Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Don't allow negative TCP reordering values, from Soheil Hassas
    Yeganeh.

 2) Don't overflow while parsing ipv6 header options, from Craig Gallek.

 3) Handle more cleanly the case where an individual route entry during
    a dump will not fit into the allocated netlink SKB, from David
    Ahern.

 4) Add missing CONFIG_INET dependency for mlx5e, from Arnd Bergmann.

 5) Allow neighbour updates to converge more quickly via gratuitous
    ARPs, from Ihar Hrachyshka.

 6) Fix compile error from CONFIG_INET is disabled, from Eric Dumazet.

 7) Fix use after free in x25 protocol init, from Lin Zhang.

 8) Valid VLAN pvid ranges passed into br_validate(), from Tobias
    Jungel.

 9) NULL out address lists in child sockets in SCTP, this is similar to
    the fix we made for inet connection sockets last week. From Eric
    Dumazet.

10) Fix NULL deref in mlxsw driver, from Ido Schimmel.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
  mlxsw: spectrum: Avoid possible NULL pointer dereference
  sh_eth: Do not print an error message for probe deferral
  sh_eth: Use platform device for printing before register_netdev()
  mlxsw: spectrum_router: Fix rif counter freeing routine
  mlxsw: spectrum_dpipe: Fix incorrect entry index
  cxgb4: update latest firmware version supported
  qmi_wwan: add another Lenovo EM74xx device ID
  sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
  udp: make *udp*_queue_rcv_skb() functions static
  bridge: netlink: check vlan_default_pvid range
  net: ethernet: faraday: To support device tree usage.
  net: x25: fix one potential use-after-free issue
  bpf: adjust verifier heuristics
  ipv6: Check ip6_find_1stfragopt() return value properly.
  selftests/bpf: fix broken build due to types.h
  bnxt_en: Check status of firmware DCBX agent before setting DCB_CAP_DCBX_HOST.
  bnxt_en: Call bnxt_dcb_init() after getting firmware DCBX configuration.
  net: fix compile error in skb_orphan_partial()
  ipv6: Prevent overrun when parsing v6 header options
  neighbour: update neigh timestamps iff update is effective
  ...

26 files changed, 157 insertions, 103 deletions

diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index c5ce7745b230..574f78824d8a 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -835,6 +835,13 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[])
                         return -EPROTONOSUPPORT;
                 }
         }
+
+        if (data[IFLA_BR_VLAN_DEFAULT_PVID]) {
+                __u16 defpvid = nla_get_u16(data[IFLA_BR_VLAN_DEFAULT_PVID]);
+
+                if (defpvid >= VLAN_VID_MASK)
+                        return -EINVAL;
+        }
 #endif
 
         return 0;
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 58b0bcc125b5..d274f81fcc2c 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1132,10 +1132,6 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                 lladdr = neigh->ha;
         }
 
-        if (new & NUD_CONNECTED)
-                neigh->confirmed = jiffies;
-        neigh->updated = jiffies;
-
         /* If entry was valid and address is not changed,
            do not change entry state, if new one is STALE.
          */
@@ -1157,6 +1153,16 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                 }
         }
 
+        /* Update timestamps only once we know we will make a change to the
+         * neighbour entry. Otherwise we risk to move the locktime window with
+         * noop updates and ignore relevant ARP updates.
+         */
+        if (new != old || lladdr != neigh->ha) {
+                if (new & NUD_CONNECTED)
+                        neigh->confirmed = jiffies;
+                neigh->updated = jiffies;
+        }
+
         if (new != old) {
                 neigh_del_timer(neigh);
                 if (new & NUD_PROBE)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index d7f82c3450b1..49a279a7cc15 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1627,13 +1627,13 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
                                                cb->nlh->nlmsg_seq, 0,
                                                flags,
                                                ext_filter_mask);
-                        /* If we ran out of room on the first message,
-                         * we're in trouble
-                         */
-                        WARN_ON((err == -EMSGSIZE) && (skb->len == 0));
 
-                        if (err < 0)
-                                goto out;
+                        if (err < 0) {
+                                if (likely(skb->len))
+                                        goto out;
+
+                                goto out_err;
+                        }
 
                         nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
@@ -1641,10 +1641,12 @@ cont:
                 }
         }
 out:
+        err = skb->len;
+out_err:
         cb->args[1] = idx;
         cb->args[0] = h;
 
