Merge tag 'fixes-for-v4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

usb: fixes for v4.11-rc4

f_acm got an endianness fix by Oliver Neukum. This has been around for a
long time but it's finally fixed.

f_hid learned that it should never access hidg->req without first
grabbing the spinlock.

Roger Quadros fixed two bugs in the f_uvc function driver.

Janusz Dziedzic fixed a very peculiar bug with EP0, one that's rather
difficult to trigger. When we're dealing with bounced EP0 requests, we
should delay unmap until after ->complete() is called.

UDC class got a use-after-free fix.

59 files changed, 348 insertions, 238 deletions

diff --git a/net/atm/svc.c b/net/atm/svc.c
index db9794ec61d8..5589de7086af 100644
--- a/net/atm/svc.c
+++ b/net/atm/svc.c
@@ -318,7 +318,8 @@ out:
         return error;
 }
 
-static int svc_accept(struct socket *sock, struct socket *newsock, int flags)
+static int svc_accept(struct socket *sock, struct socket *newsock, int flags,
+                      bool kern)
 {
         struct sock *sk = sock->sk;
         struct sk_buff *skb;
@@ -329,7 +330,7 @@ static int svc_accept(struct socket *sock, struct socket *newsock, int flags)
 
         lock_sock(sk);
 
-        error = svc_create(sock_net(sk), newsock, 0, 0);
+        error = svc_create(sock_net(sk), newsock, 0, kern);
         if (error)
                 goto out;
 
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index a8e42cedf1db..b7c486752b3a 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1320,7 +1320,8 @@ out_release:
         return err;
 }
 
-static int ax25_accept(struct socket *sock, struct socket *newsock, int flags)
+static int ax25_accept(struct socket *sock, struct socket *newsock, int flags,
+                       bool kern)
 {
         struct sk_buff *skb;
         struct sock *newsk;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index f307b145ea54..507b80d59dec 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -301,7 +301,7 @@ done:
 }
 
 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
-                             int flags)
+                             int flags, bool kern)
 {
         DEFINE_WAIT_FUNC(wait, woken_wake_function);
         struct sock *sk = sock->sk, *nsk;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index aa1a814ceddc..ac3c650cb234 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -471,7 +471,8 @@ done:
         return err;
 }
 
-static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags)
+static int rfcomm_sock_accept(struct socket *sock, struct socket *newsock, int flags,
+                              bool kern)
 {
         DEFINE_WAIT_FUNC(wait, woken_wake_function);
         struct sock *sk = sock->sk, *nsk;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index e4e9a2da1e7e..728e0c8dc8e7 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -627,7 +627,7 @@ done:
 }
 
 static int sco_sock_accept(struct socket *sock, struct socket *newsock,
-                           int flags)
+                           int flags, bool kern)
 {
         DEFINE_WAIT_FUNC(wait, woken_wake_function);
         struct sock *sk = sock->sk, *ch;
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 236f34244dbe..013f2290bfa5 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -30,6 +30,7 @@ EXPORT_SYMBOL(br_should_route_hook);
 static int
 br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
+        br_drop_fake_rtable(skb);
         return netif_receive_skb(skb);
 }
 
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 95087e6e8258..fa87fbd62bb7 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -521,21 +521,6 @@ static unsigned int br_nf_pre_routing(void *priv,
 }
 
 
-/* PF_BRIDGE/LOCAL_IN ************************************************/
-/* The packet is locally destined, which requires a real
- * dst_entry, so detach the fake one.  On the way up, the
- * packet would pass through PRE_ROUTING again (which already
- * took place when the packet entered the bridge), but we
- * register an IPv4 PRE_ROUTING 'sabotage' hook that will
- * prevent this from happening. */
-static unsigned int br_nf_local_in(void *priv,
-                                   struct sk_buff *skb,
-                                   const struct nf_hook_state *state)
-{
-        br_drop_fake_rtable(skb);
-        return NF_ACCEPT;
-}
-
 /* PF_BRIDGE/FORWARD *************************************************/
 static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
@@ -908,12 +893,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
                 .priority = NF_BR_PRI_BRNF,
         },
         {
-                .hook = br_nf_local_in,
-                .pf = NFPROTO_BRIDGE,
-                .hooknum = NF_BR_LOCAL_IN,
-                .priority = NF_BR_PRI_BRNF,
-        },
-        {
                 .hook = br_nf_forward_ip,
                 .pf = NFPROTO_BRIDGE,
                 .hooknum = NF_BR_FORWARD,
diff --git a/net/core/dev.c b/net/core/dev.c
index 8637b2b71f3d..7869ae3837ca 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1304,6 +1304,7 @@ void netdev_notify_peers(struct net_device *dev)
 {
         rtnl_lock();
         call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, dev);
+        call_netdevice_notifiers(NETDEV_RESEND_IGMP, dev);
         rtnl_unlock();
 }
 EXPORT_SYMBOL(netdev_notify_peers);
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 3945821e9c1f..65ea0ff4017c 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -953,7 +953,7 @@ net_rx_queue_update_kobjects(struct net_device *dev, int old_num, int new_num)
         while (--i >= new_num) {
                 struct kobject *kobj = &dev->_rx[i].kobj;
 
-                if (!list_empty(&dev_net(dev)->exit_list))
+                if (!atomic_read(&dev_net(dev)->count))
                         kobj->uevent_suppress = 1;
                 if (dev->sysfs_rx_queue_group)
                         sysfs_remove_group(kobj, dev->sysfs_rx_queue_group);
@@ -1371,7 +1371,7 @@ netdev_queue_update_kobjects(struct net_device *dev, int old_num, int new_num)
         while (--i >= new_num) {
                 struct netdev_queue *queue = dev->_tx + i;
 
-                if (!list_empty(&dev_net(dev)->exit_list))
+                if (!atomic_read(&dev_net(dev)->count))
                         queue->kobj.uevent_suppress = 1;
 #ifdef CONFIG_BQL
                 sysfs_remove_group(&queue->kobj, &dql_group);
@@ -1558,7 +1558,7 @@ void netdev_unregister_kobject(struct net_device *ndev)
 {
         struct device *dev = &(ndev->dev);
 
-        if (!list_empty(&dev_net(ndev)->exit_list))
+        if (!atomic_read(&dev_net(ndev)->count))
                 dev_set_uevent_suppress(dev, 1);
 
         kobject_get(&dev->kobj);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f3557958e9bf..cd4ba8c6b609 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3828,13 +3828,14 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
         if (!skb_may_tx_timestamp(sk, false))
                 return;
 
-        /* take a reference to prevent skb_orphan() from freeing the socket */
-        sock_hold(sk);
-
-        *skb_hwtstamps(skb) = *hwtstamps;
-        __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
-
-        sock_put(sk);
+        /* Take a reference to prevent skb_orphan() from freeing the socket,
+         * but only if the socket refcount is not zero.
+         */
+        if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
+                *skb_hwtstamps(skb) = *hwtstamps;
+                __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
+                sock_put(sk);
+        }
 }
 EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
 
@@ -3893,7 +3894,7 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
 {
         struct sock *sk = skb->sk;
         struct sock_exterr_skb *serr;
-        int err;
+        int err = 1;
 
         skb->wifi_acked_valid = 1;
         skb->wifi_acked = acked;
@@ -3903,14 +3904,15 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
         serr->ee.ee_errno = ENOMSG;
         serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS;
 
-        /* take a reference to prevent skb_orphan() from freeing the socket */
-        sock_hold(sk);
-
-        err = sock_queue_err_skb(sk, skb);
+        /* Take a reference to prevent skb_orphan() from freeing the socket,
+         * but only if the socket refcount is not zero.
+         */
+        if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
+                err = sock_queue_err_skb(sk, skb);
+                sock_put(sk);
+        }
         if (err)
                 kfree_skb(skb);
-
-        sock_put(sk);
 }
 EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);
 
diff --git a/net/core/sock.c b/net/core/sock.c
index f6fd79f33097..a96d5f7a5734 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -197,66 +197,55 @@ EXPORT_SYMBOL(sk_net_capable);
 
 /*
  * Each address family might have different locking rules, so we have
- * one slock key per address family:
+ * one slock key per address family and separate keys for internal and
+ * userspace sockets.
  */
 static struct lock_class_key af_family_keys[AF_MAX];
+static struct lock_class_key af_family_kern_keys[AF_MAX];
 static struct lock_class_key af_family_slock_keys[AF_MAX];
+static struct lock_class_key af_family_kern_slock_keys[AF_MAX];
 
