144 files changed, 3222 insertions, 1751 deletions
diff --git a/arch/Kconfig b/arch/Kconfig
index eef3bbb97075..d82875820a15 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -83,6 +83,13 @@ config KRETPROBES
        def_bool y
        depends on KPROBES && HAVE_KRETPROBES
+config USER_RETURN_NOTIFIER
+        bool
+        depends on HAVE_USER_RETURN_NOTIFIER
+        help
+          Provide a kernel-internal notification when a cpu is about to
+          switch to user mode.
 config HAVE_IOREMAP_PROT
        bool
@@ -132,5 +139,7 @@ config HAVE_HW_BREAKPOINT
        select ANON_INODES
        select PERF_EVENTS
+config HAVE_USER_RETURN_NOTIFIER
+        bool
 source "kernel/gcov/Kconfig"
diff --git a/arch/alpha/include/asm/socket.h b/arch/alpha/include/asm/socket.h
index 26773e3246e2..06edfefc3373 100644
--- a/arch/alpha/include/asm/socket.h
+++ b/arch/alpha/include/asm/socket.h
@@ -67,6 +67,8 @@
 #define SO_TIMESTAMPING         37
 #define SCM_TIMESTAMPING        SO_TIMESTAMPING
+#define SO_RXQ_OVFL             40
 /* O_NONBLOCK clashes with the bits used for socket types.  Therefore we
 * have to define SOCK_NONBLOCK to a different value here.
 */
diff --git a/arch/alpha/include/asm/unistd.h b/arch/alpha/include/asm/unistd.h
index 5b5c17485942..7f23665122df 100644
--- a/arch/alpha/include/asm/unistd.h
+++ b/arch/alpha/include/asm/unistd.h
@@ -433,10 +433,11 @@
 #define __NR_signalfd                   476
 #define __NR_timerfd                    477
 #define __NR_eventfd                    478
+#define __NR_recvmmsg                   479
 #ifdef __KERNEL__
-#define NR_SYSCALLS                     479
+#define NR_SYSCALLS                     480
 #define __ARCH_WANT_IPC_PARSE_VERSION
 #define __ARCH_WANT_OLD_READDIR
diff --git a/arch/alpha/kernel/systbls.S b/arch/alpha/kernel/systbls.S
index 95c9aef1c106..cda6b8b3d573 100644
--- a/arch/alpha/kernel/systbls.S
+++ b/arch/alpha/kernel/systbls.S
@@ -497,6 +497,7 @@ sys_call_table:
        .quad sys_signalfd
        .quad sys_ni_syscall
        .quad sys_eventfd
+        .quad sys_recvmmsg
        .size sys_call_table, . - sys_call_table
        .type sys_call_table, @object
diff --git a/arch/arm/include/asm/socket.h b/arch/arm/include/asm/socket.h
index 92ac61d294fd..90ffd04b8e74 100644
--- a/arch/arm/include/asm/socket.h
+++ b/arch/arm/include/asm/socket.h
@@ -60,4 +60,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_SOCKET_H */
diff --git a/arch/arm/kernel/calls.S b/arch/arm/kernel/calls.S
index fafce1b5c69f..f58c1156e779 100644
--- a/arch/arm/kernel/calls.S
+++ b/arch/arm/kernel/calls.S
@@ -374,6 +374,7 @@
                CALL(sys_pwritev)
                CALL(sys_rt_tgsigqueueinfo)
                CALL(sys_perf_event_open)
+/* 365 */       CALL(sys_recvmmsg)
 #ifndef syscalls_counted
 .equ syscalls_padding, ((NR_syscalls + 3) & ~3) - NR_syscalls
 #define syscalls_counted
diff --git a/arch/arm/kernel/isa.c b/arch/arm/kernel/isa.c
index 8ac9b8424007..346485910732 100644
--- a/arch/arm/kernel/isa.c
+++ b/arch/arm/kernel/isa.c
@@ -22,47 +22,42 @@ static unsigned int isa_membase, isa_portbase, isa_portshift;
 static ctl_table ctl_isa_vars[4] = {
        {
-                .ctl_name       = BUS_ISA_MEM_BASE,
                .procname       = "membase",
                .data           = &isa_membase, 
                .maxlen         = sizeof(isa_membase),
                .mode           = 0444,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
        }, {
-                .ctl_name       = BUS_ISA_PORT_BASE,
                .procname       = "portbase",
                .data           = &isa_portbase, 
                .maxlen         = sizeof(isa_portbase),
                .mode           = 0444,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
        }, {
-                .ctl_name       = BUS_ISA_PORT_SHIFT,
                .procname       = "portshift",
                .data           = &isa_portshift, 
                .maxlen         = sizeof(isa_portshift),
                .mode           = 0444,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
-        }, {0}
+        }, {}
 };
 static struct ctl_table_header *isa_sysctl_header;
 static ctl_table ctl_isa[2] = {
        {
-                .ctl_name       = CTL_BUS_ISA,
                .procname       = "isa",
                .mode           = 0555,
                .child          = ctl_isa_vars,
-        }, {0}
+        }, {}
 };
 static ctl_table ctl_bus[2] = {
        {
-                .ctl_name       = CTL_BUS,
                .procname       = "bus",
                .mode           = 0555,
                .child          = ctl_isa,
-        }, {0}
+        }, {}
 };
 void __init
diff --git a/arch/arm/mach-bcmring/arch.c b/arch/arm/mach-bcmring/arch.c
index 0da693b0f7e1..fbe6fa02c882 100644
--- a/arch/arm/mach-bcmring/arch.c
+++ b/arch/arm/mach-bcmring/arch.c
@@ -47,10 +47,6 @@ HW_DECLARE_SPINLOCK(gpio)
    EXPORT_SYMBOL(bcmring_gpio_reg_lock);
 #endif
-/* FIXME: temporary solution */
-#define BCM_SYSCTL_REBOOT_WARM               1
-#define CTL_BCM_REBOOT                 112
 /* sysctl */
 int bcmring_arch_warm_reboot;   /* do a warm reboot on hard reset */
@@ -58,18 +54,16 @@ static struct ctl_table_header *bcmring_sysctl_header;
 static struct ctl_table bcmring_sysctl_warm_reboot[] = {
        {
-         .ctl_name = BCM_SYSCTL_REBOOT_WARM,
         .procname = "warm",
         .data = &bcmring_arch_warm_reboot,
         .maxlen = sizeof(int),
         .mode = 0644,
-         .proc_handler = &proc_dointvec},
+         .proc_handler = proc_dointvec},
        {}
 };
 static struct ctl_table bcmring_sysctl_reboot[] = {
        {
-         .ctl_name = CTL_BCM_REBOOT,
         .procname = "reboot",
         .mode = 0555,
         .child = bcmring_sysctl_warm_reboot},
diff --git a/arch/arm/mach-davinci/include/mach/asp.h b/arch/arm/mach-davinci/include/mach/asp.h
index 18e4ce34ece6..e07f70ed7c53 100644
--- a/arch/arm/mach-davinci/include/mach/asp.h
+++ b/arch/arm/mach-davinci/include/mach/asp.h
@@ -51,6 +51,14 @@ struct snd_platform_data {
        u32 rx_dma_offset;
        enum dma_event_q eventq_no;     /* event queue number */
        unsigned int codec_fmt;
+        /*
+         * Allowing this is more efficient and eliminates left and right swaps
+         * caused by underruns, but will swap the left and right channels
+         * when compared to previous behavior.
+         */
+        unsigned enable_channel_combine:1;
+        unsigned sram_size_playback;
+        unsigned sram_size_capture;
        /* McASP specific fields */
        int tdm_slots;
diff --git a/arch/arm/mach-omap2/board-3430sdp.c b/arch/arm/mach-omap2/board-3430sdp.c
index 0acb5560229c..08e535d92c06 100644
--- a/arch/arm/mach-omap2/board-3430sdp.c
+++ b/arch/arm/mach-omap2/board-3430sdp.c
@@ -410,6 +410,15 @@ static struct regulator_init_data sdp3430_vpll2 = {
        .consumer_supplies      = &sdp3430_vdvi_supply,
 };
+static struct twl4030_codec_audio_data sdp3430_audio = {
+        .audio_mclk = 26000000,
+};
+static struct twl4030_codec_data sdp3430_codec = {
+        .audio_mclk = 26000000,
+        .audio = &sdp3430_audio,
+};
 static struct twl4030_platform_data sdp3430_twldata = {
        .irq_base       = TWL4030_IRQ_BASE,
        .irq_end        = TWL4030_IRQ_END,
@@ -420,6 +429,7 @@ static struct twl4030_platform_data sdp3430_twldata = {
        .madc           = &sdp3430_madc_data,
        .keypad         = &sdp3430_kp_data,
        .usb            = &sdp3430_usb_data,
+        .codec          = &sdp3430_codec,
        .vaux1          = &sdp3430_vaux1,
        .vaux2          = &sdp3430_vaux2,
diff --git a/arch/arm/mach-omap2/board-omap3beagle.c b/arch/arm/mach-omap2/board-omap3beagle.c
index 08b0816afa61..af411e11dddf 100644
--- a/arch/arm/mach-omap2/board-omap3beagle.c
+++ b/arch/arm/mach-omap2/board-omap3beagle.c
@@ -254,6 +254,15 @@ static struct twl4030_usb_data beagle_usb_data = {
        .usb_mode       = T2_USB_MODE_ULPI,
 };
+static struct twl4030_codec_audio_data beagle_audio_data = {
+        .audio_mclk = 26000000,
+};
+static struct twl4030_codec_data beagle_codec_data = {
+        .audio_mclk = 26000000,
+        .audio = &beagle_audio_data,
+};
 static struct twl4030_platform_data beagle_twldata = {
        .irq_base       = TWL4030_IRQ_BASE,
        .irq_end        = TWL4030_IRQ_END,
@@ -261,6 +270,7 @@ static struct twl4030_platform_data beagle_twldata = {
        /* platform_data for children goes here */
        .usb            = &beagle_usb_data,
        .gpio           = &beagle_gpio_data,
+        .codec          = &beagle_codec_data,
        .vmmc1          = &beagle_vmmc1,
        .vsim           = &beagle_vsim,
        .vdac           = &beagle_vdac,
diff --git a/arch/arm/mach-omap2/board-omap3evm.c b/arch/arm/mach-omap2/board-omap3evm.c
index 4c4d7f8dbd72..25ca5f6a0d3d 100644
--- a/arch/arm/mach-omap2/board-omap3evm.c
+++ b/arch/arm/mach-omap2/board-omap3evm.c
@@ -194,6 +194,15 @@ static struct twl4030_madc_platform_data omap3evm_madc_data = {
        .irq_line       = 1,
 };
+static struct twl4030_codec_audio_data omap3evm_audio_data = {
+        .audio_mclk = 26000000,
+};
+static struct twl4030_codec_data omap3evm_codec_data = {
+        .audio_mclk = 26000000,
+        .audio = &omap3evm_audio_data,
+};
 static struct twl4030_platform_data omap3evm_twldata = {
        .irq_base       = TWL4030_IRQ_BASE,
        .irq_end        = TWL4030_IRQ_END,
@@ -203,6 +212,7 @@ static struct twl4030_platform_data omap3evm_twldata = {
        .madc           = &omap3evm_madc_data,
        .usb            = &omap3evm_usb_data,
        .gpio           = &omap3evm_gpio_data,
+        .codec          = &omap3evm_codec_data,
 };
 static struct i2c_board_info __initdata omap3evm_i2c_boardinfo[] = {
diff --git a/arch/arm/mach-omap2/board-omap3pandora.c b/arch/arm/mach-omap2/board-omap3pandora.c
index 7519edb69155..c4be626c8422 100644
--- a/arch/arm/mach-omap2/board-omap3pandora.c
+++ b/arch/arm/mach-omap2/board-omap3pandora.c
@@ -281,11 +281,21 @@ static struct twl4030_usb_data omap3pandora_usb_data = {
        .usb_mode       = T2_USB_MODE_ULPI,
 };
+static struct twl4030_codec_audio_data omap3pandora_audio_data = {
+        .audio_mclk = 26000000,
+};
+static struct twl4030_codec_data omap3pandora_codec_data = {
+        .audio_mclk = 26000000,
+        .audio = &omap3pandora_audio_data,
+};
 static struct twl4030_platform_data omap3pandora_twldata = {
        .irq_base       = TWL4030_IRQ_BASE,
        .irq_end        = TWL4030_IRQ_END,
        .gpio           = &omap3pandora_gpio_data,
        .usb            = &omap3pandora_usb_data,
+        .codec          = &omap3pandora_codec_data,
        .vmmc1          = &pandora_vmmc1,
        .vmmc2          = &pandora_vmmc2,
        .keypad         = &pandora_kp_data,
diff --git a/arch/arm/mach-omap2/board-overo.c b/arch/arm/mach-omap2/board-overo.c
index 9917d2fddc2f..e1fb50451e19 100644
--- a/arch/arm/mach-omap2/board-overo.c
+++ b/arch/arm/mach-omap2/board-overo.c
@@ -329,6 +329,15 @@ static struct regulator_init_data overo_vmmc1 = {
        .consumer_supplies      = &overo_vmmc1_supply,
 };
+static struct twl4030_codec_audio_data overo_audio_data = {
+        .audio_mclk = 26000000,
+};
+static struct twl4030_codec_data overo_codec_data = {
+        .audio_mclk = 26000000,
+        .audio = &overo_audio_data,
+};
 /* mmc2 (WLAN) and Bluetooth don't use twl4030 regulators */
 static struct twl4030_platform_data overo_twldata = {
@@ -336,6 +345,7 @@ static struct twl4030_platform_data overo_twldata = {
        .irq_end        = TWL4030_IRQ_END,
        .gpio           = &overo_gpio_data,
        .usb            = &overo_usb_data,
+        .codec          = &overo_codec_data,
        .vmmc1          = &overo_vmmc1,
 };
diff --git a/arch/arm/mach-omap2/board-zoom2.c b/arch/arm/mach-omap2/board-zoom2.c
index 51e0b3ba5f3a..51df584728f6 100644
--- a/arch/arm/mach-omap2/board-zoom2.c
+++ b/arch/arm/mach-omap2/board-zoom2.c
@@ -230,6 +230,15 @@ static struct twl4030_madc_platform_data zoom2_madc_data = {
        .irq_line       = 1,
 };
+static struct twl4030_codec_audio_data zoom2_audio_data = {
+        .audio_mclk = 26000000,
+};
+static struct twl4030_codec_data zoom2_codec_data = {
+        .audio_mclk = 26000000,
+        .audio = &zoom2_audio_data,
+};
 static struct twl4030_platform_data zoom2_twldata = {
        .irq_base       = TWL4030_IRQ_BASE,
        .irq_end        = TWL4030_IRQ_END,
@@ -240,6 +249,7 @@ static struct twl4030_platform_data zoom2_twldata = {
        .usb            = &zoom2_usb_data,
        .gpio           = &zoom2_gpio_data,
        .keypad         = &zoom2_kp_twl4030_data,
+        .codec          = &zoom2_codec_data,
        .vmmc1          = &zoom2_vmmc1,
        .vmmc2          = &zoom2_vmmc2,
        .vsim           = &zoom2_vsim,
diff --git a/arch/arm/mach-s3c6400/include/mach/map.h b/arch/arm/mach-s3c6400/include/mach/map.h
index f3b48f841d84..106ee13581e2 100644
--- a/arch/arm/mach-s3c6400/include/mach/map.h
+++ b/arch/arm/mach-s3c6400/include/mach/map.h
@@ -48,6 +48,8 @@
 #define S3C64XX_PA_IIS1         (0x7F003000)
 #define S3C64XX_PA_TIMER        (0x7F006000)
 #define S3C64XX_PA_IIC0         (0x7F004000)
+#define S3C64XX_PA_PCM0         (0x7F009000)
+#define S3C64XX_PA_PCM1         (0x7F00A000)
 #define S3C64XX_PA_IISV4        (0x7F00D000)
 #define S3C64XX_PA_IIC1         (0x7F00F000)
diff --git a/arch/arm/plat-s3c/include/plat/audio.h b/arch/arm/plat-s3c/include/plat/audio.h
index de0e8da48bc3..f22d23bb6271 100644
--- a/arch/arm/plat-s3c/include/plat/audio.h
+++ b/arch/arm/plat-s3c/include/plat/audio.h
@@ -1,45 +1,17 @@
-/* arch/arm/mach-s3c2410/include/mach/audio.h
+/* arch/arm/plat-s3c/include/plat/audio.h
 *
- * Copyright (c) 2004-2005 Simtec Electronics
+ * Copyright (c) 2009 Samsung Electronics Co. Ltd
- *      http://www.simtec.co.uk/products/SWLINUX/
+ * Author: Jaswinder Singh <jassi.brar@samsung.com>
- *      Ben Dooks <ben@simtec.co.uk>
- *
- * S3C24XX - Audio platfrom_device info
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
-*/
+ */
-#ifndef __ASM_ARCH_AUDIO_H
-#define __ASM_ARCH_AUDIO_H __FILE__
-/* struct s3c24xx_iis_ops
- *
- * called from the s3c24xx audio core to deal with the architecture
- * or the codec's setup and control.
- *
- * the pointer to itself is passed through in case the caller wants to
- * embed this in an larger structure for easy reference to it's context.
-*/
-struct s3c24xx_iis_ops {
+/**
-        struct module *owner;
+ * struct s3c_audio_pdata - common platform data for audio device drivers
+ * @cfg_gpio: Callback function to setup mux'ed pins in I2S/PCM/AC97 mode
-        int     (*startup)(struct s3c24xx_iis_ops *me);
+ */
-        void    (*shutdown)(struct s3c24xx_iis_ops *me);
+struct s3c_audio_pdata {
-        int     (*suspend)(struct s3c24xx_iis_ops *me);
+        int (*cfg_gpio)(struct platform_device *);
-        int     (*resume)(struct s3c24xx_iis_ops *me);
-        int     (*open)(struct s3c24xx_iis_ops *me, struct snd_pcm_substream *strm);
-        int     (*close)(struct s3c24xx_iis_ops *me, struct snd_pcm_substream *strm);
-        int     (*prepare)(struct s3c24xx_iis_ops *me, struct snd_pcm_substream *strm, struct snd_pcm_runtime *rt);
 };
-struct s3c24xx_platdata_iis {
-        const char              *codec_clk;
-        struct s3c24xx_iis_ops  *ops;
-        int                     (*match_dev)(struct device *dev);
-};
-#endif /* __ASM_ARCH_AUDIO_H */
diff --git a/arch/arm/plat-s3c/include/plat/devs.h b/arch/arm/plat-s3c/include/plat/devs.h
index 0f540ea1e999..932cbbbb4273 100644
--- a/arch/arm/plat-s3c/include/plat/devs.h
+++ b/arch/arm/plat-s3c/include/plat/devs.h
@@ -28,6 +28,9 @@ extern struct platform_device s3c64xx_device_iis0;
 extern struct platform_device s3c64xx_device_iis1;
 extern struct platform_device s3c64xx_device_iisv4;
+extern struct platform_device s3c64xx_device_pcm0;
+extern struct platform_device s3c64xx_device_pcm1;
 extern struct platform_device s3c_device_fb;
 extern struct platform_device s3c_device_usb;
 extern struct platform_device s3c_device_lcd;
diff --git a/arch/arm/plat-s3c/include/plat/regs-s3c2412-iis.h b/arch/arm/plat-s3c/include/plat/regs-s3c2412-iis.h
index 07659dad1748..abf2fbc2eb2f 100644
--- a/arch/arm/plat-s3c/include/plat/regs-s3c2412-iis.h
+++ b/arch/arm/plat-s3c/include/plat/regs-s3c2412-iis.h
@@ -67,6 +67,8 @@
 #define S3C2412_IISMOD_BCLK_MASK        (3 << 1)
 #define S3C2412_IISMOD_8BIT             (1 << 0)
+#define S3C64XX_IISMOD_CDCLKCON         (1 << 12)
 #define S3C2412_IISPSR_PSREN            (1 << 15)
 #define S3C2412_IISFIC_TXFLUSH          (1 << 15)
diff --git a/arch/arm/plat-s3c64xx/dev-audio.c b/arch/arm/plat-s3c64xx/dev-audio.c
index 1322beb40dd7..a21a88fbb7e3 100644
--- a/arch/arm/plat-s3c64xx/dev-audio.c
+++ b/arch/arm/plat-s3c64xx/dev-audio.c
@@ -15,9 +15,14 @@
 #include <mach/irqs.h>
 #include <mach/map.h>
+#include <mach/dma.h>
+#include <mach/gpio.h>
 #include <plat/devs.h>
+#include <plat/audio.h>
+#include <plat/gpio-bank-d.h>
+#include <plat/gpio-bank-e.h>
+#include <plat/gpio-cfg.h>
 static struct resource s3c64xx_iis0_resource[] = {
        [0] = {
@@ -66,3 +71,97 @@ struct platform_device s3c64xx_device_iisv4 = {
        .resource         = s3c64xx_iisv4_resource,
 };
 EXPORT_SYMBOL(s3c64xx_device_iisv4);
+/* PCM Controller platform_devices */
+static int s3c64xx_pcm_cfg_gpio(struct platform_device *pdev)
+{
+        switch (pdev->id) {
+        case 0:
+                s3c_gpio_cfgpin(S3C64XX_GPD(0), S3C64XX_GPD0_PCM0_SCLK);
+                s3c_gpio_cfgpin(S3C64XX_GPD(1), S3C64XX_GPD1_PCM0_EXTCLK);
+                s3c_gpio_cfgpin(S3C64XX_GPD(2), S3C64XX_GPD2_PCM0_FSYNC);
+                s3c_gpio_cfgpin(S3C64XX_GPD(3), S3C64XX_GPD3_PCM0_SIN);
+                s3c_gpio_cfgpin(S3C64XX_GPD(4), S3C64XX_GPD4_PCM0_SOUT);
+                break;
+        case 1:
+                s3c_gpio_cfgpin(S3C64XX_GPE(0), S3C64XX_GPE0_PCM1_SCLK);
+                s3c_gpio_cfgpin(S3C64XX_GPE(1), S3C64XX_GPE1_PCM1_EXTCLK);
+                s3c_gpio_cfgpin(S3C64XX_GPE(2), S3C64XX_GPE2_PCM1_FSYNC);
+                s3c_gpio_cfgpin(S3C64XX_GPE(3), S3C64XX_GPE3_PCM1_SIN);
+                s3c_gpio_cfgpin(S3C64XX_GPE(4), S3C64XX_GPE4_PCM1_SOUT);
+                break;
+        default:
+                printk(KERN_DEBUG "Invalid PCM Controller number!");
+                return -EINVAL;
+        }
+        return 0;
+}
+static struct resource s3c64xx_pcm0_resource[] = {
+        [0] = {
+                .start = S3C64XX_PA_PCM0,
+                .end   = S3C64XX_PA_PCM0 + 0x100 - 1,
+                .flags = IORESOURCE_MEM,
+        },
+        [1] = {
+                .start = DMACH_PCM0_TX,
+                .end   = DMACH_PCM0_TX,
+                .flags = IORESOURCE_DMA,
+        },
+        [2] = {
+                .start = DMACH_PCM0_RX,
+                .end   = DMACH_PCM0_RX,
+                .flags = IORESOURCE_DMA,
+        },
+};
+static struct s3c_audio_pdata s3c_pcm0_pdata = {
+        .cfg_gpio = s3c64xx_pcm_cfg_gpio,
+};
+struct platform_device s3c64xx_device_pcm0 = {
+        .name             = "samsung-pcm",
+        .id               = 0,
+        .num_resources    = ARRAY_SIZE(s3c64xx_pcm0_resource),
+        .resource         = s3c64xx_pcm0_resource,
+        .dev = {
+                .platform_data = &s3c_pcm0_pdata,
+        },
+};
+EXPORT_SYMBOL(s3c64xx_device_pcm0);
+static struct resource s3c64xx_pcm1_resource[] = {
+        [0] = {
+                .start = S3C64XX_PA_PCM1,
+                .end   = S3C64XX_PA_PCM1 + 0x100 - 1,
+                .flags = IORESOURCE_MEM,
+        },
+        [1] = {
+                .start = DMACH_PCM1_TX,
+                .end   = DMACH_PCM1_TX,
+                .flags = IORESOURCE_DMA,
+        },
+        [2] = {
+                .start = DMACH_PCM1_RX,
+                .end   = DMACH_PCM1_RX,
+                .flags = IORESOURCE_DMA,
+        },
+};
+static struct s3c_audio_pdata s3c_pcm1_pdata = {
+        .cfg_gpio = s3c64xx_pcm_cfg_gpio,
+};
+struct platform_device s3c64xx_device_pcm1 = {
+        .name             = "samsung-pcm",
+        .id               = 1,
+        .num_resources    = ARRAY_SIZE(s3c64xx_pcm1_resource),
+        .resource         = s3c64xx_pcm1_resource,
+        .dev = {
+                .platform_data = &s3c_pcm1_pdata,
+        },
+};
+EXPORT_SYMBOL(s3c64xx_device_pcm1);
diff --git a/arch/avr32/include/asm/socket.h b/arch/avr32/include/asm/socket.h
index fe863f9794d5..c8d1fae49476 100644
--- a/arch/avr32/include/asm/socket.h
+++ b/arch/avr32/include/asm/socket.h
@@ -60,4 +60,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* __ASM_AVR32_SOCKET_H */
diff --git a/arch/avr32/kernel/syscall_table.S b/arch/avr32/kernel/syscall_table.S
index 7ee0057613b3..e76bad16b0f0 100644
--- a/arch/avr32/kernel/syscall_table.S
+++ b/arch/avr32/kernel/syscall_table.S
@@ -295,4 +295,5 @@ sys_call_table:
        .long   sys_signalfd
        .long   sys_ni_syscall          /* 280, was sys_timerfd */
        .long   sys_eventfd
+        .long   sys_recvmmsg
        .long   sys_ni_syscall          /* r8 is saturated at nr_syscalls */
diff --git a/arch/blackfin/mach-common/entry.S b/arch/blackfin/mach-common/entry.S
index 94a0375cbdcf..a50637a8b9bd 100644
--- a/arch/blackfin/mach-common/entry.S
+++ b/arch/blackfin/mach-common/entry.S
@@ -1600,6 +1600,7 @@ ENTRY(_sys_call_table)
        .long _sys_pwritev
        .long _sys_rt_tgsigqueueinfo
        .long _sys_perf_event_open
+        .long _sys_recvmmsg             /* 370 */
        .rept NR_syscalls-(.-_sys_call_table)/4
        .long _sys_ni_syscall
diff --git a/arch/cris/include/asm/socket.h b/arch/cris/include/asm/socket.h
index 45ec49bdb7b1..1a4a61909ca8 100644
--- a/arch/cris/include/asm/socket.h
+++ b/arch/cris/include/asm/socket.h
@@ -62,6 +62,8 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_SOCKET_H */
diff --git a/arch/frv/include/asm/socket.h b/arch/frv/include/asm/socket.h
index 2dea726095c2..a6b26880c1ec 100644
--- a/arch/frv/include/asm/socket.h
+++ b/arch/frv/include/asm/socket.h
@@ -60,5 +60,7 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_SOCKET_H */
diff --git a/arch/frv/kernel/pm.c b/arch/frv/kernel/pm.c
index 0d4d3e3a4cfc..5fa3889d858b 100644
--- a/arch/frv/kernel/pm.c
+++ b/arch/frv/kernel/pm.c
@@ -211,37 +211,6 @@ static int cmode_procctl(ctl_table *ctl, int write,
        return try_set_cmode(new_cmode)?:*lenp;
 }
-static int cmode_sysctl(ctl_table *table,
-                        void __user *oldval, size_t __user *oldlenp,
-                        void __user *newval, size_t newlen)
-{
-        if (oldval && oldlenp) {
-                size_t oldlen;
-                if (get_user(oldlen, oldlenp))
-                        return -EFAULT;
-                if (oldlen != sizeof(int))
-                        return -EINVAL;
-                if (put_user(clock_cmode_current, (unsigned __user *)oldval) ||
-                    put_user(sizeof(int), oldlenp))
-                        return -EFAULT;
-        }
-        if (newval && newlen) {
-                int new_cmode;
-                if (newlen != sizeof(int))
-                        return -EINVAL;
-                if (get_user(new_cmode, (int __user *)newval))
-                        return -EFAULT;
-                return try_set_cmode(new_cmode)?:1;
-        }
-        return 1;
-}
 static int try_set_p0(int new_p0)
 {
        unsigned long flags, clkc;
@@ -314,37 +283,6 @@ static int p0_procctl(ctl_table *ctl, int write,
        return try_set_p0(new_p0)?:*lenp;
 }
-static int p0_sysctl(ctl_table *table,
-                     void __user *oldval, size_t __user *oldlenp,
-                     void __user *newval, size_t newlen)
-{
-        if (oldval && oldlenp) {
-                size_t oldlen;
-                if (get_user(oldlen, oldlenp))
-                        return -EFAULT;
-                if (oldlen != sizeof(int))
-                        return -EINVAL;
-                if (put_user(clock_p0_current, (unsigned __user *)oldval) ||
-                    put_user(sizeof(int), oldlenp))
-                        return -EFAULT;
-        }
-        if (newval && newlen) {
-                int new_p0;
-                if (newlen != sizeof(int))
-                        return -EINVAL;
-                if (get_user(new_p0, (int __user *)newval))
-                        return -EFAULT;
-                return try_set_p0(new_p0)?:1;
-        }
-        return 1;
-}
 static int cm_procctl(ctl_table *ctl, int write,
                      void __user *buffer, size_t *lenp, loff_t *fpos)
 {
@@ -358,87 +296,47 @@ static int cm_procctl(ctl_table *ctl, int write,
        return try_set_cm(new_cm)?:*lenp;
 }
-static int cm_sysctl(ctl_table *table,
-                     void __user *oldval, size_t __user *oldlenp,
-                     void __user *newval, size_t newlen)
-{
-        if (oldval && oldlenp) {
-                size_t oldlen;
-                if (get_user(oldlen, oldlenp))
-                        return -EFAULT;
-                if (oldlen != sizeof(int))
-                        return -EINVAL;
-                if (put_user(clock_cm_current, (unsigned __user *)oldval) ||
-                    put_user(sizeof(int), oldlenp))
-                        return -EFAULT;
-        }
-        if (newval && newlen) {
-                int new_cm;
-                if (newlen != sizeof(int))
-                        return -EINVAL;
-                if (get_user(new_cm, (int __user *)newval))
-                        return -EFAULT;
-                return try_set_cm(new_cm)?:1;
-        }
-        return 1;
-}
 static struct ctl_table pm_table[] =
 {
        {
-                .ctl_name       = CTL_PM_SUSPEND,
                .procname       = "suspend",
                .data           = NULL,
                .maxlen         = 0,
                .mode           = 0200,
-                .proc_handler   = &sysctl_pm_do_suspend,
+                .proc_handler   = sysctl_pm_do_suspend,
        },
        {
-                .ctl_name       = CTL_PM_CMODE,
                .procname       = "cmode",
                .data           = &clock_cmode_current,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &cmode_procctl,
+                .proc_handler   = cmode_procctl,
-                .strategy       = &cmode_sysctl,
        },
        {
-                .ctl_name       = CTL_PM_P0,
                .procname       = "p0",
                .data           = &clock_p0_current,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &p0_procctl,
+                .proc_handler   = p0_procctl,
-                .strategy       = &p0_sysctl,
        },
        {
-                .ctl_name       = CTL_PM_CM,
                .procname       = "cm",
                .data           = &clock_cm_current,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &cm_procctl,
+                .proc_handler   = cm_procctl,
-                .strategy       = &cm_sysctl,
        },
-        { .ctl_name = 0}
+        { }
 };
 static struct ctl_table pm_dir_table[] =
 {
        {
-                .ctl_name       = CTL_PM,
                .procname       = "pm",
                .mode           = 0555,
                .child          = pm_table,
        },
-        { .ctl_name = 0}
+        { }
 };
 /*
diff --git a/arch/frv/kernel/sysctl.c b/arch/frv/kernel/sysctl.c
index 3e9d7e03fb95..035516cb7a97 100644
--- a/arch/frv/kernel/sysctl.c
+++ b/arch/frv/kernel/sysctl.c
@@ -176,21 +176,19 @@ static int procctl_frv_pin_cxnr(ctl_table *table, int write, struct file *filp,
 static struct ctl_table frv_table[] =
 {
        {
-                .ctl_name       = 1,
                .procname       = "cache-mode",
                .data           = NULL,
                .maxlen         = 0,
                .mode           = 0644,
-                .proc_handler   = &procctl_frv_cachemode,
+                .proc_handler   = procctl_frv_cachemode,
        },
 #ifdef CONFIG_MMU
        {
-                .ctl_name       = 2,
                .procname       = "pin-cxnr",
                .data           = NULL,
                .maxlen         = 0,
                .mode           = 0644,
-                .proc_handler   = &procctl_frv_pin_cxnr
+                .proc_handler   = procctl_frv_pin_cxnr
        },
 #endif
        {}
@@ -203,7 +201,6 @@ static struct ctl_table frv_table[] =
 static struct ctl_table frv_dir_table[] =
 {
        {
-                .ctl_name       = CTL_FRV,
                .procname       = "frv",
                .mode           = 0555,
                .child          = frv_table
diff --git a/arch/h8300/include/asm/socket.h b/arch/h8300/include/asm/socket.h
index 1547f01c8e22..04c0f4596eb5 100644
--- a/arch/h8300/include/asm/socket.h
+++ b/arch/h8300/include/asm/socket.h
@@ -60,4 +60,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_SOCKET_H */
diff --git a/arch/ia64/ia32/ia32_entry.S b/arch/ia64/ia32/ia32_entry.S
index af9405cd70e5..10c37510f4b4 100644
--- a/arch/ia64/ia32/ia32_entry.S
+++ b/arch/ia64/ia32/ia32_entry.S
@@ -327,7 +327,7 @@ ia32_syscall_table:
        data8 compat_sys_writev
        data8 sys_getsid
        data8 sys_fdatasync
-        data8 sys32_sysctl
+        data8 compat_sys_sysctl
        data8 sys_mlock           /* 150 */
        data8 sys_munlock
        data8 sys_mlockall
diff --git a/arch/ia64/ia32/sys_ia32.c b/arch/ia64/ia32/sys_ia32.c
index 625ed8f76fce..429ec968c9ee 100644
--- a/arch/ia64/ia32/sys_ia32.c
+++ b/arch/ia64/ia32/sys_ia32.c
@@ -1628,61 +1628,6 @@ sys32_msync (unsigned int start, unsigned int len, int flags)
        return sys_msync(addr, len + (start - addr), flags);
 }
-struct sysctl32 {
-        unsigned int    name;
-        int             nlen;
-        unsigned int    oldval;
-        unsigned int    oldlenp;
-        unsigned int    newval;
-        unsigned int    newlen;
-        unsigned int    __unused[4];
-};
-#ifdef CONFIG_SYSCTL_SYSCALL
-asmlinkage long
-sys32_sysctl (struct sysctl32 __user *args)
-{
-        struct sysctl32 a32;
-        mm_segment_t old_fs = get_fs ();
-        void __user *oldvalp, *newvalp;
-        size_t oldlen;
-        int __user *namep;
-        long ret;
-        if (copy_from_user(&a32, args, sizeof(a32)))
-                return -EFAULT;
-        /*
-         * We need to pre-validate these because we have to disable address checking
-         * before calling do_sysctl() because of OLDLEN but we can't run the risk of the
-         * user specifying bad addresses here.  Well, since we're dealing with 32 bit
-         * addresses, we KNOW that access_ok() will always succeed, so this is an
-         * expensive NOP, but so what...
-         */
-        namep = (int __user *) compat_ptr(a32.name);
-        oldvalp = compat_ptr(a32.oldval);
-        newvalp = compat_ptr(a32.newval);
-        if ((oldvalp && get_user(oldlen, (int __user *) compat_ptr(a32.oldlenp)))
-            || !access_ok(VERIFY_WRITE, namep, 0)
-            || !access_ok(VERIFY_WRITE, oldvalp, 0)
-            || !access_ok(VERIFY_WRITE, newvalp, 0))
-                return -EFAULT;
-        set_fs(KERNEL_DS);
-        lock_kernel();
-        ret = do_sysctl(namep, a32.nlen, oldvalp, (size_t __user *) &oldlen,
-                        newvalp, (size_t) a32.newlen);
-        unlock_kernel();
-        set_fs(old_fs);
-        if (oldvalp && put_user (oldlen, (int __user *) compat_ptr(a32.oldlenp)))
-                return -EFAULT;
-        return ret;
-}
-#endif
 asmlinkage long
 sys32_newuname (struct new_utsname __user *name)
 {
diff --git a/arch/ia64/include/asm/kvm.h b/arch/ia64/include/asm/kvm.h
index 18a7e49abbc5..bc90c75adf67 100644
--- a/arch/ia64/include/asm/kvm.h
+++ b/arch/ia64/include/asm/kvm.h
@@ -60,6 +60,7 @@ struct kvm_ioapic_state {
 #define KVM_IRQCHIP_PIC_MASTER   0
 #define KVM_IRQCHIP_PIC_SLAVE    1
 #define KVM_IRQCHIP_IOAPIC       2
+#define KVM_NR_IRQCHIPS          3
 #define KVM_CONTEXT_SIZE        8*1024
diff --git a/arch/ia64/include/asm/kvm_host.h b/arch/ia64/include/asm/kvm_host.h
index d9b6325a9328..a362e67e0ca6 100644
--- a/arch/ia64/include/asm/kvm_host.h
+++ b/arch/ia64/include/asm/kvm_host.h
@@ -475,7 +475,6 @@ struct kvm_arch {
        struct list_head assigned_dev_head;
        struct iommu_domain *iommu_domain;
        int iommu_flags;
-        struct hlist_head irq_ack_notifier_list;
        unsigned long irq_sources_bitmap;
        unsigned long irq_states[KVM_IOAPIC_NUM_PINS];
diff --git a/arch/ia64/include/asm/socket.h b/arch/ia64/include/asm/socket.h
index 0b0d5ff062e5..51427eaa51ba 100644
--- a/arch/ia64/include/asm/socket.h
+++ b/arch/ia64/include/asm/socket.h
@@ -69,4 +69,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_IA64_SOCKET_H */
diff --git a/arch/ia64/include/asm/unistd.h b/arch/ia64/include/asm/unistd.h
index 5a5347f5c4e4..9c72e36c5281 100644
--- a/arch/ia64/include/asm/unistd.h
+++ b/arch/ia64/include/asm/unistd.h
@@ -311,11 +311,12 @@
 #define __NR_preadv                     1319
 #define __NR_pwritev                    1320
 #define __NR_rt_tgsigqueueinfo          1321
+#define __NR_rt_recvmmsg                1322
 #ifdef __KERNEL__
-#define NR_syscalls                     298 /* length of syscall table */
+#define NR_syscalls                     299 /* length of syscall table */
 /*
 * The following defines stop scripts/checksyscalls.sh from complaining about
diff --git a/arch/ia64/kernel/crash.c b/arch/ia64/kernel/crash.c
index 6631a9dfafdc..b942f4032d7a 100644
--- a/arch/ia64/kernel/crash.c
+++ b/arch/ia64/kernel/crash.c
@@ -239,32 +239,29 @@ kdump_init_notifier(struct notifier_block *self, unsigned long val, void *data)
 #ifdef CONFIG_SYSCTL
 static ctl_table kdump_ctl_table[] = {
        {
-                .ctl_name = CTL_UNNUMBERED,
                .procname = "kdump_on_init",
                .data = &kdump_on_init,
                .maxlen = sizeof(int),
                .mode = 0644,
-                .proc_handler = &proc_dointvec,
+                .proc_handler = proc_dointvec,
        },
        {
-                .ctl_name = CTL_UNNUMBERED,
                .procname = "kdump_on_fatal_mca",
                .data = &kdump_on_fatal_mca,
                .maxlen = sizeof(int),
                .mode = 0644,
-                .proc_handler = &proc_dointvec,
+                .proc_handler = proc_dointvec,
        },
-        { .ctl_name = 0 }
+        { }
 };
 static ctl_table sys_table[] = {
        {
-          .ctl_name = CTL_KERN,
          .procname = "kernel",
          .mode = 0555,
          .child = kdump_ctl_table,
        },
-        { .ctl_name = 0 }
+        { }
 };
 #endif
diff --git a/arch/ia64/kernel/entry.S b/arch/ia64/kernel/entry.S
index d0e7d37017b4..d75b872ca4dc 100644
--- a/arch/ia64/kernel/entry.S
+++ b/arch/ia64/kernel/entry.S
@@ -1806,6 +1806,7 @@ sys_call_table:
        data8 sys_preadv
        data8 sys_pwritev                       // 1320
        data8 sys_rt_tgsigqueueinfo
+        data8 sys_recvmmsg
        .org sys_call_table + 8*NR_syscalls     // guard against failures to increase NR_syscalls
 #endif /* __IA64_ASM_PARAVIRTUALIZED_NATIVE */
diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c
index f1782705b1f7..402698b6689f 100644
--- a/arch/ia64/kernel/perfmon.c
+++ b/arch/ia64/kernel/perfmon.c
@@ -522,42 +522,37 @@ EXPORT_SYMBOL(pfm_sysctl);
 static ctl_table pfm_ctl_table[]={
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "debug",
                .data           = &pfm_sysctl.debug,
                .maxlen         = sizeof(int),
                .mode           = 0666,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "debug_ovfl",
                .data           = &pfm_sysctl.debug_ovfl,
                .maxlen         = sizeof(int),
                .mode           = 0666,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "fastctxsw",
                .data           = &pfm_sysctl.fastctxsw,
                .maxlen         = sizeof(int),
                .mode           = 0600,
-                .proc_handler   =  &proc_dointvec,
+                .proc_handler   = proc_dointvec,
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "expert_mode",
                .data           = &pfm_sysctl.expert_mode,
                .maxlen         = sizeof(int),
                .mode           = 0600,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
        },
        {}
 };
 static ctl_table pfm_sysctl_dir[] = {
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "perfmon",
                .mode           = 0555,
                .child          = pfm_ctl_table,
@@ -566,7 +561,6 @@ static ctl_table pfm_sysctl_dir[] = {
 };
 static ctl_table pfm_sysctl_root[] = {
        {
-                .ctl_name       = CTL_KERN,
                .procname       = "kernel",
                .mode           = 0555,
                .child          = pfm_sysctl_dir,
diff --git a/arch/ia64/kvm/Makefile b/arch/ia64/kvm/Makefile
index 0bb99b732908..1089b3e918ac 100644
--- a/arch/ia64/kvm/Makefile
+++ b/arch/ia64/kvm/Makefile
@@ -49,7 +49,7 @@ EXTRA_CFLAGS += -Ivirt/kvm -Iarch/ia64/kvm/
 EXTRA_AFLAGS += -Ivirt/kvm -Iarch/ia64/kvm/
 common-objs = $(addprefix ../../../virt/kvm/, kvm_main.o ioapic.o \
-                coalesced_mmio.o irq_comm.o)
+                coalesced_mmio.o irq_comm.o assigned-dev.o)
 ifeq ($(CONFIG_IOMMU_API),y)
 common-objs += $(addprefix ../../../virt/kvm/, iommu.o)
diff --git a/arch/ia64/kvm/kvm-ia64.c b/arch/ia64/kvm/kvm-ia64.c
index 0ad09f05efa9..5fdeec5fddcf 100644
--- a/arch/ia64/kvm/kvm-ia64.c
+++ b/arch/ia64/kvm/kvm-ia64.c
@@ -124,7 +124,7 @@ long ia64_pal_vp_create(u64 *vpd, u64 *host_iva, u64 *opt_handler)
 static  DEFINE_SPINLOCK(vp_lock);
-void kvm_arch_hardware_enable(void *garbage)
+int kvm_arch_hardware_enable(void *garbage)
 {
        long  status;
        long  tmp_base;
@@ -137,7 +137,7 @@ void kvm_arch_hardware_enable(void *garbage)
        slot = ia64_itr_entry(0x3, KVM_VMM_BASE, pte, KVM_VMM_SHIFT);
        local_irq_restore(saved_psr);
        if (slot < 0)
-                return;
+                return -EINVAL;
        spin_lock(&vp_lock);
        status = ia64_pal_vp_init_env(kvm_vsa_base ?
