21 files changed, 218 insertions, 98 deletions

diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 602f57e590b5..d1b7c377a234 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -250,8 +250,8 @@ archclean:
 PHONY += kvmconfig
 kvmconfig:
         $(if $(wildcard $(objtree)/.config),, $(error You need an existing .config for this target))
-        $(Q)$(CONFIG_SHELL) $(srctree)/scripts/kconfig/merge_config.sh -m -O $(objtree) $(objtree)/.config arch/x86/configs/kvm_guest.config
-        $(Q)yes "" | $(MAKE) oldconfig
+        $(Q)$(CONFIG_SHELL) $(srctree)/scripts/kconfig/merge_config.sh -m -O $(objtree) $(objtree)/.config $(srctree)/arch/x86/configs/kvm_guest.config
+        $(Q)yes "" | $(MAKE) -f $(srctree)/Makefile oldconfig
 
 define archhelp
   echo  '* bzImage      - Compressed kernel image (arch/x86/boot/bzImage)'
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index fcaf9c961265..7de069afb382 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -60,7 +60,7 @@
                           | X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE     \
                           | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_PCIDE \
                           | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \
-                          | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE))
+                          | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE | X86_CR4_SMAP))
 
 #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR)
 
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
index eeee23ff75ef..68317c80de7f 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -598,7 +598,6 @@ void machine_check_poll(enum mcp_flags flags, mce_banks_t *b)
 {
         struct mce m;
         int i;
-        unsigned long *v;
 
         this_cpu_inc(mce_poll_count);
 
@@ -618,8 +617,7 @@ void machine_check_poll(enum mcp_flags flags, mce_banks_t *b)
                 if (!(m.status & MCI_STATUS_VAL))
                         continue;
 
-                v = &get_cpu_var(mce_polled_error);
-                set_bit(0, v);
+                this_cpu_write(mce_polled_error, 1);
                 /*
                  * Uncorrected or signalled events are handled by the exception
                  * handler when it is enabled, so don't process those here.
diff --git a/arch/x86/kernel/cpu/mcheck/mce_intel.c b/arch/x86/kernel/cpu/mcheck/mce_intel.c
index 3bdb95ae8c43..9a316b21df8b 100644
--- a/arch/x86/kernel/cpu/mcheck/mce_intel.c
+++ b/arch/x86/kernel/cpu/mcheck/mce_intel.c
@@ -42,7 +42,7 @@ static DEFINE_PER_CPU(mce_banks_t, mce_banks_owned);
  * cmci_discover_lock protects against parallel discovery attempts
  * which could race against each other.
  */
-static DEFINE_RAW_SPINLOCK(cmci_discover_lock);
+static DEFINE_SPINLOCK(cmci_discover_lock);
 
 #define CMCI_THRESHOLD          1
 #define CMCI_POLL_INTERVAL      (30 * HZ)
@@ -144,14 +144,14 @@ static void cmci_storm_disable_banks(void)
         int bank;
         u64 val;
 
-        raw_spin_lock_irqsave(&cmci_discover_lock, flags);
+        spin_lock_irqsave(&cmci_discover_lock, flags);
         owned = __get_cpu_var(mce_banks_owned);
         for_each_set_bit(bank, owned, MAX_NR_BANKS) {
                 rdmsrl(MSR_IA32_MCx_CTL2(bank), val);
                 val &= ~MCI_CTL2_CMCI_EN;
                 wrmsrl(MSR_IA32_MCx_CTL2(bank), val);
         }
-        raw_spin_unlock_irqrestore(&cmci_discover_lock, flags);
+        spin_unlock_irqrestore(&cmci_discover_lock, flags);
 }
 
 static bool cmci_storm_detect(void)
@@ -211,7 +211,7 @@ static void cmci_discover(int banks)
         int i;
         int bios_wrong_thresh = 0;
 
