Merge git://github.com/davem330/net

* git://github.com/davem330/net: (62 commits)
  ipv6: don't use inetpeer to store metrics for routes.
  can: ti_hecc: include linux/io.h
  IRDA: Fix global type conflicts in net/irda/irsysctl.c v2
  net: Handle different key sizes between address families in flow cache
  net: Align AF-specific flowi structs to long
  ipv4: Fix fib_info->fib_metrics leak
  caif: fix a potential NULL dereference
  sctp: deal with multiple COOKIE_ECHO chunks
  ibmveth: Fix checksum offload failure handling
  ibmveth: Checksum offload is always disabled
  ibmveth: Fix issue with DMA mapping failure
  ibmveth: Fix DMA unmap error
  pch_gbe: support ML7831 IOH
  pch_gbe: added the process of FIFO over run error
  pch_gbe: fixed the issue which receives an unnecessary packet.
  sfc: Use 64-bit writes for TX push where possible
  Revert "sfc: Use write-combining to reduce TX latency" and follow-ups
  bnx2x: Fix ethtool advertisement
  bnx2x: Fix 578xx link LED
  bnx2x: Fix XMAC loopback test
  ...

30 files changed, 187 insertions, 142 deletions

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index ba6f73eb06c6..a9aff9c7d027 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -4,7 +4,7 @@
 
 menuconfig BRIDGE_NF_EBTABLES
         tristate "Ethernet Bridge tables (ebtables) support"
-        depends on BRIDGE && BRIDGE_NETFILTER
+        depends on BRIDGE && NETFILTER
         select NETFILTER_XTABLES
         help
           ebtables is a general, extensible frame/packet identification
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index 7c2fa0a08148..7f9ac0742d19 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -93,10 +93,14 @@ static struct caif_device_entry *caif_device_alloc(struct net_device *dev)
         caifdevs = caif_device_list(dev_net(dev));
         BUG_ON(!caifdevs);
 
-        caifd = kzalloc(sizeof(*caifd), GFP_ATOMIC);
+        caifd = kzalloc(sizeof(*caifd), GFP_KERNEL);
         if (!caifd)
                 return NULL;
         caifd->pcpu_refcnt = alloc_percpu(int);
+        if (!caifd->pcpu_refcnt) {
+                kfree(caifd);
+                return NULL;
+        }
         caifd->netdev = dev;
         dev_hold(dev);
         return caifd;
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 8ce926d3b2cb..9b0c32a2690c 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -857,7 +857,7 @@ static __exit void can_exit(void)
         struct net_device *dev;
 
         if (stats_timer)
-                del_timer(&can_stattimer);
+                del_timer_sync(&can_stattimer);
 
         can_remove_proc();
 
diff --git a/net/core/dev.c b/net/core/dev.c
index 17d67b579beb..b10ff0a71855 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1515,6 +1515,14 @@ static inline bool is_skb_forwardable(struct net_device *dev,
  */
 int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
 {
+        if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
+                if (skb_copy_ubufs(skb, GFP_ATOMIC)) {
+                        atomic_long_inc(&dev->rx_dropped);
+                        kfree_skb(skb);
+                        return NET_RX_DROP;
+                }
+        }
+
         skb_orphan(skb);
         nf_reset(skb);
 
diff --git a/net/core/flow.c b/net/core/flow.c
index bf32c33cad3b..555a456efb07 100644
--- a/net/core/flow.c
+++ b/net/core/flow.c
@@ -30,6 +30,7 @@ struct flow_cache_entry {
                 struct hlist_node       hlist;
                 struct list_head        gc_list;
         } u;
+        struct net                      *net;
         u16                             family;
         u8                              dir;
         u32                             genid;
@@ -172,29 +173,26 @@ static void flow_new_hash_rnd(struct flow_cache *fc,
 
 static u32 flow_hash_code(struct flow_cache *fc,
                           struct flow_cache_percpu *fcp,
-                          const struct flowi *key)
+                          const struct flowi *key,
+                          size_t keysize)
 {
         const u32 *k = (const u32 *) key;
+        const u32 length = keysize * sizeof(flow_compare_t) / sizeof(u32);
 
-        return jhash2(k, (sizeof(*key) / sizeof(u32)), fcp->hash_rnd)
+        return jhash2(k, length, fcp->hash_rnd)
                 & (flow_cache_hash_size(fc) - 1);
 }
 
-typedef unsigned long flow_compare_t;
-
 /* I hear what you're saying, use memcmp.  But memcmp cannot make
- * important assumptions that we can here, such as alignment and
- * constant size.
+ * important assumptions that we can here, such as alignment.
  */
-static int flow_key_compare(const struct flowi *key1, const struct flowi *key2)
+static int flow_key_compare(const struct flowi *key1, const struct flowi *key2,
+                            size_t keysize)
 {
         const flow_compare_t *k1, *k1_lim, *k2;
-        const int n_elem = sizeof(struct flowi) / sizeof(flow_compare_t);
-
-        BUILD_BUG_ON(sizeof(struct flowi) % sizeof(flow_compare_t));
 
         k1 = (const flow_compare_t *) key1;
-        k1_lim = k1 + n_elem;
+        k1_lim = k1 + keysize;
 
         k2 = (const flow_compare_t *) key2;
 
@@ -215,6 +213,7 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
         struct flow_cache_entry *fle, *tfle;
         struct hlist_node *entry;
         struct flow_cache_object *flo;
+        size_t keysize;
         unsigned int hash;
 
         local_bh_disable();
@@ -222,6 +221,11 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
 
         fle = NULL;
         flo = NULL;
+
+        keysize = flow_key_size(family);
+        if (!keysize)
+                goto nocache;
+
         /* Packet really early in init?  Making flow_cache_init a
          * pre-smp initcall would solve this.  --RR */
         if (!fcp->hash_table)
@@ -230,11 +234,12 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
         if (fcp->hash_rnd_recalc)
                 flow_new_hash_rnd(fc, fcp);
 
-        hash = flow_hash_code(fc, fcp, key);
+        hash = flow_hash_code(fc, fcp, key, keysize);
         hlist_for_each_entry(tfle, entry, &fcp->hash_table[hash], u.hlist) {
-                if (tfle->family == family &&
+                if (tfle->net == net &&
+                    tfle->family == family &&
                     tfle->dir == dir &&
-                    flow_key_compare(key, &tfle->key) == 0) {
+                    flow_key_compare(key, &tfle->key, keysize) == 0) {
                         fle = tfle;
                         break;
                 }
@@ -246,9 +251,10 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
 
                 fle = kmem_cache_alloc(flow_cachep, GFP_ATOMIC);
                 if (fle) {
+                        fle->net = net;
                         fle->family = family;
                         fle->dir = dir;
-                        memcpy(&fle->key, key, sizeof(*key));
+                        memcpy(&fle->key, key, keysize * sizeof(flow_compare_t));
                         fle->object = NULL;
                         hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
                         fcp->hash_count++;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 27002dffe7ed..387703f56fce 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -611,8 +611,21 @@ struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src)
 }
 EXPORT_SYMBOL_GPL(skb_morph);
 
-/* skb frags copy userspace buffers to kernel */
-static int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
+/*      skb_copy_ubufs  -       copy userspace skb frags buffers to kernel
+ *      @skb: the skb to modify
+ *      @gfp_mask: allocation priority
+ *
+ *      This must be called on SKBTX_DEV_ZEROCOPY skb.
+ *      It will copy all frags into kernel and drop the reference
+ *      to userspace pages.
+ *
+ *      If this function is called from an interrupt gfp_mask() must be
+ *      %GFP_ATOMIC.
+ *
+ *      Returns 0 on success or a negative error code on failure
+ *      to allocate kernel memory to copy to.
+ */
+int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
 {
         int i;
         int num_frags = skb_shinfo(skb)->nr_frags;
@@ -652,6 +665,8 @@ static int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
                 skb_shinfo(skb)->frags[i - 1].page = head;
                 head = (struct page *)head->private;
         }
+
+        skb_shinfo(skb)->tx_flags &= ~SKBTX_DEV_ZEROCOPY;
         return 0;
 }
 
@@ -677,7 +692,6 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
         if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
                 if (skb_copy_ubufs(skb, gfp_mask))
                         return NULL;
-                skb_shinfo(skb)->tx_flags &= ~SKBTX_DEV_ZEROCOPY;
         }
 
         n = skb + 1;
@@ -803,7 +817,6 @@ struct sk_buff *pskb_copy(struct sk_buff *skb, gfp_t gfp_mask)
                                 n = NULL;
                                 goto out;
                         }
-                        skb_shinfo(skb)->tx_flags &= ~SKBTX_DEV_ZEROCOPY;
                 }
                 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
                         skb_shinfo(n)->frags[i] = skb_shinfo(skb)->frags[i];
@@ -896,7 +909,6 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
                 if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
                         if (skb_copy_ubufs(skb, gfp_mask))
                                 goto nofrags;
-                        skb_shinfo(skb)->tx_flags &= ~SKBTX_DEV_ZEROCOPY;
                 }
                 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
                         get_page(skb_shinfo(skb)->frags[i].page);
diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
index 27997d35ebd3..a2468363978e 100644
--- a/net/ethernet/eth.c
+++ b/net/ethernet/eth.c
@@ -340,7 +340,7 @@ void ether_setup(struct net_device *dev)
         dev->addr_len           = ETH_ALEN;
         dev->tx_queue_len       = 1000; /* Ethernet wants good queues */
         dev->flags              = IFF_BROADCAST|IFF_MULTICAST;
-        dev->priv_flags         = IFF_TX_SKB_SHARING;
+        dev->priv_flags         |= IFF_TX_SKB_SHARING;
 
         memset(dev->broadcast, 0xFF, ETH_ALEN);
 
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 1b745d412cf6..dd2b9478ddd1 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -466,8 +466,13 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                 goto out;
 
         if (addr->sin_family != AF_INET) {
+                /* Compatibility games : accept AF_UNSPEC (mapped to AF_INET)
+                 * only if s_addr is INADDR_ANY.
+                 */
                 err = -EAFNOSUPPORT;
-                goto out;
+                if (addr->sin_family != AF_UNSPEC ||
+                    addr->sin_addr.s_addr != htonl(INADDR_ANY))
+                        goto out;
         }
 
         chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 33e2c35b74b7..80106d89d548 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -142,6 +142,14 @@ const struct fib_prop fib_props[RTN_MAX + 1] = {
 };
 
 /* Release a nexthop info record */
+static void free_fib_info_rcu(struct rcu_head *head)
+{
+        struct fib_info *fi = container_of(head, struct fib_info, rcu);
+
+        if (fi->fib_metrics != (u32 *) dst_default_metrics)
+                kfree(fi->fib_metrics);
+        kfree(fi);
+}
 
 void free_fib_info(struct fib_info *fi)
 {
@@ -156,7 +164,7 @@ void free_fib_info(struct fib_info *fi)
         } endfor_nexthops(fi);
         fib_info_cnt--;
         release_net(fi->fib_net);
-        kfree_rcu(fi, rcu);
+        call_rcu(&fi->rcu, free_fib_info_rcu);
 }
 
 void fib_release_info(struct fib_info *fi)
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 5c9b9d963918..e59aabd0eae4 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
         return skb;
 
 nlmsg_failure:
+        kfree_skb(skb);
         *errp = -EINVAL;
         printk(KERN_ERR "ip_queue: error creating packet message\n");
         return NULL;
@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len)
 {
         struct nf_queue_entry *entry;
 
-        if (vmsg->value > NF_MAX_VERDICT)
+        if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN)
                 return -EINVAL;
 
         entry = ipq_find_dequeue_entry(vmsg->id);
@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg,
                 break;
 
         case IPQM_VERDICT:
-                if (pmsg->msg.verdict.value > NF_MAX_VERDICT)
-                        status = -EINVAL;
-                else
-                        status = ipq_set_verdict(&pmsg->msg.verdict,
-                                                 len - sizeof(*pmsg));
-                        break;
+                status = ipq_set_verdict(&pmsg->msg.verdict,
+                                         len - sizeof(*pmsg));
+                break;
         default:
                 status = -EINVAL;
         }
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index b14ec7d03b6e..4bfad5da94f4 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -254,6 +254,8 @@ static const struct snmp_mib snmp4_net_list[] = {
         SNMP_MIB_ITEM("TCPDeferAcceptDrop", LINUX_MIB_TCPDEFERACCEPTDROP),
         SNMP_MIB_ITEM("IPReversePathFilter", LINUX_MIB_IPRPFILTER),
         SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
+        SNMP_MIB_ITEM("TCPReqQFullDoCookies", LINUX_MIB_TCPREQQFULLDOCOOKIES),
+        SNMP_MIB_ITEM("TCPReqQFullDrop", LINUX_MIB_TCPREQQFULLDROP),
         SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 1c12b8ec849d..c34f01513945 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -808,20 +808,38 @@ static void tcp_v4_reqsk_destructor(struct request_sock *req)
         kfree(inet_rsk(req)->opt);
 }
 
-static void syn_flood_warning(const struct sk_buff *skb)
+/*
+ * Return 1 if a syncookie should be sent
+ */
+int tcp_syn_flood_action(struct sock *sk,
+                         const struct sk_buff *skb,
+                         const char *proto)
 {
-        const char *msg;
+        const char *msg = "Dropping request";
+        int want_cookie = 0;
+        struct listen_sock *lopt;
+
+
 
 #ifdef CONFIG_SYN_COOKIES
-        if (sysctl_tcp_syncookies)
+        if (sysctl_tcp_syncookies) {
                 msg = "Sending cookies";
-        else
+                want_cookie = 1;
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES);
+        } else
 #endif
-                msg = "Dropping request";
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);
 
-        pr_info("TCP: Possible SYN flooding on port %d. %s.\n",
-                                ntohs(tcp_hdr(skb)->dest), msg);
+        lopt = inet_csk(sk)->icsk_accept_queue.listen_opt;
+        if (!lopt->synflood_warned) {
+                lopt->synflood_warned = 1;
+                pr_info("%s: Possible SYN flooding on port %d. %s. "
+                        " Check SNMP counters.\n",
+                        proto, ntohs(tcp_hdr(skb)->dest), msg);
+        }
+        return want_cookie;
 }
+EXPORT_SYMBOL(tcp_syn_flood_action);
 
 /*
  * Save and compile IPv4 options into the request_sock if needed.
@@ -1235,11 +1253,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
         __be32 saddr = ip_hdr(skb)->saddr;
         __be32 daddr = ip_hdr(skb)->daddr;
         __u32 isn = TCP_SKB_CB(skb)->when;
-#ifdef CONFIG_SYN_COOKIES
         int want_cookie = 0;
-#else
-#define want_cookie 0 /* Argh, why doesn't gcc optimize this :( */
-#endif
 
         /* Never answer to SYNs send to broadcast or multicast */
         if (skb_rtable(skb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
@@ -1250,14 +1264,9 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
          * evidently real one.
          */
         if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-                if (net_ratelimit())
-                        syn_flood_warning(skb);
-#ifdef CONFIG_SYN_COOKIES
-                if (sysctl_tcp_syncookies) {
-                        want_cookie = 1;
-                } else
-#endif
-                goto drop;
+                want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
+                if (!want_cookie)
+                        goto drop;
         }
 
         /* Accept backlog is full. If we have already queued enough
@@ -1303,9 +1312,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
                 while (l-- > 0)
                         *c++ ^= *hash_location++;
 
-#ifdef CONFIG_SYN_COOKIES
                 want_cookie = 0;        /* not our kind of cookie */
-#endif
                 tmp_ext.cookie_out_never = 0; /* false */
                 tmp_ext.cookie_plus = tmp_opt.cookie_plus;
         } else if (!tp->rx_opt.cookie_in_always) {
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 9ef1831746ef..b46e9f88ce37 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -599,7 +599,7 @@ int datagram_recv_ctl(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
         return 0;
 }
 
-int datagram_send_ctl(struct net *net,
+int datagram_send_ctl(struct net *net, struct sock *sk,
                       struct msghdr *msg, struct flowi6 *fl6,
                       struct ipv6_txoptions *opt,
                       int *hlimit, int *tclass, int *dontfrag)
@@ -658,7 +658,8 @@ int datagram_send_ctl(struct net *net,
 
                         if (addr_type != IPV6_ADDR_ANY) {
                                 int strict = __ipv6_addr_src_scope(addr_type) <= IPV6_ADDR_SCOPE_LINKLOCAL;
-                                if (!ipv6_chk_addr(net, &src_info->ipi6_addr,
+                                if (!inet_sk(sk)->transparent &&
+                                    !ipv6_chk_addr(net, &src_info->ipi6_addr,
                                                    strict ? dev : NULL, 0))
                                         err = -EINVAL;
                                 else
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index f3caf1b8d572..543039450193 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -322,8 +322,8 @@ static int fl6_renew(struct ip6_flowlabel *fl, unsigned long linger, unsigned lo
 }
 
 static struct ip6_flowlabel *
-fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
-          int optlen, int *err_p)
+fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq,
+          char __user *optval, int optlen, int *err_p)
 {
         struct ip6_flowlabel *fl = NULL;
         int olen;
@@ -360,7 +360,7 @@ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
                 msg.msg_control = (void*)(fl->opt+1);
                 memset(&flowi6, 0, sizeof(flowi6));
 
-                err = datagram_send_ctl(net, &msg, &flowi6, fl->opt, &junk,
+                err = datagram_send_ctl(net, sk, &msg, &flowi6, fl->opt, &junk,
                                         &junk, &junk);
                 if (err)
                         goto done;
@@ -528,7 +528,7 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
                 if (freq.flr_label & ~IPV6_FLOWLABEL_MASK)
                         return -EINVAL;
 
-                fl = fl_create(net, &freq, optval, optlen, &err);
+                fl = fl_create(net, sk, &freq, optval, optlen, &err);
                 if (fl == NULL)
                         return err;
                 sfl1 = kmalloc(sizeof(*sfl1), GFP_KERNEL);
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 147ede38ab48..2fbda5fc4cc4 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -475,7 +475,7 @@ sticky_done:
                 msg.msg_controllen = optlen;
                 msg.msg_control = (void*)(opt+1);
 
-                retv = datagram_send_ctl(net, &msg, &fl6, opt, &junk, &junk,
+                retv = datagram_send_ctl(net, sk, &msg, &fl6, opt, &junk, &junk,
                                          &junk);
                 if (retv)
                         goto done;
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 249394863284..e63c3972a739 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
         return skb;
 
 nlmsg_failure:
+        kfree_skb(skb);
         *errp = -EINVAL;
         printk(KERN_ERR "ip6_queue: error creating packet message\n");
         return NULL;
@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len)
 {
         struct nf_queue_entry *entry;
 
-        if (vmsg->value > NF_MAX_VERDICT)
+        if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN)
                 return -EINVAL;
 
         entry = ipq_find_dequeue_entry(vmsg->id);
@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg,
                 break;
 
         case IPQM_VERDICT:
-                if (pmsg->msg.verdict.value > NF_MAX_VERDICT)
-                        status = -EINVAL;
-                else
-                        status = ipq_set_verdict(&pmsg->msg.verdict,
-                                                 len - sizeof(*pmsg));
-                        break;
+                status = ipq_set_verdict(&pmsg->msg.verdict,
+                                         len - sizeof(*pmsg));
+                break;
         default:
                 status = -EINVAL;
         }
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 6a79f3081bdb..343852e5c703 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -817,8 +817,8 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
                 memset(opt, 0, sizeof(struct ipv6_txoptions));
                 opt->tot_len = sizeof(struct ipv6_txoptions);
 
-                err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
-                                        &tclass, &dontfrag);
+                err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+                                        &hlimit, &tclass, &dontfrag);
                 if (err < 0) {
                         fl6_sock_release(flowlabel);
                         return err;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 9e69eb0ec6dd..1250f9020670 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -104,6 +104,9 @@ static u32 *ipv6_cow_metrics(struct dst_entry *dst, unsigned long old)
         struct inet_peer *peer;
         u32 *p = NULL;
 
+        if (!(rt->dst.flags & DST_HOST))
+                return NULL;
+
         if (!rt->rt6i_peer)
                 rt6_bind_peer(rt, 1);
 
@@ -252,6 +255,9 @@ static void ip6_dst_destroy(struct dst_entry *dst)
         struct inet6_dev *idev = rt->rt6i_idev;
         struct inet_peer *peer = rt->rt6i_peer;
 
+        if (!(rt->dst.flags & DST_HOST))
+                dst_destroy_metrics_generic(dst);
+
         if (idev != NULL) {
                 rt->rt6i_idev = NULL;
                 in6_dev_put(idev);
@@ -723,9 +729,7 @@ static struct rt6_info *rt6_alloc_cow(const struct rt6_info *ort,
                         ipv6_addr_copy(&rt->rt6i_gateway, daddr);
                 }
 
-                rt->rt6i_dst.plen = 128;
                 rt->rt6i_flags |= RTF_CACHE;
-                rt->dst.flags |= DST_HOST;
 
 #ifdef CONFIG_IPV6_SUBTREES
                 if (rt->rt6i_src.plen && saddr) {
@@ -775,9 +779,7 @@ static struct rt6_info *rt6_alloc_clone(struct rt6_info *ort,
         struct rt6_info *rt = ip6_rt_copy(ort, daddr);
 
         if (rt) {
-                rt->rt6i_dst.plen = 128;
                 rt->rt6i_flags |= RTF_CACHE;
-                rt->dst.flags |= DST_HOST;
                 dst_set_neighbour(&rt->dst, neigh_clone(dst_get_neighbour_raw(&ort->dst)));
         }
         return rt;
@@ -1078,12 +1080,15 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
                         neigh = NULL;
         }
 
-        rt->rt6i_idev     = idev;
+        rt->dst.flags |= DST_HOST;
+        rt->dst.output  = ip6_output;
         dst_set_neighbour(&rt->dst, neigh);
         atomic_set(&rt->dst.__refcnt, 1);
-        ipv6_addr_copy(&rt->rt6i_dst.addr, addr);
         dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255);
-        rt->dst.output  = ip6_output;
+
+        ipv6_addr_copy(&rt->rt6i_dst.addr, addr);
+        rt->rt6i_dst.plen = 128;
+        rt->rt6i_idev     = idev;
 
         spin_lock_bh(&icmp6_dst_lock);
         rt->dst.next = icmp6_dst_gc_list;
@@ -1261,6 +1266,14 @@ int ip6_route_add(struct fib6_config *cfg)
         if (rt->rt6i_dst.plen == 128)
                rt->dst.flags |= DST_HOST;
 
+        if (!(rt->dst.flags & DST_HOST) && cfg->fc_mx) {
+                u32 *metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
+                if (!metrics) {
+                        err = -ENOMEM;
+                        goto out;
+                }
+                dst_init_metrics(&rt->dst, metrics, 0);
+        }
 #ifdef CONFIG_IPV6_SUBTREES
         ipv6_addr_prefix(&rt->rt6i_src.addr, &cfg->fc_src, cfg->fc_src_len);
         rt->rt6i_src.plen = cfg->fc_src_len;
@@ -1607,9 +1620,6 @@ void rt6_redirect(const struct in6_addr *dest, const struct in6_addr *src,
         if (on_link)
                 nrt->rt6i_flags &= ~RTF_GATEWAY;
 
-        nrt->rt6i_dst.plen = 128;
-        nrt->dst.flags |= DST_HOST;
-
         ipv6_addr_copy(&nrt->rt6i_gateway, (struct in6_addr*)neigh->primary_key);
         dst_set_neighbour(&nrt->dst, neigh_clone(neigh));
 
@@ -1754,9 +1764,10 @@ static struct rt6_info *ip6_rt_copy(const struct rt6_info *ort,
         if (rt) {
                 rt->dst.input = ort->dst.input;
                 rt->dst.output = ort->dst.output;
+                rt->dst.flags |= DST_HOST;
 
                 ipv6_addr_copy(&rt->rt6i_dst.addr, dest);
-                rt->rt6i_dst.plen = ort->rt6i_dst.plen;
+                rt->rt6i_dst.plen = 128;
                 dst_copy_metrics(&rt->dst, &ort->dst);
                 rt->dst.error = ort->dst.error;
                 rt->rt6i_idev = ort->rt6i_idev;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index d1fb63f4aeb7..3c9fa618b69d 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -531,20 +531,6 @@ static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
         return tcp_v6_send_synack(sk, req, rvp);
 }
 
-static inline void syn_flood_warning(struct sk_buff *skb)
-{
-#ifdef CONFIG_SYN_COOKIES
-        if (sysctl_tcp_syncookies)
-                printk(KERN_INFO
-                       "TCPv6: Possible SYN flooding on port %d. "
-                       "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
-        else
-#endif
-                printk(KERN_INFO
-                       "TCPv6: Possible SYN flooding on port %d. "
-                       "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
-}
-
 static void tcp_v6_reqsk_destructor(struct request_sock *req)
 {
         kfree_skb(inet6_rsk(req)->pktopts);
@@ -1179,11 +1165,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
         struct tcp_sock *tp = tcp_sk(sk);
         __u32 isn = TCP_SKB_CB(skb)->when;
         struct dst_entry *dst = NULL;
-#ifdef CONFIG_SYN_COOKIES
         int want_cookie = 0;
-#else
-#define want_cookie 0
-#endif
 
         if (skb->protocol == htons(ETH_P_IP))
                 return tcp_v4_conn_request(sk, skb);
@@ -1192,14 +1174,9 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
                 goto drop;
 
         if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-                if (net_ratelimit())
-                        syn_flood_warning(skb);
-#ifdef CONFIG_SYN_COOKIES
-                if (sysctl_tcp_syncookies)
-                        want_cookie = 1;
-                else
-#endif
-                goto drop;
+                want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6");
+                if (!want_cookie)
+                        goto drop;
         }
 
         if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
@@ -1249,9 +1226,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
                 while (l-- > 0)
                         *c++ ^= *hash_location++;
 
-#ifdef CONFIG_SYN_COOKIES
                 want_cookie = 0;        /* not our kind of cookie */
-#endif
                 tmp_ext.cookie_out_never = 0; /* false */
                 tmp_ext.cookie_plus = tmp_opt.cookie_plus;
         } else if (!tp->rx_opt.cookie_in_always) {
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 29213b51c499..bb95e8e1c6f9 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1090,8 +1090,8 @@ do_udp_sendmsg:
                 memset(opt, 0, sizeof(struct ipv6_txoptions));
                 opt->tot_len = sizeof(*opt);
 
-                err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
-                                        &tclass, &dontfrag);
+                err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+                                        &hlimit, &tclass, &dontfrag);
                 if (err < 0) {
                         fl6_sock_release(flowlabel);
                         return err;
diff --git a/net/irda/irsysctl.c b/net/irda/irsysctl.c
index d0b70dadf73b..2615ffc8e785 100644
--- a/net/irda/irsysctl.c
+++ b/net/irda/irsysctl.c
@@ -40,9 +40,9 @@ extern int  sysctl_slot_timeout;
 extern int  sysctl_fast_poll_increase;
 extern char sysctl_devname[];
 extern int  sysctl_max_baud_rate;
-extern int  sysctl_min_tx_turn_time;
-extern int  sysctl_max_tx_data_size;
-extern int  sysctl_max_tx_window;
+extern unsigned int sysctl_min_tx_turn_time;
+extern unsigned int sysctl_max_tx_data_size;
+extern unsigned int sysctl_max_tx_window;
 extern int  sysctl_max_noreply_time;
 extern int  sysctl_warn_noreply_time;
 extern int  sysctl_lap_keepalive_time;
diff --git a/net/irda/qos.c b/net/irda/qos.c
index 1b51bcf42394..4369f7f41bcb 100644
--- a/net/irda/qos.c
+++ b/net/irda/qos.c
@@ -60,7 +60,7 @@ int sysctl_max_noreply_time = 12;
  * Default is 10us which means using the unmodified value given by the
  * peer except if it's 0 (0 is likely a bug in the other stack).
  */
-unsigned sysctl_min_tx_turn_time = 10;
+unsigned int sysctl_min_tx_turn_time = 10;
 /*
  * Maximum data size to be used in transmission in payload of LAP frame.
  * There is a bit of confusion in the IrDA spec :
@@ -75,13 +75,13 @@ unsigned sysctl_min_tx_turn_time = 10;
  * bytes frames or all negotiated frame sizes, but you can use the sysctl
  * to play with this value anyway.
  * Jean II */
-unsigned sysctl_max_tx_data_size = 2042;
+unsigned int sysctl_max_tx_data_size = 2042;
 /*
  * Maximum transmit window, i.e. number of LAP frames between turn-around.
  * This allow to override what the peer told us. Some peers are buggy and
  * don't always support what they tell us.
  * Jean II */
-unsigned sysctl_max_tx_window = 7;
+unsigned int sysctl_max_tx_window = 7;
 
 static int irlap_param_baud_rate(void *instance, irda_param_t *param, int get);
 static int irlap_param_link_disconnect(void *instance, irda_param_t *parm,
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 3db78b696c5c..21070e9bc8d0 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -665,7 +665,7 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
                 BUG_ON(!sdata->bss);
 
                 atomic_dec(&sdata->bss->num_sta_ps);
-                __sta_info_clear_tim_bit(sdata->bss, sta);
+                sta_info_clear_tim_bit(sta);
         }
 
         local->num_sta--;
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 2fd4565144de..31d56b23b9e9 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -364,6 +364,7 @@ pptp_inbound_pkt(struct sk_buff *skb,
                 break;
 
         case PPTP_WAN_ERROR_NOTIFY:
+        case PPTP_SET_LINK_INFO:
         case PPTP_ECHO_REQUEST:
         case PPTP_ECHO_REPLY:
                 /* I don't have to explain these ;) */
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 37bf94394be0..8235b86b4e87 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb,
                         if (opsize < 2) /* "silly options" */
                                 return;
                         if (opsize > length)
-                                break;  /* don't parse partial options */
+                                return; /* don't parse partial options */
 
                         if (opcode == TCPOPT_SACK_PERM
                             && opsize == TCPOLEN_SACK_PERM)
@@ -447,7 +447,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
         BUG_ON(ptr == NULL);
 
         /* Fast path for timestamp-only option */
-        if (length == TCPOLEN_TSTAMP_ALIGNED*4
+        if (length == TCPOLEN_TSTAMP_ALIGNED
             && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
                                        | (TCPOPT_NOP << 16)
                                        | (TCPOPT_TIMESTAMP << 8)
@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
                         if (opsize < 2) /* "silly options" */
                                 return;
                         if (opsize > length)
-                                break;  /* don't parse partial options */
+                                return; /* don't parse partial options */
 
                         if (opcode == TCPOPT_SACK
                             && opsize >= (TCPOLEN_SACK_BASE
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 00bd475eab4b..a80b0cb03f17 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -646,8 +646,8 @@ verdicthdr_get(const struct nlattr * const nfqa[])
                 return NULL;
 
         vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
-        verdict = ntohl(vhdr->verdict);
-        if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT)
+        verdict = ntohl(vhdr->verdict) & NF_VERDICT_MASK;
+        if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
                 return NULL;
         return vhdr;
 }
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 76a083184d8e..ed0db15ab00e 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -78,7 +78,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
 {
         struct xt_rateest_match_info *info = par->matchinfo;
         struct xt_rateest *est1, *est2;
-        int ret = false;
+        int ret = -EINVAL;
 
         if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
                                      XT_RATEEST_MATCH_REL)) != 1)
@@ -101,13 +101,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
         if (!est1)
                 goto err1;
 
+        est2 = NULL;
         if (info->flags & XT_RATEEST_MATCH_REL) {
                 est2 = xt_rateest_lookup(info->name2);
                 if (!est2)
                         goto err2;
-        } else
-                est2 = NULL;
-
+        }
 
         info->est1 = est1;
         info->est2 = est2;
@@ -116,7 +115,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
 err2:
         xt_rateest_put(est1);
 err1:
-        return -EINVAL;
+        return ret;
 }
 
 static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index be4505ee67a9..b01427924f81 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -425,7 +425,7 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
         struct rsvp_filter *f, **fp;
         struct rsvp_session *s, **sp;
         struct tc_rsvp_pinfo *pinfo = NULL;
-        struct nlattr *opt = tca[TCA_OPTIONS-1];
+        struct nlattr *opt = tca[TCA_OPTIONS];
         struct nlattr *tb[TCA_RSVP_MAX + 1];
         struct tcf_exts e;
         unsigned int h1, h2;
@@ -439,7 +439,7 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
         if (err < 0)
                 return err;
 
-        err = tcf_exts_validate(tp, tb, tca[TCA_RATE-1], &e, &rsvp_ext_map);
+        err = tcf_exts_validate(tp, tb, tca[TCA_RATE], &e, &rsvp_ext_map);
         if (err < 0)
                 return err;
 
@@ -449,8 +449,8 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
 
                 if (f->handle != handle && handle)
                         goto errout2;
-                if (tb[TCA_RSVP_CLASSID-1]) {
-                        f->res.classid = nla_get_u32(tb[TCA_RSVP_CLASSID-1]);
+                if (tb[TCA_RSVP_CLASSID]) {
+                        f->res.classid = nla_get_u32(tb[TCA_RSVP_CLASSID]);
                         tcf_bind_filter(tp, &f->res, base);
                 }
 
@@ -462,7 +462,7 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
         err = -EINVAL;
         if (handle)
                 goto errout2;
-        if (tb[TCA_RSVP_DST-1] == NULL)
+        if (tb[TCA_RSVP_DST] == NULL)
                 goto errout2;
 
         err = -ENOBUFS;
@@ -471,19 +471,19 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
                 goto errout2;
 
         h2 = 16;
-        if (tb[TCA_RSVP_SRC-1]) {
-                memcpy(f->src, nla_data(tb[TCA_RSVP_SRC-1]), sizeof(f->src));
+        if (tb[TCA_RSVP_SRC]) {
+                memcpy(f->src, nla_data(tb[TCA_RSVP_SRC]), sizeof(f->src));
                 h2 = hash_src(f->src);
         }
-        if (tb[TCA_RSVP_PINFO-1]) {
-                pinfo = nla_data(tb[TCA_RSVP_PINFO-1]);
+        if (tb[TCA_RSVP_PINFO]) {
+                pinfo = nla_data(tb[TCA_RSVP_PINFO]);
                 f->spi = pinfo->spi;
                 f->tunnelhdr = pinfo->tunnelhdr;
         }
-        if (tb[TCA_RSVP_CLASSID-1])
-                f->res.classid = nla_get_u32(tb[TCA_RSVP_CLASSID-1]);
+        if (tb[TCA_RSVP_CLASSID])
+                f->res.classid = nla_get_u32(tb[TCA_RSVP_CLASSID]);
 
-        dst = nla_data(tb[TCA_RSVP_DST-1]);
+        dst = nla_data(tb[TCA_RSVP_DST]);
         h1 = hash_dst(dst, pinfo ? pinfo->protocol : 0, pinfo ? pinfo->tunnelid : 0);
 
         err = -ENOMEM;
@@ -642,8 +642,7 @@ nla_put_failure:
         return -1;
 }
 
-static struct tcf_proto_ops RSVP_OPS = {
-        .next           =       NULL,
+static struct tcf_proto_ops RSVP_OPS __read_mostly = {
         .kind           =       RSVP_ID,
         .classify       =       rsvp_classify,
         .init           =       rsvp_init,
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 167c880cf8da..76388b083f28 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1689,6 +1689,11 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                 case SCTP_CMD_PURGE_ASCONF_QUEUE:
                         sctp_asconf_queue_teardown(asoc);
                         break;
+
+                case SCTP_CMD_SET_ASOC:
+                        asoc = cmd->obj.asoc;
+                        break;
+
                 default:
                         pr_warn("Impossible command: %u, %p\n",
                                 cmd->verb, cmd->obj.ptr);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 49b847b00f99..a0f31e6c1c63 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2047,6 +2047,12 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
         sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
         sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 
+        /* Restore association pointer to provide SCTP command interpeter
+         * with a valid context in case it needs to manipulate
+         * the queues */
+        sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC,
+                         SCTP_ASOC((struct sctp_association *)asoc));
+
         return retval;
 
 nomem: