Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix bluetooth userland regression reported by Keith Packard, from
    Gustavo Padovan.

 2) Revert ath9k PS idle change, from Sujith Manoharan.

 3) Correct default TCP memory limits (again), from Eric Dumazet.

 4) Fix tcp_rcv_rtt_update() accidental use of unscaled RTT, from Neal
    Cardwell.

 5) We made a facility for layers like wireless to say how much tailroom
    they need in the SKB for link layer stuff such as wireless
    encryption etc., but TCP works hard to fill every SKB out to the end
    defeating this specification.

    This leads to every TCP packet getting reallocated by the wireless
    code in order to have the right amount of tailroom available.

    Fix TCP to only fill SKBs out to the real amount of data area it
    asked for during the allocation, this way it won't eat into the
    slack added for the device's tailroom needs.

    Reported by Marc Merlin and fixed by Eric Dumazet.

 6) Leaks, endian bugs, and new device IDs in bluetooth from Santosh
    Nayak, João Paulo Rechi Vita, Cho, Yu-Chen, Andrei Emeltchenko,
    AceLan Kao, and Andrei Emeltchenko.

 7) OOPS on tty_close fix in bluetooth's hci_ldisc from Johan Hovold.

 8) netfilter erroneously scales TCP window twice, fix from Changli Gao.

 9) Memleak fix in wext-core from Julia Lawall.

10) Consistently handle invalid TCP packets in ipv4 vs.  ipv6 conntrack,
    from Jozsef Kadlecsik.

11) Validate IP header length properly in netfilter conntrack's
    ipv4_get_l4proto().

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (39 commits)
  NFC: Fix the LLCP Tx fragmentation loop
  rtlwifi: Add missing DMA buffer unmapping for PCI drivers
  rtlwifi: Preallocate USB read buffers and eliminate kalloc in read routine
  tcp: avoid order-1 allocations on wifi and tx path
  net: allow pskb_expand_head() to get maximum tailroom
  bridge: Do not send queries on multicast group leaves
  MAINTAINERS: Mark NATSEMI driver as orphan'd.
  tcp: fix tcp_rcv_rtt_update() use of an unscaled RTT sample
  tcp: restore correct limit
  Revert "ath9k: fix going to full-sleep on PS idle"
  rt2x00: Fix rfkill_polling register function.
  bcma: fix build error on MIPS; implicit pcibios_enable_device
  netfilter: nf_conntrack: fix incorrect logic in nf_conntrack_init_net
  netfilter: nf_ct_ipv4: packets with wrong ihl are invalid
  netfilter: nf_ct_ipv4: handle invalid IPv4 and IPv6 packets consistently
  net/wireless/wext-core.c: add missing kfree
  rtlwifi: Fix oops on rate-control failure
  mac80211: Convert WARN_ON to WARN_ON_ONCE
  rtlwifi: rtl8192de: Fix firmware initialization
  nl80211: ensure interface is up in various APIs
  ...

37 files changed, 160 insertions, 194 deletions

diff --git a/MAINTAINERS b/MAINTAINERS
index a1270978eb41..f08bac96c431 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1521,8 +1521,8 @@ M:	Gustavo Padovan <gustavo@padovan.org>
 M:      Johan Hedberg <johan.hedberg@gmail.com>
 L:      linux-bluetooth@vger.kernel.org
 W:      http://www.bluez.org/
-T:      git git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth.git
-T:      git git://git.kernel.org/pub/scm/linux/kernel/git/jh/bluetooth.git
+T:      git git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git
+T:      git git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
 S:      Maintained
 F:      drivers/bluetooth/
 
@@ -1532,8 +1532,8 @@ M:	Gustavo Padovan <gustavo@padovan.org>
 M:      Johan Hedberg <johan.hedberg@gmail.com>
 L:      linux-bluetooth@vger.kernel.org
 W:      http://www.bluez.org/
-T:      git git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth.git
-T:      git git://git.kernel.org/pub/scm/linux/kernel/git/jh/bluetooth.git
+T:      git git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git
+T:      git git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git
 S:      Maintained
 F:      net/bluetooth/
 F:      include/net/bluetooth/
@@ -4533,8 +4533,7 @@ S:	Supported
 F:      drivers/net/ethernet/myricom/myri10ge/
 
 NATSEMI ETHERNET DRIVER (DP8381x)
-M:      Tim Hockin <thockin@hockin.org>
-S:      Maintained
+S:      Orphan
 F:      drivers/net/ethernet/natsemi/natsemi.c
 
 NATIVE INSTRUMENTS USB SOUND INTERFACE DRIVER
diff --git a/drivers/bcma/Kconfig b/drivers/bcma/Kconfig
index c1172dafdffa..fb7c80fb721e 100644
--- a/drivers/bcma/Kconfig
+++ b/drivers/bcma/Kconfig
@@ -29,7 +29,7 @@ config BCMA_HOST_PCI
 
 config BCMA_DRIVER_PCI_HOSTMODE
         bool "Driver for PCI core working in hostmode"
-        depends on BCMA && MIPS
+        depends on BCMA && MIPS && BCMA_HOST_PCI
         help
           PCI core hostmode operation (external PCI bus).
 