@@ -145,7 +145,7 @@ void kvm_arch_hardware_enable(void *garbage)
                        __pa(kvm_vm_buffer), KVM_VM_BUFFER_BASE, &tmp_base);
        if (status != 0) {
                printk(KERN_WARNING"kvm: Failed to Enable VT Support!!!!\n");
-                return ;
+                return -EINVAL;
        }
        if (!kvm_vsa_base) {
@@ -154,6 +154,8 @@ void kvm_arch_hardware_enable(void *garbage)
        }
        spin_unlock(&vp_lock);
        ia64_ptr_entry(0x3, slot);
+        return 0;
 }
 void kvm_arch_hardware_disable(void *garbage)
@@ -851,8 +853,7 @@ static int kvm_vm_ioctl_get_irqchip(struct kvm *kvm,
        r = 0;
        switch (chip->chip_id) {
        case KVM_IRQCHIP_IOAPIC:
-                memcpy(&chip->chip.ioapic, ioapic_irqchip(kvm),
+                r = kvm_get_ioapic(kvm, &chip->chip.ioapic);
-                                sizeof(struct kvm_ioapic_state));
                break;
        default:
                r = -EINVAL;
@@ -868,9 +869,7 @@ static int kvm_vm_ioctl_set_irqchip(struct kvm *kvm, struct kvm_irqchip *chip)
        r = 0;
        switch (chip->chip_id) {
        case KVM_IRQCHIP_IOAPIC:
-                memcpy(ioapic_irqchip(kvm),
+                r = kvm_set_ioapic(kvm, &chip->chip.ioapic);
-                                &chip->chip.ioapic,
-                                sizeof(struct kvm_ioapic_state));
                break;
        default:
                r = -EINVAL;
@@ -944,7 +943,7 @@ long kvm_arch_vm_ioctl(struct file *filp,
 {
        struct kvm *kvm = filp->private_data;
        void __user *argp = (void __user *)arg;
-        int r = -EINVAL;
+        int r = -ENOTTY;
        switch (ioctl) {
        case KVM_SET_MEMORY_REGION: {
@@ -985,10 +984,8 @@ long kvm_arch_vm_ioctl(struct file *filp,
                        goto out;
                if (irqchip_in_kernel(kvm)) {
                        __s32 status;
-                        mutex_lock(&kvm->irq_lock);
                        status = kvm_set_irq(kvm, KVM_USERSPACE_IRQ_SOURCE_ID,
                                    irq_event.irq, irq_event.level);
-                        mutex_unlock(&kvm->irq_lock);
                        if (ioctl == KVM_IRQ_LINE_STATUS) {
                                irq_event.status = status;
                                if (copy_to_user(argp, &irq_event,
diff --git a/arch/m32r/include/asm/socket.h b/arch/m32r/include/asm/socket.h
index 3390a864f224..469787c30098 100644
--- a/arch/m32r/include/asm/socket.h
+++ b/arch/m32r/include/asm/socket.h
@@ -60,4 +60,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_M32R_SOCKET_H */
diff --git a/arch/m68k/include/asm/socket.h b/arch/m68k/include/asm/socket.h
index eee01cce921b..9bf49c87d954 100644
--- a/arch/m68k/include/asm/socket.h
+++ b/arch/m68k/include/asm/socket.h
@@ -60,4 +60,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_SOCKET_H */
diff --git a/arch/microblaze/include/asm/prom.h b/arch/microblaze/include/asm/prom.h
index 37e6f305a68e..ef3ec1d6ceb3 100644
--- a/arch/microblaze/include/asm/prom.h
+++ b/arch/microblaze/include/asm/prom.h
@@ -12,23 +12,15 @@
 * 2 of the License, or (at your option) any later version.
 */
+#include <linux/of.h>   /* linux/of.h gets to determine #include ordering */
 #ifndef _ASM_MICROBLAZE_PROM_H
 #define _ASM_MICROBLAZE_PROM_H
 #ifdef __KERNEL__
-/* Definitions used by the flattened device tree */
-#define OF_DT_HEADER            0xd00dfeed /* marker */
-#define OF_DT_BEGIN_NODE        0x1 /* Start of node, full name */
-#define OF_DT_END_NODE          0x2 /* End node */
-#define OF_DT_PROP              0x3 /* Property: name off, size, content */
-#define OF_DT_NOP               0x4 /* nop */
-#define OF_DT_END               0x9
-#define OF_DT_VERSION           0x10
 #ifndef __ASSEMBLY__
 #include <linux/types.h>
+#include <linux/of_fdt.h>
 #include <linux/proc_fs.h>
 #include <linux/platform_device.h>
 #include <asm/irq.h>
@@ -41,122 +33,19 @@
 #define of_prop_cmp(s1, s2)             strcmp((s1), (s2))
 #define of_node_cmp(s1, s2)             strcasecmp((s1), (s2))
-/*
- * This is what gets passed to the kernel by prom_init or kexec
- *
- * The dt struct contains the device tree structure, full pathes and
- * property contents. The dt strings contain a separate block with just
- * the strings for the property names, and is fully page aligned and
- * self contained in a page, so that it can be kept around by the kernel,
- * each property name appears only once in this page (cheap compression)
- *
- * the mem_rsvmap contains a map of reserved ranges of physical memory,
- * passing it here instead of in the device-tree itself greatly simplifies
- * the job of everybody. It's just a list of u64 pairs (base/size) that
- * ends when size is 0
- */
-struct boot_param_header {
-        u32     magic; /* magic word OF_DT_HEADER */
-        u32     totalsize; /* total size of DT block */
-        u32     off_dt_struct; /* offset to structure */
-        u32     off_dt_strings; /* offset to strings */
-        u32     off_mem_rsvmap; /* offset to memory reserve map */
-        u32     version; /* format version */
-        u32     last_comp_version; /* last compatible version */
-        /* version 2 fields below */
-        u32     boot_cpuid_phys; /* Physical CPU id we're booting on */
-        /* version 3 fields below */
-        u32     dt_strings_size; /* size of the DT strings block */
-        /* version 17 fields below */
-        u32     dt_struct_size; /* size of the DT structure block */
-};
-typedef u32 phandle;
-typedef u32 ihandle;
-struct property {
-        char    *name;
-        int     length;
-        void    *value;
-        struct property *next;
-};
-struct device_node {
-        const char *name;
-        const char *type;
-        phandle node;
-        phandle linux_phandle;
-        char    *full_name;
-        struct  property *properties;
-        struct  property *deadprops; /* removed properties */
-        struct  device_node *parent;
-        struct  device_node *child;
-        struct  device_node *sibling;
-        struct  device_node *next; /* next device of same type */
-        struct  device_node *allnext; /* next in list of all nodes */
-        struct  proc_dir_entry *pde; /* this node's proc directory */
-        struct  kref kref;
-        unsigned long _flags;
-        void    *data;
-};
 extern struct device_node *of_chosen;
-static inline int of_node_check_flag(struct device_node *n, unsigned long flag)
-{
-        return test_bit(flag, &n->_flags);
-}
-static inline void of_node_set_flag(struct device_node *n, unsigned long flag)
-{
-        set_bit(flag, &n->_flags);
-}
 #define HAVE_ARCH_DEVTREE_FIXUPS
-static inline void set_node_proc_entry(struct device_node *dn,
-                                        struct proc_dir_entry *de)
-{
-        dn->pde = de;
-}
 extern struct device_node *allnodes;    /* temporary while merging */
 extern rwlock_t devtree_lock;   /* temporary while merging */
-extern struct device_node *of_find_all_nodes(struct device_node *prev);
-extern struct device_node *of_node_get(struct device_node *node);
-extern void of_node_put(struct device_node *node);
-/* For scanning the flat device-tree at boot time */
-extern int __init of_scan_flat_dt(int (*it)(unsigned long node,
-                                        const char *uname, int depth,
-                                        void *data),
-                                void *data);
-extern void *__init of_get_flat_dt_prop(unsigned long node, const char *name,
-                                        unsigned long *size);
-extern int __init
-                of_flat_dt_is_compatible(unsigned long node, const char *name);
-extern unsigned long __init of_get_flat_dt_root(void);
 /* For updating the device tree at runtime */
 extern void of_attach_node(struct device_node *);
 extern void of_detach_node(struct device_node *);
 /* Other Prototypes */
-extern void finish_device_tree(void);
-extern void unflatten_device_tree(void);
 extern int early_uartlite_console(void);
-extern void early_init_devtree(void *);
-extern int machine_is_compatible(const char *compat);
-extern void print_properties(struct device_node *node);
-extern int prom_n_intr_cells(struct device_node *np);
-extern void prom_get_irq_senses(unsigned char *senses, int off, int max);
-extern int prom_add_property(struct device_node *np, struct property *prop);
-extern int prom_remove_property(struct device_node *np, struct property *prop);
-extern int prom_update_property(struct device_node *np,
-                                struct property *newprop,
-                                struct property *oldprop);
 extern struct resource *request_OF_resource(struct device_node *node,
                                int index, const char *name_postfix);
@@ -166,18 +55,6 @@ extern int release_OF_resource(struct device_node *node, int index);
 * OF address retreival & translation
 */
-/* Helper to read a big number; size is in cells (not bytes) */
-static inline u64 of_read_number(const u32 *cell, int size)
-{
-        u64 r = 0;
-        while (size--)
-                r = (r << 32) | *(cell++);
-        return r;
-}
-/* Like of_read_number, but we want an unsigned long result */
-#define of_read_ulong(cell, size)       of_read_number(cell, size)
 /* Translate an OF address block into a CPU physical address
 */
 extern u64 of_translate_address(struct device_node *np, const u32 *addr);
@@ -305,12 +182,6 @@ extern int of_irq_to_resource(struct device_node *dev, int index,
 */
 extern void __iomem *of_iomap(struct device_node *device, int index);
-/*
- * NB: This is here while we transition from using asm/prom.h
- * to linux/of.h
- */
-#include <linux/of.h>
 #endif /* __ASSEMBLY__ */
 #endif /* __KERNEL__ */
 #endif /* _ASM_MICROBLAZE_PROM_H */
diff --git a/arch/microblaze/kernel/head.S b/arch/microblaze/kernel/head.S
index 697ce3007f30..30916193fcc7 100644
--- a/arch/microblaze/kernel/head.S
+++ b/arch/microblaze/kernel/head.S
@@ -31,7 +31,7 @@
 #include <linux/linkage.h>
 #include <asm/thread_info.h>
 #include <asm/page.h>
-#include <asm/prom.h>           /* for OF_DT_HEADER */
+#include <linux/of_fdt.h>               /* for OF_DT_HEADER */
 #ifdef CONFIG_MMU
 #include <asm/setup.h> /* COMMAND_LINE_SIZE */
diff --git a/arch/microblaze/kernel/prom.c b/arch/microblaze/kernel/prom.c
index c005cc6f1aaf..b817df172aa9 100644
--- a/arch/microblaze/kernel/prom.c
+++ b/arch/microblaze/kernel/prom.c
@@ -860,29 +860,6 @@ struct device_node *of_find_node_by_phandle(phandle handle)
 EXPORT_SYMBOL(of_find_node_by_phandle);
 /**
- *      of_find_all_nodes - Get next node in global list
- *      @prev:  Previous node or NULL to start iteration
- *              of_node_put() will be called on it
- *
- *      Returns a node pointer with refcount incremented, use
- *      of_node_put() on it when done.
- */
-struct device_node *of_find_all_nodes(struct device_node *prev)
-{
-        struct device_node *np;
-        read_lock(&devtree_lock);
-        np = prev ? prev->allnext : allnodes;
-        for (; np != NULL; np = np->allnext)
-                if (of_node_get(np))
-                        break;
-        of_node_put(prev);
-        read_unlock(&devtree_lock);
-        return np;
-}
-EXPORT_SYMBOL(of_find_all_nodes);
-/**
 *      of_node_get - Increment refcount of a node
 *      @node:  Node to inc refcount, NULL is supported to
 *              simplify writing of callers
diff --git a/arch/microblaze/kernel/syscall_table.S b/arch/microblaze/kernel/syscall_table.S
index ecec19155135..c1ab1dc10898 100644
--- a/arch/microblaze/kernel/syscall_table.S
+++ b/arch/microblaze/kernel/syscall_table.S
@@ -371,3 +371,4 @@ ENTRY(sys_call_table)
        .long sys_ni_syscall
        .long sys_rt_tgsigqueueinfo     /* 365 */
        .long sys_perf_event_open
+        .long sys_recvmmsg
diff --git a/arch/mips/include/asm/socket.h b/arch/mips/include/asm/socket.h
index ae05accd9fe4..9de5190f2487 100644
--- a/arch/mips/include/asm/socket.h
+++ b/arch/mips/include/asm/socket.h
@@ -80,6 +80,8 @@ To add: #define SO_REUSEPORT 0x0200	/* Allow local address and port reuse.  */
 #define SO_TIMESTAMPING         37
 #define SCM_TIMESTAMPING        SO_TIMESTAMPING
+#define SO_RXQ_OVFL             40
 #ifdef __KERNEL__
 /** sock_type - Socket types
diff --git a/arch/mips/include/asm/unistd.h b/arch/mips/include/asm/unistd.h
index 8c9dfa9e9018..65c679ecbe6b 100644
--- a/arch/mips/include/asm/unistd.h
+++ b/arch/mips/include/asm/unistd.h
@@ -355,16 +355,17 @@
 #define __NR_rt_tgsigqueueinfo          (__NR_Linux + 332)
 #define __NR_perf_event_open            (__NR_Linux + 333)
 #define __NR_accept4                    (__NR_Linux + 334)
+#define __NR_recvmmsg                   (__NR_Linux + 335)
 /*
 * Offset of the last Linux o32 flavoured syscall
 */
-#define __NR_Linux_syscalls             334
+#define __NR_Linux_syscalls             335
 #endif /* _MIPS_SIM == _MIPS_SIM_ABI32 */
 #define __NR_O32_Linux                  4000
-#define __NR_O32_Linux_syscalls         334
+#define __NR_O32_Linux_syscalls         335
 #if _MIPS_SIM == _MIPS_SIM_ABI64
@@ -666,16 +667,17 @@
 #define __NR_rt_tgsigqueueinfo          (__NR_Linux + 291)
 #define __NR_perf_event_open            (__NR_Linux + 292)
 #define __NR_accept4                    (__NR_Linux + 293)
+#define __NR_recvmmsg                   (__NR_Linux + 294)
 /*
 * Offset of the last Linux 64-bit flavoured syscall
 */
-#define __NR_Linux_syscalls             293
+#define __NR_Linux_syscalls             294
 #endif /* _MIPS_SIM == _MIPS_SIM_ABI64 */
 #define __NR_64_Linux                   5000
-#define __NR_64_Linux_syscalls          293
+#define __NR_64_Linux_syscalls          294
 #if _MIPS_SIM == _MIPS_SIM_NABI32
@@ -981,16 +983,17 @@
 #define __NR_rt_tgsigqueueinfo          (__NR_Linux + 295)
 #define __NR_perf_event_open            (__NR_Linux + 296)
 #define __NR_accept4                    (__NR_Linux + 297)
+#define __NR_recvmmsg                   (__NR_Linux + 298)
 /*
 * Offset of the last N32 flavoured syscall
 */
-#define __NR_Linux_syscalls             297
+#define __NR_Linux_syscalls             298
 #endif /* _MIPS_SIM == _MIPS_SIM_NABI32 */
 #define __NR_N32_Linux                  6000
-#define __NR_N32_Linux_syscalls         297
+#define __NR_N32_Linux_syscalls         298
 #ifdef __KERNEL__
diff --git a/arch/mips/kernel/linux32.c b/arch/mips/kernel/linux32.c
index b77fefaff9da..1a2793efdc4e 100644
--- a/arch/mips/kernel/linux32.c
+++ b/arch/mips/kernel/linux32.c
@@ -265,67 +265,6 @@ SYSCALL_DEFINE5(n32_msgrcv, int, msqid, u32, msgp, size_t, msgsz,
 }
 #endif
-struct sysctl_args32
-{
-        compat_caddr_t name;
-        int nlen;
-        compat_caddr_t oldval;
-        compat_caddr_t oldlenp;
-        compat_caddr_t newval;
-        compat_size_t newlen;
-        unsigned int __unused[4];
-};
-#ifdef CONFIG_SYSCTL_SYSCALL
-SYSCALL_DEFINE1(32_sysctl, struct sysctl_args32 __user *, args)
-{
-        struct sysctl_args32 tmp;
-        int error;
-        size_t oldlen;
-        size_t __user *oldlenp = NULL;
-        unsigned long addr = (((unsigned long)&args->__unused[0]) + 7) & ~7;
-        if (copy_from_user(&tmp, args, sizeof(tmp)))
-                return -EFAULT;
-        if (tmp.oldval && tmp.oldlenp) {
-                /* Duh, this is ugly and might not work if sysctl_args
-                   is in read-only memory, but do_sysctl does indirectly
-                   a lot of uaccess in both directions and we'd have to
-                   basically copy the whole sysctl.c here, and
-                   glibc's __sysctl uses rw memory for the structure
-                   anyway.  */
-                if (get_user(oldlen, (u32 __user *)A(tmp.oldlenp)) ||
-                    put_user(oldlen, (size_t __user *)addr))
-                        return -EFAULT;
-                oldlenp = (size_t __user *)addr;
-        }
-        lock_kernel();
-        error = do_sysctl((int __user *)A(tmp.name), tmp.nlen, (void __user *)A(tmp.oldval),
-                          oldlenp, (void __user *)A(tmp.newval), tmp.newlen);
-        unlock_kernel();
-        if (oldlenp) {
-                if (!error) {
-                        if (get_user(oldlen, (size_t __user *)addr) ||
-                            put_user(oldlen, (u32 __user *)A(tmp.oldlenp)))
-                                error = -EFAULT;
-                }
-                copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
-        }
-        return error;
-}
-#else
-SYSCALL_DEFINE1(32_sysctl, struct sysctl_args32 __user *, args)
-{
-        return -ENOSYS;
-}
-#endif /* CONFIG_SYSCTL_SYSCALL */
 SYSCALL_DEFINE1(32_newuname, struct new_utsname __user *, name)
 {
        int ret = 0;
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index fd2a9bb620d6..17202bbe843f 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -583,6 +583,7 @@ einval:	li	v0, -ENOSYS
        sys     sys_rt_tgsigqueueinfo   4
        sys     sys_perf_event_open     5
        sys     sys_accept4             4
+        sys     sys_recvmmsg            5
        .endm
        /* We pre-compute the number of _instruction_ bytes needed to
diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
index 18bf7f32c5e4..a8a6c596eb04 100644
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -420,4 +420,5 @@ sys_call_table:
        PTR     sys_rt_tgsigqueueinfo
        PTR     sys_perf_event_open
        PTR     sys_accept4
+        PTR     sys_recvmmsg
        .size   sys_call_table,.-sys_call_table
diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
index 6ebc07976694..66b5a48676dd 100644
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -272,7 +272,7 @@ EXPORT(sysn32_call_table)
        PTR     sys_munlockall
        PTR     sys_vhangup                     /* 6150 */
        PTR     sys_pivot_root
-        PTR     sys_32_sysctl
+        PTR     compat_sys_sysctl
        PTR     sys_prctl
        PTR     compat_sys_adjtimex
        PTR     compat_sys_setrlimit            /* 6155 */
@@ -418,4 +418,5 @@ EXPORT(sysn32_call_table)
        PTR     compat_sys_rt_tgsigqueueinfo    /* 5295 */
        PTR     sys_perf_event_open
        PTR     sys_accept4
+        PTR     compat_sys_recvmmsg
        .size   sysn32_call_table,.-sysn32_call_table
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 14dde4ca932e..515f9eab2b28 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -356,7 +356,7 @@ sys_call_table:
        PTR     sys_ni_syscall                  /* 4150 */
        PTR     sys_getsid
        PTR     sys_fdatasync
-        PTR     sys_32_sysctl
+        PTR     compat_sys_sysctl
        PTR     sys_mlock
        PTR     sys_munlock                     /* 4155 */
        PTR     sys_mlockall
@@ -538,4 +538,5 @@ sys_call_table:
        PTR     compat_sys_rt_tgsigqueueinfo
        PTR     sys_perf_event_open
        PTR     sys_accept4
+        PTR     compat_sys_recvmmsg
        .size   sys_call_table,.-sys_call_table
diff --git a/arch/mips/lasat/sysctl.c b/arch/mips/lasat/sysctl.c
index b3deed8db619..14b9a28a4aec 100644
--- a/arch/mips/lasat/sysctl.c
+++ b/arch/mips/lasat/sysctl.c
@@ -37,23 +37,6 @@
 #include "ds1603.h"
 #endif
-/* Strategy function to write EEPROM after changing string entry */
-int sysctl_lasatstring(ctl_table *table,
-                void *oldval, size_t *oldlenp,
-                void *newval, size_t newlen)
-{
-        int r;
-        r = sysctl_string(table, oldval, oldlenp, newval, newlen);
-        if (r < 0)
-                return r;
-        if (newval && newlen)
-                lasat_write_eeprom_info();
-        return 0;
-}
 /* And the same for proc */
 int proc_dolasatstring(ctl_table *table, int write,
@@ -113,46 +96,6 @@ int proc_dolasatrtc(ctl_table *table, int write,
 }
 #endif
-/* Sysctl for setting the IP addresses */
-int sysctl_lasat_intvec(ctl_table *table,
-                    void *oldval, size_t *oldlenp,
-                    void *newval, size_t newlen)
-{
-        int r;
-        r = sysctl_intvec(table, oldval, oldlenp, newval, newlen);
-        if (r < 0)
-                return r;
-        if (newval && newlen)
-                lasat_write_eeprom_info();
-        return 0;
-}
-#ifdef CONFIG_DS1603
-/* Same for RTC */
-int sysctl_lasat_rtc(ctl_table *table,
-                    void *oldval, size_t *oldlenp,
-                    void *newval, size_t newlen)
-{
-        struct timespec ts;
-        int r;
-        read_persistent_clock(&ts);
-        rtctmp = ts.tv_sec;
-        if (rtctmp < 0)
-                rtctmp = 0;
-        r = sysctl_intvec(table, oldval, oldlenp, newval, newlen);
-        if (r < 0)
-                return r;
-        if (newval && newlen)
-                rtc_mips_set_mmss(rtctmp);
-        return r;
-}
-#endif
 #ifdef CONFIG_INET
 int proc_lasat_ip(ctl_table *table, int write,
                       void *buffer, size_t *lenp, loff_t *ppos)
@@ -214,23 +157,6 @@ int proc_lasat_ip(ctl_table *table, int write,
 }
 #endif
-static int sysctl_lasat_prid(ctl_table *table,
-                                     void *oldval, size_t *oldlenp,
-                                     void *newval, size_t newlen)
-{
-        int r;
-        r = sysctl_intvec(table, oldval, oldlenp, newval, newlen);
-        if (r < 0)
-                return r;
-        if (newval && newlen) {
-                lasat_board_info.li_eeprom_info.prid = *(int *)newval;
-                lasat_write_eeprom_info();
-                lasat_init_board_info();
-        }
-        return 0;
-}
 int proc_lasat_prid(ctl_table *table, int write,
                       void *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -252,115 +178,92 @@ extern int lasat_boot_to_service;
 static ctl_table lasat_table[] = {
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "cpu-hz",
                .data           = &lasat_board_info.li_cpu_hz,
                .maxlen         = sizeof(int),
                .mode           = 0444,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
-                .strategy       = &sysctl_intvec
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "bus-hz",
                .data           = &lasat_board_info.li_bus_hz,
                .maxlen         = sizeof(int),
                .mode           = 0444,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
-                .strategy       = &sysctl_intvec
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "bmid",
                .data           = &lasat_board_info.li_bmid,
                .maxlen         = sizeof(int),
                .mode           = 0444,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
-                .strategy       = &sysctl_intvec
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "prid",
                .data           = &lasat_board_info.li_prid,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_lasat_prid,
+                .proc_handler   = proc_lasat_prid,
-                .strategy       = &sysctl_lasat_prid
+.       },
-        },
 #ifdef CONFIG_INET
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "ipaddr",
                .data           = &lasat_board_info.li_eeprom_info.ipaddr,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_lasat_ip,
+                .proc_handler   = proc_lasat_ip,
-                .strategy       = &sysctl_lasat_intvec
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "netmask",
                .data           = &lasat_board_info.li_eeprom_info.netmask,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_lasat_ip,
+                .proc_handler   = proc_lasat_ip,
-                .strategy       = &sysctl_lasat_intvec
        },
 #endif
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "passwd_hash",
                .data           = &lasat_board_info.li_eeprom_info.passwd_hash,
                .maxlen         =
                        sizeof(lasat_board_info.li_eeprom_info.passwd_hash),
                .mode           = 0600,
-                .proc_handler   = &proc_dolasatstring,
+                .proc_handler   = proc_dolasatstring,
-                .strategy       = &sysctl_lasatstring
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "boot-service",
                .data           = &lasat_boot_to_service,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
-                .strategy       = &sysctl_intvec
        },
 #ifdef CONFIG_DS1603
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "rtc",
                .data           = &rtctmp,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_dolasatrtc,
+                .proc_handler   = proc_dolasatrtc,
-                .strategy       = &sysctl_lasat_rtc
        },
 #endif
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "namestr",
                .data           = &lasat_board_info.li_namestr,
                .maxlen         = sizeof(lasat_board_info.li_namestr),
                .mode           = 0444,
-                .proc_handler   = &proc_dostring,
+                .proc_handler   = proc_dostring,
-                .strategy       = &sysctl_string
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "typestr",
                .data           = &lasat_board_info.li_typestr,
                .maxlen         = sizeof(lasat_board_info.li_typestr),
                .mode           = 0444,
-                .proc_handler   = &proc_dostring,
+                .proc_handler   = proc_dostring,
-                .strategy       = &sysctl_string
        },
        {}
 };
 static ctl_table lasat_root_table[] = {
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "lasat",
                .mode           =  0555,
                .child          = lasat_table
diff --git a/arch/mn10300/include/asm/socket.h b/arch/mn10300/include/asm/socket.h
index 4df75af29d76..4e60c4281288 100644
--- a/arch/mn10300/include/asm/socket.h
+++ b/arch/mn10300/include/asm/socket.h
@@ -60,4 +60,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_SOCKET_H */
diff --git a/arch/parisc/include/asm/socket.h b/arch/parisc/include/asm/socket.h
index 960b1e5d8e16..225b7d6a1a0a 100644
--- a/arch/parisc/include/asm/socket.h
+++ b/arch/parisc/include/asm/socket.h
@@ -59,6 +59,8 @@
 #define SO_TIMESTAMPING         0x4020
 #define SCM_TIMESTAMPING        SO_TIMESTAMPING
+#define SO_RXQ_OVFL             0x4021
 /* O_NONBLOCK clashes with the bits used for socket types.  Therefore we
 * have to define SOCK_NONBLOCK to a different value here.
 */
diff --git a/arch/parisc/kernel/sys_parisc32.c b/arch/parisc/kernel/sys_parisc32.c
index 561388b17c91..76d23ec8dfaa 100644
--- a/arch/parisc/kernel/sys_parisc32.c
+++ b/arch/parisc/kernel/sys_parisc32.c
@@ -90,77 +90,6 @@ asmlinkage long sys32_unimplemented(int r26, int r25, int r24, int r23,
    return -ENOSYS;
 }
-#ifdef CONFIG_SYSCTL
-struct __sysctl_args32 {
-        u32 name;
-        int nlen;
-        u32 oldval;
-        u32 oldlenp;
-        u32 newval;
-        u32 newlen;
-        u32 __unused[4];
-};
-asmlinkage long sys32_sysctl(struct __sysctl_args32 __user *args)
-{
-#ifndef CONFIG_SYSCTL_SYSCALL
-        return -ENOSYS;
-#else
-        struct __sysctl_args32 tmp;
-        int error;
-        unsigned int oldlen32;
-        size_t oldlen, __user *oldlenp = NULL;
-        unsigned long addr = (((long __force)&args->__unused[0]) + 7) & ~7;
-        DBG(("sysctl32(%p)\n", args));
-        if (copy_from_user(&tmp, args, sizeof(tmp)))
-                return -EFAULT;
-        if (tmp.oldval && tmp.oldlenp) {
-                /* Duh, this is ugly and might not work if sysctl_args
-                   is in read-only memory, but do_sysctl does indirectly
-                   a lot of uaccess in both directions and we'd have to
-                   basically copy the whole sysctl.c here, and
-                   glibc's __sysctl uses rw memory for the structure
-                   anyway.  */
-                /* a possibly better hack than this, which will avoid the
-                 * problem if the struct is read only, is to push the
-                 * 'oldlen' value out to the user's stack instead. -PB
-                 */
-                if (get_user(oldlen32, (u32 *)(u64)tmp.oldlenp))
-                        return -EFAULT;
-                oldlen = oldlen32;
-                if (put_user(oldlen, (size_t *)addr))
-                        return -EFAULT;
-                oldlenp = (size_t *)addr;
-        }
-        lock_kernel();
-        error = do_sysctl((int __user *)(u64)tmp.name, tmp.nlen,
-                          (void __user *)(u64)tmp.oldval, oldlenp,
-                          (void __user *)(u64)tmp.newval, tmp.newlen);
-        unlock_kernel();
-        if (oldlenp) {
-                if (!error) {
-                        if (get_user(oldlen, (size_t *)addr)) {
-                                error = -EFAULT;
-                        } else {
-                                oldlen32 = oldlen;
-                                if (put_user(oldlen32, (u32 *)(u64)tmp.oldlenp))
-                                        error = -EFAULT;
-                        }
-                }
-                if (copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
-                        error = -EFAULT;
-        }
-        return error;
-#endif
-}
-#endif /* CONFIG_SYSCTL */
 asmlinkage long sys32_sched_rr_get_interval(pid_t pid,
        struct compat_timespec __user *interval)
 {
diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S
index 843f423dec67..01c4fcf8f481 100644
--- a/arch/parisc/kernel/syscall_table.S
+++ b/arch/parisc/kernel/syscall_table.S
@@ -234,7 +234,7 @@
        ENTRY_SAME(getsid)
        ENTRY_SAME(fdatasync)
        /* struct __sysctl_args is a mess */
-        ENTRY_DIFF(sysctl)
+        ENTRY_COMP(sysctl)
        ENTRY_SAME(mlock)               /* 150 */
        ENTRY_SAME(munlock)
        ENTRY_SAME(mlockall)
diff --git a/arch/powerpc/include/asm/pmac_low_i2c.h b/arch/powerpc/include/asm/pmac_low_i2c.h
index 131011bd7e76..01d71826d92f 100644
--- a/arch/powerpc/include/asm/pmac_low_i2c.h
+++ b/arch/powerpc/include/asm/pmac_low_i2c.h
@@ -72,11 +72,7 @@ extern int pmac_i2c_get_type(struct pmac_i2c_bus *bus);
 extern int pmac_i2c_get_flags(struct pmac_i2c_bus *bus);
 extern int pmac_i2c_get_channel(struct pmac_i2c_bus *bus);
-/* i2c layer adapter attach/detach */
+/* i2c layer adapter helpers */
-extern void pmac_i2c_attach_adapter(struct pmac_i2c_bus *bus,
-                                    struct i2c_adapter *adapter);
-extern void pmac_i2c_detach_adapter(struct pmac_i2c_bus *bus,
-                                    struct i2c_adapter *adapter);
 extern struct i2c_adapter *pmac_i2c_get_adapter(struct pmac_i2c_bus *bus);
 extern struct pmac_i2c_bus *pmac_i2c_adapter_to_bus(struct i2c_adapter *adapter);
diff --git a/arch/powerpc/include/asm/prom.h b/arch/powerpc/include/asm/prom.h
index 6ff04185d2aa..2ab9cbd98826 100644
--- a/arch/powerpc/include/asm/prom.h
+++ b/arch/powerpc/include/asm/prom.h
@@ -1,3 +1,4 @@
+#include <linux/of.h>   /* linux/of.h gets to determine #include ordering */
 #ifndef _POWERPC_PROM_H
 #define _POWERPC_PROM_H
 #ifdef __KERNEL__
@@ -16,6 +17,7 @@
 * 2 of the License, or (at your option) any later version.
 */
 #include <linux/types.h>
+#include <linux/of_fdt.h>
 #include <linux/proc_fs.h>
 #include <linux/platform_device.h>
 #include <asm/irq.h>
@@ -28,133 +30,14 @@
 #define of_prop_cmp(s1, s2)             strcmp((s1), (s2))
 #define of_node_cmp(s1, s2)             strcasecmp((s1), (s2))
-/* Definitions used by the flattened device tree */
-#define OF_DT_HEADER            0xd00dfeed      /* marker */
-#define OF_DT_BEGIN_NODE        0x1             /* Start of node, full name */
-#define OF_DT_END_NODE          0x2             /* End node */
-#define OF_DT_PROP              0x3             /* Property: name off, size,
-                                                 * content */
-#define OF_DT_NOP               0x4             /* nop */
-#define OF_DT_END               0x9
-#define OF_DT_VERSION           0x10
-/*
- * This is what gets passed to the kernel by prom_init or kexec
- *
- * The dt struct contains the device tree structure, full pathes and
- * property contents. The dt strings contain a separate block with just
- * the strings for the property names, and is fully page aligned and
- * self contained in a page, so that it can be kept around by the kernel,
- * each property name appears only once in this page (cheap compression)
- *
- * the mem_rsvmap contains a map of reserved ranges of physical memory,
- * passing it here instead of in the device-tree itself greatly simplifies
- * the job of everybody. It's just a list of u64 pairs (base/size) that
- * ends when size is 0
- */
-struct boot_param_header
-{
-        u32     magic;                  /* magic word OF_DT_HEADER */
-        u32     totalsize;              /* total size of DT block */
-        u32     off_dt_struct;          /* offset to structure */
-        u32     off_dt_strings;         /* offset to strings */
-        u32     off_mem_rsvmap;         /* offset to memory reserve map */
-        u32     version;                /* format version */
-        u32     last_comp_version;      /* last compatible version */
-        /* version 2 fields below */
-        u32     boot_cpuid_phys;        /* Physical CPU id we're booting on */
-        /* version 3 fields below */
-        u32     dt_strings_size;        /* size of the DT strings block */
-        /* version 17 fields below */
-        u32     dt_struct_size;         /* size of the DT structure block */
-};
-typedef u32 phandle;
-typedef u32 ihandle;
-struct property {
-        char    *name;
-        int     length;
-        void    *value;
-        struct property *next;
-};
-struct device_node {
-        const char *name;
-        const char *type;
-        phandle node;
-        phandle linux_phandle;
-        char    *full_name;
-        struct  property *properties;
-        struct  property *deadprops; /* removed properties */
-        struct  device_node *parent;
-        struct  device_node *child;
-        struct  device_node *sibling;
-        struct  device_node *next;      /* next device of same type */
-        struct  device_node *allnext;   /* next in list of all nodes */
-        struct  proc_dir_entry *pde;    /* this node's proc directory */
-        struct  kref kref;
-        unsigned long _flags;
-        void    *data;
-};
 extern struct device_node *of_chosen;
-static inline int of_node_check_flag(struct device_node *n, unsigned long flag)
-{
-        return test_bit(flag, &n->_flags);
-}
-static inline void of_node_set_flag(struct device_node *n, unsigned long flag)
-{
-        set_bit(flag, &n->_flags);
-}
 #define HAVE_ARCH_DEVTREE_FIXUPS
-static inline void set_node_proc_entry(struct device_node *dn, struct proc_dir_entry *de)
-{
-        dn->pde = de;
-}
-extern struct device_node *of_find_all_nodes(struct device_node *prev);
-extern struct device_node *of_node_get(struct device_node *node);
-extern void of_node_put(struct device_node *node);
-/* For scanning the flat device-tree at boot time */
-extern int __init of_scan_flat_dt(int (*it)(unsigned long node,
-                                            const char *uname, int depth,
-                                            void *data),
-                                  void *data);
-extern void* __init of_get_flat_dt_prop(unsigned long node, const char *name,
-                                        unsigned long *size);
-extern int __init of_flat_dt_is_compatible(unsigned long node, const char *name);
-extern unsigned long __init of_get_flat_dt_root(void);
 /* For updating the device tree at runtime */
 extern void of_attach_node(struct device_node *);
 extern void of_detach_node(struct device_node *);
-/* Other Prototypes */
-extern void finish_device_tree(void);
-extern void unflatten_device_tree(void);
-extern void early_init_devtree(void *);
-extern int machine_is_compatible(const char *compat);
-extern void print_properties(struct device_node *node);
-extern int prom_n_intr_cells(struct device_node* np);
-extern void prom_get_irq_senses(unsigned char *senses, int off, int max);
-extern int prom_add_property(struct device_node* np, struct property* prop);
-extern int prom_remove_property(struct device_node *np, struct property *prop);
-extern int prom_update_property(struct device_node *np,
-                                struct property *newprop,
-                                struct property *oldprop);
 #ifdef CONFIG_PPC32
 /*
 * PCI <-> OF matching functions
@@ -178,26 +61,6 @@ extern int release_OF_resource(struct device_node* node, int index);
 * OF address retreival & translation
 */
-/* Helper to read a big number; size is in cells (not bytes) */
-static inline u64 of_read_number(const u32 *cell, int size)
-{
-        u64 r = 0;
-        while (size--)
-                r = (r << 32) | *(cell++);
-        return r;
-}
-/* Like of_read_number, but we want an unsigned long result */
-#ifdef CONFIG_PPC32
-static inline unsigned long of_read_ulong(const u32 *cell, int size)
-{
-        return cell[size-1];
-}
-#else
-#define of_read_ulong(cell, size)       of_read_number(cell, size)
-#endif
 /* Translate an OF address block into a CPU physical address
 */
 extern u64 of_translate_address(struct device_node *np, const u32 *addr);
@@ -349,11 +212,5 @@ extern int of_irq_to_resource(struct device_node *dev, int index,
 */
 extern void __iomem *of_iomap(struct device_node *device, int index);
-/*
- * NB:  This is here while we transition from using asm/prom.h
- * to linux/of.h
- */
-#include <linux/of.h>
 #endif /* __KERNEL__ */
 #endif /* _POWERPC_PROM_H */
diff --git a/arch/powerpc/include/asm/socket.h b/arch/powerpc/include/asm/socket.h
index 3ab8b3e6feb0..866f7606da68 100644
--- a/arch/powerpc/include/asm/socket.h
+++ b/arch/powerpc/include/asm/socket.h
@@ -67,4 +67,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif  /* _ASM_POWERPC_SOCKET_H */
diff --git a/arch/powerpc/kernel/idle.c b/arch/powerpc/kernel/idle.c
index 88d9c1d5e5fb..049dda60e475 100644
--- a/arch/powerpc/kernel/idle.c
+++ b/arch/powerpc/kernel/idle.c
@@ -110,18 +110,16 @@ int powersave_nap;
 */
 static ctl_table powersave_nap_ctl_table[]={
        {
-                .ctl_name       = KERN_PPC_POWERSAVE_NAP,
                .procname       = "powersave-nap",
                .data           = &powersave_nap,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
        },
        {}
 };
 static ctl_table powersave_nap_sysctl_root[] = {
        {
-                .ctl_name       = CTL_KERN,
                .procname       = "kernel",
                .mode           = 0555,
                .child          = powersave_nap_ctl_table,
diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
index d4405b95bfaa..4ec300862466 100644
--- a/arch/powerpc/kernel/prom.c
+++ b/arch/powerpc/kernel/prom.c
@@ -1317,29 +1317,6 @@ struct device_node *of_find_next_cache_node(struct device_node *np)
 }
 /**
- *      of_find_all_nodes - Get next node in global list
- *      @prev:  Previous node or NULL to start iteration
- *              of_node_put() will be called on it
- *
- *      Returns a node pointer with refcount incremented, use
- *      of_node_put() on it when done.