-        raw_spin_lock_irqsave(&cmci_discover_lock, flags);
+        spin_lock_irqsave(&cmci_discover_lock, flags);
         for (i = 0; i < banks; i++) {
                 u64 val;
                 int bios_zero_thresh = 0;
@@ -266,7 +266,7 @@ static void cmci_discover(int banks)
                         WARN_ON(!test_bit(i, __get_cpu_var(mce_poll_banks)));
                 }
         }
-        raw_spin_unlock_irqrestore(&cmci_discover_lock, flags);
+        spin_unlock_irqrestore(&cmci_discover_lock, flags);
         if (mca_cfg.bios_cmci_threshold && bios_wrong_thresh) {
                 pr_info_once(
                         "bios_cmci_threshold: Some banks do not have valid thresholds set\n");
@@ -316,10 +316,10 @@ void cmci_clear(void)
 
         if (!cmci_supported(&banks))
                 return;
-        raw_spin_lock_irqsave(&cmci_discover_lock, flags);
+        spin_lock_irqsave(&cmci_discover_lock, flags);
         for (i = 0; i < banks; i++)
                 __cmci_disable_bank(i);
-        raw_spin_unlock_irqrestore(&cmci_discover_lock, flags);
+        spin_unlock_irqrestore(&cmci_discover_lock, flags);
 }
 
 static void cmci_rediscover_work_func(void *arg)
@@ -360,9 +360,9 @@ void cmci_disable_bank(int bank)
         if (!cmci_supported(&banks))
                 return;
 
-        raw_spin_lock_irqsave(&cmci_discover_lock, flags);
+        spin_lock_irqsave(&cmci_discover_lock, flags);
         __cmci_disable_bank(bank);
-        raw_spin_unlock_irqrestore(&cmci_discover_lock, flags);
+        spin_unlock_irqrestore(&cmci_discover_lock, flags);
 }
 
 static void intel_init_cmci(void)
diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
index 059218ed5208..7c87424d4140 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
@@ -59,7 +59,7 @@
 #define INTEL_RAPL_PKG          0x2     /* pseudo-encoding */
 #define RAPL_IDX_RAM_NRG_STAT   2       /* DRAM */
 #define INTEL_RAPL_RAM          0x3     /* pseudo-encoding */
-#define RAPL_IDX_PP1_NRG_STAT   3       /* DRAM */
+#define RAPL_IDX_PP1_NRG_STAT   3       /* gpu */
 #define INTEL_RAPL_PP1          0x4     /* pseudo-encoding */
 
 /* Clients have PP0, PKG */
@@ -72,6 +72,12 @@
                          1<<RAPL_IDX_PKG_NRG_STAT|\
                          1<<RAPL_IDX_RAM_NRG_STAT)
 
+/* Servers have PP0, PKG, RAM, PP1 */
+#define RAPL_IDX_HSW    (1<<RAPL_IDX_PP0_NRG_STAT|\
+                         1<<RAPL_IDX_PKG_NRG_STAT|\
+                         1<<RAPL_IDX_RAM_NRG_STAT|\
+                         1<<RAPL_IDX_PP1_NRG_STAT)
+
 /*
  * event code: LSB 8 bits, passed in attr->config
  * any other bit is reserved
@@ -425,6 +431,24 @@ static struct attribute *rapl_events_cln_attr[] = {
         NULL,
 };
 
+static struct attribute *rapl_events_hsw_attr[] = {
+        EVENT_PTR(rapl_cores),
+        EVENT_PTR(rapl_pkg),
+        EVENT_PTR(rapl_gpu),
+        EVENT_PTR(rapl_ram),
+
+        EVENT_PTR(rapl_cores_unit),
+        EVENT_PTR(rapl_pkg_unit),
+        EVENT_PTR(rapl_gpu_unit),
+        EVENT_PTR(rapl_ram_unit),
+
+        EVENT_PTR(rapl_cores_scale),
+        EVENT_PTR(rapl_pkg_scale),
+        EVENT_PTR(rapl_gpu_scale),
+        EVENT_PTR(rapl_ram_scale),
+        NULL,
+};
+
 static struct attribute_group rapl_pmu_events_group = {
         .name = "events",
         .attrs = NULL, /* patched at runtime */
@@ -511,6 +535,7 @@ static int rapl_cpu_prepare(int cpu)
         struct rapl_pmu *pmu = per_cpu(rapl_pmu, cpu);
         int phys_id = topology_physical_package_id(cpu);
         u64 ms;
+        u64 msr_rapl_power_unit_bits;
 
         if (pmu)
                 return 0;
@@ -518,6 +543,9 @@ static int rapl_cpu_prepare(int cpu)
         if (phys_id < 0)
                 return -1;
 
