctxt)
 {
-        u8 zf;
-
-        __asm__ ("bsf %2, %0; setz %1"
-                 : "=r"(ctxt->dst.val), "=q"(zf)
-                 : "r"(ctxt->src.val));
-
-        ctxt->eflags &= ~X86_EFLAGS_ZF;
-        if (zf) {
-                ctxt->eflags |= X86_EFLAGS_ZF;
-                /* Disable writeback. */
-                ctxt->dst.type = OP_NONE;
-        }
+        emulate_2op_SrcV_nobyte(ctxt, "bsf");
         return X86EMUL_CONTINUE;
 }
 
 static int em_bsr(struct x86_emulate_ctxt *ctxt)
 {
-        u8 zf;
-
-        __asm__ ("bsr %2, %0; setz %1"
-                 : "=r"(ctxt->dst.val), "=q"(zf)
-                 : "r"(ctxt->src.val));
-
-        ctxt->eflags &= ~X86_EFLAGS_ZF;
-        if (zf) {
-                ctxt->eflags |= X86_EFLAGS_ZF;
-                /* Disable writeback. */
-                ctxt->dst.type = OP_NONE;
-        }
+        emulate_2op_SrcV_nobyte(ctxt, "bsr");
         return X86EMUL_CONTINUE;
 }
 
@@ -3286,8 +3336,8 @@ static int check_perm_out(struct x86_emulate_ctxt *ctxt)
                       .check_perm = (_p) }
 #define N    D(0)
 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
-#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
-#define GD(_f, _g) { .flags = ((_f) | GroupDual), .u.gdual = (_g) }
+#define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
+#define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
 #define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
 #define II(_f, _e, _i) \
         { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
@@ -3307,25 +3357,25 @@ static int check_perm_out(struct x86_emulate_ctxt *ctxt)
                 I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
 
 static struct opcode group7_rm1[] = {
-        DI(SrcNone | ModRM | Priv, monitor),
-        DI(SrcNone | ModRM | Priv, mwait),
+        DI(SrcNone | Priv, monitor),
+        DI(SrcNone | Priv, mwait),
         N, N, N, N, N, N,
 };
 
 static struct opcode group7_rm3[] = {
-        DIP(SrcNone | ModRM | Prot | Priv, vmrun,   check_svme_pa),
-        II(SrcNone | ModRM | Prot | VendorSpecific, em_vmmcall, vmmcall),
-        DIP(SrcNone | ModRM | Prot | Priv, vmload,  check_svme_pa),
-        DIP(SrcNone | ModRM | Prot | Priv, vmsave,  check_svme_pa),
-        DIP(SrcNone | ModRM | Prot | Priv, stgi,    check_svme),
-        DIP(SrcNone | ModRM | Prot | Priv, clgi,    check_svme),
-        DIP(SrcNone | ModRM | Prot | Priv, skinit,  check_svme),
-        DIP(SrcNone | ModRM | Prot | Priv, invlpga, check_svme),
+        DIP(SrcNone | Prot | Priv,              vmrun,          check_svme_pa),
+        II(SrcNone  | Prot | VendorSpecific,    em_vmmcall,     vmmcall),
+        DIP(SrcNone | Prot | Priv,              vmload,         check_svme_pa),
+        DIP(SrcNone | Prot | Priv,              vmsave,         check_svme_pa),
+        DIP(SrcNone | Prot | Priv,              stgi,           check_svme),
+        DIP(SrcNone | Prot | Priv,              clgi,           check_svme),
+        DIP(SrcNone | Prot | Priv,              skinit,         check_svme),
+        DIP(SrcNone | Prot | Priv,              invlpga,        check_svme),
 };
 
 static struct opcode group7_rm7[] = {
         N,
-        DIP(SrcNone | ModRM, rdtscp, check_rdtsc),
+        DIP(SrcNone, rdtscp, check_rdtsc),
         N, N, N, N, N, N,
 };
 
@@ -3341,81 +3391,86 @@ static struct opcode group1[] = {
 };
 
 static struct opcode group1A[] = {
-        I(DstMem | SrcNone | ModRM | Mov | Stack, em_pop), N, N, N, N, N, N, N,
+        I(DstMem | SrcNone | Mov | Stack, em_pop), N, N, N, N, N, N, N,
 };
 
 static struct opcode group3[] = {
-        I(DstMem | SrcImm | ModRM, em_test),
-        I(DstMem | SrcImm | ModRM, em_test),
-        I(DstMem | SrcNone | ModRM | Lock, em_not),
-        I(DstMem | SrcNone | ModRM | Lock, em_neg),
-        I(SrcMem | ModRM, em_mul_ex),
-        I(SrcMem | ModRM, em_imul_ex),
-        I(SrcMem | ModRM, em_div_ex),
-        I(SrcMem | ModRM, em_idiv_ex),
+        I(DstMem | SrcImm, em_test),
+        I(DstMem | SrcImm, em_test),
+        I(DstMem | SrcNone | Lock, em_not),
+        I(DstMem | SrcNone | Lock, em_neg),
+        I(SrcMem, em_mul_ex),
+        I(SrcMem, em_imul_ex),
+        I(SrcMem, em_div_ex),
+        I(SrcMem, em_idiv_ex),
 };
 
 static struct opcode group4[] = {
-        I(ByteOp | DstMem | SrcNone | ModRM | Lock, em_grp45),
-        I(ByteOp | DstMem | SrcNone | ModRM | Lock, em_grp45),
+        I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
+        I(ByteOp | DstMem | SrcNone | Lock, em_grp45),
         N, N, N, N, N, N,
 };
 
 static struct opcode group5[] = {
-        I(DstMem | SrcNone | ModRM | Lock, em_grp45),
-        I(DstMem | SrcNone | ModRM | Lock, em_grp45),
-        I(SrcMem | ModRM | Stack, em_grp45),
-        I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
-        I(SrcMem | ModRM | Stack, em_grp45),
-        I(SrcMemFAddr | ModRM | ImplicitOps, em_grp45),
-        I(SrcMem | ModRM | Stack, em_grp45), N,
+        I(DstMem | SrcNone | Lock,              em_grp45),
+        I(DstMem | SrcNone | Lock,              em_grp45),
+        I(SrcMem | Stack,                       em_grp45),
+        I(SrcMemFAddr | ImplicitOps | Stack,    em_call_far),
+        I(SrcMem | Stack,                       em_grp45),
+        I(SrcMemFAddr | ImplicitOps,            em_grp45),
+        I(SrcMem | Stack,                       em_grp45), N,
 };
 
 static struct opcode group6[] = {
-        DI(ModRM | Prot,        sldt),
-        DI(ModRM | Prot,        str),
-        DI(ModRM | Prot | Priv, lldt),
-        DI(ModRM | Prot | Priv, ltr),
+        DI(Prot,        sldt),
+        DI(Prot,        str),
+        DI(Prot | Priv, lldt),
+        DI(Prot | Priv, ltr),
         N, N, N, N,
 };
 
 static struct group_dual group7 = { {
-        DI(ModRM | Mov | DstMem | Priv, sgdt),
-        DI(ModRM | Mov | DstMem | Priv, sidt),
-        II(ModRM | SrcMem | Priv, em_lgdt, lgdt),
-        II(ModRM | SrcMem | Priv, em_lidt, lidt),
-        II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
-        II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw),
-        II(SrcMem | ModRM | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
+        DI(Mov | DstMem | Priv,                 sgdt),
+        DI(Mov | DstMem | Priv,                 sidt),
+        II(SrcMem | Priv,                       em_lgdt, lgdt),
+        II(SrcMem | Priv,                       em_lidt, lidt),
+        II(SrcNone | DstMem | Mov,              em_smsw, smsw), N,
+        II(SrcMem16 | Mov | Priv,               em_lmsw, lmsw),
+        II(SrcMem | ByteOp | Priv | NoAccess,   em_invlpg, invlpg),
 }, {
-        I(SrcNone | ModRM | Priv | VendorSpecific, em_vmcall),
+        I(SrcNone | Priv | VendorSpecific,      em_vmcall),
         EXT(0, group7_rm1),
         N, EXT(0, group7_rm3),
-        II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
-        II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw), EXT(0, group7_rm7),
+        II(SrcNone | DstMem | Mov,              em_smsw, smsw), N,
+        II(SrcMem16 | Mov | Priv,               em_lmsw, lmsw),
+        EXT(0, group7_rm7),
 } };
 