diff --git a/drivers/bcma/driver_pci_host.c b/drivers/bcma/driver_pci_host.c
index 4e20bcfa7ec5..d2097a11c3c7 100644
--- a/drivers/bcma/driver_pci_host.c
+++ b/drivers/bcma/driver_pci_host.c
@@ -10,6 +10,7 @@
  */
 
 #include "bcma_private.h"
+#include <linux/pci.h>
 #include <linux/export.h>
 #include <linux/bcma/bcma.h>
 #include <asm/paccess.h>
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 48442476ec00..ae9edca7b56d 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -72,7 +72,9 @@ static struct usb_device_id ath3k_table[] = {
 
         /* Atheros AR3012 with sflash firmware*/
         { USB_DEVICE(0x0CF3, 0x3004) },
+        { USB_DEVICE(0x0CF3, 0x311D) },
         { USB_DEVICE(0x13d3, 0x3375) },
+        { USB_DEVICE(0x04CA, 0x3005) },
 
         /* Atheros AR5BBU12 with sflash firmware */
         { USB_DEVICE(0x0489, 0xE02C) },
@@ -89,7 +91,9 @@ static struct usb_device_id ath3k_blist_tbl[] = {
 
         /* Atheros AR3012 with sflash firmware*/
         { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
+        { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
+        { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
 
         { }     /* Terminating entry */
 };
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 480cad920048..3311b812a0c6 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -61,7 +61,7 @@ static struct usb_device_id btusb_table[] = {
         { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
 
         /* Broadcom SoftSailing reporting vendor specific */
-        { USB_DEVICE(0x05ac, 0x21e1) },
+        { USB_DEVICE(0x0a5c, 0x21e1) },
 
         /* Apple MacBookPro 7,1 */
         { USB_DEVICE(0x05ac, 0x8213) },
@@ -103,6 +103,7 @@ static struct usb_device_id btusb_table[] = {
         /* Broadcom BCM20702A0 */
         { USB_DEVICE(0x0a5c, 0x21e3) },
         { USB_DEVICE(0x0a5c, 0x21e6) },
+        { USB_DEVICE(0x0a5c, 0x21e8) },
         { USB_DEVICE(0x0a5c, 0x21f3) },
         { USB_DEVICE(0x413c, 0x8197) },
 
@@ -129,7 +130,9 @@ static struct usb_device_id blacklist_table[] = {
 
         /* Atheros 3012 with sflash firmware */
         { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
+        { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
         { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
+        { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
 
         /* Atheros AR5BBU12 with sflash firmware */
         { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index fd5adb408f44..98a8c05d4f23 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -299,11 +299,11 @@ static void hci_uart_tty_close(struct tty_struct *tty)
                         hci_uart_close(hdev);
 
                 if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
-                        hu->proto->close(hu);
                         if (hdev) {
                                 hci_unregister_dev(hdev);
                                 hci_free_dev(hdev);
                         }
+                        hu->proto->close(hu);
                 }
 
                 kfree(hu);
diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index 215eb2536b1e..2504ab005589 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -118,15 +118,13 @@ void ath9k_ps_restore(struct ath_softc *sc)
         if (--sc->ps_usecount != 0)
                 goto unlock;
 
-        if (sc->ps_flags & PS_WAIT_FOR_TX_ACK)
-                goto unlock;
-
-        if (sc->ps_idle)
+        if (sc->ps_idle && (sc->ps_flags & PS_WAIT_FOR_TX_ACK))
                 mode = ATH9K_PM_FULL_SLEEP;
         else if (sc->ps_enabled &&
                  !(sc->ps_flags & (PS_WAIT_FOR_BEACON |
                               PS_WAIT_FOR_CAB |
-                              PS_WAIT_FOR_PSPOLL_DATA)))
+                              PS_WAIT_FOR_PSPOLL_DATA |
+                              PS_WAIT_FOR_TX_ACK)))
                 mode = ATH9K_PM_NETWORK_SLEEP;
         else
                 goto unlock;
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index fc9901e027c1..90cc5e772650 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -1062,11 +1062,6 @@ static int rt2x00lib_initialize(struct rt2x00_dev *rt2x00dev)
 
         set_bit(DEVICE_STATE_INITIALIZED, &rt2x00dev->flags);
 
-        /*
-         * Register the extra components.
-         */
-        rt2x00rfkill_register(rt2x00dev);
-
         return 0;
 }
 