+        if (!rdmsrl_safe(MSR_RAPL_POWER_UNIT, &msr_rapl_power_unit_bits))
+                return -1;
+
         pmu = kzalloc_node(sizeof(*pmu), GFP_KERNEL, cpu_to_node(cpu));
         if (!pmu)
                 return -1;
@@ -531,8 +559,7 @@ static int rapl_cpu_prepare(int cpu)
          *
          * we cache in local PMU instance
          */
-        rdmsrl(MSR_RAPL_POWER_UNIT, pmu->hw_unit);
-        pmu->hw_unit = (pmu->hw_unit >> 8) & 0x1FULL;
+        pmu->hw_unit = (msr_rapl_power_unit_bits >> 8) & 0x1FULL;
         pmu->pmu = &rapl_pmu_class;
 
         /*
@@ -631,11 +658,14 @@ static int __init rapl_pmu_init(void)
         switch (boot_cpu_data.x86_model) {
         case 42: /* Sandy Bridge */
         case 58: /* Ivy Bridge */
-        case 60: /* Haswell */
-        case 69: /* Haswell-Celeron */
                 rapl_cntr_mask = RAPL_IDX_CLN;
                 rapl_pmu_events_group.attrs = rapl_events_cln_attr;
                 break;
+        case 60: /* Haswell */
+        case 69: /* Haswell-Celeron */
+                rapl_cntr_mask = RAPL_IDX_HSW;
+                rapl_pmu_events_group.attrs = rapl_events_hsw_attr;
+                break;
         case 45: /* Sandy Bridge-EP */
         case 62: /* IvyTown */
                 rapl_cntr_mask = RAPL_IDX_SRV;
@@ -650,7 +680,9 @@ static int __init rapl_pmu_init(void)
         cpu_notifier_register_begin();
 
         for_each_online_cpu(cpu) {
-                rapl_cpu_prepare(cpu);
+                ret = rapl_cpu_prepare(cpu);
+                if (ret)
+                        goto out;
                 rapl_cpu_init(cpu);
         }
 
@@ -673,6 +705,7 @@ static int __init rapl_pmu_init(void)
                 hweight32(rapl_cntr_mask),
                 ktime_to_ms(pmu->timer_interval));
 
+out:
         cpu_notifier_register_done();
 
         return 0;
diff --git a/arch/x86/kernel/early-quirks.c b/arch/x86/kernel/early-quirks.c
index b0cc3809723d..6e2537c32190 100644
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -240,7 +240,7 @@ static u32 __init intel_stolen_base(int num, int slot, int func, size_t stolen_s
         return base;
 }
 
-#define KB(x)   ((x) * 1024)
+#define KB(x)   ((x) * 1024UL)
 #define MB(x)   (KB (KB (x)))
 #define GB(x)   (MB (KB (x)))
 
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 79a3f9682871..61b17dc2c277 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -897,9 +897,10 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
         struct kprobe *cur = kprobe_running();
         struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
 
-        switch (kcb->kprobe_status) {
-        case KPROBE_HIT_SS:
-        case KPROBE_REENTER:
+        if (unlikely(regs->ip == (unsigned long)cur->ainsn.insn)) {
+                /* This must happen on single-stepping */
+                WARN_ON(kcb->kprobe_status != KPROBE_HIT_SS &&
+                        kcb->kprobe_status != KPROBE_REENTER);
                 /*
                  * We are here because the instruction being single
                  * stepped caused a page fault. We reset the current
@@ -914,9 +915,8 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
                 else
                         reset_current_kprobe();
                 preempt_enable_no_resched();
-                break;
-        case KPROBE_HIT_ACTIVE:
-        case KPROBE_HIT_SSDONE:
+        } else if (kcb->kprobe_status == KPROBE_HIT_ACTIVE ||
+                   kcb->kprobe_status == KPROBE_HIT_SSDONE) {
                 /*
                  * We increment the nmissed count for accounting,
                  * we can also use npre/npostfault count for accounting
@@ -945,10 +945,8 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, int trapnr)
                  * fixup routine could not handle it,
                  * Let do_page_fault() fix it.
                  */
-                break;
-        default:
-                break;
         }
+
         return 0;
 }
 