- */
-struct device_node *of_find_all_nodes(struct device_node *prev)
-{
-        struct device_node *np;
-        read_lock(&devtree_lock);
-        np = prev ? prev->allnext : allnodes;
-        for (; np != 0; np = np->allnext)
-                if (of_node_get(np))
-                        break;
-        of_node_put(prev);
-        read_unlock(&devtree_lock);
-        return np;
-}
-EXPORT_SYMBOL(of_find_all_nodes);
-/**
 *      of_node_get - Increment refcount of a node
 *      @node:  Node to inc refcount, NULL is supported to
 *              simplify writing of callers
diff --git a/arch/powerpc/kernel/sys_ppc32.c b/arch/powerpc/kernel/sys_ppc32.c
index b97c2d67f4ac..c5a4732bcc48 100644
--- a/arch/powerpc/kernel/sys_ppc32.c
+++ b/arch/powerpc/kernel/sys_ppc32.c
@@ -520,58 +520,6 @@ asmlinkage long compat_sys_umask(u32 mask)
        return sys_umask((int)mask);
 }
-#ifdef CONFIG_SYSCTL_SYSCALL
-struct __sysctl_args32 {
-        u32 name;
-        int nlen;
-        u32 oldval;
-        u32 oldlenp;
-        u32 newval;
-        u32 newlen;
-        u32 __unused[4];
-};
-asmlinkage long compat_sys_sysctl(struct __sysctl_args32 __user *args)
-{
-        struct __sysctl_args32 tmp;
-        int error;
-        size_t oldlen;
-        size_t __user *oldlenp = NULL;
-        unsigned long addr = (((unsigned long)&args->__unused[0]) + 7) & ~7;
-        if (copy_from_user(&tmp, args, sizeof(tmp)))
-                return -EFAULT;
-        if (tmp.oldval && tmp.oldlenp) {
-                /* Duh, this is ugly and might not work if sysctl_args
-                   is in read-only memory, but do_sysctl does indirectly
-                   a lot of uaccess in both directions and we'd have to
-                   basically copy the whole sysctl.c here, and
-                   glibc's __sysctl uses rw memory for the structure
-                   anyway.  */
-                oldlenp = (size_t __user *)addr;
-                if (get_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
-                    put_user(oldlen, oldlenp))
-                        return -EFAULT;
-        }
-        lock_kernel();
-        error = do_sysctl(compat_ptr(tmp.name), tmp.nlen,
-                          compat_ptr(tmp.oldval), oldlenp,
-                          compat_ptr(tmp.newval), tmp.newlen);
-        unlock_kernel();
-        if (oldlenp) {
-                if (!error) {
-                        if (get_user(oldlen, oldlenp) ||
-                            put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
-                                error = -EFAULT;
-                }
-                copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
-        }
-        return error;
-}
-#endif
 unsigned long compat_sys_mmap2(unsigned long addr, size_t len,
                          unsigned long prot, unsigned long flags,
                          unsigned long fd, unsigned long pgoff)
diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
index 2a4551f78f60..5902bbc2411e 100644
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -78,8 +78,9 @@ int kvmppc_emulate_mmio(struct kvm_run *run, struct kvm_vcpu *vcpu)
        return r;
 }
-void kvm_arch_hardware_enable(void *garbage)
+int kvm_arch_hardware_enable(void *garbage)
 {
+        return 0;
 }
 void kvm_arch_hardware_disable(void *garbage)
@@ -421,7 +422,7 @@ long kvm_arch_vm_ioctl(struct file *filp,
        switch (ioctl) {
        default:
-                r = -EINVAL;
+                r = -ENOTTY;
        }
        return r;
diff --git a/arch/powerpc/kvm/timing.h b/arch/powerpc/kvm/timing.h
index 806ef67868bd..8167d42a776f 100644
--- a/arch/powerpc/kvm/timing.h
+++ b/arch/powerpc/kvm/timing.h
@@ -51,7 +51,7 @@ static inline void kvmppc_account_exit_stat(struct kvm_vcpu *vcpu, int type)
        /* The BUILD_BUG_ON below breaks in funny ways, commented out
         * for now ... -BenH
-        BUILD_BUG_ON(__builtin_constant_p(type));
+        BUILD_BUG_ON(!__builtin_constant_p(type));
        */
        switch (type) {
        case EXT_INTR_EXITS:
diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c
index 414ca9849f23..345e2da56767 100644
--- a/arch/powerpc/platforms/powermac/low_i2c.c
+++ b/arch/powerpc/platforms/powermac/low_i2c.c
@@ -42,6 +42,7 @@
 #include <linux/interrupt.h>
 #include <linux/timer.h>
 #include <linux/mutex.h>
+#include <linux/i2c.h>
 #include <asm/keylargo.h>
 #include <asm/uninorth.h>
 #include <asm/io.h>
@@ -80,7 +81,7 @@ struct pmac_i2c_bus
        struct device_node      *busnode;
        int                     type;
        int                     flags;
-        struct i2c_adapter      *adapter;
+        struct i2c_adapter      adapter;
        void                    *hostdata;
        int                     channel;        /* some hosts have multiple */
        int                     mode;           /* current mode */
@@ -1014,25 +1015,9 @@ int pmac_i2c_get_channel(struct pmac_i2c_bus *bus)
 EXPORT_SYMBOL_GPL(pmac_i2c_get_channel);
-void pmac_i2c_attach_adapter(struct pmac_i2c_bus *bus,
-                             struct i2c_adapter *adapter)
-{
-        WARN_ON(bus->adapter != NULL);
-        bus->adapter = adapter;
-}
-EXPORT_SYMBOL_GPL(pmac_i2c_attach_adapter);
-void pmac_i2c_detach_adapter(struct pmac_i2c_bus *bus,
-                             struct i2c_adapter *adapter)
-{
-        WARN_ON(bus->adapter != adapter);
-        bus->adapter = NULL;
-}
-EXPORT_SYMBOL_GPL(pmac_i2c_detach_adapter);
 struct i2c_adapter *pmac_i2c_get_adapter(struct pmac_i2c_bus *bus)
 {
-        return bus->adapter;
+        return &bus->adapter;
 }
 EXPORT_SYMBOL_GPL(pmac_i2c_get_adapter);
@@ -1041,7 +1026,7 @@ struct pmac_i2c_bus *pmac_i2c_adapter_to_bus(struct i2c_adapter *adapter)
        struct pmac_i2c_bus *bus;
        list_for_each_entry(bus, &pmac_i2c_busses, link)
-                if (bus->adapter == adapter)
+                if (&bus->adapter == adapter)
                        return bus;
        return NULL;
 }
@@ -1053,7 +1038,7 @@ int pmac_i2c_match_adapter(struct device_node *dev, struct i2c_adapter *adapter)
        if (bus == NULL)
                return 0;
-        return (bus->adapter == adapter);
+        return (&bus->adapter == adapter);
 }
 EXPORT_SYMBOL_GPL(pmac_i2c_match_adapter);
diff --git a/arch/s390/appldata/appldata_base.c b/arch/s390/appldata/appldata_base.c
index b55fd7ed1c31..495589950dc7 100644
--- a/arch/s390/appldata/appldata_base.c
+++ b/arch/s390/appldata/appldata_base.c
@@ -61,12 +61,12 @@ static struct ctl_table appldata_table[] = {
        {
                .procname       = "timer",
                .mode           = S_IRUGO | S_IWUSR,
-                .proc_handler   = &appldata_timer_handler,
+                .proc_handler   = appldata_timer_handler,
        },
        {
                .procname       = "interval",
                .mode           = S_IRUGO | S_IWUSR,
-                .proc_handler   = &appldata_interval_handler,
+                .proc_handler   = appldata_interval_handler,
        },
        { },
 };
diff --git a/arch/s390/appldata/appldata_net_sum.c b/arch/s390/appldata/appldata_net_sum.c
index fa741f84c5b9..4ce7fa95880f 100644
--- a/arch/s390/appldata/appldata_net_sum.c
+++ b/arch/s390/appldata/appldata_net_sum.c
@@ -83,8 +83,9 @@ static void appldata_get_net_sum_data(void *data)
        rx_dropped = 0;
        tx_dropped = 0;
        collisions = 0;
-        read_lock(&dev_base_lock);
-        for_each_netdev(&init_net, dev) {
+        rcu_read_lock();
+        for_each_netdev_rcu(&init_net, dev) {
                const struct net_device_stats *stats = dev_get_stats(dev);
                rx_packets += stats->rx_packets;
@@ -98,7 +99,8 @@ static void appldata_get_net_sum_data(void *data)
                collisions += stats->collisions;
                i++;
        }
-        read_unlock(&dev_base_lock);
+        rcu_read_unlock();
        net_data->nr_interfaces = i;
        net_data->rx_packets = rx_packets;
        net_data->tx_packets = tx_packets;
diff --git a/arch/s390/include/asm/kvm.h b/arch/s390/include/asm/kvm.h
index 3dfcaeb5d7f4..82b32a100c7d 100644
--- a/arch/s390/include/asm/kvm.h
+++ b/arch/s390/include/asm/kvm.h
@@ -1,6 +1,5 @@
 #ifndef __LINUX_KVM_S390_H
 #define __LINUX_KVM_S390_H
 /*
 * asm-s390/kvm.h - KVM s390 specific structures and definitions
 *
@@ -15,6 +14,8 @@
 */
 #include <linux/types.h>
+#define __KVM_S390
 /* for KVM_GET_REGS and KVM_SET_REGS */
 struct kvm_regs {
        /* general purpose regs for s390 */
diff --git a/arch/s390/include/asm/socket.h b/arch/s390/include/asm/socket.h
index e42df89a0b85..fdff1e995c73 100644
--- a/arch/s390/include/asm/socket.h
+++ b/arch/s390/include/asm/socket.h
@@ -68,4 +68,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif /* _ASM_SOCKET_H */
diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c
index 0debcec23a39..fda1a8123f9b 100644
--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -527,59 +527,6 @@ asmlinkage long sys32_sendfile64(int out_fd, int in_fd,
        return ret;
 }
-#ifdef CONFIG_SYSCTL_SYSCALL
-struct __sysctl_args32 {
-        u32 name;
-        int nlen;
-        u32 oldval;
-        u32 oldlenp;
-        u32 newval;
-        u32 newlen;
-        u32 __unused[4];
-};
-asmlinkage long sys32_sysctl(struct __sysctl_args32 __user *args)
-{
-        struct __sysctl_args32 tmp;
-        int error;
-        size_t oldlen;
-        size_t __user *oldlenp = NULL;
-        unsigned long addr = (((unsigned long)&args->__unused[0]) + 7) & ~7;
-        if (copy_from_user(&tmp, args, sizeof(tmp)))
-                return -EFAULT;
-        if (tmp.oldval && tmp.oldlenp) {
-                /* Duh, this is ugly and might not work if sysctl_args
-                   is in read-only memory, but do_sysctl does indirectly
-                   a lot of uaccess in both directions and we'd have to
-                   basically copy the whole sysctl.c here, and
-                   glibc's __sysctl uses rw memory for the structure
-                   anyway.  */
-                if (get_user(oldlen, (u32 __user *)compat_ptr(tmp.oldlenp)) ||
-                    put_user(oldlen, (size_t __user *)addr))
-                        return -EFAULT;
-                oldlenp = (size_t __user *)addr;
-        }
-        lock_kernel();
-        error = do_sysctl(compat_ptr(tmp.name), tmp.nlen, compat_ptr(tmp.oldval),
-                          oldlenp, compat_ptr(tmp.newval), tmp.newlen);
-        unlock_kernel();
-        if (oldlenp) {
-                if (!error) {
-                        if (get_user(oldlen, (size_t __user *)addr) ||
-                            put_user(oldlen, (u32 __user *)compat_ptr(tmp.oldlenp)))
-                                error = -EFAULT;
-                }
-                if (copy_to_user(args->__unused, tmp.__unused,
-                                 sizeof(tmp.__unused)))
-                        error = -EFAULT;
-        }
-        return error;
-}
-#endif
 struct stat64_emu31 {
        unsigned long long  st_dev;
        unsigned int    __pad1;
diff --git a/arch/s390/kernel/compat_linux.h b/arch/s390/kernel/compat_linux.h
index c07f9ca05ade..45e9092b3aad 100644
--- a/arch/s390/kernel/compat_linux.h
+++ b/arch/s390/kernel/compat_linux.h
@@ -162,7 +162,6 @@ struct ucontext32 {
        compat_sigset_t         uc_sigmask;     /* mask last for extensibility */
 };
-struct __sysctl_args32;
 struct stat64_emu31;
 struct mmap_arg_struct_emu31;
 struct fadvise64_64_args;
@@ -212,7 +211,6 @@ long sys32_sendfile(int out_fd, int in_fd, compat_off_t __user *offset,
                    size_t count);
 long sys32_sendfile64(int out_fd, int in_fd, compat_loff_t __user *offset,
                      s32 count);
-long sys32_sysctl(struct __sysctl_args32 __user *args);
 long sys32_stat64(char __user * filename, struct stat64_emu31 __user * statbuf);
 long sys32_lstat64(char __user * filename,
                   struct stat64_emu31 __user * statbuf);
diff --git a/arch/s390/kernel/compat_wrapper.S b/arch/s390/kernel/compat_wrapper.S
index cbd9901dc0f8..30de2d0e52bb 100644
--- a/arch/s390/kernel/compat_wrapper.S
+++ b/arch/s390/kernel/compat_wrapper.S
@@ -689,8 +689,6 @@ sys32_fdatasync_wrapper:
        llgfr   %r2,%r2                 # unsigned int
        jg      sys_fdatasync           # branch to system call
-#sys32_sysctl_wrapper                   # tbd
        .globl  sys32_mlock_wrapper
 sys32_mlock_wrapper:
        llgfr   %r2,%r2                 # unsigned long
@@ -1087,8 +1085,8 @@ sys32_stime_wrapper:
        .globl  sys32_sysctl_wrapper
 sys32_sysctl_wrapper:
-        llgtr   %r2,%r2                 # struct __sysctl_args32 *
+        llgtr   %r2,%r2                 # struct compat_sysctl_args *
-        jg      sys32_sysctl
+        jg      compat_sys_sysctl
        .globl  sys32_fstat64_wrapper
 sys32_fstat64_wrapper:
diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
index 20f282c911c2..071c81f179ef 100644
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -893,35 +893,30 @@ s390dbf_procactive(ctl_table *table, int write,
 static struct ctl_table s390dbf_table[] = {
        {
-                .ctl_name       = CTL_S390DBF_STOPPABLE,
                .procname       = "debug_stoppable",
                .data           = &debug_stoppable,
                .maxlen         = sizeof(int),
                .mode           = S_IRUGO | S_IWUSR,
-                .proc_handler   = &proc_dointvec,
+                .proc_handler   = proc_dointvec,
-                .strategy       = &sysctl_intvec,
        },
         {
-                .ctl_name       = CTL_S390DBF_ACTIVE,
                .procname       = "debug_active",
                .data           = &debug_active,
                .maxlen         = sizeof(int),
                .mode           = S_IRUGO | S_IWUSR,
-                .proc_handler   = &s390dbf_procactive,
+                .proc_handler   = s390dbf_procactive,
-                .strategy       = &sysctl_intvec,
        },
-        { .ctl_name = 0 }
+        { }
 };
 static struct ctl_table s390dbf_dir_table[] = {
        {
-                .ctl_name       = CTL_S390DBF,
                .procname       = "s390dbf",
                .maxlen         = 0,
                .mode           = S_IRUGO | S_IXUGO,
                .child          = s390dbf_table,
        },
-        { .ctl_name = 0 }
+        { }
 };
 static struct ctl_table_header *s390dbf_sysctl_header;
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 07ced89740d7..f8bcaefd7d34 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -74,9 +74,10 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
 static unsigned long long *facilities;
 /* Section: not file related */
-void kvm_arch_hardware_enable(void *garbage)
+int kvm_arch_hardware_enable(void *garbage)
 {
        /* every s390 is virtualization enabled ;-) */
+        return 0;
 }
 void kvm_arch_hardware_disable(void *garbage)
@@ -116,10 +117,16 @@ long kvm_arch_dev_ioctl(struct file *filp,
 int kvm_dev_ioctl_check_extension(long ext)
 {
+        int r;
        switch (ext) {
+        case KVM_CAP_S390_PSW:
+                r = 1;
+                break;
        default:
-                return 0;
+                r = 0;
        }
+        return r;
 }
 /* Section: vm related */
@@ -150,7 +157,7 @@ long kvm_arch_vm_ioctl(struct file *filp,
                break;
        }
        default:
-                r = -EINVAL;
+                r = -ENOTTY;
        }
        return r;
@@ -419,8 +426,10 @@ static int kvm_arch_vcpu_ioctl_set_initial_psw(struct kvm_vcpu *vcpu, psw_t psw)
        vcpu_load(vcpu);
        if (atomic_read(&vcpu->arch.sie_block->cpuflags) & CPUSTAT_RUNNING)
                rc = -EBUSY;
-        else
+        else {
-                vcpu->arch.sie_block->gpsw = psw;
+                vcpu->run->psw_mask = psw.mask;
+                vcpu->run->psw_addr = psw.addr;
+        }
        vcpu_put(vcpu);
        return rc;
 }
@@ -508,9 +517,6 @@ rerun_vcpu:
        switch (kvm_run->exit_reason) {
        case KVM_EXIT_S390_SIEIC:
-                vcpu->arch.sie_block->gpsw.mask = kvm_run->s390_sieic.mask;
-                vcpu->arch.sie_block->gpsw.addr = kvm_run->s390_sieic.addr;
-                break;
        case KVM_EXIT_UNKNOWN:
        case KVM_EXIT_INTR:
        case KVM_EXIT_S390_RESET:
@@ -519,6 +525,9 @@ rerun_vcpu:
                BUG();
        }
+        vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask;
+        vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr;
        might_fault();
        do {
@@ -538,8 +547,6 @@ rerun_vcpu:
                /* intercept cannot be handled in-kernel, prepare kvm-run */
                kvm_run->exit_reason         = KVM_EXIT_S390_SIEIC;
                kvm_run->s390_sieic.icptcode = vcpu->arch.sie_block->icptcode;
-                kvm_run->s390_sieic.mask     = vcpu->arch.sie_block->gpsw.mask;
-                kvm_run->s390_sieic.addr     = vcpu->arch.sie_block->gpsw.addr;
                kvm_run->s390_sieic.ipa      = vcpu->arch.sie_block->ipa;
                kvm_run->s390_sieic.ipb      = vcpu->arch.sie_block->ipb;
                rc = 0;
@@ -551,6 +558,9 @@ rerun_vcpu:
                rc = 0;
        }
+        kvm_run->psw_mask     = vcpu->arch.sie_block->gpsw.mask;
+        kvm_run->psw_addr     = vcpu->arch.sie_block->gpsw.addr;
        if (vcpu->sigset_active)
                sigprocmask(SIG_SETMASK, &sigsaved, NULL);
diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c
index 40c8c6748cfe..15ee1111de58 100644
--- a/arch/s390/kvm/sigp.c
+++ b/arch/s390/kvm/sigp.c
@@ -188,9 +188,9 @@ static int __sigp_set_prefix(struct kvm_vcpu *vcpu, u16 cpu_addr, u32 address,
        /* make sure that the new value is valid memory */
        address = address & 0x7fffe000u;
-        if ((copy_from_guest(vcpu, &tmp,
+        if ((copy_from_user(&tmp, (void __user *)
-                (u64) (address + vcpu->arch.sie_block->gmsor) , 1)) ||
+                (address + vcpu->arch.sie_block->gmsor) , 1)) ||
-           (copy_from_guest(vcpu, &tmp, (u64) (address +
+           (copy_from_user(&tmp, (void __user *)(address +
                        vcpu->arch.sie_block->gmsor + PAGE_SIZE), 1))) {
                *reg |= SIGP_STAT_INVALID_PARAMETER;
                return 1; /* invalid parameter */
diff --git a/arch/s390/mm/cmm.c b/arch/s390/mm/cmm.c
index b201135cc18c..ff58779bf7e9 100644
--- a/arch/s390/mm/cmm.c
+++ b/arch/s390/mm/cmm.c
@@ -343,30 +343,29 @@ static struct ctl_table cmm_table[] = {
        {
                .procname       = "cmm_pages",
                .mode           = 0644,
-                .proc_handler   = &cmm_pages_handler,
+                .proc_handler   = cmm_pages_handler,
        },
        {
                .procname       = "cmm_timed_pages",
                .mode           = 0644,
-                .proc_handler   = &cmm_pages_handler,
+                .proc_handler   = cmm_pages_handler,
        },
        {
                .procname       = "cmm_timeout",
                .mode           = 0644,
-                .proc_handler   = &cmm_timeout_handler,
+                .proc_handler   = cmm_timeout_handler,
        },
-        { .ctl_name = 0 }
+        { }
 };
 static struct ctl_table cmm_dir_table[] = {
        {
-                .ctl_name       = CTL_VM,
                .procname       = "vm",
                .maxlen         = 0,
                .mode           = 0555,
                .child          = cmm_table,
        },
-        { .ctl_name = 0 }
+        { }
 };
 #endif
diff --git a/arch/sh/boards/mach-hp6xx/setup.c b/arch/sh/boards/mach-hp6xx/setup.c
index 8f305b36358b..e6dd5e96321e 100644
--- a/arch/sh/boards/mach-hp6xx/setup.c
+++ b/arch/sh/boards/mach-hp6xx/setup.c
@@ -13,6 +13,7 @@
 #include <linux/init.h>
 #include <linux/platform_device.h>
 #include <linux/irq.h>
+#include <sound/sh_dac_audio.h>
 #include <asm/hd64461.h>
 #include <asm/io.h>
 #include <mach/hp6xx.h>
@@ -51,9 +52,63 @@ static struct platform_device jornadakbd_device = {
        .id             = -1,
 };
+static void dac_audio_start(struct dac_audio_pdata *pdata)
+{
+        u16 v;
+        u8 v8;
+        /* HP Jornada 680/690 speaker on */
+        v = inw(HD64461_GPADR);
+        v &= ~HD64461_GPADR_SPEAKER;
+        outw(v, HD64461_GPADR);
+        /* HP Palmtop 620lx/660lx speaker on */
+        v8 = inb(PKDR);
+        v8 &= ~PKDR_SPEAKER;
+        outb(v8, PKDR);
+        sh_dac_enable(pdata->channel);
+}
+static void dac_audio_stop(struct dac_audio_pdata *pdata)
+{
+        u16 v;
+        u8 v8;
+        /* HP Jornada 680/690 speaker off */
+        v = inw(HD64461_GPADR);
+        v |= HD64461_GPADR_SPEAKER;
+        outw(v, HD64461_GPADR);
+        /* HP Palmtop 620lx/660lx speaker off */
+        v8 = inb(PKDR);
+        v8 |= PKDR_SPEAKER;
+        outb(v8, PKDR);
+        sh_dac_output(0, pdata->channel);
+        sh_dac_disable(pdata->channel);
+}
+static struct dac_audio_pdata dac_audio_platform_data = {
+        .buffer_size            = 64000,
+        .channel                = 1,
+        .start                  = dac_audio_start,
+        .stop                   = dac_audio_stop,
+};
+static struct platform_device dac_audio_device = {
+        .name           = "dac_audio",
+        .id             = -1,
+        .dev            = {
+                .platform_data  = &dac_audio_platform_data,
+        }
+};
 static struct platform_device *hp6xx_devices[] __initdata = {
        &cf_ide_device,
        &jornadakbd_device,
+        &dac_audio_device,
 };
 static void __init hp6xx_init_irq(void)
diff --git a/arch/sh/boards/mach-se/7724/setup.c b/arch/sh/boards/mach-se/7724/setup.c
index e78c3be8ad2f..0894bba9fade 100644
--- a/arch/sh/boards/mach-se/7724/setup.c
+++ b/arch/sh/boards/mach-se/7724/setup.c
@@ -313,6 +313,9 @@ static struct platform_device fsi_device = {
        .dev    = {
                .platform_data  = &fsi_info,
        },
+        .archdata = {
+                .hwblk_id = HWBLK_SPU, /* FSI needs SPU hwblk */
+        },
 };
 /* KEYSC in SoC (Needs SW33-2 set to ON) */
diff --git a/arch/sh/include/asm/sh_eth.h b/arch/sh/include/asm/sh_eth.h
index acf99700deed..f739061e2ee4 100644
--- a/arch/sh/include/asm/sh_eth.h
+++ b/arch/sh/include/asm/sh_eth.h
@@ -7,6 +7,7 @@ struct sh_eth_plat_data {
        int phy;
        int edmac_endian;
+        unsigned char mac_addr[6];
        unsigned no_ether_link:1;
        unsigned ether_link_active_low:1;
 };
diff --git a/arch/sh/include/mach-common/mach/hp6xx.h b/arch/sh/include/mach-common/mach/hp6xx.h
index 0d4165a32dcd..bcc301ac12f4 100644
--- a/arch/sh/include/mach-common/mach/hp6xx.h
+++ b/arch/sh/include/mach-common/mach/hp6xx.h
@@ -29,6 +29,9 @@
 #define PKDR_LED_GREEN          0x10
+/* HP Palmtop 620lx/660lx speaker on/off */
+#define PKDR_SPEAKER            0x20
 #define SCPDR_TS_SCAN_ENABLE    0x20
 #define SCPDR_TS_SCAN_Y         0x02
 #define SCPDR_TS_SCAN_X         0x01
@@ -42,6 +45,7 @@
 #define ADC_CHANNEL_BACKUP      4
 #define ADC_CHANNEL_CHARGE      5
+/* HP Jornada 680/690 speaker on/off */
 #define HD64461_GPADR_SPEAKER   0x01
 #define HD64461_GPADR_PCMCIA0   (0x02|0x08)
diff --git a/arch/sh/kernel/syscalls_64.S b/arch/sh/kernel/syscalls_64.S
index 5bfde6c77498..07d2aaea9ae8 100644
--- a/arch/sh/kernel/syscalls_64.S
+++ b/arch/sh/kernel/syscalls_64.S
@@ -391,3 +391,4 @@ sys_call_table:
        .long sys_pwritev
        .long sys_rt_tgsigqueueinfo
        .long sys_perf_event_open
+        .long sys_recvmmsg              /* 365 */
diff --git a/arch/sh/kernel/traps_64.c b/arch/sh/kernel/traps_64.c
index 267e5ebbb475..75c0cbe2eda0 100644
--- a/arch/sh/kernel/traps_64.c
+++ b/arch/sh/kernel/traps_64.c
@@ -877,44 +877,39 @@ static int misaligned_fixup(struct pt_regs *regs)
 static ctl_table unaligned_table[] = {
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "kernel_reports",
                .data           = &kernel_mode_unaligned_fixup_count,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_dointvec
+                .proc_handler   = proc_dointvec
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "user_reports",
                .data           = &user_mode_unaligned_fixup_count,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_dointvec
+                .proc_handler   = proc_dointvec
        },
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "user_enable",
                .data           = &user_mode_unaligned_fixup_enable,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = &proc_dointvec},
+                .proc_handler   = proc_dointvec},
        {}
 };
 static ctl_table unaligned_root[] = {
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "unaligned_fixup",
                .mode           = 0555,
-                unaligned_table
+                .child          = unaligned_table
        },
        {}
 };
 static ctl_table sh64_root[] = {
        {
-                .ctl_name       = CTL_UNNUMBERED,
                .procname       = "sh64",
                .mode           = 0555,
                .child          = unaligned_root
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index 05ef5380a687..33ac1a9ac881 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -221,6 +221,13 @@ config SPARC64_SMP
        default y
        depends on SPARC64 && SMP
+config EARLYFB
+        bool "Support for early boot text console"
+        default y
+        depends on SPARC64
+        help
+          Say Y here to enable a faster early framebuffer boot console.
 choice
        prompt "Kernel page size" if SPARC64
        default SPARC64_PAGE_SIZE_8KB
diff --git a/arch/sparc/Makefile b/arch/sparc/Makefile
index dfe272d14465..113225b241e0 100644
--- a/arch/sparc/Makefile
+++ b/arch/sparc/Makefile
@@ -27,6 +27,7 @@ AS             := $(AS) -32
 LDFLAGS        := -m elf32_sparc
 CHECKFLAGS     += -D__sparc__
 export BITS    := 32
+UTS_MACHINE    := sparc
 #KBUILD_CFLAGS += -g -pipe -fcall-used-g5 -fcall-used-g7
 KBUILD_CFLAGS += -m32 -pipe -mno-fpu -fcall-used-g5 -fcall-used-g7
@@ -46,6 +47,7 @@ CHECKFLAGS      += -D__sparc__ -D__sparc_v9__ -D__arch64__ -m64
 LDFLAGS              := -m elf64_sparc
 export BITS          := 64
+UTS_MACHINE          := sparc64
 KBUILD_CFLAGS += -m64 -pipe -mno-fpu -mcpu=ultrasparc -mcmodel=medlow   \
                 -ffixed-g4 -ffixed-g5 -fcall-used-g7 -Wno-sign-compare \
diff --git a/arch/sparc/include/asm/btext.h b/arch/sparc/include/asm/btext.h
new file mode 100644
index 000000000000..9b2bc6b6ed0a
--- /dev/null
+++ b/arch/sparc/include/asm/btext.h
@@ -0,0 +1,6 @@
+#ifndef _SPARC_BTEXT_H
+#define _SPARC_BTEXT_H
+extern int btext_find_display(void);
+#endif /* _SPARC_BTEXT_H */
diff --git a/arch/sparc/include/asm/leon.h b/arch/sparc/include/asm/leon.h
index 28a42b73f64f..3ea5964c43b4 100644
--- a/arch/sparc/include/asm/leon.h
+++ b/arch/sparc/include/asm/leon.h
@@ -148,7 +148,7 @@ static inline unsigned long leon_load_reg(unsigned long paddr)
        return retval;
 }
-extern inline void leon_srmmu_disabletlb(void)
+static inline void leon_srmmu_disabletlb(void)
 {
        unsigned int retval;
        __asm__ __volatile__("lda [%%g0] %2, %0\n\t" : "=r"(retval) : "r"(0),
@@ -158,7 +158,7 @@ extern inline void leon_srmmu_disabletlb(void)
                             "i"(ASI_LEON_MMUREGS) : "memory");
 }
-extern inline void leon_srmmu_enabletlb(void)
+static inline void leon_srmmu_enabletlb(void)
 {
        unsigned int retval;
        __asm__ __volatile__("lda [%%g0] %2, %0\n\t" : "=r"(retval) : "r"(0),
@@ -190,7 +190,7 @@ extern void leon_init_IRQ(void);
 extern unsigned long last_valid_pfn;
-extern inline unsigned long sparc_leon3_get_dcachecfg(void)
+static inline unsigned long sparc_leon3_get_dcachecfg(void)
 {
        unsigned int retval;
        __asm__ __volatile__("lda [%1] %2, %0\n\t" :
@@ -201,7 +201,7 @@ extern inline unsigned long sparc_leon3_get_dcachecfg(void)
 }
 /* enable snooping */
-extern inline void sparc_leon3_enable_snooping(void)
+static inline void sparc_leon3_enable_snooping(void)
 {
        __asm__ __volatile__ ("lda [%%g0] 2, %%l1\n\t"
                          "set 0x800000, %%l2\n\t"
@@ -209,7 +209,14 @@ extern inline void sparc_leon3_enable_snooping(void)
                          "sta %%l2, [%%g0] 2\n\t" : : : "l1", "l2");
 };
-extern inline void sparc_leon3_disable_cache(void)
+static inline int sparc_leon3_snooping_enabled(void)
+{
+        u32 cctrl;
+        __asm__ __volatile__("lda [%%g0] 2, %0\n\t" : "=r"(cctrl));
+        return (cctrl >> 23) & 1;
+};
+static inline void sparc_leon3_disable_cache(void)
 {
        __asm__ __volatile__ ("lda [%%g0] 2, %%l1\n\t"
                          "set 0x00000f, %%l2\n\t"
@@ -340,6 +347,30 @@ extern int leon_flush_needed(void);
 extern void leon_switch_mm(void);
 extern int srmmu_swprobe_trace;
+#ifdef CONFIG_SMP
+extern int leon_smp_nrcpus(void);
+extern void leon_clear_profile_irq(int cpu);
+extern void leon_smp_done(void);
+extern void leon_boot_cpus(void);
+extern int leon_boot_one_cpu(int i);
+void leon_init_smp(void);
+extern void cpu_probe(void);
+extern void cpu_idle(void);
+extern void init_IRQ(void);
+extern void cpu_panic(void);
+extern int __leon_processor_id(void);
+void leon_enable_irq_cpu(unsigned int irq_nr, unsigned int cpu);
+extern unsigned int real_irq_entry[], smpleon_ticker[];
+extern unsigned int patchme_maybe_smp_msg[];
+extern unsigned long trapbase_cpu1[];
+extern unsigned long trapbase_cpu2[];
+extern unsigned long trapbase_cpu3[];
+extern unsigned int t_nmi[], linux_trap_ipi15_leon[];
+extern unsigned int linux_trap_ipi15_sun4m[];
+#endif /* CONFIG_SMP */
 #endif /* __KERNEL__ */
 #endif /* __ASSEMBLY__ */
@@ -356,6 +387,10 @@ extern int srmmu_swprobe_trace;
 #define leon_switch_mm() do {} while (0)
 #define leon_init_IRQ() do {} while (0)
 #define init_leon() do {} while (0)
+#define leon_smp_done() do {} while (0)
+#define leon_boot_cpus() do {} while (0)
+#define leon_boot_one_cpu(i) 1
+#define leon_init_smp() do {} while (0)
 #endif /* !defined(CONFIG_SPARC_LEON) */
diff --git a/arch/sparc/include/asm/prom.h b/arch/sparc/include/asm/prom.h
index 82a190d7efc1..f845828ca4c6 100644
--- a/arch/sparc/include/asm/prom.h
+++ b/arch/sparc/include/asm/prom.h
@@ -1,3 +1,4 @@
+#include <linux/of.h>   /* linux/of.h gets to determine #include ordering */
 #ifndef _SPARC_PROM_H
 #define _SPARC_PROM_H
 #ifdef __KERNEL__
@@ -28,50 +29,11 @@
 #define of_prop_cmp(s1, s2)             strcasecmp((s1), (s2))
 #define of_node_cmp(s1, s2)             strcmp((s1), (s2))
-typedef u32 phandle;
-typedef u32 ihandle;
-struct property {
-        char    *name;
-        int     length;
-        void    *value;
-        struct property *next;
-        unsigned long _flags;
-        unsigned int unique_id;
-};
-struct of_irq_controller;
-struct device_node {
-        const char      *name;
-        const char      *type;
-        phandle node;
-        char    *path_component_name;
-        char    *full_name;
-        struct  property *properties;
-        struct  property *deadprops; /* removed properties */
-        struct  device_node *parent;
-        struct  device_node *child;
-        struct  device_node *sibling;
-        struct  device_node *next;      /* next device of same type */
-        struct  device_node *allnext;   /* next in list of all nodes */
-        struct  proc_dir_entry *pde;    /* this node's proc directory */
-        struct  kref kref;
-        unsigned long _flags;
-        void    *data;
-        unsigned int unique_id;
-        struct of_irq_controller *irq_trans;
-};
 struct of_irq_controller {
        unsigned int    (*irq_build)(struct device_node *, unsigned int, void *);
        void            *data;
 };
-#define OF_IS_DYNAMIC(x) test_bit(OF_DYNAMIC, &x->_flags)
-#define OF_MARK_DYNAMIC(x) set_bit(OF_DYNAMIC, &x->_flags)
 extern struct device_node *of_find_node_by_cpuid(int cpuid);
 extern int of_set_property(struct device_node *node, const char *name, void *val, int len);
 extern struct mutex of_set_property_mutex;
@@ -89,15 +51,6 @@ extern void prom_build_devicetree(void);
 extern void of_populate_present_mask(void);
 extern void of_fill_in_cpu_data(void);
-/* Dummy ref counting routines - to be implemented later */
-static inline struct device_node *of_node_get(struct device_node *node)
-{
-        return node;
-}
-static inline void of_node_put(struct device_node *node)
-{
-}
 /* These routines are here to provide compatibility with how powerpc
 * handles IRQ mapping for OF device nodes.  We precompute and permanently
 * register them in the of_device objects, whereas powerpc computes them
@@ -108,12 +61,6 @@ static inline void irq_dispose_mapping(unsigned int virq)
 {
 }
-/*
- * NB:  This is here while we transition from using asm/prom.h
- * to linux/of.h
- */
-#include <linux/of.h>
 extern struct device_node *of_console_device;
 extern char *of_console_path;
 extern char *of_console_options;
diff --git a/arch/sparc/include/asm/rwsem.h b/arch/sparc/include/asm/rwsem.h
index 1dc129ac2feb..6e5621006f85 100644
--- a/arch/sparc/include/asm/rwsem.h
+++ b/arch/sparc/include/asm/rwsem.h
@@ -35,8 +35,8 @@ struct rw_semaphore {
 #endif
 #define __RWSEM_INITIALIZER(name) \
-{ RWSEM_UNLOCKED_VALUE, SPIN_LOCK_UNLOCKED, LIST_HEAD_INIT((name).wait_list) \
+{ RWSEM_UNLOCKED_VALUE, __SPIN_LOCK_UNLOCKED((name).wait_lock), \
-  __RWSEM_DEP_MAP_INIT(name) }
+  LIST_HEAD_INIT((name).wait_list) __RWSEM_DEP_MAP_INIT(name) }
 #define DECLARE_RWSEM(name) \
        struct rw_semaphore name = __RWSEM_INITIALIZER(name)
diff --git a/arch/sparc/include/asm/smp_32.h b/arch/sparc/include/asm/smp_32.h
index 58101dc70493..841905c10215 100644
--- a/arch/sparc/include/asm/smp_32.h
+++ b/arch/sparc/include/asm/smp_32.h
@@ -106,6 +106,15 @@ static inline int hard_smp4d_processor_id(void)
        return cpuid;
 }
+extern inline int hard_smpleon_processor_id(void)
+{
+        int cpuid;
+        __asm__ __volatile__("rd     %%asr17,%0\n\t"
+                             "srl    %0,28,%0" :
+                             "=&r" (cpuid) : );
+        return cpuid;
+}
 #ifndef MODULE
 static inline int hard_smp_processor_id(void)
 {
diff --git a/arch/sparc/include/asm/socket.h b/arch/sparc/include/asm/socket.h
index 3a5ae3d12088..9d3fefcff2f5 100644
--- a/arch/sparc/include/asm/socket.h
+++ b/arch/sparc/include/asm/socket.h
@@ -56,6 +56,8 @@
 #define SO_TIMESTAMPING         0x0023
 #define SCM_TIMESTAMPING        SO_TIMESTAMPING
+#define SO_RXQ_OVFL             0x0024
 /* Security levels - as per NRL IPv6 - don't actually do anything */
 #define SO_SECURITY_AUTHENTICATION              0x5001
 #define SO_SECURITY_ENCRYPTION_TRANSPORT        0x5002
diff --git a/arch/sparc/include/asm/unistd.h b/arch/sparc/include/asm/unistd.h
index 42f2316c3eaa..d8d25bd97121 100644
--- a/arch/sparc/include/asm/unistd.h
+++ b/arch/sparc/include/asm/unistd.h
@@ -396,8 +396,9 @@
 #define __NR_pwritev            325
 #define __NR_rt_tgsigqueueinfo  326
 #define __NR_perf_event_open    327
+#define __NR_recvmmsg           328
-#define NR_SYSCALLS             328
+#define NR_SYSCALLS             329
 #ifdef __32bit_syscall_numbers__
 /* Sparc 32-bit only has the "setresuid32", "getresuid32" variants,
diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
index 5b47fab9966e..c6316142db4e 100644
--- a/arch/sparc/kernel/Makefile
+++ b/arch/sparc/kernel/Makefile
@@ -72,7 +72,7 @@ obj-y                     += dma.o
 obj-$(CONFIG_SPARC32_PCI) += pcic.o
 obj-$(CONFIG_SMP)         += trampoline_$(BITS).o smp_$(BITS).o
-obj-$(CONFIG_SPARC32_SMP) += sun4m_smp.o sun4d_smp.o
+obj-$(CONFIG_SPARC32_SMP) += sun4m_smp.o sun4d_smp.o leon_smp.o
 obj-$(CONFIG_SPARC64_SMP) += hvtramp.o
 obj-y                     += auxio_$(BITS).o
@@ -87,6 +87,7 @@ obj-$(CONFIG_KGDB)        += kgdb_$(BITS).o
 obj-$(CONFIG_DYNAMIC_FTRACE) += ftrace.o
 CFLAGS_REMOVE_ftrace.o := -pg
+obj-$(CONFIG_EARLYFB) += btext.o
 obj-$(CONFIG_STACKTRACE)     += stacktrace.o
 # sparc64 PCI
 obj-$(CONFIG_SPARC64_PCI)    += pci.o pci_common.o psycho_common.o
diff --git a/arch/sparc/kernel/apc.c b/arch/sparc/kernel/apc.c
index 9c115823c4b5..71ec90b9e316 100644
--- a/arch/sparc/kernel/apc.c
+++ b/arch/sparc/kernel/apc.c
@@ -10,7 +10,6 @@
 #include <linux/errno.h>
 #include <linux/init.h>
 #include <linux/miscdevice.h>
-#include <linux/smp_lock.h>
 #include <linux/pm.h>
 #include <linux/of.h>
 #include <linux/of_device.h>
@@ -76,7 +75,6 @@ static inline void apc_free(struct of_device *op)
 static int apc_open(struct inode *inode, struct file *f)
 {
-        cycle_kernel_lock();
        return 0;
 }
@@ -87,61 +85,46 @@ static int apc_release(struct inode *inode, struct file *f)
 static long apc_ioctl(struct file *f, unsigned int cmd, unsigned long __arg)
 {
-        __u8 inarg, __user *arg;
+        __u8 inarg, __user *arg = (__u8 __user *) __arg;
-        arg = (__u8 __user *) __arg;
-        lock_kernel();
        switch (cmd) {
        case APCIOCGFANCTL:
-                if (put_user(apc_readb(APC_FANCTL_REG) & APC_REGMASK, arg)) {
+                if (put_user(apc_readb(APC_FANCTL_REG) & APC_REGMASK, arg))
-                        unlock_kernel();
                        return -EFAULT;
-                }
                break;
        case APCIOCGCPWR:
-                if (put_user(apc_readb(APC_CPOWER_REG) & APC_REGMASK, arg)) {
+                if (put_user(apc_readb(APC_CPOWER_REG) & APC_REGMASK, arg))
-                        unlock_kernel();
                        return -EFAULT;
-                }
                break;
        case APCIOCGBPORT:
-                if (put_user(apc_readb(APC_BPORT_REG) & APC_BPMASK, arg)) {
+                if (put_user(apc_readb(APC_BPORT_REG) & APC_BPMASK, arg))
-                        unlock_kernel();
                        return -EFAULT;
-                }
                break;
        case APCIOCSFANCTL:
-                if (get_user(inarg, arg)) {
+                if (get_user(inarg, arg))
-                        unlock_kernel();
                        return -EFAULT;
-                }
                apc_writeb(inarg & APC_REGMASK, APC_FANCTL_REG);
                break;
        case APCIOCSCPWR:
-                if (get_user(inarg, arg)) {
+                if (get_user(inarg, arg))
-                        unlock_kernel();
                        return -EFAULT;
-                }
                apc_writeb(inarg & APC_REGMASK, APC_CPOWER_REG);
                break;
        case APCIOCSBPORT:
-                if (get_user(inarg, arg)) {
+                if (get_user(inarg, arg))
-                        unlock_kernel();
                        return -EFAULT;
-                }
                apc_writeb(inarg & APC_BPMASK, APC_BPORT_REG);
                break;
        default:
-                unlock_kernel();
                return -EINVAL;
        };
-        unlock_kernel();
        return 0;
 }
diff --git a/arch/sparc/kernel/auxio_32.c b/arch/sparc/kernel/auxio_32.c
index 45c41232fc4c..ee8d214cae1e 100644
--- a/arch/sparc/kernel/auxio_32.c
+++ b/arch/sparc/kernel/auxio_32.c
@@ -28,6 +28,7 @@ void __init auxio_probe(void)
        struct resource r;
        switch (sparc_cpu_model) {
+        case sparc_leon:
        case sun4d:
        case sun4:
                return;
diff --git a/arch/sparc/kernel/btext.c b/arch/sparc/kernel/btext.c
new file mode 100644
index 000000000000..8cc2d56ffe9a
--- /dev/null
+++ b/arch/sparc/kernel/btext.c
@@ -0,0 +1,673 @@
+/*
+ * Procedures for drawing on the screen early on in the boot process.
+ *
+ * Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ */
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/console.h>
+#include <asm/btext.h>
+#include <asm/oplib.h>
+#include <asm/io.h>
+#define NO_SCROLL
+#ifndef NO_SCROLL
+static void scrollscreen(void);
+#endif
+static void draw_byte(unsigned char c, long locX, long locY);
+static void draw_byte_32(unsigned char *bits, unsigned int *base, int rb);
+static void draw_byte_16(unsigned char *bits, unsigned int *base, int rb);
+static void draw_byte_8(unsigned char *bits, unsigned int *base, int rb);
+#define __force_data __attribute__((__section__(".data")))
+static int g_loc_X __force_data;
+static int g_loc_Y __force_data;
+static int g_max_loc_X __force_data;
+static int g_max_loc_Y __force_data;
+static int dispDeviceRowBytes __force_data;
+static int dispDeviceDepth  __force_data;
+static int dispDeviceRect[4] __force_data;
+static unsigned char *dispDeviceBase __force_data;
+#define cmapsz  (16*256)
+static unsigned char vga_font[cmapsz];
+static int __init btext_initialize(unsigned int node)
+{
+        unsigned int width, height, depth, pitch;
+        unsigned long address = 0;
+        u32 prop;
+        if (prom_getproperty(node, "width", (char *)&width, 4) < 0)
+                return -EINVAL;
+        if (prom_getproperty(node, "height", (char *)&height, 4) < 0)
+                return -EINVAL;
+        if (prom_getproperty(node, "depth", (char *)&depth, 4) < 0)
+                return -EINVAL;
+        pitch = width * ((depth + 7) / 8);
+        if (prom_getproperty(node, "linebytes", (char *)&prop, 4) >= 0 &&
+            prop != 0xffffffffu)
+                pitch = prop;
+        if (pitch == 1)
+                pitch = 0x1000;
+        if (prom_getproperty(node, "address", (char *)&prop, 4) >= 0)
+                address = prop;
+        /* FIXME: Add support for PCI reg properties. Right now, only
+         * reliable on macs
+         */
+        if (address == 0)
+                return -EINVAL;
+        g_loc_X = 0;
+        g_loc_Y = 0;
+        g_max_loc_X = width / 8;
+        g_max_loc_Y = height / 16;
+        dispDeviceBase = (unsigned char *)address;
+        dispDeviceRowBytes = pitch;
+        dispDeviceDepth = depth == 15 ? 16 : depth;
+        dispDeviceRect[0] = dispDeviceRect[1] = 0;
+        dispDeviceRect[2] = width;
+        dispDeviceRect[3] = height;
+        return 0;
+}
+/* Calc the base address of a given point (x,y) */
+static unsigned char * calc_base(int x, int y)
+{
+        unsigned char *base = dispDeviceBase;
+        base += (x + dispDeviceRect[0]) * (dispDeviceDepth >> 3);
+        base += (y + dispDeviceRect[1]) * dispDeviceRowBytes;
+        return base;
+}
+static void btext_clearscreen(void)
+{
+        unsigned int *base      = (unsigned int *)calc_base(0, 0);
+        unsigned long width     = ((dispDeviceRect[2] - dispDeviceRect[0]) *
+                                        (dispDeviceDepth >> 3)) >> 2;
+        int i,j;
+        for (i=0; i<(dispDeviceRect[3] - dispDeviceRect[1]); i++)
+        {
+                unsigned int *ptr = base;
+                for(j=width; j; --j)
+                        *(ptr++) = 0;
+                base += (dispDeviceRowBytes >> 2);
+        }
+}
+#ifndef NO_SCROLL
+static void scrollscreen(void)
+{
+        unsigned int *src       = (unsigned int *)calc_base(0,16);
+        unsigned int *dst       = (unsigned int *)calc_base(0,0);
+        unsigned long width     = ((dispDeviceRect[2] - dispDeviceRect[0]) *
+                                   (dispDeviceDepth >> 3)) >> 2;
+        int i,j;
+        for (i=0; i<(dispDeviceRect[3] - dispDeviceRect[1] - 16); i++)
+        {
+                unsigned int *src_ptr = src;
+                unsigned int *dst_ptr = dst;
+                for(j=width; j; --j)
+                        *(dst_ptr++) = *(src_ptr++);
+                src += (dispDeviceRowBytes >> 2);
+                dst += (dispDeviceRowBytes >> 2);
+        }
+        for (i=0; i<16; i++)
+        {
+                unsigned int *dst_ptr = dst;
+                for(j=width; j; --j)
+                        *(dst_ptr++) = 0;
+                dst += (dispDeviceRowBytes >> 2);
+        }
+}
+#endif /* ndef NO_SCROLL */
+void btext_drawchar(char c)
+{
+        int cline = 0;
+#ifdef NO_SCROLL
+        int x;
+#endif
+        switch (c) {
+        case '\b':
+                if (g_loc_X > 0)
+                        --g_loc_X;
+                break;
+        case '\t':
+                g_loc_X = (g_loc_X & -8) + 8;
+                break;
+        case '\r':
+                g_loc_X = 0;
+                break;
+        case '\n':
+                g_loc_X = 0;
+                g_loc_Y++;
+                cline = 1;
+                break;
+        default:
+                draw_byte(c, g_loc_X++, g_loc_Y);
+        }
+        if (g_loc_X >= g_max_loc_X) {
+                g_loc_X = 0;
+                g_loc_Y++;
+                cline = 1;
+        }
+#ifndef NO_SCROLL
+        while (g_loc_Y >= g_max_loc_Y) {
+                scrollscreen();
+                g_loc_Y--;
+        }
+#else
+        /* wrap around from bottom to top of screen so we don't
+           waste time scrolling each line.  -- paulus. */
+        if (g_loc_Y >= g_max_loc_Y)
+                g_loc_Y = 0;
+        if (cline) {
+                for (x = 0; x < g_max_loc_X; ++x)
+                        draw_byte(' ', x, g_loc_Y);
+        }
+#endif
+}
+static void btext_drawtext(const char *c, unsigned int len)
+{
+        while (len--)
+                btext_drawchar(*c++);
+}
+static void draw_byte(unsigned char c, long locX, long locY)
+{
+        unsigned char *base     = calc_base(locX << 3, locY << 4);
+        unsigned char *font     = &vga_font[((unsigned int)c) * 16];
+        int rb                  = dispDeviceRowBytes;
+        switch(dispDeviceDepth) {
+        case 24:
+        case 32:
+                draw_byte_32(font, (unsigned int *)base, rb);
+                break;
+        case 15:
+        case 16:
+                draw_byte_16(font, (unsigned int *)base, rb);
+                break;
+        case 8:
+                draw_byte_8(font, (unsigned int *)base, rb);
+                break;
+        }
+}
+static unsigned int expand_bits_8[16] = {
+        0x00000000,
+        0x000000ff,
+        0x0000ff00,
+        0x0000ffff,
+        0x00ff0000,
+        0x00ff00ff,
+        0x00ffff00,
+        0x00ffffff,
+        0xff000000,
+        0xff0000ff,
+        0xff00ff00,
+        0xff00ffff,
+        0xffff0000,
+        0xffff00ff,
+        0xffffff00,
+        0xffffffff
+};
+static unsigned int expand_bits_16[4] = {
+        0x00000000,
+        0x0000ffff,
+        0xffff0000,
+        0xffffffff
+};
+static void draw_byte_32(unsigned char *font, unsigned int *base, int rb)
+{
+        int l, bits;
+        int fg = 0xFFFFFFFFUL;
+        int bg = 0x00000000UL;
+        for (l = 0; l < 16; ++l)
+        {
+                bits = *font++;
+                base[0] = (-(bits >> 7) & fg) ^ bg;
+                base[1] = (-((bits >> 6) & 1) & fg) ^ bg;
+                base[2] = (-((bits >> 5) & 1) & fg) ^ bg;
+                base[3] = (-((bits >> 4) & 1) & fg) ^ bg;
+                base[4] = (-((bits >> 3) & 1) & fg) ^ bg;
+                base[5] = (-((bits >> 2) & 1) & fg) ^ bg;
+                base[6] = (-((bits >> 1) & 1) & fg) ^ bg;
+                base[7] = (-(bits & 1) & fg) ^ bg;
+                base = (unsigned int *) ((char *)base + rb);
+        }
+}
+static void draw_byte_16(unsigned char *font, unsigned int *base, int rb)
+{
+        int l, bits;
+        int fg = 0xFFFFFFFFUL;
+        int bg = 0x00000000UL;
+        unsigned int *eb = (int *)expand_bits_16;
+        for (l = 0; l < 16; ++l)
+        {
+                bits = *font++;
+                base[0] = (eb[bits >> 6] & fg) ^ bg;
+                base[1] = (eb[(bits >> 4) & 3] & fg) ^ bg;
+                base[2] = (eb[(bits >> 2) & 3] & fg) ^ bg;
+                base[3] = (eb[bits & 3] & fg) ^ bg;
+                base = (unsigned int *) ((char *)base + rb);
+        }
+}
+static void draw_byte_8(unsigned char *font, unsigned int *base, int rb)
+{
+        int l, bits;
+        int fg = 0x0F0F0F0FUL;
+        int bg = 0x00000000UL;
+        unsigned int *eb = (int *)expand_bits_8;
+        for (l = 0; l < 16; ++l)
+        {
+                bits = *font++;
+                base[0] = (eb[bits >> 4] & fg) ^ bg;
+                base[1] = (eb[bits & 0xf] & fg) ^ bg;
+                base = (unsigned int *) ((char *)base + rb);
+        }
+}
+static void btext_console_write(struct console *con, const char *s,
+                                unsigned int n)
+{
+        btext_drawtext(s, n);
+}
+static struct console btext_console = {
+        .name   = "btext",
+        .write  = btext_console_write,
+        .flags  = CON_PRINTBUFFER | CON_ENABLED | CON_BOOT | CON_ANYTIME,
+        .index  = 0,
+};
+int __init btext_find_display(void)
+{
+        unsigned int node;
+        char type[32];
+        int ret;
+        node = prom_inst2pkg(prom_stdout);
+        if (prom_getproperty(node, "device_type", type, 32) < 0)
+                return -ENODEV;
+        if (strcmp(type, "display"))
+                return -ENODEV;
+        ret = btext_initialize(node);
+        if (!ret) {
+                btext_clearscreen();
+                register_console(&btext_console);
+        }
+        return ret;
+}
+static unsigned char vga_font[cmapsz] = {
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0x81, 0xa5, 0x81, 0x81, 0xbd,
+0x99, 0x81, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0xff,
+0xdb, 0xff, 0xff, 0xc3, 0xe7, 0xff, 0xff, 0x7e, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x6c, 0xfe, 0xfe, 0xfe, 0xfe, 0x7c, 0x38, 0x10,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x7c, 0xfe,
+0x7c, 0x38, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18,
+0x3c, 0x3c, 0xe7, 0xe7, 0xe7, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x18, 0x3c, 0x7e, 0xff, 0xff, 0x7e, 0x18, 0x18, 0x3c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3c,
+0x3c, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
+0xff, 0xff, 0xe7, 0xc3, 0xc3, 0xe7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x66, 0x42, 0x42, 0x66, 0x3c, 0x00,
+0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc3, 0x99, 0xbd,
+0xbd, 0x99, 0xc3, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x1e, 0x0e,
+0x1a, 0x32, 0x78, 0xcc, 0xcc, 0xcc, 0xcc, 0x78, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x3c, 0x66, 0x66, 0x66, 0x66, 0x3c, 0x18, 0x7e, 0x18, 0x18,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0x33, 0x3f, 0x30, 0x30, 0x30,
+0x30, 0x70, 0xf0, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7f, 0x63,
+0x7f, 0x63, 0x63, 0x63, 0x63, 0x67, 0xe7, 0xe6, 0xc0, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x18, 0x18, 0xdb, 0x3c, 0xe7, 0x3c, 0xdb, 0x18, 0x18,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfe, 0xf8,
+0xf0, 0xe0, 0xc0, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x06, 0x0e,
+0x1e, 0x3e, 0xfe, 0x3e, 0x1e, 0x0e, 0x06, 0x02, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x18, 0x3c, 0x7e, 0x18, 0x18, 0x18, 0x7e, 0x3c, 0x18, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+0x66, 0x00, 0x66, 0x66, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7f, 0xdb,
+0xdb, 0xdb, 0x7b, 0x1b, 0x1b, 0x1b, 0x1b, 0x1b, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x7c, 0xc6, 0x60, 0x38, 0x6c, 0xc6, 0xc6, 0x6c, 0x38, 0x0c, 0xc6,
+0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0xfe, 0xfe, 0xfe, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3c,
+0x7e, 0x18, 0x18, 0x18, 0x7e, 0x3c, 0x18, 0x7e, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x18, 0x3c, 0x7e, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x7e, 0x3c, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x18, 0x0c, 0xfe, 0x0c, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x60, 0xfe, 0x60, 0x30, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0xc0,
+0xc0, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x24, 0x66, 0xff, 0x66, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x38, 0x7c, 0x7c, 0xfe, 0xfe, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x7c, 0x7c,
+0x38, 0x38, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x18, 0x3c, 0x3c, 0x3c, 0x18, 0x18, 0x18, 0x00, 0x18, 0x18,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x66, 0x66, 0x24, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c,
+0x6c, 0xfe, 0x6c, 0x6c, 0x6c, 0xfe, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00,
+0x18, 0x18, 0x7c, 0xc6, 0xc2, 0xc0, 0x7c, 0x06, 0x06, 0x86, 0xc6, 0x7c,
+0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc2, 0xc6, 0x0c, 0x18,
+0x30, 0x60, 0xc6, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x6c,
+0x6c, 0x38, 0x76, 0xdc, 0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x30, 0x30, 0x30, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x18, 0x30, 0x30, 0x30, 0x30,
+0x30, 0x30, 0x18, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x18,
+0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x18, 0x30, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x3c, 0xff, 0x3c, 0x66, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x7e,
+0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x30, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x02, 0x06, 0x0c, 0x18, 0x30, 0x60, 0xc0, 0x80, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xce, 0xde, 0xf6, 0xe6, 0xc6, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x38, 0x78, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6,
+0x06, 0x0c, 0x18, 0x30, 0x60, 0xc0, 0xc6, 0xfe, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x7c, 0xc6, 0x06, 0x06, 0x3c, 0x06, 0x06, 0x06, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x1c, 0x3c, 0x6c, 0xcc, 0xfe,
+0x0c, 0x0c, 0x0c, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xc0,
+0xc0, 0xc0, 0xfc, 0x06, 0x06, 0x06, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x38, 0x60, 0xc0, 0xc0, 0xfc, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xc6, 0x06, 0x06, 0x0c, 0x18,
+0x30, 0x30, 0x30, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6,
+0xc6, 0xc6, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0x7e, 0x06, 0x06, 0x06, 0x0c, 0x78,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x00, 0x00,
+0x00, 0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x18, 0x18, 0x00, 0x00, 0x00, 0x18, 0x18, 0x30, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x06, 0x0c, 0x18, 0x30, 0x60, 0x30, 0x18, 0x0c, 0x06,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00,
+0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60,
+0x30, 0x18, 0x0c, 0x06, 0x0c, 0x18, 0x30, 0x60, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x7c, 0xc6, 0xc6, 0x0c, 0x18, 0x18, 0x18, 0x00, 0x18, 0x18,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xde, 0xde,
+0xde, 0xdc, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x38,
+0x6c, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0xc6, 0xc6, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xfc, 0x66, 0x66, 0x66, 0x7c, 0x66, 0x66, 0x66, 0x66, 0xfc,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x66, 0xc2, 0xc0, 0xc0, 0xc0,
+0xc0, 0xc2, 0x66, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x6c,
+0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x6c, 0xf8, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xfe, 0x66, 0x62, 0x68, 0x78, 0x68, 0x60, 0x62, 0x66, 0xfe,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x66, 0x62, 0x68, 0x78, 0x68,
+0x60, 0x60, 0x60, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x66,
+0xc2, 0xc0, 0xc0, 0xde, 0xc6, 0xc6, 0x66, 0x3a, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x0c,
+0x0c, 0x0c, 0x0c, 0x0c, 0xcc, 0xcc, 0xcc, 0x78, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xe6, 0x66, 0x66, 0x6c, 0x78, 0x78, 0x6c, 0x66, 0x66, 0xe6,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x60, 0x60, 0x60, 0x60, 0x60,
+0x60, 0x62, 0x66, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0xe7,
+0xff, 0xff, 0xdb, 0xc3, 0xc3, 0xc3, 0xc3, 0xc3, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xc6, 0xe6, 0xf6, 0xfe, 0xde, 0xce, 0xc6, 0xc6, 0xc6, 0xc6,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6,
+0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0x66,
+0x66, 0x66, 0x7c, 0x60, 0x60, 0x60, 0x60, 0xf0, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xd6, 0xde, 0x7c,
+0x0c, 0x0e, 0x00, 0x00, 0x00, 0x00, 0xfc, 0x66, 0x66, 0x66, 0x7c, 0x6c,
+0x66, 0x66, 0x66, 0xe6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6,
+0xc6, 0x60, 0x38, 0x0c, 0x06, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xff, 0xdb, 0x99, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6,
+0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0xc3,
+0xc3, 0xc3, 0xc3, 0xc3, 0xc3, 0x66, 0x3c, 0x18, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xc3, 0xc3, 0xc3, 0xc3, 0xc3, 0xdb, 0xdb, 0xff, 0x66, 0x66,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0xc3, 0x66, 0x3c, 0x18, 0x18,
+0x3c, 0x66, 0xc3, 0xc3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0xc3,
+0xc3, 0x66, 0x3c, 0x18, 0x18, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xff, 0xc3, 0x86, 0x0c, 0x18, 0x30, 0x60, 0xc1, 0xc3, 0xff,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x30, 0x30, 0x30, 0x30, 0x30,
+0x30, 0x30, 0x30, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
+0xc0, 0xe0, 0x70, 0x38, 0x1c, 0x0e, 0x06, 0x02, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x3c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x3c,
+0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x6c, 0xc6, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00,
+0x30, 0x30, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x0c, 0x7c,
+0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x60,
+0x60, 0x78, 0x6c, 0x66, 0x66, 0x66, 0x66, 0x7c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc0, 0xc0, 0xc0, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x0c, 0x0c, 0x3c, 0x6c, 0xcc,
+0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x7c, 0xc6, 0xfe, 0xc0, 0xc0, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x38, 0x6c, 0x64, 0x60, 0xf0, 0x60, 0x60, 0x60, 0x60, 0xf0,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xcc, 0xcc,
+0xcc, 0xcc, 0xcc, 0x7c, 0x0c, 0xcc, 0x78, 0x00, 0x00, 0x00, 0xe0, 0x60,
+0x60, 0x6c, 0x76, 0x66, 0x66, 0x66, 0x66, 0xe6, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x18, 0x18, 0x00, 0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x06, 0x00, 0x0e, 0x06, 0x06,
+0x06, 0x06, 0x06, 0x06, 0x66, 0x66, 0x3c, 0x00, 0x00, 0x00, 0xe0, 0x60,
+0x60, 0x66, 0x6c, 0x78, 0x78, 0x6c, 0x66, 0xe6, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe6, 0xff, 0xdb,
+0xdb, 0xdb, 0xdb, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0xdc, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xdc, 0x66, 0x66,
+0x66, 0x66, 0x66, 0x7c, 0x60, 0x60, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x76, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x7c, 0x0c, 0x0c, 0x1e, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0xdc, 0x76, 0x66, 0x60, 0x60, 0x60, 0xf0,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0x60,
+0x38, 0x0c, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x30,
+0x30, 0xfc, 0x30, 0x30, 0x30, 0x30, 0x36, 0x1c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x76,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0xc3, 0xc3,
+0xc3, 0x66, 0x3c, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0xc3, 0xc3, 0xc3, 0xdb, 0xdb, 0xff, 0x66, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0x66, 0x3c, 0x18, 0x3c, 0x66, 0xc3,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc6, 0xc6, 0xc6,
+0xc6, 0xc6, 0xc6, 0x7e, 0x06, 0x0c, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0xfe, 0xcc, 0x18, 0x30, 0x60, 0xc6, 0xfe, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x0e, 0x18, 0x18, 0x18, 0x70, 0x18, 0x18, 0x18, 0x18, 0x0e,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0x00, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x18,
+0x18, 0x18, 0x0e, 0x18, 0x18, 0x18, 0x18, 0x70, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x76, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x6c, 0xc6,
+0xc6, 0xc6, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x66,
+0xc2, 0xc0, 0xc0, 0xc0, 0xc2, 0x66, 0x3c, 0x0c, 0x06, 0x7c, 0x00, 0x00,
+0x00, 0x00, 0xcc, 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x76,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x18, 0x30, 0x00, 0x7c, 0xc6, 0xfe,
+0xc0, 0xc0, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x6c,
+0x00, 0x78, 0x0c, 0x7c, 0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xcc, 0x00, 0x00, 0x78, 0x0c, 0x7c, 0xcc, 0xcc, 0xcc, 0x76,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x30, 0x18, 0x00, 0x78, 0x0c, 0x7c,
+0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x6c, 0x38,
+0x00, 0x78, 0x0c, 0x7c, 0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x3c, 0x66, 0x60, 0x60, 0x66, 0x3c, 0x0c, 0x06,
+0x3c, 0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x6c, 0x00, 0x7c, 0xc6, 0xfe,
+0xc0, 0xc0, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc6, 0x00,
+0x00, 0x7c, 0xc6, 0xfe, 0xc0, 0xc0, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x60, 0x30, 0x18, 0x00, 0x7c, 0xc6, 0xfe, 0xc0, 0xc0, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x38, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3c, 0x66,
+0x00, 0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x60, 0x30, 0x18, 0x00, 0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0xc6, 0x00, 0x10, 0x38, 0x6c, 0xc6, 0xc6,
+0xfe, 0xc6, 0xc6, 0xc6, 0x00, 0x00, 0x00, 0x00, 0x38, 0x6c, 0x38, 0x00,
+0x38, 0x6c, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0xc6, 0x00, 0x00, 0x00, 0x00,
+0x18, 0x30, 0x60, 0x00, 0xfe, 0x66, 0x60, 0x7c, 0x60, 0x60, 0x66, 0xfe,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6e, 0x3b, 0x1b,
+0x7e, 0xd8, 0xdc, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3e, 0x6c,
+0xcc, 0xcc, 0xfe, 0xcc, 0xcc, 0xcc, 0xcc, 0xce, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x10, 0x38, 0x6c, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc6, 0x00, 0x00, 0x7c, 0xc6, 0xc6,
+0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x30, 0x18,
+0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x30, 0x78, 0xcc, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x76,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x30, 0x18, 0x00, 0xcc, 0xcc, 0xcc,
+0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc6, 0x00,
+0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7e, 0x06, 0x0c, 0x78, 0x00,
+0x00, 0xc6, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0xc6, 0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6,
+0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x7e,
+0xc3, 0xc0, 0xc0, 0xc0, 0xc3, 0x7e, 0x18, 0x18, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x38, 0x6c, 0x64, 0x60, 0xf0, 0x60, 0x60, 0x60, 0x60, 0xe6, 0xfc,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0x66, 0x3c, 0x18, 0xff, 0x18,
+0xff, 0x18, 0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0x66, 0x66,
+0x7c, 0x62, 0x66, 0x6f, 0x66, 0x66, 0x66, 0xf3, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x0e, 0x1b, 0x18, 0x18, 0x18, 0x7e, 0x18, 0x18, 0x18, 0x18, 0x18,
+0xd8, 0x70, 0x00, 0x00, 0x00, 0x18, 0x30, 0x60, 0x00, 0x78, 0x0c, 0x7c,
+0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x18, 0x30,
+0x00, 0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x18, 0x30, 0x60, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x30, 0x60, 0x00, 0xcc, 0xcc, 0xcc,
+0xcc, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdc,
+0x00, 0xdc, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x00, 0x00, 0x00, 0x00,
+0x76, 0xdc, 0x00, 0xc6, 0xe6, 0xf6, 0xfe, 0xde, 0xce, 0xc6, 0xc6, 0xc6,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x6c, 0x6c, 0x3e, 0x00, 0x7e, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x6c, 0x6c,
+0x38, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x30, 0x30, 0x00, 0x30, 0x30, 0x60, 0xc0, 0xc6, 0xc6, 0x7c,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xc0,
+0xc0, 0xc0, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xfe, 0x06, 0x06, 0x06, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0xc0, 0xc0, 0xc2, 0xc6, 0xcc, 0x18, 0x30, 0x60, 0xce, 0x9b, 0x06,
+0x0c, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xc0, 0xc2, 0xc6, 0xcc, 0x18, 0x30,
+0x66, 0xce, 0x96, 0x3e, 0x06, 0x06, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18,
+0x00, 0x18, 0x18, 0x18, 0x3c, 0x3c, 0x3c, 0x18, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0x6c, 0xd8, 0x6c, 0x36, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd8, 0x6c, 0x36,
+0x6c, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x44, 0x11, 0x44,
+0x11, 0x44, 0x11, 0x44, 0x11, 0x44, 0x11, 0x44, 0x11, 0x44, 0x11, 0x44,
+0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa,
+0x55, 0xaa, 0x55, 0xaa, 0xdd, 0x77, 0xdd, 0x77, 0xdd, 0x77, 0xdd, 0x77,
+0xdd, 0x77, 0xdd, 0x77, 0xdd, 0x77, 0xdd, 0x77, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8, 0x18, 0xf8,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0xf6, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x18, 0xf8,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x36, 0x36, 0x36, 0x36,
+0x36, 0xf6, 0x06, 0xf6, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x06, 0xf6,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x36, 0xf6, 0x06, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0xfe, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8, 0x18, 0xf8,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0xf8, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x1f, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xff,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0xff, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x1f, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0xff, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x1f, 0x18, 0x1f, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x37,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x37, 0x30, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0x30, 0x37, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0xf7, 0x00, 0xff,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0xff, 0x00, 0xf7, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x37, 0x30, 0x37, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0xff,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0x36, 0x36, 0x36,
+0x36, 0xf7, 0x00, 0xf7, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x18, 0x18, 0x18, 0x18, 0x18, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0xff,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0xff, 0x00, 0xff, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x3f,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x1f, 0x18, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x1f, 0x18, 0x1f, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3f,
+0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x36, 0x36, 0x36, 0xff, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+0x18, 0x18, 0x18, 0x18, 0x18, 0xff, 0x18, 0xff, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x1f, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0, 0xf0, 0xf0, 0xf0,
+0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0,
+0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f,
+0x0f, 0x0f, 0x0f, 0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x76, 0xdc, 0xd8, 0xd8, 0xd8, 0xdc, 0x76, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x78, 0xcc, 0xcc, 0xcc, 0xd8, 0xcc, 0xc6, 0xc6, 0xc6, 0xcc,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xc6, 0xc6, 0xc0, 0xc0, 0xc0,
+0xc0, 0xc0, 0xc0, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0xfe, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0xfe, 0xc6, 0x60, 0x30, 0x18, 0x30, 0x60, 0xc6, 0xfe,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0xd8, 0xd8,
+0xd8, 0xd8, 0xd8, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x66, 0x66, 0x66, 0x66, 0x66, 0x7c, 0x60, 0x60, 0xc0, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x76, 0xdc, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0x18, 0x3c, 0x66, 0x66,
+0x66, 0x3c, 0x18, 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38,
+0x6c, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0x6c, 0x38, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x38, 0x6c, 0xc6, 0xc6, 0xc6, 0x6c, 0x6c, 0x6c, 0x6c, 0xee,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x30, 0x18, 0x0c, 0x3e, 0x66,
+0x66, 0x66, 0x66, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x7e, 0xdb, 0xdb, 0xdb, 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x03, 0x06, 0x7e, 0xdb, 0xdb, 0xf3, 0x7e, 0x60, 0xc0,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x30, 0x60, 0x60, 0x7c, 0x60,
+0x60, 0x60, 0x30, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c,
+0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x7e, 0x18,
+0x18, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30,
+0x18, 0x0c, 0x06, 0x0c, 0x18, 0x30, 0x00, 0x7e, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x0c, 0x18, 0x30, 0x60, 0x30, 0x18, 0x0c, 0x00, 0x7e,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x1b, 0x1b, 0x1b, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
+0x18, 0x18, 0x18, 0x18, 0xd8, 0xd8, 0xd8, 0x70, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x00, 0x7e, 0x00, 0x18, 0x18, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdc, 0x00,
+0x76, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x6c, 0x6c,
+0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x0c, 0x0c,
+0x0c, 0x0c, 0x0c, 0xec, 0x6c, 0x6c, 0x3c, 0x1c, 0x00, 0x00, 0x00, 0x00,
+0x00, 0xd8, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0xd8, 0x30, 0x60, 0xc8, 0xf8, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x7c, 0x7c, 0x7c, 0x7c, 0x7c, 0x7c, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00,
+};
diff --git a/arch/sparc/kernel/cpu.c b/arch/sparc/kernel/cpu.c
index 1446df90ef85..e447938d39cf 100644
--- a/arch/sparc/kernel/cpu.c
+++ b/arch/sparc/kernel/cpu.c
@@ -185,6 +185,17 @@ static const struct manufacturer_info __initconst manufacturer_info[] = {
                FPU(-1, NULL)
        }
 },{
+        0xF,            /* Aeroflex Gaisler */
+        .cpu_info = {
+                CPU(3, "LEON"),
+                CPU(-1, NULL)
+        },
+        .fpu_info = {
+                FPU(2, "GRFPU"),
+                FPU(3, "GRFPU-Lite"),
+                FPU(-1, NULL)
+        }
+},{
        0x17,
        .cpu_info = {
                CPU_PMU(0x10, "TI UltraSparc I   (SpitFire)", "ultra12"),
diff --git a/arch/sparc/kernel/entry.S b/arch/sparc/kernel/entry.S
index f41ecc5ac0b4..ec9c7bc67d21 100644
--- a/arch/sparc/kernel/entry.S
+++ b/arch/sparc/kernel/entry.S
@@ -400,6 +400,39 @@ linux_trap_ipi15_sun4d:
        /* FIXME */
 1:      b,a     1b
+#ifdef CONFIG_SPARC_LEON
+        .globl  smpleon_ticker
+        /* SMP per-cpu ticker interrupts are handled specially. */
+smpleon_ticker:
+        SAVE_ALL
+        or      %l0, PSR_PIL, %g2
+        wr      %g2, 0x0, %psr
+        WRITE_PAUSE
+        wr      %g2, PSR_ET, %psr
+        WRITE_PAUSE
+        call    leon_percpu_timer_interrupt
+         add    %sp, STACKFRAME_SZ, %o0
+        wr      %l0, PSR_ET, %psr
+        WRITE_PAUSE
+        RESTORE_ALL
+        .align  4
+        .globl  linux_trap_ipi15_leon
+linux_trap_ipi15_leon:
+        SAVE_ALL
+        or      %l0, PSR_PIL, %l4
+        wr      %l4, 0x0, %psr
+        WRITE_PAUSE
+        wr      %l4, PSR_ET, %psr
+        WRITE_PAUSE
+        call    leon_cross_call_irq
+         nop
+        b       ret_trap_lockless_ipi
+         clr    %l6
+#endif /* CONFIG_SPARC_LEON */
 #endif /* CONFIG_SMP */
        /* This routine handles illegal instructions and privileged
diff --git a/arch/sparc/kernel/head_32.S b/arch/sparc/kernel/head_32.S
index 439d82a95ac9..21bb2590d4ae 100644
--- a/arch/sparc/kernel/head_32.S
+++ b/arch/sparc/kernel/head_32.S
@@ -811,9 +811,31 @@ found_version:
 got_prop:
 #ifdef CONFIG_SPARC_LEON
                /* no cpu-type check is needed, it is a SPARC-LEON */
+#ifdef CONFIG_SMP
+                ba leon_smp_init
+                 nop
+                .global leon_smp_init
+leon_smp_init:
+                sethi   %hi(boot_cpu_id), %g1    ! master always 0
+                stb     %g0, [%g1 + %lo(boot_cpu_id)]
+                sethi   %hi(boot_cpu_id4), %g1   ! master always 0
+                stb     %g0, [%g1 + %lo(boot_cpu_id4)]
+                rd     %asr17,%g1
+                srl    %g1,28,%g1
+                cmp %g0,%g1
+                 beq sun4c_continue_boot         !continue with master
+                nop
+                ba leon_smp_cpu_startup
+                 nop
+#else
                ba sun4c_continue_boot
                 nop
 #endif
+#endif
                set     cputypval, %o2
                ldub    [%o2 + 0x4], %l1
diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c
index 9f61fd8cbb7b..3c8c44f6a41c 100644
--- a/arch/sparc/kernel/ioport.c
+++ b/arch/sparc/kernel/ioport.c
@@ -48,8 +48,13 @@
 #include <asm/dma.h>
 #include <asm/iommu.h>
 #include <asm/io-unit.h>
+#include <asm/leon.h>
+#ifdef CONFIG_SPARC_LEON
+#define mmu_inval_dma_area(p, l) leon_flush_dcache_all()
+#else
 #define mmu_inval_dma_area(p, l)        /* Anton pulled it out for 2.4.0-xx */
+#endif
 static struct resource *_sparc_find_resource(struct resource *r,
                                             unsigned long);
diff --git a/arch/sparc/kernel/irq_64.c b/arch/sparc/kernel/irq_64.c
index 8ab1d4728a4b..ce996f97855f 100644
--- a/arch/sparc/kernel/irq_64.c
+++ b/arch/sparc/kernel/irq_64.c
@@ -187,7 +187,7 @@ int show_interrupts(struct seq_file *p, void *v)
                for_each_online_cpu(j)
                        seq_printf(p, "%10u ", kstat_irqs_cpu(i, j));
 #endif
-                seq_printf(p, " %9s", irq_desc[i].chip->typename);
+                seq_printf(p, " %9s", irq_desc[i].chip->name);
                seq_printf(p, "  %s", action->name);
                for (action=action->next; action; action = action->next)
@@ -484,7 +484,7 @@ static void sun4v_virq_eoi(unsigned int virt_irq)
 }
 static struct irq_chip sun4u_irq = {
-        .typename       = "sun4u",
+        .name           = "sun4u",
        .enable         = sun4u_irq_enable,
        .disable        = sun4u_irq_disable,
        .eoi            = sun4u_irq_eoi,
@@ -492,7 +492,7 @@ static struct irq_chip sun4u_irq = {
 };
 static struct irq_chip sun4v_irq = {
-        .typename       = "sun4v",
+        .name           = "sun4v",
        .enable         = sun4v_irq_enable,
        .disable        = sun4v_irq_disable,
        .eoi            = sun4v_irq_eoi,
@@ -500,7 +500,7 @@ static struct irq_chip sun4v_irq = {
 };
 static struct irq_chip sun4v_virq = {
-        .typename       = "vsun4v",
+        .name           = "vsun4v",
        .enable         = sun4v_virq_enable,
        .disable        = sun4v_virq_disable,
        .eoi            = sun4v_virq_eoi,
diff --git a/arch/sparc/kernel/leon_kernel.c b/arch/sparc/kernel/leon_kernel.c
index 54d8a5bd4824..87f1760c0aa2 100644
--- a/arch/sparc/kernel/leon_kernel.c
+++ b/arch/sparc/kernel/leon_kernel.c
@@ -12,11 +12,14 @@
 #include <linux/of_platform.h>
 #include <linux/interrupt.h>
 #include <linux/of_device.h>
 #include <asm/oplib.h>
 #include <asm/timer.h>
 #include <asm/prom.h>
 #include <asm/leon.h>
 #include <asm/leon_amba.h>
+#include <asm/traps.h>
+#include <asm/cacheflush.h>
 #include "prom.h"
 #include "irq.h"
@@ -115,6 +118,21 @@ void __init leon_init_timers(irq_handler_t counter_fn)
                                      (((1000000 / 100) - 1)));
                LEON3_BYPASS_STORE_PA(&leon3_gptimer_regs->e[0].ctrl, 0);
+#ifdef CONFIG_SMP
+                leon_percpu_timer_dev[0].start = (int)leon3_gptimer_regs;
+                leon_percpu_timer_dev[0].irq = leon3_gptimer_irq+1;
+                if (!(LEON3_BYPASS_LOAD_PA(&leon3_gptimer_regs->config) &
+                      (1<<LEON3_GPTIMER_SEPIRQ))) {
+                        prom_printf("irq timer not configured with seperate irqs \n");
+                        BUG();
+                }
+                LEON3_BYPASS_STORE_PA(&leon3_gptimer_regs->e[1].val, 0);
+                LEON3_BYPASS_STORE_PA(&leon3_gptimer_regs->e[1].rld, (((1000000/100) - 1)));
+                LEON3_BYPASS_STORE_PA(&leon3_gptimer_regs->e[1].ctrl, 0);
+# endif
        } else {
                printk(KERN_ERR "No Timer/irqctrl found\n");
                BUG();
@@ -130,11 +148,41 @@ void __init leon_init_timers(irq_handler_t counter_fn)
                prom_halt();
        }
+# ifdef CONFIG_SMP
+        {
+                unsigned long flags;
+                struct tt_entry *trap_table = &sparc_ttable[SP_TRAP_IRQ1 + (leon_percpu_timer_dev[0].irq - 1)];
+                /* For SMP we use the level 14 ticker, however the bootup code
+                 * has copied the firmwares level 14 vector into boot cpu's
+                 * trap table, we must fix this now or we get squashed.
+                 */
+                local_irq_save(flags);
+                patchme_maybe_smp_msg[0] = 0x01000000; /* NOP out the branch */
+                /* Adjust so that we jump directly to smpleon_ticker */
+                trap_table->inst_three += smpleon_ticker - real_irq_entry;
+                local_flush_cache_all();
+                local_irq_restore(flags);
+        }
+# endif
        if (leon3_gptimer_regs) {
                LEON3_BYPASS_STORE_PA(&leon3_gptimer_regs->e[0].ctrl,
                                      LEON3_GPTIMER_EN |
                                      LEON3_GPTIMER_RL |
                                      LEON3_GPTIMER_LD | LEON3_GPTIMER_IRQEN);
+#ifdef CONFIG_SMP
+                LEON3_BYPASS_STORE_PA(&leon3_gptimer_regs->e[1].ctrl,
+                                      LEON3_GPTIMER_EN |
+                                      LEON3_GPTIMER_RL |
+                                      LEON3_GPTIMER_LD |
+                                      LEON3_GPTIMER_IRQEN);
+#endif
        }
 }
@@ -175,6 +223,42 @@ void __init leon_node_init(struct device_node *dp, struct device_node ***nextp)
        }
 }
+#ifdef CONFIG_SMP
+void leon_set_cpu_int(int cpu, int level)
+{
+        unsigned long mask;
+        mask = get_irqmask(level);
+        LEON3_BYPASS_STORE_PA(&leon3_irqctrl_regs->force[cpu], mask);
+}
+static void leon_clear_ipi(int cpu, int level)
+{
+        unsigned long mask;
+        mask = get_irqmask(level);
+        LEON3_BYPASS_STORE_PA(&leon3_irqctrl_regs->force[cpu], mask<<16);
+}
+static void leon_set_udt(int cpu)
+{
+}
+void leon_clear_profile_irq(int cpu)
+{
+}
+void leon_enable_irq_cpu(unsigned int irq_nr, unsigned int cpu)
+{
+        unsigned long mask, flags, *addr;
+        mask = get_irqmask(irq_nr);
+        local_irq_save(flags);
+        addr = (unsigned long *)&(leon3_irqctrl_regs->mask[cpu]);
+        LEON3_BYPASS_STORE_PA(addr, (LEON3_BYPASS_LOAD_PA(addr) | (mask)));
+        local_irq_restore(flags);
+}
+#endif
 void __init leon_init_IRQ(void)
 {
        sparc_init_timers = leon_init_timers;
diff --git a/arch/sparc/kernel/leon_smp.c b/arch/sparc/kernel/leon_smp.c
new file mode 100644
index 000000000000..05c0dadd6371
--- /dev/null
+++ b/arch/sparc/kernel/leon_smp.c
@@ -0,0 +1,468 @@
+/* leon_smp.c: Sparc-Leon SMP support.
+ *
+ * based on sun4m_smp.c
+ * Copyright (C) 1996 David S. Miller (davem@caip.rutgers.edu)
+ * Copyright (C) 2009 Daniel Hellstrom (daniel@gaisler.com) Aeroflex Gaisler AB
+ * Copyright (C) 2009 Konrad Eisele (konrad@gaisler.com) Aeroflex Gaisler AB
+ */
+#include <asm/head.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/threads.h>
+#include <linux/smp.h>
+#include <linux/smp_lock.h>
+#include <linux/interrupt.h>
+#include <linux/kernel_stat.h>
+#include <linux/init.h>
+#include <linux/spinlock.h>
+#include <linux/mm.h>
+#include <linux/swap.h>
+#include <linux/profile.h>
+#include <linux/pm.h>
+#include <linux/delay.h>
+#include <asm/cacheflush.h>
+#include <asm/tlbflush.h>
+#include <asm/ptrace.h>
+#include <asm/atomic.h>
+#include <asm/irq_regs.h>
+#include <asm/delay.h>
+#include <asm/irq.h>
+#include <asm/page.h>
+#include <asm/pgalloc.h>
+#include <asm/pgtable.h>
+#include <asm/oplib.h>
+#include <asm/cpudata.h>
+#include <asm/asi.h>
+#include <asm/leon.h>
+#include <asm/leon_amba.h>
+#ifdef CONFIG_SPARC_LEON
+#include "irq.h"
+extern ctxd_t *srmmu_ctx_table_phys;
+static int smp_processors_ready;
+extern volatile unsigned long cpu_callin_map[NR_CPUS];
+extern unsigned char boot_cpu_id;
+extern cpumask_t smp_commenced_mask;
+void __init leon_configure_cache_smp(void);
+static inline unsigned long do_swap(volatile unsigned long *ptr,
+                                    unsigned long val)
+{
+        __asm__ __volatile__("swapa [%1] %2, %0\n\t" : "=&r"(val)
+                             : "r"(ptr), "i"(ASI_LEON_DCACHE_MISS)
+                             : "memory");
+        return val;
+}
+static void smp_setup_percpu_timer(void);
+void __cpuinit leon_callin(void)
+{
+        int cpuid = hard_smpleon_processor_id();
+        local_flush_cache_all();
+        local_flush_tlb_all();
+        leon_configure_cache_smp();
+        /* Get our local ticker going. */
+        smp_setup_percpu_timer();
+        calibrate_delay();
+        smp_store_cpu_info(cpuid);
+        local_flush_cache_all();
+        local_flush_tlb_all();
+        /*
+         * Unblock the master CPU _only_ when the scheduler state
+         * of all secondary CPUs will be up-to-date, so after
+         * the SMP initialization the master will be just allowed
+         * to call the scheduler code.
+         * Allow master to continue.
+         */
+        do_swap(&cpu_callin_map[cpuid], 1);
+        local_flush_cache_all();
+        local_flush_tlb_all();
+        cpu_probe();
+        /* Fix idle thread fields. */
+        __asm__ __volatile__("ld [%0], %%g6\n\t" : : "r"(&current_set[cpuid])
+                             : "memory" /* paranoid */);
+        /* Attach to the address space of init_task. */
+        atomic_inc(&init_mm.mm_count);
+        current->active_mm = &init_mm;
+        while (!cpu_isset(cpuid, smp_commenced_mask))
+                mb();
+        local_irq_enable();
+        cpu_set(cpuid, cpu_online_map);
+}
+/*
+ *      Cycle through the processors asking the PROM to start each one.
+ */
+extern struct linux_prom_registers smp_penguin_ctable;
+void __init leon_configure_cache_smp(void)
+{
+        unsigned long cfg = sparc_leon3_get_dcachecfg();
+        int me = smp_processor_id();
+        if (ASI_LEON3_SYSCTRL_CFG_SSIZE(cfg) > 4) {
+                printk(KERN_INFO "Note: SMP with snooping only works on 4k cache, found %dk(0x%x) on cpu %d, disabling caches\n",
+                     (unsigned int)ASI_LEON3_SYSCTRL_CFG_SSIZE(cfg),
+                     (unsigned int)cfg, (unsigned int)me);
+                sparc_leon3_disable_cache();
+        } else {
+                if (cfg & ASI_LEON3_SYSCTRL_CFG_SNOOPING) {
+                        sparc_leon3_enable_snooping();
+                } else {
+                        printk(KERN_INFO "Note: You have to enable snooping in the vhdl model cpu %d, disabling caches\n",
+                             me);
+                        sparc_leon3_disable_cache();
+                }
+        }
+        local_flush_cache_all();
+        local_flush_tlb_all();
+}
+void leon_smp_setbroadcast(unsigned int mask)
+{
+        int broadcast =
+            ((LEON3_BYPASS_LOAD_PA(&(leon3_irqctrl_regs->mpstatus)) >>
+              LEON3_IRQMPSTATUS_BROADCAST) & 1);
+        if (!broadcast) {
+                prom_printf("######## !!!! The irqmp-ctrl must have broadcast enabled, smp wont work !!!!! ####### nr cpus: %d\n",
+                     leon_smp_nrcpus());
+                if (leon_smp_nrcpus() > 1) {
+                        BUG();
+                } else {
+                        prom_printf("continue anyway\n");
+                        return;
+                }
+        }
+        LEON_BYPASS_STORE_PA(&(leon3_irqctrl_regs->mpbroadcast), mask);
+}
+unsigned int leon_smp_getbroadcast(void)
+{
+        unsigned int mask;
+        mask = LEON_BYPASS_LOAD_PA(&(leon3_irqctrl_regs->mpbroadcast));
+        return mask;
+}
+int leon_smp_nrcpus(void)
+{
+        int nrcpu =
+            ((LEON3_BYPASS_LOAD_PA(&(leon3_irqctrl_regs->mpstatus)) >>
+              LEON3_IRQMPSTATUS_CPUNR) & 0xf) + 1;
+        return nrcpu;
+}
+void __init leon_boot_cpus(void)
+{
+        int nrcpu = leon_smp_nrcpus();
+        int me = smp_processor_id();
+        printk(KERN_INFO "%d:(%d:%d) cpus mpirq at 0x%x \n", (unsigned int)me,
+               (unsigned int)nrcpu, (unsigned int)NR_CPUS,
+               (unsigned int)&(leon3_irqctrl_regs->mpstatus));
+        leon_enable_irq_cpu(LEON3_IRQ_CROSS_CALL, me);
+        leon_enable_irq_cpu(LEON3_IRQ_TICKER, me);
+        leon_enable_irq_cpu(LEON3_IRQ_RESCHEDULE, me);
+        leon_smp_setbroadcast(1 << LEON3_IRQ_TICKER);
+        leon_configure_cache_smp();
+        smp_setup_percpu_timer();
+        local_flush_cache_all();
+}
+int __cpuinit leon_boot_one_cpu(int i)
+{
+        struct task_struct *p;
+        int timeout;
+        /* Cook up an idler for this guy. */
+        p = fork_idle(i);
+        current_set[i] = task_thread_info(p);
+        /* See trampoline.S:leon_smp_cpu_startup for details...
