10 files changed, 210 insertions, 53 deletions

diff --git a/arch/x86/kernel/cpu/cpufreq/Kconfig b/arch/x86/kernel/cpu/cpufreq/Kconfig
index cb7a5715596d..efae3b22a0ff 100644
--- a/arch/x86/kernel/cpu/cpufreq/Kconfig
+++ b/arch/x86/kernel/cpu/cpufreq/Kconfig
@@ -235,9 +235,9 @@ config X86_LONGHAUL
           If in doubt, say N.
 
 config X86_E_POWERSAVER
-        tristate "VIA C7 Enhanced PowerSaver (EXPERIMENTAL)"
+        tristate "VIA C7 Enhanced PowerSaver"
         select CPU_FREQ_TABLE
-        depends on X86_32 && EXPERIMENTAL
+        depends on X86_32
         help
           This adds the CPUFreq driver for VIA C7 processors.
 
diff --git a/arch/x86/kernel/cpu/cpufreq/elanfreq.c b/arch/x86/kernel/cpu/cpufreq/elanfreq.c
index 94619c22f563..e4a4bf870e94 100644
--- a/arch/x86/kernel/cpu/cpufreq/elanfreq.c
+++ b/arch/x86/kernel/cpu/cpufreq/elanfreq.c
@@ -44,7 +44,7 @@ struct s_elan_multiplier {
  * It is important that the frequencies
  * are listed in ascending order here!
  */
-struct s_elan_multiplier elan_multiplier[] = {
+static struct s_elan_multiplier elan_multiplier[] = {
         {1000,  0x02,   0x18},
         {2000,  0x02,   0x10},
         {4000,  0x02,   0x08},
diff --git a/arch/x86/kernel/cpu/cpufreq/powernow-k8.c b/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
index c45ca6d4dce1..4e7271999a74 100644
--- a/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
+++ b/arch/x86/kernel/cpu/cpufreq/powernow-k8.c
@@ -66,7 +66,6 @@ static u32 find_freq_from_fid(u32 fid)
         return 800 + (fid * 100);
 }
 
-
 /* Return a frequency in KHz, given an input fid */
 static u32 find_khz_freq_from_fid(u32 fid)
 {
@@ -78,7 +77,6 @@ static u32 find_khz_freq_from_pstate(struct cpufreq_frequency_table *data, u32 p
         return data[pstate].frequency;
 }
 
-
 /* Return the vco fid for an input fid
  *
  * Each "low" fid has corresponding "high" fid, and you can get to "low" fids
@@ -166,7 +164,6 @@ static void fidvid_msr_init(void)
         wrmsr(MSR_FIDVID_CTL, lo, hi);
 }
 
-
 /* write the new fid value along with the other control fields to the msr */
 static int write_new_fid(struct powernow_k8_data *data, u32 fid)
 {
@@ -740,44 +737,63 @@ static int find_psb_table(struct powernow_k8_data *data)
 #ifdef CONFIG_X86_POWERNOW_K8_ACPI
 static void powernow_k8_acpi_pst_values(struct powernow_k8_data *data, unsigned int index)
 {
-        if (!data->acpi_data.state_count || (cpu_family == CPU_HW_PSTATE))
+        if (!data->acpi_data->state_count || (cpu_family == CPU_HW_PSTATE))
                 return;
 
