31 files changed, 250 insertions, 149 deletions
diff --git a/net/ceph/Makefile b/net/ceph/Makefile
index aab1cabb8035..5f19415ec9c0 100644
--- a/net/ceph/Makefile
+++ b/net/ceph/Makefile
@@ -1,9 +1,6 @@
 #
 # Makefile for CEPH filesystem.
 #
-ifneq ($(KERNELRELEASE),)
 obj-$(CONFIG_CEPH_LIB) += libceph.o
 libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
@@ -16,22 +13,3 @@ libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
        ceph_fs.o ceph_strings.o ceph_hash.o \
        pagevec.o
-else
-#Otherwise we were called directly from the command
-# line; invoke the kernel build system.
-KERNELDIR ?= /lib/modules/$(shell uname -r)/build
-PWD := $(shell pwd)
-default: all
-all:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules
-modules_install:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules_install
-clean:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) clean
-endif
diff --git a/net/ceph/buffer.c b/net/ceph/buffer.c
index 53d8abfa25d5..bf3e6a13c215 100644
--- a/net/ceph/buffer.c
+++ b/net/ceph/buffer.c
@@ -19,7 +19,7 @@ struct ceph_buffer *ceph_buffer_new(size_t len, gfp_t gfp)
        if (b->vec.iov_base) {
                b->is_vmalloc = false;
        } else {
-                b->vec.iov_base = __vmalloc(len, gfp, PAGE_KERNEL);
+                b->vec.iov_base = __vmalloc(len, gfp | __GFP_HIGHMEM, PAGE_KERNEL);
                if (!b->vec.iov_base) {
                        kfree(b);
                        return NULL;
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 0e8157ee5d43..1c7a2ec4f3cc 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -540,8 +540,7 @@ static void prepare_write_message(struct ceph_connection *con)
                /* initialize page iterator */
                con->out_msg_pos.page = 0;
                if (m->pages)
-                        con->out_msg_pos.page_pos =
+                        con->out_msg_pos.page_pos = m->page_alignment;
-                                le16_to_cpu(m->hdr.data_off) & ~PAGE_MASK;
                else
                        con->out_msg_pos.page_pos = 0;
                con->out_msg_pos.data_pos = 0;
@@ -1491,7 +1490,7 @@ static int read_partial_message(struct ceph_connection *con)
        struct ceph_msg *m = con->in_msg;
        int ret;
        int to, left;
-        unsigned front_len, middle_len, data_len, data_off;
+        unsigned front_len, middle_len, data_len;
        int datacrc = con->msgr->nocrc;
        int skip;
        u64 seq;
@@ -1527,19 +1526,17 @@ static int read_partial_message(struct ceph_connection *con)
        data_len = le32_to_cpu(con->in_hdr.data_len);
        if (data_len > CEPH_MSG_MAX_DATA_LEN)
                return -EIO;
-        data_off = le16_to_cpu(con->in_hdr.data_off);
        /* verify seq# */
        seq = le64_to_cpu(con->in_hdr.seq);
        if ((s64)seq - (s64)con->in_seq < 1) {
-                pr_info("skipping %s%lld %s seq %lld, expected %lld\n",
+                pr_info("skipping %s%lld %s seq %lld expected %lld\n",
                        ENTITY_NAME(con->peer_name),
                        ceph_pr_addr(&con->peer_addr.in_addr),
                        seq, con->in_seq + 1);
                con->in_base_pos = -front_len - middle_len - data_len -
                        sizeof(m->footer);
                con->in_tag = CEPH_MSGR_TAG_READY;
-                con->in_seq++;
                return 0;
        } else if ((s64)seq - (s64)con->in_seq > 1) {
                pr_err("read_partial_message bad seq %lld expected %lld\n",
@@ -1576,7 +1573,7 @@ static int read_partial_message(struct ceph_connection *con)
                con->in_msg_pos.page = 0;
                if (m->pages)
-                        con->in_msg_pos.page_pos = data_off & ~PAGE_MASK;
+                        con->in_msg_pos.page_pos = m->page_alignment;
                else
                        con->in_msg_pos.page_pos = 0;
                con->in_msg_pos.data_pos = 0;
@@ -2301,6 +2298,7 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags)
        /* data */
        m->nr_pages = 0;
+        m->page_alignment = 0;
        m->pages = NULL;
        m->pagelist = NULL;
        m->bio = NULL;
@@ -2370,6 +2368,7 @@ static struct ceph_msg *ceph_alloc_msg(struct ceph_connection *con,
                               type, front_len);
                        return NULL;
                }
+                msg->page_alignment = le16_to_cpu(hdr->data_off);
        }
        memcpy(&msg->hdr, &con->in_hdr, sizeof(con->in_hdr));
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 79391994b3ed..3e20a122ffa2 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -71,6 +71,7 @@ void ceph_calc_raw_layout(struct ceph_osd_client *osdc,
                op->extent.length = objlen;
        }
        req->r_num_pages = calc_pages_for(off, *plen);
+        req->r_page_alignment = off & ~PAGE_MASK;
        if (op->op == CEPH_OSD_OP_WRITE)
                op->payload_len = *plen;
@@ -390,6 +391,8 @@ void ceph_osdc_build_request(struct ceph_osd_request *req,
                req->r_request->hdr.data_len = cpu_to_le32(data_len);
        }
+        req->r_request->page_alignment = req->r_page_alignment;
        BUG_ON(p > msg->front.iov_base + msg->front.iov_len);
        msg_size = p - msg->front.iov_base;
        msg->front.iov_len = msg_size;
@@ -419,7 +422,8 @@ struct ceph_osd_request *ceph_osdc_new_request(struct ceph_osd_client *osdc,
                                               u32 truncate_seq,
                                               u64 truncate_size,
                                               struct timespec *mtime,
-                                               bool use_mempool, int num_reply)
+                                               bool use_mempool, int num_reply,
+                                               int page_align)
 {
        struct ceph_osd_req_op ops[3];
        struct ceph_osd_request *req;
@@ -447,6 +451,10 @@ struct ceph_osd_request *ceph_osdc_new_request(struct ceph_osd_client *osdc,
        calc_layout(osdc, vino, layout, off, plen, req, ops);
        req->r_file_layout = *layout;  /* keep a copy */
+        /* in case it differs from natural alignment that calc_layout
+           filled in for us */
+        req->r_page_alignment = page_align;
        ceph_osdc_build_request(req, off, plen, ops,
                                snapc,
                                mtime,
@@ -1489,7 +1497,7 @@ int ceph_osdc_readpages(struct ceph_osd_client *osdc,
                        struct ceph_vino vino, struct ceph_file_layout *layout,
                        u64 off, u64 *plen,
                        u32 truncate_seq, u64 truncate_size,
-                        struct page **pages, int num_pages)
+                        struct page **pages, int num_pages, int page_align)
 {
        struct ceph_osd_request *req;
        int rc = 0;
@@ -1499,15 +1507,15 @@ int ceph_osdc_readpages(struct ceph_osd_client *osdc,
        req = ceph_osdc_new_request(osdc, layout, vino, off, plen,
                                    CEPH_OSD_OP_READ, CEPH_OSD_FLAG_READ,
                                    NULL, 0, truncate_seq, truncate_size, NULL,
-                                    false, 1);
+                                    false, 1, page_align);
        if (!req)
                return -ENOMEM;
        /* it may be a short read due to an object boundary */
        req->r_pages = pages;
-        dout("readpages  final extent is %llu~%llu (%d pages)\n",
+        dout("readpages  final extent is %llu~%llu (%d pages align %d)\n",
-             off, *plen, req->r_num_pages);
+             off, *plen, req->r_num_pages, page_align);
        rc = ceph_osdc_start_request(osdc, req, false);
        if (!rc)
@@ -1533,6 +1541,7 @@ int ceph_osdc_writepages(struct ceph_osd_client *osdc, struct ceph_vino vino,
 {
        struct ceph_osd_request *req;
        int rc = 0;
+        int page_align = off & ~PAGE_MASK;
        BUG_ON(vino.snap != CEPH_NOSNAP);
        req = ceph_osdc_new_request(osdc, layout, vino, off, &len,
@@ -1541,7 +1550,7 @@ int ceph_osdc_writepages(struct ceph_osd_client *osdc, struct ceph_vino vino,
                                            CEPH_OSD_FLAG_WRITE,
                                    snapc, do_sync,
                                    truncate_seq, truncate_size, mtime,
-                                    nofail, 1);
+                                    nofail, 1, page_align);
        if (!req)
                return -ENOMEM;
@@ -1638,8 +1647,7 @@ static struct ceph_msg *get_reply(struct ceph_connection *con,
        m = ceph_msg_get(req->r_reply);
        if (data_len > 0) {
-                unsigned data_off = le16_to_cpu(hdr->data_off);
+                int want = calc_pages_for(req->r_page_alignment, data_len);
-                int want = calc_pages_for(data_off & ~PAGE_MASK, data_len);
                if (unlikely(req->r_num_pages < want)) {
                        pr_warning("tid %lld reply %d > expected %d pages\n",
@@ -1651,6 +1659,7 @@ static struct ceph_msg *get_reply(struct ceph_connection *con,
                }
                m->pages = req->r_pages;
                m->nr_pages = req->r_num_pages;
+                m->page_alignment = req->r_page_alignment;
 #ifdef CONFIG_BLOCK
                m->bio = req->r_bio;
 #endif
diff --git a/net/ceph/pagevec.c b/net/ceph/pagevec.c
index 54caf0687155..ac34feeb2b3a 100644
--- a/net/ceph/pagevec.c
+++ b/net/ceph/pagevec.c
@@ -13,8 +13,7 @@
 * build a vector of user pages
 */
 struct page **ceph_get_direct_page_vector(const char __user *data,
-                                                 int num_pages,
+                                          int num_pages)
-                                                 loff_t off, size_t len)
 {
        struct page **pages;
        int rc;
diff --git a/net/core/filter.c b/net/core/filter.c
index 23e9b2a6b4c8..c1ee800bc080 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -589,7 +589,7 @@ int sk_chk_filter(struct sock_filter *filter, int flen)
 EXPORT_SYMBOL(sk_chk_filter);
 /**
- *      sk_filter_rcu_release: Release a socket filter by rcu_head
+ *      sk_filter_rcu_release - Release a socket filter by rcu_head
 *      @rcu: rcu_head that contains the sk_filter to free
 */
 static void sk_filter_rcu_release(struct rcu_head *rcu)
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index a5ff5a89f376..7f902cad10f8 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -712,15 +712,21 @@ static void rx_queue_release(struct kobject *kobj)
        map = rcu_dereference_raw(queue->rps_map);
-        if (map)
+        if (map) {
+                RCU_INIT_POINTER(queue->rps_map, NULL);
                call_rcu(&map->rcu, rps_map_release);
+        }
        flow_table = rcu_dereference_raw(queue->rps_flow_table);
-        if (flow_table)
+        if (flow_table) {
+                RCU_INIT_POINTER(queue->rps_flow_table, NULL);
                call_rcu(&flow_table->rcu, rps_dev_flow_table_release);
+        }
        if (atomic_dec_and_test(&first->count))
                kfree(first);
+        else
+                memset(kobj, 0, sizeof(*kobj));
 }
 static struct kobj_type rx_queue_ktype = {
diff --git a/net/core/request_sock.c b/net/core/request_sock.c
index 7552495aff7a..fceeb37d7161 100644
--- a/net/core/request_sock.c
+++ b/net/core/request_sock.c
@@ -45,9 +45,7 @@ int reqsk_queue_alloc(struct request_sock_queue *queue,
        nr_table_entries = roundup_pow_of_two(nr_table_entries + 1);
        lopt_size += nr_table_entries * sizeof(struct request_sock *);
        if (lopt_size > PAGE_SIZE)
-                lopt = __vmalloc(lopt_size,
+                lopt = vzalloc(lopt_size);
-                        GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
-                        PAGE_KERNEL);
        else
                lopt = kzalloc(lopt_size, GFP_KERNEL);
        if (lopt == NULL)
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 265985370fa1..e424a09e83f6 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -239,7 +239,8 @@ static int dccp_check_seqno(struct sock *sk, struct sk_buff *skb)
                dccp_update_gsr(sk, seqno);
                if (dh->dccph_type != DCCP_PKT_SYNC &&
-                    (ackno != DCCP_PKT_WITHOUT_ACK_SEQ))
+                    ackno != DCCP_PKT_WITHOUT_ACK_SEQ &&
+                    after48(ackno, dp->dccps_gar))
                        dp->dccps_gar = ackno;
        } else {
                unsigned long now = jiffies;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index a76b78de679f..6f97268ed85f 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1556,6 +1556,8 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                        if (r_len > sizeof(struct linkinfo_dn))
                                r_len = sizeof(struct linkinfo_dn);
+                        memset(&link, 0, sizeof(link));
                        switch(sock->state) {
                                case SS_CONNECTING:
                                        link.idn_linkstate = LL_CONNECTING;
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index f8c1ae4b41f0..13992e1d2726 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
 #include <linux/skbuff.h>
 #include <linux/udp.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/sock.h>
 #include <net/inet_common.h>
 #include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 #endif
 #ifdef CONFIG_ECONET_AUNUDP
        struct msghdr udpmsg;
-        struct iovec iov[msg->msg_iovlen+1];
+        struct iovec iov[2];
        struct aunhdr ah;
        struct sockaddr_in udpdest;
        __kernel_size_t size;
-        int i;
        mm_segment_t oldfs;
+        char *userbuf;
 #endif
        /*
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        mutex_lock(&econet_mutex);
-        if (saddr == NULL) {
+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                struct econet_sock *eo = ec_sk(sk);
+                mutex_unlock(&econet_mutex);
+                return -EINVAL;
-                addr.station = eo->station;
+        }
-                addr.net     = eo->net;
+        addr.station = saddr->addr.station;
-                port         = eo->port;
+        addr.net = saddr->addr.net;
-                cb           = eo->cb;
+        port = saddr->port;
-        } else {
+        cb = saddr->cb;
-                if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                        mutex_unlock(&econet_mutex);
-                        return -EINVAL;
-                }
-                addr.station = saddr->addr.station;
-                addr.net = saddr->addr.net;
-                port = saddr->port;
-                cb = saddr->cb;
-        }
        /* Look for a device with the right network number. */
        dev = net2dev_map[addr.net];
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                }
        }
-        if (len + 15 > dev->mtu) {
-                mutex_unlock(&econet_mutex);
-                return -EMSGSIZE;
-        }
        if (dev->type == ARPHRD_ECONET) {
                /* Real hardware Econet.  We're not worthy etc. */
 #ifdef CONFIG_ECONET_NATIVE
                unsigned short proto = 0;
                int res;
+                if (len + 15 > dev->mtu) {
+                        mutex_unlock(&econet_mutex);
+                        return -EMSGSIZE;
+                }
                dev_hold(dev);
                skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                eb = (struct ec_cb *)&skb->cb;
-                /* BUG: saddr may be NULL */
                eb->cookie = saddr->cookie;
                eb->sec = *saddr;
                eb->sent = ec_tx_done;
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                return -ENETDOWN;               /* No socket - can't send */
        }
+        if (len > 32768) {
+                err = -E2BIG;
+                goto error;
+        }
        /* Make up a UDP datagram and hand it off to some higher intellect. */
        memset(&udpdest, 0, sizeof(udpdest));
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* tack our header on the front of the iovec */
        size = sizeof(struct aunhdr);
-        /*
-         * XXX: that is b0rken.  We can't mix userland and kernel pointers
-         * in iovec, since on a lot of platforms copy_from_user() will
-         * *not* work with the kernel and userland ones at the same time,
-         * regardless of what we do with set_fs().  And we are talking about
-         * econet-over-ethernet here, so "it's only ARM anyway" doesn't
-         * apply.  Any suggestions on fixing that code?         -- AV
-         */
        iov[0].iov_base = (void *)&ah;
        iov[0].iov_len = size;
-        for (i = 0; i < msg->msg_iovlen; i++) {
-                void __user *base = msg->msg_iov[i].iov_base;
+        userbuf = vmalloc(len);
-                size_t iov_len = msg->msg_iov[i].iov_len;
+        if (userbuf == NULL) {
-                /* Check it now since we switch to KERNEL_DS later. */
+                err = -ENOMEM;
-                if (!access_ok(VERIFY_READ, base, iov_len)) {
+                goto error;
-                        mutex_unlock(&econet_mutex);
-                        return -EFAULT;
-                }
-                iov[i+1].iov_base = base;
-                iov[i+1].iov_len = iov_len;
-                size += iov_len;
        }
+        iov[1].iov_base = userbuf;
+        iov[1].iov_len = len;
+        err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
+        if (err)
+                goto error_free_buf;
        /* Get a skbuff (no data, just holds our cb information) */
        if ((skb = sock_alloc_send_skb(sk, 0,
                                       msg->msg_flags & MSG_DONTWAIT,
-                                       &err)) == NULL) {
+                                       &err)) == NULL)
-                mutex_unlock(&econet_mutex);
+                goto error_free_buf;
-                return err;
-        }
        eb = (struct ec_cb *)&skb->cb;
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        udpmsg.msg_name = (void *)&udpdest;
        udpmsg.msg_namelen = sizeof(udpdest);
        udpmsg.msg_iov = &iov[0];
-        udpmsg.msg_iovlen = msg->msg_iovlen + 1;
+        udpmsg.msg_iovlen = 2;
        udpmsg.msg_control = NULL;
        udpmsg.msg_controllen = 0;
        udpmsg.msg_flags=0;
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
        err = sock_sendmsg(udpsock, &udpmsg, size);
        set_fs(oldfs);
+error_free_buf:
+        vfree(userbuf);
 #else
        err = -EPROTOTYPE;
 #endif
+        error:
        mutex_unlock(&econet_mutex);
        return err;
@@ -671,6 +661,9 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
        err = 0;
        switch (cmd) {
        case SIOCSIFADDR:
+                if (!capable(CAP_NET_ADMIN))
+                        return -EPERM;
                edev = dev->ec_ptr;
                if (edev == NULL) {
                        /* Magic up a new one. */
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 200eb538fbb3..0f280348e0fd 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -365,7 +365,7 @@ static struct tnode *tnode_alloc(size_t size)
        if (size <= PAGE_SIZE)
                return kzalloc(size, GFP_KERNEL);
        else
-                return __vmalloc(size, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
+                return vzalloc(size);
 }
 static void __tnode_vfree(struct work_struct *arg)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 96bc7f9475a3..e5d1a44bcbdf 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -569,6 +569,9 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
                /* No need to clone since we're just using its address. */
                rt2 = rt;
+                if (!fl.nl_u.ip4_u.saddr)
+                        fl.nl_u.ip4_u.saddr = rt->rt_src;
                err = xfrm_lookup(net, (struct dst_entry **)&rt, &fl, NULL, 0);
                switch (err) {
                case 0:
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 1b344f30b463..3c0369a3a663 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -133,8 +133,7 @@ int __inet_inherit_port(struct sock *sk, struct sock *child)
                        }
                }
        }
-        sk_add_bind_node(child, &tb->owners);
+        inet_bind_hash(child, tb, port);
-        inet_csk(child)->icsk_bind_hash = tb;
        spin_unlock(&head->lock);
        return 0;
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index e91911d7aae2..1b4ec21497a4 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -26,6 +26,8 @@ static int zero;
 static int tcp_retr1_max = 255;
 static int ip_local_port_range_min[] = { 1, 1 };
 static int ip_local_port_range_max[] = { 65535, 65535 };
+static int tcp_adv_win_scale_min = -31;
+static int tcp_adv_win_scale_max = 31;
 /* Update system visible IP port range */
 static void set_local_port_range(int range[2])
@@ -426,7 +428,9 @@ static struct ctl_table ipv4_table[] = {
                .data           = &sysctl_tcp_adv_win_scale,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = proc_dointvec
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &tcp_adv_win_scale_min,
+                .extra2         = &tcp_adv_win_scale_max,
        },
        {
                .procname       = "tcp_tw_reuse",
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 081419969485..f15c36a706ec 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
                /* Values greater than interface MTU won't take effect. However
                 * at the point when this call is done we typically don't yet
                 * know which interface is going to be used */
-                if (val < 64 || val > MAX_TCP_WINDOW) {
+                if (val < TCP_MIN_MSS || val > MAX_TCP_WINDOW) {
                        err = -EINVAL;
                        break;
                }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 69ccbc1dde9c..e13da6de1fc7 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2043,7 +2043,9 @@ get_req:
        }
 get_sk:
        sk_nulls_for_each_from(sk, node) {
-                if (sk->sk_family == st->family && net_eq(sock_net(sk), net)) {
+                if (!net_eq(sock_net(sk), net))
+                        continue;
+                if (sk->sk_family == st->family) {
                        cur = sk;
                        goto out;
                }
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index b41ce0f0d514..23cc8e1ce8d4 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -98,7 +98,11 @@
 #endif
 #define INFINITY_LIFE_TIME      0xFFFFFFFF
-#define TIME_DELTA(a, b) ((unsigned long)((long)(a) - (long)(b)))
+static inline u32 cstamp_delta(unsigned long cstamp)
+{
+        return (cstamp - INITIAL_JIFFIES) * 100UL / HZ;
+}
 #define ADDRCONF_TIMER_FUZZ_MINUS       (HZ > 50 ? HZ/50 : 1)
 #define ADDRCONF_TIMER_FUZZ             (HZ / 4)
@@ -2754,13 +2758,13 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                        ifa->state = INET6_IFADDR_STATE_DEAD;
                        spin_unlock_bh(&ifa->state_lock);
-                        if (state == INET6_IFADDR_STATE_DEAD) {
+                        if (state != INET6_IFADDR_STATE_DEAD) {
-                                in6_ifa_put(ifa);
-                        } else {
                                __ipv6_ifa_notify(RTM_DELADDR, ifa);
                                atomic_notifier_call_chain(&inet6addr_chain,
                                                           NETDEV_DOWN, ifa);
                        }
+                        in6_ifa_put(ifa);
                        write_lock_bh(&idev->lock);
                }
        }
@@ -3444,10 +3448,8 @@ static int put_cacheinfo(struct sk_buff *skb, unsigned long cstamp,
 {
        struct ifa_cacheinfo ci;
-        ci.cstamp = (u32)(TIME_DELTA(cstamp, INITIAL_JIFFIES) / HZ * 100
+        ci.cstamp = cstamp_delta(cstamp);
-                        + TIME_DELTA(cstamp, INITIAL_JIFFIES) % HZ * 100 / HZ);
+        ci.tstamp = cstamp_delta(tstamp);
-        ci.tstamp = (u32)(TIME_DELTA(tstamp, INITIAL_JIFFIES) / HZ * 100
-                        + TIME_DELTA(tstamp, INITIAL_JIFFIES) % HZ * 100 / HZ);
        ci.ifa_prefered = preferred;
        ci.ifa_valid = valid;
@@ -3798,8 +3800,10 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
        array[DEVCONF_AUTOCONF] = cnf->autoconf;
        array[DEVCONF_DAD_TRANSMITS] = cnf->dad_transmits;
        array[DEVCONF_RTR_SOLICITS] = cnf->rtr_solicits;
-        array[DEVCONF_RTR_SOLICIT_INTERVAL] = cnf->rtr_solicit_interval;
+        array[DEVCONF_RTR_SOLICIT_INTERVAL] =
-        array[DEVCONF_RTR_SOLICIT_DELAY] = cnf->rtr_solicit_delay;
+                jiffies_to_msecs(cnf->rtr_solicit_interval);
+        array[DEVCONF_RTR_SOLICIT_DELAY] =
+                jiffies_to_msecs(cnf->rtr_solicit_delay);
        array[DEVCONF_FORCE_MLD_VERSION] = cnf->force_mld_version;
 #ifdef CONFIG_IPV6_PRIVACY
        array[DEVCONF_USE_TEMPADDR] = cnf->use_tempaddr;
@@ -3813,7 +3817,8 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
        array[DEVCONF_ACCEPT_RA_PINFO] = cnf->accept_ra_pinfo;
 #ifdef CONFIG_IPV6_ROUTER_PREF
        array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref;
-        array[DEVCONF_RTR_PROBE_INTERVAL] = cnf->rtr_probe_interval;
+        array[DEVCONF_RTR_PROBE_INTERVAL] =
+                jiffies_to_msecs(cnf->rtr_probe_interval);
 #ifdef CONFIG_IPV6_ROUTE_INFO
        array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen;
 #endif
@@ -3929,10 +3934,9 @@ static int inet6_fill_ifinfo(struct sk_buff *skb, struct inet6_dev *idev,
        NLA_PUT_U32(skb, IFLA_INET6_FLAGS, idev->if_flags);
        ci.max_reasm_len = IPV6_MAXPLEN;
-        ci.tstamp = (__u32)(TIME_DELTA(idev->tstamp, INITIAL_JIFFIES) / HZ * 100
+        ci.tstamp = cstamp_delta(idev->tstamp);
-                    + TIME_DELTA(idev->tstamp, INITIAL_JIFFIES) % HZ * 100 / HZ);
+        ci.reachable_time = jiffies_to_msecs(idev->nd_parms->reachable_time);
-        ci.reachable_time = idev->nd_parms->reachable_time;
+        ci.retrans_time = jiffies_to_msecs(idev->nd_parms->retrans_time);
-        ci.retrans_time = idev->nd_parms->retrans_time;
        NLA_PUT(skb, IFLA_INET6_CACHEINFO, sizeof(ci), &ci);
        nla = nla_reserve(skb, IFLA_INET6_CONF, DEVCONF_MAX * sizeof(s32));
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 7f097989cde2..a6de3059746d 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -45,7 +45,6 @@
 #include <linux/capability.h>
 #include <linux/module.h>
 #include <linux/types.h>
-#include <linux/smp_lock.h>
 #include <linux/socket.h>
 #include <linux/sockios.h>
 #include <linux/slab.h>
diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c
index 7fa86373de41..7c567b8aa89a 100644
--- a/net/irda/irnet/irnet_ppp.c
+++ b/net/irda/irnet/irnet_ppp.c
@@ -15,7 +15,6 @@
 #include <linux/sched.h>
 #include <linux/slab.h>
-#include <linux/smp_lock.h>
 #include "irnet_ppp.h"          /* Private header */
 /* Please put other headers in irnet.h - Thanks */
diff --git a/net/irda/irttp.c b/net/irda/irttp.c
index 285761e77d90..f6054f9ccbe3 100644
--- a/net/irda/irttp.c
+++ b/net/irda/irttp.c
@@ -550,22 +550,30 @@ EXPORT_SYMBOL(irttp_close_tsap);
 */
 int irttp_udata_request(struct tsap_cb *self, struct sk_buff *skb)
 {
+        int ret;
        IRDA_ASSERT(self != NULL, return -1;);
        IRDA_ASSERT(self->magic == TTP_TSAP_MAGIC, return -1;);
        IRDA_ASSERT(skb != NULL, return -1;);
        IRDA_DEBUG(4, "%s()\n", __func__);
+        /* Take shortcut on zero byte packets */
+        if (skb->len == 0) {
+                ret = 0;
+                goto err;
+        }
        /* Check that nothing bad happens */
-        if ((skb->len == 0) || (!self->connected)) {
+        if (!self->connected) {
-                IRDA_DEBUG(1, "%s(), No data, or not connected\n",
+                IRDA_WARNING("%s(), Not connected\n", __func__);
-                           __func__);
+                ret = -ENOTCONN;
                goto err;
        }
        if (skb->len > self->max_seg_size) {
-                IRDA_DEBUG(1, "%s(), UData is too large for IrLAP!\n",
+                IRDA_ERROR("%s(), UData is too large for IrLAP!\n", __func__);
-                           __func__);
+                ret = -EMSGSIZE;
                goto err;
        }
@@ -576,7 +584,7 @@ int irttp_udata_request(struct tsap_cb *self, struct sk_buff *skb)
 err:
        dev_kfree_skb(skb);
-        return -1;
+        return ret;
 }
 EXPORT_SYMBOL(irttp_udata_request);
@@ -599,9 +607,15 @@ int irttp_data_request(struct tsap_cb *self, struct sk_buff *skb)
        IRDA_DEBUG(2, "%s() : queue len = %d\n", __func__,
                   skb_queue_len(&self->tx_queue));
+        /* Take shortcut on zero byte packets */
+        if (skb->len == 0) {
+                ret = 0;
+                goto err;
+        }
        /* Check that nothing bad happens */
-        if ((skb->len == 0) || (!self->connected)) {
+        if (!self->connected) {
-                IRDA_WARNING("%s: No data, or not connected\n", __func__);
+                IRDA_WARNING("%s: Not connected\n", __func__);
                ret = -ENOTCONN;
                goto err;
        }
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index 4d6f8653ec88..8e8ea9cb7093 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -92,7 +92,7 @@ config MAC80211_MESH
 config MAC80211_LEDS
        bool "Enable LED triggers"
        depends on MAC80211
-        select NEW_LEDS
+        depends on LEDS_CLASS
        select LEDS_TRIGGERS
        ---help---
          This option enables a few LED triggers for different
diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index a22dac227055..70bd1d0774c6 100644
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -4,6 +4,7 @@
 menuconfig IP_VS
        tristate "IP virtual server support"
        depends on NET && INET && NETFILTER
+        depends on (NF_CONNTRACK || NF_CONNTRACK=n)
        ---help---
          IP Virtual Server support will let you build a high-performance
          virtual server based on cluster of two or more real servers. This
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 8920f2a83327..4e37c1cbe8b2 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -567,7 +567,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
                goto out;
        }
-        if (args->nr_local > (u64)UINT_MAX) {
+        if (args->nr_local > UIO_MAXIOV) {
                ret = -EMSGSIZE;
                goto out;
        }
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 9dab9573be41..92ce94f5146b 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -989,20 +989,26 @@ call_refreshresult(struct rpc_task *task)
        dprint_status(task);
        task->tk_status = 0;
-        task->tk_action = call_allocate;
+        task->tk_action = call_refresh;
-        if (status >= 0 && rpcauth_uptodatecred(task))
-                return;
        switch (status) {
-        case -EACCES:
+        case 0:
-                rpc_exit(task, -EACCES);
+                if (rpcauth_uptodatecred(task))
-                return;
+                        task->tk_action = call_allocate;
-        case -ENOMEM:
-                rpc_exit(task, -ENOMEM);
                return;
        case -ETIMEDOUT:
                rpc_delay(task, 3*HZ);
+        case -EAGAIN:
+                status = -EACCES;
+                if (!task->tk_cred_retry)
+                        break;
+                task->tk_cred_retry--;
+                dprintk("RPC: %5u %s: retry refresh creds\n",
+                                task->tk_pid, __func__);
+                return;
        }
-        task->tk_action = call_refresh;
+        dprintk("RPC: %5u %s: refresh creds failed with error %d\n",
+                                task->tk_pid, __func__, status);
+        rpc_exit(task, status);
 }
 /*
diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c
index f71a73107ae9..80df89d957ba 100644
--- a/net/sunrpc/stats.c
+++ b/net/sunrpc/stats.c
@@ -115,9 +115,7 @@ EXPORT_SYMBOL_GPL(svc_seq_show);
 */
 struct rpc_iostats *rpc_alloc_iostats(struct rpc_clnt *clnt)
 {
-        struct rpc_iostats *new;
+        return kcalloc(clnt->cl_maxproc, sizeof(struct rpc_iostats), GFP_KERNEL);
-        new = kcalloc(clnt->cl_maxproc, sizeof(struct rpc_iostats), GFP_KERNEL);
-        return new;
 }
 EXPORT_SYMBOL_GPL(rpc_alloc_iostats);
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index c82fe739fbdc..ea2ff78dcf7b 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -5,7 +5,6 @@
 */
 #include <linux/sched.h>
-#include <linux/smp_lock.h>
 #include <linux/errno.h>
 #include <linux/freezer.h>
 #include <linux/kthread.h>
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 3c95304a0817..2268e6798124 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1343,9 +1343,25 @@ static void unix_destruct_scm(struct sk_buff *skb)
        sock_wfree(skb);
 }
+#define MAX_RECURSION_LEVEL 4
 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 {
        int i;
+        unsigned char max_level = 0;
+        int unix_sock_count = 0;
+        for (i = scm->fp->count - 1; i >= 0; i--) {
+                struct sock *sk = unix_get_socket(scm->fp->fp[i]);
+                if (sk) {
+                        unix_sock_count++;
+                        max_level = max(max_level,
+                                        unix_sk(sk)->recursion_level);
+                }
+        }
+        if (unlikely(max_level > MAX_RECURSION_LEVEL))
+                return -ETOOMANYREFS;
        /*
         * Need to duplicate file references for the sake of garbage
@@ -1356,9 +1372,11 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
        if (!UNIXCB(skb).fp)
                return -ENOMEM;
-        for (i = scm->fp->count-1; i >= 0; i--)
+        if (unix_sock_count) {
-                unix_inflight(scm->fp->fp[i]);
+                for (i = scm->fp->count - 1; i >= 0; i--)
-        return 0;
+                        unix_inflight(scm->fp->fp[i]);
+        }
+        return max_level;
 }
 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
@@ -1393,6 +1411,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        struct sk_buff *skb;
        long timeo;
        struct scm_cookie tmp_scm;
+        int max_level;
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
@@ -1431,8 +1450,9 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
                goto out;
        err = unix_scm_to_skb(siocb->scm, skb, true);
-        if (err)
+        if (err < 0)
                goto out_free;
+        max_level = err + 1;
        unix_get_secdata(siocb->scm, skb);
        skb_reset_transport_header(skb);
@@ -1514,6 +1534,8 @@ restart:
        if (sock_flag(other, SOCK_RCVTSTAMP))
                __net_timestamp(skb);
        skb_queue_tail(&other->sk_receive_queue, skb);
+        if (max_level > unix_sk(other)->recursion_level)
+                unix_sk(other)->recursion_level = max_level;
        unix_state_unlock(other);
        other->sk_data_ready(other, len);
        sock_put(other);
@@ -1544,6 +1566,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
        int sent = 0;
        struct scm_cookie tmp_scm;
        bool fds_sent = false;
+        int max_level;
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
@@ -1607,10 +1630,11 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                /* Only send the fds in the first buffer */
                err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
-                if (err) {
+                if (err < 0) {
                        kfree_skb(skb);
                        goto out_err;
                }
+                max_level = err + 1;
                fds_sent = true;
                err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
@@ -1626,6 +1650,8 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                        goto pipe_err_free;
                skb_queue_tail(&other->sk_receive_queue, skb);
+                if (max_level > unix_sk(other)->recursion_level)
+                        unix_sk(other)->recursion_level = max_level;
                unix_state_unlock(other);
                other->sk_data_ready(other, size);
                sent += size;
@@ -1845,6 +1871,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                unix_state_lock(sk);
                skb = skb_dequeue(&sk->sk_receive_queue);
                if (skb == NULL) {
+                        unix_sk(sk)->recursion_level = 0;
                        if (copied >= target)
                                goto unlock;
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index c8df6fda0b1f..f89f83bf828e 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -96,7 +96,7 @@ static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
 unsigned int unix_tot_inflight;
-static struct sock *unix_get_socket(struct file *filp)
+struct sock *unix_get_socket(struct file *filp)
 {
        struct sock *u_sock = NULL;
        struct inode *inode = filp->f_path.dentry->d_inode;
@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
 }
 static bool gc_in_progress = false;
+#define UNIX_INFLIGHT_TRIGGER_GC 16000
 void wait_for_unix_gc(void)
 {
+        /*
+         * If number of inflight sockets is insane,
+         * force a garbage collect right now.
+         */
+        if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
+                unix_gc();
        wait_event(unix_gc_wait, gc_in_progress == false);
 }
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index d0c92dddb26b..17cd0c04d139 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -44,6 +44,38 @@ rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
        return chan;
 }
+static bool can_beacon_sec_chan(struct wiphy *wiphy,
+                                struct ieee80211_channel *chan,
+                                enum nl80211_channel_type channel_type)
+{
+        struct ieee80211_channel *sec_chan;
+        int diff;
+        switch (channel_type) {
+        case NL80211_CHAN_HT40PLUS:
+                diff = 20;
+                break;
+        case NL80211_CHAN_HT40MINUS:
+                diff = -20;
+                break;
+        default:
+                return false;
+        }
+        sec_chan = ieee80211_get_channel(wiphy, chan->center_freq + diff);
+        if (!sec_chan)
+                return false;
+        /* we'll need a DFS capability later */
+        if (sec_chan->flags & (IEEE80211_CHAN_DISABLED |
+                               IEEE80211_CHAN_PASSIVE_SCAN |
+                               IEEE80211_CHAN_NO_IBSS |
+                               IEEE80211_CHAN_RADAR))
+                return false;
+        return true;
+}
 int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
                      struct wireless_dev *wdev, int freq,
                      enum nl80211_channel_type channel_type)
@@ -68,6 +100,28 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
        if (!chan)
                return -EINVAL;
+        /* Both channels should be able to initiate communication */
+        if (wdev && (wdev->iftype == NL80211_IFTYPE_ADHOC ||
+                     wdev->iftype == NL80211_IFTYPE_AP ||
+                     wdev->iftype == NL80211_IFTYPE_AP_VLAN ||
+                     wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
+                     wdev->iftype == NL80211_IFTYPE_P2P_GO)) {
+                switch (channel_type) {
+                case NL80211_CHAN_HT40PLUS:
+                case NL80211_CHAN_HT40MINUS:
+                        if (!can_beacon_sec_chan(&rdev->wiphy, chan,
+                                                 channel_type)) {
+                                printk(KERN_DEBUG
+                                       "cfg80211: Secondary channel not "
+                                       "allowed to initiate communication\n");
+                                return -EINVAL;
+                        }
+                        break;
+                default:
+                        break;
+                }
+        }
        result = rdev->ops->set_channel(&rdev->wiphy,
                                        wdev ? wdev->netdev : NULL,
                                        chan, channel_type);
diff --git a/net/xfrm/xfrm_hash.c b/net/xfrm/xfrm_hash.c
index a2023ec52329..1e98bc0fe0a5 100644
--- a/net/xfrm/xfrm_hash.c
+++ b/net/xfrm/xfrm_hash.c
@@ -19,7 +19,7 @@ struct hlist_head *xfrm_hash_alloc(unsigned int sz)
        if (sz <= PAGE_SIZE)
                n = kzalloc(sz, GFP_KERNEL);
        else if (hashdist)
-                n = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
+                n = vzalloc(sz);
        else
                n = (struct hlist_head *)
                        __get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,