21 files changed, 305 insertions, 128 deletions

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index a8f749ef0fdc..d24887b645dc 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -131,6 +131,7 @@ config X86
         select HAVE_CC_STACKPROTECTOR
         select GENERIC_CPU_AUTOPROBE
         select HAVE_ARCH_AUDITSYSCALL
+        select ARCH_SUPPORTS_ATOMIC_RMW
 
 config INSTRUCTION_DECODER
         def_bool y
diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
index 84c223479e3c..7a6d43a554d7 100644
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -91,10 +91,9 @@ bs_die:
 
         .section ".bsdata", "a"
 bugger_off_msg:
-        .ascii  "Direct floppy boot is not supported. "
-        .ascii  "Use a boot loader program instead.\r\n"
+        .ascii  "Use a boot loader.\r\n"
         .ascii  "\n"
-        .ascii  "Remove disk and press any key to reboot ...\r\n"
+        .ascii  "Remove disk and press any key to reboot...\r\n"
         .byte   0
 
 #ifdef CONFIG_EFI_STUB
@@ -108,7 +107,7 @@ coff_header:
 #else
         .word   0x8664                          # x86-64
 #endif
-        .word   3                               # nr_sections
+        .word   4                               # nr_sections
         .long   0                               # TimeDateStamp
         .long   0                               # PointerToSymbolTable
         .long   1                               # NumberOfSymbols
@@ -250,6 +249,25 @@ section_table:
         .word   0                               # NumberOfLineNumbers
         .long   0x60500020                      # Characteristics (section flags)
 
+        #
+        # The offset & size fields are filled in by build.c.
+        #
+        .ascii  ".bss"
+        .byte   0
+        .byte   0
+        .byte   0
+        .byte   0
+        .long   0
+        .long   0x0
+        .long   0                               # Size of initialized data
+                                                # on disk
+        .long   0x0
+        .long   0                               # PointerToRelocations
+        .long   0                               # PointerToLineNumbers
+        .word   0                               # NumberOfRelocations
+        .word   0                               # NumberOfLineNumbers
+        .long   0xc8000080                      # Characteristics (section flags)
+
 #endif /* CONFIG_EFI_STUB */
 
         # Kernel attributes; used by setup.  This is part 1 of the
diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c
index 1a2f2121cada..a7661c430cd9 100644
--- a/arch/x86/boot/tools/build.c
+++ b/arch/x86/boot/tools/build.c
@@ -143,7 +143,7 @@ static void usage(void)
 
 #ifdef CONFIG_EFI_STUB
 
-static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
+static void update_pecoff_section_header_fields(char *section_name, u32 vma, u32 size, u32 datasz, u32 offset)
 {
         unsigned int pe_header;
         unsigned short num_sections;
@@ -164,10 +164,10 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
                         put_unaligned_le32(size, section + 0x8);
 
                         /* section header vma field */
-                        put_unaligned_le32(offset, section + 0xc);
+                        put_unaligned_le32(vma, section + 0xc);
 
                         /* section header 'size of initialised data' field */
-                        put_unaligned_le32(size, section + 0x10);
+                        put_unaligned_le32(datasz, section + 0x10);
 
                         /* section header 'file offset' field */
                         put_unaligned_le32(offset, section + 0x14);
@@ -179,6 +179,11 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
         }
 }
 
+static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
+{
+        update_pecoff_section_header_fields(section_name, offset, size, size, offset);
+}
+
 static void update_pecoff_setup_and_reloc(unsigned int size)
 {
         u32 setup_offset = 0x200;
@@ -203,9 +208,6 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
 
         pe_header = get_unaligned_le32(&buf[0x3c]);
 
-        /* Size of image */
-        put_unaligned_le32(file_sz, &buf[pe_header + 0x50]);
-
         /*
          * Size of code: Subtract the size of the first sector (512 bytes)
          * which includes the header.
@@ -220,6 +222,22 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
         update_pecoff_section_header(".text", text_start, text_sz);
 }
 