@@ -1210,6 +1205,7 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev)
         rt2x00link_register(rt2x00dev);
         rt2x00leds_register(rt2x00dev);
         rt2x00debug_register(rt2x00dev);
+        rt2x00rfkill_register(rt2x00dev);
 
         return 0;
 
diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c
index 510023554e5f..e54488db0e10 100644
--- a/drivers/net/wireless/rtlwifi/base.c
+++ b/drivers/net/wireless/rtlwifi/base.c
@@ -838,7 +838,10 @@ void rtl_get_tcb_desc(struct ieee80211_hw *hw,
         __le16 fc = hdr->frame_control;
 
         txrate = ieee80211_get_tx_rate(hw, info);
-        tcb_desc->hw_rate = txrate->hw_value;
+        if (txrate)
+                tcb_desc->hw_rate = txrate->hw_value;
+        else
+                tcb_desc->hw_rate = 0;
 
         if (ieee80211_is_data(fc)) {
                 /*
diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c
index 07dd38efe62a..288b035a3579 100644
--- a/drivers/net/wireless/rtlwifi/pci.c
+++ b/drivers/net/wireless/rtlwifi/pci.c
@@ -912,8 +912,13 @@ static void _rtl_pci_prepare_bcn_tasklet(struct ieee80211_hw *hw)
         memset(&tcb_desc, 0, sizeof(struct rtl_tcb_desc));
         ring = &rtlpci->tx_ring[BEACON_QUEUE];
         pskb = __skb_dequeue(&ring->queue);
-        if (pskb)
+        if (pskb) {
+                struct rtl_tx_desc *entry = &ring->desc[ring->idx];
+                pci_unmap_single(rtlpci->pdev, rtlpriv->cfg->ops->get_desc(
+                                 (u8 *) entry, true, HW_DESC_TXBUFF_ADDR),
+                                 pskb->len, PCI_DMA_TODEVICE);
                 kfree_skb(pskb);
+        }
 
         /*NB: the beacon data buffer must be 32-bit aligned. */
         pskb = ieee80211_beacon_get(hw, mac->vif);
diff --git a/drivers/net/wireless/rtlwifi/rtl8192de/sw.c b/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
index 4898c502974d..480862c07f92 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
@@ -91,7 +91,6 @@ static int rtl92d_init_sw_vars(struct ieee80211_hw *hw)
         u8 tid;
         struct rtl_priv *rtlpriv = rtl_priv(hw);
         struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
-        static int header_print;
 
         rtlpriv->dm.dm_initialgain_enable = true;
         rtlpriv->dm.dm_flag = 0;
@@ -171,10 +170,6 @@ static int rtl92d_init_sw_vars(struct ieee80211_hw *hw)
         for (tid = 0; tid < 8; tid++)
                 skb_queue_head_init(&rtlpriv->mac80211.skb_waitq[tid]);
 
-        /* Only load firmware for first MAC */
-        if (header_print)
-                return 0;
-
         /* for firmware buf */
         rtlpriv->rtlhal.pfirmware = vzalloc(0x8000);
         if (!rtlpriv->rtlhal.pfirmware) {
@@ -186,7 +181,6 @@ static int rtl92d_init_sw_vars(struct ieee80211_hw *hw)
         rtlpriv->max_fw_size = 0x8000;
         pr_info("Driver for Realtek RTL8192DE WLAN interface\n");
         pr_info("Loading firmware file %s\n", rtlpriv->cfg->fw_name);
-        header_print++;
 
         /* request fw */
         err = request_firmware_nowait(THIS_MODULE, 1, rtlpriv->cfg->fw_name,
diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c
index 2e1e352864bb..d04dbda13f5a 100644
--- a/drivers/net/wireless/rtlwifi/usb.c
+++ b/drivers/net/wireless/rtlwifi/usb.c
@@ -124,46 +124,38 @@ static int _usbctrl_vendorreq_sync_read(struct usb_device *udev, u8 request,
         return status;
 }
 
-static u32 _usb_read_sync(struct usb_device *udev, u32 addr, u16 len)
+static u32 _usb_read_sync(struct rtl_priv *rtlpriv, u32 addr, u16 len)
 {
+        struct device *dev = rtlpriv->io.dev;
+        struct usb_device *udev = to_usb_device(dev);
         u8 request;
         u16 wvalue;
         u16 index;
-        u32 *data;
-        u32 ret;
+        __le32 *data = &rtlpriv->usb_data[rtlpriv->usb_data_index];
 
-        data = kmalloc(sizeof(u32), GFP_KERNEL);
-        if (!data)
-                return -ENOMEM;
         request = REALTEK_USB_VENQT_CMD_REQ;
         index = REALTEK_USB_VENQT_CMD_IDX; /* n/a */
 
         wvalue = (u16)addr;
         _usbctrl_vendorreq_sync_read(udev, request, wvalue, index, data, len);
-        ret = le32_to_cpu(*data);
-        kfree(data);
-        return ret;
+        if (++rtlpriv->usb_data_index >= RTL_USB_MAX_RX_COUNT)
+                rtlpriv->usb_data_index = 0;
+        return le32_to_cpu(*data);
 }
 
 static u8 _usb_read8_sync(struct rtl_priv *rtlpriv, u32 addr)
 {
-        struct device *dev = rtlpriv->io.dev;
-
-        return (u8)_usb_read_sync(to_usb_device(dev), addr, 1);
+        return (u8)_usb_read_sync(rtlpriv, addr, 1);
 }
 