 static struct opcode group8[] = {
         N, N, N, N,
-        I(DstMem | SrcImmByte | ModRM, em_bt),
-        I(DstMem | SrcImmByte | ModRM | Lock | PageTable, em_bts),
-        I(DstMem | SrcImmByte | ModRM | Lock, em_btr),
-        I(DstMem | SrcImmByte | ModRM | Lock | PageTable, em_btc),
+        I(DstMem | SrcImmByte,                          em_bt),
+        I(DstMem | SrcImmByte | Lock | PageTable,       em_bts),
+        I(DstMem | SrcImmByte | Lock,                   em_btr),
+        I(DstMem | SrcImmByte | Lock | PageTable,       em_btc),
 };
 
 static struct group_dual group9 = { {
-        N, I(DstMem64 | ModRM | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
+        N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
 }, {
         N, N, N, N, N, N, N, N,
 } };
 
 static struct opcode group11[] = {
-        I(DstMem | SrcImm | ModRM | Mov | PageTable, em_mov),
+        I(DstMem | SrcImm | Mov | PageTable, em_mov),
         X7(D(Undefined)),
 };
 
 static struct gprefix pfx_0f_6f_0f_7f = {
-        N, N, N, I(Sse, em_movdqu),
+        I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
+};
+
+static struct gprefix pfx_vmovntpx = {
+        I(0, em_mov), N, N, N,
 };
 
 static struct opcode opcode_table[256] = {
@@ -3464,10 +3519,10 @@ static struct opcode opcode_table[256] = {
         /* 0x70 - 0x7F */
         X16(D(SrcImmByte)),
         /* 0x80 - 0x87 */
-        G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
-        G(DstMem | SrcImm | ModRM | Group, group1),
-        G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
-        G(DstMem | SrcImmByte | ModRM | Group, group1),
+        G(ByteOp | DstMem | SrcImm, group1),
+        G(DstMem | SrcImm, group1),
+        G(ByteOp | DstMem | SrcImm | No64, group1),
+        G(DstMem | SrcImmByte, group1),
         I2bv(DstMem | SrcReg | ModRM, em_test),
         I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_xchg),
         /* 0x88 - 0x8F */
@@ -3549,7 +3604,8 @@ static struct opcode twobyte_table[256] = {
         IIP(ModRM | SrcMem | Priv | Op3264, em_cr_write, cr_write, check_cr_write),
         IIP(ModRM | SrcMem | Priv | Op3264, em_dr_write, dr_write, check_dr_write),
         N, N, N, N,
-        N, N, N, N, N, N, N, N,
+        N, N, N, GP(ModRM | DstMem | SrcReg | Sse | Mov | Aligned, &pfx_vmovntpx),
+        N, N, N, N,
         /* 0x30 - 0x3F */
         II(ImplicitOps | Priv, em_wrmsr, wrmsr),
         IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
@@ -3897,17 +3953,16 @@ done_prefixes:
         }
         ctxt->d = opcode.flags;
 
+        if (ctxt->d & ModRM)
+                ctxt->modrm = insn_fetch(u8, ctxt);
+
         while (ctxt->d & GroupMask) {
                 switch (ctxt->d & GroupMask) {
                 case Group:
-                        ctxt->modrm = insn_fetch(u8, ctxt);
-                        --ctxt->_eip;
                         goffset = (ctxt->modrm >> 3) & 7;
                         opcode = opcode.u.group[goffset];
                         break;
                 case GroupDual:
-                        ctxt->modrm = insn_fetch(u8, ctxt);
-                        --ctxt->_eip;
                         goffset = (ctxt->modrm >> 3) & 7;
                         if ((ctxt->modrm >> 6) == 3)
                                 opcode = opcode.u.gdual->mod3[goffset];
@@ -3960,6 +4015,8 @@ done_prefixes:
 
         if (ctxt->d & Sse)
                 ctxt->op_bytes = 16;
+        else if (ctxt->d & Mmx)
+                ctxt->op_bytes = 8;
 
         /* ModRM and SIB bytes. */
         if (ctxt->d & ModRM) {
@@ -4030,6 +4087,35 @@ static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
         return false;
 }
 
+static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
+{
+        bool fault = false;
+
+        ctxt->ops->get_fpu(ctxt);
+        asm volatile("1: fwait \n\t"
+                     "2: \n\t"
+                     ".pushsection .fixup,\"ax\" \n\t"
+                     "3: \n\t"
+                     "movb $1, %[fault] \n\t"
+                     "jmp 2b \n\t"
+                     ".popsection \n\t"
+                     _ASM_EXTABLE(1b, 3b)
+                     : [fault]"+qm"(fault));
+        ctxt->ops->put_fpu(ctxt);
+
+        if (unlikely(fault))
+                return emulate_exception(ctxt, MF_VECTOR, 0, false);
+
+        return X86EMUL_CONTINUE;
+}
+
+static void fetch_possible_mmx_operand(struct x86_emulate_ctxt *ctxt,
+                                       struct operand *op)
+{
+        if (op->type == OP_MM)
+                read_mmx_reg(ctxt, &op->mm_val, op->addr.mm);
+}
+
 int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
 {
         struct x86_emulate_ops *ops = ctxt->ops;
@@ -4054,18 +4140,31 @@ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
                 goto done;
         }
 
-        if ((ctxt->d & Sse)
-            && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)
-                || !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
+        if (((ctxt->d & (Sse|Mmx)) && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)))
+            || ((ctxt->d & Sse) && !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
                 rc = emulate_ud(ctxt);
                 goto done;
         }
 
-        if ((ctxt->d & Sse) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
+        if ((ctxt->d & (Sse|Mmx)) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
                 rc = emulate_nm(ctxt);
                 goto done;
         }
 
+        if (ctxt->d & Mmx) {
+                rc = flush_pending_x87_faults(ctxt);
+                if (rc != X86EMUL_CONTINUE)
+                        goto done;
+                /*
+                 * Now that we know the fpu is exception safe, we can fetch
+                 * operands from it.
+                 */
+                fetch_possible_mmx_operand(ctxt, &ctxt->src);
+                fetch_possible_mmx_operand(ctxt, &ctxt->src2);
+                if (!(ctxt->d & Mov))
+                        fetch_possible_mmx_operand(ctxt, &ctxt->dst);
+        }
+
         if (unlikely(ctxt->guest_mode) && ctxt->intercept) {
                 rc = emulator_check_intercept(ctxt, ctxt->intercept,
                                               X86_ICPT_PRE_EXCEPT);
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index d68f99df690c..adba28f88d1a 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -34,7 +34,6 @@
 
 #include <linux/kvm_host.h>
 #include <linux/slab.h>
-#include <linux/workqueue.h>
 
 #include "irq.h"
 #include "i8254.h"
@@ -249,7 +248,7 @@ static void kvm_pit_ack_irq(struct kvm_irq_ack_notifier *kian)
                 /* in this case, we had multiple outstanding pit interrupts
                  * that we needed to inject.  Reinject
                  */
-                queue_work(ps->pit->wq, &ps->pit->expired);
+                queue_kthread_work(&ps->pit->worker, &ps->pit->expired);
         ps->irq_ack = 1;
         spin_unlock(&ps->inject_lock);
 }
@@ -270,7 +269,7 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
 static void destroy_pit_timer(struct kvm_pit *pit)
 {
         hrtimer_cancel(&pit->pit_state.pit_timer.timer);
-        cancel_work_sync(&pit->expired);
+        flush_kthread_work(&pit->expired);
 }
 
 static bool kpit_is_periodic(struct kvm_timer *ktimer)
@@ -284,7 +283,7 @@ static struct kvm_timer_ops kpit_ops = {
         .is_periodic = kpit_is_periodic,
 };
 
-static void pit_do_work(struct work_struct *work)
+static void pit_do_work(struct kthread_work *work)
 {
         struct kvm_pit *pit = container_of(work, struct kvm_pit, expired);
         struct kvm *kvm = pit->kvm;
@@ -328,7 +327,7 @@ static enum hrtimer_restart pit_timer_fn(struct hrtimer *data)
 
         if (ktimer->reinject || !atomic_read(&ktimer->pending)) {
                 atomic_inc(&ktimer->pending);
-                queue_work(pt->wq, &pt->expired);
+                queue_kthread_work(&pt->worker, &pt->expired);
         }
 
         if (ktimer->t_ops->is_periodic(ktimer)) {
@@ -353,7 +352,7 @@ static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
 