 /*
  * Make lock validator output more readable. (we pre-construct these
  * strings build-time, so that runtime initialization of socket
  * locks is fast):
  */
+
+#define _sock_locks(x)                                            \
+  x "AF_UNSPEC",        x "AF_UNIX"     ,       x "AF_INET"     , \
+  x "AF_AX25"  ,        x "AF_IPX"      ,       x "AF_APPLETALK", \
+  x "AF_NETROM",        x "AF_BRIDGE"   ,       x "AF_ATMPVC"   , \
+  x "AF_X25"   ,        x "AF_INET6"    ,       x "AF_ROSE"     , \
+  x "AF_DECnet",        x "AF_NETBEUI"  ,       x "AF_SECURITY" , \
+  x "AF_KEY"   ,        x "AF_NETLINK"  ,       x "AF_PACKET"   , \
+  x "AF_ASH"   ,        x "AF_ECONET"   ,       x "AF_ATMSVC"   , \
+  x "AF_RDS"   ,        x "AF_SNA"      ,       x "AF_IRDA"     , \
+  x "AF_PPPOX" ,        x "AF_WANPIPE"  ,       x "AF_LLC"      , \
+  x "27"       ,        x "28"          ,       x "AF_CAN"      , \
+  x "AF_TIPC"  ,        x "AF_BLUETOOTH",       x "IUCV"        , \
+  x "AF_RXRPC" ,        x "AF_ISDN"     ,       x "AF_PHONET"   , \
+  x "AF_IEEE802154",    x "AF_CAIF"     ,       x "AF_ALG"      , \
+  x "AF_NFC"   ,        x "AF_VSOCK"    ,       x "AF_KCM"      , \
+  x "AF_QIPCRTR",       x "AF_SMC"      ,       x "AF_MAX"
+
 static const char *const af_family_key_strings[AF_MAX+1] = {
-  "sk_lock-AF_UNSPEC", "sk_lock-AF_UNIX"     , "sk_lock-AF_INET"     ,
-  "sk_lock-AF_AX25"  , "sk_lock-AF_IPX"      , "sk_lock-AF_APPLETALK",
-  "sk_lock-AF_NETROM", "sk_lock-AF_BRIDGE"   , "sk_lock-AF_ATMPVC"   ,
-  "sk_lock-AF_X25"   , "sk_lock-AF_INET6"    , "sk_lock-AF_ROSE"     ,
-  "sk_lock-AF_DECnet", "sk_lock-AF_NETBEUI"  , "sk_lock-AF_SECURITY" ,
-  "sk_lock-AF_KEY"   , "sk_lock-AF_NETLINK"  , "sk_lock-AF_PACKET"   ,
-  "sk_lock-AF_ASH"   , "sk_lock-AF_ECONET"   , "sk_lock-AF_ATMSVC"   ,
-  "sk_lock-AF_RDS"   , "sk_lock-AF_SNA"      , "sk_lock-AF_IRDA"     ,
-  "sk_lock-AF_PPPOX" , "sk_lock-AF_WANPIPE"  , "sk_lock-AF_LLC"      ,
-  "sk_lock-27"       , "sk_lock-28"          , "sk_lock-AF_CAN"      ,
-  "sk_lock-AF_TIPC"  , "sk_lock-AF_BLUETOOTH", "sk_lock-IUCV"        ,
-  "sk_lock-AF_RXRPC" , "sk_lock-AF_ISDN"     , "sk_lock-AF_PHONET"   ,
-  "sk_lock-AF_IEEE802154", "sk_lock-AF_CAIF" , "sk_lock-AF_ALG"      ,
-  "sk_lock-AF_NFC"   , "sk_lock-AF_VSOCK"    , "sk_lock-AF_KCM"      ,
-  "sk_lock-AF_QIPCRTR", "sk_lock-AF_SMC"     , "sk_lock-AF_MAX"
+        _sock_locks("sk_lock-")
 };
 static const char *const af_family_slock_key_strings[AF_MAX+1] = {
-  "slock-AF_UNSPEC", "slock-AF_UNIX"     , "slock-AF_INET"     ,
-  "slock-AF_AX25"  , "slock-AF_IPX"      , "slock-AF_APPLETALK",
-  "slock-AF_NETROM", "slock-AF_BRIDGE"   , "slock-AF_ATMPVC"   ,
-  "slock-AF_X25"   , "slock-AF_INET6"    , "slock-AF_ROSE"     ,
-  "slock-AF_DECnet", "slock-AF_NETBEUI"  , "slock-AF_SECURITY" ,
-  "slock-AF_KEY"   , "slock-AF_NETLINK"  , "slock-AF_PACKET"   ,
-  "slock-AF_ASH"   , "slock-AF_ECONET"   , "slock-AF_ATMSVC"   ,
-  "slock-AF_RDS"   , "slock-AF_SNA"      , "slock-AF_IRDA"     ,
-  "slock-AF_PPPOX" , "slock-AF_WANPIPE"  , "slock-AF_LLC"      ,
-  "slock-27"       , "slock-28"          , "slock-AF_CAN"      ,
-  "slock-AF_TIPC"  , "slock-AF_BLUETOOTH", "slock-AF_IUCV"     ,
-  "slock-AF_RXRPC" , "slock-AF_ISDN"     , "slock-AF_PHONET"   ,
-  "slock-AF_IEEE802154", "slock-AF_CAIF" , "slock-AF_ALG"      ,
-  "slock-AF_NFC"   , "slock-AF_VSOCK"    ,"slock-AF_KCM"       ,
-  "slock-AF_QIPCRTR", "slock-AF_SMC"     , "slock-AF_MAX"
+        _sock_locks("slock-")
 };
 static const char *const af_family_clock_key_strings[AF_MAX+1] = {
-  "clock-AF_UNSPEC", "clock-AF_UNIX"     , "clock-AF_INET"     ,
-  "clock-AF_AX25"  , "clock-AF_IPX"      , "clock-AF_APPLETALK",
-  "clock-AF_NETROM", "clock-AF_BRIDGE"   , "clock-AF_ATMPVC"   ,
-  "clock-AF_X25"   , "clock-AF_INET6"    , "clock-AF_ROSE"     ,
-  "clock-AF_DECnet", "clock-AF_NETBEUI"  , "clock-AF_SECURITY" ,
-  "clock-AF_KEY"   , "clock-AF_NETLINK"  , "clock-AF_PACKET"   ,
-  "clock-AF_ASH"   , "clock-AF_ECONET"   , "clock-AF_ATMSVC"   ,
-  "clock-AF_RDS"   , "clock-AF_SNA"      , "clock-AF_IRDA"     ,
-  "clock-AF_PPPOX" , "clock-AF_WANPIPE"  , "clock-AF_LLC"      ,
-  "clock-27"       , "clock-28"          , "clock-AF_CAN"      ,
-  "clock-AF_TIPC"  , "clock-AF_BLUETOOTH", "clock-AF_IUCV"     ,
-  "clock-AF_RXRPC" , "clock-AF_ISDN"     , "clock-AF_PHONET"   ,
-  "clock-AF_IEEE802154", "clock-AF_CAIF" , "clock-AF_ALG"      ,
-  "clock-AF_NFC"   , "clock-AF_VSOCK"    , "clock-AF_KCM"      ,
-  "clock-AF_QIPCRTR", "clock-AF_SMC"     , "clock-AF_MAX"
+        _sock_locks("clock-")
+};
+
+static const char *const af_family_kern_key_strings[AF_MAX+1] = {
+        _sock_locks("k-sk_lock-")
+};
+static const char *const af_family_kern_slock_key_strings[AF_MAX+1] = {
+        _sock_locks("k-slock-")
+};
+static const char *const af_family_kern_clock_key_strings[AF_MAX+1] = {
+        _sock_locks("k-clock-")
 };
 
 /*
@@ -264,6 +253,7 @@ static const char *const af_family_clock_key_strings[AF_MAX+1] = {
  * so split the lock classes by using a per-AF key:
  */
 static struct lock_class_key af_callback_keys[AF_MAX];
+static struct lock_class_key af_kern_callback_keys[AF_MAX];
 
 /* Take into consideration the size of the struct sk_buff overhead in the
  * determination of these values, since that is non-constant across
@@ -1293,7 +1283,16 @@ lenout:
  */
 static inline void sock_lock_init(struct sock *sk)
 {
-        sock_lock_init_class_and_name(sk,
+        if (sk->sk_kern_sock)
+                sock_lock_init_class_and_name(
+                        sk,
+                        af_family_kern_slock_key_strings[sk->sk_family],
+                        af_family_kern_slock_keys + sk->sk_family,
+                        af_family_kern_key_strings[sk->sk_family],
+                        af_family_kern_keys + sk->sk_family);
+        else
+                sock_lock_init_class_and_name(
+                        sk,
                         af_family_slock_key_strings[sk->sk_family],
                         af_family_slock_keys + sk->sk_family,
                         af_family_key_strings[sk->sk_family],
@@ -1399,6 +1398,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
                  * why we need sk_prot_creator -acme
                  */
                 sk->sk_prot = sk->sk_prot_creator = prot;
+                sk->sk_kern_sock = kern;
                 sock_lock_init(sk);
                 sk->sk_net_refcnt = kern ? 0 : 1;
                 if (likely(sk->sk_net_refcnt))
@@ -2277,7 +2277,8 @@ int sock_no_socketpair(struct socket *sock1, struct socket *sock2)
 }
 EXPORT_SYMBOL(sock_no_socketpair);
 