-        return skb->len;
+        return err;
 }
 
 int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len,
@@ -3453,8 +3455,12 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
                                 err = br_dev->netdev_ops->ndo_bridge_getlink(
                                                 skb, portid, seq, dev,
                                                 filter_mask, NLM_F_MULTI);
-                                if (err < 0 && err != -EOPNOTSUPP)
-                                        break;
+                                if (err < 0 && err != -EOPNOTSUPP) {
+                                        if (likely(skb->len))
+                                                break;
+
+                                        goto out_err;
+                                }
                         }
                         idx++;
                 }
@@ -3465,16 +3471,22 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
                                                               seq, dev,
                                                               filter_mask,
                                                               NLM_F_MULTI);
-                                if (err < 0 && err != -EOPNOTSUPP)
-                                        break;
+                                if (err < 0 && err != -EOPNOTSUPP) {
+                                        if (likely(skb->len))
+                                                break;
+
+                                        goto out_err;
+                                }
                         }
                         idx++;
                 }
         }
+        err = skb->len;
+out_err:
         rcu_read_unlock();
         cb->args[0] = idx;
 
-        return skb->len;
+        return err;
 }
 
 static inline size_t bridge_nlmsg_size(void)
diff --git a/net/core/sock.c b/net/core/sock.c
index e43e71d7856b..727f924b7f91 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -139,10 +139,7 @@
 
 #include <trace/events/sock.h>
 
-#ifdef CONFIG_INET
 #include <net/tcp.h>
-#endif
-
 #include <net/busy_poll.h>
 
 static DEFINE_MUTEX(proto_list_mutex);
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 0937b34c27ca..d54345a06f72 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -653,6 +653,7 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
         unsigned char *arp_ptr;
         struct rtable *rt;
         unsigned char *sha;
+        unsigned char *tha = NULL;
         __be32 sip, tip;
         u16 dev_type = dev->type;
         int addr_type;
@@ -724,6 +725,7 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
                 break;
 #endif
         default:
+                tha = arp_ptr;
                 arp_ptr += dev->addr_len;
         }
         memcpy(&tip, arp_ptr, 4);
@@ -842,8 +844,18 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
                    It is possible, that this option should be enabled for some
                    devices (strip is candidate)
                  */
-                is_garp = arp->ar_op == htons(ARPOP_REQUEST) && tip == sip &&
-                          addr_type == RTN_UNICAST;
+                is_garp = tip == sip && addr_type == RTN_UNICAST;
+
+                /* Unsolicited ARP _replies_ also require target hwaddr to be
+                 * the same as source.
+                 */
+                if (is_garp && arp->ar_op == htons(ARPOP_REPLY))
+                        is_garp =
+                                /* IPv4 over IEEE 1394 doesn't provide target
+                                 * hardware address field in its ARP payload.
+                                 */
+                                tha &&
+                                !memcmp(tha, sha, dev->addr_len);
 
                 if (!n &&
                     ((arp->ar_op == htons(ARPOP_REPLY)  &&
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 39bd1edee676..83e3ed258467 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -763,7 +763,7 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
         unsigned int e = 0, s_e;
         struct fib_table *tb;
         struct hlist_head *head;
-        int dumped = 0;
+        int dumped = 0, err;
 
         if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) &&
             ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED)
@@ -783,20 +783,27 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
                         if (dumped)
                                 memset(&cb->args[2], 0, sizeof(cb->args) -
                                                  2 * sizeof(cb->args[0]));
-                        if (fib_table_dump(tb, skb, cb) < 0)
-                                goto out;
+                        err = fib_table_dump(tb, skb, cb);
+                        if (err < 0) {
+                                if (likely(skb->len))
+                                        goto out;
+
+                                goto out_err;
+                        }
                         dumped = 1;
 next:
                         e++;
                 }
         }
 out:
+        err = skb->len;
+out_err:
         rcu_read_unlock();
 
         cb->args[1] = e;
         cb->args[0] = h;
 
-        return skb->len;
+        return err;
 }
 
 /* Prepare and feed intra-kernel routing request.
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 1201409ba1dc..51182ff2b441 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1983,6 +1983,8 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb,
 
         /* rcu_read_lock is hold by caller */
         hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) {
+                int err;
+
                 if (i < s_i) {
                         i++;
                         continue;
@@ -1993,17 +1995,14 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb,
                         continue;
                 }
 