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
index 654b46574b91..3399d3a99730 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -114,8 +114,8 @@ EXPORT_SYMBOL(machine_real_restart);
  */
 static int __init set_pci_reboot(const struct dmi_system_id *d)
 {
-        if (reboot_type != BOOT_CF9) {
-                reboot_type = BOOT_CF9;
+        if (reboot_type != BOOT_CF9_FORCE) {
+                reboot_type = BOOT_CF9_FORCE;
                 pr_info("%s series board detected. Selecting %s-method for reboots.\n",
                         d->ident, "PCI");
         }
@@ -458,20 +458,23 @@ void __attribute__((weak)) mach_reboot_fixups(void)
 }
 
 /*
- * Windows compatible x86 hardware expects the following on reboot:
+ * To the best of our knowledge Windows compatible x86 hardware expects
+ * the following on reboot:
  *
  * 1) If the FADT has the ACPI reboot register flag set, try it
  * 2) If still alive, write to the keyboard controller
  * 3) If still alive, write to the ACPI reboot register again
  * 4) If still alive, write to the keyboard controller again
  * 5) If still alive, call the EFI runtime service to reboot
- * 6) If still alive, write to the PCI IO port 0xCF9 to reboot
- * 7) If still alive, inform BIOS to do a proper reboot
+ * 6) If no EFI runtime service, call the BIOS to do a reboot
  *
- * If the machine is still alive at this stage, it gives up. We default to
- * following the same pattern, except that if we're still alive after (7) we'll
- * try to force a triple fault and then cycle between hitting the keyboard
- * controller and doing that
+ * We default to following the same pattern. We also have
+ * two other reboot methods: 'triple fault' and 'PCI', which
+ * can be triggered via the reboot= kernel boot option or
+ * via quirks.
+ *
+ * This means that this function can never return, it can misbehave
+ * by not rebooting properly and hanging.
  */
 static void native_machine_emergency_restart(void)
 {
@@ -492,6 +495,11 @@ static void native_machine_emergency_restart(void)
         for (;;) {
                 /* Could also try the reset bit in the Hammer NB */
                 switch (reboot_type) {
+                case BOOT_ACPI:
+                        acpi_reboot();
+                        reboot_type = BOOT_KBD;
+                        break;
+
                 case BOOT_KBD:
                         mach_reboot_fixups(); /* For board specific fixups */
 
@@ -509,43 +517,29 @@ static void native_machine_emergency_restart(void)
                         }
                         break;
 
-                case BOOT_TRIPLE:
-                        load_idt(&no_idt);
-                        __asm__ __volatile__("int3");
-
-                        /* We're probably dead after this, but... */
-                        reboot_type = BOOT_KBD;
-                        break;
-
-                case BOOT_BIOS:
-                        machine_real_restart(MRR_BIOS);
-
-                        /* We're probably dead after this, but... */
-                        reboot_type = BOOT_TRIPLE;
-                        break;
-
-                case BOOT_ACPI:
-                        acpi_reboot();
-                        reboot_type = BOOT_KBD;
-                        break;
-
                 case BOOT_EFI:
                         if (efi_enabled(EFI_RUNTIME_SERVICES))
                                 efi.reset_system(reboot_mode == REBOOT_WARM ?
                                                  EFI_RESET_WARM :
                                                  EFI_RESET_COLD,
                                                  EFI_SUCCESS, 0, NULL);
-                        reboot_type = BOOT_CF9_COND;
+                        reboot_type = BOOT_BIOS;
+                        break;
+
+                case BOOT_BIOS:
+                        machine_real_restart(MRR_BIOS);
+
+                        /* We're probably dead after this, but... */
+                        reboot_type = BOOT_CF9_SAFE;
                         break;
 
-                case BOOT_CF9:
+                case BOOT_CF9_FORCE:
                         port_cf9_safe = true;
                         /* Fall through */
 