-        data->irt = (data->acpi_data.states[index].control >> IRT_SHIFT) & IRT_MASK;
-        data->rvo = (data->acpi_data.states[index].control >> RVO_SHIFT) & RVO_MASK;
-        data->exttype = (data->acpi_data.states[index].control >> EXT_TYPE_SHIFT) & EXT_TYPE_MASK;
-        data->plllock = (data->acpi_data.states[index].control >> PLL_L_SHIFT) & PLL_L_MASK;
-        data->vidmvs = 1 << ((data->acpi_data.states[index].control >> MVS_SHIFT) & MVS_MASK);
-        data->vstable = (data->acpi_data.states[index].control >> VST_SHIFT) & VST_MASK;
+        data->irt = (data->acpi_data->states[index].control >> IRT_SHIFT) & IRT_MASK;
+        data->rvo = (data->acpi_data->states[index].control >> RVO_SHIFT) & RVO_MASK;
+        data->exttype = (data->acpi_data->states[index].control >> EXT_TYPE_SHIFT) & EXT_TYPE_MASK;
+        data->plllock = (data->acpi_data->states[index].control >> PLL_L_SHIFT) & PLL_L_MASK;
+        data->vidmvs = 1 << ((data->acpi_data->states[index].control >> MVS_SHIFT) & MVS_MASK);
+        data->vstable = (data->acpi_data->states[index].control >> VST_SHIFT) & VST_MASK;
+}
+
+
+static struct acpi_processor_performance *acpi_perf_data;
+static int preregister_valid;
+
+static int powernow_k8_cpu_preinit_acpi(void)
+{
+        acpi_perf_data = alloc_percpu(struct acpi_processor_performance);
+        if (!acpi_perf_data)
+                return -ENODEV;
+
+        if (acpi_processor_preregister_performance(acpi_perf_data))
+                return -ENODEV;
+        else
+                preregister_valid = 1;
+        return 0;
 }
 
 static int powernow_k8_cpu_init_acpi(struct powernow_k8_data *data)
 {
         struct cpufreq_frequency_table *powernow_table;
         int ret_val;
+        int cpu = 0;
 
-        if (acpi_processor_register_performance(&data->acpi_data, data->cpu)) {
+        data->acpi_data = percpu_ptr(acpi_perf_data, cpu);
+        if (acpi_processor_register_performance(data->acpi_data, data->cpu)) {
                 dprintk("register performance failed: bad ACPI data\n");
                 return -EIO;
         }
 
         /* verify the data contained in the ACPI structures */
-        if (data->acpi_data.state_count <= 1) {
+        if (data->acpi_data->state_count <= 1) {
                 dprintk("No ACPI P-States\n");
                 goto err_out;
         }
 
-        if ((data->acpi_data.control_register.space_id != ACPI_ADR_SPACE_FIXED_HARDWARE) ||
-                (data->acpi_data.status_register.space_id != ACPI_ADR_SPACE_FIXED_HARDWARE)) {
+        if ((data->acpi_data->control_register.space_id != ACPI_ADR_SPACE_FIXED_HARDWARE) ||
+                (data->acpi_data->status_register.space_id != ACPI_ADR_SPACE_FIXED_HARDWARE)) {
                 dprintk("Invalid control/status registers (%x - %x)\n",
-                        data->acpi_data.control_register.space_id,
-                        data->acpi_data.status_register.space_id);
+                        data->acpi_data->control_register.space_id,
+                        data->acpi_data->status_register.space_id);
                 goto err_out;
         }
 
         /* fill in data->powernow_table */
         powernow_table = kmalloc((sizeof(struct cpufreq_frequency_table)
-                * (data->acpi_data.state_count + 1)), GFP_KERNEL);
+                * (data->acpi_data->state_count + 1)), GFP_KERNEL);
         if (!powernow_table) {
                 dprintk("powernow_table memory alloc failure\n");
                 goto err_out;
@@ -790,12 +806,12 @@ static int powernow_k8_cpu_init_acpi(struct powernow_k8_data *data)
         if (ret_val)
                 goto err_out_mem;
 
-        powernow_table[data->acpi_data.state_count].frequency = CPUFREQ_TABLE_END;
-        powernow_table[data->acpi_data.state_count].index = 0;
+        powernow_table[data->acpi_data->state_count].frequency = CPUFREQ_TABLE_END;
+        powernow_table[data->acpi_data->state_count].index = 0;
         data->powernow_table = powernow_table;
 
         /* fill in data */
-        data->numps = data->acpi_data.state_count;
+        data->numps = data->acpi_data->state_count;
         if (first_cpu(per_cpu(cpu_core_map, data->cpu)) == data->cpu)
                 print_basics(data);
         powernow_k8_acpi_pst_values(data, 0);
@@ -803,16 +819,31 @@ static int powernow_k8_cpu_init_acpi(struct powernow_k8_data *data)
         /* notify BIOS that we exist */
         acpi_processor_notify_smm(THIS_MODULE);
 
