20 files changed, 37 insertions, 44 deletions

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 3ba843c46382..c6cb8f095088 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -143,7 +143,7 @@ static inline unsigned int sk_filter_len(struct sk_filter *fp)
 struct sk_buff;
 struct sock;
 
-extern int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen);
+extern unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen);
 extern int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk);
 extern int sk_chk_filter(struct sock_filter *filter, int flen);
 #endif /* __KERNEL__ */
diff --git a/include/linux/inet.h b/include/linux/inet.h
index 3b5e9fdff872..6c5587af118d 100644
--- a/include/linux/inet.h
+++ b/include/linux/inet.h
@@ -45,6 +45,6 @@
 #ifdef __KERNEL__
 #include <linux/types.h>
 
-extern __u32 in_aton(const char *str);
+extern __be32 in_aton(const char *str);
 #endif
 #endif  /* _LINUX_INET_H */
diff --git a/include/linux/ip.h b/include/linux/ip.h
index 9e2eb9a602eb..4b55cf1df732 100644
--- a/include/linux/ip.h
+++ b/include/linux/ip.h
@@ -90,14 +90,14 @@ struct iphdr {
 #error  "Please fix <asm/byteorder.h>"
 #endif
         __u8    tos;
-        __u16   tot_len;
-        __u16   id;
-        __u16   frag_off;
+        __be16  tot_len;
+        __be16  id;
+        __be16  frag_off;
         __u8    ttl;
         __u8    protocol;
         __u16   check;
-        __u32   saddr;
-        __u32   daddr;
+        __be32  saddr;
+        __be32  daddr;
         /*The options start here. */
 };
 
diff --git a/include/net/sock.h b/include/net/sock.h
index 6961700ff3a0..1806e5b61419 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -856,8 +856,8 @@ static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock)
                 
                 filter = sk->sk_filter;
                 if (filter) {
-                        int pkt_len = sk_run_filter(skb, filter->insns,
-                                                    filter->len);
+                        unsigned int pkt_len = sk_run_filter(skb, filter->insns,
+                                                             filter->len);
                         if (!pkt_len)
                                 err = -EPERM;
                         else
diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index 72f3f7b8de80..bdb4d89730d2 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -295,7 +295,7 @@ static inline __be16 br_type_trans(struct sk_buff *skb, struct net_device *dev)
         unsigned char *rawp;
         eth = eth_hdr(skb);
 
-        if (*eth->h_dest & 1) {
+        if (is_multicast_ether_addr(eth->h_dest)) {
                 if (memcmp(eth->h_dest, dev->broadcast, ETH_ALEN) == 0)
                         skb->pkt_type = PACKET_BROADCAST;
                 else
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index c387852f753a..e3a73cead6b6 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -68,7 +68,7 @@ int br_handle_frame_finish(struct sk_buff *skb)
                 }
         }
 
-        if (dest[0] & 1) {
+        if (is_multicast_ether_addr(dest)) {
                 br_flood_forward(br, skb, !passedup);
                 if (!passedup)
                         br_pass_frame_up(br, skb);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 223f8270daee..7cac3fb9f809 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -394,8 +394,9 @@ inhdr_error:
  * target in particular.  Save the original destination IP
  * address to be able to detect DNAT afterwards. */
 static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
-   const struct net_device *in, const struct net_device *out,
-   int (*okfn)(struct sk_buff *))
+                                      const struct net_device *in,
+                                      const struct net_device *out,
+                                      int (*okfn)(struct sk_buff *))
 {
         struct iphdr *iph;
         __u32 len;
@@ -412,8 +413,10 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
                         goto out;
 
                 if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+                        u8 *vhdr = skb->data;
                         skb_pull(skb, VLAN_HLEN);
-                        (skb)->nh.raw += VLAN_HLEN;
+                        skb_postpull_rcsum(skb, vhdr, VLAN_HLEN);
+                        skb->nh.raw += VLAN_HLEN;
                 }
                 return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
         }
@@ -429,8 +432,10 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
                 goto out;
 