-                case BOOT_CF9_COND:
+                case BOOT_CF9_SAFE:
                         if (port_cf9_safe) {
-                                u8 reboot_code = reboot_mode == REBOOT_WARM ?
-                                        0x06 : 0x0E;
+                                u8 reboot_code = reboot_mode == REBOOT_WARM ?  0x06 : 0x0E;
                                 u8 cf9 = inb(0xcf9) & ~reboot_code;
                                 outb(cf9|2, 0xcf9); /* Request hard reset */
                                 udelay(50);
@@ -553,7 +547,15 @@ static void native_machine_emergency_restart(void)
                                 outb(cf9|reboot_code, 0xcf9);
                                 udelay(50);
                         }
-                        reboot_type = BOOT_BIOS;
+                        reboot_type = BOOT_TRIPLE;
+                        break;
+
+                case BOOT_TRIPLE:
+                        load_idt(&no_idt);
+                        __asm__ __volatile__("int3");
+
+                        /* We're probably dead after this, but... */
+                        reboot_type = BOOT_KBD;
                         break;
                 }
         }
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index bea60671ef8a..f47a104a749c 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -308,7 +308,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
         const u32 kvm_supported_word9_x86_features =
                 F(FSGSBASE) | F(BMI1) | F(HLE) | F(AVX2) | F(SMEP) |
                 F(BMI2) | F(ERMS) | f_invpcid | F(RTM) | f_mpx | F(RDSEED) |
-                F(ADX);
+                F(ADX) | F(SMAP);
 
         /* all calls to cpuid_count() should be made on the same cpu */
         get_cpu();
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
index a2a1bb7ed8c1..eeecbed26ac7 100644
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -48,6 +48,14 @@ static inline bool guest_cpuid_has_smep(struct kvm_vcpu *vcpu)
         return best && (best->ebx & bit(X86_FEATURE_SMEP));
 }
 
+static inline bool guest_cpuid_has_smap(struct kvm_vcpu *vcpu)
+{
+        struct kvm_cpuid_entry2 *best;
+
+        best = kvm_find_cpuid_entry(vcpu, 7, 0);
+        return best && (best->ebx & bit(X86_FEATURE_SMAP));
+}
+
 static inline bool guest_cpuid_has_fsgsbase(struct kvm_vcpu *vcpu)
 {
         struct kvm_cpuid_entry2 *best;
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index f5704d9e5ddc..813d31038b93 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3601,20 +3601,27 @@ static void reset_rsvds_bits_mask_ept(struct kvm_vcpu *vcpu,
         }
 }
 
-static void update_permission_bitmask(struct kvm_vcpu *vcpu,
+void update_permission_bitmask(struct kvm_vcpu *vcpu,
                 struct kvm_mmu *mmu, bool ept)
 {
         unsigned bit, byte, pfec;
         u8 map;
-        bool fault, x, w, u, wf, uf, ff, smep;
+        bool fault, x, w, u, wf, uf, ff, smapf, cr4_smap, cr4_smep, smap = 0;
 
-        smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP);
+        cr4_smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP);
+        cr4_smap = kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
         for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) {
                 pfec = byte << 1;
                 map = 0;
                 wf = pfec & PFERR_WRITE_MASK;
                 uf = pfec & PFERR_USER_MASK;
                 ff = pfec & PFERR_FETCH_MASK;
+                /*
+                 * PFERR_RSVD_MASK bit is set in PFEC if the access is not
+                 * subject to SMAP restrictions, and cleared otherwise. The
+                 * bit is only meaningful if the SMAP bit is set in CR4.
+                 */
+                smapf = !(pfec & PFERR_RSVD_MASK);
                 for (bit = 0; bit < 8; ++bit) {
                         x = bit & ACC_EXEC_MASK;
                         w = bit & ACC_WRITE_MASK;
@@ -3626,12 +3633,33 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
                                 /* Allow supervisor writes if !cr0.wp */
                                 w |= !is_write_protection(vcpu) && !uf;
                                 /* Disallow supervisor fetches of user code if cr4.smep */
-                                x &= !(smep && u && !uf);
+                                x &= !(cr4_smep && u && !uf);
+
+                                /*
+                                 * SMAP:kernel-mode data accesses from user-mode
+                                 * mappings should fault. A fault is considered
+                                 * as a SMAP violation if all of the following
+                                 * conditions are ture:
+                                 *   - X86_CR4_SMAP is set in CR4
+                                 *   - An user page is accessed
+                                 *   - Page fault in kernel mode
+                                 *   - if CPL = 3 or X86_EFLAGS_AC is clear
+                                 *
+                                 *   Here, we cover the first three conditions.
+                                 *   The fourth is computed dynamically in
+                                 *   permission_fault() and is in smapf.
+                                 *
+                                 *   Also, SMAP does not affect instruction
+                                 *   fetches, add the !ff check here to make it
+                                 *   clearer.
+                                 */
+                                smap = cr4_smap && u && !uf && !ff;
                         } else
                                 /* Not really needed: no U/S accesses on ept  */
                                 u = 1;
 