         /* TODO The new value only affected after the retriggered */
         hrtimer_cancel(&pt->timer);
-        cancel_work_sync(&ps->pit->expired);
+        flush_kthread_work(&ps->pit->expired);
         pt->period = interval;
         ps->is_periodic = is_period;
 
@@ -669,6 +668,8 @@ struct kvm_pit *kvm_create_pit(struct kvm *kvm, u32 flags)
 {
         struct kvm_pit *pit;
         struct kvm_kpit_state *pit_state;
+        struct pid *pid;
+        pid_t pid_nr;
         int ret;
 
         pit = kzalloc(sizeof(struct kvm_pit), GFP_KERNEL);
@@ -685,14 +686,20 @@ struct kvm_pit *kvm_create_pit(struct kvm *kvm, u32 flags)
         mutex_lock(&pit->pit_state.lock);
         spin_lock_init(&pit->pit_state.inject_lock);
 
-        pit->wq = create_singlethread_workqueue("kvm-pit-wq");
-        if (!pit->wq) {
+        pid = get_pid(task_tgid(current));
+        pid_nr = pid_vnr(pid);
+        put_pid(pid);
+
+        init_kthread_worker(&pit->worker);
+        pit->worker_task = kthread_run(kthread_worker_fn, &pit->worker,
+                                       "kvm-pit/%d", pid_nr);
+        if (IS_ERR(pit->worker_task)) {
                 mutex_unlock(&pit->pit_state.lock);
                 kvm_free_irq_source_id(kvm, pit->irq_source_id);
                 kfree(pit);
                 return NULL;
         }
-        INIT_WORK(&pit->expired, pit_do_work);
+        init_kthread_work(&pit->expired, pit_do_work);
 
         kvm->arch.vpit = pit;
         pit->kvm = kvm;
@@ -736,7 +743,7 @@ fail:
         kvm_unregister_irq_mask_notifier(kvm, 0, &pit->mask_notifier);
         kvm_unregister_irq_ack_notifier(kvm, &pit_state->irq_ack_notifier);
         kvm_free_irq_source_id(kvm, pit->irq_source_id);
-        destroy_workqueue(pit->wq);
+        kthread_stop(pit->worker_task);
         kfree(pit);
         return NULL;
 }
@@ -756,10 +763,10 @@ void kvm_free_pit(struct kvm *kvm)
                 mutex_lock(&kvm->arch.vpit->pit_state.lock);
                 timer = &kvm->arch.vpit->pit_state.pit_timer.timer;
                 hrtimer_cancel(timer);
-                cancel_work_sync(&kvm->arch.vpit->expired);
+                flush_kthread_work(&kvm->arch.vpit->expired);
+                kthread_stop(kvm->arch.vpit->worker_task);
                 kvm_free_irq_source_id(kvm, kvm->arch.vpit->irq_source_id);
                 mutex_unlock(&kvm->arch.vpit->pit_state.lock);
-                destroy_workqueue(kvm->arch.vpit->wq);
                 kfree(kvm->arch.vpit);
         }
 }
diff --git a/arch/x86/kvm/i8254.h b/arch/x86/kvm/i8254.h
index 51a97426e791..fdf40425ea1d 100644
--- a/arch/x86/kvm/i8254.h
+++ b/arch/x86/kvm/i8254.h
@@ -1,6 +1,8 @@
 #ifndef __I8254_H
 #define __I8254_H
 
+#include <linux/kthread.h>
+
 #include "iodev.h"
 
 struct kvm_kpit_channel_state {
@@ -39,8 +41,9 @@ struct kvm_pit {
         struct kvm_kpit_state pit_state;
         int irq_source_id;
         struct kvm_irq_mask_notifier mask_notifier;
-        struct workqueue_struct *wq;
-        struct work_struct expired;
+        struct kthread_worker worker;
+        struct task_struct *worker_task;
+        struct kthread_work expired;
 };
 
 #define KVM_PIT_BASE_ADDRESS        0x40
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 858432287ab6..93c15743f1ee 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -92,6 +92,11 @@ static inline int apic_test_and_clear_vector(int vec, void *bitmap)
         return test_and_clear_bit(VEC_POS(vec), (bitmap) + REG_POS(vec));
 }
 
+static inline int apic_test_vector(int vec, void *bitmap)
+{
+        return test_bit(VEC_POS(vec), (bitmap) + REG_POS(vec));
+}
+
 static inline void apic_set_vector(int vec, void *bitmap)
 {
         set_bit(VEC_POS(vec), (bitmap) + REG_POS(vec));
@@ -480,7 +485,6 @@ int kvm_apic_compare_prio(struct kvm_vcpu *vcpu1, struct kvm_vcpu *vcpu2)
 static void apic_set_eoi(struct kvm_lapic *apic)
 {
         int vector = apic_find_highest_isr(apic);
-        int trigger_mode;
         /*
          * Not every write EOI will has corresponding ISR,
          * one example is when Kernel check timer on setup_IO_APIC
@@ -491,12 +495,15 @@ static void apic_set_eoi(struct kvm_lapic *apic)
         apic_clear_vector(vector, apic->regs + APIC_ISR);
         apic_update_ppr(apic);
 
-        if (apic_test_and_clear_vector(vector, apic->regs + APIC_TMR))
-                trigger_mode = IOAPIC_LEVEL_TRIG;
-        else
-                trigger_mode = IOAPIC_EDGE_TRIG;
-        if (!(apic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI))
+        if (!(apic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI) &&
+            kvm_ioapic_handles_vector(apic->vcpu->kvm, vector)) {
+                int trigger_mode;
+                if (apic_test_vector(vector, apic->regs + APIC_TMR))
+                        trigger_mode = IOAPIC_LEVEL_TRIG;
+                else
+                        trigger_mode = IOAPIC_EDGE_TRIG;
                 kvm_ioapic_update_eoi(apic->vcpu->kvm, vector, trigger_mode);
+        }
         kvm_make_request(KVM_REQ_EVENT, apic->vcpu);
 }
 
@@ -1081,6 +1088,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vcpu)
         apic_update_ppr(apic);
 
         vcpu->arch.apic_arb_prio = 0;
+        vcpu->arch.apic_attention = 0;
 
         apic_debug(KERN_INFO "%s: vcpu=%p, id=%d, base_msr="
                    "0x%016" PRIx64 ", base_address=0x%0lx.\n", __func__,
@@ -1280,7 +1288,7 @@ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
         u32 data;
         void *vapic;
 
-        if (!irqchip_in_kernel(vcpu->kvm) || !vcpu->arch.apic->vapic_addr)
+        if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
                 return;
 
         vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
@@ -1297,7 +1305,7 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
         struct kvm_lapic *apic;
         void *vapic;
 
-        if (!irqchip_in_kernel(vcpu->kvm) || !vcpu->arch.apic->vapic_addr)
+        if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
                 return;
 
         apic = vcpu->arch.apic;
@@ -1317,10 +1325,11 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
 
 void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
 {
-        if (!irqchip_in_kernel(vcpu->kvm))
-                return;
-
         vcpu->arch.apic->vapic_addr = vapic_addr;
+        if (vapic_addr)
+                __set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
+        else
+                __clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
 }
 
 int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data)
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 4cb164268846..72102e0ab7cb 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -135,8 +135,6 @@ module_param(dbg, bool, 0644);
 #define PT64_PERM_MASK (PT_PRESENT_MASK | PT_WRITABLE_MASK | PT_USER_MASK \
                         | PT64_NX_MASK)
 
-#define PTE_LIST_EXT 4
-
 #define ACC_EXEC_MASK    1
 #define ACC_WRITE_MASK   PT_WRITABLE_MASK
 #define ACC_USER_MASK    PT_USER_MASK
@@ -151,6 +149,9 @@ module_param(dbg, bool, 0644);
 
 #define SHADOW_PT_INDEX(addr, level) PT64_INDEX(addr, level)
 