-                if (fib_dump_info(skb, NETLINK_CB(cb->skb).portid,
-                                  cb->nlh->nlmsg_seq,
-                                  RTM_NEWROUTE,
-                                  tb->tb_id,
-                                  fa->fa_type,
-                                  xkey,
-                                  KEYLENGTH - fa->fa_slen,
-                                  fa->fa_tos,
-                                  fa->fa_info, NLM_F_MULTI) < 0) {
+                err = fib_dump_info(skb, NETLINK_CB(cb->skb).portid,
+                                    cb->nlh->nlmsg_seq, RTM_NEWROUTE,
+                                    tb->tb_id, fa->fa_type,
+                                    xkey, KEYLENGTH - fa->fa_slen,
+                                    fa->fa_tos, fa->fa_info, NLM_F_MULTI);
+                if (err < 0) {
                         cb->args[4] = i;
-                        return -1;
+                        return err;
                 }
                 i++;
         }
@@ -2025,10 +2024,13 @@ int fib_table_dump(struct fib_table *tb, struct sk_buff *skb,
         t_key key = cb->args[3];
 
         while ((l = leaf_walk_rcu(&tp, key)) != NULL) {
-                if (fn_trie_dump_leaf(l, tb, skb, cb) < 0) {
+                int err;
+
+                err = fn_trie_dump_leaf(l, tb, skb, cb);
+                if (err < 0) {
                         cb->args[3] = key;
                         cb->args[2] = count;
-                        return -1;
+                        return err;
                 }
 
                 ++count;
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 3a02d52ed50e..551de4d023a8 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1980,6 +1980,20 @@ int ip_mr_input(struct sk_buff *skb)
         struct net *net = dev_net(skb->dev);
         int local = skb_rtable(skb)->rt_flags & RTCF_LOCAL;
         struct mr_table *mrt;
+        struct net_device *dev;
+
+        /* skb->dev passed in is the loX master dev for vrfs.
+         * As there are no vifs associated with loopback devices,
+         * get the proper interface that does have a vif associated with it.
+         */
+        dev = skb->dev;
+        if (netif_is_l3_master(skb->dev)) {
+                dev = dev_get_by_index_rcu(net, IPCB(skb)->iif);
+                if (!dev) {
+                        kfree_skb(skb);
+                        return -ENODEV;
+                }
+        }
 
         /* Packet is looped back after forward, it should not be
          * forwarded second time, but still can be delivered locally.
@@ -2017,7 +2031,7 @@ int ip_mr_input(struct sk_buff *skb)
         /* already under rcu_read_lock() */
         cache = ipmr_cache_find(mrt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr);
         if (!cache) {
-                int vif = ipmr_find_vif(mrt, skb->dev);
+                int vif = ipmr_find_vif(mrt, dev);
 
                 if (vif >= 0)
                         cache = ipmr_cache_find_any(mrt, ip_hdr(skb)->daddr,
@@ -2037,7 +2051,7 @@ int ip_mr_input(struct sk_buff *skb)
                 }
 
                 read_lock(&mrt_lock);
-                vif = ipmr_find_vif(mrt, skb->dev);
+                vif = ipmr_find_vif(mrt, dev);
                 if (vif >= 0) {
                         int err2 = ipmr_cache_unresolved(mrt, vif, skb);
                         read_unlock(&mrt_lock);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 06e2dbc2b4a2..174d4376baa5 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3190,7 +3190,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                         int delta;
 
                         /* Non-retransmitted hole got filled? That's reordering */
-                        if (reord < prior_fackets)
+                        if (reord < prior_fackets && reord <= tp->fackets_out)
                                 tcp_update_reordering(sk, tp->fackets_out - reord, 0);
 
                         delta = tcp_is_fack(tp) ? pkts_acked :
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ea6e4cff9faf..1d6219bf2d6b 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1612,7 +1612,7 @@ static void udp_v4_rehash(struct sock *sk)
         udp_lib_rehash(sk, new_hash);
 }
 
-int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         int rc;
 
@@ -1657,7 +1657,7 @@ EXPORT_SYMBOL(udp_encap_enable);
  * Note that in the success and error cases, the skb is assumed to
  * have either been requeued or freed.
  */
-int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         struct udp_sock *up = udp_sk(sk);
         int is_udplite = IS_UDPLITE(sk);
diff --git a/net/ipv4/udp_impl.h b/net/ipv4/udp_impl.h
index feb50a16398d..a8cf8c6fb60c 100644
--- a/net/ipv4/udp_impl.h
+++ b/net/ipv4/udp_impl.h
@@ -25,7 +25,6 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
                 int flags, int *addr_len);
 int udp_sendpage(struct sock *sk, struct page *page, int offset, size_t size,
                  int flags);
-int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
 void udp_destroy_sock(struct sock *sk);
 
 #ifdef CONFIG_PROC_FS
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 93e58a5e1837..280268f1dd7b 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
         const struct net_offload *ops;
         int proto;
         struct frag_hdr *fptr;
-        unsigned int unfrag_ip6hlen;
         unsigned int payload_len;
         u8 *prevhdr;
         int offset = 0;
@@ -116,8 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
                 skb->network_header = (u8 *)ipv6h - skb->head;
 
                 if (udpfrag) {
-                        unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-                        fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
+                        int err = ip6_find_1stfragopt(skb, &prevhdr);
+                        if (err < 0)
+                                return ERR_PTR(err);
+                        fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
                         fptr->frag_off = htons(offset);
                         if (skb->next)
                                 fptr->frag_off |= htons(IP6_MF);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 58f6288e9ba5..d4a31becbd25 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -597,7 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
         int ptr, offset = 0, err = 0;
         u8 *prevhdr, nexthdr = 0;
 
-        hlen = ip6_find_1stfragopt(skb, &prevhdr);
+        err = ip6_find_1stfragopt(skb, &prevhdr);
+        if (err < 0)
+                goto fail;
+        hlen = err;
         nexthdr = *prevhdr;
 
         mtu = ip6_skb_dst_mtu(skb);
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index cd4252346a32..e9065b8d3af8 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident);
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
         u16 offset = sizeof(struct ipv6hdr);
-        struct ipv6_opt_hdr *exthdr =
-                                (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
         unsigned int packet_len = skb_tail_pointer(skb) -
                 skb_network_header(skb);
         int found_rhdr = 0;
         *nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-        while (offset + 1 <= packet_len) {
+        while (offset <= packet_len) {
+                struct ipv6_opt_hdr *exthdr;
 
                 switch (**nexthdr) {
 
@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
                         return offset;
                 }
 
-                offset += ipv6_optlen(exthdr);
-                *nexthdr = &exthdr->nexthdr;
+                if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+                        return -EINVAL;
+
                 exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
                                                  offset);
+                offset += ipv6_optlen(exthdr);
+                *nexthdr = &exthdr->nexthdr;
         }
 
-        return offset;
+        return -EINVAL;
 }
 EXPORT_SYMBOL(ip6_find_1stfragopt);
 
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 04862abfe4ec..06ec39b79609 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -526,7 +526,7 @@ out:
         return;
 }
 
-int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         int rc;
 
@@ -569,7 +569,7 @@ void udpv6_encap_enable(void)
 }
 EXPORT_SYMBOL(udpv6_encap_enable);
 
-int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         struct udp_sock *up = udp_sk(sk);
         int is_udplite = IS_UDPLITE(sk);
diff --git a/net/ipv6/udp_impl.h b/net/ipv6/udp_impl.h
index e78bdc76dcc3..f180b3d85e31 100644
--- a/net/ipv6/udp_impl.h
+++ b/net/ipv6/udp_impl.h
@@ -26,7 +26,6 @@ int compat_udpv6_getsockopt(struct sock *sk, int level, int optname,
 int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
 int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
                   int flags, int *addr_len);
-int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
 void udpv6_destroy_sock(struct sock *sk);
 
 #ifdef CONFIG_PROC_FS
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index ac858c480f2f..a2267f80febb 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
         u8 frag_hdr_sz = sizeof(struct frag_hdr);
         __wsum csum;
         int tnl_hlen;
+        int err;
 
         mss = skb_shinfo(skb)->gso_size;
         if (unlikely(skb->len <= mss))
@@ -90,7 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
                 /* Find the unfragmentable header and shift it left by frag_hdr_sz
                  * bytes to insert fragment header.
                  */
-                unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+                err = ip6_find_1stfragopt(skb, &prevhdr);
+                if (err < 0)
+                        return ERR_PTR(err);
+                unfrag_ip6hlen = err;
                 nexthdr = *prevhdr;
                 *prevhdr = NEXTHDR_FRAGMENT;
                 unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 142b70e959af..f5b45b8b8b16 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -677,6 +677,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
         newnp = inet6_sk(newsk);
 
         memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+        newnp->ipv6_mc_list = NULL;
+        newnp->ipv6_ac_list = NULL;
+        newnp->ipv6_fl_list = NULL;
 
         rcu_read_lock();
         opt = rcu_dereference(np->opt);
diff --git a/net/smc/Kconfig b/net/smc/Kconfig
index c717ef0896aa..33954852f3f8 100644
--- a/net/smc/Kconfig
+++ b/net/smc/Kconfig
@@ -8,6 +8,10 @@ config SMC
           The Linux implementation of the SMC-R solution is designed as
           a separate socket family SMC.
 
+          Warning: SMC will expose all memory for remote reads and writes
+          once a connection is established.  Don't enable this option except
+          for tightly controlled lab environment.
+
           Select this option if you want to run SMC socket applications
 
 config SMC_DIAG
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index e41f594a1e1d..03ec058d18df 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -204,7 +204,7 @@ int smc_clc_send_confirm(struct smc_sock *smc)
         memcpy(&cclc.lcl.mac, &link->smcibdev->mac[link->ibport - 1], ETH_ALEN);
         hton24(cclc.qpn, link->roce_qp->qp_num);
         cclc.rmb_rkey =
-                htonl(conn->rmb_desc->mr_rx[SMC_SINGLE_LINK]->rkey);
+                htonl(conn->rmb_desc->rkey[SMC_SINGLE_LINK]);
         cclc.conn_idx = 1; /* for now: 1 RMB = 1 RMBE */
         cclc.rmbe_alert_token = htonl(conn->alert_token_local);
         cclc.qp_mtu = min(link->path_mtu, link->peer_mtu);
@@ -256,7 +256,7 @@ int smc_clc_send_accept(struct smc_sock *new_smc, int srv_first_contact)
         memcpy(&aclc.lcl.mac, link->smcibdev->mac[link->ibport - 1], ETH_ALEN);
         hton24(aclc.qpn, link->roce_qp->qp_num);
         aclc.rmb_rkey =
-                htonl(conn->rmb_desc->mr_rx[SMC_SINGLE_LINK]->rkey);
+                htonl(conn->rmb_desc->rkey[SMC_SINGLE_LINK]);
         aclc.conn_idx = 1;                      /* as long as 1 RMB = 1 RMBE */
         aclc.rmbe_alert_token = htonl(conn->alert_token_local);
         aclc.qp_mtu = link->path_mtu;
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 65020e93ff21..3ac09a629ea1 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -613,19 +613,8 @@ int smc_rmb_create(struct smc_sock *smc)
                         rmb_desc = NULL;
                         continue; /* if mapping failed, try smaller one */
                 }
-                rc = smc_ib_get_memory_region(lgr->lnk[SMC_SINGLE_LINK].roce_pd,
-                                              IB_ACCESS_REMOTE_WRITE |
-                                              IB_ACCESS_LOCAL_WRITE,
-                                             &rmb_desc->mr_rx[SMC_SINGLE_LINK]);
-                if (rc) {
-                        smc_ib_buf_unmap(lgr->lnk[SMC_SINGLE_LINK].smcibdev,
-                                         tmp_bufsize, rmb_desc,
-                                         DMA_FROM_DEVICE);
-                        kfree(rmb_desc->cpu_addr);
-                        kfree(rmb_desc);
-                        rmb_desc = NULL;
-                        continue;
-                }
+                rmb_desc->rkey[SMC_SINGLE_LINK] =
+                        lgr->lnk[SMC_SINGLE_LINK].roce_pd->unsafe_global_rkey;
                 rmb_desc->used = 1;
                 write_lock_bh(&lgr->rmbs_lock);
                 list_add(&rmb_desc->list,
@@ -668,6 +657,7 @@ int smc_rmb_rtoken_handling(struct smc_connection *conn,
 
         for (i = 0; i < SMC_RMBS_PER_LGR_MAX; i++) {
                 if ((lgr->rtokens[i][SMC_SINGLE_LINK].rkey == rkey) &&
+                    (lgr->rtokens[i][SMC_SINGLE_LINK].dma_addr == dma_addr) &&
                     test_bit(i, lgr->rtokens_used_mask)) {
                         conn->rtoken_idx = i;
                         return 0;
diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
index 27eb38056a27..b013cb43a327 100644
--- a/net/smc/smc_core.h
+++ b/net/smc/smc_core.h
@@ -93,7 +93,7 @@ struct smc_buf_desc {
         u64                     dma_addr[SMC_LINKS_PER_LGR_MAX];
                                                 /* mapped address of buffer */
         void                    *cpu_addr;      /* virtual address of buffer */
-        struct ib_mr            *mr_rx[SMC_LINKS_PER_LGR_MAX];
+        u32                     rkey[SMC_LINKS_PER_LGR_MAX];
                                                 /* for rmb only:
                                                  * rkey provided to peer
                                                  */
diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index cb69ab977cd7..b31715505a35 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -37,24 +37,6 @@ u8 local_systemid[SMC_SYSTEMID_LEN] = SMC_LOCAL_SYSTEMID_RESET;	/* unique system
                                                                  * identifier
                                                                  */
 