-                        fault = (ff && !x) || (uf && !u) || (wf && !w);
+                        fault = (ff && !x) || (uf && !u) || (wf && !w) ||
+                                (smapf && smap);
                         map |= fault << bit;
                 }
                 mmu->permissions[byte] = map;
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index 292615274358..3842e70bdb7c 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -44,11 +44,17 @@
 #define PT_DIRECTORY_LEVEL 2
 #define PT_PAGE_TABLE_LEVEL 1
 
-#define PFERR_PRESENT_MASK (1U << 0)
-#define PFERR_WRITE_MASK (1U << 1)
-#define PFERR_USER_MASK (1U << 2)
-#define PFERR_RSVD_MASK (1U << 3)
-#define PFERR_FETCH_MASK (1U << 4)
+#define PFERR_PRESENT_BIT 0
+#define PFERR_WRITE_BIT 1
+#define PFERR_USER_BIT 2
+#define PFERR_RSVD_BIT 3
+#define PFERR_FETCH_BIT 4
+
+#define PFERR_PRESENT_MASK (1U << PFERR_PRESENT_BIT)
+#define PFERR_WRITE_MASK (1U << PFERR_WRITE_BIT)
+#define PFERR_USER_MASK (1U << PFERR_USER_BIT)
+#define PFERR_RSVD_MASK (1U << PFERR_RSVD_BIT)
+#define PFERR_FETCH_MASK (1U << PFERR_FETCH_BIT)
 
 int kvm_mmu_get_spte_hierarchy(struct kvm_vcpu *vcpu, u64 addr, u64 sptes[4]);
 void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask);
@@ -73,6 +79,8 @@ int handle_mmio_page_fault_common(struct kvm_vcpu *vcpu, u64 addr, bool direct);
 void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context);
 void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
                 bool execonly);
+void update_permission_bitmask(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
+                bool ept);
 
 static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
 {
@@ -110,10 +118,30 @@ static inline bool is_write_protection(struct kvm_vcpu *vcpu)
  * Will a fault with a given page-fault error code (pfec) cause a permission
  * fault with the given access (in ACC_* format)?
  */
-static inline bool permission_fault(struct kvm_mmu *mmu, unsigned pte_access,
-                                    unsigned pfec)
+static inline bool permission_fault(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
+                                    unsigned pte_access, unsigned pfec)
 {
-        return (mmu->permissions[pfec >> 1] >> pte_access) & 1;
+        int cpl = kvm_x86_ops->get_cpl(vcpu);
+        unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
+
+        /*
+         * If CPL < 3, SMAP prevention are disabled if EFLAGS.AC = 1.
+         *
+         * If CPL = 3, SMAP applies to all supervisor-mode data accesses
+         * (these are implicit supervisor accesses) regardless of the value
+         * of EFLAGS.AC.
+         *
+         * This computes (cpl < 3) && (rflags & X86_EFLAGS_AC), leaving
+         * the result in X86_EFLAGS_AC. We then insert it in place of
+         * the PFERR_RSVD_MASK bit; this bit will always be zero in pfec,
+         * but it will be one in index if SMAP checks are being overridden.
+         * It is important to keep this branchless.
+         */
+        unsigned long smap = (cpl - 3) & (rflags & X86_EFLAGS_AC);
+        int index = (pfec >> 1) +
+                    (smap >> (X86_EFLAGS_AC_BIT - PFERR_RSVD_BIT + 1));
+
+        return (mmu->permissions[index] >> pte_access) & 1;
 }
 
 void kvm_mmu_invalidate_zap_all_pages(struct kvm *kvm);
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index b1e6c1bf68d3..123efd3ec29f 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -353,7 +353,7 @@ retry_walk:
                 walker->ptes[walker->level - 1] = pte;
         } while (!is_last_gpte(mmu, walker->level, pte));
 
