51 files changed, 357 insertions, 208 deletions
diff --git a/net/atm/atm_sysfs.c b/net/atm/atm_sysfs.c
index 799c631f0fed..f7fa67c78766 100644
--- a/net/atm/atm_sysfs.c
+++ b/net/atm/atm_sysfs.c
@@ -143,12 +143,13 @@ static struct class atm_class = {
        .dev_uevent             = atm_uevent,
 };
-int atm_register_sysfs(struct atm_dev *adev)
+int atm_register_sysfs(struct atm_dev *adev, struct device *parent)
 {
        struct device *cdev = &adev->class_dev;
        int i, j, err;
        cdev->class = &atm_class;
+        cdev->parent = parent;
        dev_set_drvdata(cdev, adev);
        dev_set_name(cdev, "%s%d", adev->type, adev->number);
diff --git a/net/atm/resources.c b/net/atm/resources.c
index d29e58261511..23f45ce6f351 100644
--- a/net/atm/resources.c
+++ b/net/atm/resources.c
@@ -74,8 +74,9 @@ struct atm_dev *atm_dev_lookup(int number)
 }
 EXPORT_SYMBOL(atm_dev_lookup);
-struct atm_dev *atm_dev_register(const char *type, const struct atmdev_ops *ops,
+struct atm_dev *atm_dev_register(const char *type, struct device *parent,
-                                 int number, unsigned long *flags)
+                                 const struct atmdev_ops *ops, int number,
+                                 unsigned long *flags)
 {
        struct atm_dev *dev, *inuse;
@@ -115,7 +116,7 @@ struct atm_dev *atm_dev_register(const char *type, const struct atmdev_ops *ops,
                goto out_fail;
        }
-        if (atm_register_sysfs(dev) < 0) {
+        if (atm_register_sysfs(dev, parent) < 0) {
                pr_err("atm_register_sysfs failed for dev %s\n", type);
                atm_proc_dev_deregister(dev);
                goto out_fail;
diff --git a/net/atm/resources.h b/net/atm/resources.h
index 126fb1840dfb..521431e30507 100644
--- a/net/atm/resources.h
+++ b/net/atm/resources.h
@@ -42,6 +42,6 @@ static inline void atm_proc_dev_deregister(struct atm_dev *dev)
 #endif /* CONFIG_PROC_FS */
-int atm_register_sysfs(struct atm_dev *adev);
+int atm_register_sysfs(struct atm_dev *adev, struct device *parent);
 void atm_unregister_sysfs(struct atm_dev *adev);
 #endif
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index fa642aa652bd..432a9a633e8d 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -311,6 +311,7 @@ static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
        d->state      = BT_OPEN;
        d->flags      = 0;
        d->mscex      = 0;
+        d->sec_level  = BT_SECURITY_LOW;
        d->mtu        = RFCOMM_DEFAULT_MTU;
        d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index d0927d1fdada..66b9e5c0523a 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -882,7 +882,7 @@ static int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type)
        int lm = 0;
        if (type != SCO_LINK && type != ESCO_LINK)
-                return 0;
+                return -EINVAL;
        BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
@@ -908,7 +908,7 @@ static int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
        BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
        if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
-                return 0;
+                return -EINVAL;
        if (!status) {
                struct sco_conn *conn;
@@ -927,7 +927,7 @@ static int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
        BT_DBG("hcon %p reason %d", hcon, reason);
        if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
-                return 0;
+                return -EINVAL;
        sco_conn_del(hcon, bt_err(reason));
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index eb5b256ffc88..f19e347f56f6 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -437,7 +437,7 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
        ip6h = ipv6_hdr(skb);
        *(__force __be32 *)ip6h = htonl(0x60000000);
-        ip6h->payload_len = 8 + sizeof(*mldq);
+        ip6h->payload_len = htons(8 + sizeof(*mldq));
        ip6h->nexthdr = IPPROTO_HOPOPTS;
        ip6h->hop_limit = 1;
        ipv6_addr_set(&ip6h->saddr, 0, 0, 0, 0);
diff --git a/net/ceph/Makefile b/net/ceph/Makefile
index aab1cabb8035..5f19415ec9c0 100644
--- a/net/ceph/Makefile
+++ b/net/ceph/Makefile
@@ -1,9 +1,6 @@
 #
 # Makefile for CEPH filesystem.
 #
-ifneq ($(KERNELRELEASE),)
 obj-$(CONFIG_CEPH_LIB) += libceph.o
 libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
@@ -16,22 +13,3 @@ libceph-objs := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
        ceph_fs.o ceph_strings.o ceph_hash.o \
        pagevec.o
-else
-#Otherwise we were called directly from the command
-# line; invoke the kernel build system.
-KERNELDIR ?= /lib/modules/$(shell uname -r)/build
-PWD := $(shell pwd)
-default: all
-all:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules
-modules_install:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) CONFIG_CEPH_LIB=m modules_install
-clean:
-        $(MAKE) -C $(KERNELDIR) M=$(PWD) clean
-endif
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 1c7a2ec4f3cc..b6ff4a1519ab 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -97,11 +97,9 @@ struct workqueue_struct *ceph_msgr_wq;
 int ceph_msgr_init(void)
 {
        ceph_msgr_wq = create_workqueue("ceph-msgr");
-        if (IS_ERR(ceph_msgr_wq)) {
+        if (!ceph_msgr_wq) {
-                int ret = PTR_ERR(ceph_msgr_wq);
+                pr_err("msgr_init failed to create workqueue\n");
-                pr_err("msgr_init failed to create workqueue: %d\n", ret);
+                return -ENOMEM;
-                ceph_msgr_wq = NULL;
-                return ret;
        }
        return 0;
 }
diff --git a/net/ceph/pagevec.c b/net/ceph/pagevec.c
index ac34feeb2b3a..1a040e64c69f 100644
--- a/net/ceph/pagevec.c
+++ b/net/ceph/pagevec.c
@@ -13,7 +13,7 @@
 * build a vector of user pages
 */
 struct page **ceph_get_direct_page_vector(const char __user *data,
-                                          int num_pages)
+                                          int num_pages, bool write_page)
 {
        struct page **pages;
        int rc;
@@ -24,24 +24,27 @@ struct page **ceph_get_direct_page_vector(const char __user *data,
        down_read(&current->mm->mmap_sem);
        rc = get_user_pages(current, current->mm, (unsigned long)data,
-                            num_pages, 0, 0, pages, NULL);
+                            num_pages, write_page, 0, pages, NULL);
        up_read(&current->mm->mmap_sem);
-        if (rc < 0)
+        if (rc < num_pages)
                goto fail;
        return pages;
 fail:
-        kfree(pages);
+        ceph_put_page_vector(pages, rc > 0 ? rc : 0, false);
        return ERR_PTR(rc);
 }
 EXPORT_SYMBOL(ceph_get_direct_page_vector);
-void ceph_put_page_vector(struct page **pages, int num_pages)
+void ceph_put_page_vector(struct page **pages, int num_pages, bool dirty)
 {
        int i;
-        for (i = 0; i < num_pages; i++)
+        for (i = 0; i < num_pages; i++) {
+                if (dirty)
+                        set_page_dirty_lock(pages[i]);
                put_page(pages[i]);
+        }
        kfree(pages);
 }
 EXPORT_SYMBOL(ceph_put_page_vector);
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 82a4369ae150..a20e5d3bbfa0 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -181,8 +181,7 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
 {
        int ret = 0;
-        if (rule->iifindex && (rule->iifindex != fl->iif) &&
+        if (rule->iifindex && (rule->iifindex != fl->iif))
-            !(fl->flags & FLOWI_FLAG_MATCH_ANY_IIF))
                goto out;
        if (rule->oifindex && (rule->oifindex != fl->oif))
diff --git a/net/core/filter.c b/net/core/filter.c
index c1ee800bc080..ae21a0d3c4a2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -589,23 +589,16 @@ int sk_chk_filter(struct sock_filter *filter, int flen)
 EXPORT_SYMBOL(sk_chk_filter);
 /**
- *      sk_filter_rcu_release - Release a socket filter by rcu_head
+ *      sk_filter_release_rcu - Release a socket filter by rcu_head
 *      @rcu: rcu_head that contains the sk_filter to free
 */
-static void sk_filter_rcu_release(struct rcu_head *rcu)
+void sk_filter_release_rcu(struct rcu_head *rcu)
 {
        struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
-        sk_filter_release(fp);
+        kfree(fp);
-}
-static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
-{
-        unsigned int size = sk_filter_len(fp);
-        atomic_sub(size, &sk->sk_omem_alloc);
-        call_rcu_bh(&fp->rcu, sk_filter_rcu_release);
 }
+EXPORT_SYMBOL(sk_filter_release_rcu);
 /**
 *      sk_attach_filter - attach a socket filter
@@ -649,7 +642,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
        rcu_assign_pointer(sk->sk_filter, fp);
        if (old_fp)
-                sk_filter_delayed_uncharge(sk, old_fp);
+                sk_filter_uncharge(sk, old_fp);
        return 0;
 }
 EXPORT_SYMBOL_GPL(sk_attach_filter);
@@ -663,7 +656,7 @@ int sk_detach_filter(struct sock *sk)
                                           sock_owned_by_user(sk));
        if (filter) {
                rcu_assign_pointer(sk->sk_filter, NULL);
-                sk_filter_delayed_uncharge(sk, filter);
+                sk_filter_uncharge(sk, filter);
                ret = 0;
        }
        return ret;
diff --git a/net/core/sock.c b/net/core/sock.c
index fb6080111461..e5af8d5d5b50 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1009,6 +1009,36 @@ static void sock_copy(struct sock *nsk, const struct sock *osk)
 #endif
 }
+/*
+ * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
+ * un-modified. Special care is taken when initializing object to zero.
+ */
+static inline void sk_prot_clear_nulls(struct sock *sk, int size)
+{
+        if (offsetof(struct sock, sk_node.next) != 0)
+                memset(sk, 0, offsetof(struct sock, sk_node.next));
+        memset(&sk->sk_node.pprev, 0,
+               size - offsetof(struct sock, sk_node.pprev));
+}
+void sk_prot_clear_portaddr_nulls(struct sock *sk, int size)
+{
+        unsigned long nulls1, nulls2;
+        nulls1 = offsetof(struct sock, __sk_common.skc_node.next);
+        nulls2 = offsetof(struct sock, __sk_common.skc_portaddr_node.next);
+        if (nulls1 > nulls2)
+                swap(nulls1, nulls2);
+        if (nulls1 != 0)
+                memset((char *)sk, 0, nulls1);
+        memset((char *)sk + nulls1 + sizeof(void *), 0,
+               nulls2 - nulls1 - sizeof(void *));
+        memset((char *)sk + nulls2 + sizeof(void *), 0,
+               size - nulls2 - sizeof(void *));
+}
+EXPORT_SYMBOL(sk_prot_clear_portaddr_nulls);
 static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
                int family)
 {
@@ -1021,19 +1051,12 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
                if (!sk)
                        return sk;
                if (priority & __GFP_ZERO) {
-                        /*
+                        if (prot->clear_sk)
-                         * caches using SLAB_DESTROY_BY_RCU should let
+                                prot->clear_sk(sk, prot->obj_size);
-                         * sk_node.next un-modified. Special care is taken
+                        else
-                         * when initializing object to zero.