+/* make pte_list_desc fit well in cache line */
+#define PTE_LIST_EXT 3
+
 struct pte_list_desc {
         u64 *sptes[PTE_LIST_EXT];
         struct pte_list_desc *more;
@@ -550,19 +551,29 @@ static u64 mmu_spte_get_lockless(u64 *sptep)
 
 static void walk_shadow_page_lockless_begin(struct kvm_vcpu *vcpu)
 {
-        rcu_read_lock();
-        atomic_inc(&vcpu->kvm->arch.reader_counter);
-
-        /* Increase the counter before walking shadow page table */
-        smp_mb__after_atomic_inc();
+        /*
+         * Prevent page table teardown by making any free-er wait during
+         * kvm_flush_remote_tlbs() IPI to all active vcpus.
+         */
+        local_irq_disable();
+        vcpu->mode = READING_SHADOW_PAGE_TABLES;
+        /*
+         * Make sure a following spte read is not reordered ahead of the write
+         * to vcpu->mode.
+         */
+        smp_mb();
 }
 
 static void walk_shadow_page_lockless_end(struct kvm_vcpu *vcpu)
 {
-        /* Decrease the counter after walking shadow page table finished */
-        smp_mb__before_atomic_dec();
-        atomic_dec(&vcpu->kvm->arch.reader_counter);
-        rcu_read_unlock();
+        /*
+         * Make sure the write to vcpu->mode is not reordered in front of
+         * reads to sptes.  If it does, kvm_commit_zap_page() can see us
+         * OUTSIDE_GUEST_MODE and proceed to free the shadow page table.
+         */
+        smp_mb();
+        vcpu->mode = OUTSIDE_GUEST_MODE;
+        local_irq_enable();
 }
 
 static int mmu_topup_memory_cache(struct kvm_mmu_memory_cache *cache,
@@ -841,32 +852,6 @@ static int pte_list_add(struct kvm_vcpu *vcpu, u64 *spte,
         return count;
 }
 
-static u64 *pte_list_next(unsigned long *pte_list, u64 *spte)
-{
-        struct pte_list_desc *desc;
-        u64 *prev_spte;
-        int i;
-
-        if (!*pte_list)
-                return NULL;
-        else if (!(*pte_list & 1)) {
-                if (!spte)
-                        return (u64 *)*pte_list;
-                return NULL;
-        }
-        desc = (struct pte_list_desc *)(*pte_list & ~1ul);
-        prev_spte = NULL;
-        while (desc) {
-                for (i = 0; i < PTE_LIST_EXT && desc->sptes[i]; ++i) {
-                        if (prev_spte == spte)
-                                return desc->sptes[i];
-                        prev_spte = desc->sptes[i];
-                }
-                desc = desc->more;
-        }
-        return NULL;
-}
-
 static void
 pte_list_desc_remove_entry(unsigned long *pte_list, struct pte_list_desc *desc,
                            int i, struct pte_list_desc *prev_desc)
@@ -987,11 +972,6 @@ static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
         return pte_list_add(vcpu, spte, rmapp);
 }
 
-static u64 *rmap_next(unsigned long *rmapp, u64 *spte)
-{
-        return pte_list_next(rmapp, spte);
-}
-
 static void rmap_remove(struct kvm *kvm, u64 *spte)
 {
         struct kvm_mmu_page *sp;
@@ -1004,106 +984,201 @@ static void rmap_remove(struct kvm *kvm, u64 *spte)
         pte_list_remove(spte, rmapp);
 }
 
+/*
+ * Used by the following functions to iterate through the sptes linked by a
+ * rmap.  All fields are private and not assumed to be used outside.
+ */
+struct rmap_iterator {
+        /* private fields */
+        struct pte_list_desc *desc;     /* holds the sptep if not NULL */
+        int pos;                        /* index of the sptep */
+};
+
+/*
+ * Iteration must be started by this function.  This should also be used after
+ * removing/dropping sptes from the rmap link because in such cases the
+ * information in the itererator may not be valid.
+ *
+ * Returns sptep if found, NULL otherwise.
+ */
+static u64 *rmap_get_first(unsigned long rmap, struct rmap_iterator *iter)
+{
+        if (!rmap)
+                return NULL;
+
+        if (!(rmap & 1)) {
+                iter->desc = NULL;
+                return (u64 *)rmap;
+        }
+
+        iter->desc = (struct pte_list_desc *)(rmap & ~1ul);
+        iter->pos = 0;
+        return iter->desc->sptes[iter->pos];
+}
+
+/*
+ * Must be used with a valid iterator: e.g. after rmap_get_first().
+ *
+ * Returns sptep if found, NULL otherwise.
+ */
+static u64 *rmap_get_next(struct rmap_iterator *iter)
+{
+        if (iter->desc) {
+                if (iter->pos < PTE_LIST_EXT - 1) {
+                        u64 *sptep;
+
+                        ++iter->pos;
+                        sptep = iter->desc->sptes[iter->pos];
+                        if (sptep)
+                                return sptep;
+                }
+
+                iter->desc = iter->desc->more;
+
+                if (iter->desc) {
+                        iter->pos = 0;
+                        /* desc->sptes[0] cannot be NULL */
+                        return iter->desc->sptes[iter->pos];
+                }
+        }
+
+        return NULL;
+}
+
 static void drop_spte(struct kvm *kvm, u64 *sptep)
 {
         if (mmu_spte_clear_track_bits(sptep))
                 rmap_remove(kvm, sptep);
 }
 
-int kvm_mmu_rmap_write_protect(struct kvm *kvm, u64 gfn,
-                               struct kvm_memory_slot *slot)
+static int __rmap_write_protect(struct kvm *kvm, unsigned long *rmapp, int level)
 {
-        unsigned long *rmapp;
-        u64 *spte;
-        int i, write_protected = 0;
-
-        rmapp = __gfn_to_rmap(gfn, PT_PAGE_TABLE_LEVEL, slot);
-        spte = rmap_next(rmapp, NULL);
-        while (spte) {
-                BUG_ON(!(*spte & PT_PRESENT_MASK));
-                rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte);
-                if (is_writable_pte(*spte)) {
-                        mmu_spte_update(spte, *spte & ~PT_WRITABLE_MASK);
-                        write_protected = 1;
+        u64 *sptep;
+        struct rmap_iterator iter;
+        int write_protected = 0;
+
+        for (sptep = rmap_get_first(*rmapp, &iter); sptep;) {
+                BUG_ON(!(*sptep & PT_PRESENT_MASK));
+                rmap_printk("rmap_write_protect: spte %p %llx\n", sptep, *sptep);
+
+                if (!is_writable_pte(*sptep)) {
+                        sptep = rmap_get_next(&iter);
+                        continue;
                 }
-                spte = rmap_next(rmapp, spte);
-        }
 
-        /* check for huge page mappings */
-        for (i = PT_DIRECTORY_LEVEL;
-             i < PT_PAGE_TABLE_LEVEL + KVM_NR_PAGE_SIZES; ++i) {
-                rmapp = __gfn_to_rmap(gfn, i, slot);
-                spte = rmap_next(rmapp, NULL);
-                while (spte) {
-                        BUG_ON(!(*spte & PT_PRESENT_MASK));
-                        BUG_ON(!is_large_pte(*spte));
-                        pgprintk("rmap_write_protect(large): spte %p %llx %lld\n", spte, *spte, gfn);
-                        if (is_writable_pte(*spte)) {
-                                drop_spte(kvm, spte);
-                                --kvm->stat.lpages;
-                                spte = NULL;
-                                write_protected = 1;
-                        }
-                        spte = rmap_next(rmapp, spte);
+                if (level == PT_PAGE_TABLE_LEVEL) {
+                        mmu_spte_update(sptep, *sptep & ~PT_WRITABLE_MASK);
+                        sptep = rmap_get_next(&iter);
+                } else {
+                        BUG_ON(!is_large_pte(*sptep));
+                        drop_spte(kvm, sptep);
+                        --kvm->stat.lpages;
+                        sptep = rmap_get_first(*rmapp, &iter);
                 }
+
+                write_protected = 1;
         }
 
         return write_protected;
 }
 
+/**
+ * kvm_mmu_write_protect_pt_masked - write protect selected PT level pages
+ * @kvm: kvm instance
+ * @slot: slot to protect
+ * @gfn_offset: start of the BITS_PER_LONG pages we care about
+ * @mask: indicates which pages we should protect
+ *
+ * Used when we do not need to care about huge page mappings: e.g. during dirty
+ * logging we do not have any such mappings.
+ */
+void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
+                                     struct kvm_memory_slot *slot,
+                                     gfn_t gfn_offset, unsigned long mask)
+{
+        unsigned long *rmapp;
+
+        while (mask) {
+                rmapp = &slot->rmap[gfn_offset + __ffs(mask)];
+                __rmap_write_protect(kvm, rmapp, PT_PAGE_TABLE_LEVEL);
+
+                /* clear the first set bit */
+                mask &= mask - 1;
+        }
+}
+
 static int rmap_write_protect(struct kvm *kvm, u64 gfn)
 {
         struct kvm_memory_slot *slot;
+        unsigned long *rmapp;
+        int i;
+        int write_protected = 0;
 
         slot = gfn_to_memslot(kvm, gfn);
-        return kvm_mmu_rmap_write_protect(kvm, gfn, slot);
+
+        for (i = PT_PAGE_TABLE_LEVEL;
+             i < PT_PAGE_TABLE_LEVEL + KVM_NR_PAGE_SIZES; ++i) {
+                rmapp = __gfn_to_rmap(gfn, i, slot);
+                write_protected |= __rmap_write_protect(kvm, rmapp, i);
+        }
+
+        return write_protected;
 }
 
 static int kvm_unmap_rmapp(struct kvm *kvm, unsigned long *rmapp,
                            unsigned long data)
 {
-        u64 *spte;
+        u64 *sptep;
+        struct rmap_iterator iter;
         int need_tlb_flush = 0;
 