-int smc_ib_get_memory_region(struct ib_pd *pd, int access_flags,
-                             struct ib_mr **mr)
-{
-        int rc;
-
-        if (*mr)
-                return 0; /* already done */
-
-        /* obtain unique key -
-         * next invocation of get_dma_mr returns a different key!
-         */
-        *mr = pd->device->get_dma_mr(pd, access_flags);
-        rc = PTR_ERR_OR_ZERO(*mr);
-        if (IS_ERR(*mr))
-                *mr = NULL;
-        return rc;
-}
-
 static int smc_ib_modify_qp_init(struct smc_link *lnk)
 {
         struct ib_qp_attr qp_attr;
@@ -210,7 +192,8 @@ int smc_ib_create_protection_domain(struct smc_link *lnk)
 {
         int rc;
 
-        lnk->roce_pd = ib_alloc_pd(lnk->smcibdev->ibdev, 0);
+        lnk->roce_pd = ib_alloc_pd(lnk->smcibdev->ibdev,
+                                   IB_PD_UNSAFE_GLOBAL_RKEY);
         rc = PTR_ERR_OR_ZERO(lnk->roce_pd);
         if (IS_ERR(lnk->roce_pd))
                 lnk->roce_pd = NULL;
diff --git a/net/smc/smc_ib.h b/net/smc/smc_ib.h
index 7e1f0e24d177..b567152a526d 100644
--- a/net/smc/smc_ib.h
+++ b/net/smc/smc_ib.h
@@ -61,8 +61,6 @@ void smc_ib_dealloc_protection_domain(struct smc_link *lnk);
 int smc_ib_create_protection_domain(struct smc_link *lnk);
 void smc_ib_destroy_queue_pair(struct smc_link *lnk);
 int smc_ib_create_queue_pair(struct smc_link *lnk);
-int smc_ib_get_memory_region(struct ib_pd *pd, int access_flags,
-                             struct ib_mr **mr);
 int smc_ib_ready_link(struct smc_link *lnk);
 int smc_ib_modify_qp_rts(struct smc_link *lnk);
 int smc_ib_modify_qp_reset(struct smc_link *lnk);
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 8b911c29860e..5a1a98df3499 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1791,32 +1791,40 @@ void x25_kill_by_neigh(struct x25_neigh *nb)
 
 static int __init x25_init(void)
 {
-        int rc = proto_register(&x25_proto, 0);
+        int rc;
 
-        if (rc != 0)
+        rc = proto_register(&x25_proto, 0);
+        if (rc)
                 goto out;
 
         rc = sock_register(&x25_family_ops);
-        if (rc != 0)
+        if (rc)
                 goto out_proto;
 
         dev_add_pack(&x25_packet_type);
 
         rc = register_netdevice_notifier(&x25_dev_notifier);
-        if (rc != 0)
+        if (rc)
                 goto out_sock;
 
-        pr_info("Linux Version 0.2\n");
+        rc = x25_register_sysctl();
+        if (rc)
+                goto out_dev;
 
-        x25_register_sysctl();
         rc = x25_proc_init();
-        if (rc != 0)
-                goto out_dev;
+        if (rc)
+                goto out_sysctl;
+
+        pr_info("Linux Version 0.2\n");
+
 out:
         return rc;
+out_sysctl:
+        x25_unregister_sysctl();
 out_dev:
         unregister_netdevice_notifier(&x25_dev_notifier);
 out_sock:
+        dev_remove_pack(&x25_packet_type);
         sock_unregister(AF_X25);
 out_proto:
         proto_unregister(&x25_proto);
diff --git a/net/x25/sysctl_net_x25.c b/net/x25/sysctl_net_x25.c
index a06dfe143c67..ba078c85f0a1 100644
--- a/net/x25/sysctl_net_x25.c
+++ b/net/x25/sysctl_net_x25.c
@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = {
         { },
 };
 
-void __init x25_register_sysctl(void)
+int __init x25_register_sysctl(void)
 {
         x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table);
+        if (!x25_table_header)
+                return -ENOMEM;
+        return 0;
 }
 
 void x25_unregister_sysctl(void)