-int sock_no_accept(struct socket *sock, struct socket *newsock, int flags)
+int sock_no_accept(struct socket *sock, struct socket *newsock, int flags,
+                   bool kern)
 {
         return -EOPNOTSUPP;
 }
@@ -2481,7 +2482,14 @@ void sock_init_data(struct socket *sock, struct sock *sk)
         }
 
         rwlock_init(&sk->sk_callback_lock);
-        lockdep_set_class_and_name(&sk->sk_callback_lock,
+        if (sk->sk_kern_sock)
+                lockdep_set_class_and_name(
+                        &sk->sk_callback_lock,
+                        af_kern_callback_keys + sk->sk_family,
+                        af_family_kern_clock_key_strings[sk->sk_family]);
+        else
+                lockdep_set_class_and_name(
+                        &sk->sk_callback_lock,
                         af_callback_keys + sk->sk_family,
                         af_family_clock_key_strings[sk->sk_family]);
 
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index f053198e730c..5e3a7302f774 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -749,6 +749,7 @@ static void ccid2_hc_tx_exit(struct sock *sk)
         for (i = 0; i < hc->tx_seqbufc; i++)
                 kfree(hc->tx_seqbuf[i]);
         hc->tx_seqbufc = 0;
+        dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
 }
 
 static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 409d0cfd3447..b99168b0fabf 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -289,7 +289,8 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info)
 
         switch (type) {
         case ICMP_REDIRECT:
-                dccp_do_redirect(skb, sk);
+                if (!sock_owned_by_user(sk))
+                        dccp_do_redirect(skb, sk);
                 goto out;
         case ICMP_SOURCE_QUENCH:
                 /* Just silently ignore these. */
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 233b57367758..d9b6a4e403e7 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -122,10 +122,12 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
         np = inet6_sk(sk);
 
         if (type == NDISC_REDIRECT) {
-                struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
+                if (!sock_owned_by_user(sk)) {
+                        struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
 
-                if (dst)
-                        dst->ops->redirect(dst, sk, skb);
+                        if (dst)
+                                dst->ops->redirect(dst, sk, skb);
+                }
                 goto out;
         }
 
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index e267e6f4c9a5..abd07a443219 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -142,6 +142,13 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
         struct dccp_request_sock *dreq = dccp_rsk(req);
         bool own_req;
 
+        /* TCP/DCCP listeners became lockless.
+         * DCCP stores complex state in its request_sock, so we need
+         * a protection for them, now this code runs without being protected
+         * by the parent (listener) lock.
+         */
+        spin_lock_bh(&dreq->dreq_lock);
+
         /* Check for retransmitted REQUEST */
         if (dccp_hdr(skb)->dccph_type == DCCP_PKT_REQUEST) {
 
@@ -156,7 +163,7 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
                         inet_rtx_syn_ack(sk, req);
                 }
                 /* Network Duplicate, discard packet */
-                return NULL;
+                goto out;
         }
 
         DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_PACKET_ERROR;
@@ -182,20 +189,20 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
 
         child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
                                                          req, &own_req);
-        if (!child)
-                goto listen_overflow;
-
-        return inet_csk_complete_hashdance(sk, child, req, own_req);
+        if (child) {
+                child = inet_csk_complete_hashdance(sk, child, req, own_req);
+                goto out;
+        }
 
-listen_overflow:
-        dccp_pr_debug("listen_overflow!\n");
         DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_TOO_BUSY;
 drop:
         if (dccp_hdr(skb)->dccph_type != DCCP_PKT_RESET)
                 req->rsk_ops->send_reset(sk, skb);
 
         inet_csk_reqsk_queue_drop(sk, req);
-        return NULL;
+out:
+        spin_unlock_bh(&dreq->dreq_lock);
+        return child;
 }
 
 EXPORT_SYMBOL_GPL(dccp_check_req);
@@ -246,6 +253,7 @@ int dccp_reqsk_init(struct request_sock *req,
 {
         struct dccp_request_sock *dreq = dccp_rsk(req);
 
+        spin_lock_init(&dreq->dreq_lock);
         inet_rsk(req)->ir_rmt_port = dccp_hdr(skb)->dccph_sport;
         inet_rsk(req)->ir_num      = ntohs(dccp_hdr(skb)->dccph_dport);
         inet_rsk(req)->acked       = 0;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index e6e79eda9763..7de5b40a5d0d 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1070,7 +1070,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
         return skb == NULL ? ERR_PTR(err) : skb;
 }
 
-static int dn_accept(struct socket *sock, struct socket *newsock, int flags)
+static int dn_accept(struct socket *sock, struct socket *newsock, int flags,
+                     bool kern)
 {
         struct sock *sk = sock->sk, *newsk;
         struct sk_buff *skb = NULL;
@@ -1099,7 +1100,7 @@ static int dn_accept(struct socket *sock, struct socket *newsock, int flags)
 
         cb = DN_SKB_CB(skb);
         sk->sk_ack_backlog--;
-        newsk = dn_alloc_sock(sock_net(sk), newsock, sk->sk_allocation, 0);
+        newsk = dn_alloc_sock(sock_net(sk), newsock, sk->sk_allocation, kern);
         if (newsk == NULL) {
                 release_sock(sk);
                 kfree_skb(skb);
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 602d40f43687..6b1fc6e4278e 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -689,11 +689,12 @@ EXPORT_SYMBOL(inet_stream_connect);
  *      Accept a pending connection. The TCP layer now gives BSD semantics.
  */
 
-int inet_accept(struct socket *sock, struct socket *newsock, int flags)
+int inet_accept(struct socket *sock, struct socket *newsock, int flags,
+                bool kern)
 {
         struct sock *sk1 = sock->sk;
         int err = -EINVAL;
-        struct sock *sk2 = sk1->sk_prot->accept(sk1, flags, &err);
+        struct sock *sk2 = sk1->sk_prot->accept(sk1, flags, &err, kern);
 
         if (!sk2)
                 goto do_err;
@@ -1487,8 +1488,10 @@ int inet_gro_complete(struct sk_buff *skb, int nhoff)
         int proto = iph->protocol;
         int err = -ENOSYS;
 
-        if (skb->encapsulation)
+        if (skb->encapsulation) {
+                skb_set_inner_protocol(skb, cpu_to_be16(ETH_P_IP));
                 skb_set_inner_network_header(skb, nhoff);
+        }
 
         csum_replace2(&iph->check, iph->tot_len, newlen);
         iph->tot_len = newlen;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index b4d5980ade3b..5e313c1ac94f 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -424,7 +424,7 @@ static int inet_csk_wait_for_connect(struct sock *sk, long timeo)
 /*
  * This will accept the next outstanding connection.
  */
-struct sock *inet_csk_accept(struct sock *sk, int flags, int *err)
+struct sock *inet_csk_accept(struct sock *sk, int flags, int *err, bool kern)
 {
         struct inet_connection_sock *icsk = inet_csk(sk);
         struct request_sock_queue *queue = &icsk->icsk_accept_queue;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 737ce826d7ec..7a3fd25e8913 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -966,7 +966,7 @@ static int __ip_append_data(struct sock *sk,
         cork->length += length;
         if ((((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))) &&
             (sk->sk_protocol == IPPROTO_UDP) &&
-            (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+            (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
             (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
                 err = ip_ufo_append_data(sk, queue, getfrag, from, length,
                                          hh_len, fragheaderlen, transhdrlen,
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 9a89b8deafae..575e19dcc017 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -279,10 +279,13 @@ EXPORT_SYMBOL(tcp_v4_connect);
  */
 void tcp_v4_mtu_reduced(struct sock *sk)
 {
-        struct dst_entry *dst;
         struct inet_sock *inet = inet_sk(sk);
-        u32 mtu = tcp_sk(sk)->mtu_info;
+        struct dst_entry *dst;
+        u32 mtu;
 
+        if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
+                return;
+        mtu = tcp_sk(sk)->mtu_info;
         dst = inet_csk_update_pmtu(sk, mtu);
         if (!dst)
                 return;
@@ -428,7 +431,8 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 
         switch (type) {
         case ICMP_REDIRECT:
-                do_redirect(icmp_skb, sk);
+                if (!sock_owned_by_user(sk))
+                        do_redirect(icmp_skb, sk);
                 goto out;
         case ICMP_SOURCE_QUENCH:
                 /* Just silently ignore these. */
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 40d893556e67..b2ab411c6d37 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -249,7 +249,8 @@ void tcp_delack_timer_handler(struct sock *sk)
 
         sk_mem_reclaim_partial(sk);
 