-        while ((spte = rmap_next(rmapp, NULL))) {
-                BUG_ON(!(*spte & PT_PRESENT_MASK));
-                rmap_printk("kvm_rmap_unmap_hva: spte %p %llx\n", spte, *spte);
-                drop_spte(kvm, spte);
+        while ((sptep = rmap_get_first(*rmapp, &iter))) {
+                BUG_ON(!(*sptep & PT_PRESENT_MASK));
+                rmap_printk("kvm_rmap_unmap_hva: spte %p %llx\n", sptep, *sptep);
+
+                drop_spte(kvm, sptep);
                 need_tlb_flush = 1;
         }
+
         return need_tlb_flush;
 }
 
 static int kvm_set_pte_rmapp(struct kvm *kvm, unsigned long *rmapp,
                              unsigned long data)
 {
+        u64 *sptep;
+        struct rmap_iterator iter;
         int need_flush = 0;
-        u64 *spte, new_spte;
+        u64 new_spte;
         pte_t *ptep = (pte_t *)data;
         pfn_t new_pfn;
 
         WARN_ON(pte_huge(*ptep));
         new_pfn = pte_pfn(*ptep);
-        spte = rmap_next(rmapp, NULL);
-        while (spte) {
-                BUG_ON(!is_shadow_present_pte(*spte));
-                rmap_printk("kvm_set_pte_rmapp: spte %p %llx\n", spte, *spte);
+
+        for (sptep = rmap_get_first(*rmapp, &iter); sptep;) {
+                BUG_ON(!is_shadow_present_pte(*sptep));
+                rmap_printk("kvm_set_pte_rmapp: spte %p %llx\n", sptep, *sptep);
+
                 need_flush = 1;
+
                 if (pte_write(*ptep)) {
-                        drop_spte(kvm, spte);
-                        spte = rmap_next(rmapp, NULL);
+                        drop_spte(kvm, sptep);
+                        sptep = rmap_get_first(*rmapp, &iter);
                 } else {
-                        new_spte = *spte &~ (PT64_BASE_ADDR_MASK);
+                        new_spte = *sptep & ~PT64_BASE_ADDR_MASK;
                         new_spte |= (u64)new_pfn << PAGE_SHIFT;
 
                         new_spte &= ~PT_WRITABLE_MASK;
                         new_spte &= ~SPTE_HOST_WRITEABLE;
                         new_spte &= ~shadow_accessed_mask;
-                        mmu_spte_clear_track_bits(spte);
-                        mmu_spte_set(spte, new_spte);
-                        spte = rmap_next(rmapp, spte);
+
+                        mmu_spte_clear_track_bits(sptep);
+                        mmu_spte_set(sptep, new_spte);
+                        sptep = rmap_get_next(&iter);
                 }
         }
+
         if (need_flush)
                 kvm_flush_remote_tlbs(kvm);
 
@@ -1162,7 +1237,8 @@ void kvm_set_spte_hva(struct kvm *kvm, unsigned long hva, pte_t pte)
 static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp,
                          unsigned long data)
 {
-        u64 *spte;
+        u64 *sptep;
+        struct rmap_iterator iter;
         int young = 0;
 
         /*
@@ -1175,25 +1251,24 @@ static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp,
         if (!shadow_accessed_mask)
                 return kvm_unmap_rmapp(kvm, rmapp, data);
 
-        spte = rmap_next(rmapp, NULL);
-        while (spte) {
-                int _young;
-                u64 _spte = *spte;
-                BUG_ON(!(_spte & PT_PRESENT_MASK));
-                _young = _spte & PT_ACCESSED_MASK;
-                if (_young) {
+        for (sptep = rmap_get_first(*rmapp, &iter); sptep;
+             sptep = rmap_get_next(&iter)) {
+                BUG_ON(!(*sptep & PT_PRESENT_MASK));
+
+                if (*sptep & PT_ACCESSED_MASK) {
                         young = 1;
-                        clear_bit(PT_ACCESSED_SHIFT, (unsigned long *)spte);
+                        clear_bit(PT_ACCESSED_SHIFT, (unsigned long *)sptep);
                 }
-                spte = rmap_next(rmapp, spte);
         }
+
         return young;
 }
 
 static int kvm_test_age_rmapp(struct kvm *kvm, unsigned long *rmapp,
                               unsigned long data)
 {
-        u64 *spte;
+        u64 *sptep;
+        struct rmap_iterator iter;
         int young = 0;
 
         /*
@@ -1204,16 +1279,14 @@ static int kvm_test_age_rmapp(struct kvm *kvm, unsigned long *rmapp,
         if (!shadow_accessed_mask)
                 goto out;
 
-        spte = rmap_next(rmapp, NULL);
-        while (spte) {
-                u64 _spte = *spte;
-                BUG_ON(!(_spte & PT_PRESENT_MASK));
-                young = _spte & PT_ACCESSED_MASK;
-                if (young) {
+        for (sptep = rmap_get_first(*rmapp, &iter); sptep;
+             sptep = rmap_get_next(&iter)) {
+                BUG_ON(!(*sptep & PT_PRESENT_MASK));
+
+                if (*sptep & PT_ACCESSED_MASK) {
                         young = 1;
                         break;
                 }
-                spte = rmap_next(rmapp, spte);
         }
 out:
         return young;
@@ -1865,10 +1938,11 @@ static void kvm_mmu_put_page(struct kvm_mmu_page *sp, u64 *parent_pte)
 
 static void kvm_mmu_unlink_parents(struct kvm *kvm, struct kvm_mmu_page *sp)
 {
-        u64 *parent_pte;
+        u64 *sptep;
+        struct rmap_iterator iter;
 
-        while ((parent_pte = pte_list_next(&sp->parent_ptes, NULL)))
-                drop_parent_pte(sp, parent_pte);
+        while ((sptep = rmap_get_first(sp->parent_ptes, &iter)))
+                drop_parent_pte(sp, sptep);
 }
 
 static int mmu_zap_unsync_children(struct kvm *kvm,
@@ -1925,30 +1999,6 @@ static int kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
         return ret;
 }
 
-static void kvm_mmu_isolate_pages(struct list_head *invalid_list)
-{
-        struct kvm_mmu_page *sp;
-
-        list_for_each_entry(sp, invalid_list, link)
-                kvm_mmu_isolate_page(sp);
-}
-
-static void free_pages_rcu(struct rcu_head *head)
-{
-        struct kvm_mmu_page *next, *sp;
-
-        sp = container_of(head, struct kvm_mmu_page, rcu);
-        while (sp) {
-                if (!list_empty(&sp->link))
-                        next = list_first_entry(&sp->link,
-                                      struct kvm_mmu_page, link);
-                else
-                        next = NULL;
-                kvm_mmu_free_page(sp);
-                sp = next;
-        }
-}
-
 static void kvm_mmu_commit_zap_page(struct kvm *kvm,
                                     struct list_head *invalid_list)
 {
@@ -1957,17 +2007,17 @@ static void kvm_mmu_commit_zap_page(struct kvm *kvm,
         if (list_empty(invalid_list))
                 return;
 
-        kvm_flush_remote_tlbs(kvm);
-
-        if (atomic_read(&kvm->arch.reader_counter)) {
-                kvm_mmu_isolate_pages(invalid_list);
-                sp = list_first_entry(invalid_list, struct kvm_mmu_page, link);
-                list_del_init(invalid_list);
+        /*
+         * wmb: make sure everyone sees our modifications to the page tables
+         * rmb: make sure we see changes to vcpu->mode
+         */
+        smp_mb();
 