+        /* determine affinity, from ACPI if available */
+        if (preregister_valid) {
+                if ((data->acpi_data->shared_type == CPUFREQ_SHARED_TYPE_ALL) ||
+                        (data->acpi_data->shared_type == CPUFREQ_SHARED_TYPE_ANY))
+                        data->starting_core_affinity = data->acpi_data->shared_cpu_map;
+                else
+                        data->starting_core_affinity = cpumask_of_cpu(data->cpu);
+        } else {
+        /* best guess from family if not */
+                if (cpu_family == CPU_HW_PSTATE)
+                        data->starting_core_affinity = cpumask_of_cpu(data->cpu);
+                else
+                        data->starting_core_affinity = per_cpu(cpu_core_map, data->cpu);
+        }
+
         return 0;
 
 err_out_mem:
         kfree(powernow_table);
 
 err_out:
-        acpi_processor_unregister_performance(&data->acpi_data, data->cpu);
+        acpi_processor_unregister_performance(data->acpi_data, data->cpu);
 
         /* data->acpi_data.state_count informs us at ->exit() whether ACPI was used */
-        data->acpi_data.state_count = 0;
+        data->acpi_data->state_count = 0;
 
         return -ENODEV;
 }
@@ -824,10 +855,10 @@ static int fill_powernow_table_pstate(struct powernow_k8_data *data, struct cpuf
         rdmsr(MSR_PSTATE_CUR_LIMIT, hi, lo);
         data->max_hw_pstate = (hi & HW_PSTATE_MAX_MASK) >> HW_PSTATE_MAX_SHIFT;
 
-        for (i = 0; i < data->acpi_data.state_count; i++) {
+        for (i = 0; i < data->acpi_data->state_count; i++) {
                 u32 index;
 
-                index = data->acpi_data.states[i].control & HW_PSTATE_MASK;
+                index = data->acpi_data->states[i].control & HW_PSTATE_MASK;
                 if (index > data->max_hw_pstate) {
                         printk(KERN_ERR PFX "invalid pstate %d - bad value %d.\n", i, index);
                         printk(KERN_ERR PFX "Please report to BIOS manufacturer\n");
@@ -843,7 +874,7 @@ static int fill_powernow_table_pstate(struct powernow_k8_data *data, struct cpuf
 
                 powernow_table[i].index = index;
 
-                powernow_table[i].frequency = data->acpi_data.states[i].core_frequency * 1000;
+                powernow_table[i].frequency = data->acpi_data->states[i].core_frequency * 1000;
         }
         return 0;
 }
@@ -852,16 +883,16 @@ static int fill_powernow_table_fidvid(struct powernow_k8_data *data, struct cpuf
 {
         int i;
         int cntlofreq = 0;
-        for (i = 0; i < data->acpi_data.state_count; i++) {
+        for (i = 0; i < data->acpi_data->state_count; i++) {
                 u32 fid;
                 u32 vid;
 
                 if (data->exttype) {
-                        fid = data->acpi_data.states[i].status & EXT_FID_MASK;
-                        vid = (data->acpi_data.states[i].status >> VID_SHIFT) & EXT_VID_MASK;
+                        fid = data->acpi_data->states[i].status & EXT_FID_MASK;
+                        vid = (data->acpi_data->states[i].status >> VID_SHIFT) & EXT_VID_MASK;
                 } else {
-                        fid = data->acpi_data.states[i].control & FID_MASK;
-                        vid = (data->acpi_data.states[i].control >> VID_SHIFT) & VID_MASK;
+                        fid = data->acpi_data->states[i].control & FID_MASK;
+                        vid = (data->acpi_data->states[i].control >> VID_SHIFT) & VID_MASK;
                 }
 
                 dprintk("   %d : fid 0x%x, vid 0x%x\n", i, fid, vid);
@@ -902,10 +933,10 @@ static int fill_powernow_table_fidvid(struct powernow_k8_data *data, struct cpuf
                                 cntlofreq = i;
                 }
 