-        if (sk->sk_state == TCP_CLOSE || !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
+        if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+            !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
                 goto out;
 
         if (time_after(icsk->icsk_ack.timeout, jiffies)) {
@@ -552,7 +553,8 @@ void tcp_write_timer_handler(struct sock *sk)
         struct inet_connection_sock *icsk = inet_csk(sk);
         int event;
 
-        if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending)
+        if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+            !icsk->icsk_pending)
                 goto out;
 
         if (time_after(icsk->icsk_timeout, jiffies)) {
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 04db40620ea6..a9a9553ee63d 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -920,12 +920,12 @@ static int __init inet6_init(void)
         err = register_pernet_subsys(&inet6_net_ops);
         if (err)
                 goto register_pernet_fail;
-        err = icmpv6_init();
-        if (err)
-                goto icmp_fail;
         err = ip6_mr_init();
         if (err)
                 goto ipmr_fail;
+        err = icmpv6_init();
+        if (err)
+                goto icmp_fail;
         err = ndisc_init();
         if (err)
                 goto ndisc_fail;
@@ -1061,10 +1061,10 @@ igmp_fail:
         ndisc_cleanup();
 ndisc_fail:
         ip6_mr_cleanup();
-ipmr_fail:
-        icmpv6_cleanup();
 icmp_fail:
         unregister_pernet_subsys(&inet6_net_ops);
+ipmr_fail:
+        icmpv6_cleanup();
 register_pernet_fail:
         sock_unregister(PF_INET6);
         rtnl_unregister_all(PF_INET6);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index e4266746e4a2..d4bf2c68a545 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -923,6 +923,8 @@ add:
                         ins = &rt->dst.rt6_next;
                         iter = *ins;
                         while (iter) {
+                                if (iter->rt6i_metric > rt->rt6i_metric)
+                                        break;
                                 if (rt6_qualify_for_ecmp(iter)) {
                                         *ins = iter->dst.rt6_next;
                                         fib6_purge_rt(iter, fn, info->nl_net);
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 0838e6d01d2e..93e58a5e1837 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -294,8 +294,10 @@ static int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
         struct ipv6hdr *iph = (struct ipv6hdr *)(skb->data + nhoff);
         int err = -ENOSYS;
 
-        if (skb->encapsulation)
+        if (skb->encapsulation) {
+                skb_set_inner_protocol(skb, cpu_to_be16(ETH_P_IPV6));
                 skb_set_inner_network_header(skb, nhoff);
+        }
 
         iph->payload_len = htons(skb->len - nhoff - sizeof(*iph));
 
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 528b3c1f3fde..58f6288e9ba5 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -768,13 +768,14 @@ slow_path:
          *      Fragment the datagram.
          */
 
-        *prevhdr = NEXTHDR_FRAGMENT;
         troom = rt->dst.dev->needed_tailroom;
 
         /*
          *      Keep copying data until we run out.
          */
         while (left > 0)        {
+                u8 *fragnexthdr_offset;
+
                 len = left;
                 /* IF: it doesn't fit, use 'mtu' - the data space left */
                 if (len > mtu)
@@ -819,6 +820,10 @@ slow_path:
                  */
                 skb_copy_from_linear_data(skb, skb_network_header(frag), hlen);
 
+                fragnexthdr_offset = skb_network_header(frag);
+                fragnexthdr_offset += prevhdr - skb_network_header(skb);
+                *fragnexthdr_offset = NEXTHDR_FRAGMENT;
+
                 /*
                  *      Build fragment header.
                  */
@@ -1385,7 +1390,7 @@ emsgsize:
         if ((((length + fragheaderlen) > mtu) ||
              (skb && skb_is_gso(skb))) &&
             (sk->sk_protocol == IPPROTO_UDP) &&
-            (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+            (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
             (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
                 err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
                                           hh_len, fragheaderlen, exthdrlen,
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 644ba59fbd9d..3d8a3b63b4fd 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -485,11 +485,15 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
         if (!skb->ignore_df && skb->len > mtu) {
                 skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
 
-                if (skb->protocol == htons(ETH_P_IPV6))
+                if (skb->protocol == htons(ETH_P_IPV6)) {
+                        if (mtu < IPV6_MIN_MTU)
+                                mtu = IPV6_MIN_MTU;
+
                         icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
-                else
+                } else {
                         icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                                   htonl(mtu));
+                }
 
                 return -EMSGSIZE;
         }
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 229bfcc451ef..35c58b669ebd 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3299,7 +3299,6 @@ static size_t rt6_nlmsg_size(struct rt6_info *rt)
                 nexthop_len = nla_total_size(0)  /* RTA_MULTIPATH */
                             + NLA_ALIGN(sizeof(struct rtnexthop))
                             + nla_total_size(16) /* RTA_GATEWAY */
-                            + nla_total_size(4)  /* RTA_OIF */
                             + lwtunnel_get_encap_size(rt->dst.lwtstate);
 
                 nexthop_len *= rt->rt6i_nsiblings;
@@ -3323,7 +3322,7 @@ static size_t rt6_nlmsg_size(struct rt6_info *rt)
 }
 
 static int rt6_nexthop_info(struct sk_buff *skb, struct rt6_info *rt,
-                            unsigned int *flags)
+                            unsigned int *flags, bool skip_oif)
 {
         if (!netif_running(rt->dst.dev) || !netif_carrier_ok(rt->dst.dev)) {
                 *flags |= RTNH_F_LINKDOWN;
@@ -3336,7 +3335,8 @@ static int rt6_nexthop_info(struct sk_buff *skb, struct rt6_info *rt,
                         goto nla_put_failure;
         }
 
-        if (rt->dst.dev &&
+        /* not needed for multipath encoding b/c it has a rtnexthop struct */
+        if (!skip_oif && rt->dst.dev &&
             nla_put_u32(skb, RTA_OIF, rt->dst.dev->ifindex))
                 goto nla_put_failure;
 
@@ -3350,6 +3350,7 @@ nla_put_failure:
         return -EMSGSIZE;
 }
 
+/* add multipath next hop */
 static int rt6_add_nexthop(struct sk_buff *skb, struct rt6_info *rt)
 {
         struct rtnexthop *rtnh;
@@ -3362,7 +3363,7 @@ static int rt6_add_nexthop(struct sk_buff *skb, struct rt6_info *rt)
         rtnh->rtnh_hops = 0;
         rtnh->rtnh_ifindex = rt->dst.dev ? rt->dst.dev->ifindex : 0;
 
-        if (rt6_nexthop_info(skb, rt, &flags) < 0)
+        if (rt6_nexthop_info(skb, rt, &flags, true) < 0)
                 goto nla_put_failure;
 
         rtnh->rtnh_flags = flags;
@@ -3515,7 +3516,7 @@ static int rt6_fill_node(struct net *net,
 
                 nla_nest_end(skb, mp);
         } else {
-                if (rt6_nexthop_info(skb, rt, &rtm->rtm_flags) < 0)
+                if (rt6_nexthop_info(skb, rt, &rtm->rtm_flags, false) < 0)
                         goto nla_put_failure;
         }
 
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 60a5295a7de6..49fa2e8c3fa9 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -391,10 +391,12 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
         np = inet6_sk(sk);
 
         if (type == NDISC_REDIRECT) {
-                struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
+                if (!sock_owned_by_user(sk)) {
+                        struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
 
-                if (dst)
-                        dst->ops->redirect(dst, sk, skb);
+                        if (dst)
+                                dst->ops->redirect(dst, sk, skb);
+                }
                 goto out;
         }
 
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 81adc29a448d..8d77ad5cadaf 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -828,7 +828,8 @@ out:
  *    Wait for incoming connection
  *
  */
-static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
+static int irda_accept(struct socket *sock, struct socket *newsock, int flags,
+                       bool kern)
 {
         struct sock *sk = sock->sk;
         struct irda_sock *new, *self = irda_sk(sk);
@@ -836,7 +837,7 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
         struct sk_buff *skb = NULL;
         int err;
 
-        err = irda_create(sock_net(sk), newsock, sk->sk_protocol, 0);
+        err = irda_create(sock_net(sk), newsock, sk->sk_protocol, kern);
         if (err)
                 return err;
 
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 89bbde1081ce..84de7b6326dc 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -938,7 +938,7 @@ done:
 