-        if (unlikely(permission_fault(mmu, pte_access, access))) {
+        if (unlikely(permission_fault(vcpu, mmu, pte_access, access))) {
                 errcode |= PFERR_PRESENT_MASK;
                 goto error;
         }
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1320e0f8e611..1f68c5831924 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3484,13 +3484,14 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
                         hw_cr4 &= ~X86_CR4_PAE;
                         hw_cr4 |= X86_CR4_PSE;
                         /*
-                         * SMEP is disabled if CPU is in non-paging mode in
-                         * hardware. However KVM always uses paging mode to
+                         * SMEP/SMAP is disabled if CPU is in non-paging mode
+                         * in hardware. However KVM always uses paging mode to
                          * emulate guest non-paging mode with TDP.
-                         * To emulate this behavior, SMEP needs to be manually
-                         * disabled when guest switches to non-paging mode.
+                         * To emulate this behavior, SMEP/SMAP needs to be
+                         * manually disabled when guest switches to non-paging
+                         * mode.
                          */
-                        hw_cr4 &= ~X86_CR4_SMEP;
+                        hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP);
                 } else if (!(cr4 & X86_CR4_PAE)) {
                         hw_cr4 &= ~X86_CR4_PAE;
                 }
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 9d1b5cd4d34c..8b8fc0b792ba 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -652,6 +652,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
         if (!guest_cpuid_has_smep(vcpu) && (cr4 & X86_CR4_SMEP))
                 return 1;
 
+        if (!guest_cpuid_has_smap(vcpu) && (cr4 & X86_CR4_SMAP))
+                return 1;
+
         if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_FSGSBASE))
                 return 1;
 
@@ -680,6 +683,9 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
             (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE)))
                 kvm_mmu_reset_context(vcpu);
 
+        if ((cr4 ^ old_cr4) & X86_CR4_SMAP)
+                update_permission_bitmask(vcpu, vcpu->arch.walk_mmu, false);
+
         if ((cr4 ^ old_cr4) & X86_CR4_OSXSAVE)
                 kvm_update_cpuid(vcpu);
 
@@ -1117,7 +1123,6 @@ static inline u64 get_kernel_ns(void)
 {
         struct timespec ts;
 
-        WARN_ON(preemptible());
         ktime_get_ts(&ts);
         monotonic_to_bootbased(&ts);
         return timespec_to_ns(&ts);
@@ -4164,7 +4169,8 @@ static int vcpu_mmio_gva_to_gpa(struct kvm_vcpu *vcpu, unsigned long gva,
                 | (write ? PFERR_WRITE_MASK : 0);
 
         if (vcpu_match_mmio_gva(vcpu, gva)
-            && !permission_fault(vcpu->arch.walk_mmu, vcpu->arch.access, access)) {
+            && !permission_fault(vcpu, vcpu->arch.walk_mmu,
+                                 vcpu->arch.access, access)) {
                 *gpa = vcpu->arch.mmio_gfn << PAGE_SHIFT |
                                         (gva & (PAGE_SIZE - 1));
                 trace_vcpu_match_mmio(gva, *gpa, write, false);
diff --git a/arch/x86/syscalls/Makefile b/arch/x86/syscalls/Makefile
index f325af26107c..3323c2745248 100644
--- a/arch/x86/syscalls/Makefile
+++ b/arch/x86/syscalls/Makefile
@@ -54,5 +54,7 @@ syshdr-$(CONFIG_X86_64)		+= syscalls_64.h
 
 targets += $(uapisyshdr-y) $(syshdr-y)
 