-                trace_kvm_mmu_delay_free_pages(sp);
-                call_rcu(&sp->rcu, free_pages_rcu);
-                return;
-        }
+        /*
+         * Wait for all vcpus to exit guest mode and/or lockless shadow
+         * page table walks.
+         */
+        kvm_flush_remote_tlbs(kvm);
 
         do {
                 sp = list_first_entry(invalid_list, struct kvm_mmu_page, link);
@@ -1975,7 +2025,6 @@ static void kvm_mmu_commit_zap_page(struct kvm *kvm,
                 kvm_mmu_isolate_page(sp);
                 kvm_mmu_free_page(sp);
         } while (!list_empty(invalid_list));
-
 }
 
 /*
@@ -3554,7 +3603,7 @@ static bool detect_write_flooding(struct kvm_mmu_page *sp)
          * Skip write-flooding detected for the sp whose level is 1, because
          * it can become unsync, then the guest page is not write-protected.
          */
-        if (sp->role.level == 1)
+        if (sp->role.level == PT_PAGE_TABLE_LEVEL)
                 return false;
 
         return ++sp->write_flooding_count >= 3;
diff --git a/arch/x86/kvm/mmu_audit.c b/arch/x86/kvm/mmu_audit.c
index 715da5a19a5b..7d7d0b9e23eb 100644
--- a/arch/x86/kvm/mmu_audit.c
+++ b/arch/x86/kvm/mmu_audit.c
@@ -192,7 +192,8 @@ static void audit_write_protection(struct kvm *kvm, struct kvm_mmu_page *sp)
 {
         struct kvm_memory_slot *slot;
         unsigned long *rmapp;
-        u64 *spte;
+        u64 *sptep;
+        struct rmap_iterator iter;
 
         if (sp->role.direct || sp->unsync || sp->role.invalid)
                 return;
@@ -200,13 +201,12 @@ static void audit_write_protection(struct kvm *kvm, struct kvm_mmu_page *sp)
         slot = gfn_to_memslot(kvm, sp->gfn);
         rmapp = &slot->rmap[sp->gfn - slot->base_gfn];
 
-        spte = rmap_next(rmapp, NULL);
-        while (spte) {
-                if (is_writable_pte(*spte))
+        for (sptep = rmap_get_first(*rmapp, &iter); sptep;
+             sptep = rmap_get_next(&iter)) {
+                if (is_writable_pte(*sptep))
                         audit_printk(kvm, "shadow page has writable "
                                      "mappings: gfn %llx role %x\n",
                                      sp->gfn, sp->role.word);
-                spte = rmap_next(rmapp, spte);
         }
 }
 
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index df5a70311be8..34f970937ef1 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -658,7 +658,7 @@ static gpa_t FNAME(get_level1_sp_gpa)(struct kvm_mmu_page *sp)
 {
         int offset = 0;
 
-        WARN_ON(sp->role.level != 1);
+        WARN_ON(sp->role.level != PT_PAGE_TABLE_LEVEL);
 
         if (PTTYPE == 32)
                 offset = sp->role.quadrant << PT64_LEVEL_BITS;
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index e334389e1c75..f75af406b268 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -22,6 +22,7 @@
 #include "x86.h"
 
 #include <linux/module.h>
+#include <linux/mod_devicetable.h>
 #include <linux/kernel.h>
 #include <linux/vmalloc.h>
 #include <linux/highmem.h>
@@ -42,6 +43,12 @@
 MODULE_AUTHOR("Qumranet");
 MODULE_LICENSE("GPL");
 
+static const struct x86_cpu_id svm_cpu_id[] = {
+        X86_FEATURE_MATCH(X86_FEATURE_SVM),
+        {}
+};
+MODULE_DEVICE_TABLE(x86cpu, svm_cpu_id);
+
 #define IOPM_ALLOC_ORDER 2
 #define MSRPM_ALLOC_ORDER 1
 
@@ -3240,6 +3247,7 @@ static int interrupt_window_interception(struct vcpu_svm *svm)
         svm_clear_vintr(svm);
         svm->vmcb->control.int_ctl &= ~V_IRQ_MASK;
         mark_dirty(svm->vmcb, VMCB_INTR);
+        ++svm->vcpu.stat.irq_window_exits;
         /*
          * If the user space waits to inject interrupts, exit as soon as
          * possible
@@ -3247,7 +3255,6 @@ static int interrupt_window_interception(struct vcpu_svm *svm)
         if (!irqchip_in_kernel(svm->vcpu.kvm) &&
             kvm_run->request_interrupt_window &&
             !kvm_cpu_has_interrupt(&svm->vcpu)) {
-                ++svm->vcpu.stat.irq_window_exits;
                 kvm_run->exit_reason = KVM_EXIT_IRQ_WINDOW_OPEN;
                 return 0;
         }
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 4ff0ab9bc3c8..32eb58866292 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -27,6 +27,7 @@
 #include <linux/highmem.h>
 #include <linux/sched.h>
 #include <linux/moduleparam.h>
+#include <linux/mod_devicetable.h>
 #include <linux/ftrace_event.h>
 #include <linux/slab.h>
 #include <linux/tboot.h>
@@ -51,6 +52,12 @@
 MODULE_AUTHOR("Qumranet");
 MODULE_LICENSE("GPL");
 
+static const struct x86_cpu_id vmx_cpu_id[] = {
+        X86_FEATURE_MATCH(X86_FEATURE_VMX),
+        {}
+};
+MODULE_DEVICE_TABLE(x86cpu, vmx_cpu_id);
+
 static bool __read_mostly enable_vpid = 1;
 module_param_named(vpid, enable_vpid, bool, 0444);
 
@@ -386,6 +393,9 @@ struct vcpu_vmx {
         struct {
                 int           loaded;
                 u16           fs_sel, gs_sel, ldt_sel;
+#ifdef CONFIG_X86_64
+                u16           ds_sel, es_sel;
+#endif
                 int           gs_ldt_reload_needed;
                 int           fs_reload_needed;
         } host_state;
@@ -1411,6 +1421,11 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
         }
 
 #ifdef CONFIG_X86_64
+        savesegment(ds, vmx->host_state.ds_sel);
+        savesegment(es, vmx->host_state.es_sel);
+#endif
+
+#ifdef CONFIG_X86_64
         vmcs_writel(HOST_FS_BASE, read_msr(MSR_FS_BASE));
         vmcs_writel(HOST_GS_BASE, read_msr(MSR_GS_BASE));
 #else
@@ -1450,6 +1465,19 @@ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
         }
         if (vmx->host_state.fs_reload_needed)
                 loadsegment(fs, vmx->host_state.fs_sel);
+#ifdef CONFIG_X86_64
+        if (unlikely(vmx->host_state.ds_sel | vmx->host_state.es_sel)) {
+                loadsegment(ds, vmx->host_state.ds_sel);
+                loadsegment(es, vmx->host_state.es_sel);
+        }
+#else
+        /*
+         * The sysexit path does not restore ds/es, so we must set them to
+         * a reasonable value ourselves.
+         */
+        loadsegment(ds, __USER_DS);
+        loadsegment(es, __USER_DS);
+#endif
         reload_tss();
 #ifdef CONFIG_X86_64
         wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
@@ -3633,8 +3661,18 @@ static void vmx_set_constant_host_state(void)
         vmcs_writel(HOST_CR3, read_cr3());  /* 22.2.3  FIXME: shadow tables */
 
         vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS);  /* 22.2.4 */
+#ifdef CONFIG_X86_64
+        /*
+         * Load null selectors, so we can avoid reloading them in
+         * __vmx_load_host_state(), in case userspace uses the null selectors
+         * too (the expected case).
+         */
+        vmcs_write16(HOST_DS_SELECTOR, 0);
+        vmcs_write16(HOST_ES_SELECTOR, 0);
+#else
         vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS);  /* 22.2.4 */
         vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS);  /* 22.2.4 */
+#endif
         vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS);  /* 22.2.4 */
         vmcs_write16(HOST_TR_SELECTOR, GDT_ENTRY_TSS*8);  /* 22.2.4 */
 
@@ -6256,7 +6294,6 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
                 }
         }
 