 /* Accept a pending connection */
 static int iucv_sock_accept(struct socket *sock, struct socket *newsock,
-                            int flags)
+                            int flags, bool kern)
 {
         DECLARE_WAITQUEUE(wait, current);
         struct sock *sk = sock->sk, *nsk;
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 06186d608a27..cb4fff785cbf 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -641,11 +641,13 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
  *      @sock: Socket which connections arrive on.
  *      @newsock: Socket to move incoming connection to.
  *      @flags: User specified operational flags.
+ *      @kern: If the socket is kernel internal
  *
  *      Accept a new incoming connection.
  *      Returns 0 upon success, negative otherwise.
  */
-static int llc_ui_accept(struct socket *sock, struct socket *newsock, int flags)
+static int llc_ui_accept(struct socket *sock, struct socket *newsock, int flags,
+                         bool kern)
 {
         struct sock *sk = sock->sk, *newsk;
         struct llc_sock *llc, *newllc;
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 3818686182b2..33211f9a2656 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -1288,7 +1288,8 @@ static void mpls_ifdown(struct net_device *dev, int event)
                                 /* fall through */
                         case NETDEV_CHANGE:
                                 nh->nh_flags |= RTNH_F_LINKDOWN;
-                                ACCESS_ONCE(rt->rt_nhn_alive) = rt->rt_nhn_alive - 1;
+                                if (event != NETDEV_UNREGISTER)
+                                        ACCESS_ONCE(rt->rt_nhn_alive) = rt->rt_nhn_alive - 1;
                                 break;
                         }
                         if (event == NETDEV_UNREGISTER)
@@ -2028,6 +2029,7 @@ static void mpls_net_exit(struct net *net)
         for (index = 0; index < platform_labels; index++) {
                 struct mpls_route *rt = rtnl_dereference(platform_label[index]);
                 RCU_INIT_POINTER(platform_label[index], NULL);
+                mpls_notify_route(net, index, rt, NULL, NULL);
                 mpls_rt_free(rt);
         }
         rtnl_unlock();
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 4bbf4526b885..ebf16f7f9089 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -765,7 +765,8 @@ out_release:
         return err;
 }
 
-static int nr_accept(struct socket *sock, struct socket *newsock, int flags)
+static int nr_accept(struct socket *sock, struct socket *newsock, int flags,
+                     bool kern)
 {
         struct sk_buff *skb;
         struct sock *newsk;
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 879885b31cce..2ffb18e73df6 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -441,7 +441,7 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *parent,
 }
 
 static int llcp_sock_accept(struct socket *sock, struct socket *newsock,
-                            int flags)
+                            int flags, bool kern)
 {
         DECLARE_WAITQUEUE(wait, current);
         struct sock *sk = sock->sk, *new_sk;
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 222bedcd9575..e81537991ddf 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -772,7 +772,8 @@ static void pep_sock_close(struct sock *sk, long timeout)
         sock_put(sk);
 }
 
-static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp)
+static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp,
+                                    bool kern)
 {
         struct pep_sock *pn = pep_sk(sk), *newpn;
         struct sock *newsk = NULL;
@@ -846,7 +847,8 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp)
         }
 
         /* Create a new to-be-accepted sock */
-        newsk = sk_alloc(sock_net(sk), PF_PHONET, GFP_KERNEL, sk->sk_prot, 0);
+        newsk = sk_alloc(sock_net(sk), PF_PHONET, GFP_KERNEL, sk->sk_prot,
+                         kern);
         if (!newsk) {
                 pep_reject_conn(sk, skb, PN_PIPE_ERR_OVERLOAD, GFP_KERNEL);
                 err = -ENOBUFS;
diff --git a/net/phonet/socket.c b/net/phonet/socket.c
index a6c8da3ee893..64634e3ec2fc 100644
--- a/net/phonet/socket.c
+++ b/net/phonet/socket.c
@@ -305,7 +305,7 @@ out:
 }
 
 static int pn_socket_accept(struct socket *sock, struct socket *newsock,
-                                int flags)
+                            int flags, bool kern)
 {
         struct sock *sk = sock->sk;
         struct sock *newsk;
@@ -314,7 +314,7 @@ static int pn_socket_accept(struct socket *sock, struct socket *newsock,
         if (unlikely(sk->sk_state != TCP_LISTEN))
                 return -EINVAL;
 
-        newsk = sk->sk_prot->accept(sk, flags, &err);
+        newsk = sk->sk_prot->accept(sk, flags, &err, kern);
         if (!newsk)
                 return err;
 
diff --git a/net/rds/connection.c b/net/rds/connection.c
index 0e04dcceb1d4..1fa75ab7b733 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -429,6 +429,7 @@ void rds_conn_destroy(struct rds_connection *conn)
          */
         rds_cong_remove_conn(conn);
 
+        put_net(conn->c_net);
         kmem_cache_free(rds_conn_slab, conn);
 
         spin_lock_irqsave(&rds_conn_lock, flags);
diff --git a/net/rds/ib_cm.c b/net/rds/ib_cm.c
index ce3775abc6e7..1c38d2c7caa8 100644
--- a/net/rds/ib_cm.c
+++ b/net/rds/ib_cm.c
@@ -442,7 +442,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
                 ic->i_send_cq = NULL;
                 ibdev_put_vector(rds_ibdev, ic->i_scq_vector);
                 rdsdebug("ib_create_cq send failed: %d\n", ret);
-                goto out;
+                goto rds_ibdev_out;
         }
 
         ic->i_rcq_vector = ibdev_get_unused_vector(rds_ibdev);
@@ -456,19 +456,19 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
                 ic->i_recv_cq = NULL;
                 ibdev_put_vector(rds_ibdev, ic->i_rcq_vector);
                 rdsdebug("ib_create_cq recv failed: %d\n", ret);
-                goto out;
+                goto send_cq_out;
         }
 
         ret = ib_req_notify_cq(ic->i_send_cq, IB_CQ_NEXT_COMP);
         if (ret) {
                 rdsdebug("ib_req_notify_cq send failed: %d\n", ret);
-                goto out;
+                goto recv_cq_out;
         }
 
         ret = ib_req_notify_cq(ic->i_recv_cq, IB_CQ_SOLICITED);
         if (ret) {
                 rdsdebug("ib_req_notify_cq recv failed: %d\n", ret);
-                goto out;
+                goto recv_cq_out;
         }
 
         /* XXX negotiate max send/recv with remote? */
@@ -494,7 +494,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
         ret = rdma_create_qp(ic->i_cm_id, ic->i_pd, &attr);
         if (ret) {
                 rdsdebug("rdma_create_qp failed: %d\n", ret);
-                goto out;
+                goto recv_cq_out;
         }
 
         ic->i_send_hdrs = ib_dma_alloc_coherent(dev,
@@ -504,7 +504,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
         if (!ic->i_send_hdrs) {
                 ret = -ENOMEM;
                 rdsdebug("ib_dma_alloc_coherent send failed\n");
-                goto out;
+                goto qp_out;
         }
 
         ic->i_recv_hdrs = ib_dma_alloc_coherent(dev,
@@ -514,7 +514,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
         if (!ic->i_recv_hdrs) {
                 ret = -ENOMEM;
                 rdsdebug("ib_dma_alloc_coherent recv failed\n");
-                goto out;
+                goto send_hdrs_dma_out;
         }
 
         ic->i_ack = ib_dma_alloc_coherent(dev, sizeof(struct rds_header),
@@ -522,7 +522,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
         if (!ic->i_ack) {
                 ret = -ENOMEM;
                 rdsdebug("ib_dma_alloc_coherent ack failed\n");
-                goto out;
+                goto recv_hdrs_dma_out;
         }
 
         ic->i_sends = vzalloc_node(ic->i_send_ring.w_nr * sizeof(struct rds_ib_send_work),
@@ -530,7 +530,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
         if (!ic->i_sends) {
                 ret = -ENOMEM;
                 rdsdebug("send allocation failed\n");
-                goto out;
+                goto ack_dma_out;
         }
 
         ic->i_recvs = vzalloc_node(ic->i_recv_ring.w_nr * sizeof(struct rds_ib_recv_work),
@@ -538,7 +538,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
         if (!ic->i_recvs) {
                 ret = -ENOMEM;
                 rdsdebug("recv allocation failed\n");
-                goto out;
+                goto sends_out;
         }
 
         rds_ib_recv_init_ack(ic);
@@ -546,8 +546,33 @@ static int rds_ib_setup_qp(struct rds_connection *conn)
         rdsdebug("conn %p pd %p cq %p %p\n", conn, ic->i_pd,
                  ic->i_send_cq, ic->i_recv_cq);
 
-out:
+        return ret;
+
+sends_out:
+        vfree(ic->i_sends);
+ack_dma_out:
+        ib_dma_free_coherent(dev, sizeof(struct rds_header),
+                             ic->i_ack, ic->i_ack_dma);
+recv_hdrs_dma_out:
+        ib_dma_free_coherent(dev, ic->i_recv_ring.w_nr *
+                                        sizeof(struct rds_header),
+                                        ic->i_recv_hdrs, ic->i_recv_hdrs_dma);
+send_hdrs_dma_out:
+        ib_dma_free_coherent(dev, ic->i_send_ring.w_nr *
+                                        sizeof(struct rds_header),
+                                        ic->i_send_hdrs, ic->i_send_hdrs_dma);
+qp_out:
+        rdma_destroy_qp(ic->i_cm_id);
+recv_cq_out:
+        if (!ib_destroy_cq(ic->i_recv_cq))
+                ic->i_recv_cq = NULL;
+send_cq_out:
+        if (!ib_destroy_cq(ic->i_send_cq))
+                ic->i_send_cq = NULL;
+rds_ibdev_out:
+        rds_ib_remove_conn(rds_ibdev, conn);
         rds_ib_dev_put(rds_ibdev);
+
         return ret;
 }
 