+static void update_pecoff_bss(unsigned int file_sz, unsigned int init_sz)
+{
+        unsigned int pe_header;
+        unsigned int bss_sz = init_sz - file_sz;
+
+        pe_header = get_unaligned_le32(&buf[0x3c]);
+
+        /* Size of uninitialized data */
+        put_unaligned_le32(bss_sz, &buf[pe_header + 0x24]);
+
+        /* Size of image */
+        put_unaligned_le32(init_sz, &buf[pe_header + 0x50]);
+
+        update_pecoff_section_header_fields(".bss", file_sz, bss_sz, 0, 0);
+}
+
 static int reserve_pecoff_reloc_section(int c)
 {
         /* Reserve 0x20 bytes for .reloc section */
@@ -259,6 +277,8 @@ static void efi_stub_entry_update(void)
 static inline void update_pecoff_setup_and_reloc(unsigned int size) {}
 static inline void update_pecoff_text(unsigned int text_start,
                                       unsigned int file_sz) {}
+static inline void update_pecoff_bss(unsigned int file_sz,
+                                     unsigned int init_sz) {}
 static inline void efi_stub_defaults(void) {}
 static inline void efi_stub_entry_update(void) {}
 
@@ -310,7 +330,7 @@ static void parse_zoffset(char *fname)
 
 int main(int argc, char ** argv)
 {
-        unsigned int i, sz, setup_sectors;
+        unsigned int i, sz, setup_sectors, init_sz;
         int c;
         u32 sys_size;
         struct stat sb;
@@ -376,7 +396,9 @@ int main(int argc, char ** argv)
         buf[0x1f1] = setup_sectors-1;
         put_unaligned_le32(sys_size, &buf[0x1f4]);
 
-        update_pecoff_text(setup_sectors * 512, sz + i + ((sys_size * 16) - sz));
+        update_pecoff_text(setup_sectors * 512, i + (sys_size * 16));
+        init_sz = get_unaligned_le32(&buf[0x260]);
+        update_pecoff_bss(i + (sys_size * 16), init_sz);
 
         efi_stub_entry_update();
 
diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h
index bba3cf88e624..0a8b519226b8 100644
--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
@@ -129,7 +129,7 @@ static inline notrace unsigned long arch_local_irq_save(void)
 
 #define PARAVIRT_ADJUST_EXCEPTION_FRAME /*  */
 
-#define INTERRUPT_RETURN        iretq
+#define INTERRUPT_RETURN        jmp native_iret
 #define USERGS_SYSRET64                         \
         swapgs;                                 \
         sysretq;
diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c
index f3a1f04ed4cb..584874451414 100644
--- a/arch/x86/kernel/apm_32.c
+++ b/arch/x86/kernel/apm_32.c
@@ -841,7 +841,6 @@ static int apm_do_idle(void)
         u32 eax;
         u8 ret = 0;
         int idled = 0;
-        int polling;
         int err = 0;
 
         if (!need_resched()) {
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index a80029035bf2..f9e4fdd3b877 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -370,6 +370,17 @@ static void init_intel(struct cpuinfo_x86 *c)
          */
         detect_extended_topology(c);
 
+        if (!cpu_has(c, X86_FEATURE_XTOPOLOGY)) {
+                /*
+                 * let's use the legacy cpuid vector 0x1 and 0x4 for topology
+                 * detection.
+                 */
+                c->x86_max_cores = intel_num_cpu_cores(c);
+#ifdef CONFIG_X86_32
+                detect_ht(c);
+#endif
+        }
+
         l2 = init_intel_cacheinfo(c);
         if (c->cpuid_level > 9) {
                 unsigned eax = cpuid_eax(10);
@@ -438,17 +449,6 @@ static void init_intel(struct cpuinfo_x86 *c)
                 set_cpu_cap(c, X86_FEATURE_P3);
 #endif
 
-        if (!cpu_has(c, X86_FEATURE_XTOPOLOGY)) {
-                /*
-                 * let's use the legacy cpuid vector 0x1 and 0x4 for topology
-                 * detection.
-                 */
-                c->x86_max_cores = intel_num_cpu_cores(c);
-#ifdef CONFIG_X86_32
-                detect_ht(c);
-#endif
-        }
-
         /* Work around errata */
         srat_detect_node(c);
 
diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
index a952e9c85b6f..9c8f7394c612 100644
--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
@@ -730,6 +730,18 @@ unsigned int init_intel_cacheinfo(struct cpuinfo_x86 *c)
 #endif
         }
 