-                if (powernow_table[i].frequency != (data->acpi_data.states[i].core_frequency * 1000)) {
+                if (powernow_table[i].frequency != (data->acpi_data->states[i].core_frequency * 1000)) {
                         printk(KERN_INFO PFX "invalid freq entries %u kHz vs. %u kHz\n",
                                 powernow_table[i].frequency,
-                                (unsigned int) (data->acpi_data.states[i].core_frequency * 1000));
+                                (unsigned int) (data->acpi_data->states[i].core_frequency * 1000));
                         powernow_table[i].frequency = CPUFREQ_ENTRY_INVALID;
                         continue;
                 }
@@ -915,11 +946,12 @@ static int fill_powernow_table_fidvid(struct powernow_k8_data *data, struct cpuf
 
 static void powernow_k8_cpu_exit_acpi(struct powernow_k8_data *data)
 {
-        if (data->acpi_data.state_count)
-                acpi_processor_unregister_performance(&data->acpi_data, data->cpu);
+        if (data->acpi_data->state_count)
+                acpi_processor_unregister_performance(data->acpi_data, data->cpu);
 }
 
 #else
+static int powernow_k8_cpu_preinit_acpi(void) { return -ENODEV; }
 static int powernow_k8_cpu_init_acpi(struct powernow_k8_data *data) { return -ENODEV; }
 static void powernow_k8_cpu_exit_acpi(struct powernow_k8_data *data) { return; }
 static void powernow_k8_acpi_pst_values(struct powernow_k8_data *data, unsigned int index) { return; }
@@ -1104,7 +1136,7 @@ static int powernowk8_verify(struct cpufreq_policy *pol)
 static int __cpuinit powernowk8_cpu_init(struct cpufreq_policy *pol)
 {
         struct powernow_k8_data *data;
-        cpumask_t oldmask;
+        cpumask_t oldmask = CPU_MASK_ALL;
         int rc;
 
         if (!cpu_online(pol->cpu))
@@ -1177,10 +1209,7 @@ static int __cpuinit powernowk8_cpu_init(struct cpufreq_policy *pol)
         /* run on any CPU again */
         set_cpus_allowed_ptr(current, &oldmask);
 
-        if (cpu_family == CPU_HW_PSTATE)
-                pol->cpus = cpumask_of_cpu(pol->cpu);
-        else
-                pol->cpus = per_cpu(cpu_core_map, pol->cpu);
+        pol->cpus = data->starting_core_affinity;
         data->available_cores = &(pol->cpus);
 
         /* Take a crude guess here.
@@ -1303,6 +1332,7 @@ static int __cpuinit powernowk8_init(void)
         }
 
         if (supported_cpus == num_online_cpus()) {
+                powernow_k8_cpu_preinit_acpi();
                 printk(KERN_INFO PFX "Found %d %s "
                         "processors (%d cpu cores) (" VERSION ")\n",
                         num_online_nodes(),
@@ -1319,6 +1349,10 @@ static void __exit powernowk8_exit(void)
         dprintk("exit\n");
 
         cpufreq_unregister_driver(&cpufreq_amd64_driver);
+
+#ifdef CONFIG_X86_POWERNOW_K8_ACPI
+        free_percpu(acpi_perf_data);
+#endif
 }
 
 MODULE_AUTHOR("Paul Devriendt <paul.devriendt@amd.com> and Mark Langsdorf <mark.langsdorf@amd.com>");
diff --git a/arch/x86/kernel/cpu/cpufreq/powernow-k8.h b/arch/x86/kernel/cpu/cpufreq/powernow-k8.h
index ab48cfed4d96..a62612cd4be8 100644
--- a/arch/x86/kernel/cpu/cpufreq/powernow-k8.h
+++ b/arch/x86/kernel/cpu/cpufreq/powernow-k8.h
@@ -33,12 +33,13 @@ struct powernow_k8_data {
 #ifdef CONFIG_X86_POWERNOW_K8_ACPI
         /* the acpi table needs to be kept. it's only available if ACPI was
          * used to determine valid frequency/vid/fid states */
-        struct acpi_processor_performance acpi_data;
+        struct acpi_processor_performance *acpi_data;
 #endif
         /* we need to keep track of associated cores, but let cpufreq
          * handle hotplug events - so just point at cpufreq pol->cpus
          * structure */
         cpumask_t *available_cores;
+        cpumask_t starting_core_affinity;
 };
 
 
diff --git a/arch/x86/kernel/genapic_64.c b/arch/x86/kernel/genapic_64.c
index 1fa8be5bd217..eaff0bbb1444 100644
--- a/arch/x86/kernel/genapic_64.c
+++ b/arch/x86/kernel/genapic_64.c
@@ -99,3 +99,4 @@ int is_uv_system(void)
 {
         return uv_system_type != UV_NONE;
 }
+EXPORT_SYMBOL_GPL(is_uv_system);
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 2fa231923cf7..0bfe2bd305eb 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -653,6 +653,84 @@ static void rmap_write_protect(struct kvm *kvm, u64 gfn)
         account_shadowed(kvm, gfn);
 }
 
+static int kvm_unmap_rmapp(struct kvm *kvm, unsigned long *rmapp)
+{
+        u64 *spte;
+        int need_tlb_flush = 0;
+
+        while ((spte = rmap_next(kvm, rmapp, NULL))) {
+                BUG_ON(!(*spte & PT_PRESENT_MASK));
+                rmap_printk("kvm_rmap_unmap_hva: spte %p %llx\n", spte, *spte);
+                rmap_remove(kvm, spte);
+                set_shadow_pte(spte, shadow_trap_nonpresent_pte);
+                need_tlb_flush = 1;
+        }
+        return need_tlb_flush;
+}
+
+static int kvm_handle_hva(struct kvm *kvm, unsigned long hva,
+                          int (*handler)(struct kvm *kvm, unsigned long *rmapp))
+{
+        int i;
+        int retval = 0;
+
+        /*
+         * If mmap_sem isn't taken, we can look the memslots with only
+         * the mmu_lock by skipping over the slots with userspace_addr == 0.
+         */
+        for (i = 0; i < kvm->nmemslots; i++) {
+                struct kvm_memory_slot *memslot = &kvm->memslots[i];
+                unsigned long start = memslot->userspace_addr;
+                unsigned long end;
+
+                /* mmu_lock protects userspace_addr */
+                if (!start)
+                        continue;
+
+                end = start + (memslot->npages << PAGE_SHIFT);
+                if (hva >= start && hva < end) {
+                        gfn_t gfn_offset = (hva - start) >> PAGE_SHIFT;
+                        retval |= handler(kvm, &memslot->rmap[gfn_offset]);
+                        retval |= handler(kvm,
+                                          &memslot->lpage_info[
+                                                  gfn_offset /
+                                                  KVM_PAGES_PER_HPAGE].rmap_pde);
+                }
+        }
+
+        return retval;
+}
+
+int kvm_unmap_hva(struct kvm *kvm, unsigned long hva)
+{
+        return kvm_handle_hva(kvm, hva, kvm_unmap_rmapp);
+}
+
+static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp)
+{
+        u64 *spte;
+        int young = 0;
+
+        spte = rmap_next(kvm, rmapp, NULL);
+        while (spte) {
+                int _young;
+                u64 _spte = *spte;
+                BUG_ON(!(_spte & PT_PRESENT_MASK));
+                _young = _spte & PT_ACCESSED_MASK;
+                if (_young) {
+                        young = 1;
+                        clear_bit(PT_ACCESSED_SHIFT, (unsigned long *)spte);
+                }
+                spte = rmap_next(kvm, rmapp, spte);
+        }
+        return young;
+}
+
+int kvm_age_hva(struct kvm *kvm, unsigned long hva)
+{
+        return kvm_handle_hva(kvm, hva, kvm_age_rmapp);
+}
+
 #ifdef MMU_DEBUG
 static int is_empty_shadow_page(u64 *spt)
 {
@@ -1203,6 +1281,7 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
         int r;
         int largepage = 0;
         pfn_t pfn;
+        unsigned long mmu_seq;
 
         down_read(&current->mm->mmap_sem);
         if (is_largepage_backed(vcpu, gfn & ~(KVM_PAGES_PER_HPAGE-1))) {
@@ -1210,6 +1289,8 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
                 largepage = 1;
         }
 
+        mmu_seq = vcpu->kvm->mmu_notifier_seq;
+        /* implicit mb(), we'll read before PT lock is unlocked */
         pfn = gfn_to_pfn(vcpu->kvm, gfn);
         up_read(&current->mm->mmap_sem);
 
@@ -1220,6 +1301,8 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
         }
 
         spin_lock(&vcpu->kvm->mmu_lock);
+        if (mmu_notifier_retry(vcpu, mmu_seq))
+                goto out_unlock;
         kvm_mmu_free_some_pages(vcpu);
         r = __direct_map(vcpu, v, write, largepage, gfn, pfn,
                          PT32E_ROOT_LEVEL);
@@ -1227,6 +1310,11 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
 
 
         return r;
+
+out_unlock:
+        spin_unlock(&vcpu->kvm->mmu_lock);
+        kvm_release_pfn_clean(pfn);
+        return 0;
 }
 
 
@@ -1345,6 +1433,7 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
         int r;
         int largepage = 0;
         gfn_t gfn = gpa >> PAGE_SHIFT;
+        unsigned long mmu_seq;
 
         ASSERT(vcpu);
         ASSERT(VALID_PAGE(vcpu->arch.mmu.root_hpa));
@@ -1358,6 +1447,8 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
                 gfn &= ~(KVM_PAGES_PER_HPAGE-1);
                 largepage = 1;
         }
+        mmu_seq = vcpu->kvm->mmu_notifier_seq;
+        /* implicit mb(), we'll read before PT lock is unlocked */
         pfn = gfn_to_pfn(vcpu->kvm, gfn);
         up_read(&current->mm->mmap_sem);
         if (is_error_pfn(pfn)) {
@@ -1365,12 +1456,19 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
                 return 1;
         }
         spin_lock(&vcpu->kvm->mmu_lock);
+        if (mmu_notifier_retry(vcpu, mmu_seq))
+                goto out_unlock;
         kvm_mmu_free_some_pages(vcpu);
         r = __direct_map(vcpu, gpa, error_code & PFERR_WRITE_MASK,
                          largepage, gfn, pfn, kvm_x86_ops->get_tdp_level());
         spin_unlock(&vcpu->kvm->mmu_lock);
 
         return r;
+
+out_unlock:
+        spin_unlock(&vcpu->kvm->mmu_lock);
+        kvm_release_pfn_clean(pfn);
+        return 0;
 }
 
 static void nonpaging_free(struct kvm_vcpu *vcpu)
@@ -1670,6 +1768,8 @@ static void mmu_guess_page_from_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
                 gfn &= ~(KVM_PAGES_PER_HPAGE-1);
                 vcpu->arch.update_pte.largepage = 1;
         }
+        vcpu->arch.update_pte.mmu_seq = vcpu->kvm->mmu_notifier_seq;
+        /* implicit mb(), we'll read before PT lock is unlocked */
         pfn = gfn_to_pfn(vcpu->kvm, gfn);
         up_read(&current->mm->mmap_sem);
 
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 4d918220baeb..f72ac1fa35f0 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -263,6 +263,8 @@ static void FNAME(update_pte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *page,
         pfn = vcpu->arch.update_pte.pfn;
         if (is_error_pfn(pfn))
                 return;
+        if (mmu_notifier_retry(vcpu, vcpu->arch.update_pte.mmu_seq))
+                return;
         kvm_get_pfn(pfn);
         mmu_set_spte(vcpu, spte, page->role.access, pte_access, 0, 0,
                      gpte & PT_DIRTY_MASK, NULL, largepage, gpte_to_gfn(gpte),
@@ -380,6 +382,7 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
         int r;
         pfn_t pfn;
         int largepage = 0;
+        unsigned long mmu_seq;
 
         pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
         kvm_mmu_audit(vcpu, "pre page fault");
@@ -413,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
                         largepage = 1;
                 }
         }
+        mmu_seq = vcpu->kvm->mmu_notifier_seq;
+        /* implicit mb(), we'll read before PT lock is unlocked */
         pfn = gfn_to_pfn(vcpu->kvm, walker.gfn);
         up_read(&current->mm->mmap_sem);
 
@@ -424,6 +429,8 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
         }
 
         spin_lock(&vcpu->kvm->mmu_lock);
+        if (mmu_notifier_retry(vcpu, mmu_seq))
+                goto out_unlock;
         kvm_mmu_free_some_pages(vcpu);
         shadow_pte = FNAME(fetch)(vcpu, addr, &walker, user_fault, write_fault,
                                   largepage, &write_pt, pfn);
@@ -439,6 +446,11 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
         spin_unlock(&vcpu->kvm->mmu_lock);
 
         return write_pt;
+
+out_unlock:
+        spin_unlock(&vcpu->kvm->mmu_lock);
+        kvm_release_pfn_clean(pfn);
+        return 0;
 }
 
 static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t vaddr)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 5916191420c7..0d682fc6aeb3 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -883,6 +883,7 @@ int kvm_dev_ioctl_check_extension(long ext)
         case KVM_CAP_PIT:
         case KVM_CAP_NOP_IO_DELAY:
         case KVM_CAP_MP_STATE:
+        case KVM_CAP_SYNC_MMU:
                 r = 1;
                 break;
         case KVM_CAP_COALESCED_MMIO:
@@ -1495,6 +1496,7 @@ static int kvm_vm_ioctl_set_memory_alias(struct kvm *kvm,
                 goto out;
 
         down_write(&kvm->slots_lock);
+        spin_lock(&kvm->mmu_lock);
 
         p = &kvm->arch.aliases[alias->slot];
         p->base_gfn = alias->guest_phys_addr >> PAGE_SHIFT;
@@ -1506,6 +1508,7 @@ static int kvm_vm_ioctl_set_memory_alias(struct kvm *kvm,
                         break;
         kvm->arch.naliases = n;
 
+        spin_unlock(&kvm->mmu_lock);
         kvm_mmu_zap_all(kvm);
 
         up_write(&kvm->slots_lock);
@@ -3972,16 +3975,23 @@ int kvm_arch_set_memory_region(struct kvm *kvm,
          */
         if (!user_alloc) {
                 if (npages && !old.rmap) {
+                        unsigned long userspace_addr;
+
                         down_write(&current->mm->mmap_sem);
-                        memslot->userspace_addr = do_mmap(NULL, 0,
-                                                     npages * PAGE_SIZE,
-                                                     PROT_READ | PROT_WRITE,
-                                                     MAP_SHARED | MAP_ANONYMOUS,
-                                                     0);
+                        userspace_addr = do_mmap(NULL, 0,
+                                                 npages * PAGE_SIZE,
+                                                 PROT_READ | PROT_WRITE,
+                                                 MAP_SHARED | MAP_ANONYMOUS,
+                                                 0);
                         up_write(&current->mm->mmap_sem);
 
-                        if (IS_ERR((void *)memslot->userspace_addr))
-                                return PTR_ERR((void *)memslot->userspace_addr);
+                        if (IS_ERR((void *)userspace_addr))
+                                return PTR_ERR((void *)userspace_addr);
+
+                        /* set userspace_addr atomically for kvm_hva_to_rmapp */
+                        spin_lock(&kvm->mmu_lock);
+                        memslot->userspace_addr = userspace_addr;
+                        spin_unlock(&kvm->mmu_lock);
                 } else {
                         if (!old.user_alloc && old.rmap) {
                                 int ret;
diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
index dfdf428975c0..f118c110af32 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -52,7 +52,7 @@
         jnz 100b
 102:
         .section .fixup,"ax"
-103:    addl %r8d,%edx                  /* ecx is zerorest also */
+103:    addl %ecx,%edx                  /* ecx is zerorest also */
         jmp copy_user_handle_tail
         .previous
 
diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S
index 40e0e309d27e..cb0c112386fb 100644
--- a/arch/x86/lib/copy_user_nocache_64.S
+++ b/arch/x86/lib/copy_user_nocache_64.S
@@ -32,7 +32,7 @@
         jnz 100b
 102:
         .section .fixup,"ax"
-103:    addl %r8d,%edx                  /* ecx is zerorest also */
+103:    addl %ecx,%edx                  /* ecx is zerorest also */
         jmp copy_user_handle_tail
         .previous
 
@@ -108,7 +108,6 @@ ENTRY(__copy_user_nocache)
         jmp 60f
 50:     movl %ecx,%edx
 60:     sfence
-        movl %r8d,%ecx
         jmp copy_user_handle_tail
         .previous