+                                sk_prot_clear_nulls(sk, prot->obj_size);
-                         */
-                        if (offsetof(struct sock, sk_node.next) != 0)
-                                memset(sk, 0, offsetof(struct sock, sk_node.next));
-                        memset(&sk->sk_node.pprev, 0,
-                               prot->obj_size - offsetof(struct sock,
-                                                         sk_node.pprev));
                }
-        }
+        } else
-        else
                sk = kmalloc(prot->obj_size, priority);
        if (sk != NULL) {
diff --git a/net/core/timestamping.c b/net/core/timestamping.c
index 0ae6c22da85b..c19bb4ee405e 100644
--- a/net/core/timestamping.c
+++ b/net/core/timestamping.c
@@ -96,11 +96,13 @@ bool skb_defer_rx_timestamp(struct sk_buff *skb)
        struct phy_device *phydev;
        unsigned int type;
-        skb_push(skb, ETH_HLEN);
+        if (skb_headroom(skb) < ETH_HLEN)
+                return false;
+        __skb_push(skb, ETH_HLEN);
        type = classify(skb);
-        skb_pull(skb, ETH_HLEN);
+        __skb_pull(skb, ETH_HLEN);
        switch (type) {
        case PTP_CLASS_V1_IPV4:
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 265985370fa1..e424a09e83f6 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -239,7 +239,8 @@ static int dccp_check_seqno(struct sock *sk, struct sk_buff *skb)
                dccp_update_gsr(sk, seqno);
                if (dh->dccph_type != DCCP_PKT_SYNC &&
-                    (ackno != DCCP_PKT_WITHOUT_ACK_SEQ))
+                    ackno != DCCP_PKT_WITHOUT_ACK_SEQ &&
+                    after48(ackno, dp->dccps_gar))
                        dp->dccps_gar = ackno;
        } else {
                unsigned long now = jiffies;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index a76b78de679f..6f97268ed85f 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1556,6 +1556,8 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                        if (r_len > sizeof(struct linkinfo_dn))
                                r_len = sizeof(struct linkinfo_dn);
+                        memset(&link, 0, sizeof(link));
                        switch(sock->state) {
                                case SS_CONNECTING:
                                        link.idn_linkstate = LL_CONNECTING;
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index f8c1ae4b41f0..15dcc1a586b4 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
 #include <linux/skbuff.h>
 #include <linux/udp.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/sock.h>
 #include <net/inet_common.h>
 #include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 #endif
 #ifdef CONFIG_ECONET_AUNUDP
        struct msghdr udpmsg;
-        struct iovec iov[msg->msg_iovlen+1];
+        struct iovec iov[2];
        struct aunhdr ah;
        struct sockaddr_in udpdest;
        __kernel_size_t size;
-        int i;
        mm_segment_t oldfs;
+        char *userbuf;
 #endif
        /*
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        mutex_lock(&econet_mutex);
-        if (saddr == NULL) {
+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                struct econet_sock *eo = ec_sk(sk);
+                mutex_unlock(&econet_mutex);
+                return -EINVAL;
-                addr.station = eo->station;
+        }
-                addr.net     = eo->net;
+        addr.station = saddr->addr.station;
-                port         = eo->port;
+        addr.net = saddr->addr.net;
-                cb           = eo->cb;
+        port = saddr->port;
-        } else {
+        cb = saddr->cb;
-                if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                        mutex_unlock(&econet_mutex);
-                        return -EINVAL;
-                }
-                addr.station = saddr->addr.station;
-                addr.net = saddr->addr.net;
-                port = saddr->port;
-                cb = saddr->cb;
-        }
        /* Look for a device with the right network number. */
        dev = net2dev_map[addr.net];
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                }
        }
-        if (len + 15 > dev->mtu) {
-                mutex_unlock(&econet_mutex);
-                return -EMSGSIZE;
-        }
        if (dev->type == ARPHRD_ECONET) {
                /* Real hardware Econet.  We're not worthy etc. */
 #ifdef CONFIG_ECONET_NATIVE
                unsigned short proto = 0;
                int res;
+                if (len + 15 > dev->mtu) {
+                        mutex_unlock(&econet_mutex);
+                        return -EMSGSIZE;
+                }
                dev_hold(dev);
                skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                eb = (struct ec_cb *)&skb->cb;
-                /* BUG: saddr may be NULL */
                eb->cookie = saddr->cookie;
                eb->sec = *saddr;
                eb->sent = ec_tx_done;
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                return -ENETDOWN;               /* No socket - can't send */
        }
+        if (len > 32768) {
+                err = -E2BIG;
+                goto error;
+        }
        /* Make up a UDP datagram and hand it off to some higher intellect. */
        memset(&udpdest, 0, sizeof(udpdest));
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* tack our header on the front of the iovec */
        size = sizeof(struct aunhdr);
-        /*
-         * XXX: that is b0rken.  We can't mix userland and kernel pointers
-         * in iovec, since on a lot of platforms copy_from_user() will
-         * *not* work with the kernel and userland ones at the same time,
-         * regardless of what we do with set_fs().  And we are talking about
-         * econet-over-ethernet here, so "it's only ARM anyway" doesn't
-         * apply.  Any suggestions on fixing that code?         -- AV
-         */
        iov[0].iov_base = (void *)&ah;
        iov[0].iov_len = size;
-        for (i = 0; i < msg->msg_iovlen; i++) {
-                void __user *base = msg->msg_iov[i].iov_base;
+        userbuf = vmalloc(len);
-                size_t iov_len = msg->msg_iov[i].iov_len;
+        if (userbuf == NULL) {
-                /* Check it now since we switch to KERNEL_DS later. */
+                err = -ENOMEM;
-                if (!access_ok(VERIFY_READ, base, iov_len)) {
+                goto error;
-                        mutex_unlock(&econet_mutex);
-                        return -EFAULT;
-                }
-                iov[i+1].iov_base = base;
-                iov[i+1].iov_len = iov_len;
-                size += iov_len;
        }
+        iov[1].iov_base = userbuf;
+        iov[1].iov_len = len;
+        err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
+        if (err)
+                goto error_free_buf;
        /* Get a skbuff (no data, just holds our cb information) */
        if ((skb = sock_alloc_send_skb(sk, 0,
                                       msg->msg_flags & MSG_DONTWAIT,
-                                       &err)) == NULL) {
+                                       &err)) == NULL)
-                mutex_unlock(&econet_mutex);
+                goto error_free_buf;
-                return err;
-        }
        eb = (struct ec_cb *)&skb->cb;
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        udpmsg.msg_name = (void *)&udpdest;
        udpmsg.msg_namelen = sizeof(udpdest);
        udpmsg.msg_iov = &iov[0];
-        udpmsg.msg_iovlen = msg->msg_iovlen + 1;
+        udpmsg.msg_iovlen = 2;
        udpmsg.msg_control = NULL;
        udpmsg.msg_controllen = 0;
        udpmsg.msg_flags=0;
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
        oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
        err = sock_sendmsg(udpsock, &udpmsg, size);
        set_fs(oldfs);
+error_free_buf:
+        vfree(userbuf);
 #else
        err = -EPROTOTYPE;
 #endif
+        error:
        mutex_unlock(&econet_mutex);
        return err;
@@ -671,6 +661,11 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
        err = 0;
        switch (cmd) {
        case SIOCSIFADDR:
+                if (!capable(CAP_NET_ADMIN)) {
+                        err = -EPERM;
+                        break;
+                }
                edev = dev->ec_ptr;
                if (edev == NULL) {
                        /* Magic up a new one. */
@@ -856,9 +851,13 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
 {
        struct iphdr *ip = ip_hdr(skb);
        unsigned char stn = ntohl(ip->saddr) & 0xff;
+        struct dst_entry *dst = skb_dst(skb);
+        struct ec_device *edev = NULL;
        struct sock *sk = NULL;
        struct sk_buff *newskb;
-        struct ec_device *edev = skb->dev->ec_ptr;
+        if (dst)
+                edev = dst->dev->ec_ptr;
        if (! edev)
                goto bad;
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index eb6f69a8f27a..c19c1f739fba 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -163,13 +163,19 @@ struct net_device *__ip_dev_find(struct net *net, __be32 addr, bool devref)
                                .daddr = addr
                        }
                },
-                .flags = FLOWI_FLAG_MATCH_ANY_IIF
        };
        struct fib_result res = { 0 };
        struct net_device *dev = NULL;
+        struct fib_table *local_table;
+#ifdef CONFIG_IP_MULTIPLE_TABLES
+        res.r = NULL;
+#endif
        rcu_read_lock();
-        if (fib_lookup(net, &fl, &res)) {
+        local_table = fib_get_table(net, RT_TABLE_LOCAL);
+        if (!local_table ||
+            fib_table_lookup(local_table, &fl, &res, FIB_LOOKUP_NOREF)) {
                rcu_read_unlock();
                return NULL;
        }
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 1b344f30b463..3c0369a3a663 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -133,8 +133,7 @@ int __inet_inherit_port(struct sock *sk, struct sock *child)
                        }
                }
        }
-        sk_add_bind_node(child, &tb->owners);
+        inet_bind_hash(child, tb, port);
-        inet_csk(child)->icsk_bind_hash = tb;
        spin_unlock(&head->lock);
        return 0;
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index 1b48eb1ed453..b14ec7d03b6e 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -253,6 +253,7 @@ static const struct snmp_mib snmp4_net_list[] = {
        SNMP_MIB_ITEM("TCPMinTTLDrop", LINUX_MIB_TCPMINTTLDROP),
        SNMP_MIB_ITEM("TCPDeferAcceptDrop", LINUX_MIB_TCPDEFERACCEPTDROP),
        SNMP_MIB_ITEM("IPReversePathFilter", LINUX_MIB_IPRPFILTER),
+        SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
        SNMP_MIB_SENTINEL
 };
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 987bf9adb318..df948b0f1ac9 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2585,9 +2585,10 @@ static int ip_route_output_slow(struct net *net, struct rtable **rp,
                        goto out;
                /* RACE: Check return value of inet_select_addr instead. */
-                if (rcu_dereference(dev_out->ip_ptr) == NULL)
+                if (!(dev_out->flags & IFF_UP) || !__in_dev_get_rcu(dev_out)) {
-                        goto out;       /* Wrong error code */
+                        err = -ENETUNREACH;
+                        goto out;
+                }
                if (ipv4_is_local_multicast(oldflp->fl4_dst) ||
                    ipv4_is_lbcast(oldflp->fl4_dst)) {
                        if (!fl.fl4_src)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index e91911d7aae2..1b4ec21497a4 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -26,6 +26,8 @@ static int zero;
 static int tcp_retr1_max = 255;
 static int ip_local_port_range_min[] = { 1, 1 };
 static int ip_local_port_range_max[] = { 65535, 65535 };
+static int tcp_adv_win_scale_min = -31;
+static int tcp_adv_win_scale_max = 31;
 /* Update system visible IP port range */
 static void set_local_port_range(int range[2])
@@ -426,7 +428,9 @@ static struct ctl_table ipv4_table[] = {
                .data           = &sysctl_tcp_adv_win_scale,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = proc_dointvec
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &tcp_adv_win_scale_min,
+                .extra2         = &tcp_adv_win_scale_max,
        },
        {
                .procname       = "tcp_tw_reuse",
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 081419969485..f15c36a706ec 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
                /* Values greater than interface MTU won't take effect. However
                 * at the point when this call is done we typically don't yet
                 * know which interface is going to be used */
-                if (val < 64 || val > MAX_TCP_WINDOW) {
+                if (val < TCP_MIN_MSS || val > MAX_TCP_WINDOW) {
                        err = -EINVAL;
                        break;
                }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 69ccbc1dde9c..d978bb2f748b 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2030,7 +2030,7 @@ static void *listening_get_next(struct seq_file *seq, void *cur)
 get_req:
                        req = icsk->icsk_accept_queue.listen_opt->syn_table[st->sbucket];
                }
-                sk        = sk_next(st->syn_wait_sk);
+                sk        = sk_nulls_next(st->syn_wait_sk);
                st->state = TCP_SEQ_STATE_LISTENING;
                read_unlock_bh(&icsk->icsk_accept_queue.syn_wait_lock);
        } else {
@@ -2039,11 +2039,13 @@ get_req:
                if (reqsk_queue_len(&icsk->icsk_accept_queue))
                        goto start_req;
                read_unlock_bh(&icsk->icsk_accept_queue.syn_wait_lock);
-                sk = sk_next(sk);
+                sk = sk_nulls_next(sk);
        }
 get_sk:
        sk_nulls_for_each_from(sk, node) {
-                if (sk->sk_family == st->family && net_eq(sock_net(sk), net)) {
+                if (!net_eq(sock_net(sk), net))
+                        continue;
+                if (sk->sk_family == st->family) {
                        cur = sk;
                        goto out;
                }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 43cf901d7659..a66735f75963 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -347,7 +347,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
                 * socket up.  We've got bigger problems than
                 * non-graceful socket closings.
                 */
-                LIMIT_NETDEBUG(KERN_INFO "TCP: time wait bucket table overflow\n");
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPTIMEWAITOVERFLOW);
        }
        tcp_update_metrics(sk);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 05b1ecf36763..61c2463e2753 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -231,11 +231,10 @@ void tcp_select_initial_window(int __space, __u32 mss,
                /* when initializing use the value from init_rcv_wnd
                 * rather than the default from above
                 */
-                if (init_rcv_wnd &&
+                if (init_rcv_wnd)
-                    (*rcv_wnd > init_rcv_wnd * mss))
+                        *rcv_wnd = min(*rcv_wnd, init_rcv_wnd * mss);
-                        *rcv_wnd = init_rcv_wnd * mss;
+                else
-                else if (*rcv_wnd > init_cwnd * mss)
+                        *rcv_wnd = min(*rcv_wnd, init_cwnd * mss);
-                        *rcv_wnd = init_cwnd * mss;
        }
        /* Set the clamp no higher than max representable value */
@@ -386,27 +385,30 @@ struct tcp_out_options {
 */
 static u8 tcp_cookie_size_check(u8 desired)
 {
-        if (desired > 0) {
+        int cookie_size;
+        if (desired > 0)
                /* previously specified */
                return desired;
-        }
-        if (sysctl_tcp_cookie_size <= 0) {
+        cookie_size = ACCESS_ONCE(sysctl_tcp_cookie_size);
+        if (cookie_size <= 0)
                /* no default specified */
                return 0;
-        }
-        if (sysctl_tcp_cookie_size <= TCP_COOKIE_MIN) {
+        if (cookie_size <= TCP_COOKIE_MIN)
                /* value too small, specify minimum */
                return TCP_COOKIE_MIN;
-        }
-        if (sysctl_tcp_cookie_size >= TCP_COOKIE_MAX) {
+        if (cookie_size >= TCP_COOKIE_MAX)
                /* value too large, specify maximum */
                return TCP_COOKIE_MAX;
-        }
-        if (0x1 & sysctl_tcp_cookie_size) {
+        if (cookie_size & 1)
                /* 8-bit multiple, illegal, fix it */
-                return (u8)(sysctl_tcp_cookie_size + 0x1);
+                cookie_size++;
-        }
-        return (u8)sysctl_tcp_cookie_size;
+        return (u8)cookie_size;
 }
 /* Write previously computed TCP options to the packet.
@@ -1513,6 +1515,7 @@ static int tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb)
        struct tcp_sock *tp = tcp_sk(sk);
        const struct inet_connection_sock *icsk = inet_csk(sk);
        u32 send_win, cong_win, limit, in_flight;
+        int win_divisor;
        if (TCP_SKB_CB(skb)->flags & TCPHDR_FIN)
                goto send_now;
@@ -1544,13 +1547,14 @@ static int tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb)
        if ((skb != tcp_write_queue_tail(sk)) && (limit >= skb->len))
                goto send_now;
-        if (sysctl_tcp_tso_win_divisor) {
+        win_divisor = ACCESS_ONCE(sysctl_tcp_tso_win_divisor);
+        if (win_divisor) {
                u32 chunk = min(tp->snd_wnd, tp->snd_cwnd * tp->mss_cache);
                /* If at least some fraction of a window is available,
                 * just use it.
                 */
-                chunk /= sysctl_tcp_tso_win_divisor;
+                chunk /= win_divisor;
                if (limit >= chunk)
                        goto send_now;
        } else {
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 5e0a3a582a59..2d3ded4d0786 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1899,6 +1899,7 @@ struct proto udp_prot = {
        .compat_setsockopt = compat_udp_setsockopt,
        .compat_getsockopt = compat_udp_getsockopt,
 #endif
+        .clear_sk          = sk_prot_clear_portaddr_nulls,
 };
 EXPORT_SYMBOL(udp_prot);
diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c
index ab76aa928fa9..aee9963f7f5a 100644
--- a/net/ipv4/udplite.c
+++ b/net/ipv4/udplite.c
@@ -57,6 +57,7 @@ struct proto 	udplite_prot = {
        .compat_setsockopt = compat_udp_setsockopt,
        .compat_getsockopt = compat_udp_getsockopt,
 #endif
+        .clear_sk          = sk_prot_clear_portaddr_nulls,
 };
 EXPORT_SYMBOL(udplite_prot);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 23cc8e1ce8d4..848b35591042 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2669,7 +2669,9 @@ static int addrconf_ifdown(struct net_device *dev, int how)
        ASSERT_RTNL();
-        rt6_ifdown(net, dev);
+        /* Flush routes if device is being removed or it is not loopback */
+        if (how || !(dev->flags & IFF_LOOPBACK))
+                rt6_ifdown(net, dev);
        neigh_ifdown(&nd_tbl, dev);
        idev = __in6_dev_get(dev);
@@ -4021,11 +4023,11 @@ void inet6_ifinfo_notify(int event, struct inet6_dev *idev)
                kfree_skb(skb);
                goto errout;
        }
-        rtnl_notify(skb, net, 0, RTNLGRP_IPV6_IFADDR, NULL, GFP_ATOMIC);
+        rtnl_notify(skb, net, 0, RTNLGRP_IPV6_IFINFO, NULL, GFP_ATOMIC);
        return;
 errout:
        if (err < 0)
-                rtnl_set_sk_err(net, RTNLGRP_IPV6_IFADDR, err);
+                rtnl_set_sk_err(net, RTNLGRP_IPV6_IFINFO, err);
 }
 static inline size_t inet6_prefix_nlmsg_size(void)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 99157b4cd56e..94b5bf132b2e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -56,7 +56,7 @@
 #include <net/checksum.h>
 #include <linux/mroute6.h>
-static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));
+int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));
 int __ip6_local_out(struct sk_buff *skb)
 {
@@ -145,14 +145,6 @@ static int ip6_finish_output2(struct sk_buff *skb)
        return -EINVAL;
 }
-static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
-{
-        struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
-        return (np && np->pmtudisc == IPV6_PMTUDISC_PROBE) ?
-               skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
-}
 static int ip6_finish_output(struct sk_buff *skb)
 {
        if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
@@ -601,7 +593,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
        return offset;
 }
-static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 {
        struct sk_buff *frag;
        struct rt6_info *rt = (struct rt6_info*)skb_dst(skb);
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 2a59610c2a58..70e891a20fb9 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1175,6 +1175,8 @@ static void ip6_tnl_link_config(struct ip6_tnl *t)
                                sizeof (struct ipv6hdr);
                        dev->mtu = rt->rt6i_dev->mtu - sizeof (struct ipv6hdr);
+                        if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
+                                dev->mtu-=8;
                        if (dev->mtu < IPV6_MIN_MTU)
                                dev->mtu = IPV6_MIN_MTU;
@@ -1363,12 +1365,17 @@ static const struct net_device_ops ip6_tnl_netdev_ops = {
 static void ip6_tnl_dev_setup(struct net_device *dev)
 {
+        struct ip6_tnl *t;
        dev->netdev_ops = &ip6_tnl_netdev_ops;
        dev->destructor = ip6_dev_free;
        dev->type = ARPHRD_TUNNEL6;
        dev->hard_header_len = LL_MAX_HEADER + sizeof (struct ipv6hdr);
        dev->mtu = ETH_DATA_LEN - sizeof (struct ipv6hdr);
+        t = netdev_priv(dev);
+        if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
+                dev->mtu-=8;
        dev->flags |= IFF_NOARP;
        dev->addr_len = sizeof(struct in6_addr);
        dev->features |= NETIF_F_NETNS_LOCAL;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 96455ffb76fb..7659d6f16e6b 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1565,11 +1565,16 @@ static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr,
 {
        struct rt6_info *rt, *nrt;
        int allfrag = 0;
+again:
        rt = rt6_lookup(net, daddr, saddr, ifindex, 0);
        if (rt == NULL)
                return;
+        if (rt6_check_expired(rt)) {
+                ip6_del_rt(rt);
+                goto again;
+        }
        if (pmtu >= dst_mtu(&rt->dst))
                goto out;
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index d6bfaec3bbbf..8c4d00c7cd2b 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -606,8 +606,9 @@ static int ipip6_rcv(struct sk_buff *skb)
                return 0;
        }
-        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+        /* no tunnel matched,  let upstream know, ipsec may handle it */
        rcu_read_unlock();
+        return 1;
 out:
        kfree_skb(skb);
        return 0;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 91def93bec85..cd6cb7c3e563 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1477,6 +1477,7 @@ struct proto udpv6_prot = {
        .compat_setsockopt = compat_udpv6_setsockopt,
        .compat_getsockopt = compat_udpv6_getsockopt,
 #endif
+        .clear_sk          = sk_prot_clear_portaddr_nulls,
 };
 static struct inet_protosw udpv6_protosw = {
diff --git a/net/ipv6/udplite.c b/net/ipv6/udplite.c
index 5f48fadc27f7..986c4de5292e 100644
--- a/net/ipv6/udplite.c
+++ b/net/ipv6/udplite.c
@@ -55,6 +55,7 @@ struct proto udplitev6_prot = {
        .compat_setsockopt = compat_udpv6_setsockopt,
        .compat_getsockopt = compat_udpv6_getsockopt,
 #endif
+        .clear_sk          = sk_prot_clear_portaddr_nulls,
 };
 static struct inet_protosw udplite6_protosw = {
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 6434bd5ce088..8e688b3de9ab 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -17,6 +17,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <net/dst.h>
 #include <net/ipv6.h>
+#include <net/ip6_route.h>
 #include <net/xfrm.h>
 int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
@@ -88,8 +89,21 @@ static int xfrm6_output_finish(struct sk_buff *skb)
        return xfrm_output(skb);
 }
+static int __xfrm6_output(struct sk_buff *skb)
+{
+        struct dst_entry *dst = skb_dst(skb);
+        struct xfrm_state *x = dst->xfrm;
+        if ((x && x->props.mode == XFRM_MODE_TUNNEL) &&
+            ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
+                dst_allfrag(skb_dst(skb)))) {
+                        return ip6_fragment(skb, xfrm6_output_finish);
+        }
+        return xfrm6_output_finish(skb);
+}
 int xfrm6_output(struct sk_buff *skb)
 {
        return NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL,
-                       skb_dst(skb)->dev, xfrm6_output_finish);
+                       skb_dst(skb)->dev, __xfrm6_output);
 }
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index a6de3059746d..c9890e25cd4c 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2280,6 +2280,16 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
        switch (optname) {
        case IRLMP_ENUMDEVICES:
+                /* Offset to first device entry */
+                offset = sizeof(struct irda_device_list) -
+                        sizeof(struct irda_device_info);
+                if (len < offset) {
+                        err = -EINVAL;
+                        goto out;
+                }
                /* Ask lmp for the current discovery log */
                discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
                                                    self->nslots);
@@ -2290,15 +2300,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
                }
                /* Write total list length back to client */
-                if (copy_to_user(optval, &list,
+                if (copy_to_user(optval, &list, offset))
-                                 sizeof(struct irda_device_list) -
-                                 sizeof(struct irda_device_info)))
                        err = -EFAULT;
-                /* Offset to first device entry */
-                offset = sizeof(struct irda_device_list) -
-                        sizeof(struct irda_device_info);
                /* Copy the list itself - watch for overflow */
                if (list.len > 2048) {
                        err = -EINVAL;
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 0bf6a59545ab..522e219f3558 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -674,4 +674,8 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
 MODULE_DESCRIPTION("L2TP over IP");
 MODULE_VERSION("1.0");
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, SOCK_DGRAM, IPPROTO_L2TP);
+/* Use the value of SOCK_DGRAM (2) directory, because __stringify does't like
+ * enums
+ */
+MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 2, IPPROTO_L2TP);
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 582612998211..e35dbe55f520 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -317,8 +317,9 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
                goto out;
        rc = -ENODEV;
        rtnl_lock();
+        rcu_read_lock();
        if (sk->sk_bound_dev_if) {
-                llc->dev = dev_get_by_index(&init_net, sk->sk_bound_dev_if);
+                llc->dev = dev_get_by_index_rcu(&init_net, sk->sk_bound_dev_if);
                if (llc->dev) {
                        if (!addr->sllc_arphrd)
                                addr->sllc_arphrd = llc->dev->type;
@@ -329,13 +330,13 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
                            !llc_mac_match(addr->sllc_mac,
                                           llc->dev->dev_addr)) {
                                rc = -EINVAL;
-                                dev_put(llc->dev);
                                llc->dev = NULL;
                        }
                }
        } else
                llc->dev = dev_getbyhwaddr(&init_net, addr->sllc_arphrd,
                                           addr->sllc_mac);
+        rcu_read_unlock();
        rtnl_unlock();
        if (!llc->dev)
                goto out;
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index 4d6f8653ec88..8e8ea9cb7093 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -92,7 +92,7 @@ config MAC80211_MESH
 config MAC80211_LEDS
        bool "Enable LED triggers"
        depends on MAC80211
-        select NEW_LEDS
+        depends on LEDS_CLASS
        select LEDS_TRIGGERS
        ---help---
          This option enables a few LED triggers for different
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 239c4836a946..077a93dd1671 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -780,6 +780,9 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
        mutex_lock(&sdata->u.ibss.mtx);
+        if (!sdata->u.ibss.ssid_len)
+                goto mgmt_out; /* not ready to merge yet */
        switch (fc & IEEE80211_FCTL_STYPE) {
        case IEEE80211_STYPE_PROBE_REQ:
                ieee80211_rx_mgmt_probe_req(sdata, mgmt, skb->len);
@@ -797,6 +800,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                break;
        }
+ mgmt_out:
        mutex_unlock(&sdata->u.ibss.mtx);
 }
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 902b03ee8f60..b01e467b76c6 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1788,9 +1788,11 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                        fwd_skb = skb_copy(skb, GFP_ATOMIC);
-                        if (!fwd_skb && net_ratelimit())
+                        if (!fwd_skb && net_ratelimit()) {
                                printk(KERN_DEBUG "%s: failed to clone mesh frame\n",
                                                   sdata->name);
+                                goto out;
+                        }
                        fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
                        memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
@@ -1828,6 +1830,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                }
        }
+ out:
        if (is_multicast_ether_addr(hdr->addr1) ||
            sdata->dev->flags & IFF_PROMISC)
                return RX_CONTINUE;
@@ -2247,6 +2250,10 @@ ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
                break;
        case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
        case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
+                if (is_multicast_ether_addr(mgmt->da) &&
+                    !is_broadcast_ether_addr(mgmt->da))
+                        return RX_DROP_MONITOR;
                /* process only for station */
                if (sdata->vif.type != NL80211_IFTYPE_STATION)
                        return RX_DROP_MONITOR;
@@ -2741,6 +2748,7 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
                        if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
                                return;
+                        goto out;
                }
        }
@@ -2780,6 +2788,7 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
                        return;
        }
+ out:
        dev_kfree_skb(skb);
 }
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 96c594309506..7a637b80a62e 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1587,7 +1587,12 @@ static void ieee80211_xmit(struct ieee80211_sub_if_data *sdata,
                                                list) {
                                if (!ieee80211_sdata_running(tmp_sdata))
                                        continue;
-                                if (tmp_sdata->vif.type != NL80211_IFTYPE_AP)
+                                if (tmp_sdata->vif.type ==
+                                    NL80211_IFTYPE_MONITOR ||
+                                    tmp_sdata->vif.type ==
+                                    NL80211_IFTYPE_AP_VLAN ||
+                                        tmp_sdata->vif.type ==
+                                    NL80211_IFTYPE_WDS)
                                        continue;
                                if (compare_ether_addr(tmp_sdata->vif.addr,
                                                       hdr->addr2) == 0) {
@@ -1732,15 +1737,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
        int nh_pos, h_pos;
        struct sta_info *sta = NULL;
        u32 sta_flags = 0;
+        struct sk_buff *tmp_skb;
        if (unlikely(skb->len < ETH_HLEN)) {
                ret = NETDEV_TX_OK;
                goto fail;
        }
-        nh_pos = skb_network_header(skb) - skb->data;
-        h_pos = skb_transport_header(skb) - skb->data;
        /* convert Ethernet header to proper 802.11 header (based on
         * operation mode) */
        ethertype = (skb->data[12] << 8) | skb->data[13];
@@ -1913,6 +1916,20 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                goto fail;
        }
+        /*
+         * If the skb is shared we need to obtain our own copy.
+         */
+        if (skb_shared(skb)) {
+                tmp_skb = skb;
+                skb = skb_copy(skb, GFP_ATOMIC);
+                kfree_skb(tmp_skb);
+                if (!skb) {
+                        ret = NETDEV_TX_OK;
+                        goto fail;
+                }
+        }
        hdr.frame_control = fc;
        hdr.duration_id = 0;
        hdr.seq_ctrl = 0;
@@ -1931,6 +1948,9 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                encaps_len = 0;
        }
+        nh_pos = skb_network_header(skb) - skb->data;
+        h_pos = skb_transport_header(skb) - skb->data;
        skb_pull(skb, skip_header_bytes);
        nh_pos -= skip_header_bytes;
        h_pos -= skip_header_bytes;
diff --git a/net/mac80211/work.c b/net/mac80211/work.c
index ae344d1ba056..146097cb43a7 100644
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -1051,11 +1051,13 @@ void ieee80211_work_purge(struct ieee80211_sub_if_data *sdata)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_work *wk;
+        bool cleanup = false;
        mutex_lock(&local->mtx);
        list_for_each_entry(wk, &local->work_list, list) {
                if (wk->sdata != sdata)
                        continue;
+                cleanup = true;
                wk->type = IEEE80211_WORK_ABORT;
                wk->started = true;
                wk->timeout = jiffies;
@@ -1063,7 +1065,8 @@ void ieee80211_work_purge(struct ieee80211_sub_if_data *sdata)
        mutex_unlock(&local->mtx);
        /* run cleanups etc. */
-        ieee80211_work_work(&local->work_work);
+        if (cleanup)
+                ieee80211_work_work(&local->work_work);
        mutex_lock(&local->mtx);
        list_for_each_entry(wk, &local->work_list, list) {
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 3cf478d012dd..7150705f1d0b 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -270,7 +270,6 @@ static unsigned int sfq_drop(struct Qdisc *sch)
                /* It is difficult to believe, but ALL THE SLOTS HAVE LENGTH 1. */
                d = q->next[q->tail];
                q->next[q->tail] = q->next[d];
-                q->allot[q->next[d]] += q->quantum;
                skb = q->qs[d].prev;
                len = qdisc_pkt_len(skb);
                __skb_unlink(skb, &q->qs[d]);
@@ -321,14 +320,13 @@ sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        sfq_inc(q, x);
        if (q->qs[x].qlen == 1) {               /* The flow is new */
                if (q->tail == SFQ_DEPTH) {     /* It is the first flow */
-                        q->tail = x;
                        q->next[x] = x;
-                        q->allot[x] = q->quantum;
                } else {
                        q->next[x] = q->next[q->tail];
                        q->next[q->tail] = x;
-                        q->tail = x;
                }
+                q->tail = x;
+                q->allot[x] = q->quantum;
        }
        if (++sch->q.qlen <= q->limit) {
                sch->bstats.bytes += qdisc_pkt_len(skb);
@@ -359,13 +357,13 @@ sfq_dequeue(struct Qdisc *sch)
 {
        struct sfq_sched_data *q = qdisc_priv(sch);
        struct sk_buff *skb;
-        sfq_index a, old_a;
+        sfq_index a, next_a;
        /* No active slots */
        if (q->tail == SFQ_DEPTH)
                return NULL;
-        a = old_a = q->next[q->tail];
+        a = q->next[q->tail];
        /* Grab packet */
        skb = __skb_dequeue(&q->qs[a]);
@@ -376,17 +374,15 @@ sfq_dequeue(struct Qdisc *sch)
        /* Is the slot empty? */
        if (q->qs[a].qlen == 0) {
                q->ht[q->hash[a]] = SFQ_DEPTH;
-                a = q->next[a];
+                next_a = q->next[a];
-                if (a == old_a) {
+                if (a == next_a) {
                        q->tail = SFQ_DEPTH;
                        return skb;
                }
-                q->next[q->tail] = a;
+                q->next[q->tail] = next_a;
-                q->allot[a] += q->quantum;
        } else if ((q->allot[a] -= qdisc_pkt_len(skb)) <= 0) {
-                q->tail = a;
-                a = q->next[a];
                q->allot[a] += q->quantum;
+                q->tail = a;
        }
        return skb;
 }
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 6bd554323a34..fff0926b1111 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2932,6 +2932,7 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva
        struct sctp_association *asoc = NULL;
        struct sctp_setpeerprim prim;
        struct sctp_chunk       *chunk;
+        struct sctp_af          *af;
        int                     err;
        sp = sctp_sk(sk);
@@ -2959,6 +2960,13 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva
        if (!sctp_state(asoc, ESTABLISHED))
                return -ENOTCONN;
+        af = sctp_get_af_specific(prim.sspp_addr.ss_family);
+        if (!af)
+                return -EINVAL;
+        if (!af->addr_valid((union sctp_addr *)&prim.sspp_addr, sp, NULL))
+                return -EADDRNOTAVAIL;
        if (!sctp_assoc_lookup_laddr(asoc, (union sctp_addr *)&prim.sspp_addr))
                return -EADDRNOTAVAIL;
@@ -5045,7 +5053,7 @@ static int sctp_getsockopt_partial_delivery_point(struct sock *sk, int len,
        if (copy_to_user(optval, &val, len))
                return -EFAULT;
-        return -ENOTSUPP;
+        return 0;
 }
 /*
diff --git a/net/socket.c b/net/socket.c
index 3ca2fd9e3720..088fb3fd45e0 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -732,6 +732,21 @@ static int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg,
        return ret;
 }
+/**
+ * kernel_recvmsg - Receive a message from a socket (kernel space)
+ * @sock:       The socket to receive the message from
+ * @msg:        Received message
+ * @vec:        Input s/g array for message data
+ * @num:        Size of input s/g array
+ * @size:       Number of bytes to read
+ * @flags:      Message flags (MSG_DONTWAIT, etc...)
+ *
+ * On return the msg structure contains the scatter/gather array passed in the
+ * vec argument. The array is modified so that it consists of the unfilled
+ * portion of the original array.
+ *
+ * The returned value is the total number of bytes received, or an error.
+ */
 int kernel_recvmsg(struct socket *sock, struct msghdr *msg,
                   struct kvec *vec, size_t num, size_t size, int flags)
 {
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index ea2ff78dcf7b..3f2c5559ca1a 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -212,6 +212,7 @@ int svc_create_xprt(struct svc_serv *serv, const char *xprt_name,
        spin_lock(&svc_xprt_class_lock);
        list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) {
                struct svc_xprt *newxprt;
+                unsigned short newport;
                if (strcmp(xprt_name, xcl->xcl_name))
                        continue;
@@ -230,8 +231,9 @@ int svc_create_xprt(struct svc_serv *serv, const char *xprt_name,
                spin_lock_bh(&serv->sv_lock);
                list_add(&newxprt->xpt_list, &serv->sv_permsocks);
                spin_unlock_bh(&serv->sv_lock);
+                newport = svc_xprt_local_port(newxprt);
                clear_bit(XPT_BUSY, &newxprt->xpt_flags);
-                return svc_xprt_local_port(newxprt);
+                return newport;
        }
 err:
        spin_unlock(&svc_xprt_class_lock);
@@ -425,8 +427,13 @@ void svc_xprt_received(struct svc_xprt *xprt)
 {
        BUG_ON(!test_bit(XPT_BUSY, &xprt->xpt_flags));
        xprt->xpt_pool = NULL;
+        /* As soon as we clear busy, the xprt could be closed and
+         * 'put', so we need a reference to call svc_xprt_enqueue with:
+         */
+        svc_xprt_get(xprt);
        clear_bit(XPT_BUSY, &xprt->xpt_flags);
        svc_xprt_enqueue(xprt);
+        svc_xprt_put(xprt);
 }
 EXPORT_SYMBOL_GPL(svc_xprt_received);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 3c95304a0817..2268e6798124 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1343,9 +1343,25 @@ static void unix_destruct_scm(struct sk_buff *skb)
        sock_wfree(skb);
 }
+#define MAX_RECURSION_LEVEL 4
 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 {
        int i;
+        unsigned char max_level = 0;
+        int unix_sock_count = 0;
+        for (i = scm->fp->count - 1; i >= 0; i--) {
+                struct sock *sk = unix_get_socket(scm->fp->fp[i]);
+                if (sk) {
+                        unix_sock_count++;
+                        max_level = max(max_level,
+                                        unix_sk(sk)->recursion_level);
+                }
+        }
+        if (unlikely(max_level > MAX_RECURSION_LEVEL))
+                return -ETOOMANYREFS;
        /*
         * Need to duplicate file references for the sake of garbage
@@ -1356,9 +1372,11 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
        if (!UNIXCB(skb).fp)
                return -ENOMEM;
-        for (i = scm->fp->count-1; i >= 0; i--)
+        if (unix_sock_count) {
-                unix_inflight(scm->fp->fp[i]);
+                for (i = scm->fp->count - 1; i >= 0; i--)
-        return 0;
+                        unix_inflight(scm->fp->fp[i]);
+        }
+        return max_level;
 }
 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
@@ -1393,6 +1411,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        struct sk_buff *skb;
        long timeo;
        struct scm_cookie tmp_scm;
+        int max_level;
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
@@ -1431,8 +1450,9 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
                goto out;
        err = unix_scm_to_skb(siocb->scm, skb, true);
-        if (err)
+        if (err < 0)
                goto out_free;
+        max_level = err + 1;
        unix_get_secdata(siocb->scm, skb);
        skb_reset_transport_header(skb);
@@ -1514,6 +1534,8 @@ restart:
        if (sock_flag(other, SOCK_RCVTSTAMP))
                __net_timestamp(skb);
        skb_queue_tail(&other->sk_receive_queue, skb);
+        if (max_level > unix_sk(other)->recursion_level)
+                unix_sk(other)->recursion_level = max_level;
        unix_state_unlock(other);
        other->sk_data_ready(other, len);
        sock_put(other);
@@ -1544,6 +1566,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
        int sent = 0;
        struct scm_cookie tmp_scm;
        bool fds_sent = false;
+        int max_level;
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
@@ -1607,10 +1630,11 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                /* Only send the fds in the first buffer */
                err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
-                if (err) {
+                if (err < 0) {
                        kfree_skb(skb);
                        goto out_err;
                }
+                max_level = err + 1;
                fds_sent = true;
                err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
@@ -1626,6 +1650,8 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                        goto pipe_err_free;
                skb_queue_tail(&other->sk_receive_queue, skb);
+                if (max_level > unix_sk(other)->recursion_level)
+                        unix_sk(other)->recursion_level = max_level;
                unix_state_unlock(other);
                other->sk_data_ready(other, size);
                sent += size;
@@ -1845,6 +1871,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                unix_state_lock(sk);
                skb = skb_dequeue(&sk->sk_receive_queue);
                if (skb == NULL) {
+                        unix_sk(sk)->recursion_level = 0;
                        if (copied >= target)
                                goto unlock;
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index c8df6fda0b1f..f89f83bf828e 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -96,7 +96,7 @@ static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
 unsigned int unix_tot_inflight;
-static struct sock *unix_get_socket(struct file *filp)
+struct sock *unix_get_socket(struct file *filp)
 {
        struct sock *u_sock = NULL;
        struct inode *inode = filp->f_path.dentry->d_inode;
@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
 }
 static bool gc_in_progress = false;
+#define UNIX_INFLIGHT_TRIGGER_GC 16000
 void wait_for_unix_gc(void)
 {
+        /*
+         * If number of inflight sockets is insane,
+         * force a garbage collect right now.
+         */
+        if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
+                unix_gc();
        wait_event(unix_gc_wait, gc_in_progress == false);
 }
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index 73e7b954ad28..b25c6463c3e9 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -394,6 +394,7 @@ void __exit x25_link_free(void)
        list_for_each_safe(entry, tmp, &x25_neigh_list) {
                nb = list_entry(entry, struct x25_neigh, node);
                __x25_remove_neigh(nb);
+                dev_put(nb->dev);
        }
        write_unlock_bh(&x25_neigh_list_lock);
 }
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index eb96ce52f178..220ebc05c7af 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1268,7 +1268,7 @@ struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
        return xc;
 error:
-        kfree(xc);
+        xfrm_state_put(xc);
        return NULL;
 }
 EXPORT_SYMBOL(xfrm_state_migrate);