 static u16 _usb_read16_sync(struct rtl_priv *rtlpriv, u32 addr)
 {
-        struct device *dev = rtlpriv->io.dev;
-
-        return (u16)_usb_read_sync(to_usb_device(dev), addr, 2);
+        return (u16)_usb_read_sync(rtlpriv, addr, 2);
 }
 
 static u32 _usb_read32_sync(struct rtl_priv *rtlpriv, u32 addr)
 {
-        struct device *dev = rtlpriv->io.dev;
-
-        return _usb_read_sync(to_usb_device(dev), addr, 4);
+        return _usb_read_sync(rtlpriv, addr, 4);
 }
 
 static void _usb_write_async(struct usb_device *udev, u32 addr, u32 val,
@@ -955,6 +947,11 @@ int __devinit rtl_usb_probe(struct usb_interface *intf,
                 return -ENOMEM;
         }
         rtlpriv = hw->priv;
+        rtlpriv->usb_data = kzalloc(RTL_USB_MAX_RX_COUNT * sizeof(u32),
+                                    GFP_KERNEL);
+        if (!rtlpriv->usb_data)
+                return -ENOMEM;
+        rtlpriv->usb_data_index = 0;
         init_completion(&rtlpriv->firmware_loading_complete);
         SET_IEEE80211_DEV(hw, &intf->dev);
         udev = interface_to_usbdev(intf);
@@ -1025,6 +1022,7 @@ void rtl_usb_disconnect(struct usb_interface *intf)
         /* rtl_deinit_rfkill(hw); */
         rtl_usb_deinit(hw);
         rtl_deinit_core(hw);
+        kfree(rtlpriv->usb_data);
         rtlpriv->cfg->ops->deinit_sw_leds(hw);
         rtlpriv->cfg->ops->deinit_sw_vars(hw);
         _rtl_usb_io_handler_release(hw);
diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h
index b591614c3b9b..28ebc69218a3 100644
--- a/drivers/net/wireless/rtlwifi/wifi.h
+++ b/drivers/net/wireless/rtlwifi/wifi.h
@@ -67,7 +67,7 @@
 #define QOS_QUEUE_NUM                           4
 #define RTL_MAC80211_NUM_QUEUE                  5
 #define REALTEK_USB_VENQT_MAX_BUF_SIZE          254
-
+#define RTL_USB_MAX_RX_COUNT                    100
 #define QBSS_LOAD_SIZE                          5
 #define MAX_WMMELE_LENGTH                       64
 
@@ -1629,6 +1629,10 @@ struct rtl_priv {
            interface or hardware */
         unsigned long status;
 
+        /* data buffer pointer for USB reads */
+        __le32 *usb_data;
+        int usb_data_index;
+
         /*This must be the last item so
            that it points to the data allocated
            beyond  this structure like:
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index f549adccc94c..1bc898b14a80 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -287,7 +287,17 @@ extern unsigned int ip6t_do_table(struct sk_buff *skb,
                                   struct xt_table *table);
 
 /* Check for an extension */
-extern int ip6t_ext_hdr(u8 nexthdr);
+static inline int
+ip6t_ext_hdr(u8 nexthdr)
+{       return (nexthdr == IPPROTO_HOPOPTS) ||
+               (nexthdr == IPPROTO_ROUTING) ||
+               (nexthdr == IPPROTO_FRAGMENT) ||
+               (nexthdr == IPPROTO_ESP) ||
+               (nexthdr == IPPROTO_AH) ||
+               (nexthdr == IPPROTO_NONE) ||
+               (nexthdr == IPPROTO_DSTOPTS);
+}
+
 /* find specified header and get offset to it */
 extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
                          int target, unsigned short *fragoff);
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 33370271b8b2..70a3f8d49118 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -481,6 +481,7 @@ struct sk_buff {
         union {
                 __u32           mark;
                 __u32           dropcount;
+                __u32           avail_size;
         };
 
         sk_buff_data_t          transport_header;
@@ -1366,6 +1367,18 @@ static inline int skb_tailroom(const struct sk_buff *skb)
 }
 
 /**
+ *      skb_availroom - bytes at buffer end
+ *      @skb: buffer to check
+ *
+ *      Return the number of bytes of free space at the tail of an sk_buff
+ *      allocated by sk_stream_alloc()
+ */
+static inline int skb_availroom(const struct sk_buff *skb)
+{
+        return skb_is_nonlinear(skb) ? 0 : skb->avail_size - skb->len;
+}
+
+/**
  *      skb_reserve - adjust headroom
  *      @skb: buffer to alter
  *      @len: bytes to move
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 344b0f972828..d47e523c9d83 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -92,6 +92,7 @@ enum {
         HCI_SERVICE_CACHE,
         HCI_LINK_KEYS,
         HCI_DEBUG_KEYS,
+        HCI_UNREGISTER,
 
         HCI_LE_SCAN,
         HCI_SSP_ENABLED,
@@ -1327,8 +1328,8 @@ struct sockaddr_hci {
 #define HCI_DEV_NONE    0xffff
 
 #define HCI_CHANNEL_RAW         0
-#define HCI_CHANNEL_CONTROL     1
 #define HCI_CHANNEL_MONITOR     2
+#define HCI_CHANNEL_CONTROL     3
 
 struct hci_filter {
         unsigned long type_mask;
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index daefaac51131..6822d2595aff 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -427,7 +427,7 @@ enum {
 static inline bool hci_conn_ssp_enabled(struct hci_conn *conn)
 {
         struct hci_dev *hdev = conn->hdev;
-        return (test_bit(HCI_SSP_ENABLED, &hdev->flags) &&
+        return (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags) &&
                                 test_bit(HCI_CONN_SSP_ENABLED, &conn->flags));
 }
 
@@ -907,11 +907,13 @@ static inline void hci_role_switch_cfm(struct hci_conn *conn, __u8 status,
 
 static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type)
 {
-        u8 field_len;
-        size_t parsed;
+        size_t parsed = 0;
 
-        for (parsed = 0; parsed < data_len - 1; parsed += field_len) {
-                field_len = data[0];
+        if (data_len < 2)
+                return false;
+
+        while (parsed < data_len - 1) {
+                u8 field_len = data[0];
 
                 if (field_len == 0)
                         break;
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index ffc1377e092e..ebfd91fc20f8 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -117,7 +117,7 @@ struct mgmt_mode {
 #define MGMT_OP_SET_DISCOVERABLE        0x0006
 struct mgmt_cp_set_discoverable {
         __u8    val;
-        __u16   timeout;
+        __le16  timeout;
 } __packed;
 #define MGMT_SET_DISCOVERABLE_SIZE      3
 
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 87d203ff7a8a..9210bdc7bd8d 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -1327,7 +1327,7 @@ static inline struct ieee80211_rate *
 ieee80211_get_tx_rate(const struct ieee80211_hw *hw,
                       const struct ieee80211_tx_info *c)
 {
-        if (WARN_ON(c->control.rates[0].idx < 0))
+        if (WARN_ON_ONCE(c->control.rates[0].idx < 0))
                 return NULL;
         return &hw->wiphy->bands[c->band]->bitrates[c->control.rates[0].idx];
 }
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index e33af63a884a..92a857e3786d 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -665,6 +665,11 @@ int hci_dev_open(__u16 dev)
 
         hci_req_lock(hdev);
 
+        if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
+                ret = -ENODEV;
+                goto done;
+        }
+
         if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
                 ret = -ERFKILL;
                 goto done;
@@ -1849,6 +1854,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
 
         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
 
+        set_bit(HCI_UNREGISTER, &hdev->dev_flags);
+
         write_lock(&hci_dev_list_lock);
         list_del(&hdev->list);
         write_unlock(&hci_dev_list_lock);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b8e17e4dac8b..94552b33d528 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1308,6 +1308,7 @@ static void l2cap_monitor_timeout(struct work_struct *work)
         if (chan->retry_count >= chan->remote_max_tx) {
                 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
                 l2cap_chan_unlock(chan);
+                l2cap_chan_put(chan);
                 return;
         }
 
@@ -1316,6 +1317,7 @@ static void l2cap_monitor_timeout(struct work_struct *work)
 
         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
         l2cap_chan_unlock(chan);
+        l2cap_chan_put(chan);
 }
 
 static void l2cap_retrans_timeout(struct work_struct *work)
@@ -1335,6 +1337,7 @@ static void l2cap_retrans_timeout(struct work_struct *work)
         l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
 
         l2cap_chan_unlock(chan);
+        l2cap_chan_put(chan);
 }
 
 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index c4fe583b0af6..29122ed28ea9 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -82,7 +82,7 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
         }
 
         if (la.l2_cid)
-                err = l2cap_add_scid(chan, la.l2_cid);
+                err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid));
         else
                 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
 
@@ -123,7 +123,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
         if (la.l2_cid && la.l2_psm)
                 return -EINVAL;
 
-        err = l2cap_chan_connect(chan, la.l2_psm, la.l2_cid, &la.l2_bdaddr);
+        err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
+                                &la.l2_bdaddr);
         if (err)
                 return err;
 
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 7fcff8887131..4ef275c69675 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2523,13 +2523,18 @@ static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
 
         if (cp->val) {
                 type = PAGE_SCAN_TYPE_INTERLACED;
-                acp.interval = 0x0024;  /* 22.5 msec page scan interval */
+
+                /* 22.5 msec page scan interval */
+                acp.interval = __constant_cpu_to_le16(0x0024);
         } else {
                 type = PAGE_SCAN_TYPE_STANDARD; /* default */
-                acp.interval = 0x0800;  /* default 1.28 sec page scan */
+
+                /* default 1.28 sec page scan */
+                acp.interval = __constant_cpu_to_le16(0x0800);
         }
 