+         * Initialize the contexts table
+         * Since the call to prom_startcpu() trashes the structure,
+         * we need to re-initialize it for each cpu
+         */
+        smp_penguin_ctable.which_io = 0;
+        smp_penguin_ctable.phys_addr = (unsigned int)srmmu_ctx_table_phys;
+        smp_penguin_ctable.reg_size = 0;
+        /* whirrr, whirrr, whirrrrrrrrr... */
+        printk(KERN_INFO "Starting CPU %d : (irqmp: 0x%x)\n", (unsigned int)i,
+               (unsigned int)&leon3_irqctrl_regs->mpstatus);
+        local_flush_cache_all();
+        LEON_BYPASS_STORE_PA(&(leon3_irqctrl_regs->mpstatus), 1 << i);
+        /* wheee... it's going... */
+        for (timeout = 0; timeout < 10000; timeout++) {
+                if (cpu_callin_map[i])
+                        break;
+                udelay(200);
+        }
+        printk(KERN_INFO "Started CPU %d \n", (unsigned int)i);
+        if (!(cpu_callin_map[i])) {
+                printk(KERN_ERR "Processor %d is stuck.\n", i);
+                return -ENODEV;
+        } else {
+                leon_enable_irq_cpu(LEON3_IRQ_CROSS_CALL, i);
+                leon_enable_irq_cpu(LEON3_IRQ_TICKER, i);
+                leon_enable_irq_cpu(LEON3_IRQ_RESCHEDULE, i);
+        }
+        local_flush_cache_all();
+        return 0;
+}
+void __init leon_smp_done(void)
+{
+        int i, first;
+        int *prev;
+        /* setup cpu list for irq rotation */
+        first = 0;
+        prev = &first;
+        for (i = 0; i < NR_CPUS; i++) {
+                if (cpu_online(i)) {
+                        *prev = i;
+                        prev = &cpu_data(i).next;
+                }
+        }
+        *prev = first;
+        local_flush_cache_all();
+        /* Free unneeded trap tables */
+        if (!cpu_isset(1, cpu_present_map)) {
+                ClearPageReserved(virt_to_page(trapbase_cpu1));
+                init_page_count(virt_to_page(trapbase_cpu1));
+                free_page((unsigned long)trapbase_cpu1);
+                totalram_pages++;
+                num_physpages++;
+        }
+        if (!cpu_isset(2, cpu_present_map)) {
+                ClearPageReserved(virt_to_page(trapbase_cpu2));
+                init_page_count(virt_to_page(trapbase_cpu2));
+                free_page((unsigned long)trapbase_cpu2);
+                totalram_pages++;
+                num_physpages++;
+        }
+        if (!cpu_isset(3, cpu_present_map)) {
+                ClearPageReserved(virt_to_page(trapbase_cpu3));
+                init_page_count(virt_to_page(trapbase_cpu3));
+                free_page((unsigned long)trapbase_cpu3);
+                totalram_pages++;
+                num_physpages++;
+        }
+        /* Ok, they are spinning and ready to go. */
+        smp_processors_ready = 1;
+}
+void leon_irq_rotate(int cpu)
+{
+}
+static struct smp_funcall {
+        smpfunc_t func;
+        unsigned long arg1;
+        unsigned long arg2;
+        unsigned long arg3;
+        unsigned long arg4;
+        unsigned long arg5;
+        unsigned long processors_in[NR_CPUS];   /* Set when ipi entered. */
+        unsigned long processors_out[NR_CPUS];  /* Set when ipi exited. */
+} ccall_info;
+static DEFINE_SPINLOCK(cross_call_lock);
+/* Cross calls must be serialized, at least currently. */
+static void leon_cross_call(smpfunc_t func, cpumask_t mask, unsigned long arg1,
+                            unsigned long arg2, unsigned long arg3,
+                            unsigned long arg4)
+{
+        if (smp_processors_ready) {
+                register int high = NR_CPUS - 1;
+                unsigned long flags;
+                spin_lock_irqsave(&cross_call_lock, flags);
+                {
+                        /* If you make changes here, make sure gcc generates proper code... */
+                        register smpfunc_t f asm("i0") = func;
+                        register unsigned long a1 asm("i1") = arg1;
+                        register unsigned long a2 asm("i2") = arg2;
+                        register unsigned long a3 asm("i3") = arg3;
+                        register unsigned long a4 asm("i4") = arg4;
+                        register unsigned long a5 asm("i5") = 0;
+                        __asm__ __volatile__("std %0, [%6]\n\t"
+                                             "std %2, [%6 + 8]\n\t"
+                                             "std %4, [%6 + 16]\n\t" : :
+                                             "r"(f), "r"(a1), "r"(a2), "r"(a3),
+                                             "r"(a4), "r"(a5),
+                                             "r"(&ccall_info.func));
+                }
+                /* Init receive/complete mapping, plus fire the IPI's off. */
+                {
+                        register int i;
+                        cpu_clear(smp_processor_id(), mask);
+                        cpus_and(mask, cpu_online_map, mask);
+                        for (i = 0; i <= high; i++) {
+                                if (cpu_isset(i, mask)) {
+                                        ccall_info.processors_in[i] = 0;
+                                        ccall_info.processors_out[i] = 0;
+                                        set_cpu_int(i, LEON3_IRQ_CROSS_CALL);
+                                }
+                        }
+                }
+                {
+                        register int i;
+                        i = 0;
+                        do {
+                                if (!cpu_isset(i, mask))
+                                        continue;
+                                while (!ccall_info.processors_in[i])
+                                        barrier();
+                        } while (++i <= high);
+                        i = 0;
+                        do {
+                                if (!cpu_isset(i, mask))
+                                        continue;
+                                while (!ccall_info.processors_out[i])
+                                        barrier();
+                        } while (++i <= high);
+                }
+                spin_unlock_irqrestore(&cross_call_lock, flags);
+        }
+}
+/* Running cross calls. */
+void leon_cross_call_irq(void)
+{
+        int i = smp_processor_id();
+        ccall_info.processors_in[i] = 1;
+        ccall_info.func(ccall_info.arg1, ccall_info.arg2, ccall_info.arg3,
+                        ccall_info.arg4, ccall_info.arg5);
+        ccall_info.processors_out[i] = 1;
+}
+void leon_percpu_timer_interrupt(struct pt_regs *regs)
+{
+        struct pt_regs *old_regs;
+        int cpu = smp_processor_id();
+        old_regs = set_irq_regs(regs);
+        leon_clear_profile_irq(cpu);
+        profile_tick(CPU_PROFILING);
+        if (!--prof_counter(cpu)) {
+                int user = user_mode(regs);
+                irq_enter();
+                update_process_times(user);
+                irq_exit();
+                prof_counter(cpu) = prof_multiplier(cpu);
+        }
+        set_irq_regs(old_regs);
+}
+static void __init smp_setup_percpu_timer(void)
+{
+        int cpu = smp_processor_id();
+        prof_counter(cpu) = prof_multiplier(cpu) = 1;
+}
+void __init leon_blackbox_id(unsigned *addr)
+{
+        int rd = *addr & 0x3e000000;
+        int rs1 = rd >> 11;
+        /* patch places where ___b_hard_smp_processor_id appears */
+        addr[0] = 0x81444000 | rd;      /* rd %asr17, reg */
+        addr[1] = 0x8130201c | rd | rs1;        /* srl reg, 0x1c, reg */
+        addr[2] = 0x01000000;   /* nop */
+}
+void __init leon_blackbox_current(unsigned *addr)
+{
+        int rd = *addr & 0x3e000000;
+        int rs1 = rd >> 11;
+        /* patch LOAD_CURRENT macro where ___b_load_current appears */
+        addr[0] = 0x81444000 | rd;      /* rd %asr17, reg */
+        addr[2] = 0x8130201c | rd | rs1;        /* srl reg, 0x1c, reg */
+        addr[4] = 0x81282002 | rd | rs1;        /* sll reg, 0x2, reg */
+}
+/*
+ * CPU idle callback function
+ * See .../arch/sparc/kernel/process.c
+ */
+void pmc_leon_idle(void)
+{
+        __asm__ volatile ("mov %g0, %asr19");
+}
+void __init leon_init_smp(void)
+{
+        /* Patch ipi15 trap table */
+        t_nmi[1] = t_nmi[1] + (linux_trap_ipi15_leon - linux_trap_ipi15_sun4m);
+        BTFIXUPSET_BLACKBOX(hard_smp_processor_id, leon_blackbox_id);
+        BTFIXUPSET_BLACKBOX(load_current, leon_blackbox_current);
+        BTFIXUPSET_CALL(smp_cross_call, leon_cross_call, BTFIXUPCALL_NORM);
+        BTFIXUPSET_CALL(__hard_smp_processor_id, __leon_processor_id,
+                        BTFIXUPCALL_NORM);
+#ifndef PMC_NO_IDLE
+        /* Assign power management IDLE handler */
+        pm_idle = pmc_leon_idle;
+        printk(KERN_INFO "leon: power management initialized\n");
+#endif
+}
+#endif /* CONFIG_SPARC_LEON */
diff --git a/arch/sparc/kernel/pci_msi.c b/arch/sparc/kernel/pci_msi.c
index f1be37a7b123..e1b0541feb19 100644
--- a/arch/sparc/kernel/pci_msi.c
+++ b/arch/sparc/kernel/pci_msi.c
@@ -112,7 +112,7 @@ static void free_msi(struct pci_pbm_info *pbm, int msi_num)
 }
 static struct irq_chip msi_irq = {
-        .typename       = "PCI-MSI",
+        .name           = "PCI-MSI",
        .mask           = mask_msi_irq,
        .unmask         = unmask_msi_irq,
        .enable         = unmask_msi_irq,
diff --git a/arch/sparc/kernel/setup_64.c b/arch/sparc/kernel/setup_64.c
index 21180339cb09..a2a79e76344f 100644
--- a/arch/sparc/kernel/setup_64.c
+++ b/arch/sparc/kernel/setup_64.c
@@ -46,6 +46,7 @@
 #include <asm/setup.h>
 #include <asm/mmu.h>
 #include <asm/ns87303.h>
+#include <asm/btext.h>
 #ifdef CONFIG_IP_PNP
 #include <net/ipconfig.h>
@@ -286,7 +287,10 @@ void __init setup_arch(char **cmdline_p)
        parse_early_param();
        boot_flags_init(*cmdline_p);
-        register_console(&prom_early_console);
+#ifdef CONFIG_EARLYFB
+        if (btext_find_display())
+#endif
+                register_console(&prom_early_console);
        if (tlb_type == hypervisor)
                printk("ARCH: SUN4V\n");
diff --git a/arch/sparc/kernel/smp_32.c b/arch/sparc/kernel/smp_32.c
index 132d81fb2616..91c10fb70858 100644
--- a/arch/sparc/kernel/smp_32.c
+++ b/arch/sparc/kernel/smp_32.c
@@ -32,6 +32,7 @@
 #include <asm/cacheflush.h>
 #include <asm/tlbflush.h>
 #include <asm/cpudata.h>
+#include <asm/leon.h>
 #include "irq.h"
@@ -96,6 +97,9 @@ void __init smp_cpus_done(unsigned int max_cpus)
        case sun4d:
                smp4d_smp_done();
                break;
+        case sparc_leon:
+                leon_smp_done();
+                break;
        case sun4e:
                printk("SUN4E\n");
                BUG();
@@ -306,6 +310,9 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
        case sun4d:
                smp4d_boot_cpus();
                break;
+        case sparc_leon:
+                leon_boot_cpus();
+                break;
        case sun4e:
                printk("SUN4E\n");
                BUG();
@@ -376,6 +383,9 @@ int __cpuinit __cpu_up(unsigned int cpu)
        case sun4d:
                ret = smp4d_boot_one_cpu(cpu);
                break;
+        case sparc_leon:
+                ret = leon_boot_one_cpu(cpu);
+                break;
        case sun4e:
                printk("SUN4E\n");
                BUG();
diff --git a/arch/sparc/kernel/sys_sparc32.c b/arch/sparc/kernel/sys_sparc32.c
index 04e28b2671c8..00abe87e5b51 100644
--- a/arch/sparc/kernel/sys_sparc32.c
+++ b/arch/sparc/kernel/sys_sparc32.c
@@ -26,11 +26,6 @@
 #include <linux/nfs_fs.h>
 #include <linux/quota.h>
 #include <linux/module.h>
-#include <linux/sunrpc/svc.h>
-#include <linux/nfsd/nfsd.h>
-#include <linux/nfsd/cache.h>
-#include <linux/nfsd/xdr.h>
-#include <linux/nfsd/syscall.h>
 #include <linux/poll.h>
 #include <linux/personality.h>
 #include <linux/stat.h>
@@ -591,63 +586,6 @@ out:
        return ret;       
 }
-struct __sysctl_args32 {
-        u32 name;
-        int nlen;
-        u32 oldval;
-        u32 oldlenp;
-        u32 newval;
-        u32 newlen;
-        u32 __unused[4];
-};
-asmlinkage long sys32_sysctl(struct __sysctl_args32 __user *args)
-{
-#ifndef CONFIG_SYSCTL_SYSCALL
-        return -ENOSYS;
-#else
-        struct __sysctl_args32 tmp;
-        int error;
-        size_t oldlen, __user *oldlenp = NULL;
-        unsigned long addr = (((unsigned long)&args->__unused[0]) + 7UL) & ~7UL;
-        if (copy_from_user(&tmp, args, sizeof(tmp)))
-                return -EFAULT;
-        if (tmp.oldval && tmp.oldlenp) {
-                /* Duh, this is ugly and might not work if sysctl_args
-                   is in read-only memory, but do_sysctl does indirectly
-                   a lot of uaccess in both directions and we'd have to
-                   basically copy the whole sysctl.c here, and
-                   glibc's __sysctl uses rw memory for the structure
-                   anyway.  */
-                if (get_user(oldlen, (u32 __user *)(unsigned long)tmp.oldlenp) ||
-                    put_user(oldlen, (size_t __user *)addr))
-                        return -EFAULT;
-                oldlenp = (size_t __user *)addr;
-        }
-        lock_kernel();
-        error = do_sysctl((int __user *)(unsigned long) tmp.name,
-                          tmp.nlen,
-                          (void __user *)(unsigned long) tmp.oldval,
-                          oldlenp,
-                          (void __user *)(unsigned long) tmp.newval,
-                          tmp.newlen);
-        unlock_kernel();
-        if (oldlenp) {
-                if (!error) {
-                        if (get_user(oldlen, (size_t __user *)addr) ||
-                            put_user(oldlen, (u32 __user *)(unsigned long) tmp.oldlenp))
-                                error = -EFAULT;
-                }
-                if (copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
-                        error = -EFAULT;
-        }
-        return error;
-#endif
-}
 long sys32_lookup_dcookie(unsigned long cookie_high,
                          unsigned long cookie_low,
                          char __user *buf, size_t len)
diff --git a/arch/sparc/kernel/systbls_32.S b/arch/sparc/kernel/systbls_32.S
index 0f1658d37490..ceb1530f8aa6 100644
--- a/arch/sparc/kernel/systbls_32.S
+++ b/arch/sparc/kernel/systbls_32.S
@@ -82,5 +82,5 @@ sys_call_table:
 /*310*/ .long sys_utimensat, sys_signalfd, sys_timerfd_create, sys_eventfd, sys_fallocate
 /*315*/ .long sys_timerfd_settime, sys_timerfd_gettime, sys_signalfd4, sys_eventfd2, sys_epoll_create1
 /*320*/ .long sys_dup3, sys_pipe2, sys_inotify_init1, sys_accept4, sys_preadv
-/*325*/ .long sys_pwritev, sys_rt_tgsigqueueinfo, sys_perf_event_open
+/*325*/ .long sys_pwritev, sys_rt_tgsigqueueinfo, sys_perf_event_open, sys_recvmmsg
diff --git a/arch/sparc/kernel/systbls_64.S b/arch/sparc/kernel/systbls_64.S
index 009825f6e73c..cc8e7862e95a 100644
--- a/arch/sparc/kernel/systbls_64.S
+++ b/arch/sparc/kernel/systbls_64.S
@@ -68,7 +68,7 @@ sys_call_table32:
        .word compat_sys_fstatfs64, sys_llseek, sys_mlock, sys_munlock, sys32_mlockall
 /*240*/ .word sys_munlockall, sys32_sched_setparam, sys32_sched_getparam, sys32_sched_setscheduler, sys32_sched_getscheduler
        .word sys_sched_yield, sys32_sched_get_priority_max, sys32_sched_get_priority_min, sys32_sched_rr_get_interval, compat_sys_nanosleep
-/*250*/ .word sys32_mremap, sys32_sysctl, sys32_getsid, sys_fdatasync, sys32_nfsservctl
+/*250*/ .word sys32_mremap, compat_sys_sysctl, sys32_getsid, sys_fdatasync, sys32_nfsservctl
        .word sys32_sync_file_range, compat_sys_clock_settime, compat_sys_clock_gettime, compat_sys_clock_getres, sys32_clock_nanosleep
 /*260*/ .word compat_sys_sched_getaffinity, compat_sys_sched_setaffinity, sys32_timer_settime, compat_sys_timer_gettime, sys_timer_getoverrun
        .word sys_timer_delete, compat_sys_timer_create, sys_ni_syscall, compat_sys_io_setup, sys_io_destroy
@@ -83,7 +83,7 @@ sys_call_table32:
 /*310*/ .word compat_sys_utimensat, compat_sys_signalfd, sys_timerfd_create, sys_eventfd, compat_sys_fallocate
        .word compat_sys_timerfd_settime, compat_sys_timerfd_gettime, compat_sys_signalfd4, sys_eventfd2, sys_epoll_create1
 /*320*/ .word sys_dup3, sys_pipe2, sys_inotify_init1, sys_accept4, compat_sys_preadv
-        .word compat_sys_pwritev, compat_sys_rt_tgsigqueueinfo, sys_perf_event_open
+        .word compat_sys_pwritev, compat_sys_rt_tgsigqueueinfo, sys_perf_event_open, compat_sys_recvmmsg
 #endif /* CONFIG_COMPAT */
@@ -158,4 +158,4 @@ sys_call_table:
 /*310*/ .word sys_utimensat, sys_signalfd, sys_timerfd_create, sys_eventfd, sys_fallocate
        .word sys_timerfd_settime, sys_timerfd_gettime, sys_signalfd4, sys_eventfd2, sys_epoll_create1
 /*320*/ .word sys_dup3, sys_pipe2, sys_inotify_init1, sys_accept4, sys_preadv
-        .word sys_pwritev, sys_rt_tgsigqueueinfo, sys_perf_event_open
+        .word sys_pwritev, sys_rt_tgsigqueueinfo, sys_perf_event_open, sys_recvmmsg
diff --git a/arch/sparc/kernel/time_32.c b/arch/sparc/kernel/time_32.c
index 614ac7b4a9dd..5b2f595fe65b 100644
--- a/arch/sparc/kernel/time_32.c
+++ b/arch/sparc/kernel/time_32.c
@@ -210,9 +210,6 @@ static void __init sbus_time_init(void)
        btfixup();
        sparc_init_timers(timer_interrupt);
-        
-        /* Now that OBP ticker has been silenced, it is safe to enable IRQ. */
-        local_irq_enable();
 }
 void __init time_init(void)
diff --git a/arch/sparc/kernel/trampoline_32.S b/arch/sparc/kernel/trampoline_32.S
index 5e235c52d667..691f484e03b3 100644
--- a/arch/sparc/kernel/trampoline_32.S
+++ b/arch/sparc/kernel/trampoline_32.S
@@ -15,7 +15,7 @@
 #include <asm/contregs.h>
 #include <asm/thread_info.h>
-        .globl sun4m_cpu_startup, __smp4m_processor_id
+        .globl sun4m_cpu_startup, __smp4m_processor_id, __leon_processor_id
        .globl sun4d_cpu_startup, __smp4d_processor_id
        __CPUINIT
@@ -106,6 +106,12 @@ __smp4d_processor_id:
        retl
         mov    %g1, %o7
+__leon_processor_id:
+        rd     %asr17,%g2
+        srl    %g2,28,%g2
+        retl
+         mov    %g1, %o7
 /* CPUID in bootbus can be found at PA 0xff0140000 */
 #define SUN4D_BOOTBUS_CPUID     0xf0140000
@@ -160,3 +166,64 @@ sun4d_cpu_startup:
         nop
        b,a     smp_do_cpu_idle
+#ifdef CONFIG_SPARC_LEON
+        __CPUINIT
+        .align  4
+        .global leon_smp_cpu_startup, smp_penguin_ctable
+leon_smp_cpu_startup:
+        set smp_penguin_ctable,%g1
+        ld [%g1+4],%g1
+        srl %g1,4,%g1
+        set 0x00000100,%g5 /* SRMMU_CTXTBL_PTR */
+        sta %g1, [%g5] ASI_M_MMUREGS
+        /* Set up a sane %psr -- PIL<0xf> S<0x1> PS<0x1> CWP<0x0> */
+        set     (PSR_PIL | PSR_S | PSR_PS), %g1
+        wr      %g1, 0x0, %psr          ! traps off though
+        WRITE_PAUSE
+        /* Our %wim is one behind CWP */
+        mov     2, %g1
+        wr      %g1, 0x0, %wim
+        WRITE_PAUSE
+        /* Set tbr - we use just one trap table. */
+        set     trapbase, %g1
+        wr      %g1, 0x0, %tbr
+        WRITE_PAUSE
+        /* Get our CPU id */
+        rd     %asr17,%g3
+        /* Give ourselves a stack and curptr. */
+        set     current_set, %g5
+        srl     %g3, 28, %g4
+        sll     %g4, 2, %g4
+        ld      [%g5 + %g4], %g6
+        sethi   %hi(THREAD_SIZE - STACKFRAME_SZ), %sp
+        or      %sp, %lo(THREAD_SIZE - STACKFRAME_SZ), %sp
+        add     %g6, %sp, %sp
+        /* Turn on traps (PSR_ET). */
+        rd      %psr, %g1
+        wr      %g1, PSR_ET, %psr       ! traps on
+        WRITE_PAUSE
+        /* Init our caches, etc. */
+        set     poke_srmmu, %g5
+        ld      [%g5], %g5
+        call    %g5
+         nop
+        /* Start this processor. */
+        call    leon_callin
+         nop
+        b,a     smp_do_cpu_idle
+#endif
diff --git a/arch/sparc/mm/srmmu.c b/arch/sparc/mm/srmmu.c
index 509b1ffeba66..367321a030dd 100644
--- a/arch/sparc/mm/srmmu.c
+++ b/arch/sparc/mm/srmmu.c
@@ -1990,7 +1990,7 @@ void __init poke_leonsparc(void)
 void __init init_leon(void)
 {
-        srmmu_name = "Leon";
+        srmmu_name = "LEON";
        BTFIXUPSET_CALL(flush_cache_all, leon_flush_cache_all,
                        BTFIXUPCALL_NORM);
@@ -2037,8 +2037,6 @@ static void __init get_srmmu_type(void)
        /* First, check for sparc-leon. */
        if (sparc_cpu_model == sparc_leon) {
-                psr_typ = 0xf;  /* hardcoded ids for older models/simulators */
-                psr_vers = 2;
                init_leon();
                return;
        }
@@ -2301,7 +2299,8 @@ void __init ld_mmu_srmmu(void)
        BTFIXUPSET_CALL(flush_cache_mm, smp_flush_cache_mm, BTFIXUPCALL_NORM);
        BTFIXUPSET_CALL(flush_cache_range, smp_flush_cache_range, BTFIXUPCALL_NORM);
        BTFIXUPSET_CALL(flush_cache_page, smp_flush_cache_page, BTFIXUPCALL_NORM);
-        if (sparc_cpu_model != sun4d) {
+        if (sparc_cpu_model != sun4d &&
+            sparc_cpu_model != sparc_leon) {
                BTFIXUPSET_CALL(flush_tlb_all, smp_flush_tlb_all, BTFIXUPCALL_NORM);
                BTFIXUPSET_CALL(flush_tlb_mm, smp_flush_tlb_mm, BTFIXUPCALL_NORM);
                BTFIXUPSET_CALL(flush_tlb_range, smp_flush_tlb_range, BTFIXUPCALL_NORM);
@@ -2330,6 +2329,8 @@ void __init ld_mmu_srmmu(void)
 #ifdef CONFIG_SMP
        if (sparc_cpu_model == sun4d)
                sun4d_init_smp();
+        else if (sparc_cpu_model == sparc_leon)
+                leon_init_smp();
        else
                sun4m_init_smp();
 #endif
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 178084b4377c..1b2182b4d5c8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -51,6 +51,7 @@ config X86
        select HAVE_KERNEL_LZMA
        select HAVE_HW_BREAKPOINT
        select HAVE_ARCH_KMEMCHECK
+        select HAVE_USER_RETURN_NOTIFIER
 config OUTPUT_FORMAT
        string
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 581b0568fe19..4eefdca9832b 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -653,7 +653,7 @@ ia32_sys_call_table:
        .quad compat_sys_writev
        .quad sys_getsid
        .quad sys_fdatasync
-        .quad sys32_sysctl      /* sysctl */
+        .quad compat_sys_sysctl /* sysctl */
        .quad sys_mlock         /* 150 */
        .quad sys_munlock
        .quad sys_mlockall
@@ -841,4 +841,5 @@ ia32_sys_call_table:
        .quad compat_sys_pwritev
        .quad compat_sys_rt_tgsigqueueinfo      /* 335 */
        .quad sys_perf_event_open
+        .quad compat_sys_recvmmsg
 ia32_syscall_end:
diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
index 9f5527198825..df82c0e48ded 100644
--- a/arch/x86/ia32/sys_ia32.c
+++ b/arch/x86/ia32/sys_ia32.c
@@ -434,62 +434,6 @@ asmlinkage long sys32_rt_sigqueueinfo(int pid, int sig,
        return ret;
 }
-#ifdef CONFIG_SYSCTL_SYSCALL
-struct sysctl_ia32 {
-        unsigned int    name;
-        int             nlen;
-        unsigned int    oldval;
-        unsigned int    oldlenp;
-        unsigned int    newval;
-        unsigned int    newlen;
-        unsigned int    __unused[4];
-};
-asmlinkage long sys32_sysctl(struct sysctl_ia32 __user *args32)
-{
-        struct sysctl_ia32 a32;
-        mm_segment_t old_fs = get_fs();
-        void __user *oldvalp, *newvalp;
-        size_t oldlen;
-        int __user *namep;
-        long ret;
-        if (copy_from_user(&a32, args32, sizeof(a32)))
-                return -EFAULT;
-        /*
-         * We need to pre-validate these because we have to disable
-         * address checking before calling do_sysctl() because of
-         * OLDLEN but we can't run the risk of the user specifying bad
-         * addresses here.  Well, since we're dealing with 32 bit
-         * addresses, we KNOW that access_ok() will always succeed, so
-         * this is an expensive NOP, but so what...
-         */
-        namep = compat_ptr(a32.name);
-        oldvalp = compat_ptr(a32.oldval);
-        newvalp =  compat_ptr(a32.newval);
-        if ((oldvalp && get_user(oldlen, (int __user *)compat_ptr(a32.oldlenp)))
-            || !access_ok(VERIFY_WRITE, namep, 0)
-            || !access_ok(VERIFY_WRITE, oldvalp, 0)
-            || !access_ok(VERIFY_WRITE, newvalp, 0))
-                return -EFAULT;
-        set_fs(KERNEL_DS);
-        lock_kernel();
-        ret = do_sysctl(namep, a32.nlen, oldvalp, (size_t __user *)&oldlen,
-                        newvalp, (size_t) a32.newlen);
-        unlock_kernel();
-        set_fs(old_fs);
-        if (oldvalp && put_user(oldlen, (int __user *)compat_ptr(a32.oldlenp)))
-                return -EFAULT;
-        return ret;
-}
-#endif
 /* warning: next two assume little endian */
 asmlinkage long sys32_pread(unsigned int fd, char __user *ubuf, u32 count,
                            u32 poslo, u32 poshi)
diff --git a/arch/x86/include/asm/kvm.h b/arch/x86/include/asm/kvm.h
index 4a5fe914dc59..950df434763f 100644
--- a/arch/x86/include/asm/kvm.h
+++ b/arch/x86/include/asm/kvm.h
@@ -19,6 +19,8 @@
 #define __KVM_HAVE_MSIX
 #define __KVM_HAVE_MCE
 #define __KVM_HAVE_PIT_STATE2
+#define __KVM_HAVE_XEN_HVM
+#define __KVM_HAVE_VCPU_EVENTS
 /* Architectural interrupt line count. */
 #define KVM_NR_INTERRUPTS 256
@@ -79,6 +81,7 @@ struct kvm_ioapic_state {
 #define KVM_IRQCHIP_PIC_MASTER   0
 #define KVM_IRQCHIP_PIC_SLAVE    1
 #define KVM_IRQCHIP_IOAPIC       2
+#define KVM_NR_IRQCHIPS          3
 /* for KVM_GET_REGS and KVM_SET_REGS */
 struct kvm_regs {
@@ -250,4 +253,31 @@ struct kvm_reinject_control {
        __u8 pit_reinject;
        __u8 reserved[31];
 };
+/* for KVM_GET/SET_VCPU_EVENTS */
+struct kvm_vcpu_events {
+        struct {
+                __u8 injected;
+                __u8 nr;
+                __u8 has_error_code;
+                __u8 pad;
+                __u32 error_code;
+        } exception;
+        struct {
+                __u8 injected;
+                __u8 nr;
+                __u8 soft;
+                __u8 pad;
+        } interrupt;
+        struct {
+                __u8 injected;
+                __u8 pending;
+                __u8 masked;
+                __u8 pad;
+        } nmi;
+        __u32 sipi_vector;
+        __u32 flags;
+        __u32 reserved[10];
+};
 #endif /* _ASM_X86_KVM_H */
diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index b7ed2c423116..7c18e1230f54 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -129,7 +129,7 @@ struct decode_cache {
        u8 seg_override;
        unsigned int d;
        unsigned long regs[NR_VCPU_REGS];
-        unsigned long eip;
+        unsigned long eip, eip_orig;
        /* modrm */
        u8 modrm;
        u8 modrm_mod;
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index d83892226f73..4f865e8b8540 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -354,7 +354,6 @@ struct kvm_vcpu_arch {
        unsigned int time_offset;
        struct page *time_page;
-        bool singlestep; /* guest is single stepped by KVM */
        bool nmi_pending;
        bool nmi_injected;
@@ -371,6 +370,10 @@ struct kvm_vcpu_arch {
        u64 mcg_status;
        u64 mcg_ctl;
        u64 *mce_banks;
+        /* used for guest single stepping over the given code position */
+        u16 singlestep_cs;
+        unsigned long singlestep_rip;
 };
 struct kvm_mem_alias {
@@ -397,7 +400,6 @@ struct kvm_arch{
        struct kvm_pic *vpic;
        struct kvm_ioapic *vioapic;
        struct kvm_pit *vpit;
-        struct hlist_head irq_ack_notifier_list;
        int vapics_in_nmi_mode;
        unsigned int tss_addr;
@@ -410,8 +412,10 @@ struct kvm_arch{
        gpa_t ept_identity_map_addr;
        unsigned long irq_sources_bitmap;
-        unsigned long irq_states[KVM_IOAPIC_NUM_PINS];
        u64 vm_init_tsc;
+        s64 kvmclock_offset;
+        struct kvm_xen_hvm_config xen_hvm_config;
 };
 struct kvm_vm_stat {
@@ -461,7 +465,7 @@ struct descriptor_table {
 struct kvm_x86_ops {
        int (*cpu_has_kvm_support)(void);          /* __init */
        int (*disabled_by_bios)(void);             /* __init */
-        void (*hardware_enable)(void *dummy);      /* __init */
+        int (*hardware_enable)(void *dummy);
        void (*hardware_disable)(void *dummy);
        void (*check_processor_compatibility)(void *rtn);
        int (*hardware_setup)(void);               /* __init */
@@ -477,8 +481,8 @@ struct kvm_x86_ops {
        void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu);
        void (*vcpu_put)(struct kvm_vcpu *vcpu);
-        int (*set_guest_debug)(struct kvm_vcpu *vcpu,
+        void (*set_guest_debug)(struct kvm_vcpu *vcpu,
-                               struct kvm_guest_debug *dbg);
+                                struct kvm_guest_debug *dbg);
        int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata);
        int (*set_msr)(struct kvm_vcpu *vcpu, u32 msr_index, u64 data);
        u64 (*get_segment_base)(struct kvm_vcpu *vcpu, int seg);
@@ -506,8 +510,8 @@ struct kvm_x86_ops {
        void (*tlb_flush)(struct kvm_vcpu *vcpu);
-        void (*run)(struct kvm_vcpu *vcpu, struct kvm_run *run);
+        void (*run)(struct kvm_vcpu *vcpu);
-        int (*handle_exit)(struct kvm_run *run, struct kvm_vcpu *vcpu);
+        int (*handle_exit)(struct kvm_vcpu *vcpu);
        void (*skip_emulated_instruction)(struct kvm_vcpu *vcpu);
        void (*set_interrupt_shadow)(struct kvm_vcpu *vcpu, int mask);
        u32 (*get_interrupt_shadow)(struct kvm_vcpu *vcpu, int mask);
@@ -519,6 +523,8 @@ struct kvm_x86_ops {
                                bool has_error_code, u32 error_code);
        int (*interrupt_allowed)(struct kvm_vcpu *vcpu);
        int (*nmi_allowed)(struct kvm_vcpu *vcpu);
+        bool (*get_nmi_mask)(struct kvm_vcpu *vcpu);
+        void (*set_nmi_mask)(struct kvm_vcpu *vcpu, bool masked);
        void (*enable_nmi_window)(struct kvm_vcpu *vcpu);
        void (*enable_irq_window)(struct kvm_vcpu *vcpu);
        void (*update_cr8_intercept)(struct kvm_vcpu *vcpu, int tpr, int irr);
@@ -568,7 +574,7 @@ enum emulation_result {
 #define EMULTYPE_NO_DECODE          (1 << 0)
 #define EMULTYPE_TRAP_UD            (1 << 1)
 #define EMULTYPE_SKIP               (1 << 2)
-int emulate_instruction(struct kvm_vcpu *vcpu, struct kvm_run *run,
+int emulate_instruction(struct kvm_vcpu *vcpu,
                        unsigned long cr2, u16 error_code, int emulation_type);
 void kvm_report_emulation_failure(struct kvm_vcpu *cvpu, const char *context);
 void realmode_lgdt(struct kvm_vcpu *vcpu, u16 size, unsigned long address);
@@ -585,9 +591,9 @@ int kvm_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data);
 struct x86_emulate_ctxt;
-int kvm_emulate_pio(struct kvm_vcpu *vcpu, struct kvm_run *run, int in,
+int kvm_emulate_pio(struct kvm_vcpu *vcpu, int in,
                     int size, unsigned port);
-int kvm_emulate_pio_string(struct kvm_vcpu *vcpu, struct kvm_run *run, int in,
+int kvm_emulate_pio_string(struct kvm_vcpu *vcpu, int in,
                           int size, unsigned long count, int down,
                            gva_t address, int rep, unsigned port);
 void kvm_emulate_cpuid(struct kvm_vcpu *vcpu);
@@ -616,6 +622,9 @@ void kvm_get_cs_db_l_bits(struct kvm_vcpu *vcpu, int *db, int *l);
 int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata);
 int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data);
+unsigned long kvm_get_rflags(struct kvm_vcpu *vcpu);
+void kvm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags);
 void kvm_queue_exception(struct kvm_vcpu *vcpu, unsigned nr);
 void kvm_queue_exception_e(struct kvm_vcpu *vcpu, unsigned nr, u32 error_code);
 void kvm_inject_page_fault(struct kvm_vcpu *vcpu, unsigned long cr2,
@@ -802,4 +811,7 @@ int kvm_cpu_has_interrupt(struct kvm_vcpu *vcpu);
 int kvm_arch_interrupt_allowed(struct kvm_vcpu *vcpu);
 int kvm_cpu_get_interrupt(struct kvm_vcpu *v);
+void kvm_define_shared_msr(unsigned index, u32 msr);
+void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
 #endif /* _ASM_X86_KVM_HOST_H */
diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 85574b7c1bc1..1fecb7e61130 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -57,7 +57,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
        u16 intercept_dr_write;
        u32 intercept_exceptions;
        u64 intercept;
-        u8 reserved_1[44];
+        u8 reserved_1[42];
+        u16 pause_filter_count;
        u64 iopm_base_pa;
        u64 msrpm_base_pa;
        u64 tsc_offset;
diff --git a/arch/x86/include/asm/sys_ia32.h b/arch/x86/include/asm/sys_ia32.h
index 72a6dcd1299b..9af9decb38c3 100644
--- a/arch/x86/include/asm/sys_ia32.h
+++ b/arch/x86/include/asm/sys_ia32.h
@@ -51,11 +51,6 @@ asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
 asmlinkage long sys32_rt_sigpending(compat_sigset_t __user *, compat_size_t);
 asmlinkage long sys32_rt_sigqueueinfo(int, int, compat_siginfo_t __user *);
-#ifdef CONFIG_SYSCTL_SYSCALL
-struct sysctl_ia32;
-asmlinkage long sys32_sysctl(struct sysctl_ia32 __user *);
-#endif
 asmlinkage long sys32_pread(unsigned int, char __user *, u32, u32, u32);
 asmlinkage long sys32_pwrite(unsigned int, char __user *, u32, u32, u32);
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index d27d0a2fec4c..375c917c37d2 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -83,6 +83,7 @@ struct thread_info {
 #define TIF_SYSCALL_AUDIT       7       /* syscall auditing active */
 #define TIF_SECCOMP             8       /* secure computing */
 #define TIF_MCE_NOTIFY          10      /* notify userspace of an MCE */
+#define TIF_USER_RETURN_NOTIFY  11      /* notify kernel of userspace return */
 #define TIF_NOTSC               16      /* TSC is not accessible in userland */
 #define TIF_IA32                17      /* 32bit process */
 #define TIF_FORK                18      /* ret_from_fork */
@@ -107,6 +108,7 @@ struct thread_info {
 #define _TIF_SYSCALL_AUDIT      (1 << TIF_SYSCALL_AUDIT)
 #define _TIF_SECCOMP            (1 << TIF_SECCOMP)
 #define _TIF_MCE_NOTIFY         (1 << TIF_MCE_NOTIFY)
+#define _TIF_USER_RETURN_NOTIFY (1 << TIF_USER_RETURN_NOTIFY)
 #define _TIF_NOTSC              (1 << TIF_NOTSC)
 #define _TIF_IA32               (1 << TIF_IA32)
 #define _TIF_FORK               (1 << TIF_FORK)
@@ -142,13 +144,14 @@ struct thread_info {
 /* Only used for 64 bit */
 #define _TIF_DO_NOTIFY_MASK                                             \
-        (_TIF_SIGPENDING|_TIF_MCE_NOTIFY|_TIF_NOTIFY_RESUME)
+        (_TIF_SIGPENDING | _TIF_MCE_NOTIFY | _TIF_NOTIFY_RESUME |       \
+         _TIF_USER_RETURN_NOTIFY)
 /* flags to check in __switch_to() */
 #define _TIF_WORK_CTXSW                                                 \
        (_TIF_IO_BITMAP|_TIF_DEBUGCTLMSR|_TIF_DS_AREA_MSR|_TIF_NOTSC)
-#define _TIF_WORK_CTXSW_PREV _TIF_WORK_CTXSW
+#define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
 #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW|_TIF_DEBUG)
 #define PREEMPT_ACTIVE          0x10000000
diff --git a/arch/x86/include/asm/unistd_32.h b/arch/x86/include/asm/unistd_32.h
index 6fb3c209a7e3..3baf379fa840 100644
--- a/arch/x86/include/asm/unistd_32.h
+++ b/arch/x86/include/asm/unistd_32.h
@@ -342,10 +342,11 @@
 #define __NR_pwritev            334
 #define __NR_rt_tgsigqueueinfo  335
 #define __NR_perf_event_open    336
+#define __NR_recvmmsg           337
 #ifdef __KERNEL__
-#define NR_syscalls 337
+#define NR_syscalls 338
 #define __ARCH_WANT_IPC_PARSE_VERSION
 #define __ARCH_WANT_OLD_READDIR
diff --git a/arch/x86/include/asm/unistd_64.h b/arch/x86/include/asm/unistd_64.h
index 8d3ad0adbc68..4843f7ba754a 100644
--- a/arch/x86/include/asm/unistd_64.h
+++ b/arch/x86/include/asm/unistd_64.h
@@ -661,6 +661,8 @@ __SYSCALL(__NR_pwritev, sys_pwritev)
 __SYSCALL(__NR_rt_tgsigqueueinfo, sys_rt_tgsigqueueinfo)
 #define __NR_perf_event_open                    298
 __SYSCALL(__NR_perf_event_open, sys_perf_event_open)
+#define __NR_recvmmsg                           299
+__SYSCALL(__NR_recvmmsg, sys_recvmmsg)
 #ifndef __NO_STUBS
 #define __ARCH_WANT_OLD_READDIR
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 272514c2d456..2b4945419a84 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -56,6 +56,7 @@
 #define SECONDARY_EXEC_ENABLE_VPID              0x00000020
 #define SECONDARY_EXEC_WBINVD_EXITING           0x00000040
 #define SECONDARY_EXEC_UNRESTRICTED_GUEST       0x00000080
+#define SECONDARY_EXEC_PAUSE_LOOP_EXITING       0x00000400
 #define PIN_BASED_EXT_INTR_MASK                 0x00000001
@@ -144,6 +145,8 @@ enum vmcs_field {
        VM_ENTRY_INSTRUCTION_LEN        = 0x0000401a,
        TPR_THRESHOLD                   = 0x0000401c,
        SECONDARY_VM_EXEC_CONTROL       = 0x0000401e,
+        PLE_GAP                         = 0x00004020,
+        PLE_WINDOW                      = 0x00004022,
        VM_INSTRUCTION_ERROR            = 0x00004400,
        VM_EXIT_REASON                  = 0x00004402,
        VM_EXIT_INTR_INFO               = 0x00004404,
@@ -248,6 +251,7 @@ enum vmcs_field {
 #define EXIT_REASON_MSR_READ            31
 #define EXIT_REASON_MSR_WRITE           32
 #define EXIT_REASON_MWAIT_INSTRUCTION   36
+#define EXIT_REASON_PAUSE_INSTRUCTION   40
 #define EXIT_REASON_MCE_DURING_VMENTRY   41
 #define EXIT_REASON_TPR_BELOW_THRESHOLD 43
 #define EXIT_REASON_APIC_ACCESS         44
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 744508e7cfdd..5e2ba634ea15 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -9,6 +9,7 @@
 #include <linux/pm.h>
 #include <linux/clockchips.h>
 #include <linux/random.h>
+#include <linux/user-return-notifier.h>
 #include <trace/events/power.h>
 #include <linux/hw_breakpoint.h>
 #include <asm/system.h>
@@ -209,6 +210,7 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
                 */
                memset(tss->io_bitmap, 0xff, prev->io_bitmap_max);
        }
+        propagate_user_return_notify(prev_p, next_p);
 }
 int sys_fork(struct pt_regs *regs)
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index fbf3b07c8567..74fe6d86dc5d 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -19,6 +19,7 @@
 #include <linux/stddef.h>
 #include <linux/personality.h>
 #include <linux/uaccess.h>
+#include <linux/user-return-notifier.h>
 #include <asm/processor.h>
 #include <asm/ucontext.h>
@@ -863,6 +864,8 @@ do_notify_resume(struct pt_regs *regs, void *unused, __u32 thread_info_flags)
                if (current->replacement_session_keyring)
                        key_replace_session_keyring();
        }
+        if (thread_info_flags & _TIF_USER_RETURN_NOTIFY)
+                fire_user_return_notifiers();
 #ifdef CONFIG_X86_32
        clear_thread_flag(TIF_IRET);
diff --git a/arch/x86/kernel/syscall_table_32.S b/arch/x86/kernel/syscall_table_32.S
index 0157cd26d7cc..70c2125d55b9 100644
--- a/arch/x86/kernel/syscall_table_32.S
+++ b/arch/x86/kernel/syscall_table_32.S
@@ -336,3 +336,4 @@ ENTRY(sys_call_table)
        .long sys_pwritev
        .long sys_rt_tgsigqueueinfo     /* 335 */
        .long sys_perf_event_open
+        .long sys_recvmmsg
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index 8cb4974ff599..e02d92d12bcd 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -237,7 +237,7 @@ static ctl_table kernel_table2[] = {
 };
 static ctl_table kernel_root_table2[] = {
-        { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
+        { .procname = "kernel", .mode = 0555,
          .child = kernel_table2 },
        {}
 };
diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index b84e571f4175..4cd498332466 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -28,6 +28,7 @@ config KVM
        select HAVE_KVM_IRQCHIP
        select HAVE_KVM_EVENTFD
        select KVM_APIC_ARCHITECTURE
+        select USER_RETURN_NOTIFIER
        ---help---
          Support hosting fully virtualized guest machines using hardware
          virtualization extensions.  You will need a fairly recent
diff --git a/arch/x86/kvm/Makefile b/arch/x86/kvm/Makefile
index 0e7fe78d0f74..31a7035c4bd9 100644
--- a/arch/x86/kvm/Makefile
+++ b/arch/x86/kvm/Makefile
@@ -6,7 +6,8 @@ CFLAGS_svm.o := -I.
 CFLAGS_vmx.o := -I.
 kvm-y                   += $(addprefix ../../../virt/kvm/, kvm_main.o ioapic.o \
-                                coalesced_mmio.o irq_comm.o eventfd.o)
+                                coalesced_mmio.o irq_comm.o eventfd.o \
+                                assigned-dev.o)
 kvm-$(CONFIG_IOMMU_API) += $(addprefix ../../../virt/kvm/, iommu.o)
 kvm-y                   += x86.o mmu.o emulate.o i8259.o irq.o lapic.o \
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 1be5cd640e93..7e8faea4651e 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -75,6 +75,8 @@
 #define Group       (1<<14)     /* Bits 3:5 of modrm byte extend opcode */
 #define GroupDual   (1<<15)     /* Alternate decoding of mod == 3 */
 #define GroupMask   0xff        /* Group number stored in bits 0:7 */
+/* Misc flags */
+#define No64        (1<<28)
 /* Source 2 operand type */
 #define Src2None    (0<<29)
 #define Src2CL      (1<<29)
@@ -92,19 +94,23 @@ static u32 opcode_table[256] = {
        /* 0x00 - 0x07 */
        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm, 0, 0,
+        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
+        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
        /* 0x08 - 0x0F */
        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        0, 0, 0, 0,
+        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
+        ImplicitOps | Stack | No64, 0,
        /* 0x10 - 0x17 */
        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm, 0, 0,
+        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
+        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
        /* 0x18 - 0x1F */
        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm, 0, 0,
+        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
+        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
        /* 0x20 - 0x27 */
        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
@@ -133,7 +139,8 @@ static u32 opcode_table[256] = {
        DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
        DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
        /* 0x60 - 0x67 */
-        0, 0, 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
+        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
+        0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
        0, 0, 0, 0,
        /* 0x68 - 0x6F */
        SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
@@ -158,7 +165,7 @@ static u32 opcode_table[256] = {
        /* 0x90 - 0x97 */
        DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
        /* 0x98 - 0x9F */
-        0, 0, SrcImm | Src2Imm16, 0,
+        0, 0, SrcImm | Src2Imm16 | No64, 0,
        ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
        /* 0xA0 - 0xA7 */
        ByteOp | DstReg | SrcMem | Mov | MemAbs, DstReg | SrcMem | Mov | MemAbs,
@@ -185,7 +192,7 @@ static u32 opcode_table[256] = {
        ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
        /* 0xC8 - 0xCF */
        0, 0, 0, ImplicitOps | Stack,
-        ImplicitOps, SrcImmByte, ImplicitOps, ImplicitOps,
+        ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
        /* 0xD0 - 0xD7 */
        ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
        ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
@@ -198,7 +205,7 @@ static u32 opcode_table[256] = {
        ByteOp | SrcImmUByte, SrcImmUByte,
        /* 0xE8 - 0xEF */
        SrcImm | Stack, SrcImm | ImplicitOps,
-        SrcImmU | Src2Imm16, SrcImmByte | ImplicitOps,
+        SrcImmU | Src2Imm16 | No64, SrcImmByte | ImplicitOps,
        SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
        SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
        /* 0xF0 - 0xF7 */
@@ -244,11 +251,13 @@ static u32 twobyte_table[256] = {
        /* 0x90 - 0x9F */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        /* 0xA0 - 0xA7 */
-        0, 0, 0, DstMem | SrcReg | ModRM | BitOp,
+        ImplicitOps | Stack, ImplicitOps | Stack,
+        0, DstMem | SrcReg | ModRM | BitOp,
        DstMem | SrcReg | Src2ImmByte | ModRM,
        DstMem | SrcReg | Src2CL | ModRM, 0, 0,
        /* 0xA8 - 0xAF */
-        0, 0, 0, DstMem | SrcReg | ModRM | BitOp,
+        ImplicitOps | Stack, ImplicitOps | Stack,
+        0, DstMem | SrcReg | ModRM | BitOp,
        DstMem | SrcReg | Src2ImmByte | ModRM,
        DstMem | SrcReg | Src2CL | ModRM,
        ModRM, 0,
@@ -613,6 +622,9 @@ static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
 {
        int rc = 0;
+        /* x86 instructions are limited to 15 bytes. */
+        if (eip + size - ctxt->decode.eip_orig > 15)
+                return X86EMUL_UNHANDLEABLE;
        eip += ctxt->cs_base;
        while (size--) {
                rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
@@ -871,7 +883,7 @@ x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        /* Shadow copy of register state. Committed on successful emulation. */
        memset(c, 0, sizeof(struct decode_cache));
-        c->eip = kvm_rip_read(ctxt->vcpu);
+        c->eip = c->eip_orig = kvm_rip_read(ctxt->vcpu);
        ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
        memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
@@ -962,6 +974,11 @@ done_prefixes:
                }
        }
+        if (mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
+                kvm_report_emulation_failure(ctxt->vcpu, "invalid x86/64 instruction");;
+                return -1;
+        }
        if (c->d & Group) {
                group = c->d & GroupMask;
                c->modrm = insn_fetch(u8, 1, c->eip);
@@ -1186,6 +1203,69 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
        return rc;
 }
+static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
+{
+        struct decode_cache *c = &ctxt->decode;
+        struct kvm_segment segment;
+        kvm_x86_ops->get_segment(ctxt->vcpu, &segment, seg);
+        c->src.val = segment.selector;
+        emulate_push(ctxt);
+}
+static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
+                             struct x86_emulate_ops *ops, int seg)
+{
+        struct decode_cache *c = &ctxt->decode;
+        unsigned long selector;
+        int rc;
+        rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
+        if (rc != 0)
+                return rc;
+        rc = kvm_load_segment_descriptor(ctxt->vcpu, (u16)selector, 1, seg);
+        return rc;
+}
+static void emulate_pusha(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        unsigned long old_esp = c->regs[VCPU_REGS_RSP];
+        int reg = VCPU_REGS_RAX;
+        while (reg <= VCPU_REGS_RDI) {
+                (reg == VCPU_REGS_RSP) ?