+#ifdef CONFIG_X86_HT
+        /*
+         * If cpu_llc_id is not yet set, this means cpuid_level < 4 which in
+         * turns means that the only possibility is SMT (as indicated in
+         * cpuid1). Since cpuid2 doesn't specify shared caches, and we know
+         * that SMT shares all caches, we can unconditionally set cpu_llc_id to
+         * c->phys_proc_id.
+         */
+        if (per_cpu(cpu_llc_id, cpu) == BAD_APICID)
+                per_cpu(cpu_llc_id, cpu) = c->phys_proc_id;
+#endif
+
         c->x86_cache_size = l3 ? l3 : (l2 ? l2 : (l1i+l1d));
 
         return l2;
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
index bb92f38153b2..9a79c8dbd8e8 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -2451,6 +2451,12 @@ static __init int mcheck_init_device(void)
         for_each_online_cpu(i) {
                 err = mce_device_create(i);
                 if (err) {
+                        /*
+                         * Register notifier anyway (and do not unreg it) so
+                         * that we don't leave undeleted timers, see notifier
+                         * callback above.
+                         */
+                        __register_hotcpu_notifier(&mce_cpu_notifier);
                         cpu_notifier_register_done();
                         goto err_device_create;
                 }
@@ -2471,10 +2477,6 @@ static __init int mcheck_init_device(void)
 err_register:
         unregister_syscore_ops(&mce_syscore_ops);
 
-        cpu_notifier_register_begin();
-        __unregister_hotcpu_notifier(&mce_cpu_notifier);
-        cpu_notifier_register_done();
-
 err_device_create:
         /*
          * We didn't keep track of which devices were created above, but
diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 2bdfbff8a4f6..2879ecdaac43 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -118,6 +118,9 @@ static int x86_pmu_extra_regs(u64 config, struct perf_event *event)
                         continue;
                 if (event->attr.config1 & ~er->valid_mask)
                         return -EINVAL;
+                /* Check if the extra msrs can be safely accessed*/
+                if (!er->extra_msr_access)
+                        return -ENXIO;
 
                 reg->idx = er->idx;
                 reg->config = event->attr.config1;
diff --git a/arch/x86/kernel/cpu/perf_event.h b/arch/x86/kernel/cpu/perf_event.h
index 3b2f9bdd974b..8ade93111e03 100644
--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -295,14 +295,16 @@ struct extra_reg {
         u64                     config_mask;
         u64                     valid_mask;
         int                     idx;  /* per_xxx->regs[] reg index */
+        bool                    extra_msr_access;
 };
 
 #define EVENT_EXTRA_REG(e, ms, m, vm, i) {      \
-        .event = (e),           \
-        .msr = (ms),            \
-        .config_mask = (m),     \
-        .valid_mask = (vm),     \
-        .idx = EXTRA_REG_##i,   \
+        .event = (e),                   \
+        .msr = (ms),                    \
+        .config_mask = (m),             \
+        .valid_mask = (vm),             \
+        .idx = EXTRA_REG_##i,           \
+        .extra_msr_access = true,       \
         }
 
 #define INTEL_EVENT_EXTRA_REG(event, msr, vm, idx)      \
diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
index adb02aa62af5..2502d0d9d246 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1382,6 +1382,15 @@ again:
         intel_pmu_lbr_read();
 
         /*
+         * CondChgd bit 63 doesn't mean any overflow status. Ignore
+         * and clear the bit.
+         */
+        if (__test_and_clear_bit(63, (unsigned long *)&status)) {
+                if (!status)
+                        goto done;
+        }
+
+        /*
          * PEBS overflow sets bit 62 in the global status register
          */
         if (__test_and_clear_bit(62, (unsigned long *)&status)) {
@@ -2173,6 +2182,41 @@ static void intel_snb_check_microcode(void)
         }
 }
 
+/*
+ * Under certain circumstances, access certain MSR may cause #GP.
+ * The function tests if the input MSR can be safely accessed.
+ */
+static bool check_msr(unsigned long msr, u64 mask)
+{
+        u64 val_old, val_new, val_tmp;
+
+        /*
+         * Read the current value, change it and read it back to see if it
+         * matches, this is needed to detect certain hardware emulators
+         * (qemu/kvm) that don't trap on the MSR access and always return 0s.
+         */
+        if (rdmsrl_safe(msr, &val_old))
+                return false;
+
+        /*
+         * Only change the bits which can be updated by wrmsrl.
+         */
+        val_tmp = val_old ^ mask;
+        if (wrmsrl_safe(msr, val_tmp) ||
+            rdmsrl_safe(msr, &val_new))
+                return false;
+
+        if (val_new != val_tmp)
+                return false;
+
+        /* Here it's sure that the MSR can be safely accessed.
+         * Restore the old value and return.
+         */
+        wrmsrl(msr, val_old);
+
+        return true;
+}
+
 static __init void intel_sandybridge_quirk(void)
 {
         x86_pmu.check_microcode = intel_snb_check_microcode;
@@ -2262,7 +2306,8 @@ __init int intel_pmu_init(void)
         union cpuid10_ebx ebx;
         struct event_constraint *c;
         unsigned int unused;
-        int version;
+        struct extra_reg *er;
+        int version, i;
 