+PHONY += all
 all: $(addprefix $(uapi)/,$(uapisyshdr-y))
 all: $(addprefix $(out)/,$(syshdr-y))
+        @:
diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl
index 96bc506ac6de..d6b867921612 100644
--- a/arch/x86/syscalls/syscall_32.tbl
+++ b/arch/x86/syscalls/syscall_32.tbl
@@ -359,3 +359,4 @@
 350     i386    finit_module            sys_finit_module
 351     i386    sched_setattr           sys_sched_setattr
 352     i386    sched_getattr           sys_sched_getattr
+353     i386    renameat2               sys_renameat2
diff --git a/arch/x86/tools/Makefile b/arch/x86/tools/Makefile
index e8120346903b..604a37efd4d5 100644
--- a/arch/x86/tools/Makefile
+++ b/arch/x86/tools/Makefile
@@ -40,4 +40,6 @@ $(obj)/insn_sanity.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/ina
 HOST_EXTRACFLAGS += -I$(srctree)/tools/include
 hostprogs-y     += relocs
 relocs-objs     := relocs_32.o relocs_64.o relocs_common.o
+PHONY += relocs
 relocs: $(obj)/relocs
+        @:
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index a18eadd8bb40..7005974c3ff3 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -441,10 +441,11 @@ static int xen_cpu_up(unsigned int cpu, struct task_struct *idle)
         irq_ctx_init(cpu);
 #else
         clear_tsk_thread_flag(idle, TIF_FORK);
+#endif
         per_cpu(kernel_stack, cpu) =
                 (unsigned long)task_stack_page(idle) -
                 KERNEL_STACK_OFFSET + THREAD_SIZE;
-#endif
+
         xen_setup_runstate_info(cpu);
         xen_setup_timer(cpu);
         xen_init_lock_cpu(cpu);
diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
index 4d3acc34a998..0ba5f3b967f0 100644
--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -274,7 +274,7 @@ void __init xen_init_spinlocks(void)
                 printk(KERN_DEBUG "xen: PV spinlocks disabled\n");
                 return;
         }
-
+        printk(KERN_DEBUG "xen: PV spinlocks enabled\n");
         pv_lock_ops.lock_spinning = PV_CALLEE_SAVE(xen_lock_spinning);
         pv_lock_ops.unlock_kick = xen_unlock_kick;
 }
@@ -290,6 +290,9 @@ static __init int xen_init_spinlocks_jump(void)
         if (!xen_pvspin)
                 return 0;
 
+        if (!xen_domain())
+                return 0;
+
         static_key_slow_inc(&paravirt_ticketlocks_enabled);
         return 0;
 }
diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
index 33ca6e42a4ca..fd92a64d748e 100644
--- a/arch/x86/xen/xen-asm_32.S
+++ b/arch/x86/xen/xen-asm_32.S
@@ -75,6 +75,17 @@ ENDPROC(xen_sysexit)
  * stack state in whatever form its in, we keep things simple by only
  * using a single register which is pushed/popped on the stack.
  */
+
+.macro POP_FS
+1:
+        popw %fs
+.pushsection .fixup, "ax"
+2:      movw $0, (%esp)
+        jmp 1b
+.popsection
+        _ASM_EXTABLE(1b,2b)
+.endm
+
 ENTRY(xen_iret)
         /* test eflags for special cases */
         testl $(X86_EFLAGS_VM | XEN_EFLAGS_NMI), 8(%esp)
@@ -83,15 +94,13 @@ ENTRY(xen_iret)
         push %eax
         ESP_OFFSET=4    # bytes pushed onto stack
 
-        /*
-         * Store vcpu_info pointer for easy access.  Do it this way to
-         * avoid having to reload %fs
-         */
+        /* Store vcpu_info pointer for easy access */
 #ifdef CONFIG_SMP
-        GET_THREAD_INFO(%eax)
-        movl %ss:TI_cpu(%eax), %eax
-        movl %ss:__per_cpu_offset(,%eax,4), %eax
-        mov %ss:xen_vcpu(%eax), %eax
+        pushw %fs
+        movl $(__KERNEL_PERCPU), %eax
+        movl %eax, %fs
+        movl %fs:xen_vcpu, %eax
+        POP_FS
 #else
         movl %ss:xen_vcpu, %eax
 #endif