+                (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
+                emulate_push(ctxt);
+                ++reg;
+        }
+}
+static int emulate_popa(struct x86_emulate_ctxt *ctxt,
+                        struct x86_emulate_ops *ops)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int rc = 0;
+        int reg = VCPU_REGS_RDI;
+        while (reg >= VCPU_REGS_RAX) {
+                if (reg == VCPU_REGS_RSP) {
+                        register_address_increment(c, &c->regs[VCPU_REGS_RSP],
+                                                        c->op_bytes);
+                        --reg;
+                }
+                rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
+                if (rc != 0)
+                        break;
+                --reg;
+        }
+        return rc;
+}
 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
                                struct x86_emulate_ops *ops)
 {
@@ -1707,18 +1787,45 @@ special_insn:
              add:              /* add */
                emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
                break;
+        case 0x06:              /* push es */
+                emulate_push_sreg(ctxt, VCPU_SREG_ES);
+                break;
+        case 0x07:              /* pop es */
+                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
+                if (rc != 0)
+                        goto done;
+                break;
        case 0x08 ... 0x0d:
              or:               /* or */
                emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
                break;
+        case 0x0e:              /* push cs */
+                emulate_push_sreg(ctxt, VCPU_SREG_CS);
+                break;
        case 0x10 ... 0x15:
              adc:              /* adc */
                emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
                break;
+        case 0x16:              /* push ss */
+                emulate_push_sreg(ctxt, VCPU_SREG_SS);
+                break;
+        case 0x17:              /* pop ss */
+                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
+                if (rc != 0)
+                        goto done;
+                break;
        case 0x18 ... 0x1d:
              sbb:              /* sbb */
                emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
                break;
+        case 0x1e:              /* push ds */
+                emulate_push_sreg(ctxt, VCPU_SREG_DS);
+                break;
+        case 0x1f:              /* pop ds */
+                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
+                if (rc != 0)
+                        goto done;
+                break;
        case 0x20 ... 0x25:
              and:              /* and */
                emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
@@ -1750,6 +1857,14 @@ special_insn:
                if (rc != 0)
                        goto done;
                break;
+        case 0x60:      /* pusha */
+                emulate_pusha(ctxt);
+                break;
+        case 0x61:      /* popa */
+                rc = emulate_popa(ctxt, ops);
+                if (rc != 0)
+                        goto done;
+                break;
        case 0x63:              /* movsxd */
                if (ctxt->mode != X86EMUL_MODE_PROT64)
                        goto cannot_emulate;
@@ -1761,7 +1876,7 @@ special_insn:
                break;
        case 0x6c:              /* insb */
        case 0x6d:              /* insw/insd */
-                 if (kvm_emulate_pio_string(ctxt->vcpu, NULL,
+                 if (kvm_emulate_pio_string(ctxt->vcpu,
                                1,
                                (c->d & ByteOp) ? 1 : c->op_bytes,
                                c->rep_prefix ?
@@ -1777,7 +1892,7 @@ special_insn:
                return 0;
        case 0x6e:              /* outsb */
        case 0x6f:              /* outsw/outsd */
-                if (kvm_emulate_pio_string(ctxt->vcpu, NULL,
+                if (kvm_emulate_pio_string(ctxt->vcpu,
                                0,
                                (c->d & ByteOp) ? 1 : c->op_bytes,
                                c->rep_prefix ?
@@ -2070,7 +2185,7 @@ special_insn:
        case 0xef: /* out (e/r)ax,dx */
                port = c->regs[VCPU_REGS_RDX];
                io_dir_in = 0;
-        do_io:  if (kvm_emulate_pio(ctxt->vcpu, NULL, io_dir_in,
+        do_io:  if (kvm_emulate_pio(ctxt->vcpu, io_dir_in,
                                   (c->d & ByteOp) ? 1 : c->op_bytes,
                                   port) != 0) {
                        c->eip = saved_eip;
@@ -2297,6 +2412,14 @@ twobyte_insn:
                        jmp_rel(c, c->src.val);
                c->dst.type = OP_NONE;
                break;
+        case 0xa0:        /* push fs */
+                emulate_push_sreg(ctxt, VCPU_SREG_FS);
+                break;
+        case 0xa1:       /* pop fs */
+                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
+                if (rc != 0)
+                        goto done;
+                break;
        case 0xa3:
              bt:               /* bt */
                c->dst.type = OP_NONE;
@@ -2308,6 +2431,14 @@ twobyte_insn:
        case 0xa5: /* shld cl, r, r/m */
                emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
                break;
+        case 0xa8:      /* push gs */
+                emulate_push_sreg(ctxt, VCPU_SREG_GS);
+                break;
+        case 0xa9:      /* pop gs */
+                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
+                if (rc != 0)
+                        goto done;
+                break;
        case 0xab:
              bts:              /* bts */
                /* only subword offset */
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 144e7f60b5e2..fab7440c9bb2 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -688,10 +688,8 @@ static void __inject_pit_timer_intr(struct kvm *kvm)
        struct kvm_vcpu *vcpu;
        int i;
-        mutex_lock(&kvm->irq_lock);
        kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 1);
        kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 0);
-        mutex_unlock(&kvm->irq_lock);
        /*
         * Provides NMI watchdog support via Virtual Wire mode.
diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c
index 01f151682802..d057c0cbd245 100644
--- a/arch/x86/kvm/i8259.c
+++ b/arch/x86/kvm/i8259.c
@@ -38,7 +38,15 @@ static void pic_clear_isr(struct kvm_kpic_state *s, int irq)
        s->isr_ack |= (1 << irq);
        if (s != &s->pics_state->pics[0])
                irq += 8;
+        /*
+         * We are dropping lock while calling ack notifiers since ack
+         * notifier callbacks for assigned devices call into PIC recursively.
+         * Other interrupt may be delivered to PIC while lock is dropped but
+         * it should be safe since PIC state is already updated at this stage.
+         */
+        spin_unlock(&s->pics_state->lock);
        kvm_notify_acked_irq(s->pics_state->kvm, SELECT_PIC(irq), irq);
+        spin_lock(&s->pics_state->lock);
 }
 void kvm_pic_clear_isr_ack(struct kvm *kvm)
@@ -176,16 +184,18 @@ int kvm_pic_set_irq(void *opaque, int irq, int level)
 static inline void pic_intack(struct kvm_kpic_state *s, int irq)
 {
        s->isr |= 1 << irq;
-        if (s->auto_eoi) {
-                if (s->rotate_on_auto_eoi)
-                        s->priority_add = (irq + 1) & 7;
-                pic_clear_isr(s, irq);
-        }
        /*
         * We don't clear a level sensitive interrupt here
         */
        if (!(s->elcr & (1 << irq)))
                s->irr &= ~(1 << irq);
+        if (s->auto_eoi) {
+                if (s->rotate_on_auto_eoi)
+                        s->priority_add = (irq + 1) & 7;
+                pic_clear_isr(s, irq);
+        }
 }
 int kvm_pic_read_irq(struct kvm *kvm)
@@ -225,22 +235,11 @@ int kvm_pic_read_irq(struct kvm *kvm)
 void kvm_pic_reset(struct kvm_kpic_state *s)
 {
-        int irq, irqbase, n;
+        int irq;
        struct kvm *kvm = s->pics_state->irq_request_opaque;
        struct kvm_vcpu *vcpu0 = kvm->bsp_vcpu;
+        u8 irr = s->irr, isr = s->imr;
-        if (s == &s->pics_state->pics[0])
-                irqbase = 0;
-        else
-                irqbase = 8;
-        for (irq = 0; irq < PIC_NUM_PINS/2; irq++) {
-                if (vcpu0 && kvm_apic_accept_pic_intr(vcpu0))
-                        if (s->irr & (1 << irq) || s->isr & (1 << irq)) {
-                                n = irq + irqbase;
-                                kvm_notify_acked_irq(kvm, SELECT_PIC(n), n);
-                        }
-        }
        s->last_irr = 0;
        s->irr = 0;
        s->imr = 0;
@@ -256,6 +255,13 @@ void kvm_pic_reset(struct kvm_kpic_state *s)
        s->rotate_on_auto_eoi = 0;
        s->special_fully_nested_mode = 0;
        s->init4 = 0;
+        for (irq = 0; irq < PIC_NUM_PINS/2; irq++) {
+                if (vcpu0 && kvm_apic_accept_pic_intr(vcpu0))
+                        if (irr & (1 << irq) || isr & (1 << irq)) {
+                                pic_clear_isr(s, irq);
+                        }
+        }
 }
 static void pic_ioport_write(void *opaque, u32 addr, u32 val)
@@ -298,9 +304,9 @@ static void pic_ioport_write(void *opaque, u32 addr, u32 val)
                                priority = get_priority(s, s->isr);
                                if (priority != 8) {
                                        irq = (priority + s->priority_add) & 7;
-                                        pic_clear_isr(s, irq);
                                        if (cmd == 5)
                                                s->priority_add = (irq + 1) & 7;
+                                        pic_clear_isr(s, irq);
                                        pic_update_irq(s->pics_state);
                                }
                                break;
diff --git a/arch/x86/kvm/irq.h b/arch/x86/kvm/irq.h
index 7d6058a2fd38..be399e207d57 100644
--- a/arch/x86/kvm/irq.h
+++ b/arch/x86/kvm/irq.h
@@ -71,6 +71,7 @@ struct kvm_pic {
        int output;             /* intr from master PIC */
        struct kvm_io_device dev;
        void (*ack_notifier)(void *opaque, int irq);
+        unsigned long irq_states[16];
 };
 struct kvm_pic *kvm_create_pic(struct kvm *kvm);
@@ -85,7 +86,11 @@ static inline struct kvm_pic *pic_irqchip(struct kvm *kvm)
 static inline int irqchip_in_kernel(struct kvm *kvm)
 {
-        return pic_irqchip(kvm) != NULL;
+        int ret;
+        ret = (pic_irqchip(kvm) != NULL);
+        smp_rmb();
+        return ret;
 }
 void kvm_pic_reset(struct kvm_kpic_state *s);
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 23c217692ea9..cd60c0bd1b32 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -32,7 +32,6 @@
 #include <asm/current.h>
 #include <asm/apicdef.h>
 #include <asm/atomic.h>
-#include <asm/apicdef.h>
 #include "kvm_cache_regs.h"
 #include "irq.h"
 #include "trace.h"
@@ -471,11 +470,8 @@ static void apic_set_eoi(struct kvm_lapic *apic)
                trigger_mode = IOAPIC_LEVEL_TRIG;
        else
                trigger_mode = IOAPIC_EDGE_TRIG;
-        if (!(apic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI)) {
+        if (!(apic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI))
-                mutex_lock(&apic->vcpu->kvm->irq_lock);
                kvm_ioapic_update_eoi(apic->vcpu->kvm, vector, trigger_mode);
-                mutex_unlock(&apic->vcpu->kvm->irq_lock);
-        }
 }
 static void apic_send_ipi(struct kvm_lapic *apic)
@@ -504,9 +500,7 @@ static void apic_send_ipi(struct kvm_lapic *apic)
                   irq.trig_mode, irq.level, irq.dest_mode, irq.delivery_mode,
                   irq.vector);
-        mutex_lock(&apic->vcpu->kvm->irq_lock);
        kvm_irq_delivery_to_apic(apic->vcpu->kvm, apic, &irq);
-        mutex_unlock(&apic->vcpu->kvm->irq_lock);
 }
 static u32 apic_get_tmcct(struct kvm_lapic *apic)
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 818b92ad82cf..4c3e5b2314cb 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -2789,7 +2789,7 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u32 error_code)
        if (r)
                goto out;
-        er = emulate_instruction(vcpu, vcpu->run, cr2, error_code, 0);
+        er = emulate_instruction(vcpu, cr2, error_code, 0);
        switch (er) {
        case EMULATE_DONE:
@@ -2800,6 +2800,7 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u32 error_code)
        case EMULATE_FAIL:
                vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
                vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+                vcpu->run->internal.ndata = 0;
                return 0;
        default:
                BUG();
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 72558f8ff3f5..a6017132fba8 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -467,7 +467,6 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
                level = iterator.level;
                sptep = iterator.sptep;
-                /* FIXME: properly handle invlpg on large guest pages */
                if (level == PT_PAGE_TABLE_LEVEL  ||
                    ((level == PT_DIRECTORY_LEVEL && is_large_pte(*sptep))) ||
                    ((level == PT_PDPE_LEVEL && is_large_pte(*sptep)))) {
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index c17404add91f..3de0b37ec038 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -46,6 +46,7 @@ MODULE_LICENSE("GPL");
 #define SVM_FEATURE_NPT  (1 << 0)
 #define SVM_FEATURE_LBRV (1 << 1)
 #define SVM_FEATURE_SVML (1 << 2)
+#define SVM_FEATURE_PAUSE_FILTER (1 << 10)
 #define NESTED_EXIT_HOST        0       /* Exit handled on host level */
 #define NESTED_EXIT_DONE        1       /* Exit caused nested vmexit  */
@@ -53,15 +54,6 @@ MODULE_LICENSE("GPL");
 #define DEBUGCTL_RESERVED_BITS (~(0x3fULL))
-/* Turn on to get debugging output*/
-/* #define NESTED_DEBUG */
-#ifdef NESTED_DEBUG
-#define nsvm_printk(fmt, args...) printk(KERN_INFO fmt, ## args)
-#else
-#define nsvm_printk(fmt, args...) do {} while(0)
-#endif
 static const u32 host_save_user_msrs[] = {
 #ifdef CONFIG_X86_64
        MSR_STAR, MSR_LSTAR, MSR_CSTAR, MSR_SYSCALL_MASK, MSR_KERNEL_GS_BASE,
@@ -85,6 +77,9 @@ struct nested_state {
        /* gpa pointers to the real vectors */
        u64 vmcb_msrpm;
+        /* A VMEXIT is required but not yet emulated */
+        bool exit_required;
        /* cache for intercepts of the guest */
        u16 intercept_cr_read;
        u16 intercept_cr_write;
@@ -112,6 +107,8 @@ struct vcpu_svm {
        u32 *msrpm;
        struct nested_state nested;
+        bool nmi_singlestep;
 };
 /* enable NPT for AMD64 and X86 with PAE */
@@ -286,7 +283,7 @@ static void skip_emulated_instruction(struct kvm_vcpu *vcpu)
        struct vcpu_svm *svm = to_svm(vcpu);
        if (!svm->next_rip) {
-                if (emulate_instruction(vcpu, vcpu->run, 0, 0, EMULTYPE_SKIP) !=
+                if (emulate_instruction(vcpu, 0, 0, EMULTYPE_SKIP) !=
                                EMULATE_DONE)
                        printk(KERN_DEBUG "%s: NOP\n", __func__);
                return;
@@ -316,7 +313,7 @@ static void svm_hardware_disable(void *garbage)
        cpu_svm_disable();
 }
-static void svm_hardware_enable(void *garbage)
+static int svm_hardware_enable(void *garbage)
 {
        struct svm_cpu_data *svm_data;
@@ -325,16 +322,21 @@ static void svm_hardware_enable(void *garbage)
        struct desc_struct *gdt;
        int me = raw_smp_processor_id();
+        rdmsrl(MSR_EFER, efer);
+        if (efer & EFER_SVME)
+                return -EBUSY;
        if (!has_svm()) {
-                printk(KERN_ERR "svm_cpu_init: err EOPNOTSUPP on %d\n", me);
+                printk(KERN_ERR "svm_hardware_enable: err EOPNOTSUPP on %d\n",
-                return;
+                       me);
+                return -EINVAL;
        }
        svm_data = per_cpu(svm_data, me);
        if (!svm_data) {
-                printk(KERN_ERR "svm_cpu_init: svm_data is NULL on %d\n",
+                printk(KERN_ERR "svm_hardware_enable: svm_data is NULL on %d\n",
                       me);
-                return;
+                return -EINVAL;
        }
        svm_data->asid_generation = 1;
@@ -345,11 +347,12 @@ static void svm_hardware_enable(void *garbage)
        gdt = (struct desc_struct *)gdt_descr.base;
        svm_data->tss_desc = (struct kvm_ldttss_desc *)(gdt + GDT_ENTRY_TSS);
-        rdmsrl(MSR_EFER, efer);
        wrmsrl(MSR_EFER, efer | EFER_SVME);
        wrmsrl(MSR_VM_HSAVE_PA,
               page_to_pfn(svm_data->save_area) << PAGE_SHIFT);
+        return 0;
 }
 static void svm_cpu_uninit(int cpu)
@@ -476,7 +479,7 @@ static __init int svm_hardware_setup(void)
                kvm_enable_efer_bits(EFER_SVME);
        }
-        for_each_online_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                r = svm_cpu_init(cpu);
                if (r)
                        goto err;
@@ -510,7 +513,7 @@ static __exit void svm_hardware_unsetup(void)
 {
        int cpu;
-        for_each_online_cpu(cpu)
+        for_each_possible_cpu(cpu)
                svm_cpu_uninit(cpu);
        __free_pages(pfn_to_page(iopm_base >> PAGE_SHIFT), IOPM_ALLOC_ORDER);
@@ -625,11 +628,12 @@ static void init_vmcb(struct vcpu_svm *svm)
        save->rip = 0x0000fff0;
        svm->vcpu.arch.regs[VCPU_REGS_RIP] = save->rip;
-        /*
+        /* This is the guest-visible cr0 value.
-         * cr0 val on cpu init should be 0x60000010, we enable cpu
+         * svm_set_cr0() sets PG and WP and clears NW and CD on save->cr0.
-         * cache by default. the orderly way is to enable cache in bios.
         */
-        save->cr0 = 0x00000010 | X86_CR0_PG | X86_CR0_WP;
+        svm->vcpu.arch.cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
+        kvm_set_cr0(&svm->vcpu, svm->vcpu.arch.cr0);
        save->cr4 = X86_CR4_PAE;
        /* rdx = ?? */
@@ -644,8 +648,6 @@ static void init_vmcb(struct vcpu_svm *svm)
                control->intercept_cr_write &= ~(INTERCEPT_CR0_MASK|
                                                 INTERCEPT_CR3_MASK);
                save->g_pat = 0x0007040600070406ULL;
-                /* enable caching because the QEMU Bios doesn't enable it */
-                save->cr0 = X86_CR0_ET;
                save->cr3 = 0;
                save->cr4 = 0;
        }
@@ -654,6 +656,11 @@ static void init_vmcb(struct vcpu_svm *svm)
        svm->nested.vmcb = 0;
        svm->vcpu.arch.hflags = 0;
+        if (svm_has(SVM_FEATURE_PAUSE_FILTER)) {
+                control->pause_filter_count = 3000;
+                control->intercept |= (1ULL << INTERCEPT_PAUSE);
+        }
        enable_gif(svm);
 }
@@ -758,14 +765,13 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
        int i;
        if (unlikely(cpu != vcpu->cpu)) {
-                u64 tsc_this, delta;
+                u64 delta;
                /*
                 * Make sure that the guest sees a monotonically
                 * increasing TSC.
                 */
-                rdtscll(tsc_this);
+                delta = vcpu->arch.host_tsc - native_read_tsc();
-                delta = vcpu->arch.host_tsc - tsc_this;
                svm->vmcb->control.tsc_offset += delta;
                if (is_nested(svm))
                        svm->nested.hsave->control.tsc_offset += delta;
@@ -787,7 +793,7 @@ static void svm_vcpu_put(struct kvm_vcpu *vcpu)
        for (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)
                wrmsrl(host_save_user_msrs[i], svm->host_user_msrs[i]);
-        rdtscll(vcpu->arch.host_tsc);
+        vcpu->arch.host_tsc = native_read_tsc();
 }
 static unsigned long svm_get_rflags(struct kvm_vcpu *vcpu)
@@ -1045,7 +1051,7 @@ static void update_db_intercept(struct kvm_vcpu *vcpu)
        svm->vmcb->control.intercept_exceptions &=
                ~((1 << DB_VECTOR) | (1 << BP_VECTOR));
-        if (vcpu->arch.singlestep)
+        if (svm->nmi_singlestep)
                svm->vmcb->control.intercept_exceptions |= (1 << DB_VECTOR);
        if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
@@ -1060,26 +1066,16 @@ static void update_db_intercept(struct kvm_vcpu *vcpu)
                vcpu->guest_debug = 0;
 }
-static int svm_guest_debug(struct kvm_vcpu *vcpu, struct kvm_guest_debug *dbg)
+static void svm_guest_debug(struct kvm_vcpu *vcpu, struct kvm_guest_debug *dbg)
 {
-        int old_debug = vcpu->guest_debug;
        struct vcpu_svm *svm = to_svm(vcpu);
-        vcpu->guest_debug = dbg->control;
-        update_db_intercept(vcpu);
        if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)
                svm->vmcb->save.dr7 = dbg->arch.debugreg[7];
        else
                svm->vmcb->save.dr7 = vcpu->arch.dr7;
-        if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
+        update_db_intercept(vcpu);
-                svm->vmcb->save.rflags |= X86_EFLAGS_TF | X86_EFLAGS_RF;
-        else if (old_debug & KVM_GUESTDBG_SINGLESTEP)
-                svm->vmcb->save.rflags &= ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-        return 0;
 }
 static void load_host_msrs(struct kvm_vcpu *vcpu)
@@ -1180,7 +1176,7 @@ static void svm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long value,
        }
 }
-static int pf_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int pf_interception(struct vcpu_svm *svm)
 {
        u64 fault_address;
        u32 error_code;
@@ -1194,17 +1190,19 @@ static int pf_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return kvm_mmu_page_fault(&svm->vcpu, fault_address, error_code);
 }
-static int db_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int db_interception(struct vcpu_svm *svm)
 {
+        struct kvm_run *kvm_run = svm->vcpu.run;
        if (!(svm->vcpu.guest_debug &
              (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) &&
-                !svm->vcpu.arch.singlestep) {
+                !svm->nmi_singlestep) {
                kvm_queue_exception(&svm->vcpu, DB_VECTOR);
                return 1;
        }
-        if (svm->vcpu.arch.singlestep) {
+        if (svm->nmi_singlestep) {
-                svm->vcpu.arch.singlestep = false;
+                svm->nmi_singlestep = false;
                if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
                        svm->vmcb->save.rflags &=
                                ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
@@ -1223,25 +1221,27 @@ static int db_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int bp_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int bp_interception(struct vcpu_svm *svm)
 {
+        struct kvm_run *kvm_run = svm->vcpu.run;
        kvm_run->exit_reason = KVM_EXIT_DEBUG;
        kvm_run->debug.arch.pc = svm->vmcb->save.cs.base + svm->vmcb->save.rip;
        kvm_run->debug.arch.exception = BP_VECTOR;
        return 0;
 }
-static int ud_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int ud_interception(struct vcpu_svm *svm)
 {
        int er;
-        er = emulate_instruction(&svm->vcpu, kvm_run, 0, 0, EMULTYPE_TRAP_UD);
+        er = emulate_instruction(&svm->vcpu, 0, 0, EMULTYPE_TRAP_UD);
        if (er != EMULATE_DONE)
                kvm_queue_exception(&svm->vcpu, UD_VECTOR);
        return 1;
 }
-static int nm_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int nm_interception(struct vcpu_svm *svm)
 {
        svm->vmcb->control.intercept_exceptions &= ~(1 << NM_VECTOR);
        if (!(svm->vcpu.arch.cr0 & X86_CR0_TS))
@@ -1251,7 +1251,7 @@ static int nm_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int mc_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int mc_interception(struct vcpu_svm *svm)
 {
        /*
         * On an #MC intercept the MCE handler is not called automatically in
@@ -1264,8 +1264,10 @@ static int mc_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int shutdown_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int shutdown_interception(struct vcpu_svm *svm)
 {
+        struct kvm_run *kvm_run = svm->vcpu.run;
        /*
         * VMCB is undefined after a SHUTDOWN intercept
         * so reinitialize it.
@@ -1277,7 +1279,7 @@ static int shutdown_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 0;
 }
-static int io_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int io_interception(struct vcpu_svm *svm)
 {
        u32 io_info = svm->vmcb->control.exit_info_1; /* address size bug? */
        int size, in, string;
@@ -1291,7 +1293,7 @@ static int io_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        if (string) {
                if (emulate_instruction(&svm->vcpu,
-                                        kvm_run, 0, 0, 0) == EMULATE_DO_MMIO)
+                                        0, 0, 0) == EMULATE_DO_MMIO)
                        return 0;
                return 1;
        }
@@ -1301,33 +1303,33 @@ static int io_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        size = (io_info & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT;
        skip_emulated_instruction(&svm->vcpu);
-        return kvm_emulate_pio(&svm->vcpu, kvm_run, in, size, port);
+        return kvm_emulate_pio(&svm->vcpu, in, size, port);
 }
-static int nmi_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int nmi_interception(struct vcpu_svm *svm)
 {
        return 1;
 }
-static int intr_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int intr_interception(struct vcpu_svm *svm)
 {
        ++svm->vcpu.stat.irq_exits;
        return 1;
 }
-static int nop_on_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int nop_on_interception(struct vcpu_svm *svm)
 {
        return 1;
 }
-static int halt_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int halt_interception(struct vcpu_svm *svm)
 {
        svm->next_rip = kvm_rip_read(&svm->vcpu) + 1;
        skip_emulated_instruction(&svm->vcpu);
        return kvm_emulate_halt(&svm->vcpu);
 }
-static int vmmcall_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int vmmcall_interception(struct vcpu_svm *svm)
 {
        svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
        skip_emulated_instruction(&svm->vcpu);
@@ -1378,8 +1380,15 @@ static inline int nested_svm_intr(struct vcpu_svm *svm)
        svm->vmcb->control.exit_code = SVM_EXIT_INTR;
-        if (nested_svm_exit_handled(svm)) {
+        if (svm->nested.intercept & 1ULL) {
-                nsvm_printk("VMexit -> INTR\n");
+                /*
+                 * The #vmexit can't be emulated here directly because this
+                 * code path runs with irqs and preemtion disabled. A
+                 * #vmexit emulation might sleep. Only signal request for
+                 * the #vmexit here.
+                 */
+                svm->nested.exit_required = true;
+                trace_kvm_nested_intr_vmexit(svm->vmcb->save.rip);
                return 1;
        }
@@ -1390,10 +1399,7 @@ static void *nested_svm_map(struct vcpu_svm *svm, u64 gpa, enum km_type idx)
 {
        struct page *page;
-        down_read(&current->mm->mmap_sem);
        page = gfn_to_page(svm->vcpu.kvm, gpa >> PAGE_SHIFT);
-        up_read(&current->mm->mmap_sem);
        if (is_error_page(page))
                goto error;
@@ -1532,14 +1538,12 @@ static int nested_svm_exit_handled(struct vcpu_svm *svm)
        }
        default: {
                u64 exit_bits = 1ULL << (exit_code - SVM_EXIT_INTR);
-                nsvm_printk("exit code: 0x%x\n", exit_code);
                if (svm->nested.intercept & exit_bits)
                        vmexit = NESTED_EXIT_DONE;
        }
        }
        if (vmexit == NESTED_EXIT_DONE) {
-                nsvm_printk("#VMEXIT reason=%04x\n", exit_code);
                nested_svm_vmexit(svm);
        }
@@ -1584,6 +1588,12 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        struct vmcb *hsave = svm->nested.hsave;
        struct vmcb *vmcb = svm->vmcb;
+        trace_kvm_nested_vmexit_inject(vmcb->control.exit_code,
+                                       vmcb->control.exit_info_1,
+                                       vmcb->control.exit_info_2,
+                                       vmcb->control.exit_int_info,
+                                       vmcb->control.exit_int_info_err);
        nested_vmcb = nested_svm_map(svm, svm->nested.vmcb, KM_USER0);
        if (!nested_vmcb)
                return 1;
@@ -1617,6 +1627,22 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        nested_vmcb->control.exit_info_2       = vmcb->control.exit_info_2;
        nested_vmcb->control.exit_int_info     = vmcb->control.exit_int_info;
        nested_vmcb->control.exit_int_info_err = vmcb->control.exit_int_info_err;
+        /*
+         * If we emulate a VMRUN/#VMEXIT in the same host #vmexit cycle we have
+         * to make sure that we do not lose injected events. So check event_inj
+         * here and copy it to exit_int_info if it is valid.
+         * Exit_int_info and event_inj can't be both valid because the case
+         * below only happens on a VMRUN instruction intercept which has
+         * no valid exit_int_info set.
+         */
+        if (vmcb->control.event_inj & SVM_EVTINJ_VALID) {
+                struct vmcb_control_area *nc = &nested_vmcb->control;
+                nc->exit_int_info     = vmcb->control.event_inj;
+                nc->exit_int_info_err = vmcb->control.event_inj_err;
+        }
        nested_vmcb->control.tlb_ctl           = 0;
        nested_vmcb->control.event_inj         = 0;
        nested_vmcb->control.event_inj_err     = 0;
@@ -1628,10 +1654,6 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        /* Restore the original control entries */
        copy_vmcb_control_area(vmcb, hsave);
-        /* Kill any pending exceptions */
-        if (svm->vcpu.arch.exception.pending == true)
-                nsvm_printk("WARNING: Pending Exception\n");
        kvm_clear_exception_queue(&svm->vcpu);
        kvm_clear_interrupt_queue(&svm->vcpu);
@@ -1702,6 +1724,12 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        /* nested_vmcb is our indicator if nested SVM is activated */
        svm->nested.vmcb = svm->vmcb->save.rax;
+        trace_kvm_nested_vmrun(svm->vmcb->save.rip - 3, svm->nested.vmcb,
+                               nested_vmcb->save.rip,
+                               nested_vmcb->control.int_ctl,
+                               nested_vmcb->control.event_inj,
+                               nested_vmcb->control.nested_ctl);
        /* Clear internal status */
        kvm_clear_exception_queue(&svm->vcpu);
        kvm_clear_interrupt_queue(&svm->vcpu);
@@ -1789,28 +1817,15 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        svm->nested.intercept            = nested_vmcb->control.intercept;
        force_new_asid(&svm->vcpu);
-        svm->vmcb->control.exit_int_info = nested_vmcb->control.exit_int_info;
-        svm->vmcb->control.exit_int_info_err = nested_vmcb->control.exit_int_info_err;
        svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
-        if (nested_vmcb->control.int_ctl & V_IRQ_MASK) {
-                nsvm_printk("nSVM Injecting Interrupt: 0x%x\n",
-                                nested_vmcb->control.int_ctl);
-        }
        if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
                svm->vcpu.arch.hflags |= HF_VINTR_MASK;
        else
                svm->vcpu.arch.hflags &= ~HF_VINTR_MASK;
-        nsvm_printk("nSVM exit_int_info: 0x%x | int_state: 0x%x\n",
-                        nested_vmcb->control.exit_int_info,
-                        nested_vmcb->control.int_state);
        svm->vmcb->control.int_vector = nested_vmcb->control.int_vector;
        svm->vmcb->control.int_state = nested_vmcb->control.int_state;
        svm->vmcb->control.tsc_offset += nested_vmcb->control.tsc_offset;
-        if (nested_vmcb->control.event_inj & SVM_EVTINJ_VALID)
-                nsvm_printk("Injecting Event: 0x%x\n",
-                                nested_vmcb->control.event_inj);
        svm->vmcb->control.event_inj = nested_vmcb->control.event_inj;
        svm->vmcb->control.event_inj_err = nested_vmcb->control.event_inj_err;
@@ -1837,7 +1852,7 @@ static void nested_svm_vmloadsave(struct vmcb *from_vmcb, struct vmcb *to_vmcb)
        to_vmcb->save.sysenter_eip = from_vmcb->save.sysenter_eip;
 }
-static int vmload_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int vmload_interception(struct vcpu_svm *svm)
 {
        struct vmcb *nested_vmcb;
@@ -1857,7 +1872,7 @@ static int vmload_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int vmsave_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int vmsave_interception(struct vcpu_svm *svm)
 {
        struct vmcb *nested_vmcb;
@@ -1877,10 +1892,8 @@ static int vmsave_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int vmrun_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int vmrun_interception(struct vcpu_svm *svm)
 {
-        nsvm_printk("VMrun\n");
        if (nested_svm_check_permissions(svm))
                return 1;
@@ -1907,7 +1920,7 @@ failed:
        return 1;
 }
-static int stgi_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int stgi_interception(struct vcpu_svm *svm)
 {
        if (nested_svm_check_permissions(svm))
                return 1;
@@ -1920,7 +1933,7 @@ static int stgi_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int clgi_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int clgi_interception(struct vcpu_svm *svm)
 {
        if (nested_svm_check_permissions(svm))
                return 1;
@@ -1937,10 +1950,12 @@ static int clgi_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int invlpga_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int invlpga_interception(struct vcpu_svm *svm)
 {
        struct kvm_vcpu *vcpu = &svm->vcpu;
-        nsvm_printk("INVLPGA\n");
+        trace_kvm_invlpga(svm->vmcb->save.rip, vcpu->arch.regs[VCPU_REGS_RCX],
+                          vcpu->arch.regs[VCPU_REGS_RAX]);
        /* Let's treat INVLPGA the same as INVLPG (can be optimized!) */
        kvm_mmu_invlpg(vcpu, vcpu->arch.regs[VCPU_REGS_RAX]);
@@ -1950,15 +1965,21 @@ static int invlpga_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int invalid_op_interception(struct vcpu_svm *svm,
+static int skinit_interception(struct vcpu_svm *svm)
-                                   struct kvm_run *kvm_run)
 {
+        trace_kvm_skinit(svm->vmcb->save.rip, svm->vcpu.arch.regs[VCPU_REGS_RAX]);
        kvm_queue_exception(&svm->vcpu, UD_VECTOR);
        return 1;
 }
-static int task_switch_interception(struct vcpu_svm *svm,
+static int invalid_op_interception(struct vcpu_svm *svm)
-                                    struct kvm_run *kvm_run)
+{
+        kvm_queue_exception(&svm->vcpu, UD_VECTOR);
+        return 1;
+}
+static int task_switch_interception(struct vcpu_svm *svm)
 {
        u16 tss_selector;
        int reason;
@@ -2008,14 +2029,14 @@ static int task_switch_interception(struct vcpu_svm *svm,
        return kvm_task_switch(&svm->vcpu, tss_selector, reason);
 }
-static int cpuid_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int cpuid_interception(struct vcpu_svm *svm)
 {
        svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
        kvm_emulate_cpuid(&svm->vcpu);
        return 1;
 }
-static int iret_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int iret_interception(struct vcpu_svm *svm)
 {
        ++svm->vcpu.stat.nmi_window_exits;
        svm->vmcb->control.intercept &= ~(1UL << INTERCEPT_IRET);
@@ -2023,26 +2044,27 @@ static int iret_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int invlpg_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int invlpg_interception(struct vcpu_svm *svm)
 {
-        if (emulate_instruction(&svm->vcpu, kvm_run, 0, 0, 0) != EMULATE_DONE)
+        if (emulate_instruction(&svm->vcpu, 0, 0, 0) != EMULATE_DONE)
                pr_unimpl(&svm->vcpu, "%s: failed\n", __func__);
        return 1;
 }
-static int emulate_on_interception(struct vcpu_svm *svm,
+static int emulate_on_interception(struct vcpu_svm *svm)
-                                   struct kvm_run *kvm_run)
 {
-        if (emulate_instruction(&svm->vcpu, NULL, 0, 0, 0) != EMULATE_DONE)
+        if (emulate_instruction(&svm->vcpu, 0, 0, 0) != EMULATE_DONE)
                pr_unimpl(&svm->vcpu, "%s: failed\n", __func__);
        return 1;
 }
-static int cr8_write_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int cr8_write_interception(struct vcpu_svm *svm)
 {
+        struct kvm_run *kvm_run = svm->vcpu.run;
        u8 cr8_prev = kvm_get_cr8(&svm->vcpu);
        /* instruction emulation calls kvm_set_cr8() */
-        emulate_instruction(&svm->vcpu, NULL, 0, 0, 0);
+        emulate_instruction(&svm->vcpu, 0, 0, 0);
        if (irqchip_in_kernel(svm->vcpu.kvm)) {
                svm->vmcb->control.intercept_cr_write &= ~INTERCEPT_CR8_MASK;
                return 1;
@@ -2128,7 +2150,7 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 *data)
        return 0;
 }
-static int rdmsr_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int rdmsr_interception(struct vcpu_svm *svm)
 {
        u32 ecx = svm->vcpu.arch.regs[VCPU_REGS_RCX];
        u64 data;
@@ -2221,7 +2243,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data)
        return 0;
 }
-static int wrmsr_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int wrmsr_interception(struct vcpu_svm *svm)
 {
        u32 ecx = svm->vcpu.arch.regs[VCPU_REGS_RCX];
        u64 data = (svm->vcpu.arch.regs[VCPU_REGS_RAX] & -1u)
@@ -2237,17 +2259,18 @@ static int wrmsr_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
        return 1;
 }
-static int msr_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+static int msr_interception(struct vcpu_svm *svm)
 {
        if (svm->vmcb->control.exit_info_1)
-                return wrmsr_interception(svm, kvm_run);
+                return wrmsr_interception(svm);
        else
-                return rdmsr_interception(svm, kvm_run);
+                return rdmsr_interception(svm);
 }
-static int interrupt_window_interception(struct vcpu_svm *svm,
+static int interrupt_window_interception(struct vcpu_svm *svm)
-                                   struct kvm_run *kvm_run)
 {
+        struct kvm_run *kvm_run = svm->vcpu.run;
        svm_clear_vintr(svm);
        svm->vmcb->control.int_ctl &= ~V_IRQ_MASK;
        /*
@@ -2265,8 +2288,13 @@ static int interrupt_window_interception(struct vcpu_svm *svm,
        return 1;
 }
-static int (*svm_exit_handlers[])(struct vcpu_svm *svm,
+static int pause_interception(struct vcpu_svm *svm)
-                                      struct kvm_run *kvm_run) = {
+{
+        kvm_vcpu_on_spin(&(svm->vcpu));
+        return 1;
+}
+static int (*svm_exit_handlers[])(struct vcpu_svm *svm) = {
        [SVM_EXIT_READ_CR0]                     = emulate_on_interception,
        [SVM_EXIT_READ_CR3]                     = emulate_on_interception,
        [SVM_EXIT_READ_CR4]                     = emulate_on_interception,
@@ -2301,6 +2329,7 @@ static int (*svm_exit_handlers[])(struct vcpu_svm *svm,
        [SVM_EXIT_CPUID]                        = cpuid_interception,
        [SVM_EXIT_IRET]                         = iret_interception,
        [SVM_EXIT_INVD]                         = emulate_on_interception,
+        [SVM_EXIT_PAUSE]                        = pause_interception,
        [SVM_EXIT_HLT]                          = halt_interception,
        [SVM_EXIT_INVLPG]                       = invlpg_interception,
        [SVM_EXIT_INVLPGA]                      = invlpga_interception,
@@ -2314,26 +2343,36 @@ static int (*svm_exit_handlers[])(struct vcpu_svm *svm,
        [SVM_EXIT_VMSAVE]                       = vmsave_interception,
        [SVM_EXIT_STGI]                         = stgi_interception,
        [SVM_EXIT_CLGI]                         = clgi_interception,
-        [SVM_EXIT_SKINIT]                       = invalid_op_interception,
+        [SVM_EXIT_SKINIT]                       = skinit_interception,
        [SVM_EXIT_WBINVD]                       = emulate_on_interception,
        [SVM_EXIT_MONITOR]                      = invalid_op_interception,
        [SVM_EXIT_MWAIT]                        = invalid_op_interception,
        [SVM_EXIT_NPF]                          = pf_interception,
 };
-static int handle_exit(struct kvm_run *kvm_run, struct kvm_vcpu *vcpu)
+static int handle_exit(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
+        struct kvm_run *kvm_run = vcpu->run;
        u32 exit_code = svm->vmcb->control.exit_code;
        trace_kvm_exit(exit_code, svm->vmcb->save.rip);
+        if (unlikely(svm->nested.exit_required)) {
+                nested_svm_vmexit(svm);
+                svm->nested.exit_required = false;
+                return 1;
+        }
        if (is_nested(svm)) {
                int vmexit;
-                nsvm_printk("nested handle_exit: 0x%x | 0x%lx | 0x%lx | 0x%lx\n",
+                trace_kvm_nested_vmexit(svm->vmcb->save.rip, exit_code,
-                            exit_code, svm->vmcb->control.exit_info_1,
+                                        svm->vmcb->control.exit_info_1,
-                            svm->vmcb->control.exit_info_2, svm->vmcb->save.rip);
+                                        svm->vmcb->control.exit_info_2,
+                                        svm->vmcb->control.exit_int_info,
+                                        svm->vmcb->control.exit_int_info_err);
                vmexit = nested_svm_exit_special(svm);
@@ -2383,7 +2422,7 @@ static int handle_exit(struct kvm_run *kvm_run, struct kvm_vcpu *vcpu)
                return 0;
        }
-        return svm_exit_handlers[exit_code](svm, kvm_run);
+        return svm_exit_handlers[exit_code](svm);
 }
 static void reload_tss(struct kvm_vcpu *vcpu)
@@ -2460,20 +2499,47 @@ static int svm_nmi_allowed(struct kvm_vcpu *vcpu)
                !(svm->vcpu.arch.hflags & HF_NMI_MASK);
 }
+static bool svm_get_nmi_mask(struct kvm_vcpu *vcpu)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        return !!(svm->vcpu.arch.hflags & HF_NMI_MASK);
+}
+static void svm_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        if (masked) {
+                svm->vcpu.arch.hflags |= HF_NMI_MASK;
+                svm->vmcb->control.intercept |= (1UL << INTERCEPT_IRET);
+        } else {
+                svm->vcpu.arch.hflags &= ~HF_NMI_MASK;
+                svm->vmcb->control.intercept &= ~(1UL << INTERCEPT_IRET);
+        }
+}
 static int svm_interrupt_allowed(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
        struct vmcb *vmcb = svm->vmcb;
-        return (vmcb->save.rflags & X86_EFLAGS_IF) &&
+        int ret;
-                !(vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK) &&
-                gif_set(svm) &&
+        if (!gif_set(svm) ||
-                !(is_nested(svm) && (svm->vcpu.arch.hflags & HF_VINTR_MASK));
+             (vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK))
+                return 0;
+        ret = !!(vmcb->save.rflags & X86_EFLAGS_IF);
+        if (is_nested(svm))
+                return ret && !(svm->vcpu.arch.hflags & HF_VINTR_MASK);
+        return ret;
 }
 static void enable_irq_window(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        nsvm_printk("Trying to open IRQ window\n");
        nested_svm_intr(svm);
@@ -2498,7 +2564,7 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
        /* Something prevents NMI from been injected. Single step over
           possible problem (IRET or exception injection or interrupt
           shadow) */
-        vcpu->arch.singlestep = true;
+        svm->nmi_singlestep = true;
        svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
        update_db_intercept(vcpu);
 }
@@ -2588,13 +2654,20 @@ static void svm_complete_interrupts(struct vcpu_svm *svm)
 #define R "e"
 #endif
-static void svm_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
        u16 fs_selector;
        u16 gs_selector;
        u16 ldt_selector;
+        /*
+         * A vmexit emulation is required before the vcpu can be executed
+         * again.