         if (!cpu_has(&boot_cpu_data, X86_FEATURE_ARCH_PERFMON)) {
                 switch (boot_cpu_data.x86) {
@@ -2465,6 +2510,9 @@ __init int intel_pmu_init(void)
         case 62: /* IvyBridge EP */
                 memcpy(hw_cache_event_ids, snb_hw_cache_event_ids,
                        sizeof(hw_cache_event_ids));
+                /* dTLB-load-misses on IVB is different than SNB */
+                hw_cache_event_ids[C(DTLB)][C(OP_READ)][C(RESULT_MISS)] = 0x8108; /* DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK */
+
                 memcpy(hw_cache_extra_regs, snb_hw_cache_extra_regs,
                        sizeof(hw_cache_extra_regs));
 
@@ -2565,6 +2613,34 @@ __init int intel_pmu_init(void)
                 }
         }
 
+        /*
+         * Access LBR MSR may cause #GP under certain circumstances.
+         * E.g. KVM doesn't support LBR MSR
+         * Check all LBT MSR here.
+         * Disable LBR access if any LBR MSRs can not be accessed.
+         */
+        if (x86_pmu.lbr_nr && !check_msr(x86_pmu.lbr_tos, 0x3UL))
+                x86_pmu.lbr_nr = 0;
+        for (i = 0; i < x86_pmu.lbr_nr; i++) {
+                if (!(check_msr(x86_pmu.lbr_from + i, 0xffffUL) &&
+                      check_msr(x86_pmu.lbr_to + i, 0xffffUL)))
+                        x86_pmu.lbr_nr = 0;
+        }
+
+        /*
+         * Access extra MSR may cause #GP under certain circumstances.
+         * E.g. KVM doesn't support offcore event
+         * Check all extra_regs here.
+         */
+        if (x86_pmu.extra_regs) {
+                for (er = x86_pmu.extra_regs; er->msr; er++) {
+                        er->extra_msr_access = check_msr(er->msr, 0x1ffUL);
+                        /* Disable LBR select mapping */
+                        if ((er->idx == EXTRA_REG_LBR) && !er->extra_msr_access)
+                                x86_pmu.lbr_sel_map = NULL;
+                }
+        }
+
         /* Support full width counters using alternative MSR range */
         if (x86_pmu.intel_cap.full_width_write) {
                 x86_pmu.max_period = x86_pmu.cntval_mask;
diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c
index 980970cb744d..696ade311ded 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c
@@ -311,9 +311,11 @@ static int alloc_bts_buffer(int cpu)
         if (!x86_pmu.bts)
                 return 0;
 
-        buffer = kzalloc_node(BTS_BUFFER_SIZE, GFP_KERNEL, node);
-        if (unlikely(!buffer))
+        buffer = kzalloc_node(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
+        if (unlikely(!buffer)) {
+                WARN_ONCE(1, "%s: BTS buffer allocation failure\n", __func__);
                 return -ENOMEM;
+        }
 