-        asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
         vmx->loaded_vmcs->launched = 1;
 
         vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
@@ -6343,7 +6380,7 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
         return &vmx->vcpu;
 
 free_vmcs:
-        free_vmcs(vmx->loaded_vmcs->vmcs);
+        free_loaded_vmcs(vmx->loaded_vmcs);
 free_msrs:
         kfree(vmx->guest_msrs);
 uninit_vcpu:
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 185a2b823a2d..be6d54929fa7 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2147,6 +2147,7 @@ int kvm_dev_ioctl_check_extension(long ext)
         case KVM_CAP_ASYNC_PF:
         case KVM_CAP_GET_TSC_KHZ:
         case KVM_CAP_PCI_2_3:
+        case KVM_CAP_KVMCLOCK_CTRL:
                 r = 1;
                 break;
         case KVM_CAP_COALESCED_MMIO:
@@ -2597,6 +2598,23 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu,
         return r;
 }
 
+/*
+ * kvm_set_guest_paused() indicates to the guest kernel that it has been
+ * stopped by the hypervisor.  This function will be called from the host only.
+ * EINVAL is returned when the host attempts to set the flag for a guest that
+ * does not support pv clocks.
+ */
+static int kvm_set_guest_paused(struct kvm_vcpu *vcpu)
+{
+        struct pvclock_vcpu_time_info *src = &vcpu->arch.hv_clock;
+        if (!vcpu->arch.time_page)
+                return -EINVAL;
+        src->flags |= PVCLOCK_GUEST_STOPPED;
+        mark_page_dirty(vcpu->kvm, vcpu->arch.time >> PAGE_SHIFT);
+        kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
+        return 0;
+}
+
 long kvm_arch_vcpu_ioctl(struct file *filp,
                          unsigned int ioctl, unsigned long arg)
 {
@@ -2873,6 +2891,10 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
                 r = vcpu->arch.virtual_tsc_khz;
                 goto out;
         }
+        case KVM_KVMCLOCK_CTRL: {
+                r = kvm_set_guest_paused(vcpu);
+                goto out;
+        }
         default:
                 r = -EINVAL;
         }
@@ -3045,57 +3067,32 @@ static int kvm_vm_ioctl_reinject(struct kvm *kvm,
 }
 
 /**
- * write_protect_slot - write protect a slot for dirty logging
- * @kvm: the kvm instance
- * @memslot: the slot we protect
- * @dirty_bitmap: the bitmap indicating which pages are dirty
- * @nr_dirty_pages: the number of dirty pages
+ * kvm_vm_ioctl_get_dirty_log - get and clear the log of dirty pages in a slot
+ * @kvm: kvm instance
+ * @log: slot id and address to which we copy the log
  *
- * We have two ways to find all sptes to protect:
- * 1. Use kvm_mmu_slot_remove_write_access() which walks all shadow pages and
- *    checks ones that have a spte mapping a page in the slot.
- * 2. Use kvm_mmu_rmap_write_protect() for each gfn found in the bitmap.
+ * We need to keep it in mind that VCPU threads can write to the bitmap
+ * concurrently.  So, to avoid losing data, we keep the following order for
+ * each bit:
  *
- * Generally speaking, if there are not so many dirty pages compared to the
- * number of shadow pages, we should use the latter.
+ *   1. Take a snapshot of the bit and clear it if needed.
+ *   2. Write protect the corresponding page.
+ *   3. Flush TLB's if needed.
+ *   4. Copy the snapshot to the userspace.
  *
- * Note that letting others write into a page marked dirty in the old bitmap
- * by using the remaining tlb entry is not a problem.  That page will become
- * write protected again when we flush the tlb and then be reported dirty to
- * the user space by copying the old bitmap.
- */
-static void write_protect_slot(struct kvm *kvm,
-                               struct kvm_memory_slot *memslot,
-                               unsigned long *dirty_bitmap,
-                               unsigned long nr_dirty_pages)
-{
-        spin_lock(&kvm->mmu_lock);
-
-        /* Not many dirty pages compared to # of shadow pages. */
-        if (nr_dirty_pages < kvm->arch.n_used_mmu_pages) {
-                unsigned long gfn_offset;
-
-                for_each_set_bit(gfn_offset, dirty_bitmap, memslot->npages) {
-                        unsigned long gfn = memslot->base_gfn + gfn_offset;
-
-                        kvm_mmu_rmap_write_protect(kvm, gfn, memslot);
-                }
-                kvm_flush_remote_tlbs(kvm);
-        } else
-                kvm_mmu_slot_remove_write_access(kvm, memslot->id);
-
-        spin_unlock(&kvm->mmu_lock);
-}
-
-/*
- * Get (and clear) the dirty memory log for a memory slot.
+ * Between 2 and 3, the guest may write to the page using the remaining TLB
+ * entry.  This is not a problem because the page will be reported dirty at
+ * step 4 using the snapshot taken before and step 3 ensures that successive
+ * writes will be logged for the next call.
  */
-int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,
-                                      struct kvm_dirty_log *log)
+int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm, struct kvm_dirty_log *log)
 {
         int r;
         struct kvm_memory_slot *memslot;
-        unsigned long n, nr_dirty_pages;
+        unsigned long n, i;
+        unsigned long *dirty_bitmap;
+        unsigned long *dirty_bitmap_buffer;
+        bool is_dirty = false;
 
         mutex_lock(&kvm->slots_lock);
 
@@ -3104,49 +3101,42 @@ int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,
                 goto out;
 
         memslot = id_to_memslot(kvm->memslots, log->slot);
+
+        dirty_bitmap = memslot->dirty_bitmap;
         r = -ENOENT;
-        if (!memslot->dirty_bitmap)
+        if (!dirty_bitmap)
                 goto out;
 
         n = kvm_dirty_bitmap_bytes(memslot);
-        nr_dirty_pages = memslot->nr_dirty_pages;
 
-        /* If nothing is dirty, don't bother messing with page tables. */
-        if (nr_dirty_pages) {
-                struct kvm_memslots *slots, *old_slots;
-                unsigned long *dirty_bitmap, *dirty_bitmap_head;
+        dirty_bitmap_buffer = dirty_bitmap + n / sizeof(long);
+        memset(dirty_bitmap_buffer, 0, n);
 
-                dirty_bitmap = memslot->dirty_bitmap;
-                dirty_bitmap_head = memslot->dirty_bitmap_head;
-                if (dirty_bitmap == dirty_bitmap_head)
-                        dirty_bitmap_head += n / sizeof(long);
-                memset(dirty_bitmap_head, 0, n);
+        spin_lock(&kvm->mmu_lock);
 
-                r = -ENOMEM;
-                slots = kmemdup(kvm->memslots, sizeof(*kvm->memslots), GFP_KERNEL);
-                if (!slots)
-                        goto out;
+        for (i = 0; i < n / sizeof(long); i++) {
+                unsigned long mask;
+                gfn_t offset;
 
-                memslot = id_to_memslot(slots, log->slot);
-                memslot->nr_dirty_pages = 0;
-                memslot->dirty_bitmap = dirty_bitmap_head;
-                update_memslots(slots, NULL);
+                if (!dirty_bitmap[i])
+                        continue;
 
-                old_slots = kvm->memslots;
-                rcu_assign_pointer(kvm->memslots, slots);
-                synchronize_srcu_expedited(&kvm->srcu);
-                kfree(old_slots);
+                is_dirty = true;
 
-                write_protect_slot(kvm, memslot, dirty_bitmap, nr_dirty_pages);
+                mask = xchg(&dirty_bitmap[i], 0);
+                dirty_bitmap_buffer[i] = mask;
 
-                r = -EFAULT;
-                if (copy_to_user(log->dirty_bitmap, dirty_bitmap, n))
-                        goto out;
-        } else {
-                r = -EFAULT;
-                if (clear_user(log->dirty_bitmap, n))
-                        goto out;
+                offset = i * BITS_PER_LONG;
+                kvm_mmu_write_protect_pt_masked(kvm, memslot, offset, mask);
         }
+        if (is_dirty)
+                kvm_flush_remote_tlbs(kvm);
+
+        spin_unlock(&kvm->mmu_lock);
+
+        r = -EFAULT;
+        if (copy_to_user(log->dirty_bitmap, dirty_bitmap_buffer, n))
+                goto out;
 
         r = 0;
 out:
@@ -3728,9 +3718,8 @@ struct read_write_emulator_ops {
 static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
 {
         if (vcpu->mmio_read_completed) {
-                memcpy(val, vcpu->mmio_data, bytes);
                 trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
-                               vcpu->mmio_phys_addr, *(u64 *)val);
+                               vcpu->mmio_fragments[0].gpa, *(u64 *)val);
                 vcpu->mmio_read_completed = 0;
                 return 1;
         }
@@ -3766,8 +3755,9 @@ static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
 static int write_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
                            void *val, int bytes)
 {
-        memcpy(vcpu->mmio_data, val, bytes);
-        memcpy(vcpu->run->mmio.data, vcpu->mmio_data, 8);
+        struct kvm_mmio_fragment *frag = &vcpu->mmio_fragments[0];
+
+        memcpy(vcpu->run->mmio.data, frag->data, frag->len);
         return X86EMUL_CONTINUE;
 }
 