+         */
+        if (unlikely(svm->nested.exit_required))
+                return;
        svm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];
        svm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];
        svm->vmcb->save.rip = vcpu->arch.regs[VCPU_REGS_RIP];
@@ -2893,6 +2966,8 @@ static struct kvm_x86_ops svm_x86_ops = {
        .queue_exception = svm_queue_exception,
        .interrupt_allowed = svm_interrupt_allowed,
        .nmi_allowed = svm_nmi_allowed,
+        .get_nmi_mask = svm_get_nmi_mask,
+        .set_nmi_mask = svm_set_nmi_mask,
        .enable_nmi_window = enable_nmi_window,
        .enable_irq_window = enable_irq_window,
        .update_cr8_intercept = update_cr8_intercept,
diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index 0d480e77eacf..816e0449db0b 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -349,6 +349,171 @@ TRACE_EVENT(kvm_apic_accept_irq,
                  __entry->coalesced ? " (coalesced)" : "")
 );
+/*
+ * Tracepoint for nested VMRUN
+ */
+TRACE_EVENT(kvm_nested_vmrun,
+            TP_PROTO(__u64 rip, __u64 vmcb, __u64 nested_rip, __u32 int_ctl,
+                     __u32 event_inj, bool npt),
+            TP_ARGS(rip, vmcb, nested_rip, int_ctl, event_inj, npt),
+        TP_STRUCT__entry(
+                __field(        __u64,          rip             )
+                __field(        __u64,          vmcb            )
+                __field(        __u64,          nested_rip      )
+                __field(        __u32,          int_ctl         )
+                __field(        __u32,          event_inj       )
+                __field(        bool,           npt             )
+        ),
+        TP_fast_assign(
+                __entry->rip            = rip;
+                __entry->vmcb           = vmcb;
+                __entry->nested_rip     = nested_rip;
+                __entry->int_ctl        = int_ctl;
+                __entry->event_inj      = event_inj;
+                __entry->npt            = npt;
+        ),
+        TP_printk("rip: 0x%016llx vmcb: 0x%016llx nrip: 0x%016llx int_ctl: 0x%08x "
+                  "event_inj: 0x%08x npt: %s\n",
+                __entry->rip, __entry->vmcb, __entry->nested_rip,
+                __entry->int_ctl, __entry->event_inj,
+                __entry->npt ? "on" : "off")
+);
+/*
+ * Tracepoint for #VMEXIT while nested
+ */
+TRACE_EVENT(kvm_nested_vmexit,
+            TP_PROTO(__u64 rip, __u32 exit_code,
+                     __u64 exit_info1, __u64 exit_info2,
+                     __u32 exit_int_info, __u32 exit_int_info_err),
+            TP_ARGS(rip, exit_code, exit_info1, exit_info2,
+                    exit_int_info, exit_int_info_err),
+        TP_STRUCT__entry(
+                __field(        __u64,          rip                     )
+                __field(        __u32,          exit_code               )
+                __field(        __u64,          exit_info1              )
+                __field(        __u64,          exit_info2              )
+                __field(        __u32,          exit_int_info           )
+                __field(        __u32,          exit_int_info_err       )
+        ),
+        TP_fast_assign(
+                __entry->rip                    = rip;
+                __entry->exit_code              = exit_code;
+                __entry->exit_info1             = exit_info1;
+                __entry->exit_info2             = exit_info2;
+                __entry->exit_int_info          = exit_int_info;
+                __entry->exit_int_info_err      = exit_int_info_err;
+        ),
+        TP_printk("rip: 0x%016llx reason: %s ext_inf1: 0x%016llx "
+                  "ext_inf2: 0x%016llx ext_int: 0x%08x ext_int_err: 0x%08x\n",
+                  __entry->rip,
+                  ftrace_print_symbols_seq(p, __entry->exit_code,
+                                           kvm_x86_ops->exit_reasons_str),
+                  __entry->exit_info1, __entry->exit_info2,
+                  __entry->exit_int_info, __entry->exit_int_info_err)
+);
+/*
+ * Tracepoint for #VMEXIT reinjected to the guest
+ */
+TRACE_EVENT(kvm_nested_vmexit_inject,
+            TP_PROTO(__u32 exit_code,
+                     __u64 exit_info1, __u64 exit_info2,
+                     __u32 exit_int_info, __u32 exit_int_info_err),
+            TP_ARGS(exit_code, exit_info1, exit_info2,
+                    exit_int_info, exit_int_info_err),
+        TP_STRUCT__entry(
+                __field(        __u32,          exit_code               )
+                __field(        __u64,          exit_info1              )
+                __field(        __u64,          exit_info2              )
+                __field(        __u32,          exit_int_info           )
+                __field(        __u32,          exit_int_info_err       )
+        ),
+        TP_fast_assign(
+                __entry->exit_code              = exit_code;
+                __entry->exit_info1             = exit_info1;
+                __entry->exit_info2             = exit_info2;
+                __entry->exit_int_info          = exit_int_info;
+                __entry->exit_int_info_err      = exit_int_info_err;
+        ),
+        TP_printk("reason: %s ext_inf1: 0x%016llx "
+                  "ext_inf2: 0x%016llx ext_int: 0x%08x ext_int_err: 0x%08x\n",
+                  ftrace_print_symbols_seq(p, __entry->exit_code,
+                                           kvm_x86_ops->exit_reasons_str),
+                __entry->exit_info1, __entry->exit_info2,
+                __entry->exit_int_info, __entry->exit_int_info_err)
+);
+/*
+ * Tracepoint for nested #vmexit because of interrupt pending
+ */
+TRACE_EVENT(kvm_nested_intr_vmexit,
+            TP_PROTO(__u64 rip),
+            TP_ARGS(rip),
+        TP_STRUCT__entry(
+                __field(        __u64,  rip     )
+        ),
+        TP_fast_assign(
+                __entry->rip    =       rip
+        ),
+        TP_printk("rip: 0x%016llx\n", __entry->rip)
+);
+/*
+ * Tracepoint for nested #vmexit because of interrupt pending
+ */
+TRACE_EVENT(kvm_invlpga,
+            TP_PROTO(__u64 rip, int asid, u64 address),
+            TP_ARGS(rip, asid, address),
+        TP_STRUCT__entry(
+                __field(        __u64,  rip     )
+                __field(        int,    asid    )
+                __field(        __u64,  address )
+        ),
+        TP_fast_assign(
+                __entry->rip            =       rip;
+                __entry->asid           =       asid;
+                __entry->address        =       address;
+        ),
+        TP_printk("rip: 0x%016llx asid: %d address: 0x%016llx\n",
+                  __entry->rip, __entry->asid, __entry->address)
+);
+/*
+ * Tracepoint for nested #vmexit because of interrupt pending
+ */
+TRACE_EVENT(kvm_skinit,
+            TP_PROTO(__u64 rip, __u32 slb),
+            TP_ARGS(rip, slb),
+        TP_STRUCT__entry(
+                __field(        __u64,  rip     )
+                __field(        __u32,  slb     )
+        ),
+        TP_fast_assign(
+                __entry->rip            =       rip;
+                __entry->slb            =       slb;
+        ),
+        TP_printk("rip: 0x%016llx slb: 0x%08x\n",
+                  __entry->rip, __entry->slb)
+);
 #endif /* _TRACE_KVM_H */
 /* This part must be outside protection */
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index ed53b42caba1..d4918d6fc924 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -61,12 +61,37 @@ module_param_named(unrestricted_guest,
 static int __read_mostly emulate_invalid_guest_state = 0;
 module_param(emulate_invalid_guest_state, bool, S_IRUGO);
+/*
+ * These 2 parameters are used to config the controls for Pause-Loop Exiting:
+ * ple_gap:    upper bound on the amount of time between two successive
+ *             executions of PAUSE in a loop. Also indicate if ple enabled.
+ *             According to test, this time is usually small than 41 cycles.
+ * ple_window: upper bound on the amount of time a guest is allowed to execute
+ *             in a PAUSE loop. Tests indicate that most spinlocks are held for
+ *             less than 2^12 cycles
+ * Time is measured based on a counter that runs at the same rate as the TSC,
+ * refer SDM volume 3b section 21.6.13 & 22.1.3.
+ */
+#define KVM_VMX_DEFAULT_PLE_GAP    41
+#define KVM_VMX_DEFAULT_PLE_WINDOW 4096
+static int ple_gap = KVM_VMX_DEFAULT_PLE_GAP;
+module_param(ple_gap, int, S_IRUGO);
+static int ple_window = KVM_VMX_DEFAULT_PLE_WINDOW;
+module_param(ple_window, int, S_IRUGO);
 struct vmcs {
        u32 revision_id;
        u32 abort;
        char data[0];
 };
+struct shared_msr_entry {
+        unsigned index;
+        u64 data;
+        u64 mask;
+};
 struct vcpu_vmx {
        struct kvm_vcpu       vcpu;
        struct list_head      local_vcpus_link;
@@ -74,13 +99,12 @@ struct vcpu_vmx {
        int                   launched;
        u8                    fail;
        u32                   idt_vectoring_info;
-        struct kvm_msr_entry *guest_msrs;
+        struct shared_msr_entry *guest_msrs;
-        struct kvm_msr_entry *host_msrs;
        int                   nmsrs;
        int                   save_nmsrs;
-        int                   msr_offset_efer;
 #ifdef CONFIG_X86_64
-        int                   msr_offset_kernel_gs_base;
+        u64                   msr_host_kernel_gs_base;
+        u64                   msr_guest_kernel_gs_base;
 #endif
        struct vmcs          *vmcs;
        struct {
@@ -88,7 +112,6 @@ struct vcpu_vmx {
                u16           fs_sel, gs_sel, ldt_sel;
                int           gs_ldt_reload_needed;
                int           fs_reload_needed;
-                int           guest_efer_loaded;
        } host_state;
        struct {
                int vm86_active;
@@ -107,7 +130,6 @@ struct vcpu_vmx {
        } rmode;
        int vpid;
        bool emulation_required;
-        enum emulation_result invalid_state_emulation_result;
        /* Support for vnmi-less CPUs */
        int soft_vnmi_blocked;
@@ -176,6 +198,8 @@ static struct kvm_vmx_segment_field {
        VMX_SEGMENT_FIELD(LDTR),
 };
+static u64 host_efer;
 static void ept_save_pdptrs(struct kvm_vcpu *vcpu);
 /*
@@ -184,28 +208,12 @@ static void ept_save_pdptrs(struct kvm_vcpu *vcpu);
 */
 static const u32 vmx_msr_index[] = {
 #ifdef CONFIG_X86_64
-        MSR_SYSCALL_MASK, MSR_LSTAR, MSR_CSTAR, MSR_KERNEL_GS_BASE,
+        MSR_SYSCALL_MASK, MSR_LSTAR, MSR_CSTAR,
 #endif
        MSR_EFER, MSR_K6_STAR,
 };
 #define NR_VMX_MSR ARRAY_SIZE(vmx_msr_index)
-static void load_msrs(struct kvm_msr_entry *e, int n)
-{
-        int i;
-        for (i = 0; i < n; ++i)
-                wrmsrl(e[i].index, e[i].data);
-}
-static void save_msrs(struct kvm_msr_entry *e, int n)
-{
-        int i;
-        for (i = 0; i < n; ++i)
-                rdmsrl(e[i].index, e[i].data);
-}
 static inline int is_page_fault(u32 intr_info)
 {
        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
@@ -320,6 +328,12 @@ static inline int cpu_has_vmx_unrestricted_guest(void)
                SECONDARY_EXEC_UNRESTRICTED_GUEST;
 }
+static inline int cpu_has_vmx_ple(void)
+{
+        return vmcs_config.cpu_based_2nd_exec_ctrl &
+                SECONDARY_EXEC_PAUSE_LOOP_EXITING;
+}
 static inline int vm_need_virtualize_apic_accesses(struct kvm *kvm)
 {
        return flexpriority_enabled &&
@@ -348,7 +362,7 @@ static int __find_msr_index(struct vcpu_vmx *vmx, u32 msr)
        int i;
        for (i = 0; i < vmx->nmsrs; ++i)
-                if (vmx->guest_msrs[i].index == msr)
+                if (vmx_msr_index[vmx->guest_msrs[i].index] == msr)
                        return i;
        return -1;
 }
@@ -379,7 +393,7 @@ static inline void __invept(int ext, u64 eptp, gpa_t gpa)
                        : : "a" (&operand), "c" (ext) : "cc", "memory");
 }
-static struct kvm_msr_entry *find_msr_entry(struct vcpu_vmx *vmx, u32 msr)
+static struct shared_msr_entry *find_msr_entry(struct vcpu_vmx *vmx, u32 msr)
 {
        int i;
@@ -570,17 +584,12 @@ static void reload_tss(void)
        load_TR_desc();
 }
-static void load_transition_efer(struct vcpu_vmx *vmx)
+static bool update_transition_efer(struct vcpu_vmx *vmx, int efer_offset)
 {
-        int efer_offset = vmx->msr_offset_efer;
-        u64 host_efer;
        u64 guest_efer;
        u64 ignore_bits;
-        if (efer_offset < 0)
+        guest_efer = vmx->vcpu.arch.shadow_efer;
-                return;
-        host_efer = vmx->host_msrs[efer_offset].data;
-        guest_efer = vmx->guest_msrs[efer_offset].data;
        /*
         * NX is emulated; LMA and LME handled by hardware; SCE meaninless
@@ -593,27 +602,17 @@ static void load_transition_efer(struct vcpu_vmx *vmx)
        if (guest_efer & EFER_LMA)
                ignore_bits &= ~(u64)EFER_SCE;
 #endif
-        if ((guest_efer & ~ignore_bits) == (host_efer & ~ignore_bits))
-                return;
-        vmx->host_state.guest_efer_loaded = 1;
        guest_efer &= ~ignore_bits;
        guest_efer |= host_efer & ignore_bits;
-        wrmsrl(MSR_EFER, guest_efer);
+        vmx->guest_msrs[efer_offset].data = guest_efer;
-        vmx->vcpu.stat.efer_reload++;
+        vmx->guest_msrs[efer_offset].mask = ~ignore_bits;
-}
+        return true;
-static void reload_host_efer(struct vcpu_vmx *vmx)
-{
-        if (vmx->host_state.guest_efer_loaded) {
-                vmx->host_state.guest_efer_loaded = 0;
-                load_msrs(vmx->host_msrs + vmx->msr_offset_efer, 1);
-        }
 }
 static void vmx_save_host_state(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
+        int i;
        if (vmx->host_state.loaded)
                return;
@@ -650,13 +649,15 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
 #endif
 #ifdef CONFIG_X86_64
-        if (is_long_mode(&vmx->vcpu))
+        if (is_long_mode(&vmx->vcpu)) {
-                save_msrs(vmx->host_msrs +
+                rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
-                          vmx->msr_offset_kernel_gs_base, 1);
+                wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
+        }
 #endif
-        load_msrs(vmx->guest_msrs, vmx->save_nmsrs);
+        for (i = 0; i < vmx->save_nmsrs; ++i)
-        load_transition_efer(vmx);
+                kvm_set_shared_msr(vmx->guest_msrs[i].index,
+                                   vmx->guest_msrs[i].data,
+                                   vmx->guest_msrs[i].mask);
 }
 static void __vmx_load_host_state(struct vcpu_vmx *vmx)
@@ -684,9 +685,12 @@ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
                local_irq_restore(flags);
        }
        reload_tss();
-        save_msrs(vmx->guest_msrs, vmx->save_nmsrs);
+#ifdef CONFIG_X86_64
-        load_msrs(vmx->host_msrs, vmx->save_nmsrs);
+        if (is_long_mode(&vmx->vcpu)) {
-        reload_host_efer(vmx);
+                rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
+                wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
+        }
+#endif
 }
 static void vmx_load_host_state(struct vcpu_vmx *vmx)
@@ -877,19 +881,14 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
 /*
 * Swap MSR entry in host/guest MSR entry array.
 */
-#ifdef CONFIG_X86_64
 static void move_msr_up(struct vcpu_vmx *vmx, int from, int to)
 {
-        struct kvm_msr_entry tmp;
+        struct shared_msr_entry tmp;
        tmp = vmx->guest_msrs[to];
        vmx->guest_msrs[to] = vmx->guest_msrs[from];
        vmx->guest_msrs[from] = tmp;
-        tmp = vmx->host_msrs[to];
-        vmx->host_msrs[to] = vmx->host_msrs[from];
-        vmx->host_msrs[from] = tmp;
 }
-#endif
 /*
 * Set up the vmcs to automatically save and restore system
@@ -898,15 +897,13 @@ static void move_msr_up(struct vcpu_vmx *vmx, int from, int to)
 */
 static void setup_msrs(struct vcpu_vmx *vmx)
 {
-        int save_nmsrs;
+        int save_nmsrs, index;
        unsigned long *msr_bitmap;
        vmx_load_host_state(vmx);
        save_nmsrs = 0;
 #ifdef CONFIG_X86_64
        if (is_long_mode(&vmx->vcpu)) {
-                int index;
                index = __find_msr_index(vmx, MSR_SYSCALL_MASK);
                if (index >= 0)
                        move_msr_up(vmx, index, save_nmsrs++);
@@ -916,9 +913,6 @@ static void setup_msrs(struct vcpu_vmx *vmx)
                index = __find_msr_index(vmx, MSR_CSTAR);
                if (index >= 0)
                        move_msr_up(vmx, index, save_nmsrs++);
-                index = __find_msr_index(vmx, MSR_KERNEL_GS_BASE);
-                if (index >= 0)
-                        move_msr_up(vmx, index, save_nmsrs++);
                /*
                 * MSR_K6_STAR is only needed on long mode guests, and only
                 * if efer.sce is enabled.
@@ -928,13 +922,11 @@ static void setup_msrs(struct vcpu_vmx *vmx)
                        move_msr_up(vmx, index, save_nmsrs++);
        }
 #endif
-        vmx->save_nmsrs = save_nmsrs;
+        index = __find_msr_index(vmx, MSR_EFER);
+        if (index >= 0 && update_transition_efer(vmx, index))
+                move_msr_up(vmx, index, save_nmsrs++);
-#ifdef CONFIG_X86_64
+        vmx->save_nmsrs = save_nmsrs;
-        vmx->msr_offset_kernel_gs_base =
-                __find_msr_index(vmx, MSR_KERNEL_GS_BASE);
-#endif
-        vmx->msr_offset_efer = __find_msr_index(vmx, MSR_EFER);
        if (cpu_has_vmx_msr_bitmap()) {
                if (is_long_mode(&vmx->vcpu))
@@ -976,7 +968,7 @@ static void guest_write_tsc(u64 guest_tsc, u64 host_tsc)
 static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
 {
        u64 data;
-        struct kvm_msr_entry *msr;
+        struct shared_msr_entry *msr;
        if (!pdata) {
                printk(KERN_ERR "BUG: get_msr called with NULL pdata\n");
@@ -991,9 +983,13 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
        case MSR_GS_BASE:
                data = vmcs_readl(GUEST_GS_BASE);
                break;
+        case MSR_KERNEL_GS_BASE:
+                vmx_load_host_state(to_vmx(vcpu));
+                data = to_vmx(vcpu)->msr_guest_kernel_gs_base;
+                break;
+#endif
        case MSR_EFER:
                return kvm_get_msr_common(vcpu, msr_index, pdata);
-#endif
        case MSR_IA32_TSC:
                data = guest_read_tsc();
                break;
@@ -1007,6 +1003,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
                data = vmcs_readl(GUEST_SYSENTER_ESP);
                break;
        default:
+                vmx_load_host_state(to_vmx(vcpu));
                msr = find_msr_entry(to_vmx(vcpu), msr_index);
                if (msr) {
                        vmx_load_host_state(to_vmx(vcpu));
@@ -1028,7 +1025,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
 static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
-        struct kvm_msr_entry *msr;
+        struct shared_msr_entry *msr;
        u64 host_tsc;
        int ret = 0;
@@ -1044,6 +1041,10 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
        case MSR_GS_BASE:
                vmcs_writel(GUEST_GS_BASE, data);
                break;
+        case MSR_KERNEL_GS_BASE:
+                vmx_load_host_state(vmx);
+                vmx->msr_guest_kernel_gs_base = data;
+                break;
 #endif
        case MSR_IA32_SYSENTER_CS:
                vmcs_write32(GUEST_SYSENTER_CS, data);
@@ -1097,30 +1098,14 @@ static void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
        }
 }
-static int set_guest_debug(struct kvm_vcpu *vcpu, struct kvm_guest_debug *dbg)
+static void set_guest_debug(struct kvm_vcpu *vcpu, struct kvm_guest_debug *dbg)
 {
-        int old_debug = vcpu->guest_debug;
-        unsigned long flags;
-        vcpu->guest_debug = dbg->control;
-        if (!(vcpu->guest_debug & KVM_GUESTDBG_ENABLE))
-                vcpu->guest_debug = 0;
        if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)
                vmcs_writel(GUEST_DR7, dbg->arch.debugreg[7]);
        else
                vmcs_writel(GUEST_DR7, vcpu->arch.dr7);
-        flags = vmcs_readl(GUEST_RFLAGS);
-        if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
-                flags |= X86_EFLAGS_TF | X86_EFLAGS_RF;
-        else if (old_debug & KVM_GUESTDBG_SINGLESTEP)
-                flags &= ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-        vmcs_writel(GUEST_RFLAGS, flags);
        update_exception_bitmap(vcpu);
-        return 0;
 }
 static __init int cpu_has_kvm_support(void)
@@ -1139,12 +1124,15 @@ static __init int vmx_disabled_by_bios(void)
        /* locked but not enabled */
 }
-static void hardware_enable(void *garbage)
+static int hardware_enable(void *garbage)
 {
        int cpu = raw_smp_processor_id();
        u64 phys_addr = __pa(per_cpu(vmxarea, cpu));
        u64 old;
+        if (read_cr4() & X86_CR4_VMXE)
+                return -EBUSY;
        INIT_LIST_HEAD(&per_cpu(vcpus_on_cpu, cpu));
        rdmsrl(MSR_IA32_FEATURE_CONTROL, old);
        if ((old & (FEATURE_CONTROL_LOCKED |
@@ -1159,6 +1147,10 @@ static void hardware_enable(void *garbage)
        asm volatile (ASM_VMX_VMXON_RAX
                      : : "a"(&phys_addr), "m"(phys_addr)
                      : "memory", "cc");
+        ept_sync_global();
+        return 0;
 }
 static void vmclear_local_vcpus(void)
@@ -1250,7 +1242,8 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
                        SECONDARY_EXEC_WBINVD_EXITING |
                        SECONDARY_EXEC_ENABLE_VPID |
                        SECONDARY_EXEC_ENABLE_EPT |
-                        SECONDARY_EXEC_UNRESTRICTED_GUEST;
+                        SECONDARY_EXEC_UNRESTRICTED_GUEST |
+                        SECONDARY_EXEC_PAUSE_LOOP_EXITING;
                if (adjust_vmx_controls(min2, opt2,
                                        MSR_IA32_VMX_PROCBASED_CTLS2,
                                        &_cpu_based_2nd_exec_control) < 0)
@@ -1344,15 +1337,17 @@ static void free_kvm_area(void)
 {
        int cpu;
-        for_each_online_cpu(cpu)
+        for_each_possible_cpu(cpu) {
                free_vmcs(per_cpu(vmxarea, cpu));
+                per_cpu(vmxarea, cpu) = NULL;
+        }
 }
 static __init int alloc_kvm_area(void)
 {
        int cpu;
-        for_each_online_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                struct vmcs *vmcs;
                vmcs = alloc_vmcs_cpu(cpu);
@@ -1394,6 +1389,9 @@ static __init int hardware_setup(void)
        if (enable_ept && !cpu_has_vmx_ept_2m_page())
                kvm_disable_largepages();
+        if (!cpu_has_vmx_ple())
+                ple_gap = 0;
        return alloc_kvm_area();
 }
@@ -1536,8 +1534,16 @@ continue_rmode:
 static void vmx_set_efer(struct kvm_vcpu *vcpu, u64 efer)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
-        struct kvm_msr_entry *msr = find_msr_entry(vmx, MSR_EFER);
+        struct shared_msr_entry *msr = find_msr_entry(vmx, MSR_EFER);
+        if (!msr)
+                return;
+        /*
+         * Force kernel_gs_base reloading before EFER changes, as control
+         * of this msr depends on is_long_mode().
+         */
+        vmx_load_host_state(to_vmx(vcpu));
        vcpu->arch.shadow_efer = efer;
        if (!msr)
                return;
@@ -1727,6 +1733,7 @@ static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
                vmcs_write64(EPT_POINTER, eptp);
                guest_cr3 = is_paging(vcpu) ? vcpu->arch.cr3 :
                        vcpu->kvm->arch.ept_identity_map_addr;
+                ept_load_pdptrs(vcpu);
        }
        vmx_flush_tlb(vcpu);
@@ -2302,13 +2309,22 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
                                ~SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
                if (vmx->vpid == 0)
                        exec_control &= ~SECONDARY_EXEC_ENABLE_VPID;
-                if (!enable_ept)
+                if (!enable_ept) {
                        exec_control &= ~SECONDARY_EXEC_ENABLE_EPT;
+                        enable_unrestricted_guest = 0;
+                }
                if (!enable_unrestricted_guest)
                        exec_control &= ~SECONDARY_EXEC_UNRESTRICTED_GUEST;
+                if (!ple_gap)
+                        exec_control &= ~SECONDARY_EXEC_PAUSE_LOOP_EXITING;
                vmcs_write32(SECONDARY_VM_EXEC_CONTROL, exec_control);
        }
+        if (ple_gap) {
+                vmcs_write32(PLE_GAP, ple_gap);
+                vmcs_write32(PLE_WINDOW, ple_window);
+        }
        vmcs_write32(PAGE_FAULT_ERROR_CODE_MASK, !!bypass_guest_pf);
        vmcs_write32(PAGE_FAULT_ERROR_CODE_MATCH, !!bypass_guest_pf);
        vmcs_write32(CR3_TARGET_COUNT, 0);           /* 22.2.1 */
@@ -2376,10 +2392,9 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
                if (wrmsr_safe(index, data_low, data_high) < 0)
                        continue;
                data = data_low | ((u64)data_high << 32);
-                vmx->host_msrs[j].index = index;
+                vmx->guest_msrs[j].index = i;
-                vmx->host_msrs[j].reserved = 0;
+                vmx->guest_msrs[j].data = 0;
-                vmx->host_msrs[j].data = data;
+                vmx->guest_msrs[j].mask = -1ull;
-                vmx->guest_msrs[j] = vmx->host_msrs[j];
                ++vmx->nmsrs;
        }
@@ -2510,7 +2525,7 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
        if (vmx->vpid != 0)
                vmcs_write16(VIRTUAL_PROCESSOR_ID, vmx->vpid);
-        vmx->vcpu.arch.cr0 = 0x60000010;
+        vmx->vcpu.arch.cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
        vmx_set_cr0(&vmx->vcpu, vmx->vcpu.arch.cr0); /* enter rmode */
        vmx_set_cr4(&vmx->vcpu, 0);
        vmx_set_efer(&vmx->vcpu, 0);
@@ -2627,6 +2642,34 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
                                GUEST_INTR_STATE_NMI));
 }
+static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu)
+{
+        if (!cpu_has_virtual_nmis())
+                return to_vmx(vcpu)->soft_vnmi_blocked;
+        else
+                return !!(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
+                          GUEST_INTR_STATE_NMI);
+}
+static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
+{
+        struct vcpu_vmx *vmx = to_vmx(vcpu);
+        if (!cpu_has_virtual_nmis()) {
+                if (vmx->soft_vnmi_blocked != masked) {
+                        vmx->soft_vnmi_blocked = masked;
+                        vmx->vnmi_blocked_time = 0;
+                }
+        } else {
+                if (masked)
+                        vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
+                                      GUEST_INTR_STATE_NMI);
+                else
+                        vmcs_clear_bits(GUEST_INTERRUPTIBILITY_INFO,
+                                        GUEST_INTR_STATE_NMI);
+        }
+}
 static int vmx_interrupt_allowed(struct kvm_vcpu *vcpu)
 {
        return (vmcs_readl(GUEST_RFLAGS) & X86_EFLAGS_IF) &&
@@ -2659,7 +2702,7 @@ static int handle_rmode_exception(struct kvm_vcpu *vcpu,
         * Cause the #SS fault with 0 error code in VM86 mode.
         */
        if (((vec == GP_VECTOR) || (vec == SS_VECTOR)) && err_code == 0)
-                if (emulate_instruction(vcpu, NULL, 0, 0, 0) == EMULATE_DONE)
+                if (emulate_instruction(vcpu, 0, 0, 0) == EMULATE_DONE)
                        return 1;
        /*
         * Forward all other exceptions that are valid in real mode.
@@ -2710,15 +2753,16 @@ static void kvm_machine_check(void)
 #endif
 }
-static int handle_machine_check(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_machine_check(struct kvm_vcpu *vcpu)
 {
        /* already handled by vcpu_run */
        return 1;
 }
-static int handle_exception(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_exception(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
+        struct kvm_run *kvm_run = vcpu->run;
        u32 intr_info, ex_no, error_code;
        unsigned long cr2, rip, dr6;
        u32 vect_info;
@@ -2728,12 +2772,17 @@ static int handle_exception(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
        if (is_machine_check(intr_info))
-                return handle_machine_check(vcpu, kvm_run);
+                return handle_machine_check(vcpu);
        if ((vect_info & VECTORING_INFO_VALID_MASK) &&
-                                                !is_page_fault(intr_info))
+            !is_page_fault(intr_info)) {
-                printk(KERN_ERR "%s: unexpected, vectoring info 0x%x "
+                vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
-                       "intr info 0x%x\n", __func__, vect_info, intr_info);
+                vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_SIMUL_EX;
+                vcpu->run->internal.ndata = 2;
+                vcpu->run->internal.data[0] = vect_info;
+                vcpu->run->internal.data[1] = intr_info;
+                return 0;
+        }
        if ((intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR)
                return 1;  /* already handled by vmx_vcpu_run() */
@@ -2744,7 +2793,7 @@ static int handle_exception(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        }
        if (is_invalid_opcode(intr_info)) {
-                er = emulate_instruction(vcpu, kvm_run, 0, 0, EMULTYPE_TRAP_UD);
+                er = emulate_instruction(vcpu, 0, 0, EMULTYPE_TRAP_UD);
                if (er != EMULATE_DONE)
                        kvm_queue_exception(vcpu, UD_VECTOR);
                return 1;
@@ -2803,20 +2852,19 @@ static int handle_exception(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 0;
 }
-static int handle_external_interrupt(struct kvm_vcpu *vcpu,
+static int handle_external_interrupt(struct kvm_vcpu *vcpu)
-                                     struct kvm_run *kvm_run)
 {
        ++vcpu->stat.irq_exits;
        return 1;
 }
-static int handle_triple_fault(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_triple_fault(struct kvm_vcpu *vcpu)
 {
-        kvm_run->exit_reason = KVM_EXIT_SHUTDOWN;
+        vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN;
        return 0;
 }
-static int handle_io(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_io(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification;
        int size, in, string;
@@ -2827,8 +2875,7 @@ static int handle_io(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        string = (exit_qualification & 16) != 0;
        if (string) {
-                if (emulate_instruction(vcpu,
+                if (emulate_instruction(vcpu, 0, 0, 0) == EMULATE_DO_MMIO)
-                                        kvm_run, 0, 0, 0) == EMULATE_DO_MMIO)
                        return 0;
                return 1;
        }
@@ -2838,7 +2885,7 @@ static int handle_io(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        port = exit_qualification >> 16;
        skip_emulated_instruction(vcpu);
-        return kvm_emulate_pio(vcpu, kvm_run, in, size, port);
+        return kvm_emulate_pio(vcpu, in, size, port);
 }
 static void
@@ -2852,7 +2899,7 @@ vmx_patch_hypercall(struct kvm_vcpu *vcpu, unsigned char *hypercall)
        hypercall[2] = 0xc1;
 }
-static int handle_cr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_cr(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification, val;
        int cr;
@@ -2887,7 +2934,7 @@ static int handle_cr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                                        return 1;
                                if (cr8_prev <= cr8)
                                        return 1;
-                                kvm_run->exit_reason = KVM_EXIT_SET_TPR;
+                                vcpu->run->exit_reason = KVM_EXIT_SET_TPR;
                                return 0;
                        }
                };
@@ -2922,13 +2969,13 @@ static int handle_cr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        default:
                break;
        }
-        kvm_run->exit_reason = 0;
+        vcpu->run->exit_reason = 0;
        pr_unimpl(vcpu, "unhandled control register: op %d cr %d\n",
               (int)(exit_qualification >> 4) & 3, cr);
        return 0;
 }
-static int handle_dr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_dr(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification;
        unsigned long val;
@@ -2944,13 +2991,13 @@ static int handle_dr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                 * guest debugging itself.
                 */
                if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP) {
-                        kvm_run->debug.arch.dr6 = vcpu->arch.dr6;
+                        vcpu->run->debug.arch.dr6 = vcpu->arch.dr6;
-                        kvm_run->debug.arch.dr7 = dr;
+                        vcpu->run->debug.arch.dr7 = dr;
-                        kvm_run->debug.arch.pc =
+                        vcpu->run->debug.arch.pc =
                                vmcs_readl(GUEST_CS_BASE) +
                                vmcs_readl(GUEST_RIP);
-                        kvm_run->debug.arch.exception = DB_VECTOR;
+                        vcpu->run->debug.arch.exception = DB_VECTOR;
-                        kvm_run->exit_reason = KVM_EXIT_DEBUG;
+                        vcpu->run->exit_reason = KVM_EXIT_DEBUG;
                        return 0;
                } else {
                        vcpu->arch.dr7 &= ~DR7_GD;
@@ -3016,13 +3063,13 @@ static int handle_dr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 1;
 }
-static int handle_cpuid(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_cpuid(struct kvm_vcpu *vcpu)
 {
        kvm_emulate_cpuid(vcpu);
        return 1;
 }
-static int handle_rdmsr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_rdmsr(struct kvm_vcpu *vcpu)
 {
        u32 ecx = vcpu->arch.regs[VCPU_REGS_RCX];
        u64 data;
@@ -3041,7 +3088,7 @@ static int handle_rdmsr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 1;
 }
-static int handle_wrmsr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_wrmsr(struct kvm_vcpu *vcpu)
 {
        u32 ecx = vcpu->arch.regs[VCPU_REGS_RCX];
        u64 data = (vcpu->arch.regs[VCPU_REGS_RAX] & -1u)
@@ -3058,14 +3105,12 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 1;
 }
-static int handle_tpr_below_threshold(struct kvm_vcpu *vcpu,
+static int handle_tpr_below_threshold(struct kvm_vcpu *vcpu)
-                                      struct kvm_run *kvm_run)
 {
        return 1;
 }
-static int handle_interrupt_window(struct kvm_vcpu *vcpu,
+static int handle_interrupt_window(struct kvm_vcpu *vcpu)
-                                   struct kvm_run *kvm_run)
 {
        u32 cpu_based_vm_exec_control;
@@ -3081,34 +3126,34 @@ static int handle_interrupt_window(struct kvm_vcpu *vcpu,
         * possible
         */
        if (!irqchip_in_kernel(vcpu->kvm) &&
-            kvm_run->request_interrupt_window &&
+            vcpu->run->request_interrupt_window &&
            !kvm_cpu_has_interrupt(vcpu)) {
-                kvm_run->exit_reason = KVM_EXIT_IRQ_WINDOW_OPEN;
+                vcpu->run->exit_reason = KVM_EXIT_IRQ_WINDOW_OPEN;
                return 0;
        }
        return 1;
 }
-static int handle_halt(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_halt(struct kvm_vcpu *vcpu)
 {
        skip_emulated_instruction(vcpu);
        return kvm_emulate_halt(vcpu);
 }
-static int handle_vmcall(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_vmcall(struct kvm_vcpu *vcpu)
 {
        skip_emulated_instruction(vcpu);
        kvm_emulate_hypercall(vcpu);
        return 1;
 }
-static int handle_vmx_insn(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_vmx_insn(struct kvm_vcpu *vcpu)
 {
        kvm_queue_exception(vcpu, UD_VECTOR);
        return 1;
 }
-static int handle_invlpg(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_invlpg(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
@@ -3117,14 +3162,14 @@ static int handle_invlpg(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 1;
 }
-static int handle_wbinvd(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_wbinvd(struct kvm_vcpu *vcpu)
 {
        skip_emulated_instruction(vcpu);
        /* TODO: Add support for VT-d/pass-through device */
        return 1;
 }
-static int handle_apic_access(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_apic_access(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification;
        enum emulation_result er;
@@ -3133,7 +3178,7 @@ static int handle_apic_access(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
        offset = exit_qualification & 0xffful;
-        er = emulate_instruction(vcpu, kvm_run, 0, 0, 0);
+        er = emulate_instruction(vcpu, 0, 0, 0);
        if (er !=  EMULATE_DONE) {
                printk(KERN_ERR
@@ -3144,7 +3189,7 @@ static int handle_apic_access(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 1;
 }
-static int handle_task_switch(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_task_switch(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        unsigned long exit_qualification;
@@ -3198,7 +3243,7 @@ static int handle_task_switch(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 1;
 }
-static int handle_ept_violation(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_ept_violation(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification;
        gpa_t gpa;
@@ -3219,8 +3264,8 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                        vmcs_readl(GUEST_LINEAR_ADDRESS));
                printk(KERN_ERR "EPT: Exit qualification is 0x%lx\n",
                        (long unsigned int)exit_qualification);
-                kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+                vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
-                kvm_run->hw.hardware_exit_reason = EXIT_REASON_EPT_VIOLATION;
+                vcpu->run->hw.hardware_exit_reason = EXIT_REASON_EPT_VIOLATION;
                return 0;
        }
@@ -3290,7 +3335,7 @@ static void ept_misconfig_inspect_spte(struct kvm_vcpu *vcpu, u64 spte,
        }
 }
-static int handle_ept_misconfig(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
 {
        u64 sptes[4];
        int nr_sptes, i;
@@ -3306,13 +3351,13 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        for (i = PT64_ROOT_LEVEL; i > PT64_ROOT_LEVEL - nr_sptes; --i)
                ept_misconfig_inspect_spte(vcpu, sptes[i-1], i);
-        kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+        vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
-        kvm_run->hw.hardware_exit_reason = EXIT_REASON_EPT_MISCONFIG;
+        vcpu->run->hw.hardware_exit_reason = EXIT_REASON_EPT_MISCONFIG;
        return 0;
 }
-static int handle_nmi_window(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int handle_nmi_window(struct kvm_vcpu *vcpu)
 {
        u32 cpu_based_vm_exec_control;
@@ -3325,36 +3370,50 @@ static int handle_nmi_window(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        return 1;
 }
-static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
+static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
-                                struct kvm_run *kvm_run)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        enum emulation_result err = EMULATE_DONE;
+        int ret = 1;
-        local_irq_enable();
-        preempt_enable();
        while (!guest_state_valid(vcpu)) {
-                err = emulate_instruction(vcpu, kvm_run, 0, 0, 0);
+                err = emulate_instruction(vcpu, 0, 0, 0);
-                if (err == EMULATE_DO_MMIO)
+                if (err == EMULATE_DO_MMIO) {
-                        break;
+                        ret = 0;
+                        goto out;
+                }
                if (err != EMULATE_DONE) {
                        kvm_report_emulation_failure(vcpu, "emulation failure");
-                        break;
+                        vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+                        vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+                        vcpu->run->internal.ndata = 0;
+                        ret = 0;
+                        goto out;
                }
                if (signal_pending(current))
-                        break;
+                        goto out;
                if (need_resched())
                        schedule();
        }
-        preempt_disable();
+        vmx->emulation_required = 0;
-        local_irq_disable();
+out:
+        return ret;
+}
-        vmx->invalid_state_emulation_result = err;
+/*
+ * Indicate a busy-waiting vcpu in spinlock. We do not enable the PAUSE
+ * exiting, so only get here on cpu with PAUSE-Loop-Exiting.
+ */
+static int handle_pause(struct kvm_vcpu *vcpu)
+{
+        skip_emulated_instruction(vcpu);
+        kvm_vcpu_on_spin(vcpu);
+        return 1;
 }
 /*
@@ -3362,8 +3421,7 @@ static void handle_invalid_guest_state(struct kvm_vcpu *vcpu,
 * may resume.  Otherwise they set the kvm_run parameter to indicate what needs
 * to be done to userspace and return 0.
 */
-static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu,
+static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
-                                      struct kvm_run *kvm_run) = {
        [EXIT_REASON_EXCEPTION_NMI]           = handle_exception,
        [EXIT_REASON_EXTERNAL_INTERRUPT]      = handle_external_interrupt,
        [EXIT_REASON_TRIPLE_FAULT]            = handle_triple_fault,
@@ -3394,6 +3452,7 @@ static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu,
        [EXIT_REASON_MCE_DURING_VMENTRY]      = handle_machine_check,
        [EXIT_REASON_EPT_VIOLATION]           = handle_ept_violation,
        [EXIT_REASON_EPT_MISCONFIG]           = handle_ept_misconfig,
+        [EXIT_REASON_PAUSE_INSTRUCTION]       = handle_pause,
 };
 static const int kvm_vmx_max_exit_handlers =
@@ -3403,7 +3462,7 @@ static const int kvm_vmx_max_exit_handlers =
 * The guest has exited.  See if we can fix it or if we need userspace
 * assistance.
 */
-static int vmx_handle_exit(struct kvm_run *kvm_run, struct kvm_vcpu *vcpu)
+static int vmx_handle_exit(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        u32 exit_reason = vmx->exit_reason;
@@ -3411,13 +3470,9 @@ static int vmx_handle_exit(struct kvm_run *kvm_run, struct kvm_vcpu *vcpu)
        trace_kvm_exit(exit_reason, kvm_rip_read(vcpu));
-        /* If we need to emulate an MMIO from handle_invalid_guest_state
+        /* If guest state is invalid, start emulating */
-         * we just return 0 */
+        if (vmx->emulation_required && emulate_invalid_guest_state)
-        if (vmx->emulation_required && emulate_invalid_guest_state) {
+                return handle_invalid_guest_state(vcpu);
-                if (guest_state_valid(vcpu))
-                        vmx->emulation_required = 0;
-                return vmx->invalid_state_emulation_result != EMULATE_DO_MMIO;
-        }
        /* Access CR3 don't cause VMExit in paging mode, so we need
         * to sync with guest real CR3. */
@@ -3425,8 +3480,8 @@ static int vmx_handle_exit(struct kvm_run *kvm_run, struct kvm_vcpu *vcpu)
                vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
        if (unlikely(vmx->fail)) {
-                kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;
+                vcpu->run->exit_reason = KVM_EXIT_FAIL_ENTRY;
-                kvm_run->fail_entry.hardware_entry_failure_reason
+                vcpu->run->fail_entry.hardware_entry_failure_reason
                        = vmcs_read32(VM_INSTRUCTION_ERROR);
                return 0;
        }
@@ -3459,10 +3514,10 @@ static int vmx_handle_exit(struct kvm_run *kvm_run, struct kvm_vcpu *vcpu)
        if (exit_reason < kvm_vmx_max_exit_handlers
            && kvm_vmx_exit_handlers[exit_reason])
-                return kvm_vmx_exit_handlers[exit_reason](vcpu, kvm_run);
+                return kvm_vmx_exit_handlers[exit_reason](vcpu);
        else {
-                kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+                vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
-                kvm_run->hw.hardware_exit_reason = exit_reason;
+                vcpu->run->hw.hardware_exit_reason = exit_reason;
        }
        return 0;
 }
@@ -3600,23 +3655,18 @@ static void fixup_rmode_irq(struct vcpu_vmx *vmx)
 #define Q "l"
 #endif
-static void vmx_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
-        if (enable_ept && is_paging(vcpu)) {
-                vmcs_writel(GUEST_CR3, vcpu->arch.cr3);
-                ept_load_pdptrs(vcpu);
-        }
        /* Record the guest's net vcpu time for enforced NMI injections. */
        if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked))
                vmx->entry_time = ktime_get();
-        /* Handle invalid guest state instead of entering VMX */
+        /* Don't enter VMX if guest state is invalid, let the exit handler
-        if (vmx->emulation_required && emulate_invalid_guest_state) {
+           start emulation until we arrive back to a valid state */
-                handle_invalid_guest_state(vcpu, kvm_run);
+        if (vmx->emulation_required && emulate_invalid_guest_state)
                return;
-        }
        if (test_bit(VCPU_REGS_RSP, (unsigned long *)&vcpu->arch.regs_dirty))
                vmcs_writel(GUEST_RSP, vcpu->arch.regs[VCPU_REGS_RSP]);
@@ -3775,7 +3825,6 @@ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
                __clear_bit(vmx->vpid, vmx_vpid_bitmap);
        spin_unlock(&vmx_vpid_lock);
        vmx_free_vmcs(vcpu);
-        kfree(vmx->host_msrs);
        kfree(vmx->guest_msrs);
        kvm_vcpu_uninit(vcpu);
        kmem_cache_free(kvm_vcpu_cache, vmx);
@@ -3802,10 +3851,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
                goto uninit_vcpu;
        }
-        vmx->host_msrs = kmalloc(PAGE_SIZE, GFP_KERNEL);
-        if (!vmx->host_msrs)
-                goto free_guest_msrs;
        vmx->vmcs = alloc_vmcs();
        if (!vmx->vmcs)
                goto free_msrs;
@@ -3836,8 +3881,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
 free_vmcs:
        free_vmcs(vmx->vmcs);
 free_msrs:
-        kfree(vmx->host_msrs);
-free_guest_msrs:
        kfree(vmx->guest_msrs);
 uninit_vcpu:
        kvm_vcpu_uninit(&vmx->vcpu);
@@ -3973,6 +4016,8 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .queue_exception = vmx_queue_exception,
        .interrupt_allowed = vmx_interrupt_allowed,
        .nmi_allowed = vmx_nmi_allowed,
+        .get_nmi_mask = vmx_get_nmi_mask,
+        .set_nmi_mask = vmx_set_nmi_mask,
        .enable_nmi_window = enable_nmi_window,
        .enable_irq_window = enable_irq_window,
        .update_cr8_intercept = update_cr8_intercept,
@@ -3987,7 +4032,12 @@ static struct kvm_x86_ops vmx_x86_ops = {
 static int __init vmx_init(void)
 {
-        int r;
+        int r, i;
+        rdmsrl_safe(MSR_EFER, &host_efer);
+        for (i = 0; i < NR_VMX_MSR; ++i)
+                kvm_define_shared_msr(i, vmx_msr_index[i]);
        vmx_io_bitmap_a = (unsigned long *)__get_free_page(GFP_KERNEL);
        if (!vmx_io_bitmap_a)
@@ -4049,8 +4099,6 @@ static int __init vmx_init(void)
        if (bypass_guest_pf)
                kvm_mmu_set_nonpresent_ptes(~0xffeull, 0ull);
-        ept_sync_global();
        return 0;
 out3:
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 4fc80174191c..9d068966fb2a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -37,6 +37,7 @@
 #include <linux/iommu.h>
 #include <linux/intel-iommu.h>
 #include <linux/cpufreq.h>
+#include <linux/user-return-notifier.h>
 #include <trace/events/kvm.h>
 #undef TRACE_INCLUDE_FILE
 #define CREATE_TRACE_POINTS
@@ -88,6 +89,25 @@ EXPORT_SYMBOL_GPL(kvm_x86_ops);
 int ignore_msrs = 0;
 module_param_named(ignore_msrs, ignore_msrs, bool, S_IRUGO | S_IWUSR);
+#define KVM_NR_SHARED_MSRS 16
+struct kvm_shared_msrs_global {
+        int nr;
+        struct kvm_shared_msr {
+                u32 msr;
+                u64 value;
+        } msrs[KVM_NR_SHARED_MSRS];
+};
+struct kvm_shared_msrs {
+        struct user_return_notifier urn;
+        bool registered;
+        u64 current_value[KVM_NR_SHARED_MSRS];
+};
+static struct kvm_shared_msrs_global __read_mostly shared_msrs_global;
+static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
 struct kvm_stats_debugfs_item debugfs_entries[] = {
        { "pf_fixed", VCPU_STAT(pf_fixed) },
        { "pf_guest", VCPU_STAT(pf_guest) },
@@ -124,6 +144,72 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
        { NULL }
 };
+static void kvm_on_user_return(struct user_return_notifier *urn)
+{
+        unsigned slot;
+        struct kvm_shared_msr *global;
+        struct kvm_shared_msrs *locals
+                = container_of(urn, struct kvm_shared_msrs, urn);
+        for (slot = 0; slot < shared_msrs_global.nr; ++slot) {
+                global = &shared_msrs_global.msrs[slot];
+                if (global->value != locals->current_value[slot]) {
+                        wrmsrl(global->msr, global->value);
+                        locals->current_value[slot] = global->value;
+                }
+        }
+        locals->registered = false;
+        user_return_notifier_unregister(urn);
+}
+void kvm_define_shared_msr(unsigned slot, u32 msr)
+{
+        int cpu;
+        u64 value;
+        if (slot >= shared_msrs_global.nr)
+                shared_msrs_global.nr = slot + 1;
+        shared_msrs_global.msrs[slot].msr = msr;
+        rdmsrl_safe(msr, &value);
+        shared_msrs_global.msrs[slot].value = value;
+        for_each_online_cpu(cpu)
+                per_cpu(shared_msrs, cpu).current_value[slot] = value;
+}
+EXPORT_SYMBOL_GPL(kvm_define_shared_msr);
+static void kvm_shared_msr_cpu_online(void)
+{
+        unsigned i;
+        struct kvm_shared_msrs *locals = &__get_cpu_var(shared_msrs);
+        for (i = 0; i < shared_msrs_global.nr; ++i)
+                locals->current_value[i] = shared_msrs_global.msrs[i].value;
+}
+void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+{
+        struct kvm_shared_msrs *smsr = &__get_cpu_var(shared_msrs);
+        if (((value ^ smsr->current_value[slot]) & mask) == 0)
+                return;
+        smsr->current_value[slot] = value;
+        wrmsrl(shared_msrs_global.msrs[slot].msr, value);
+        if (!smsr->registered) {
+                smsr->urn.on_user_return = kvm_on_user_return;
+                user_return_notifier_register(&smsr->urn);
+                smsr->registered = true;
+        }
+}
+EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
+static void drop_user_return_notifiers(void *ignore)
+{
+        struct kvm_shared_msrs *smsr = &__get_cpu_var(shared_msrs);
+        if (smsr->registered)
+                kvm_on_user_return(&smsr->urn);
+}
 unsigned long segment_base(u16 selector)
 {
        struct descriptor_table gdt;
@@ -485,16 +571,19 @@ static inline u32 bit(int bitno)
 * and KVM_SET_MSRS, and KVM_GET_MSR_INDEX_LIST.
 *
 * This list is modified at module load time to reflect the
- * capabilities of the host cpu.
+ * capabilities of the host cpu. This capabilities test skips MSRs that are
+ * kvm-specific. Those are put in the beginning of the list.
 */
+#define KVM_SAVE_MSRS_BEGIN     2
 static u32 msrs_to_save[] = {
+        MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK,
        MSR_IA32_SYSENTER_CS, MSR_IA32_SYSENTER_ESP, MSR_IA32_SYSENTER_EIP,
        MSR_K6_STAR,
 #ifdef CONFIG_X86_64
        MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
 #endif
-        MSR_IA32_TSC, MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK,
+        MSR_IA32_TSC, MSR_IA32_PERF_STATUS, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
-        MSR_IA32_PERF_STATUS, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
 };
 static unsigned num_msrs_to_save;
@@ -678,7 +767,8 @@ static void kvm_write_guest_time(struct kvm_vcpu *v)
        /* With all the info we got, fill in the values */
        vcpu->hv_clock.system_time = ts.tv_nsec +
-                                     (NSEC_PER_SEC * (u64)ts.tv_sec);
+                                     (NSEC_PER_SEC * (u64)ts.tv_sec) + v->kvm->arch.kvmclock_offset;
        /*
         * The interface expects us to write an even number signaling that the
         * update is finished. Since the guest won't see the intermediate
@@ -836,6 +926,38 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 data)
        return 0;
 }
+static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+{
+        struct kvm *kvm = vcpu->kvm;
+        int lm = is_long_mode(vcpu);
+        u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
+                : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
+        u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
+                : kvm->arch.xen_hvm_config.blob_size_32;
+        u32 page_num = data & ~PAGE_MASK;
+        u64 page_addr = data & PAGE_MASK;
+        u8 *page;
+        int r;
+        r = -E2BIG;
+        if (page_num >= blob_size)
+                goto out;
+        r = -ENOMEM;
+        page = kzalloc(PAGE_SIZE, GFP_KERNEL);
+        if (!page)
+                goto out;
+        r = -EFAULT;
+        if (copy_from_user(page, blob_addr + (page_num * PAGE_SIZE), PAGE_SIZE))
+                goto out_free;
+        if (kvm_write_guest(kvm, page_addr, page, PAGE_SIZE))
+                goto out_free;
+        r = 0;
+out_free:
+        kfree(page);
+out:
+        return r;
+}
 int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
        switch (msr) {
@@ -951,6 +1073,8 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
                        "0x%x data 0x%llx\n", msr, data);
                break;
        default:
+                if (msr && (msr == vcpu->kvm->arch.xen_hvm_config.msr))
+                        return xen_hvm_config(vcpu, data);
                if (!ignore_msrs) {
                        pr_unimpl(vcpu, "unhandled wrmsr: 0x%x data %llx\n",
                                msr, data);
@@ -1225,6 +1349,9 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_PIT2:
        case KVM_CAP_PIT_STATE2:
        case KVM_CAP_SET_IDENTITY_MAP_ADDR:
+        case KVM_CAP_XEN_HVM:
+        case KVM_CAP_ADJUST_CLOCK:
+        case KVM_CAP_VCPU_EVENTS:
                r = 1;
                break;
        case KVM_CAP_COALESCED_MMIO:
@@ -1239,8 +1366,8 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_NR_MEMSLOTS:
                r = KVM_MEMORY_SLOTS;
                break;
-        case KVM_CAP_PV_MMU:
+        case KVM_CAP_PV_MMU:    /* obsolete */
-                r = !tdp_enabled;
+                r = 0;
                break;
        case KVM_CAP_IOMMU:
                r = iommu_found();
@@ -1327,6 +1454,12 @@ out:
 void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 {
        kvm_x86_ops->vcpu_load(vcpu, cpu);
+        if (unlikely(per_cpu(cpu_tsc_khz, cpu) == 0)) {
+                unsigned long khz = cpufreq_quick_get(cpu);
+                if (!khz)
+                        khz = tsc_khz;
+                per_cpu(cpu_tsc_khz, cpu) = khz;
+        }
        kvm_request_guest_time_update(vcpu);
 }
@@ -1760,6 +1893,61 @@ static int kvm_vcpu_ioctl_x86_set_mce(struct kvm_vcpu *vcpu,
        return 0;
 }
+static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
+                                               struct kvm_vcpu_events *events)
+{
+        vcpu_load(vcpu);
+        events->exception.injected = vcpu->arch.exception.pending;
+        events->exception.nr = vcpu->arch.exception.nr;
+        events->exception.has_error_code = vcpu->arch.exception.has_error_code;
+        events->exception.error_code = vcpu->arch.exception.error_code;
+        events->interrupt.injected = vcpu->arch.interrupt.pending;
+        events->interrupt.nr = vcpu->arch.interrupt.nr;
+        events->interrupt.soft = vcpu->arch.interrupt.soft;
+        events->nmi.injected = vcpu->arch.nmi_injected;
+        events->nmi.pending = vcpu->arch.nmi_pending;
+        events->nmi.masked = kvm_x86_ops->get_nmi_mask(vcpu);
+        events->sipi_vector = vcpu->arch.sipi_vector;
+        events->flags = 0;
+        vcpu_put(vcpu);
+}
+static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
+                                              struct kvm_vcpu_events *events)
+{
+        if (events->flags)
+                return -EINVAL;
+        vcpu_load(vcpu);
+        vcpu->arch.exception.pending = events->exception.injected;
+        vcpu->arch.exception.nr = events->exception.nr;
+        vcpu->arch.exception.has_error_code = events->exception.has_error_code;
+        vcpu->arch.exception.error_code = events->exception.error_code;
+        vcpu->arch.interrupt.pending = events->interrupt.injected;
+        vcpu->arch.interrupt.nr = events->interrupt.nr;
+        vcpu->arch.interrupt.soft = events->interrupt.soft;
+        if (vcpu->arch.interrupt.pending && irqchip_in_kernel(vcpu->kvm))
+                kvm_pic_clear_isr_ack(vcpu->kvm);
+        vcpu->arch.nmi_injected = events->nmi.injected;
+        vcpu->arch.nmi_pending = events->nmi.pending;
+        kvm_x86_ops->set_nmi_mask(vcpu, events->nmi.masked);
+        vcpu->arch.sipi_vector = events->sipi_vector;
+        vcpu_put(vcpu);
+        return 0;
+}
 long kvm_arch_vcpu_ioctl(struct file *filp,
                         unsigned int ioctl, unsigned long arg)
 {
@@ -1770,6 +1958,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
        switch (ioctl) {
        case KVM_GET_LAPIC: {
+                r = -EINVAL;
+                if (!vcpu->arch.apic)
+                        goto out;
                lapic = kzalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL);
                r = -ENOMEM;
@@ -1785,6 +1976,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
                break;
        }
        case KVM_SET_LAPIC: {
+                r = -EINVAL;
+                if (!vcpu->arch.apic)
+                        goto out;
                lapic = kmalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL);
                r = -ENOMEM;
                if (!lapic)
@@ -1911,6 +2105,27 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
                r = kvm_vcpu_ioctl_x86_set_mce(vcpu, &mce);
                break;
        }
+        case KVM_GET_VCPU_EVENTS: {
+                struct kvm_vcpu_events events;
+                kvm_vcpu_ioctl_x86_get_vcpu_events(vcpu, &events);
+                r = -EFAULT;
+                if (copy_to_user(argp, &events, sizeof(struct kvm_vcpu_events)))
+                        break;
+                r = 0;
+                break;
+        }
+        case KVM_SET_VCPU_EVENTS: {
+                struct kvm_vcpu_events events;
+                r = -EFAULT;
+                if (copy_from_user(&events, argp, sizeof(struct kvm_vcpu_events)))
+                        break;
+                r = kvm_vcpu_ioctl_x86_set_vcpu_events(vcpu, &events);
+                break;
+        }
        default:
                r = -EINVAL;
        }
@@ -2039,9 +2254,7 @@ static int kvm_vm_ioctl_get_irqchip(struct kvm *kvm, struct kvm_irqchip *chip)
                        sizeof(struct kvm_pic_state));
                break;
        case KVM_IRQCHIP_IOAPIC:
-                memcpy(&chip->chip.ioapic,
+                r = kvm_get_ioapic(kvm, &chip->chip.ioapic);
-                        ioapic_irqchip(kvm),
-                        sizeof(struct kvm_ioapic_state));
                break;
        default:
                r = -EINVAL;
@@ -2071,11 +2284,7 @@ static int kvm_vm_ioctl_set_irqchip(struct kvm *kvm, struct kvm_irqchip *chip)
                spin_unlock(&pic_irqchip(kvm)->lock);
                break;
        case KVM_IRQCHIP_IOAPIC:
-                mutex_lock(&kvm->irq_lock);
+                r = kvm_set_ioapic(kvm, &chip->chip.ioapic);
-                memcpy(ioapic_irqchip(kvm),
-                        &chip->chip.ioapic,
-                        sizeof(struct kvm_ioapic_state));
-                mutex_unlock(&kvm->irq_lock);
                break;
        default:
                r = -EINVAL;
@@ -2183,7 +2392,7 @@ long kvm_arch_vm_ioctl(struct file *filp,
 {
        struct kvm *kvm = filp->private_data;
        void __user *argp = (void __user *)arg;
-        int r = -EINVAL;
+        int r = -ENOTTY;
        /*
         * This union makes it completely explicit to gcc-3.x
         * that these two variables' stack usage should be
@@ -2245,25 +2454,39 @@ long kvm_arch_vm_ioctl(struct file *filp,
                if (r)
                        goto out;
                break;
-        case KVM_CREATE_IRQCHIP:
+        case KVM_CREATE_IRQCHIP: {
+                struct kvm_pic *vpic;
+                mutex_lock(&kvm->lock);
+                r = -EEXIST;
+                if (kvm->arch.vpic)
+                        goto create_irqchip_unlock;
                r = -ENOMEM;
-                kvm->arch.vpic = kvm_create_pic(kvm);
+                vpic = kvm_create_pic(kvm);
-                if (kvm->arch.vpic) {
+                if (vpic) {
                        r = kvm_ioapic_init(kvm);
                        if (r) {
-                                kfree(kvm->arch.vpic);
+                                kfree(vpic);
-                                kvm->arch.vpic = NULL;
+                                goto create_irqchip_unlock;
-                                goto out;
                        }
                } else
-                        goto out;
+                        goto create_irqchip_unlock;
+                smp_wmb();
+                kvm->arch.vpic = vpic;
+                smp_wmb();
                r = kvm_setup_default_irq_routing(kvm);
                if (r) {
+                        mutex_lock(&kvm->irq_lock);
                        kfree(kvm->arch.vpic);
                        kfree(kvm->arch.vioapic);
-                        goto out;
+                        kvm->arch.vpic = NULL;
+                        kvm->arch.vioapic = NULL;
+                        mutex_unlock(&kvm->irq_lock);
                }
+        create_irqchip_unlock:
+                mutex_unlock(&kvm->lock);
                break;
+        }
        case KVM_CREATE_PIT:
                u.pit_config.flags = KVM_PIT_SPEAKER_DUMMY;
                goto create_pit;
@@ -2293,10 +2516,8 @@ long kvm_arch_vm_ioctl(struct file *filp,
                        goto out;
                if (irqchip_in_kernel(kvm)) {
                        __s32 status;
-                        mutex_lock(&kvm->irq_lock);
                        status = kvm_set_irq(kvm, KVM_USERSPACE_IRQ_SOURCE_ID,
                                        irq_event.irq, irq_event.level);
-                        mutex_unlock(&kvm->irq_lock);
                        if (ioctl == KVM_IRQ_LINE_STATUS) {
                                irq_event.status = status;
                                if (copy_to_user(argp, &irq_event,
@@ -2422,6 +2643,55 @@ long kvm_arch_vm_ioctl(struct file *filp,
                r = 0;
                break;
        }
+        case KVM_XEN_HVM_CONFIG: {
+                r = -EFAULT;
+                if (copy_from_user(&kvm->arch.xen_hvm_config, argp,
+                                   sizeof(struct kvm_xen_hvm_config)))
+                        goto out;
+                r = -EINVAL;
+                if (kvm->arch.xen_hvm_config.flags)
+                        goto out;
+                r = 0;
+                break;
+        }
+        case KVM_SET_CLOCK: {
+                struct timespec now;
+                struct kvm_clock_data user_ns;
+                u64 now_ns;
+                s64 delta;
+                r = -EFAULT;
+                if (copy_from_user(&user_ns, argp, sizeof(user_ns)))
+                        goto out;
+                r = -EINVAL;
+                if (user_ns.flags)
+                        goto out;
+                r = 0;
+                ktime_get_ts(&now);
+                now_ns = timespec_to_ns(&now);
+                delta = user_ns.clock - now_ns;
+                kvm->arch.kvmclock_offset = delta;
+                break;
+        }
+        case KVM_GET_CLOCK: {
+                struct timespec now;
+                struct kvm_clock_data user_ns;
+                u64 now_ns;
+                ktime_get_ts(&now);
+                now_ns = timespec_to_ns(&now);
+                user_ns.clock = kvm->arch.kvmclock_offset + now_ns;
+                user_ns.flags = 0;
+                r = -EFAULT;
+                if (copy_to_user(argp, &user_ns, sizeof(user_ns)))
+                        goto out;
+                r = 0;
+                break;
+        }
        default:
                ;
        }
@@ -2434,7 +2704,8 @@ static void kvm_init_msr_list(void)
        u32 dummy[2];
        unsigned i, j;
-        for (i = j = 0; i < ARRAY_SIZE(msrs_to_save); i++) {
+        /* skip the first msrs in the list. KVM-specific */
+        for (i = j = KVM_SAVE_MSRS_BEGIN; i < ARRAY_SIZE(msrs_to_save); i++) {
                if (rdmsr_safe(msrs_to_save[i], &dummy[0], &dummy[1]) < 0)
                        continue;
                if (j < i)
@@ -2758,13 +3029,13 @@ static void cache_all_regs(struct kvm_vcpu *vcpu)
 }
 int emulate_instruction(struct kvm_vcpu *vcpu,
-                        struct kvm_run *run,
                        unsigned long cr2,
                        u16 error_code,
                        int emulation_type)
 {
        int r, shadow_mask;
        struct decode_cache *c;
+        struct kvm_run *run = vcpu->run;
        kvm_clear_exception_queue(vcpu);
        vcpu->arch.mmio_fault_cr2 = cr2;
@@ -2784,7 +3055,7 @@ int emulate_instruction(struct kvm_vcpu *vcpu,
                kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
                vcpu->arch.emulate_ctxt.vcpu = vcpu;
-                vcpu->arch.emulate_ctxt.eflags = kvm_x86_ops->get_rflags(vcpu);
+                vcpu->arch.emulate_ctxt.eflags = kvm_get_rflags(vcpu);
                vcpu->arch.emulate_ctxt.mode =
                        (vcpu->arch.emulate_ctxt.eflags & X86_EFLAGS_VM)
                        ? X86EMUL_MODE_REAL : cs_l
@@ -2862,7 +3133,7 @@ int emulate_instruction(struct kvm_vcpu *vcpu,
                return EMULATE_DO_MMIO;
        }
-        kvm_x86_ops->set_rflags(vcpu, vcpu->arch.emulate_ctxt.eflags);
+        kvm_set_rflags(vcpu, vcpu->arch.emulate_ctxt.eflags);
        if (vcpu->mmio_is_write) {
                vcpu->mmio_needed = 0;
@@ -2970,8 +3241,7 @@ static int pio_string_write(struct kvm_vcpu *vcpu)
        return r;
 }
-int kvm_emulate_pio(struct kvm_vcpu *vcpu, struct kvm_run *run, int in,
+int kvm_emulate_pio(struct kvm_vcpu *vcpu, int in, int size, unsigned port)
-                  int size, unsigned port)
 {
        unsigned long val;
@@ -3000,7 +3270,7 @@ int kvm_emulate_pio(struct kvm_vcpu *vcpu, struct kvm_run *run, int in,
 }
 EXPORT_SYMBOL_GPL(kvm_emulate_pio);
-int kvm_emulate_pio_string(struct kvm_vcpu *vcpu, struct kvm_run *run, int in,
+int kvm_emulate_pio_string(struct kvm_vcpu *vcpu, int in,
                  int size, unsigned long count, int down,
                  gva_t address, int rep, unsigned port)
 {
@@ -3073,9 +3343,6 @@ static void bounce_off(void *info)
        /* nothing */
 }
-static unsigned int  ref_freq;
-static unsigned long tsc_khz_ref;
 static int kvmclock_cpufreq_notifier(struct notifier_block *nb, unsigned long val,
                                     void *data)
 {
@@ -3084,14 +3351,11 @@ static int kvmclock_cpufreq_notifier(struct notifier_block *nb, unsigned long va
        struct kvm_vcpu *vcpu;
        int i, send_ipi = 0;
-        if (!ref_freq)
-                ref_freq = freq->old;
        if (val == CPUFREQ_PRECHANGE && freq->old > freq->new)
                return 0;
        if (val == CPUFREQ_POSTCHANGE && freq->old < freq->new)
                return 0;
-        per_cpu(cpu_tsc_khz, freq->cpu) = cpufreq_scale(tsc_khz_ref, ref_freq, freq->new);
+        per_cpu(cpu_tsc_khz, freq->cpu) = freq->new;
        spin_lock(&kvm_lock);
        list_for_each_entry(kvm, &vm_list, vm_list) {
@@ -3128,9 +3392,28 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
        .notifier_call  = kvmclock_cpufreq_notifier
 };
+static void kvm_timer_init(void)
+{
+        int cpu;
+        if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC)) {
+                cpufreq_register_notifier(&kvmclock_cpufreq_notifier_block,
+                                          CPUFREQ_TRANSITION_NOTIFIER);
+                for_each_online_cpu(cpu) {
+                        unsigned long khz = cpufreq_get(cpu);
+                        if (!khz)
+                                khz = tsc_khz;
+                        per_cpu(cpu_tsc_khz, cpu) = khz;
+                }
+        } else {
+                for_each_possible_cpu(cpu)
+                        per_cpu(cpu_tsc_khz, cpu) = tsc_khz;
+        }
+}
 int kvm_arch_init(void *opaque)
 {
-        int r, cpu;
+        int r;
        struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
        if (kvm_x86_ops) {
@@ -3162,13 +3445,7 @@ int kvm_arch_init(void *opaque)
        kvm_mmu_set_mask_ptes(PT_USER_MASK, PT_ACCESSED_MASK,
                        PT_DIRTY_MASK, PT64_NX_MASK, 0);
-        for_each_possible_cpu(cpu)
+        kvm_timer_init();
-                per_cpu(cpu_tsc_khz, cpu) = tsc_khz;
-        if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC)) {
-                tsc_khz_ref = tsc_khz;
-                cpufreq_register_notifier(&kvmclock_cpufreq_notifier_block,
-                                          CPUFREQ_TRANSITION_NOTIFIER);
-        }
        return 0;
@@ -3296,7 +3573,7 @@ void realmode_lmsw(struct kvm_vcpu *vcpu, unsigned long msw,
                   unsigned long *rflags)
 {
        kvm_lmsw(vcpu, msw);
-        *rflags = kvm_x86_ops->get_rflags(vcpu);
+        *rflags = kvm_get_rflags(vcpu);
 }
 unsigned long realmode_get_cr(struct kvm_vcpu *vcpu, int cr)
@@ -3334,7 +3611,7 @@ void realmode_set_cr(struct kvm_vcpu *vcpu, int cr, unsigned long val,
        switch (cr) {
        case 0:
                kvm_set_cr0(vcpu, mk_cr_64(vcpu->arch.cr0, val));
-                *rflags = kvm_x86_ops->get_rflags(vcpu);
+                *rflags = kvm_get_rflags(vcpu);
                break;
        case 2:
                vcpu->arch.cr2 = val;
@@ -3454,18 +3731,18 @@ EXPORT_SYMBOL_GPL(kvm_emulate_cpuid);
 *
 * No need to exit to userspace if we already have an interrupt queued.
 */
-static int dm_request_for_irq_injection(struct kvm_vcpu *vcpu,
+static int dm_request_for_irq_injection(struct kvm_vcpu *vcpu)
-                                          struct kvm_run *kvm_run)
 {
        return (!irqchip_in_kernel(vcpu->kvm) && !kvm_cpu_has_interrupt(vcpu) &&
-                kvm_run->request_interrupt_window &&
+                vcpu->run->request_interrupt_window &&
                kvm_arch_interrupt_allowed(vcpu));
 }
-static void post_kvm_run_save(struct kvm_vcpu *vcpu,
+static void post_kvm_run_save(struct kvm_vcpu *vcpu)
-                              struct kvm_run *kvm_run)
 {
-        kvm_run->if_flag = (kvm_x86_ops->get_rflags(vcpu) & X86_EFLAGS_IF) != 0;
+        struct kvm_run *kvm_run = vcpu->run;
+        kvm_run->if_flag = (kvm_get_rflags(vcpu) & X86_EFLAGS_IF) != 0;
        kvm_run->cr8 = kvm_get_cr8(vcpu);
        kvm_run->apic_base = kvm_get_apic_base(vcpu);
        if (irqchip_in_kernel(vcpu->kvm))
@@ -3526,7 +3803,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu)
        kvm_x86_ops->update_cr8_intercept(vcpu, tpr, max_irr);
 }
-static void inject_pending_event(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static void inject_pending_event(struct kvm_vcpu *vcpu)
 {
        /* try to reinject previous events if any */
        if (vcpu->arch.exception.pending) {
@@ -3562,11 +3839,11 @@ static void inject_pending_event(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        }
 }
-static int vcpu_enter_guest(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
 {
        int r;
        bool req_int_win = !irqchip_in_kernel(vcpu->kvm) &&
-                kvm_run->request_interrupt_window;
+                vcpu->run->request_interrupt_window;
        if (vcpu->requests)
                if (test_and_clear_bit(KVM_REQ_MMU_RELOAD, &vcpu->requests))
@@ -3587,12 +3864,12 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                        kvm_x86_ops->tlb_flush(vcpu);
                if (test_and_clear_bit(KVM_REQ_REPORT_TPR_ACCESS,
                                       &vcpu->requests)) {
-                        kvm_run->exit_reason = KVM_EXIT_TPR_ACCESS;
+                        vcpu->run->exit_reason = KVM_EXIT_TPR_ACCESS;
                        r = 0;
                        goto out;
                }
                if (test_and_clear_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests)) {
-                        kvm_run->exit_reason = KVM_EXIT_SHUTDOWN;
+                        vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN;
                        r = 0;
                        goto out;
                }
@@ -3616,7 +3893,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                goto out;
        }
-        inject_pending_event(vcpu, kvm_run);
+        inject_pending_event(vcpu);
        /* enable NMI/IRQ window open exits if needed */
        if (vcpu->arch.nmi_pending)
@@ -3642,7 +3919,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        }
        trace_kvm_entry(vcpu->vcpu_id);
-        kvm_x86_ops->run(vcpu, kvm_run);
+        kvm_x86_ops->run(vcpu);
        /*
         * If the guest has used debug registers, at least dr7
@@ -3684,13 +3961,13 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        kvm_lapic_sync_from_vapic(vcpu);
-        r = kvm_x86_ops->handle_exit(kvm_run, vcpu);
+        r = kvm_x86_ops->handle_exit(vcpu);
 out:
        return r;
 }
-static int __vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+static int __vcpu_run(struct kvm_vcpu *vcpu)
 {
        int r;
@@ -3710,7 +3987,7 @@ static int __vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        r = 1;
        while (r > 0) {
                if (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE)
-                        r = vcpu_enter_guest(vcpu, kvm_run);
+                        r = vcpu_enter_guest(vcpu);
                else {
                        up_read(&vcpu->kvm->slots_lock);
                        kvm_vcpu_block(vcpu);
@@ -3738,14 +4015,14 @@ static int __vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                if (kvm_cpu_has_pending_timer(vcpu))
                        kvm_inject_pending_timer_irqs(vcpu);
-                if (dm_request_for_irq_injection(vcpu, kvm_run)) {
+                if (dm_request_for_irq_injection(vcpu)) {
                        r = -EINTR;
-                        kvm_run->exit_reason = KVM_EXIT_INTR;
+                        vcpu->run->exit_reason = KVM_EXIT_INTR;
                        ++vcpu->stat.request_irq_exits;
                }
                if (signal_pending(current)) {
                        r = -EINTR;
-                        kvm_run->exit_reason = KVM_EXIT_INTR;
+                        vcpu->run->exit_reason = KVM_EXIT_INTR;
                        ++vcpu->stat.signal_exits;
                }
                if (need_resched()) {
@@ -3756,7 +4033,7 @@ static int __vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        }
        up_read(&vcpu->kvm->slots_lock);
-        post_kvm_run_save(vcpu, kvm_run);
+        post_kvm_run_save(vcpu);
        vapic_exit(vcpu);
@@ -3789,15 +4066,13 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                if (r)
                        goto out;
        }
-#if CONFIG_HAS_IOMEM
        if (vcpu->mmio_needed) {
                memcpy(vcpu->mmio_data, kvm_run->mmio.data, 8);
                vcpu->mmio_read_completed = 1;
                vcpu->mmio_needed = 0;
                down_read(&vcpu->kvm->slots_lock);
-                r = emulate_instruction(vcpu, kvm_run,
+                r = emulate_instruction(vcpu, vcpu->arch.mmio_fault_cr2, 0,
-                                        vcpu->arch.mmio_fault_cr2, 0,
                                        EMULTYPE_NO_DECODE);
                up_read(&vcpu->kvm->slots_lock);
                if (r == EMULATE_DO_MMIO) {
@@ -3808,12 +4083,11 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                        goto out;
                }
        }
-#endif
        if (kvm_run->exit_reason == KVM_EXIT_HYPERCALL)
                kvm_register_write(vcpu, VCPU_REGS_RAX,
                                     kvm_run->hypercall.ret);
-        r = __vcpu_run(vcpu, kvm_run);
+        r = __vcpu_run(vcpu);
 out:
        if (vcpu->sigset_active)
@@ -3847,13 +4121,7 @@ int kvm_arch_vcpu_ioctl_get_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
 #endif
        regs->rip = kvm_rip_read(vcpu);
-        regs->rflags = kvm_x86_ops->get_rflags(vcpu);
+        regs->rflags = kvm_get_rflags(vcpu);
-        /*
-         * Don't leak debug flags in case they were set for guest debugging
-         */
-        if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
-                regs->rflags &= ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
        vcpu_put(vcpu);
@@ -3881,12 +4149,10 @@ int kvm_arch_vcpu_ioctl_set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
        kvm_register_write(vcpu, VCPU_REGS_R13, regs->r13);
        kvm_register_write(vcpu, VCPU_REGS_R14, regs->r14);
        kvm_register_write(vcpu, VCPU_REGS_R15, regs->r15);
 #endif
        kvm_rip_write(vcpu, regs->rip);
-        kvm_x86_ops->set_rflags(vcpu, regs->rflags);
+        kvm_set_rflags(vcpu, regs->rflags);
        vcpu->arch.exception.pending = false;
@@ -4105,7 +4371,7 @@ static int is_vm86_segment(struct kvm_vcpu *vcpu, int seg)
 {
        return (seg != VCPU_SREG_LDTR) &&
                (seg != VCPU_SREG_TR) &&
-                (kvm_x86_ops->get_rflags(vcpu) & X86_EFLAGS_VM);
+                (kvm_get_rflags(vcpu) & X86_EFLAGS_VM);
 }
 int kvm_load_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector,
@@ -4133,7 +4399,7 @@ static void save_state_to_tss32(struct kvm_vcpu *vcpu,
 {
        tss->cr3 = vcpu->arch.cr3;
        tss->eip = kvm_rip_read(vcpu);
-        tss->eflags = kvm_x86_ops->get_rflags(vcpu);
+        tss->eflags = kvm_get_rflags(vcpu);
        tss->eax = kvm_register_read(vcpu, VCPU_REGS_RAX);
        tss->ecx = kvm_register_read(vcpu, VCPU_REGS_RCX);
        tss->edx = kvm_register_read(vcpu, VCPU_REGS_RDX);
@@ -4157,7 +4423,7 @@ static int load_state_from_tss32(struct kvm_vcpu *vcpu,
        kvm_set_cr3(vcpu, tss->cr3);
        kvm_rip_write(vcpu, tss->eip);
-        kvm_x86_ops->set_rflags(vcpu, tss->eflags | 2);
+        kvm_set_rflags(vcpu, tss->eflags | 2);
        kvm_register_write(vcpu, VCPU_REGS_RAX, tss->eax);
        kvm_register_write(vcpu, VCPU_REGS_RCX, tss->ecx);
@@ -4195,7 +4461,7 @@ static void save_state_to_tss16(struct kvm_vcpu *vcpu,
                                struct tss_segment_16 *tss)
 {
        tss->ip = kvm_rip_read(vcpu);
-        tss->flag = kvm_x86_ops->get_rflags(vcpu);
+        tss->flag = kvm_get_rflags(vcpu);
        tss->ax = kvm_register_read(vcpu, VCPU_REGS_RAX);
        tss->cx = kvm_register_read(vcpu, VCPU_REGS_RCX);
        tss->dx = kvm_register_read(vcpu, VCPU_REGS_RDX);
@@ -4210,14 +4476,13 @@ static void save_state_to_tss16(struct kvm_vcpu *vcpu,
        tss->ss = get_segment_selector(vcpu, VCPU_SREG_SS);
        tss->ds = get_segment_selector(vcpu, VCPU_SREG_DS);
        tss->ldt = get_segment_selector(vcpu, VCPU_SREG_LDTR);
-        tss->prev_task_link = get_segment_selector(vcpu, VCPU_SREG_TR);
 }
 static int load_state_from_tss16(struct kvm_vcpu *vcpu,
                                 struct tss_segment_16 *tss)
 {
        kvm_rip_write(vcpu, tss->ip);
-        kvm_x86_ops->set_rflags(vcpu, tss->flag | 2);
+        kvm_set_rflags(vcpu, tss->flag | 2);
        kvm_register_write(vcpu, VCPU_REGS_RAX, tss->ax);
        kvm_register_write(vcpu, VCPU_REGS_RCX, tss->cx);
        kvm_register_write(vcpu, VCPU_REGS_RDX, tss->dx);
@@ -4363,8 +4628,8 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int reason)
        }
        if (reason == TASK_SWITCH_IRET) {
-                u32 eflags = kvm_x86_ops->get_rflags(vcpu);
+                u32 eflags = kvm_get_rflags(vcpu);
-                kvm_x86_ops->set_rflags(vcpu, eflags & ~X86_EFLAGS_NT);
+                kvm_set_rflags(vcpu, eflags & ~X86_EFLAGS_NT);
        }
        /* set back link to prev task only if NT bit is set in eflags
@@ -4372,11 +4637,6 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int reason)
        if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
                old_tss_sel = 0xffff;
-        /* set back link to prev task only if NT bit is set in eflags
-           note that old_tss_sel is not used afetr this point */
-        if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
-                old_tss_sel = 0xffff;
        if (nseg_desc.type & 8)
                ret = kvm_task_switch_32(vcpu, tss_selector, old_tss_sel,
                                         old_tss_base, &nseg_desc);
@@ -4385,8 +4645,8 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int reason)
                                         old_tss_base, &nseg_desc);
        if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE) {
-                u32 eflags = kvm_x86_ops->get_rflags(vcpu);
+                u32 eflags = kvm_get_rflags(vcpu);
-                kvm_x86_ops->set_rflags(vcpu, eflags | X86_EFLAGS_NT);
+                kvm_set_rflags(vcpu, eflags | X86_EFLAGS_NT);
        }
        if (reason != TASK_SWITCH_IRET) {
@@ -4438,8 +4698,10 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
        mmu_reset_needed |= vcpu->arch.cr4 != sregs->cr4;
        kvm_x86_ops->set_cr4(vcpu, sregs->cr4);
-        if (!is_long_mode(vcpu) && is_pae(vcpu))
+        if (!is_long_mode(vcpu) && is_pae(vcpu)) {
                load_pdptrs(vcpu, vcpu->arch.cr3);
+                mmu_reset_needed = 1;
+        }
        if (mmu_reset_needed)
                kvm_mmu_reset_context(vcpu);
@@ -4480,12 +4742,32 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
 int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
                                        struct kvm_guest_debug *dbg)
 {
+        unsigned long rflags;
        int i, r;
        vcpu_load(vcpu);
-        if ((dbg->control & (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_HW_BP)) ==
+        if (dbg->control & (KVM_GUESTDBG_INJECT_DB | KVM_GUESTDBG_INJECT_BP)) {
-            (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_HW_BP)) {
+                r = -EBUSY;
+                if (vcpu->arch.exception.pending)
+                        goto unlock_out;
+                if (dbg->control & KVM_GUESTDBG_INJECT_DB)
+                        kvm_queue_exception(vcpu, DB_VECTOR);
+                else
+                        kvm_queue_exception(vcpu, BP_VECTOR);
+        }
+        /*
+         * Read rflags as long as potentially injected trace flags are still
+         * filtered out.
+         */
+        rflags = kvm_get_rflags(vcpu);
+        vcpu->guest_debug = dbg->control;
+        if (!(vcpu->guest_debug & KVM_GUESTDBG_ENABLE))
+                vcpu->guest_debug = 0;
+        if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP) {
                for (i = 0; i < KVM_NR_DB_REGS; ++i)
                        vcpu->arch.eff_db[i] = dbg->arch.debugreg[i];
                vcpu->arch.switch_db_regs =
@@ -4496,13 +4778,23 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
                vcpu->arch.switch_db_regs = (vcpu->arch.dr7 & DR7_BP_EN_MASK);
        }
-        r = kvm_x86_ops->set_guest_debug(vcpu, dbg);
+        if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) {
+                vcpu->arch.singlestep_cs =
+                        get_segment_selector(vcpu, VCPU_SREG_CS);
+                vcpu->arch.singlestep_rip = kvm_rip_read(vcpu);
+        }
+        /*
+         * Trigger an rflags update that will inject or remove the trace
+         * flags.
+         */
+        kvm_set_rflags(vcpu, rflags);
+        kvm_x86_ops->set_guest_debug(vcpu, dbg);
-        if (dbg->control & KVM_GUESTDBG_INJECT_DB)
+        r = 0;
-                kvm_queue_exception(vcpu, DB_VECTOR);
-        else if (dbg->control & KVM_GUESTDBG_INJECT_BP)
-                kvm_queue_exception(vcpu, BP_VECTOR);
+unlock_out:
        vcpu_put(vcpu);
        return r;
@@ -4703,14 +4995,26 @@ int kvm_arch_vcpu_reset(struct kvm_vcpu *vcpu)
        return kvm_x86_ops->vcpu_reset(vcpu);
 }
-void kvm_arch_hardware_enable(void *garbage)
+int kvm_arch_hardware_enable(void *garbage)
 {
-        kvm_x86_ops->hardware_enable(garbage);
+        /*
+         * Since this may be called from a hotplug notifcation,
+         * we can't get the CPU frequency directly.
+         */
+        if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC)) {
+                int cpu = raw_smp_processor_id();
+                per_cpu(cpu_tsc_khz, cpu) = 0;
+        }
+        kvm_shared_msr_cpu_online();
+        return kvm_x86_ops->hardware_enable(garbage);
 }
 void kvm_arch_hardware_disable(void *garbage)
 {
        kvm_x86_ops->hardware_disable(garbage);
+        drop_user_return_notifiers(garbage);
 }
 int kvm_arch_hardware_setup(void)
@@ -4948,8 +5252,36 @@ int kvm_arch_interrupt_allowed(struct kvm_vcpu *vcpu)
        return kvm_x86_ops->interrupt_allowed(vcpu);
 }
+unsigned long kvm_get_rflags(struct kvm_vcpu *vcpu)
+{
+        unsigned long rflags;
+        rflags = kvm_x86_ops->get_rflags(vcpu);
+        if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
+                rflags &= ~(unsigned long)(X86_EFLAGS_TF | X86_EFLAGS_RF);
+        return rflags;
+}
+EXPORT_SYMBOL_GPL(kvm_get_rflags);
+void kvm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
+{
+        if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP &&
+            vcpu->arch.singlestep_cs ==
+                        get_segment_selector(vcpu, VCPU_SREG_CS) &&
+            vcpu->arch.singlestep_rip == kvm_rip_read(vcpu))
+                rflags |= X86_EFLAGS_TF | X86_EFLAGS_RF;
+        kvm_x86_ops->set_rflags(vcpu, rflags);
+}
+EXPORT_SYMBOL_GPL(kvm_set_rflags);
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_exit);
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_inj_virq);
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_page_fault);
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_msr);
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_cr);
+EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_nested_vmrun);
+EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_nested_vmexit);
+EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_nested_vmexit_inject);
+EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_nested_intr_vmexit);
+EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_invlpga);
+EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_skinit);
diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c
index 58bc00f68b12..02b442e92007 100644
--- a/arch/x86/vdso/vdso32-setup.c
+++ b/arch/x86/vdso/vdso32-setup.c
@@ -393,7 +393,6 @@ static ctl_table abi_table2[] = {
 static ctl_table abi_root_table2[] = {
        {
-                .ctl_name = CTL_ABI,
                .procname = "abi",
                .mode = 0555,
                .child = abi_table2
diff --git a/arch/xtensa/include/asm/socket.h b/arch/xtensa/include/asm/socket.h
index beb3a6bdb61d..cbdf2ffaacff 100644
--- a/arch/xtensa/include/asm/socket.h
+++ b/arch/xtensa/include/asm/socket.h
@@ -71,4 +71,6 @@
 #define SO_PROTOCOL             38
 #define SO_DOMAIN               39
+#define SO_RXQ_OVFL             40
 #endif  /* _XTENSA_SOCKET_H */
diff --git a/arch/xtensa/include/asm/unistd.h b/arch/xtensa/include/asm/unistd.h
index c092c8fbb2cf..4e55dc763021 100644
--- a/arch/xtensa/include/asm/unistd.h
+++ b/arch/xtensa/include/asm/unistd.h
@@ -681,8 +681,10 @@ __SYSCALL(304, sys_signalfd, 3)
 __SYSCALL(305, sys_ni_syscall, 0)
 #define __NR_eventfd                            306
 __SYSCALL(306, sys_eventfd, 1)
+#define __NR_recvmmsg                           307
+__SYSCALL(307, sys_recvmmsg, 5)
-#define __NR_syscall_count                      307
+#define __NR_syscall_count                      308
 /*
 * sysxtensa syscall handler