         max = BTS_BUFFER_SIZE / BTS_RECORD_SIZE;
         thresh = max / 16;
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
index 65bbbea38b9c..ae6552a0701f 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -550,16 +550,16 @@ static struct extra_reg snbep_uncore_cbox_extra_regs[] = {
         SNBEP_CBO_EVENT_EXTRA_REG(0x4134, 0xffff, 0x6),
         SNBEP_CBO_EVENT_EXTRA_REG(0x0135, 0xffff, 0x8),
         SNBEP_CBO_EVENT_EXTRA_REG(0x0335, 0xffff, 0x8),
-        SNBEP_CBO_EVENT_EXTRA_REG(0x4135, 0xffff, 0xc),
-        SNBEP_CBO_EVENT_EXTRA_REG(0x4335, 0xffff, 0xc),
+        SNBEP_CBO_EVENT_EXTRA_REG(0x4135, 0xffff, 0xa),
+        SNBEP_CBO_EVENT_EXTRA_REG(0x4335, 0xffff, 0xa),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4435, 0xffff, 0x2),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4835, 0xffff, 0x2),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4a35, 0xffff, 0x2),
         SNBEP_CBO_EVENT_EXTRA_REG(0x5035, 0xffff, 0x2),
         SNBEP_CBO_EVENT_EXTRA_REG(0x0136, 0xffff, 0x8),
         SNBEP_CBO_EVENT_EXTRA_REG(0x0336, 0xffff, 0x8),
-        SNBEP_CBO_EVENT_EXTRA_REG(0x4136, 0xffff, 0xc),
-        SNBEP_CBO_EVENT_EXTRA_REG(0x4336, 0xffff, 0xc),
+        SNBEP_CBO_EVENT_EXTRA_REG(0x4136, 0xffff, 0xa),
+        SNBEP_CBO_EVENT_EXTRA_REG(0x4336, 0xffff, 0xa),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4436, 0xffff, 0x2),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4836, 0xffff, 0x2),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4a36, 0xffff, 0x2),
@@ -1222,6 +1222,7 @@ static struct extra_reg ivt_uncore_cbox_extra_regs[] = {
         SNBEP_CBO_EVENT_EXTRA_REG(SNBEP_CBO_PMON_CTL_TID_EN,
                                   SNBEP_CBO_PMON_CTL_TID_EN, 0x1),
         SNBEP_CBO_EVENT_EXTRA_REG(0x1031, 0x10ff, 0x2),
+
         SNBEP_CBO_EVENT_EXTRA_REG(0x1134, 0xffff, 0x4),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4134, 0xffff, 0xc),
         SNBEP_CBO_EVENT_EXTRA_REG(0x5134, 0xffff, 0xc),
@@ -1245,7 +1246,7 @@ static struct extra_reg ivt_uncore_cbox_extra_regs[] = {
         SNBEP_CBO_EVENT_EXTRA_REG(0x8335, 0xffff, 0x10),
         SNBEP_CBO_EVENT_EXTRA_REG(0x0136, 0xffff, 0x10),
         SNBEP_CBO_EVENT_EXTRA_REG(0x0336, 0xffff, 0x10),
-        SNBEP_CBO_EVENT_EXTRA_REG(0x2336, 0xffff, 0x10),
+        SNBEP_CBO_EVENT_EXTRA_REG(0x2136, 0xffff, 0x10),
         SNBEP_CBO_EVENT_EXTRA_REG(0x2336, 0xffff, 0x10),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4136, 0xffff, 0x18),
         SNBEP_CBO_EVENT_EXTRA_REG(0x4336, 0xffff, 0x18),
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index dbaa23e78b36..0d0c9d4ab6d5 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -425,8 +425,8 @@ sysenter_do_call:
         cmpl $(NR_syscalls), %eax
         jae sysenter_badsys
         call *sys_call_table(,%eax,4)
-        movl %eax,PT_EAX(%esp)
 sysenter_after_call:
+        movl %eax,PT_EAX(%esp)
         LOCKDEP_SYS_EXIT
         DISABLE_INTERRUPTS(CLBR_ANY)
         TRACE_IRQS_OFF
@@ -502,6 +502,7 @@ ENTRY(system_call)
         jae syscall_badsys
 syscall_call:
         call *sys_call_table(,%eax,4)
+syscall_after_call:
         movl %eax,PT_EAX(%esp)          # store the return value
 syscall_exit:
         LOCKDEP_SYS_EXIT
@@ -675,12 +676,12 @@ syscall_fault:
 END(syscall_fault)
 
 syscall_badsys:
-        movl $-ENOSYS,PT_EAX(%esp)
-        jmp syscall_exit
+        movl $-ENOSYS,%eax
+        jmp syscall_after_call
 END(syscall_badsys)
 
 sysenter_badsys:
-        movl $-ENOSYS,PT_EAX(%esp)
+        movl $-ENOSYS,%eax
         jmp sysenter_after_call
 END(syscall_badsys)
         CFI_ENDPROC
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index b25ca969edd2..c844f0816ab8 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -830,27 +830,24 @@ restore_args:
         RESTORE_ARGS 1,8,1
 
 irq_return:
+        INTERRUPT_RETURN
+
+ENTRY(native_iret)
         /*
          * Are we returning to a stack segment from the LDT?  Note: in
          * 64-bit mode SS:RSP on the exception stack is always valid.
          */
 #ifdef CONFIG_X86_ESPFIX64
         testb $4,(SS-RIP)(%rsp)
-        jnz irq_return_ldt
+        jnz native_irq_return_ldt
 #endif
 
-irq_return_iret:
-        INTERRUPT_RETURN
-        _ASM_EXTABLE(irq_return_iret, bad_iret)
-
-#ifdef CONFIG_PARAVIRT
-ENTRY(native_iret)
+native_irq_return_iret:
         iretq
-        _ASM_EXTABLE(native_iret, bad_iret)
-#endif
+        _ASM_EXTABLE(native_irq_return_iret, bad_iret)
 