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 39518ef7af4d..82d38ccf5e8b 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -147,7 +147,7 @@ struct rds_connection {
 
         /* Protocol version */
         unsigned int            c_version;
-        possible_net_t          c_net;
+        struct net              *c_net;
 
         struct list_head        c_map_item;
         unsigned long           c_map_queued;
@@ -162,13 +162,13 @@ struct rds_connection {
 static inline
 struct net *rds_conn_net(struct rds_connection *conn)
 {
-        return read_pnet(&conn->c_net);
+        return conn->c_net;
 }
 
 static inline
 void rds_conn_net_set(struct rds_connection *conn, struct net *net)
 {
-        write_pnet(&conn->c_net, net);
+        conn->c_net = get_net(net);
 }
 
 #define RDS_FLAG_CONG_BITMAP    0x01
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index a973d3b4dff0..225690076773 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -484,9 +484,10 @@ static void __net_exit rds_tcp_exit_net(struct net *net)
          * we do need to clean up the listen socket here.
          */
         if (rtn->rds_tcp_listen_sock) {
-                rds_tcp_listen_stop(rtn->rds_tcp_listen_sock);
+                struct socket *lsock = rtn->rds_tcp_listen_sock;
+
                 rtn->rds_tcp_listen_sock = NULL;
-                flush_work(&rtn->rds_tcp_accept_w);
+                rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w);
         }
 }
 
@@ -523,13 +524,13 @@ static void rds_tcp_kill_sock(struct net *net)
         struct rds_tcp_connection *tc, *_tc;
         LIST_HEAD(tmp_list);
         struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
+        struct socket *lsock = rtn->rds_tcp_listen_sock;
 
-        rds_tcp_listen_stop(rtn->rds_tcp_listen_sock);
         rtn->rds_tcp_listen_sock = NULL;
-        flush_work(&rtn->rds_tcp_accept_w);
+        rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w);
         spin_lock_irq(&rds_tcp_conn_lock);
         list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
-                struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
+                struct net *c_net = tc->t_cpath->cp_conn->c_net;
 
                 if (net != c_net || !tc->t_sock)
                         continue;
@@ -546,8 +547,12 @@ static void rds_tcp_kill_sock(struct net *net)
 void *rds_tcp_listen_sock_def_readable(struct net *net)
 {
         struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
+        struct socket *lsock = rtn->rds_tcp_listen_sock;
+
+        if (!lsock)
+                return NULL;
 
-        return rtn->rds_tcp_listen_sock->sk->sk_user_data;
+        return lsock->sk->sk_user_data;
 }
 
 static int rds_tcp_dev_event(struct notifier_block *this,
@@ -584,7 +589,7 @@ static void rds_tcp_sysctl_reset(struct net *net)
 
         spin_lock_irq(&rds_tcp_conn_lock);
         list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
-                struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
+                struct net *c_net = tc->t_cpath->cp_conn->c_net;
 
                 if (net != c_net || !tc->t_sock)
                         continue;
@@ -638,19 +643,19 @@ static int rds_tcp_init(void)
                 goto out;
         }
 
-        ret = register_netdevice_notifier(&rds_tcp_dev_notifier);
-        if (ret) {
-                pr_warn("could not register rds_tcp_dev_notifier\n");
+        ret = rds_tcp_recv_init();
+        if (ret)
                 goto out_slab;
-        }
 
         ret = register_pernet_subsys(&rds_tcp_net_ops);
         if (ret)
-                goto out_notifier;
+                goto out_recv;
 
-        ret = rds_tcp_recv_init();
-        if (ret)
+        ret = register_netdevice_notifier(&rds_tcp_dev_notifier);
+        if (ret) {
+                pr_warn("could not register rds_tcp_dev_notifier\n");
                 goto out_pernet;
+        }
 
         rds_trans_register(&rds_tcp_transport);
 
@@ -660,9 +665,8 @@ static int rds_tcp_init(void)
 
 out_pernet:
         unregister_pernet_subsys(&rds_tcp_net_ops);
-out_notifier:
-        if (unregister_netdevice_notifier(&rds_tcp_dev_notifier))
-                pr_warn("could not unregister rds_tcp_dev_notifier\n");
+out_recv:
+        rds_tcp_recv_exit();
 out_slab:
         kmem_cache_destroy(rds_tcp_conn_slab);
 out:
diff --git a/net/rds/tcp.h b/net/rds/tcp.h
index 9a1cc8906576..56ea6620fcf9 100644
--- a/net/rds/tcp.h
+++ b/net/rds/tcp.h
@@ -66,7 +66,7 @@ void rds_tcp_state_change(struct sock *sk);
 
 /* tcp_listen.c */
 struct socket *rds_tcp_listen_init(struct net *);
-void rds_tcp_listen_stop(struct socket *);
+void rds_tcp_listen_stop(struct socket *sock, struct work_struct *acceptor);
 void rds_tcp_listen_data_ready(struct sock *sk);
 int rds_tcp_accept_one(struct socket *sock);
 int rds_tcp_keepalive(struct socket *sock);
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 67d0929c7d3d..507678853e6c 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -133,7 +133,7 @@ int rds_tcp_accept_one(struct socket *sock)
 
         new_sock->type = sock->type;
         new_sock->ops = sock->ops;
-        ret = sock->ops->accept(sock, new_sock, O_NONBLOCK);
+        ret = sock->ops->accept(sock, new_sock, O_NONBLOCK, true);
         if (ret < 0)
                 goto out;
 
@@ -223,6 +223,9 @@ void rds_tcp_listen_data_ready(struct sock *sk)
          * before it has been accepted and the accepter has set up their
          * data_ready.. we only want to queue listen work for our listening
          * socket
+         *
+         * (*ready)() may be null if we are racing with netns delete, and
+         * the listen socket is being torn down.
          */
         if (sk->sk_state == TCP_LISTEN)
                 rds_tcp_accept_work(sk);
@@ -231,7 +234,8 @@ void rds_tcp_listen_data_ready(struct sock *sk)
 
 out:
         read_unlock_bh(&sk->sk_callback_lock);
-        ready(sk);
+        if (ready)
+                ready(sk);
 }
 
 struct socket *rds_tcp_listen_init(struct net *net)
@@ -271,7 +275,7 @@ out:
         return NULL;
 }
 
-void rds_tcp_listen_stop(struct socket *sock)
+void rds_tcp_listen_stop(struct socket *sock, struct work_struct *acceptor)
 {
         struct sock *sk;
 
@@ -292,5 +296,6 @@ void rds_tcp_listen_stop(struct socket *sock)
 
         /* wait for accepts to stop and close the socket */
         flush_workqueue(rds_wq);
+        flush_work(acceptor);
         sock_release(sock);
 }
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index b8a1df2c9785..4a9729257023 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -871,7 +871,8 @@ out_release:
         return err;
 }
 
-static int rose_accept(struct socket *sock, struct socket *newsock, int flags)
+static int rose_accept(struct socket *sock, struct socket *newsock, int flags,
+                       bool kern)
 {
         struct sk_buff *skb;
         struct sock *newsk;
diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 9f4cfa25af7c..18b2ad8be8e2 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -420,6 +420,7 @@ static void rxrpc_input_data(struct rxrpc_call *call, struct sk_buff *skb,
                              u16 skew)
 {
         struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+        enum rxrpc_call_state state;
         unsigned int offset = sizeof(struct rxrpc_wire_header);
         unsigned int ix;
         rxrpc_serial_t serial = sp->hdr.serial, ack_serial = 0;
@@ -434,14 +435,15 @@ static void rxrpc_input_data(struct rxrpc_call *call, struct sk_buff *skb,
         _proto("Rx DATA %%%u { #%u f=%02x }",
                sp->hdr.serial, seq, sp->hdr.flags);
 
-        if (call->state >= RXRPC_CALL_COMPLETE)
+        state = READ_ONCE(call->state);
+        if (state >= RXRPC_CALL_COMPLETE)
                 return;
 
         /* Received data implicitly ACKs all of the request packets we sent
          * when we're acting as a client.
          */
-        if ((call->state == RXRPC_CALL_CLIENT_SEND_REQUEST ||
-             call->state == RXRPC_CALL_CLIENT_AWAIT_REPLY) &&
+        if ((state == RXRPC_CALL_CLIENT_SEND_REQUEST ||
+             state == RXRPC_CALL_CLIENT_AWAIT_REPLY) &&
             !rxrpc_receiving_reply(call))
                 return;
 
@@ -650,6 +652,7 @@ static void rxrpc_input_ackinfo(struct rxrpc_call *call, struct sk_buff *skb,
         struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
         struct rxrpc_peer *peer;
         unsigned int mtu;
+        bool wake = false;
         u32 rwind = ntohl(ackinfo->rwind);
 
         _proto("Rx ACK %%%u Info { rx=%u max=%u rwin=%u jm=%u }",
@@ -657,9 +660,14 @@ static void rxrpc_input_ackinfo(struct rxrpc_call *call, struct sk_buff *skb,
                ntohl(ackinfo->rxMTU), ntohl(ackinfo->maxMTU),
                rwind, ntohl(ackinfo->jumbo_max));
 
-        if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
-                rwind = RXRPC_RXTX_BUFF_SIZE - 1;
-        call->tx_winsize = rwind;
+        if (call->tx_winsize != rwind) {
+                if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
+                        rwind = RXRPC_RXTX_BUFF_SIZE - 1;
+                if (rwind > call->tx_winsize)
+                        wake = true;
+                call->tx_winsize = rwind;
+        }
+
         if (call->cong_ssthresh > rwind)
                 call->cong_ssthresh = rwind;
 
@@ -673,6 +681,9 @@ static void rxrpc_input_ackinfo(struct rxrpc_call *call, struct sk_buff *skb,
                 spin_unlock_bh(&peer->lock);
                 _net("Net MTU %u (maxdata %u)", peer->mtu, peer->maxdata);
         }
+
+        if (wake)
+                wake_up(&call->waitq);
 }
 
 /*
@@ -799,7 +810,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb,
                 return rxrpc_proto_abort("AK0", call, 0);
 
         /* Ignore ACKs unless we are or have just been transmitting. */
-        switch (call->state) {
+        switch (READ_ONCE(call->state)) {
         case RXRPC_CALL_CLIENT_SEND_REQUEST:
         case RXRPC_CALL_CLIENT_AWAIT_REPLY:
         case RXRPC_CALL_SERVER_SEND_REPLY:
@@ -940,7 +951,7 @@ static void rxrpc_input_call_packet(struct rxrpc_call *call,
 static void rxrpc_input_implicit_end_call(struct rxrpc_connection *conn,
                                           struct rxrpc_call *call)
 {
-        switch (call->state) {
+        switch (READ_ONCE(call->state)) {
         case RXRPC_CALL_SERVER_AWAIT_ACK:
                 rxrpc_call_completed(call);
                 break;
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index 6491ca46a03f..3e2f1a8e9c5b 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -527,7 +527,7 @@ try_again:
                 msg->msg_namelen = len;
         }
 
-        switch (call->state) {
+        switch (READ_ONCE(call->state)) {
         case RXRPC_CALL_SERVER_ACCEPTING:
                 ret = rxrpc_recvmsg_new_call(rx, call, msg, flags);
                 break;
@@ -640,7 +640,7 @@ int rxrpc_kernel_recv_data(struct socket *sock, struct rxrpc_call *call,
 
         mutex_lock(&call->user_mutex);
 
-        switch (call->state) {
+        switch (READ_ONCE(call->state)) {
         case RXRPC_CALL_CLIENT_RECV_REPLY:
         case RXRPC_CALL_SERVER_RECV_REQUEST:
         case RXRPC_CALL_SERVER_ACK_REQUEST:
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index bc2d3dcff9de..97ab214ca411 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -488,6 +488,7 @@ rxrpc_new_client_call_for_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg,
 int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
         __releases(&rx->sk.sk_lock.slock)
 {
+        enum rxrpc_call_state state;
         enum rxrpc_command cmd;
         struct rxrpc_call *call;
         unsigned long user_call_ID = 0;
@@ -526,13 +527,17 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
                         return PTR_ERR(call);
                 /* ... and we have the call lock. */
         } else {
-                ret = -EBUSY;
-                if (call->state == RXRPC_CALL_UNINITIALISED ||
-                    call->state == RXRPC_CALL_CLIENT_AWAIT_CONN ||
-                    call->state == RXRPC_CALL_SERVER_PREALLOC ||
-                    call->state == RXRPC_CALL_SERVER_SECURING ||
-                    call->state == RXRPC_CALL_SERVER_ACCEPTING)
+                switch (READ_ONCE(call->state)) {
+                case RXRPC_CALL_UNINITIALISED:
+                case RXRPC_CALL_CLIENT_AWAIT_CONN:
+                case RXRPC_CALL_SERVER_PREALLOC:
+                case RXRPC_CALL_SERVER_SECURING:
+                case RXRPC_CALL_SERVER_ACCEPTING:
+                        ret = -EBUSY;
                         goto error_release_sock;
+                default:
+                        break;
+                }
 
                 ret = mutex_lock_interruptible(&call->user_mutex);
                 release_sock(&rx->sk);
@@ -542,10 +547,11 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
                 }
         }
 
+        state = READ_ONCE(call->state);
         _debug("CALL %d USR %lx ST %d on CONN %p",
-               call->debug_id, call->user_call_ID, call->state, call->conn);
+               call->debug_id, call->user_call_ID, state, call->conn);
 
-        if (call->state >= RXRPC_CALL_COMPLETE) {
+        if (state >= RXRPC_CALL_COMPLETE) {
                 /* it's too late for this call */
                 ret = -ESHUTDOWN;
         } else if (cmd == RXRPC_CMD_SEND_ABORT) {
@@ -555,12 +561,12 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
         } else if (cmd != RXRPC_CMD_SEND_DATA) {
                 ret = -EINVAL;
         } else if (rxrpc_is_client_call(call) &&
-                   call->state != RXRPC_CALL_CLIENT_SEND_REQUEST) {
+                   state != RXRPC_CALL_CLIENT_SEND_REQUEST) {
                 /* request phase complete for this client call */
                 ret = -EPROTO;
         } else if (rxrpc_is_service_call(call) &&
-                   call->state != RXRPC_CALL_SERVER_ACK_REQUEST &&
-                   call->state != RXRPC_CALL_SERVER_SEND_REPLY) {
+                   state != RXRPC_CALL_SERVER_ACK_REQUEST &&
+                   state != RXRPC_CALL_SERVER_SEND_REPLY) {
                 /* Reply phase not begun or not complete for service call. */
                 ret = -EPROTO;
         } else {
@@ -605,14 +611,21 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call,
         _debug("CALL %d USR %lx ST %d on CONN %p",
                call->debug_id, call->user_call_ID, call->state, call->conn);
 
-        if (call->state >= RXRPC_CALL_COMPLETE) {
-                ret = -ESHUTDOWN; /* it's too late for this call */
-        } else if (call->state != RXRPC_CALL_CLIENT_SEND_REQUEST &&
-                   call->state != RXRPC_CALL_SERVER_ACK_REQUEST &&
-                   call->state != RXRPC_CALL_SERVER_SEND_REPLY) {
-                ret = -EPROTO; /* request phase complete for this client call */
-        } else {
+        switch (READ_ONCE(call->state)) {
+        case RXRPC_CALL_CLIENT_SEND_REQUEST:
+        case RXRPC_CALL_SERVER_ACK_REQUEST:
+        case RXRPC_CALL_SERVER_SEND_REPLY:
                 ret = rxrpc_send_data(rxrpc_sk(sock->sk), call, msg, len);
+                break;
+        case RXRPC_CALL_COMPLETE:
+                read_lock_bh(&call->state_lock);
+                ret = -call->error;
+                read_unlock_bh(&call->state_lock);
+                break;
+        default:
+                 /* Request phase complete for this client call */
+                ret = -EPROTO;
+                break;
         }
 
         mutex_unlock(&call->user_mutex);
diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
index ab8062909962..f9bb43c25697 100644
--- a/net/sched/act_connmark.c
+++ b/net/sched/act_connmark.c
@@ -113,6 +113,9 @@ static int tcf_connmark_init(struct net *net, struct nlattr *nla,
         if (ret < 0)
                 return ret;
 
+        if (!tb[TCA_CONNMARK_PARMS])
+                return -EINVAL;
+
         parm = nla_data(tb[TCA_CONNMARK_PARMS]);
 
         if (!tcf_hash_check(tn, parm->index, a, bind)) {
diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
index 3b7074e23024..c736627f8f4a 100644
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -228,7 +228,6 @@ static int tcf_skbmod_dump(struct sk_buff *skb, struct tc_action *a,
 
         return skb->len;
 nla_put_failure:
-        rcu_read_unlock();
         nlmsg_trim(skb, b);
         return -1;
 }
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 063baac5b9fe..961ee59f696a 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -640,14 +640,15 @@ static sctp_scope_t sctp_v6_scope(union sctp_addr *addr)
 
 /* Create and initialize a new sk for the socket to be returned by accept(). */
 static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
-                                             struct sctp_association *asoc)
+                                             struct sctp_association *asoc,
+                                             bool kern)
 {
         struct sock *newsk;
         struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
         struct sctp6_sock *newsctp6sk;
         struct ipv6_txoptions *opt;
 