         if (skb->protocol == __constant_htons(ETH_P_8021Q)) {
+                u8 *vhdr = skb->data;
                 skb_pull(skb, VLAN_HLEN);
-                (skb)->nh.raw += VLAN_HLEN;
+                skb_postpull_rcsum(skb, vhdr, VLAN_HLEN);
+                skb->nh.raw += VLAN_HLEN;
         }
 
         if (!pskb_may_pull(skb, sizeof(struct iphdr)))
diff --git a/net/core/filter.c b/net/core/filter.c
index 8964d3445588..9eb9d0017a01 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -75,7 +75,7 @@ static inline void *load_pointer(struct sk_buff *skb, int k,
  * len is the number of filter blocks in the array.
  */
  
-int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
+unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
 {
         struct sock_filter *fentry;     /* We walk down these */
         void *ptr;
@@ -241,9 +241,9 @@ load_b:
                         A = X;
                         continue;
                 case BPF_RET|BPF_K:
-                        return ((unsigned int)fentry->k);
+                        return fentry->k;
                 case BPF_RET|BPF_A:
-                        return ((unsigned int)A);
+                        return A;
                 case BPF_ST:
                         mem[fentry->k] = A;
                         continue;
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 06cad2d63e8a..631056d44b7b 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -473,7 +473,6 @@ static char version[] __initdata = VERSION;
 
 static int pktgen_remove_device(struct pktgen_thread* t, struct pktgen_dev *i);
 static int pktgen_add_device(struct pktgen_thread* t, const char* ifname);
-static struct pktgen_thread* pktgen_find_thread(const char* name);
 static struct pktgen_dev *pktgen_find_dev(struct pktgen_thread* t, const char* ifname);
 static int pktgen_device_event(struct notifier_block *, unsigned long, void *);
 static void pktgen_run_all_threads(void);
@@ -2883,7 +2882,7 @@ static int pktgen_add_device(struct pktgen_thread *t, const char* ifname)
         return add_dev_to_thread(t, pkt_dev);
 }
 
-static struct pktgen_thread *pktgen_find_thread(const char* name) 
+static struct pktgen_thread * __init pktgen_find_thread(const char* name) 
 {
         struct pktgen_thread *t = NULL;
 
@@ -2900,7 +2899,7 @@ static struct pktgen_thread *pktgen_find_thread(const char* name)
         return t;
 }
 
-static int pktgen_create_thread(const char* name, int cpu) 
+static int __init pktgen_create_thread(const char* name, int cpu) 
 {
         struct pktgen_thread *t = NULL;
         struct proc_dir_entry *pe;
diff --git a/net/core/utils.c b/net/core/utils.c
index 587eb7787deb..ac1d1fcf8673 100644
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -162,7 +162,7 @@ EXPORT_SYMBOL(net_srandom);
  * is otherwise not dependent on the TCP/IP stack.
  */
 
-__u32 in_aton(const char *str)
+__be32 in_aton(const char *str)
 {
         unsigned long l;
         unsigned int val;
diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
index 9f4dbeb59315..9890fd97e538 100644
--- a/net/ethernet/eth.c
+++ b/net/ethernet/eth.c
@@ -163,7 +163,7 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
         skb_pull(skb,ETH_HLEN);
         eth = eth_hdr(skb);
         
-        if (*eth->h_dest&1) {
+        if (is_multicast_ether_addr(eth->h_dest)) {
                 if (!compare_ether_addr(eth->h_dest, dev->broadcast))
                         skb->pkt_type = PACKET_BROADCAST;
                 else
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index ce2b70ce4018..2a8adda15e11 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -383,7 +383,7 @@ out_nomem:
  */
 static inline struct ipq *ip_find(struct iphdr *iph, u32 user)
 {
-        __u16 id = iph->id;
+        __be16 id = iph->id;
         __u32 saddr = iph->saddr;
         __u32 daddr = iph->daddr;
         __u8 protocol = iph->protocol;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 71da31818cfc..8b1c9bd0091e 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -418,7 +418,7 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
         struct sk_buff *skb2;
         unsigned int mtu, hlen, left, len, ll_rs;
         int offset;
-        int not_last_frag;
+        __be16 not_last_frag;
         struct rtable *rt = (struct rtable*)skb->dst;
         int err = 0;
 
@@ -1180,7 +1180,7 @@ int ip_push_pending_frames(struct sock *sk)
         struct ip_options *opt = NULL;
         struct rtable *rt = inet->cork.rt;
         struct iphdr *iph;
-        int df = 0;
+        __be16 df = 0;
         __u8 ttl;
         int err = 0;
 
diff --git a/net/ipv4/ipvs/ip_vs_xmit.c b/net/ipv4/ipvs/ip_vs_xmit.c
index 3b87482049cf..52c12e9edbbc 100644
--- a/net/ipv4/ipvs/ip_vs_xmit.c
+++ b/net/ipv4/ipvs/ip_vs_xmit.c
@@ -322,7 +322,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
         struct net_device *tdev;                /* Device to other host */
         struct iphdr  *old_iph = skb->nh.iph;
         u8     tos = old_iph->tos;
-        u16    df = old_iph->frag_off;
+        __be16 df = old_iph->frag_off;
         struct iphdr  *iph;                     /* Our new IP header */
         int    max_headroom;                    /* The extra header space needed */
         int    mtu;
diff --git a/net/ipv4/netfilter/ipt_helper.c b/net/ipv4/netfilter/ipt_helper.c
index bf14e1c7798a..aef649e393af 100644
--- a/net/ipv4/netfilter/ipt_helper.c
+++ b/net/ipv4/netfilter/ipt_helper.c
@@ -13,6 +13,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter.h>
+#include <linux/interrupt.h>
 #if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
 #include <linux/netfilter_ipv4/ip_conntrack.h>
 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 16459c7f54b2..bfabaf9cba87 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -540,12 +540,7 @@ static struct sock *x25_make_new(struct sock *osk)
         sk->sk_state       = TCP_ESTABLISHED;
         sk->sk_sleep       = osk->sk_sleep;
         sk->sk_backlog_rcv = osk->sk_backlog_rcv;
-
-        if (sock_flag(osk, SOCK_ZAPPED))
-                sock_set_flag(sk, SOCK_ZAPPED);
-        
-        if (sock_flag(osk, SOCK_DBG))
-                sock_set_flag(sk, SOCK_DBG);
+        sock_copy_flags(sk, osk);
 
         ox25 = x25_sk(osk);
         x25->t21        = ox25->t21;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 92e2b804c606..ac87a09ba83e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -802,6 +802,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
         excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
         err = xfrm_policy_insert(p->dir, xp, excl);
         if (err) {
+                security_xfrm_policy_free(xp);
                 kfree(xp);
                 return err;
         }
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 71aeb12f07c8..591e98d9315a 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -238,5 +238,4 @@
    S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index d1d0996049e3..d7f02edf3930 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -908,8 +908,7 @@
 
 #define ASSOCIATION__SENDTO                       0x00000001UL
 #define ASSOCIATION__RECVFROM                     0x00000002UL
-#define ASSOCIATION__RELABELFROM                  0x00000004UL
-#define ASSOCIATION__RELABELTO                    0x00000008UL
+#define ASSOCIATION__SETCONTEXT                   0x00000004UL
 
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL      0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ       0x00000002UL
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index c4d87d4dca7b..5b7776504e4c 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
          * Must be permitted to relabel from default socket type (process type)
          * to specified context
          */
-        rc = avc_has_perm(tsec->sid, tsec->sid,
-                          SECCLASS_ASSOCIATION,
-                          ASSOCIATION__RELABELFROM, NULL);
-        if (rc)
-                goto out;
-
         rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
                           SECCLASS_ASSOCIATION,
-                          ASSOCIATION__RELABELTO, NULL);
+                          ASSOCIATION__SETCONTEXT, NULL);
         if (rc)
                 goto out;