@@ -3794,10 +3784,7 @@ static int emulator_read_write_onepage(unsigned long addr, void *val,
         gpa_t gpa;
         int handled, ret;
         bool write = ops->write;
-
-        if (ops->read_write_prepare &&
-                  ops->read_write_prepare(vcpu, val, bytes))
-                return X86EMUL_CONTINUE;
+        struct kvm_mmio_fragment *frag;
 
         ret = vcpu_mmio_gva_to_gpa(vcpu, addr, &gpa, exception, write);
 
@@ -3823,15 +3810,19 @@ mmio:
         bytes -= handled;
         val += handled;
 
-        vcpu->mmio_needed = 1;
-        vcpu->run->exit_reason = KVM_EXIT_MMIO;
-        vcpu->run->mmio.phys_addr = vcpu->mmio_phys_addr = gpa;
-        vcpu->mmio_size = bytes;
-        vcpu->run->mmio.len = min(vcpu->mmio_size, 8);
-        vcpu->run->mmio.is_write = vcpu->mmio_is_write = write;
-        vcpu->mmio_index = 0;
+        while (bytes) {
+                unsigned now = min(bytes, 8U);
 
-        return ops->read_write_exit_mmio(vcpu, gpa, val, bytes);
+                frag = &vcpu->mmio_fragments[vcpu->mmio_nr_fragments++];
+                frag->gpa = gpa;
+                frag->data = val;
+                frag->len = now;
+
+                gpa += now;
+                val += now;
+                bytes -= now;
+        }
+        return X86EMUL_CONTINUE;
 }
 
 int emulator_read_write(struct x86_emulate_ctxt *ctxt, unsigned long addr,
@@ -3840,10 +3831,18 @@ int emulator_read_write(struct x86_emulate_ctxt *ctxt, unsigned long addr,
                         struct read_write_emulator_ops *ops)
 {
         struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+        gpa_t gpa;
+        int rc;
+
+        if (ops->read_write_prepare &&
+                  ops->read_write_prepare(vcpu, val, bytes))
+                return X86EMUL_CONTINUE;
+
+        vcpu->mmio_nr_fragments = 0;
 
         /* Crossing a page boundary? */
         if (((addr + bytes - 1) ^ addr) & PAGE_MASK) {
-                int rc, now;
+                int now;
 
                 now = -addr & ~PAGE_MASK;
                 rc = emulator_read_write_onepage(addr, val, now, exception,
@@ -3856,8 +3855,25 @@ int emulator_read_write(struct x86_emulate_ctxt *ctxt, unsigned long addr,
                 bytes -= now;
         }
 
-        return emulator_read_write_onepage(addr, val, bytes, exception,
-                                           vcpu, ops);
+        rc = emulator_read_write_onepage(addr, val, bytes, exception,
+                                         vcpu, ops);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+
+        if (!vcpu->mmio_nr_fragments)
+                return rc;
+
+        gpa = vcpu->mmio_fragments[0].gpa;
+
+        vcpu->mmio_needed = 1;
+        vcpu->mmio_cur_fragment = 0;
+
+        vcpu->run->mmio.len = vcpu->mmio_fragments[0].len;
+        vcpu->run->mmio.is_write = vcpu->mmio_is_write = ops->write;
+        vcpu->run->exit_reason = KVM_EXIT_MMIO;
+        vcpu->run->mmio.phys_addr = gpa;
+
+        return ops->read_write_exit_mmio(vcpu, gpa, val, bytes);
 }
 
 static int emulator_read_emulated(struct x86_emulate_ctxt *ctxt,
@@ -5263,10 +5279,6 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
                         kvm_deliver_pmi(vcpu);
         }
 
-        r = kvm_mmu_reload(vcpu);
-        if (unlikely(r))
-                goto out;
-
         if (kvm_check_request(KVM_REQ_EVENT, vcpu) || req_int_win) {
                 inject_pending_event(vcpu);
 
@@ -5282,6 +5294,12 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
                 }
         }
 
+        r = kvm_mmu_reload(vcpu);
+        if (unlikely(r)) {
+                kvm_x86_ops->cancel_injection(vcpu);
+                goto out;
+        }
+
         preempt_disable();
 
         kvm_x86_ops->prepare_guest_switch(vcpu);
@@ -5456,33 +5474,55 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
         return r;
 }
 
+/*
+ * Implements the following, as a state machine:
+ *
+ * read:
+ *   for each fragment
+ *     write gpa, len
+ *     exit
+ *     copy data
+ *   execute insn
+ *
+ * write:
+ *   for each fragment
+ *      write gpa, len
+ *      copy data
+ *      exit
+ */
 static int complete_mmio(struct kvm_vcpu *vcpu)
 {
         struct kvm_run *run = vcpu->run;
+        struct kvm_mmio_fragment *frag;
         int r;
 
         if (!(vcpu->arch.pio.count || vcpu->mmio_needed))
                 return 1;
 
         if (vcpu->mmio_needed) {
-                vcpu->mmio_needed = 0;
+                /* Complete previous fragment */
+                frag = &vcpu->mmio_fragments[vcpu->mmio_cur_fragment++];
                 if (!vcpu->mmio_is_write)
-                        memcpy(vcpu->mmio_data + vcpu->mmio_index,
-                               run->mmio.data, 8);
-                vcpu->mmio_index += 8;
-                if (vcpu->mmio_index < vcpu->mmio_size) {
-                        run->exit_reason = KVM_EXIT_MMIO;
-                        run->mmio.phys_addr = vcpu->mmio_phys_addr + vcpu->mmio_index;
-                        memcpy(run->mmio.data, vcpu->mmio_data + vcpu->mmio_index, 8);
-                        run->mmio.len = min(vcpu->mmio_size - vcpu->mmio_index, 8);
-                        run->mmio.is_write = vcpu->mmio_is_write;
-                        vcpu->mmio_needed = 1;
-                        return 0;
+                        memcpy(frag->data, run->mmio.data, frag->len);
+                if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) {
+                        vcpu->mmio_needed = 0;
+                        if (vcpu->mmio_is_write)
+                                return 1;
+                        vcpu->mmio_read_completed = 1;
+                        goto done;
                 }
+                /* Initiate next fragment */
+                ++frag;
+                run->exit_reason = KVM_EXIT_MMIO;
+                run->mmio.phys_addr = frag->gpa;
                 if (vcpu->mmio_is_write)
-                        return 1;
-                vcpu->mmio_read_completed = 1;
+                        memcpy(run->mmio.data, frag->data, frag->len);
+                run->mmio.len = frag->len;
+                run->mmio.is_write = vcpu->mmio_is_write;
+                return 0;
+
         }
+done:
         vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
         r = emulate_instruction(vcpu, EMULTYPE_NO_DECODE);
         srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
@@ -6399,21 +6439,9 @@ int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
                  kvm_cpu_has_interrupt(vcpu));
 }
 
-void kvm_vcpu_kick(struct kvm_vcpu *vcpu)
+int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu)
 {
-        int me;
-        int cpu = vcpu->cpu;
-
-        if (waitqueue_active(&vcpu->wq)) {
-                wake_up_interruptible(&vcpu->wq);
-                ++vcpu->stat.halt_wakeup;
-        }
-
-        me = get_cpu();
-        if (cpu != me && (unsigned)cpu < nr_cpu_ids && cpu_online(cpu))
-                if (kvm_vcpu_exiting_guest_mode(vcpu) == IN_GUEST_MODE)
-                        smp_send_reschedule(cpu);
-        put_cpu();
+        return kvm_vcpu_exiting_guest_mode(vcpu) == IN_GUEST_MODE;
 }
 
 int kvm_arch_interrupt_allowed(struct kvm_vcpu *vcpu)
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index cb80c293cdd8..3d1134ddb885 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -64,7 +64,7 @@ static inline int is_pse(struct kvm_vcpu *vcpu)
 
 static inline int is_paging(struct kvm_vcpu *vcpu)
 {
-        return kvm_read_cr0_bits(vcpu, X86_CR0_PG);
+        return likely(kvm_read_cr0_bits(vcpu, X86_CR0_PG));
 }
 
 static inline u32 bit(int bitno)