-        newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0);
+        newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, kern);
         if (!newsk)
                 goto out;
 
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 1b6d4574d2b0..989a900383b5 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -575,10 +575,11 @@ static int sctp_v4_is_ce(const struct sk_buff *skb)
 
 /* Create and initialize a new sk for the socket returned by accept(). */
 static struct sock *sctp_v4_create_accept_sk(struct sock *sk,
-                                             struct sctp_association *asoc)
+                                             struct sctp_association *asoc,
+                                             bool kern)
 {
         struct sock *newsk = sk_alloc(sock_net(sk), PF_INET, GFP_KERNEL,
-                        sk->sk_prot, 0);
+                        sk->sk_prot, kern);
         struct inet_sock *newinet;
 
         if (!newsk)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 6f0a9be50f50..0f378ea2ae38 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4116,7 +4116,7 @@ static int sctp_disconnect(struct sock *sk, int flags)
  * descriptor will be returned from accept() to represent the newly
  * formed association.
  */
-static struct sock *sctp_accept(struct sock *sk, int flags, int *err)
+static struct sock *sctp_accept(struct sock *sk, int flags, int *err, bool kern)
 {
         struct sctp_sock *sp;
         struct sctp_endpoint *ep;
@@ -4151,7 +4151,7 @@ static struct sock *sctp_accept(struct sock *sk, int flags, int *err)
          */
         asoc = list_entry(ep->asocs.next, struct sctp_association, asocs);
 
-        newsk = sp->pf->create_accept_sk(sk, asoc);
+        newsk = sp->pf->create_accept_sk(sk, asoc, kern);
         if (!newsk) {
                 error = -ENOMEM;
                 goto out;
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 85837ab90e89..093803786eac 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -944,7 +944,7 @@ out:
 }
 
 static int smc_accept(struct socket *sock, struct socket *new_sock,
-                      int flags)
+                      int flags, bool kern)
 {
         struct sock *sk = sock->sk, *nsk;
         DECLARE_WAITQUEUE(wait, current);
diff --git a/net/socket.c b/net/socket.c
index 2c1e8677ff2d..e034fe4164be 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1506,7 +1506,7 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
         if (err)
                 goto out_fd;
 
-        err = sock->ops->accept(sock, newsock, sock->file->f_flags);
+        err = sock->ops->accept(sock, newsock, sock->file->f_flags, false);
         if (err < 0)
                 goto out_fd;
 
@@ -1731,6 +1731,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
         /* We assume all kernel code knows the size of sockaddr_storage */
         msg.msg_namelen = 0;
         msg.msg_iocb = NULL;
+        msg.msg_flags = 0;
         if (sock->file->f_flags & O_NONBLOCK)
                 flags |= MSG_DONTWAIT;
         err = sock_recvmsg(sock, &msg, flags);
@@ -3238,7 +3239,7 @@ int kernel_accept(struct socket *sock, struct socket **newsock, int flags)
         if (err < 0)
                 goto done;
 
-        err = sock->ops->accept(sock, *newsock, flags);
+        err = sock->ops->accept(sock, *newsock, flags, true);
         if (err < 0) {
                 sock_release(*newsock);
                 *newsock = NULL;
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 81cd31acf690..3b332b395045 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -503,7 +503,8 @@ rpcrdma_ep_create(struct rpcrdma_ep *ep, struct rpcrdma_ia *ia,
         struct ib_cq *sendcq, *recvcq;
         int rc;
 
-        max_sge = min(ia->ri_device->attrs.max_sge, RPCRDMA_MAX_SEND_SGES);
+        max_sge = min_t(unsigned int, ia->ri_device->attrs.max_sge,
+                        RPCRDMA_MAX_SEND_SGES);
         if (max_sge < RPCRDMA_MIN_SEND_SGES) {
                 pr_warn("rpcrdma: HCA provides only %d send SGEs\n", max_sge);
                 return -ENOMEM;
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 43e4045e72bc..7130e73bd42c 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -115,7 +115,8 @@ static void tipc_data_ready(struct sock *sk);
 static void tipc_write_space(struct sock *sk);
 static void tipc_sock_destruct(struct sock *sk);
 static int tipc_release(struct socket *sock);
-static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags);
+static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags,
+                       bool kern);
 static void tipc_sk_timeout(unsigned long data);
 static int tipc_sk_publish(struct tipc_sock *tsk, uint scope,
                            struct tipc_name_seq const *seq);
@@ -2029,7 +2030,8 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo)
  *
  * Returns 0 on success, errno otherwise
  */
-static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags)
+static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags,
+                       bool kern)
 {
         struct sock *new_sk, *sk = sock->sk;
         struct sk_buff *buf;
@@ -2051,7 +2053,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags)
 
         buf = skb_peek(&sk->sk_receive_queue);
 
-        res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 0);
+        res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, kern);
         if (res)
                 goto exit;
         security_sk_clone(sock->sk, new_sock->sk);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index ee37b390260a..928691c43408 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -636,7 +636,7 @@ static int unix_bind(struct socket *, struct sockaddr *, int);
 static int unix_stream_connect(struct socket *, struct sockaddr *,
                                int addr_len, int flags);
 static int unix_socketpair(struct socket *, struct socket *);
-static int unix_accept(struct socket *, struct socket *, int);
+static int unix_accept(struct socket *, struct socket *, int, bool);
 static int unix_getname(struct socket *, struct sockaddr *, int *, int);
 static unsigned int unix_poll(struct file *, struct socket *, poll_table *);
 static unsigned int unix_dgram_poll(struct file *, struct socket *,
@@ -1402,7 +1402,8 @@ static void unix_sock_inherit_flags(const struct socket *old,
                 set_bit(SOCK_PASSSEC, &new->flags);
 }
 
-static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
+static int unix_accept(struct socket *sock, struct socket *newsock, int flags,
+                       bool kern)
 {
         struct sock *sk = sock->sk;
         struct sock *tsk;
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 9192ead66751..9f770f33c100 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1250,7 +1250,8 @@ out:
         return err;
 }
 
-static int vsock_accept(struct socket *sock, struct socket *newsock, int flags)
+static int vsock_accept(struct socket *sock, struct socket *newsock, int flags,
+                        bool kern)
 {
         struct sock *listener;
         int err;
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index fd28a49dbe8f..8b911c29860e 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -852,7 +852,8 @@ static int x25_wait_for_data(struct sock *sk, long timeout)
         return rc;
 }
 
-static int x25_accept(struct socket *sock, struct socket *newsock, int flags)
+static int x25_accept(struct socket *sock, struct socket *newsock, int flags,
+                      bool kern)
 {
         struct sock *sk = sock->sk;
         struct sock *newsk;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 0806dccdf507..236cbbc0ab9c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1243,7 +1243,7 @@ static inline int policy_to_flow_dir(int dir)
 }
 
 static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
-                                                 const struct flowi *fl)
+                                                 const struct flowi *fl, u16 family)
 {
         struct xfrm_policy *pol;
 
@@ -1251,8 +1251,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
  again:
         pol = rcu_dereference(sk->sk_policy[dir]);
         if (pol != NULL) {
-                bool match = xfrm_selector_match(&pol->selector, fl,
-                                                 sk->sk_family);
+                bool match = xfrm_selector_match(&pol->selector, fl, family);
                 int err = 0;
 
                 if (match) {
@@ -2239,7 +2238,7 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
         sk = sk_const_to_full_sk(sk);
         if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
                 num_pols = 1;
-                pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
+                pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl, family);
                 err = xfrm_expand_policies(fl, family, pols,
                                            &num_pols, &num_xfrms);
                 if (err < 0)
@@ -2518,7 +2517,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
         pol = NULL;
         sk = sk_to_full_sk(sk);
         if (sk && sk->sk_policy[dir]) {
-                pol = xfrm_sk_policy_lookup(sk, dir, &fl);
+                pol = xfrm_sk_policy_lookup(sk, dir, &fl, family);
                 if (IS_ERR(pol)) {
                         XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
                         return 0;
@@ -3069,6 +3068,11 @@ static int __net_init xfrm_net_init(struct net *net)
 {
         int rv;
 
+        /* Initialize the per-net locks here */
+        spin_lock_init(&net->xfrm.xfrm_state_lock);
+        spin_lock_init(&net->xfrm.xfrm_policy_lock);
+        mutex_init(&net->xfrm.xfrm_cfg_mutex);
+
         rv = xfrm_statistics_init(net);
         if (rv < 0)
                 goto out_statistics;
@@ -3085,11 +3089,6 @@ static int __net_init xfrm_net_init(struct net *net)
         if (rv < 0)
                 goto out;
 
-        /* Initialize the per-net locks here */
-        spin_lock_init(&net->xfrm.xfrm_state_lock);
-        spin_lock_init(&net->xfrm.xfrm_policy_lock);
-        mutex_init(&net->xfrm.xfrm_cfg_mutex);
-
         return 0;
 
 out: