Merge branch 'percpu-for-linus' into percpu-for-next

Conflicts: arch/sparc/kernel/smp_64.c arch/x86/kernel/cpu/perf_counter.c arch/x86/kernel/setup_percpu.c drivers/cpufreq/cpufreq_ondemand.c mm/percpu.c Conflicts in core and arch percpu codes are mostly from commit ed78e1e078dd44249f88b1dd8c76dafb39567161 which substituted many num_possible_cpus() with nr_cpu_ids. As for-next branch has moved all the first chunk allocators into mm/percpu.c, the changes are moved from arch code to mm/percpu.c. Signed-off-by: Tejun Heo <tj@kernel.org>
author: Tejun Heo <tj@kernel.org> 2009-08-14 01:41:02 -0400
committer: Tejun Heo <tj@kernel.org> 2009-08-14 01:45:31 -0400
commit: 384be2b18a5f9475eab9ca2bdfa95cc1a04ef59c (patch)
tree: 04c93f391a1b65c8bf8d7ba8643c07d26c26590a /net
parent: a76761b621bcd8336065c4fe3a74f046858bc34c (diff)
parent: 142d44b0dd6741a64a7bdbe029110e7c1dcf1d23 (diff)
63 files changed, 296 insertions, 167 deletions
diff --git a/net/9p/client.c b/net/9p/client.c
index dd43a8289b0d..787ccddb85ea 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -117,9 +117,6 @@ static int parse_opts(char *opts, struct p9_client *clnt)
                }
        }
-        if (!clnt->trans_mod)
-                clnt->trans_mod = v9fs_get_default_trans();
        kfree(options);
        return ret;
 }
@@ -689,6 +686,9 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
        if (err < 0)
                goto error;
+        if (!clnt->trans_mod)
+                clnt->trans_mod = v9fs_get_default_trans();
        if (clnt->trans_mod == NULL) {
                err = -EPROTONOSUPPORT;
                P9_DPRINTK(P9_DEBUG_ERROR,
@@ -1098,7 +1098,6 @@ p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
        if (data) {
                memmove(data, dataptr, count);
-                data += count;
        }
        if (udata) {
@@ -1192,9 +1191,9 @@ struct p9_wstat *p9_client_stat(struct p9_fid *fid)
        err = p9pdu_readf(req->rc, clnt->dotu, "wS", &ignored, ret);
        if (err) {
-                ret = ERR_PTR(err);
                p9pdu_dump(1, req->rc);
-                goto free_and_error;
+                p9_free_req(clnt, req);
+                goto error;
        }
        P9_DPRINTK(P9_DEBUG_9P,
@@ -1211,8 +1210,6 @@ struct p9_wstat *p9_client_stat(struct p9_fid *fid)
        p9_free_req(clnt, req);
        return ret;
-free_and_error:
-        p9_free_req(clnt, req);
 error:
        kfree(ret);
        return ERR_PTR(err);
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index a2a1814c7a8d..8c2588e4edc0 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -735,12 +735,14 @@ static int parse_opts(char *params, struct p9_fd_opts *opts)
                if (!*p)
                        continue;
                token = match_token(p, tokens, args);
-                r = match_int(&args[0], &option);
+                if (token != Opt_err) {
-                if (r < 0) {
+                        r = match_int(&args[0], &option);
-                        P9_DPRINTK(P9_DEBUG_ERROR,
+                        if (r < 0) {
-                         "integer field, but no integer?\n");
+                                P9_DPRINTK(P9_DEBUG_ERROR,
-                        ret = r;
+                                "integer field, but no integer?\n");
-                        continue;
+                                ret = r;
+                                continue;
+                        }
                }
                switch (token) {
                case Opt_port:
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 590b83963622..bfbe13786bb4 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -54,6 +54,7 @@
 #include <linux/capability.h>
 #include <linux/module.h>
 #include <linux/if_arp.h>
+#include <linux/smp_lock.h>
 #include <linux/termios.h>      /* For TIOCOUTQ/INQ */
 #include <net/datalink.h>
 #include <net/psnap.h>
diff --git a/net/atm/common.c b/net/atm/common.c
index c1c97936192c..8c4d843eb17f 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -92,7 +92,7 @@ static void vcc_sock_destruct(struct sock *sk)
 static void vcc_def_wakeup(struct sock *sk)
 {
        read_lock(&sk->sk_callback_lock);
-        if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+        if (sk_has_sleeper(sk))
                wake_up(sk->sk_sleep);
        read_unlock(&sk->sk_callback_lock);
 }
@@ -110,7 +110,7 @@ static void vcc_write_space(struct sock *sk)
        read_lock(&sk->sk_callback_lock);
        if (vcc_writable(sk)) {
-                if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+                if (sk_has_sleeper(sk))
                        wake_up_interruptible(sk->sk_sleep);
                sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
@@ -594,7 +594,7 @@ unsigned int vcc_poll(struct file *file, struct socket *sock, poll_table *wait)
        struct atm_vcc *vcc;
        unsigned int mask;
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        mask = 0;
        vcc = ATM_SD(sock);
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index e50566ebf9f9..94b3388c188b 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -2080,28 +2080,41 @@ static CLASS_ATTR(rfcomm_dlc, S_IRUGO, rfcomm_dlc_sysfs_show, NULL);
 /* ---- Initialization ---- */
 static int __init rfcomm_init(void)
 {
+        int ret;
        l2cap_load();
        hci_register_cb(&rfcomm_cb);
        rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
        if (IS_ERR(rfcomm_thread)) {
-                hci_unregister_cb(&rfcomm_cb);
+                ret = PTR_ERR(rfcomm_thread);
-                return PTR_ERR(rfcomm_thread);
+                goto out_thread;
        }
        if (class_create_file(bt_class, &class_attr_rfcomm_dlc) < 0)
                BT_ERR("Failed to create RFCOMM info file");
-        rfcomm_init_sockets();
+        ret = rfcomm_init_ttys();
+        if (ret)
+                goto out_tty;
-#ifdef CONFIG_BT_RFCOMM_TTY
+        ret = rfcomm_init_sockets();
-        rfcomm_init_ttys();
+        if (ret)
-#endif
+                goto out_sock;
        BT_INFO("RFCOMM ver %s", VERSION);
        return 0;
+out_sock:
+        rfcomm_cleanup_ttys();
+out_tty:
+        kthread_stop(rfcomm_thread);
+out_thread:
+        hci_unregister_cb(&rfcomm_cb);
+        return ret;
 }
 static void __exit rfcomm_exit(void)
@@ -2112,9 +2125,7 @@ static void __exit rfcomm_exit(void)
        kthread_stop(rfcomm_thread);
-#ifdef CONFIG_BT_RFCOMM_TTY
        rfcomm_cleanup_ttys();
-#endif
        rfcomm_cleanup_sockets();
 }
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7f482784e9f7..0b85e8116859 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -1132,7 +1132,7 @@ error:
        return err;
 }
-void __exit rfcomm_cleanup_sockets(void)
+void rfcomm_cleanup_sockets(void)
 {
        class_remove_file(bt_class, &class_attr_rfcomm);
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 8a96672e2c5c..eb404dc3ed6e 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -424,7 +424,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
 err2:
        br_fdb_delete_by_port(br, p, 1);
 err1:
-        kobject_del(&p->kobj);
+        kobject_put(&p->kobj);
 err0:
        dev_set_promiscuity(dev, -1);
 put_back:
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 95d7f32643ae..72720c710351 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -75,6 +75,7 @@ static __initdata const char banner[] = KERN_INFO
 MODULE_DESCRIPTION("PF_CAN broadcast manager protocol");
 MODULE_LICENSE("Dual BSD/GPL");
 MODULE_AUTHOR("Oliver Hartkopp <oliver.hartkopp@volkswagen.de>");
+MODULE_ALIAS("can-proto-2");
 /* easy access to can_frame payload */
 static inline u64 GET_U64(const struct can_frame *cp)
@@ -1469,6 +1470,9 @@ static int bcm_release(struct socket *sock)
                bo->ifindex = 0;
        }
+        sock_orphan(sk);
+        sock->sk = NULL;
        release_sock(sk);
        sock_put(sk);
diff --git a/net/can/raw.c b/net/can/raw.c
index 6aa154e806ae..f4cc44548bda 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -62,6 +62,7 @@ static __initdata const char banner[] =
 MODULE_DESCRIPTION("PF_CAN raw protocol");
 MODULE_LICENSE("Dual BSD/GPL");
 MODULE_AUTHOR("Urs Thuermann <urs.thuermann@volkswagen.de>");
+MODULE_ALIAS("can-proto-1");
 #define MASK_ALL 0
@@ -306,6 +307,9 @@ static int raw_release(struct socket *sock)
        ro->bound   = 0;
        ro->count   = 0;
+        sock_orphan(sk);
+        sock->sk = NULL;
        release_sock(sk);
        sock_put(sk);
diff --git a/net/core/datagram.c b/net/core/datagram.c
index 58abee1f1df1..b0fe69211eef 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -712,7 +712,7 @@ unsigned int datagram_poll(struct file *file, struct socket *sock,
        struct sock *sk = sock->sk;
        unsigned int mask;
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        mask = 0;
        /* exceptional events? */
diff --git a/net/core/dev.c b/net/core/dev.c
index 70c27e0c7c32..6a94475aee85 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3865,10 +3865,12 @@ int dev_unicast_delete(struct net_device *dev, void *addr)
        ASSERT_RTNL();
+        netif_addr_lock_bh(dev);
        err = __hw_addr_del(&dev->uc, addr, dev->addr_len,
                            NETDEV_HW_ADDR_T_UNICAST);
        if (!err)
                __dev_set_rx_mode(dev);
+        netif_addr_unlock_bh(dev);
        return err;
 }
 EXPORT_SYMBOL(dev_unicast_delete);
@@ -3889,10 +3891,12 @@ int dev_unicast_add(struct net_device *dev, void *addr)
        ASSERT_RTNL();
+        netif_addr_lock_bh(dev);
        err = __hw_addr_add(&dev->uc, addr, dev->addr_len,
                            NETDEV_HW_ADDR_T_UNICAST);
        if (!err)
                __dev_set_rx_mode(dev);
+        netif_addr_unlock_bh(dev);
        return err;
 }
 EXPORT_SYMBOL(dev_unicast_add);
@@ -3949,7 +3953,8 @@ void __dev_addr_unsync(struct dev_addr_list **to, int *to_count,
 *      @from: source device
 *
 *      Add newly added addresses to the destination device and release
- *      addresses that have no users left.
+ *      addresses that have no users left. The source device must be
+ *      locked by netif_tx_lock_bh.
 *
 *      This function is intended to be called from the dev->set_rx_mode
 *      function of layered software devices.
@@ -3958,14 +3963,14 @@ int dev_unicast_sync(struct net_device *to, struct net_device *from)
 {
        int err = 0;
-        ASSERT_RTNL();
        if (to->addr_len != from->addr_len)
                return -EINVAL;
+        netif_addr_lock_bh(to);
        err = __hw_addr_sync(&to->uc, &from->uc, to->addr_len);
        if (!err)
                __dev_set_rx_mode(to);
+        netif_addr_unlock_bh(to);
        return err;
 }
 EXPORT_SYMBOL(dev_unicast_sync);
@@ -3981,27 +3986,27 @@ EXPORT_SYMBOL(dev_unicast_sync);
 */
 void dev_unicast_unsync(struct net_device *to, struct net_device *from)
 {
-        ASSERT_RTNL();
        if (to->addr_len != from->addr_len)
                return;
+        netif_addr_lock_bh(from);
+        netif_addr_lock(to);
        __hw_addr_unsync(&to->uc, &from->uc, to->addr_len);
        __dev_set_rx_mode(to);
+        netif_addr_unlock(to);
+        netif_addr_unlock_bh(from);
 }
 EXPORT_SYMBOL(dev_unicast_unsync);
 static void dev_unicast_flush(struct net_device *dev)
 {
-        /* rtnl_mutex must be held here */
+        netif_addr_lock_bh(dev);
        __hw_addr_flush(&dev->uc);
+        netif_addr_unlock_bh(dev);
 }
 static void dev_unicast_init(struct net_device *dev)
 {
-        /* rtnl_mutex must be held here */
        __hw_addr_init(&dev->uc);
 }
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index b7292a2719dc..197283072cc8 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -488,7 +488,7 @@ int net_assign_generic(struct net *net, int id, void *data)
         */
        ng->len = id;
-        memcpy(&ng->ptr, &old_ng->ptr, old_ng->len);
+        memcpy(&ng->ptr, &old_ng->ptr, old_ng->len * sizeof(void*));
        rcu_assign_pointer(net->gen, ng);
        call_rcu(&old_ng->rcu, net_generic_release);
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 9675f312830d..df30feb2fc72 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -740,7 +740,7 @@ int netpoll_setup(struct netpoll *np)
                                       np->name);
                                break;
                        }
-                        cond_resched();
+                        msleep(1);
                }
                /* If carrier appears to come up instantly, we don't
diff --git a/net/core/sock.c b/net/core/sock.c
index b0ba569bc973..bbb25be7ddfe 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -631,7 +631,7 @@ set_rcvbuf:
        case SO_TIMESTAMPING:
                if (val & ~SOF_TIMESTAMPING_MASK) {
-                        ret = EINVAL;
+                        ret = -EINVAL;
                        break;
                }
                sock_valbool_flag(sk, SOCK_TIMESTAMPING_TX_HARDWARE,
@@ -919,13 +919,19 @@ static inline void sock_lock_init(struct sock *sk)
                        af_family_keys + sk->sk_family);
 }
+/*
+ * Copy all fields from osk to nsk but nsk->sk_refcnt must not change yet,
+ * even temporarly, because of RCU lookups. sk_node should also be left as is.
+ */
 static void sock_copy(struct sock *nsk, const struct sock *osk)
 {
 #ifdef CONFIG_SECURITY_NETWORK
        void *sptr = nsk->sk_security;
 #endif
+        BUILD_BUG_ON(offsetof(struct sock, sk_copy_start) !=
-        memcpy(nsk, osk, osk->sk_prot->obj_size);
+                     sizeof(osk->sk_node) + sizeof(osk->sk_refcnt));
+        memcpy(&nsk->sk_copy_start, &osk->sk_copy_start,
+               osk->sk_prot->obj_size - offsetof(struct sock, sk_copy_start));
 #ifdef CONFIG_SECURITY_NETWORK
        nsk->sk_security = sptr;
        security_sk_clone(osk, nsk);
@@ -939,8 +945,23 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
        struct kmem_cache *slab;
        slab = prot->slab;
-        if (slab != NULL)
+        if (slab != NULL) {
-                sk = kmem_cache_alloc(slab, priority);
+                sk = kmem_cache_alloc(slab, priority & ~__GFP_ZERO);
+                if (!sk)
+                        return sk;
+                if (priority & __GFP_ZERO) {
+                        /*
+                         * caches using SLAB_DESTROY_BY_RCU should let
+                         * sk_node.next un-modified. Special care is taken
+                         * when initializing object to zero.
+                         */
+                        if (offsetof(struct sock, sk_node.next) != 0)
+                                memset(sk, 0, offsetof(struct sock, sk_node.next));
+                        memset(&sk->sk_node.pprev, 0,
+                               prot->obj_size - offsetof(struct sock,
+                                                         sk_node.pprev));
+                }
+        }
        else
                sk = kmalloc(prot->obj_size, priority);
@@ -1125,6 +1146,11 @@ struct sock *sk_clone(const struct sock *sk, const gfp_t priority)
                newsk->sk_err      = 0;
                newsk->sk_priority = 0;
+                /*
+                 * Before updating sk_refcnt, we must commit prior changes to memory
+                 * (Documentation/RCU/rculist_nulls.txt for details)
+                 */
+                smp_wmb();
                atomic_set(&newsk->sk_refcnt, 2);
                /*
@@ -1715,7 +1741,7 @@ EXPORT_SYMBOL(sock_no_sendpage);
 static void sock_def_wakeup(struct sock *sk)
 {
        read_lock(&sk->sk_callback_lock);
-        if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+        if (sk_has_sleeper(sk))
                wake_up_interruptible_all(sk->sk_sleep);
        read_unlock(&sk->sk_callback_lock);
 }
@@ -1723,7 +1749,7 @@ static void sock_def_wakeup(struct sock *sk)
 static void sock_def_error_report(struct sock *sk)
 {
        read_lock(&sk->sk_callback_lock);
-        if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+        if (sk_has_sleeper(sk))
                wake_up_interruptible_poll(sk->sk_sleep, POLLERR);
        sk_wake_async(sk, SOCK_WAKE_IO, POLL_ERR);
        read_unlock(&sk->sk_callback_lock);
@@ -1732,7 +1758,7 @@ static void sock_def_error_report(struct sock *sk)
 static void sock_def_readable(struct sock *sk, int len)
 {
        read_lock(&sk->sk_callback_lock);
-        if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+        if (sk_has_sleeper(sk))
                wake_up_interruptible_sync_poll(sk->sk_sleep, POLLIN |
                                                POLLRDNORM | POLLRDBAND);
        sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN);
@@ -1747,7 +1773,7 @@ static void sock_def_write_space(struct sock *sk)
         * progress.  --DaveM
         */
        if ((atomic_read(&sk->sk_wmem_alloc) << 1) <= sk->sk_sndbuf) {
-                if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+                if (sk_has_sleeper(sk))
                        wake_up_interruptible_sync_poll(sk->sk_sleep, POLLOUT |
                                                POLLWRNORM | POLLWRBAND);
@@ -1840,6 +1866,11 @@ void sock_init_data(struct socket *sock, struct sock *sk)
        sk->sk_stamp = ktime_set(-1L, 0);
+        /*
+         * Before updating sk_refcnt, we must commit prior changes to memory
+         * (Documentation/RCU/rculist_nulls.txt for details)
+         */
+        smp_wmb();
        atomic_set(&sk->sk_refcnt, 1);
        atomic_set(&sk->sk_wmem_alloc, 1);
        atomic_set(&sk->sk_drops, 0);
diff --git a/net/dccp/output.c b/net/dccp/output.c
index c0e88c16d088..c96119fda688 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -196,7 +196,7 @@ void dccp_write_space(struct sock *sk)
 {
        read_lock(&sk->sk_callback_lock);
-        if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+        if (sk_has_sleeper(sk))
                wake_up_interruptible(sk->sk_sleep);
        /* Should agree with poll, otherwise some programs break */
        if (sock_writeable(sk))
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 314a1b5c033c..3281013ce038 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -311,7 +311,7 @@ unsigned int dccp_poll(struct file *file, struct socket *sock,
        unsigned int mask;
        struct sock *sk = sock->sk;
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        if (sk->sk_state == DCCP_LISTEN)
                return inet_csk_listen_poll(sk);
@@ -1066,7 +1066,7 @@ static int __init dccp_init(void)
                       (dccp_hashinfo.ehash_size - 1))
                        dccp_hashinfo.ehash_size--;
                dccp_hashinfo.ehash = (struct inet_ehash_bucket *)
-                        __get_free_pages(GFP_ATOMIC, ehash_order);
+                        __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, ehash_order);
        } while (!dccp_hashinfo.ehash && --ehash_order > 0);
        if (!dccp_hashinfo.ehash) {
@@ -1091,7 +1091,7 @@ static int __init dccp_init(void)
                    bhash_order > 0)
                        continue;
                dccp_hashinfo.bhash = (struct inet_bind_hashbucket *)
-                        __get_free_pages(GFP_ATOMIC, bhash_order);
+                        __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, bhash_order);
        } while (!dccp_hashinfo.bhash && --bhash_order >= 0);
        if (!dccp_hashinfo.bhash) {
diff --git a/net/dsa/mv88e6xxx.c b/net/dsa/mv88e6xxx.c
index 4e4d8b5ad03d..efe661a9def4 100644
--- a/net/dsa/mv88e6xxx.c
+++ b/net/dsa/mv88e6xxx.c
@@ -418,7 +418,7 @@ static int mv88e6xxx_stats_wait(struct dsa_switch *ds)
        int i;
        for (i = 0; i < 10; i++) {
-                ret = REG_READ(REG_GLOBAL2, 0x1d);
+                ret = REG_READ(REG_GLOBAL, 0x1d);
                if ((ret & 0x8000) == 0)
                        return 0;
        }
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index c29d75d8f1b1..090e9991ac2a 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1304,7 +1304,9 @@ static void arp_format_neigh_entry(struct seq_file *seq,
                hbuffer[k++] = hex_asc_lo(n->ha[j]);
                hbuffer[k++] = ':';
        }
-        hbuffer[--k] = 0;
+        if (k != 0)
+                --k;
+        hbuffer[k] = 0;
 #if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE)
        }
 #endif
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 00a54b246dfe..63c2fa7b68c4 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -316,8 +316,8 @@ static inline void check_tnode(const struct tnode *tn)
 static const int halve_threshold = 25;
 static const int inflate_threshold = 50;
-static const int halve_threshold_root = 8;
+static const int halve_threshold_root = 15;
-static const int inflate_threshold_root = 15;
+static const int inflate_threshold_root = 25;
 static void __alias_free_mem(struct rcu_head *head)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 44e2a3d2359a..cb4a0f4bd5e5 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -735,10 +735,10 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        }
        tos = tiph->tos;
-        if (tos&1) {
+        if (tos == 1) {
+                tos = 0;
                if (skb->protocol == htons(ETH_P_IP))
                        tos = old_iph->tos;
-                tos &= ~1;
        }
        {
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 247026282669..7d0821054729 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1243,7 +1243,6 @@ int ip_push_pending_frames(struct sock *sk)
                skb->len += tmp_skb->len;
                skb->data_len += tmp_skb->len;
                skb->truesize += tmp_skb->truesize;
-                __sock_put(tmp_skb->sk);
                tmp_skb->destructor = NULL;
                tmp_skb->sk = NULL;
        }
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 7870a535dac6..91145244ea63 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -339,7 +339,7 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
        struct sock *sk = sock->sk;
        struct tcp_sock *tp = tcp_sk(sk);
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        if (sk->sk_state == TCP_LISTEN)
                return inet_csk_listen_poll(sk);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 5a1ca2698c88..6d88219c5e22 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1160,6 +1160,7 @@ struct request_sock_ops tcp_request_sock_ops __read_mostly = {
 #ifdef CONFIG_TCP_MD5SIG
 static struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
        .md5_lookup     =       tcp_v4_reqsk_md5_lookup,
+        .calc_md5_hash  =       tcp_v4_md5_hash_skb,
 };
 #endif
@@ -1373,7 +1374,7 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                 */
                char *newkey = kmemdup(key->key, key->keylen, GFP_ATOMIC);
                if (newkey != NULL)
-                        tcp_v4_md5_do_add(newsk, inet_sk(sk)->daddr,
+                        tcp_v4_md5_do_add(newsk, newinet->daddr,
                                          newkey, key->keylen);
                newsk->sk_route_caps &= ~NETIF_F_GSO_MASK;
        }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5bdf08d312d9..bd62712848fa 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2261,7 +2261,7 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
 #ifdef CONFIG_TCP_MD5SIG
        /* Okay, we have all we need - do the md5 hash if needed */
        if (md5) {
-                tp->af_specific->calc_md5_hash(md5_hash_location,
+                tcp_rsk(req)->af_specific->calc_md5_hash(md5_hash_location,
                                               md5, NULL, req, skb);
        }
 #endif
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 60d918c96a4f..0071ee6f441f 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -136,7 +136,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
                case IPPROTO_TCP:
                case IPPROTO_SCTP:
                case IPPROTO_DCCP:
-                        if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
+                        if (xprth + 4 < skb->data ||
+                            pskb_may_pull(skb, xprth + 4 - skb->data)) {
                                __be16 *ports = (__be16 *)xprth;
                                fl->fl_ip_sport = ports[!!reverse];
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 3883b4036a74..43b3c9f89c12 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1916,8 +1916,32 @@ ok:
                                        update_lft = 1;
                                else if (stored_lft <= MIN_VALID_LIFETIME) {
                                        /* valid_lft <= stored_lft is always true */
-                                        /* XXX: IPsec */
+                                        /*
-                                        update_lft = 0;
+                                         * RFC 4862 Section 5.5.3e:
+                                         * "Note that the preferred lifetime of
+                                         *  the corresponding address is always
+                                         *  reset to the Preferred Lifetime in
+                                         *  the received Prefix Information
+                                         *  option, regardless of whether the
+                                         *  valid lifetime is also reset or
+                                         *  ignored."
+                                         *
+                                         *  So if the preferred lifetime in
+                                         *  this advertisement is different
+                                         *  than what we have stored, but the
+                                         *  valid lifetime is invalid, just
+                                         *  reset prefered_lft.
+                                         *
+                                         *  We must set the valid lifetime
+                                         *  to the stored lifetime since we'll
+                                         *  be updating the timestamp below,
+                                         *  else we'll set it back to the
+                                         *  minumum.
+                                         */
+                                        if (prefered_lft != ifp->prefered_lft) {
+                                                valid_lft = stored_lft;
+                                                update_lft = 1;
+                                        }
                                } else {
                                        valid_lft = MIN_VALID_LIFETIME;
                                        if (valid_lft < prefered_lft)
@@ -3085,7 +3109,7 @@ restart:
                                spin_unlock(&ifp->lock);
                                continue;
                        } else if (age >= ifp->prefered_lft) {
-                                /* jiffies - ifp->tsamp > age >= ifp->prefered_lft */
+                                /* jiffies - ifp->tstamp > age >= ifp->prefered_lft */
                                int deprecate = 0;
                                if (!(ifp->flags&IFA_F_DEPRECATED)) {
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 7c76e3d18215..87f8419a68fd 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1484,7 +1484,6 @@ int ip6_push_pending_frames(struct sock *sk)
                skb->len += tmp_skb->len;
                skb->data_len += tmp_skb->len;
                skb->truesize += tmp_skb->truesize;
-                __sock_put(tmp_skb->sk);
                tmp_skb->destructor = NULL;
                tmp_skb->sk = NULL;
        }
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 68e52308e552..98b7327d0949 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1018,6 +1018,7 @@ static void ipip6_tunnel_setup(struct net_device *dev)
        dev->hard_header_len    = LL_MAX_HEADER + sizeof(struct iphdr);
        dev->mtu                = ETH_DATA_LEN - sizeof(struct iphdr);
        dev->flags              = IFF_NOARP;
+        dev->priv_flags        &= ~IFF_XMIT_DST_RELEASE;
        dev->iflink             = 0;
        dev->addr_len           = 4;
        dev->features           |= NETIF_F_NETNS_LOCAL;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 58810c65b635..d849dd53b788 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -896,6 +896,7 @@ struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
 #ifdef CONFIG_TCP_MD5SIG
 static struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
        .md5_lookup     =       tcp_v6_reqsk_md5_lookup,
+        .calc_md5_hash  =       tcp_v6_md5_hash_skb,
 };
 #endif
@@ -1441,7 +1442,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                 */
                char *newkey = kmemdup(key->key, key->keylen, GFP_ATOMIC);
                if (newkey != NULL)
-                        tcp_v6_md5_do_add(newsk, &inet6_sk(sk)->daddr,
+                        tcp_v6_md5_do_add(newsk, &newnp->daddr,
                                          newkey, key->keylen);
        }
 #endif
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index b4b16a43f277..3a3c677bc0f2 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -157,7 +157,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
        ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr);
        ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr);
-        while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
+        while (nh + offset + 1 < skb->data ||
+               pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
                nh = skb_network_header(skb);
                exthdr = (struct ipv6_opt_hdr *)(nh + offset);
@@ -177,7 +178,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
                case IPPROTO_TCP:
                case IPPROTO_SCTP:
                case IPPROTO_DCCP:
-                        if (!onlyproto && pskb_may_pull(skb, nh + offset + 4 - skb->data)) {
+                        if (!onlyproto && (nh + offset + 4 < skb->data ||
+                             pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
                                __be16 *ports = (__be16 *)exthdr;
                                fl->fl_ip_sport = ports[!!reverse];
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index 417b0e309495..f1118d92a191 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -41,6 +41,7 @@
 #include <linux/netdevice.h>
 #include <linux/uio.h>
 #include <linux/skbuff.h>
+#include <linux/smp_lock.h>
 #include <linux/socket.h>
 #include <linux/sockios.h>
 #include <linux/string.h>
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index cb762c8723ea..80cf29aae096 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -45,6 +45,7 @@
 #include <linux/capability.h>
 #include <linux/module.h>
 #include <linux/types.h>
+#include <linux/smp_lock.h>
 #include <linux/socket.h>
 #include <linux/sockios.h>
 #include <linux/init.h>
diff --git a/net/irda/irnet/irnet.h b/net/irda/irnet/irnet.h
index bccf4d0059f0..b001c361ad30 100644
--- a/net/irda/irnet/irnet.h
+++ b/net/irda/irnet/irnet.h
@@ -241,7 +241,6 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
-#include <linux/smp_lock.h>
 #include <linux/skbuff.h>
 #include <linux/tty.h>
 #include <linux/proc_fs.h>
diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c
index 6d8ae03c14f5..68cbcb19cbd8 100644
--- a/net/irda/irnet/irnet_ppp.c
+++ b/net/irda/irnet/irnet_ppp.c
@@ -13,6 +13,7 @@
 *      2) as a control channel (write commands, read events)
 */
+#include <linux/smp_lock.h>
 #include "irnet_ppp.h"          /* Private header */
 /* Please put other headers in irnet.h - Thanks */
diff --git a/net/irda/irttp.c b/net/irda/irttp.c
index ecf4eb2717cb..9cb79f95bf63 100644
--- a/net/irda/irttp.c
+++ b/net/irda/irttp.c
@@ -1453,6 +1453,7 @@ struct tsap_cb *irttp_dup(struct tsap_cb *orig, void *instance)
        }
        /* Dup */
        memcpy(new, orig, sizeof(struct tsap_cb));
+        spin_lock_init(&new->lock);
        /* We don't need the old instance any more */
        spin_unlock_irqrestore(&irttp->tsaps->hb_spinlock, flags);
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 6be5f92d1094..49c15b48408e 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -306,7 +306,7 @@ static inline int iucv_below_msglim(struct sock *sk)
 static void iucv_sock_wake_msglim(struct sock *sk)
 {
        read_lock(&sk->sk_callback_lock);
-        if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+        if (sk_has_sleeper(sk))
                wake_up_interruptible_all(sk->sk_sleep);
        sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
        read_unlock(&sk->sk_callback_lock);
@@ -1256,7 +1256,7 @@ unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
        struct sock *sk = sock->sk;
        unsigned int mask = 0;
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        if (sk->sk_state == IUCV_LISTEN)
                return iucv_accept_poll(sk);
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index ba2643a43c73..7836ee928983 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -83,6 +83,7 @@ endmenu
 config MAC80211_MESH
        bool "Enable mac80211 mesh networking (pre-802.11s) support"
        depends on MAC80211 && EXPERIMENTAL
+        depends on BROKEN
        ---help---
         This options enables support of Draft 802.11s mesh networking.
         The implementation is based on Draft 1.08 of the Mesh Networking
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 003cb470ac84..f49ef288e2e2 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -637,7 +637,7 @@ static void mesh_queue_preq(struct mesh_path *mpath, u8 flags)
        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
        struct mesh_preq_queue *preq_node;
-        preq_node = kmalloc(sizeof(struct mesh_preq_queue), GFP_KERNEL);
+        preq_node = kmalloc(sizeof(struct mesh_preq_queue), GFP_ATOMIC);
        if (!preq_node) {
                printk(KERN_DEBUG "Mesh HWMP: could not allocate PREQ node\n");
                return;
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 3c72557df45a..479597e88583 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -175,6 +175,8 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        int err = 0;
        u32 hash_idx;
+        might_sleep();
        if (memcmp(dst, sdata->dev->dev_addr, ETH_ALEN) == 0)
                /* never add ourselves as neighbours */
                return -ENOTSUPP;
@@ -265,6 +267,7 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        int err = 0;
        u32 hash_idx;
+        might_sleep();
        if (memcmp(dst, sdata->dev->dev_addr, ETH_ALEN) == 0)
                /* never add ourselves as neighbours */
@@ -491,8 +494,10 @@ void mesh_path_tx_pending(struct mesh_path *mpath)
 * @skb: frame to discard
 * @sdata: network subif the frame was to be sent through
 *
- * If the frame was beign forwarded from another MP, a PERR frame will be sent
+ * If the frame was being forwarded from another MP, a PERR frame will be sent
- * to the precursor.
+ * to the precursor.  The precursor's address (i.e. the previous hop) was saved
+ * in addr1 of the frame-to-be-forwarded, and would only be overwritten once
+ * the destination is successfully resolved.
 *
 * Locking: the function must me called within a rcu_read_lock region
 */
@@ -507,7 +512,7 @@ void mesh_path_discard_frame(struct sk_buff *skb,
                u8 *ra, *da;
                da = hdr->addr3;
-                ra = hdr->addr2;
+                ra = hdr->addr1;
                mpath = mesh_path_lookup(da, sdata);
                if (mpath)
                        dsn = ++mpath->dsn;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index aca22b00b6a3..07e7e41816be 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -721,7 +721,7 @@ void ieee80211_dynamic_ps_timer(unsigned long data)
 {
        struct ieee80211_local *local = (void *) data;
-        if (local->quiescing)
+        if (local->quiescing || local->suspended)
                return;
        queue_work(local->hw.workqueue, &local->dynamic_ps_enable_work);
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
index 7a549f9deb96..5e3d476972f9 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -55,15 +55,6 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        rcu_read_unlock();
-        /* flush again, in case driver queued work */
-        flush_workqueue(local->hw.workqueue);
-        /* stop hardware - this must stop RX */
-        if (local->open_count) {
-                ieee80211_led_radio(local, false);
-                drv_stop(local);
-        }
        /* remove STAs */
        spin_lock_irqsave(&local->sta_lock, flags);
        list_for_each_entry(sta, &local->sta_list, list) {
@@ -111,7 +102,22 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
                drv_remove_interface(local, &conf);
        }
+        /* stop hardware - this must stop RX */
+        if (local->open_count) {
+                ieee80211_led_radio(local, false);
+                drv_stop(local);
+        }
+        /*
+         * flush again, in case driver queued work -- it
+         * shouldn't be doing (or cancel everything in the
+         * stop callback) that but better safe than sorry.
+         */
+        flush_workqueue(local->hw.workqueue);
        local->suspended = true;
+        /* need suspended to be visible before quiescing is false */
+        barrier();
        local->quiescing = false;
        return 0;
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index b218b98fba7f..37771abd8f5a 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -66,7 +66,7 @@ rix_to_ndx(struct minstrel_sta_info *mi, int rix)
        for (i = rix; i >= 0; i--)
                if (mi->r[i].rix == rix)
                        break;
-        WARN_ON(mi->r[i].rix != rix);
+        WARN_ON(i < 0);
        return i;
 }
@@ -181,6 +181,9 @@ minstrel_tx_status(void *priv, struct ieee80211_supported_band *sband,
                        break;
                ndx = rix_to_ndx(mi, ar[i].idx);
+                if (ndx < 0)
+                        continue;
                mi->r[ndx].attempts += ar[i].count;
                if ((i != IEEE80211_TX_MAX_RATES - 1) && (ar[i + 1].idx < 0))
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index de5bba7f910a..0936fc24942d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2453,6 +2453,18 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
                return;
        }
+        /*
+         * If we're suspending, it is possible although not too likely
+         * that we'd be receiving frames after having already partially
+         * quiesced the stack. We can't process such frames then since
+         * that might, for example, cause stations to be added or other
+         * driver callbacks be invoked.
+         */
+        if (unlikely(local->quiescing || local->suspended)) {
+                kfree_skb(skb);
+                return;
+        }
        if (status->flag & RX_FLAG_HT) {
                /* rate_idx is MCS index */
                if (WARN_ON(status->rate_idx < 0 ||
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index d238a8939a09..3a8922cd1038 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1455,7 +1455,7 @@ int ieee80211_master_start_xmit(struct sk_buff *skb, struct net_device *dev)
                monitor_iface = UNKNOWN_ADDRESS;
                len_rthdr = ieee80211_get_radiotap_len(skb->data);
-                hdr = (struct ieee80211_hdr *)skb->data + len_rthdr;
+                hdr = (struct ieee80211_hdr *)(skb->data + len_rthdr);
                hdrlen = ieee80211_hdrlen(hdr->frame_control);
                /* check the header is complete in the frame */
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 7508f11c5b39..b5869b9574b0 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -561,23 +561,38 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
                }
        }
-        ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp);
+        /*
+         * Do not use kmem_cache_zalloc(), as this cache uses
+         * SLAB_DESTROY_BY_RCU.
+         */
+        ct = kmem_cache_alloc(nf_conntrack_cachep, gfp);
        if (ct == NULL) {
                pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n");
                atomic_dec(&net->ct.count);
                return ERR_PTR(-ENOMEM);
        }
+        /*
+         * Let ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode.next
+         * and ct->tuplehash[IP_CT_DIR_REPLY].hnnode.next unchanged.
+         */
+        memset(&ct->tuplehash[IP_CT_DIR_MAX], 0,
+               sizeof(*ct) - offsetof(struct nf_conn, tuplehash[IP_CT_DIR_MAX]));
        spin_lock_init(&ct->lock);
-        atomic_set(&ct->ct_general.use, 1);
        ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
+        ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode.pprev = NULL;
        ct->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
+        ct->tuplehash[IP_CT_DIR_REPLY].hnnode.pprev = NULL;
        /* Don't set timer yet: wait for confirmation */
        setup_timer(&ct->timeout, death_by_timeout, (unsigned long)ct);
 #ifdef CONFIG_NET_NS
        ct->ct_net = net;
 #endif
+        /*
+         * changes to lookup keys must be done before setting refcnt to 1
+         */
+        smp_wmb();
+        atomic_set(&ct->ct_general.use, 1);
        return ct;
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 863e40977a4d..0f482e2440b4 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -330,7 +330,8 @@ static bool xt_osf_match_packet(const struct sk_buff *skb,
                        fcount++;
                        if (info->flags & XT_OSF_LOG)
-                                nf_log_packet(p->hooknum, 0, skb, p->in, p->out, NULL,
+                                nf_log_packet(p->family, p->hooknum, skb,
+                                        p->in, p->out, NULL,
                                        "%s [%s:%s] : %pi4:%d -> %pi4:%d hops=%d\n",
                                        f->genre, f->version, f->subtype,
                                        &ip->saddr, ntohs(tcp->source),
@@ -345,7 +346,7 @@ static bool xt_osf_match_packet(const struct sk_buff *skb,
        rcu_read_unlock();
        if (!fcount && (info->flags & XT_OSF_LOG))
-                nf_log_packet(p->hooknum, 0, skb, p->in, p->out, NULL,
+                nf_log_packet(p->family, p->hooknum, skb, p->in, p->out, NULL,
                        "Remote OS is not known: %pi4:%u -> %pi4:%u\n",
                                &ip->saddr, ntohs(tcp->source),
                                &ip->daddr, ntohs(tcp->dest));
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index b0e582f2d37a..16e6c4378ff1 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -151,7 +151,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain,
                        addr6 = addr;
                        mask6 = mask;
                        map6 = kzalloc(sizeof(*map6), GFP_ATOMIC);
-                        if (map4 == NULL)
+                        if (map6 == NULL)
                                goto cfg_unlbl_map_add_failure;
                        map6->type = NETLBL_NLTYPE_UNLABELED;
                        ipv6_addr_copy(&map6->list.addr, addr6);
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 79693fe2001e..2fc4a1724eb8 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -549,6 +549,10 @@ void rfkill_set_states(struct rfkill *rfkill, bool sw, bool hw)
        swprev = !!(rfkill->state & RFKILL_BLOCK_SW);
        hwprev = !!(rfkill->state & RFKILL_BLOCK_HW);
        __rfkill_set_sw_state(rfkill, sw);
+        if (hw)
+                rfkill->state |= RFKILL_BLOCK_HW;
+        else
+                rfkill->state &= ~RFKILL_BLOCK_HW;
        spin_unlock_irqrestore(&rfkill->lock, flags);
@@ -648,15 +652,26 @@ static ssize_t rfkill_state_store(struct device *dev,
                                  struct device_attribute *attr,
                                  const char *buf, size_t count)
 {
-        /*
+        struct rfkill *rfkill = to_rfkill(dev);
-         * The intention was that userspace can only take control over
+        unsigned long state;
-         * a given device when/if rfkill-input doesn't control it due
+        int err;
-         * to user_claim. Since user_claim is currently unsupported,
-         * we never support changing the state from userspace -- this
+        if (!capable(CAP_NET_ADMIN))
-         * can be implemented again later.
+                return -EPERM;
-         */
+        err = strict_strtoul(buf, 0, &state);
+        if (err)
+                return err;
+        if (state != RFKILL_USER_STATE_SOFT_BLOCKED &&
+            state != RFKILL_USER_STATE_UNBLOCKED)
+                return -EINVAL;
+        mutex_lock(&rfkill_global_mutex);
+        rfkill_set_block(rfkill, state == RFKILL_USER_STATE_SOFT_BLOCKED);
+        mutex_unlock(&rfkill_global_mutex);
-        return -EPERM;
+        return err ?: count;
 }
 static ssize_t rfkill_claim_show(struct device *dev,
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 6bd8e93869ed..f0a76f6bca71 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -92,23 +92,21 @@ static void rose_set_lockdep_key(struct net_device *dev)
 /*
 *      Convert a ROSE address into text.
 */
-const char *rose2asc(const rose_address *addr)
+char *rose2asc(char *buf, const rose_address *addr)
 {
-        static char buffer[11];
        if (addr->rose_addr[0] == 0x00 && addr->rose_addr[1] == 0x00 &&
            addr->rose_addr[2] == 0x00 && addr->rose_addr[3] == 0x00 &&
            addr->rose_addr[4] == 0x00) {
-                strcpy(buffer, "*");
+                strcpy(buf, "*");
        } else {
-                sprintf(buffer, "%02X%02X%02X%02X%02X", addr->rose_addr[0] & 0xFF,
+                sprintf(buf, "%02X%02X%02X%02X%02X", addr->rose_addr[0] & 0xFF,
                                                addr->rose_addr[1] & 0xFF,
                                                addr->rose_addr[2] & 0xFF,
                                                addr->rose_addr[3] & 0xFF,
                                                addr->rose_addr[4] & 0xFF);
        }
-        return buffer;
+        return buf;
 }
 /*
@@ -1437,7 +1435,7 @@ static void rose_info_stop(struct seq_file *seq, void *v)
 static int rose_info_show(struct seq_file *seq, void *v)
 {
-        char buf[11];
+        char buf[11], rsbuf[11];
        if (v == SEQ_START_TOKEN)
                seq_puts(seq,
@@ -1455,8 +1453,8 @@ static int rose_info_show(struct seq_file *seq, void *v)
                        devname = dev->name;
                seq_printf(seq, "%-10s %-9s ",
-                        rose2asc(&rose->dest_addr),
+                           rose2asc(rsbuf, &rose->dest_addr),
-                        ax2asc(buf, &rose->dest_call));
+                           ax2asc(buf, &rose->dest_call));
                if (ax25cmp(&rose->source_call, &null_ax25_address) == 0)
                        callsign = "??????-?";
@@ -1465,7 +1463,7 @@ static int rose_info_show(struct seq_file *seq, void *v)
                seq_printf(seq,
                           "%-10s %-9s %-5s %3.3X %05d  %d  %d  %d  %d %3lu %3lu %3lu %3lu %3lu %3lu/%03lu %5d %5d %ld\n",
-                        rose2asc(&rose->source_addr),
+                        rose2asc(rsbuf, &rose->source_addr),
                        callsign,
                        devname,
                        rose->lci & 0x0FFF,
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index a81066a1010a..9478d9b3d977 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -1104,6 +1104,7 @@ static void rose_node_stop(struct seq_file *seq, void *v)
 static int rose_node_show(struct seq_file *seq, void *v)
 {
+        char rsbuf[11];
        int i;
        if (v == SEQ_START_TOKEN)
@@ -1112,13 +1113,13 @@ static int rose_node_show(struct seq_file *seq, void *v)
                const struct rose_node *rose_node = v;
                /* if (rose_node->loopback) {
                        seq_printf(seq, "%-10s %04d 1 loopback\n",
-                                rose2asc(&rose_node->address),
+                                   rose2asc(rsbuf, &rose_node->address),
-                                rose_node->mask);
+                                   rose_node->mask);
                } else { */
                        seq_printf(seq, "%-10s %04d %d",
-                                rose2asc(&rose_node->address),
+                                   rose2asc(rsbuf, &rose_node->address),
-                                rose_node->mask,
+                                   rose_node->mask,
-                                rose_node->count);
+                                   rose_node->count);
                        for (i = 0; i < rose_node->count; i++)
                                seq_printf(seq, " %05d",
@@ -1267,7 +1268,7 @@ static void rose_route_stop(struct seq_file *seq, void *v)
 static int rose_route_show(struct seq_file *seq, void *v)
 {
-        char buf[11];
+        char buf[11], rsbuf[11];
        if (v == SEQ_START_TOKEN)
                seq_puts(seq,
@@ -1279,7 +1280,7 @@ static int rose_route_show(struct seq_file *seq, void *v)
                        seq_printf(seq,
                                   "%3.3X  %-10s  %-9s  %05d      ",
                                   rose_route->lci1,
-                                   rose2asc(&rose_route->src_addr),
+                                   rose2asc(rsbuf, &rose_route->src_addr),
                                   ax2asc(buf, &rose_route->src_call),
                                   rose_route->neigh1->number);
                else
@@ -1289,10 +1290,10 @@ static int rose_route_show(struct seq_file *seq, void *v)
                if (rose_route->neigh2)
                        seq_printf(seq,
                                   "%3.3X  %-10s  %-9s  %05d\n",
-                                rose_route->lci2,
+                                   rose_route->lci2,
-                                rose2asc(&rose_route->dest_addr),
+                                   rose2asc(rsbuf, &rose_route->dest_addr),
-                                ax2asc(buf, &rose_route->dest_call),
+                                   ax2asc(buf, &rose_route->dest_call),
-                                rose_route->neigh2->number);
+                                   rose_route->neigh2->number);
                 else
                         seq_puts(seq,
                                  "000  *           *          00000\n");
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index eac5e7bb7365..bfe493ebf27c 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -63,7 +63,7 @@ static void rxrpc_write_space(struct sock *sk)
        _enter("%p", sk);
        read_lock(&sk->sk_callback_lock);
        if (rxrpc_writable(sk)) {
-                if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+                if (sk_has_sleeper(sk))
                        wake_up_interruptible(sk->sk_sleep);
                sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
        }
@@ -588,7 +588,7 @@ static unsigned int rxrpc_poll(struct file *file, struct socket *sock,
        unsigned int mask;
        struct sock *sk = sock->sk;
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        mask = 0;
        /* the socket is readable if there are any messages waiting on the Rx
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 35ba035970a2..971890dbfea0 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6652,21 +6652,6 @@ static void sctp_wait_for_close(struct sock *sk, long timeout)
        finish_wait(sk->sk_sleep, &wait);
 }
-static void sctp_sock_rfree_frag(struct sk_buff *skb)
-{
-        struct sk_buff *frag;
-        if (!skb->data_len)
-                goto done;
-        /* Don't forget the fragments. */
-        skb_walk_frags(skb, frag)
-                sctp_sock_rfree_frag(frag);
-done:
-        sctp_sock_rfree(skb);
-}
 static void sctp_skb_set_owner_r_frag(struct sk_buff *skb, struct sock *sk)
 {
        struct sk_buff *frag;
@@ -6776,7 +6761,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
        sctp_skb_for_each(skb, &oldsk->sk_receive_queue, tmp) {
                event = sctp_skb2event(skb);
                if (event->asoc == assoc) {
-                        sctp_sock_rfree_frag(skb);
                        __skb_unlink(skb, &oldsk->sk_receive_queue);
                        __skb_queue_tail(&newsk->sk_receive_queue, skb);
                        sctp_skb_set_owner_r_frag(skb, newsk);
@@ -6807,7 +6791,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
                sctp_skb_for_each(skb, &oldsp->pd_lobby, tmp) {
                        event = sctp_skb2event(skb);
                        if (event->asoc == assoc) {
-                                sctp_sock_rfree_frag(skb);
                                __skb_unlink(skb, &oldsp->pd_lobby);
                                __skb_queue_tail(queue, skb);
                                sctp_skb_set_owner_r_frag(skb, newsk);
@@ -6822,15 +6805,11 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
        }
-        sctp_skb_for_each(skb, &assoc->ulpq.reasm, tmp) {
+        sctp_skb_for_each(skb, &assoc->ulpq.reasm, tmp)
-                sctp_sock_rfree_frag(skb);
                sctp_skb_set_owner_r_frag(skb, newsk);
-        }
-        sctp_skb_for_each(skb, &assoc->ulpq.lobby, tmp) {
+        sctp_skb_for_each(skb, &assoc->ulpq.lobby, tmp)
-                sctp_sock_rfree_frag(skb);
                sctp_skb_set_owner_r_frag(skb, newsk);
-        }
        /* Set the type of socket to indicate that it is peeled off from the
         * original UDP-style socket or created with the accept() call on a
diff --git a/net/socket.c b/net/socket.c
index 791d71a36a93..6d4716559047 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -736,7 +736,7 @@ static ssize_t sock_sendpage(struct file *file, struct page *page,
        if (more)
                flags |= MSG_MORE;
-        return sock->ops->sendpage(sock, page, offset, size, flags);
+        return kernel_sendpage(sock, page, offset, size, flags);
 }
 static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 5bc2f45bddf0..ebfcf9b89909 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -28,7 +28,6 @@
 #include <linux/kallsyms.h>
 #include <linux/mm.h>
 #include <linux/slab.h>
-#include <linux/smp_lock.h>
 #include <linux/utsname.h>
 #include <linux/workqueue.h>
 #include <linux/in6.h>
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 1102ce1251f7..8f459abe97cf 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -16,7 +16,6 @@
 #include <linux/slab.h>
 #include <linux/mempool.h>
 #include <linux/smp.h>
-#include <linux/smp_lock.h>
 #include <linux/spinlock.h>
 #include <linux/mutex.h>
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index 6f33d33cc064..27d44332f017 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -5,6 +5,7 @@
 */
 #include <linux/sched.h>
+#include <linux/smp_lock.h>
 #include <linux/errno.h>
 #include <linux/freezer.h>
 #include <linux/kthread.h>
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 36d4e44d6233..fc3ebb906911 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -315,7 +315,7 @@ static void unix_write_space(struct sock *sk)
 {
        read_lock(&sk->sk_callback_lock);
        if (unix_writable(sk)) {
-                if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
+                if (sk_has_sleeper(sk))
                        wake_up_interruptible_sync(sk->sk_sleep);
                sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
        }
@@ -1985,7 +1985,7 @@ static unsigned int unix_poll(struct file *file, struct socket *sock, poll_table
        struct sock *sk = sock->sk;
        unsigned int mask;
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        mask = 0;
        /* exceptional events? */
@@ -2022,7 +2022,7 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
        struct sock *sk = sock->sk, *other;
        unsigned int mask, writable;
-        poll_wait(file, sk->sk_sleep, wait);
+        sock_poll_wait(file, sk->sk_sleep, wait);
        mask = 0;
        /* exceptional events? */
@@ -2053,7 +2053,7 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
                other = unix_peer_get(sk);
                if (other) {
                        if (unix_peer(other) != sk) {
-                                poll_wait(file, &unix_sk(other)->peer_wait,
+                                sock_poll_wait(file, &unix_sk(other)->peer_wait,
                                          wait);
                                if (unix_recvq_full(other))
                                        writable = 0;
diff --git a/net/wanrouter/wanmain.c b/net/wanrouter/wanmain.c
index 466e2d22d256..258daa80ad92 100644
--- a/net/wanrouter/wanmain.c
+++ b/net/wanrouter/wanmain.c
@@ -48,6 +48,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>       /* support for loadable modules */
 #include <linux/slab.h>         /* kmalloc(), kfree() */
+#include <linux/smp_lock.h>
 #include <linux/mm.h>
 #include <linux/string.h>       /* inline mem*, str* functions */
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 241bddd0b4f1..634496b3ed77 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -447,6 +447,7 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
        rdev = __cfg80211_drv_from_info(info);
        if (IS_ERR(rdev)) {
+                mutex_unlock(&cfg80211_mutex);
                result = PTR_ERR(rdev);
                goto unlock;
        }
@@ -996,7 +997,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
        if (IS_ERR(hdr)) {
                err = PTR_ERR(hdr);
-                goto out;
+                goto free_msg;
        }
        cookie.msg = msg;
@@ -1010,7 +1011,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
                                &cookie, get_key_callback);
        if (err)
-                goto out;
+                goto free_msg;
        if (cookie.error)
                goto nla_put_failure;
@@ -1021,6 +1022,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
 nla_put_failure:
        err = -ENOBUFS;
+ free_msg:
        nlmsg_free(msg);
 out:
        cfg80211_put_dev(drv);
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 5e14371cda70..75a406d33619 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1089,17 +1089,18 @@ static void handle_reg_beacon(struct wiphy *wiphy,
        chan->beacon_found = true;
+        if (wiphy->disable_beacon_hints)
+                return;
        chan_before.center_freq = chan->center_freq;
        chan_before.flags = chan->flags;
-        if ((chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) &&
+        if (chan->flags & IEEE80211_CHAN_PASSIVE_SCAN) {
-            !(chan->orig_flags & IEEE80211_CHAN_PASSIVE_SCAN)) {
                chan->flags &= ~IEEE80211_CHAN_PASSIVE_SCAN;
                channel_changed = true;
        }
-        if ((chan->flags & IEEE80211_CHAN_NO_IBSS) &&
+        if (chan->flags & IEEE80211_CHAN_NO_IBSS) {
-            !(chan->orig_flags & IEEE80211_CHAN_NO_IBSS)) {
                chan->flags &= ~IEEE80211_CHAN_NO_IBSS;
                channel_changed = true;
        }
diff --git a/net/wireless/reg.h b/net/wireless/reg.h
index e37829a49dc4..4e167a8e11be 100644
--- a/net/wireless/reg.h
+++ b/net/wireless/reg.h
@@ -30,7 +30,8 @@ int set_regdom(const struct ieee80211_regdomain *rd);
 * non-radar 5 GHz channels.
 *
 * Drivers do not need to call this, cfg80211 will do it for after a scan
- * on a newly found BSS.
+ * on a newly found BSS. If you cannot make use of this feature you can
+ * set the wiphy->disable_beacon_hints to true.
 */
 int regulatory_hint_found_beacon(struct wiphy *wiphy,
                                        struct ieee80211_channel *beacon_chan,
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e95b638b919f..7e595ce24eeb 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -35,8 +35,6 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
        else
                nl80211_send_scan_done(wiphy_to_dev(request->wiphy), dev);
-        wiphy_to_dev(request->wiphy)->scan_req = NULL;
 #ifdef CONFIG_WIRELESS_EXT
        if (!aborted) {
                memset(&wrqu, 0, sizeof(wrqu));
@@ -48,6 +46,7 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
        dev_put(dev);
 out:
+        wiphy_to_dev(request->wiphy)->scan_req = NULL;
        kfree(request);
 }
 EXPORT_SYMBOL(cfg80211_scan_done);
@@ -119,7 +118,7 @@ static int cmp_ies(u8 num, u8 *ies1, size_t len1, u8 *ies2, size_t len2)
        if (!ie1 && !ie2)
                return 0;
-        if (!ie1)
+        if (!ie1 || !ie2)
                return -1;
        r = memcmp(ie1 + 2, ie2 + 2, min(ie1[1], ie2[1]));
@@ -172,6 +171,8 @@ static bool is_mesh(struct cfg80211_bss *a,
        ie = find_ie(WLAN_EID_MESH_CONFIG,
                     a->information_elements,
                     a->len_information_elements);
+        if (!ie)
+                return false;
        if (ie[1] != IEEE80211_MESH_CONFIG_LEN)
                return false;
@@ -366,7 +367,6 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
        found = rb_find_bss(dev, res);
        if (found) {
-                kref_get(&found->ref);
                found->pub.beacon_interval = res->pub.beacon_interval;
                found->pub.tsf = res->pub.tsf;
                found->pub.signal = res->pub.signal;
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 21cdc872004e..5e6c072c64d3 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -40,6 +40,7 @@
 #include <linux/errno.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
+#include <linux/smp_lock.h>
 #include <linux/timer.h>
 #include <linux/string.h>
 #include <linux/net.h>
author	Tejun Heo <tj@kernel.org>	2009-08-14 01:41:02 -0400
committer	Tejun Heo <tj@kernel.org>	2009-08-14 01:45:31 -0400
commit	384be2b18a5f9475eab9ca2bdfa95cc1a04ef59c (patch)
tree	04c93f391a1b65c8bf8d7ba8643c07d26c26590a /net
parent	a76761b621bcd8336065c4fe3a74f046858bc34c (diff)
parent	142d44b0dd6741a64a7bdbe029110e7c1dcf1d23 (diff)