 #ifdef CONFIG_X86_ESPFIX64
-irq_return_ldt:
+native_irq_return_ldt:
         pushq_cfi %rax
         pushq_cfi %rdi
         SWAPGS
@@ -872,7 +869,7 @@ irq_return_ldt:
         SWAPGS
         movq %rax,%rsp
         popq_cfi %rax
-        jmp irq_return_iret
+        jmp native_irq_return_iret
 #endif
 
         .section .fixup,"ax"
@@ -956,13 +953,8 @@ __do_double_fault:
         cmpl $__KERNEL_CS,CS(%rdi)
         jne do_double_fault
         movq RIP(%rdi),%rax
-        cmpq $irq_return_iret,%rax
-#ifdef CONFIG_PARAVIRT
-        je 1f
-        cmpq $native_iret,%rax
-#endif
+        cmpq $native_irq_return_iret,%rax
         jne do_double_fault             /* This shouldn't happen... */
-1:
         movq PER_CPU_VAR(kernel_stack),%rax
         subq $(6*8-KERNEL_STACK_OFFSET),%rax    /* Reset to original stack */
         movq %rax,RSP(%rdi)
@@ -1428,7 +1420,7 @@ error_sti:
  */
 error_kernelspace:
         incl %ebx
-        leaq irq_return_iret(%rip),%rcx
+        leaq native_irq_return_iret(%rip),%rcx
         cmpq %rcx,RIP+8(%rsp)
         je error_swapgs
         movl %ecx,%eax  /* zero extend */
diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
index 6afbb16e9b79..94d857fb1033 100644
--- a/arch/x86/kernel/espfix_64.c
+++ b/arch/x86/kernel/espfix_64.c
@@ -175,7 +175,7 @@ void init_espfix_ap(void)
         if (!pud_present(pud)) {
                 pmd_p = (pmd_t *)__get_free_page(PGALLOC_GFP);
                 pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask));
-                paravirt_alloc_pud(&init_mm, __pa(pmd_p) >> PAGE_SHIFT);
+                paravirt_alloc_pmd(&init_mm, __pa(pmd_p) >> PAGE_SHIFT);
                 for (n = 0; n < ESPFIX_PUD_CLONES; n++)
                         set_pud(&pud_p[n], pud);
         }
@@ -185,7 +185,7 @@ void init_espfix_ap(void)
         if (!pmd_present(pmd)) {
                 pte_p = (pte_t *)__get_free_page(PGALLOC_GFP);
                 pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask));
-                paravirt_alloc_pmd(&init_mm, __pa(pte_p) >> PAGE_SHIFT);
+                paravirt_alloc_pte(&init_mm, __pa(pte_p) >> PAGE_SHIFT);
                 for (n = 0; n < ESPFIX_PMD_CLONES; n++)
                         set_pmd(&pmd_p[n], pmd);
         }
@@ -193,7 +193,6 @@ void init_espfix_ap(void)
         pte_p = pte_offset_kernel(&pmd, addr);
         stack_page = (void *)__get_free_page(GFP_KERNEL);
         pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask));
-        paravirt_alloc_pte(&init_mm, __pa(stack_page) >> PAGE_SHIFT);
         for (n = 0; n < ESPFIX_PTE_CLONES; n++)
                 set_pte(&pte_p[n*PTE_STRIDE], pte);
 
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 7596df664901..67e6d19ef1be 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -574,6 +574,9 @@ int kprobe_int3_handler(struct pt_regs *regs)
         struct kprobe *p;
         struct kprobe_ctlblk *kcb;
 
+        if (user_mode_vm(regs))
+                return 0;
+
         addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
         /*
          * We don't want to be preempted for the entire
diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
index 3f08f34f93eb..a1da6737ba5b 100644
--- a/arch/x86/kernel/paravirt_patch_64.c
+++ b/arch/x86/kernel/paravirt_patch_64.c
@@ -6,7 +6,6 @@ DEF_NATIVE(pv_irq_ops, irq_disable, "cli");
 DEF_NATIVE(pv_irq_ops, irq_enable, "sti");
 DEF_NATIVE(pv_irq_ops, restore_fl, "pushq %rdi; popfq");
 DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
-DEF_NATIVE(pv_cpu_ops, iret, "iretq");
 DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
 DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
 DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
@@ -50,7 +49,6 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
                 PATCH_SITE(pv_irq_ops, save_fl);
                 PATCH_SITE(pv_irq_ops, irq_enable);
                 PATCH_SITE(pv_irq_ops, irq_disable);
-                PATCH_SITE(pv_cpu_ops, iret);
                 PATCH_SITE(pv_cpu_ops, irq_enable_sysexit);
                 PATCH_SITE(pv_cpu_ops, usergs_sysret32);
                 PATCH_SITE(pv_cpu_ops, usergs_sysret64);
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index 57e5ce126d5a..ea030319b321 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -920,9 +920,9 @@ static int time_cpufreq_notifier(struct notifier_block *nb, unsigned long val,
                 tsc_khz = cpufreq_scale(tsc_khz_ref, ref_freq, freq->new);
                 if (!(freq->flags & CPUFREQ_CONST_LOOPS))
                         mark_tsc_unstable("cpufreq changes");
-        }
 
-        set_cyc2ns_scale(tsc_khz, freq->cpu);
+                set_cyc2ns_scale(tsc_khz, freq->cpu);
+        }
 
         return 0;
 }
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index f6449334ec45..ef432f891d30 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5887,6 +5887,18 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool req_int_win)
                         kvm_x86_ops->set_nmi(vcpu);
                 }
         } else if (kvm_cpu_has_injectable_intr(vcpu)) {
+                /*
+                 * Because interrupts can be injected asynchronously, we are
+                 * calling check_nested_events again here to avoid a race condition.
+                 * See https://lkml.org/lkml/2014/7/2/60 for discussion about this
+                 * proposal and current concerns.  Perhaps we should be setting
+                 * KVM_REQ_EVENT only on certain events and not unconditionally?
+                 */
+                if (is_guest_mode(vcpu) && kvm_x86_ops->check_nested_events) {
+                        r = kvm_x86_ops->check_nested_events(vcpu, req_int_win);
+                        if (r != 0)
+                                return r;
+                }
                 if (kvm_x86_ops->interrupt_allowed(vcpu)) {
                         kvm_queue_interrupt(vcpu, kvm_cpu_get_interrupt(vcpu),
                                             false);
diff --git a/arch/x86/xen/grant-table.c b/arch/x86/xen/grant-table.c
index c98583588580..ebfa9b2c871d 100644
--- a/arch/x86/xen/grant-table.c
+++ b/arch/x86/xen/grant-table.c
@@ -36,99 +36,133 @@
 
 #include <linux/sched.h>
 #include <linux/mm.h>
+#include <linux/slab.h>
 #include <linux/vmalloc.h>
 
 #include <xen/interface/xen.h>
 #include <xen/page.h>
 #include <xen/grant_table.h>
+#include <xen/xen.h>
 
 #include <asm/pgtable.h>
 
-static int map_pte_fn(pte_t *pte, struct page *pmd_page,
-                      unsigned long addr, void *data)
+static struct gnttab_vm_area {
+        struct vm_struct *area;
+        pte_t **ptes;
+} gnttab_shared_vm_area, gnttab_status_vm_area;
+
+int arch_gnttab_map_shared(unsigned long *frames, unsigned long nr_gframes,
+                           unsigned long max_nr_gframes,
+                           void **__shared)
 {
-        unsigned long **frames = (unsigned long **)data;
+        void *shared = *__shared;
+        unsigned long addr;
+        unsigned long i;
 
-        set_pte_at(&init_mm, addr, pte, mfn_pte((*frames)[0], PAGE_KERNEL));
-        (*frames)++;
-        return 0;
-}
+        if (shared == NULL)
+                *__shared = shared = gnttab_shared_vm_area.area->addr;
 
-/*
- * This function is used to map shared frames to store grant status. It is
- * different from map_pte_fn above, the frames type here is uint64_t.
- */
-static int map_pte_fn_status(pte_t *pte, struct page *pmd_page,
-                             unsigned long addr, void *data)
-{
-        uint64_t **frames = (uint64_t **)data;
+        addr = (unsigned long)shared;
+
+        for (i = 0; i < nr_gframes; i++) {
+                set_pte_at(&init_mm, addr, gnttab_shared_vm_area.ptes[i],
+                           mfn_pte(frames[i], PAGE_KERNEL));
+                addr += PAGE_SIZE;
+        }
 
-        set_pte_at(&init_mm, addr, pte, mfn_pte((*frames)[0], PAGE_KERNEL));
-        (*frames)++;
         return 0;
 }
 
-static int unmap_pte_fn(pte_t *pte, struct page *pmd_page,
-                        unsigned long addr, void *data)
+int arch_gnttab_map_status(uint64_t *frames, unsigned long nr_gframes,
+                           unsigned long max_nr_gframes,
+                           grant_status_t **__shared)
 {
+        grant_status_t *shared = *__shared;
+        unsigned long addr;
+        unsigned long i;
+
+        if (shared == NULL)
+                *__shared = shared = gnttab_status_vm_area.area->addr;
+
+        addr = (unsigned long)shared;
+
+        for (i = 0; i < nr_gframes; i++) {
+                set_pte_at(&init_mm, addr, gnttab_status_vm_area.ptes[i],
+                           mfn_pte(frames[i], PAGE_KERNEL));
+                addr += PAGE_SIZE;
+        }
 
-        set_pte_at(&init_mm, addr, pte, __pte(0));
         return 0;
 }
 
-int arch_gnttab_map_shared(unsigned long *frames, unsigned long nr_gframes,
-                           unsigned long max_nr_gframes,
-                           void **__shared)
+void arch_gnttab_unmap(void *shared, unsigned long nr_gframes)
 {
-        int rc;
-        void *shared = *__shared;
+        pte_t **ptes;
+        unsigned long addr;
+        unsigned long i;
 
-        if (shared == NULL) {
-                struct vm_struct *area =
-                        alloc_vm_area(PAGE_SIZE * max_nr_gframes, NULL);
-                BUG_ON(area == NULL);
-                shared = area->addr;
-                *__shared = shared;
-        }
+        if (shared == gnttab_status_vm_area.area->addr)
+                ptes = gnttab_status_vm_area.ptes;
+        else
+                ptes = gnttab_shared_vm_area.ptes;
 
-        rc = apply_to_page_range(&init_mm, (unsigned long)shared,
-                                 PAGE_SIZE * nr_gframes,
-                                 map_pte_fn, &frames);
-        return rc;
+        addr = (unsigned long)shared;
+
+        for (i = 0; i < nr_gframes; i++) {
+                set_pte_at(&init_mm, addr, ptes[i], __pte(0));
+                addr += PAGE_SIZE;
+        }
 }
 
-int arch_gnttab_map_status(uint64_t *frames, unsigned long nr_gframes,
-                           unsigned long max_nr_gframes,
-                           grant_status_t **__shared)
+static int arch_gnttab_valloc(struct gnttab_vm_area *area, unsigned nr_frames)
 {
-        int rc;
-        grant_status_t *shared = *__shared;
+        area->ptes = kmalloc(sizeof(pte_t *) * nr_frames, GFP_KERNEL);
+        if (area->ptes == NULL)
+                return -ENOMEM;
 
-        if (shared == NULL) {
-                /* No need to pass in PTE as we are going to do it
-                 * in apply_to_page_range anyhow. */
-                struct vm_struct *area =
-                        alloc_vm_area(PAGE_SIZE * max_nr_gframes, NULL);
-                BUG_ON(area == NULL);
-                shared = area->addr;
-                *__shared = shared;
+        area->area = alloc_vm_area(PAGE_SIZE * nr_frames, area->ptes);
+        if (area->area == NULL) {
+                kfree(area->ptes);
+                return -ENOMEM;
         }
 
-        rc = apply_to_page_range(&init_mm, (unsigned long)shared,
-                                 PAGE_SIZE * nr_gframes,
-                                 map_pte_fn_status, &frames);
-        return rc;
+        return 0;
 }
 
-void arch_gnttab_unmap(void *shared, unsigned long nr_gframes)
+static void arch_gnttab_vfree(struct gnttab_vm_area *area)
+{
+        free_vm_area(area->area);
+        kfree(area->ptes);
+}
+
+int arch_gnttab_init(unsigned long nr_shared, unsigned long nr_status)
 {
-        apply_to_page_range(&init_mm, (unsigned long)shared,
-                            PAGE_SIZE * nr_gframes, unmap_pte_fn, NULL);
+        int ret;
+
+        if (!xen_pv_domain())
+                return 0;
+
+        ret = arch_gnttab_valloc(&gnttab_shared_vm_area, nr_shared);
+        if (ret < 0)
+                return ret;
+
+        /*
+         * Always allocate the space for the status frames in case
+         * we're migrated to a host with V2 support.
+         */
+        ret = arch_gnttab_valloc(&gnttab_status_vm_area, nr_status);
+        if (ret < 0)
+                goto err;
+
+        return 0;
+  err:
+        arch_gnttab_vfree(&gnttab_shared_vm_area);
+        return -ENOMEM;
 }
+
 #ifdef CONFIG_XEN_PVH
 #include <xen/balloon.h>
 #include <xen/events.h>
-#include <xen/xen.h>
 #include <linux/slab.h>
 static int __init xlated_setup_gnttab_pages(void)
 {