-        acp.window = 0x0012;    /* default 11.25 msec page scan window */
+        /* default 11.25 msec page scan window */
+        acp.window = __constant_cpu_to_le16(0x0012);
 
         err = hci_send_cmd(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, sizeof(acp),
                            &acp);
@@ -2936,7 +2941,7 @@ int mgmt_device_connected(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
                                           name, name_len);
 
         if (dev_class && memcmp(dev_class, "\0\0\0", 3) != 0)
-                eir_len = eir_append_data(&ev->eir[eir_len], eir_len,
+                eir_len = eir_append_data(ev->eir, eir_len,
                                           EIR_CLASS_OF_DEV, dev_class, 3);
 
         put_unaligned_le16(eir_len, &ev->eir_len);
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 702a1ae9220b..27ca25ed7021 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -241,7 +241,6 @@ static void br_multicast_group_expired(unsigned long data)
         hlist_del_rcu(&mp->hlist[mdb->ver]);
         mdb->size--;
 
-        del_timer(&mp->query_timer);
         call_rcu_bh(&mp->rcu, br_multicast_free_group);
 
 out:
@@ -271,7 +270,6 @@ static void br_multicast_del_pg(struct net_bridge *br,
                 rcu_assign_pointer(*pp, p->next);
                 hlist_del_init(&p->mglist);
                 del_timer(&p->timer);
-                del_timer(&p->query_timer);
                 call_rcu_bh(&p->rcu, br_multicast_free_pg);
 
                 if (!mp->ports && !mp->mglist &&
@@ -507,74 +505,6 @@ static struct sk_buff *br_multicast_alloc_query(struct net_bridge *br,
         return NULL;
 }
 
-static void br_multicast_send_group_query(struct net_bridge_mdb_entry *mp)
-{
-        struct net_bridge *br = mp->br;
-        struct sk_buff *skb;
-
-        skb = br_multicast_alloc_query(br, &mp->addr);
-        if (!skb)
-                goto timer;
-
-        netif_rx(skb);
-
-timer:
-        if (++mp->queries_sent < br->multicast_last_member_count)
-                mod_timer(&mp->query_timer,
-                          jiffies + br->multicast_last_member_interval);
-}
-
-static void br_multicast_group_query_expired(unsigned long data)
-{
-        struct net_bridge_mdb_entry *mp = (void *)data;
-        struct net_bridge *br = mp->br;
-
-        spin_lock(&br->multicast_lock);
-        if (!netif_running(br->dev) || !mp->mglist ||
-            mp->queries_sent >= br->multicast_last_member_count)
-                goto out;
-
-        br_multicast_send_group_query(mp);
-
-out:
-        spin_unlock(&br->multicast_lock);
-}
-
-static void br_multicast_send_port_group_query(struct net_bridge_port_group *pg)
-{
-        struct net_bridge_port *port = pg->port;
-        struct net_bridge *br = port->br;
-        struct sk_buff *skb;
-
-        skb = br_multicast_alloc_query(br, &pg->addr);
-        if (!skb)
-                goto timer;
-
-        br_deliver(port, skb);
-
-timer:
-        if (++pg->queries_sent < br->multicast_last_member_count)
-                mod_timer(&pg->query_timer,
-                          jiffies + br->multicast_last_member_interval);
-}
-
-static void br_multicast_port_group_query_expired(unsigned long data)
-{
-        struct net_bridge_port_group *pg = (void *)data;
-        struct net_bridge_port *port = pg->port;
-        struct net_bridge *br = port->br;
-
-        spin_lock(&br->multicast_lock);
-        if (!netif_running(br->dev) || hlist_unhashed(&pg->mglist) ||
-            pg->queries_sent >= br->multicast_last_member_count)
-                goto out;
-
-        br_multicast_send_port_group_query(pg);
-
-out:
-        spin_unlock(&br->multicast_lock);
-}
-
 static struct net_bridge_mdb_entry *br_multicast_get_group(
         struct net_bridge *br, struct net_bridge_port *port,
         struct br_ip *group, int hash)
@@ -690,8 +620,6 @@ rehash:
         mp->addr = *group;
         setup_timer(&mp->timer, br_multicast_group_expired,
                     (unsigned long)mp);
-        setup_timer(&mp->query_timer, br_multicast_group_query_expired,
-                    (unsigned long)mp);
 
         hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]);
         mdb->size++;
@@ -746,8 +674,6 @@ static int br_multicast_add_group(struct net_bridge *br,
         hlist_add_head(&p->mglist, &port->mglist);
         setup_timer(&p->timer, br_multicast_port_group_expired,
                     (unsigned long)p);
-        setup_timer(&p->query_timer, br_multicast_port_group_query_expired,
-                    (unsigned long)p);
 
         rcu_assign_pointer(*pp, p);
 
@@ -1291,9 +1217,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
                      time_after(mp->timer.expires, time) :
                      try_to_del_timer_sync(&mp->timer) >= 0)) {
                         mod_timer(&mp->timer, time);
-
-                        mp->queries_sent = 0;
-                        mod_timer(&mp->query_timer, now);
                 }
 
                 goto out;
@@ -1310,9 +1233,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
                      time_after(p->timer.expires, time) :
                      try_to_del_timer_sync(&p->timer) >= 0)) {
                         mod_timer(&p->timer, time);
-
-                        p->queries_sent = 0;
-                        mod_timer(&p->query_timer, now);
                 }
 
                 break;
@@ -1681,7 +1601,6 @@ void br_multicast_stop(struct net_bridge *br)
                 hlist_for_each_entry_safe(mp, p, n, &mdb->mhash[i],
                                           hlist[ver]) {
                         del_timer(&mp->timer);
-                        del_timer(&mp->query_timer);
                         call_rcu_bh(&mp->rcu, br_multicast_free_group);
                 }
         }
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 0b67a63ad7a8..e1d882257877 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -82,9 +82,7 @@ struct net_bridge_port_group {
         struct hlist_node               mglist;
         struct rcu_head                 rcu;
         struct timer_list               timer;
-        struct timer_list               query_timer;
         struct br_ip                    addr;
-        u32                             queries_sent;
 };
 
 struct net_bridge_mdb_entry
@@ -94,10 +92,8 @@ struct net_bridge_mdb_entry
         struct net_bridge_port_group __rcu *ports;
         struct rcu_head                 rcu;
         struct timer_list               timer;
-        struct timer_list               query_timer;
         struct br_ip                    addr;
         bool                            mglist;
-        u32                             queries_sent;
 };
 
 struct net_bridge_mdb_htable
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index baf8d281152c..e59840010d45 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -952,9 +952,11 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
                 goto adjust_others;
         }
 
-        data = kmalloc(size + sizeof(struct skb_shared_info), gfp_mask);
+        data = kmalloc(size + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
+                       gfp_mask);
         if (!data)
                 goto nodata;
+        size = SKB_WITH_OVERHEAD(ksize(data));
 
         /* Copy only real data... and, alas, header. This should be
          * optimized for the cases when header is void.
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index de9da21113a1..cf73cc70ed2d 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -74,16 +74,24 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
 
         iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
         if (iph == NULL)
-                return -NF_DROP;
+                return -NF_ACCEPT;
 
         /* Conntrack defragments packets, we might still see fragments
          * inside ICMP packets though. */
         if (iph->frag_off & htons(IP_OFFSET))
-                return -NF_DROP;
+                return -NF_ACCEPT;
 
         *dataoff = nhoff + (iph->ihl << 2);
         *protonum = iph->protocol;
 
+        /* Check bogus IP headers */
+        if (*dataoff > skb->len) {
+                pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
+                         "nhoff %u, ihl %u, skblen %u\n",
+                         nhoff, iph->ihl << 2, skb->len);
+                return -NF_ACCEPT;
+        }
+
         return NF_ACCEPT;
 }
 
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 0cd36e33273b..8bb6adeb62c0 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -701,11 +701,12 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp)
         skb = alloc_skb_fclone(size + sk->sk_prot->max_header, gfp);
         if (skb) {
                 if (sk_wmem_schedule(sk, skb->truesize)) {
+                        skb_reserve(skb, sk->sk_prot->max_header);
                         /*
                          * Make sure that we have exactly size bytes
                          * available to the caller, no more, no less.
                          */
-                        skb_reserve(skb, skb_tailroom(skb) - size);
+                        skb->avail_size = size;
                         return skb;
                 }
                 __kfree_skb(skb);
@@ -995,10 +996,9 @@ new_segment:
                                 copy = seglen;
 
                         /* Where to copy to? */
-                        if (skb_tailroom(skb) > 0) {
+                        if (skb_availroom(skb) > 0) {
                                 /* We have some space in skb head. Superb! */
-                                if (copy > skb_tailroom(skb))
-                                        copy = skb_tailroom(skb);
+                                copy = min_t(int, copy, skb_availroom(skb));
                                 err = skb_add_data_nocache(sk, skb, from, copy);
                                 if (err)
                                         goto do_fault;
@@ -3302,8 +3302,7 @@ void __init tcp_init(void)
 
         tcp_init_mem(&init_net);
         /* Set per-socket limits to no more than 1/128 the pressure threshold */
-        limit = nr_free_buffer_pages() << (PAGE_SHIFT - 10);
-        limit = max(limit, 128UL);
+        limit = nr_free_buffer_pages() << (PAGE_SHIFT - 7);
         max_share = min(4UL*1024*1024, limit);
 
         sysctl_tcp_wmem[0] = SK_MEM_QUANTUM;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 05b2dd569691..9944c1d9a218 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -474,8 +474,11 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)
                 if (!win_dep) {
                         m -= (new_sample >> 3);
                         new_sample += m;
-                } else if (m < new_sample)
-                        new_sample = m << 3;
+                } else {
+                        m <<= 3;
+                        if (m < new_sample)
+                                new_sample = m;
+                }
         } else {
                 /* No previous measure. */
                 new_sample = m << 3;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 364784a91939..376b2cfbb685 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2060,7 +2060,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to,
                 /* Punt if not enough space exists in the first SKB for
                  * the data in the second
                  */
-                if (skb->len > skb_tailroom(to))
+                if (skb->len > skb_availroom(to))
                         break;
 
                 if (after(TCP_SKB_CB(skb)->end_seq, tcp_wnd_end(tp)))
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 94874b0bdcdc..9d4e15559319 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -78,19 +78,6 @@ EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
 
    Hence the start of any table is given by get_table() below.  */
 
-/* Check for an extension */
-int
-ip6t_ext_hdr(u8 nexthdr)
-{
-        return  (nexthdr == IPPROTO_HOPOPTS)   ||
-                (nexthdr == IPPROTO_ROUTING)   ||
-                (nexthdr == IPPROTO_FRAGMENT)  ||
-                (nexthdr == IPPROTO_ESP)       ||
-                (nexthdr == IPPROTO_AH)        ||
-                (nexthdr == IPPROTO_NONE)      ||
-                (nexthdr == IPPROTO_DSTOPTS);
-}
-
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -2366,7 +2353,6 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
 EXPORT_SYMBOL(ip6t_register_table);
 EXPORT_SYMBOL(ip6t_unregister_table);
 EXPORT_SYMBOL(ip6t_do_table);
-EXPORT_SYMBOL(ip6t_ext_hdr);
 EXPORT_SYMBOL(ipv6_find_hdr);
 
 module_init(ip6_tables_init);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 576fb25456dd..f76da5b3f5c5 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3387,8 +3387,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
                  */
                 printk(KERN_DEBUG "%s: waiting for beacon from %pM\n",
                        sdata->name, ifmgd->bssid);
-                assoc_data->timeout = jiffies +
-                                TU_TO_EXP_TIME(req->bss->beacon_interval);
+                assoc_data->timeout = TU_TO_EXP_TIME(req->bss->beacon_interval);
         } else {
                 assoc_data->have_beacon = true;
                 assoc_data->sent_assoc = false;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 3cc4487ac349..729f157a0efa 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1592,7 +1592,7 @@ static int nf_conntrack_init_net(struct net *net)
         return 0;
 
 err_timeout:
-        nf_conntrack_timeout_fini(net);
+        nf_conntrack_ecache_fini(net);
 err_ecache:
         nf_conntrack_tstamp_fini(net);
 err_tstamp:
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 361eade62a09..0d07a1dcf605 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -584,8 +584,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
                          * Let's try to use the data from the packet.
                          */
                         sender->td_end = end;
-                        win <<= sender->td_scale;
-                        sender->td_maxwin = (win == 0 ? 1 : win);
+                        swin = win << sender->td_scale;
+                        sender->td_maxwin = (swin == 0 ? 1 : swin);
                         sender->td_maxend = end + sender->td_maxwin;
                         /*
                          * We haven't seen traffic in the other direction yet
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
index 7b76eb7192f3..ef10ffcb4b6f 100644
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -474,7 +474,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
 
         while (remaining_len > 0) {
 
-                frag_len = min_t(u16, local->remote_miu, remaining_len);
+                frag_len = min_t(size_t, local->remote_miu, remaining_len);
 
                 pr_debug("Fragment %zd bytes remaining %zd",
                          frag_len, remaining_len);
@@ -497,7 +497,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
                 release_sock(sk);
 
                 remaining_len -= frag_len;
-                msg_ptr += len;
+                msg_ptr += frag_len;
         }
 
         kfree(msg_data);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index e49da2797022..f432c57af05d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1294,6 +1294,11 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                         goto bad_res;
                 }
 
+                if (!netif_running(netdev)) {
+                        result = -ENETDOWN;
+                        goto bad_res;
+                }
+
                 nla_for_each_nested(nl_txq_params,
                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
                                     rem_txq_params) {
@@ -6384,7 +6389,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_get_key,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6416,7 +6421,7 @@ static struct genl_ops nl80211_ops[] = {
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
                 .doit = nl80211_set_beacon,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6424,7 +6429,7 @@ static struct genl_ops nl80211_ops[] = {
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
                 .doit = nl80211_start_ap,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6432,7 +6437,7 @@ static struct genl_ops nl80211_ops[] = {
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
                 .doit = nl80211_stop_ap,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6448,7 +6453,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_set_station,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6464,7 +6469,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_del_station,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6497,7 +6502,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_del_mpath,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6505,7 +6510,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_set_bss,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6531,7 +6536,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_get_mesh_config,
                 .policy = nl80211_policy,
                 /* can be retrieved by unprivileged users */
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6664,7 +6669,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_setdel_pmksa,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6672,7 +6677,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_setdel_pmksa,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6680,7 +6685,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_flush_pmksa,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
@@ -6840,7 +6845,7 @@ static struct genl_ops nl80211_ops[] = {
                 .doit = nl80211_probe_client,
                 .policy = nl80211_policy,
                 .flags = GENL_ADMIN_PERM,
-                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
         {
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index 0af7f54e4f61..af648e08e61b 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -780,8 +780,10 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
                 if (cmd == SIOCSIWENCODEEXT) {
                         struct iw_encode_ext *ee = (void *) extra;
 
-                        if (iwp->length < sizeof(*ee) + ee->key_len)
-                                return -EFAULT;
+                        if (iwp->length < sizeof(*ee) + ee->key_len) {
+                                err = -EFAULT;
+                                goto out;
+                        }
                 }
         }