Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Revert iwlwifi reclaimed packet tracking, it causes problems for a
    bunch of folks.  From Emmanuel Grumbach.

 2) Work limiting code in brcmsmac wifi driver can clear tx status
    without processing the event.  From Arend van Spriel.

 3) rtlwifi USB driver processes wrong SKB, fix from Larry Finger.

 4) l2tp tunnel delete can race with close, fix from Tom Parkin.

 5) pktgen_add_device() failures are not checked at all, fix from Cong
    Wang.

 6) Fix unintentional removal of carrier off from tun_detach(),
    otherwise we confuse userspace, from Michael S.  Tsirkin.

 7) Don't leak socket reference counts and ubufs in vhost-net driver,
    from Jason Wang.

 8) vmxnet3 driver gets it's initial carrier state wrong, fix from Neil
    Horman.

 9) Protect against USB networking devices which spam the host with 0
    length frames, from Bjørn Mork.

10) Prevent neighbour overflows in ipv6 for locally destined routes,
    from Marcelo Ricardo.  This is the best short-term fix for this, a
    longer term fix has been implemented in net-next.

11) L2TP uses ipv4 datagram routines in it's ipv6 code, whoops.  This
    mistake is largely because the ipv6 functions don't even have some
    kind of prefix in their names to suggest they are ipv6 specific.
    From Tom Parkin.

12) Check SYN packet drops properly in tcp_rcv_fastopen_synack(), from
    Yuchung Cheng.

13) Fix races and TX skb freeing bugs in via-rhine's NAPI support, from
    Francois Romieu and your's truly.

14) Fix infinite loops and divides by zero in TCP congestion window
    handling, from Eric Dumazet, Neal Cardwell, and Ilpo Järvinen.

15) AF_PACKET tx ring handling can leak kernel memory to userspace, fix
    from Phil Sutter.

16) Fix error handling in ipv6 GRE tunnel transmit, from Tommi Rantala.

17) Protect XEN netback driver against hostile frontend putting garbage
    into the rings, don't leak pages in TX GOP checking, and add proper
    resource releasing in error path of xen_netbk_get_requests().  From
    Ian Campbell.

18) SCTP authentication keys should be cleared out and released with
    kzfree(), from Daniel Borkmann.

19) L2TP is a bit too clever trying to maintain skb->truesize, and ends
    up corrupting socket memory accounting to the point where packet
    sending is halted indefinitely.  Just remove the adjustments
    entirely, they aren't really needed.  From Eric Dumazet.

20) ATM Iphase driver uses a data type with the same name as the S390
    headers, rename to fix the build.  From Heiko Carstens.

21) Fix a typo in copying the inner network header offset from one SKB
    to another, from Pravin B Shelar.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (56 commits)
  net: sctp: sctp_endpoint_free: zero out secret key data
  net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
  atm/iphase: rename fregt_t -> ffreg_t
  net: usb: fix regression from FLAG_NOARP code
  l2tp: dont play with skb->truesize
  net: sctp: sctp_auth_key_put: use kzfree instead of kfree
  netback: correct netbk_tx_err to handle wrap around.
  xen/netback: free already allocated memory on failure in xen_netbk_get_requests
  xen/netback: don't leak pages on failure in xen_netbk_tx_check_gop.
  xen/netback: shutdown the ring if it contains garbage.
  net: qmi_wwan: add more Huawei devices, including E320
  net: cdc_ncm: add another Huawei vendor specific device
  ipv6/ip6_gre: fix error case handling in ip6gre_tunnel_xmit()
  tcp: fix for zero packets_in_flight was too broad
  brcmsmac: rework of mac80211 .flush() callback operation
  ssb: unregister gpios before unloading ssb
  bcma: unregister gpios before unloading bcma
  rtlwifi: Fix scheduling while atomic bug
  net: usbnet: fix tx_dropped statistics
  tcp: ipv6: Update MIB counters for drops
  ...

28 files changed, 176 insertions, 85 deletions

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 25bfce0666eb..4925a02ae7e4 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -249,12 +249,12 @@ static void hci_conn_disconnect(struct hci_conn *conn)
         __u8 reason = hci_proto_disconn_ind(conn);
 
         switch (conn->type) {
-        case ACL_LINK:
-                hci_acl_disconn(conn, reason);
-                break;
         case AMP_LINK:
                 hci_amp_disconn(conn, reason);
                 break;
+        default:
+                hci_acl_disconn(conn, reason);
+                break;
         }
 }
 
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 68a9587c9694..5abefb12891d 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -859,6 +859,19 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
 
         skb_pull(skb, sizeof(code));
 
+        /*
+         * The SMP context must be initialized for all other PDUs except
+         * pairing and security requests. If we get any other PDU when
+         * not initialized simply disconnect (done if this function
+         * returns an error).
+         */
+        if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
+            !conn->smp_chan) {
+                BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
+                kfree_skb(skb);
+                return -ENOTSUPP;
+        }
+
         switch (code) {
         case SMP_CMD_PAIRING_REQ:
                 reason = smp_cmd_pairing_req(conn, skb);
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index b29dacf900f9..e6e1cbe863f5 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1781,10 +1781,13 @@ static ssize_t pktgen_thread_write(struct file *file,
                         return -EFAULT;
                 i += len;
                 mutex_lock(&pktgen_thread_lock);
-                pktgen_add_device(t, f);
+                ret = pktgen_add_device(t, f);
                 mutex_unlock(&pktgen_thread_lock);
-                ret = count;
-                sprintf(pg_result, "OK: add_device=%s", f);
+                if (!ret) {
+                        ret = count;
+                        sprintf(pg_result, "OK: add_device=%s", f);
+                } else
+                        sprintf(pg_result, "ERROR: can not add device %s", f);
                 goto out;
         }
 
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a9a2ae3e2213..32443ebc3e89 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -683,7 +683,7 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
         new->network_header     = old->network_header;
         new->mac_header         = old->mac_header;
         new->inner_transport_header = old->inner_transport_header;
-        new->inner_network_header = old->inner_transport_header;
+        new->inner_network_header = old->inner_network_header;
         skb_dst_copy(new, old);
         new->rxhash             = old->rxhash;
         new->ooo_okay           = old->ooo_okay;
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 291f2ed7cc31..cdf2e707bb10 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -310,6 +310,12 @@ void tcp_slow_start(struct tcp_sock *tp)
 {
         int cnt; /* increase in packets */
         unsigned int delta = 0;
+        u32 snd_cwnd = tp->snd_cwnd;
+
+        if (unlikely(!snd_cwnd)) {
+                pr_err_once("snd_cwnd is nul, please report this bug.\n");
+                snd_cwnd = 1U;
+        }
 
         /* RFC3465: ABC Slow start
          * Increase only after a full MSS of bytes is acked
@@ -324,7 +330,7 @@ void tcp_slow_start(struct tcp_sock *tp)
         if (sysctl_tcp_max_ssthresh > 0 && tp->snd_cwnd > sysctl_tcp_max_ssthresh)
                 cnt = sysctl_tcp_max_ssthresh >> 1;     /* limited slow start */
         else
-                cnt = tp->snd_cwnd;                     /* exponential increase */
+                cnt = snd_cwnd;                         /* exponential increase */
 
         /* RFC3465: ABC
          * We MAY increase by 2 if discovered delayed ack
@@ -334,11 +340,11 @@ void tcp_slow_start(struct tcp_sock *tp)
         tp->bytes_acked = 0;
 
         tp->snd_cwnd_cnt += cnt;
-        while (tp->snd_cwnd_cnt >= tp->snd_cwnd) {
-                tp->snd_cwnd_cnt -= tp->snd_cwnd;
+        while (tp->snd_cwnd_cnt >= snd_cwnd) {
+                tp->snd_cwnd_cnt -= snd_cwnd;
                 delta++;
         }
-        tp->snd_cwnd = min(tp->snd_cwnd + delta, tp->snd_cwnd_clamp);
+        tp->snd_cwnd = min(snd_cwnd + delta, tp->snd_cwnd_clamp);
 }
 EXPORT_SYMBOL_GPL(tcp_slow_start);
 
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 18f97ca76b00..ad70a962c20e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3504,6 +3504,11 @@ static bool tcp_process_frto(struct sock *sk, int flag)
                 }
         } else {
                 if (!(flag & FLAG_DATA_ACKED) && (tp->frto_counter == 1)) {
+                        if (!tcp_packets_in_flight(tp)) {
+                                tcp_enter_frto_loss(sk, 2, flag);
+                                return true;
+                        }
+
                         /* Prevent sending of new data. */
                         tp->snd_cwnd = min(tp->snd_cwnd,
                                            tcp_packets_in_flight(tp));
@@ -5649,8 +5654,7 @@ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
          * the remote receives only the retransmitted (regular) SYNs: either
          * the original SYN-data or the corresponding SYN-ACK is lost.
          */
-        syn_drop = (cookie->len <= 0 && data &&
-                    inet_csk(sk)->icsk_retransmits);
+        syn_drop = (cookie->len <= 0 && data && tp->total_retrans);
 
         tcp_fastopen_cache_set(sk, mss, cookie, syn_drop);
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 70b09ef2463b..eadb693eef55 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -496,6 +496,7 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                  * errors returned from accept().
                  */
                 inet_csk_reqsk_queue_drop(sk, req, prev);
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
                 goto out;
 
         case TCP_SYN_SENT:
@@ -1500,8 +1501,10 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
          * clogging syn queue with openreqs with exponentially increasing
          * timeout.
          */
-        if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
+        if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) {
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
                 goto drop;
+        }
 
         req = inet_reqsk_alloc(&tcp_request_sock_ops);
         if (!req)
@@ -1666,6 +1669,7 @@ drop_and_release:
 drop_and_free:
         reqsk_free(req);
 drop:
+        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
         return 0;
 }
 EXPORT_SYMBOL(tcp_v4_conn_request);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 420e56326384..1b5d8cb9b123 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1660,6 +1660,7 @@ static int addrconf_ifid_eui64(u8 *eui, struct net_device *dev)
         if (dev->addr_len != IEEE802154_ADDR_LEN)
                 return -1;
         memcpy(eui, dev->dev_addr, 8);
+        eui[0] ^= 2;
         return 0;
 }
 
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 8edf2601065a..7a778b9a7b85 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -380,7 +380,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
                 if (skb->protocol == htons(ETH_P_IPV6)) {
                         sin->sin6_addr = ipv6_hdr(skb)->saddr;
                         if (np->rxopt.all)
-                                datagram_recv_ctl(sk, msg, skb);
+                                ip6_datagram_recv_ctl(sk, msg, skb);
                         if (ipv6_addr_type(&sin->sin6_addr) & IPV6_ADDR_LINKLOCAL)
                                 sin->sin6_scope_id = IP6CB(skb)->iif;
                 } else {
@@ -468,7 +468,8 @@ out:
 }
 
 
-int datagram_recv_ctl(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
+int ip6_datagram_recv_ctl(struct sock *sk, struct msghdr *msg,
+                          struct sk_buff *skb)
 {
         struct ipv6_pinfo *np = inet6_sk(sk);
         struct inet6_skb_parm *opt = IP6CB(skb);
@@ -597,11 +598,12 @@ int datagram_recv_ctl(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
         }
         return 0;
 }
+EXPORT_SYMBOL_GPL(ip6_datagram_recv_ctl);
 
-int datagram_send_ctl(struct net *net, struct sock *sk,
-                      struct msghdr *msg, struct flowi6 *fl6,
-                      struct ipv6_txoptions *opt,
-                      int *hlimit, int *tclass, int *dontfrag)
+int ip6_datagram_send_ctl(struct net *net, struct sock *sk,
+                          struct msghdr *msg, struct flowi6 *fl6,
+                          struct ipv6_txoptions *opt,
+                          int *hlimit, int *tclass, int *dontfrag)
 {
         struct in6_pktinfo *src_info;
         struct cmsghdr *cmsg;
@@ -871,4 +873,4 @@ int datagram_send_ctl(struct net *net, struct sock *sk,
 exit_f:
         return err;
 }
-EXPORT_SYMBOL_GPL(datagram_send_ctl);
+EXPORT_SYMBOL_GPL(ip6_datagram_send_ctl);
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 29124b7a04c8..d6de4b447250 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -365,8 +365,8 @@ fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq,
                 msg.msg_control = (void*)(fl->opt+1);
                 memset(&flowi6, 0, sizeof(flowi6));
 
-                err = datagram_send_ctl(net, sk, &msg, &flowi6, fl->opt, &junk,
-                                        &junk, &junk);
+                err = ip6_datagram_send_ctl(net, sk, &msg, &flowi6, fl->opt,
+                                            &junk, &junk, &junk);
                 if (err)
                         goto done;
                 err = -EINVAL;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index c727e4712751..131dd097736d 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -960,7 +960,7 @@ static netdev_tx_t ip6gre_tunnel_xmit(struct sk_buff *skb,
         int ret;
 
         if (!ip6_tnl_xmit_ctl(t))
-                return -1;
+                goto tx_err;
 
         switch (skb->protocol) {
         case htons(ETH_P_IP):
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index ee94d31c9d4d..d1e2e8ef29c5 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -476,8 +476,8 @@ sticky_done:
                 msg.msg_controllen = optlen;
                 msg.msg_control = (void*)(opt+1);
 
-                retv = datagram_send_ctl(net, sk, &msg, &fl6, opt, &junk, &junk,
-                                         &junk);
+                retv = ip6_datagram_send_ctl(net, sk, &msg, &fl6, opt, &junk,
+                                             &junk, &junk);
                 if (retv)
                         goto done;
 update:
@@ -1002,7 +1002,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
                 release_sock(sk);
 
                 if (skb) {
-                        int err = datagram_recv_ctl(sk, &msg, skb);
+                        int err = ip6_datagram_recv_ctl(sk, &msg, skb);
                         kfree_skb(skb);
                         if (err)
                                 return err;
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 6cd29b1e8b92..70fa81449997 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -507,7 +507,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
         sock_recv_ts_and_drops(msg, sk, skb);
 
         if (np->rxopt.all)
-                datagram_recv_ctl(sk, msg, skb);
+                ip6_datagram_recv_ctl(sk, msg, skb);
 
         err = copied;
         if (flags & MSG_TRUNC)
@@ -822,8 +822,8 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
                 memset(opt, 0, sizeof(struct ipv6_txoptions));
                 opt->tot_len = sizeof(struct ipv6_txoptions);
 
-                err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
-                                        &hlimit, &tclass, &dontfrag);
+                err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+                                            &hlimit, &tclass, &dontfrag);
                 if (err < 0) {
                         fl6_sock_release(flowlabel);
                         return err;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index e229a3bc345d..363d8b7772e8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -928,7 +928,7 @@ restart:
         dst_hold(&rt->dst);
         read_unlock_bh(&table->tb6_lock);
 
-        if (!rt->n && !(rt->rt6i_flags & RTF_NONEXTHOP))
+        if (!rt->n && !(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL)))
                 nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr);
         else if (!(rt->dst.flags & DST_HOST))
                 nrt = rt6_alloc_clone(rt, &fl6->daddr);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 93825dd3a7c0..4f43537197ef 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -423,6 +423,7 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                 }
 
                 inet_csk_reqsk_queue_drop(sk, req, prev);
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
                 goto out;
 
         case TCP_SYN_SENT:
@@ -958,8 +959,10 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
                         goto drop;
         }
 
-        if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
+        if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) {
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
                 goto drop;
+        }
 
         req = inet6_reqsk_alloc(&tcp6_request_sock_ops);
         if (req == NULL)
@@ -1108,6 +1111,7 @@ drop_and_release:
 drop_and_free:
         reqsk_free(req);
 drop:
+        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
         return 0; /* don't send reset */
 }
 
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index dfaa29b8b293..fb083295ff0b 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -443,7 +443,7 @@ try_again:
                         ip_cmsg_recv(msg, skb);
         } else {
                 if (np->rxopt.all)
-                        datagram_recv_ctl(sk, msg, skb);
+                        ip6_datagram_recv_ctl(sk, msg, skb);
         }
 
         err = copied;
@@ -1153,8 +1153,8 @@ do_udp_sendmsg:
                 memset(opt, 0, sizeof(struct ipv6_txoptions));
                 opt->tot_len = sizeof(*opt);
 
-                err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
-                                        &hlimit, &tclass, &dontfrag);
+                err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+                                            &hlimit, &tclass, &dontfrag);
                 if (err < 0) {
                         fl6_sock_release(flowlabel);
                         return err;
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 1a9f3723c13c..2ac884d0e89b 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -168,6 +168,51 @@ l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
 
 }
 
+/* Lookup the tunnel socket, possibly involving the fs code if the socket is
+ * owned by userspace.  A struct sock returned from this function must be
+ * released using l2tp_tunnel_sock_put once you're done with it.
+ */
+struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
+{
+        int err = 0;
+        struct socket *sock = NULL;
+        struct sock *sk = NULL;
+
+        if (!tunnel)
+                goto out;
+
+        if (tunnel->fd >= 0) {
+                /* Socket is owned by userspace, who might be in the process
+                 * of closing it.  Look the socket up using the fd to ensure
+                 * consistency.
+                 */
+                sock = sockfd_lookup(tunnel->fd, &err);
+                if (sock)
+                        sk = sock->sk;
+        } else {
+                /* Socket is owned by kernelspace */
+                sk = tunnel->sock;
+        }
+
+out:
+        return sk;
+}
+EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_lookup);
+
+/* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
+void l2tp_tunnel_sock_put(struct sock *sk)
+{
+        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+        if (tunnel) {
+                if (tunnel->fd >= 0) {
+                        /* Socket is owned by userspace */
+                        sockfd_put(sk->sk_socket);
+                }
+                sock_put(sk);
+        }
+}
+EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_put);
+
 /* Lookup a session by id in the global session list
  */
 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
@@ -1123,8 +1168,6 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
         struct udphdr *uh;
         struct inet_sock *inet;
         __wsum csum;
-        int old_headroom;
-        int new_headroom;
         int headroom;
         int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
         int udp_len;
@@ -1136,16 +1179,12 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
          */
         headroom = NET_SKB_PAD + sizeof(struct iphdr) +
                 uhlen + hdr_len;
-        old_headroom = skb_headroom(skb);
         if (skb_cow_head(skb, headroom)) {
                 kfree_skb(skb);
                 return NET_XMIT_DROP;
         }
 
-        new_headroom = skb_headroom(skb);
         skb_orphan(skb);
-        skb->truesize += new_headroom - old_headroom;
-
         /* Setup L2TP header */
         session->build_header(session, __skb_push(skb, hdr_len));
 
@@ -1607,6 +1646,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
         tunnel->old_sk_destruct = sk->sk_destruct;
         sk->sk_destruct = &l2tp_tunnel_destruct;
         tunnel->sock = sk;
+        tunnel->fd = fd;
         lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
 
         sk->sk_allocation = GFP_ATOMIC;
@@ -1642,24 +1682,32 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
  */
 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
 {
-        int err = 0;
-        struct socket *sock = tunnel->sock ? tunnel->sock->sk_socket : NULL;
+        int err = -EBADF;
+        struct socket *sock = NULL;
+        struct sock *sk = NULL;
+
+        sk = l2tp_tunnel_sock_lookup(tunnel);
+        if (!sk)
+                goto out;
+
+        sock = sk->sk_socket;
+        BUG_ON(!sock);
 
         /* Force the tunnel socket to close. This will eventually
          * cause the tunnel to be deleted via the normal socket close
          * mechanisms when userspace closes the tunnel socket.
          */
-        if (sock != NULL) {
-                err = inet_shutdown(sock, 2);
+        err = inet_shutdown(sock, 2);
 
-                /* If the tunnel's socket was created by the kernel,
-                 * close the socket here since the socket was not
-                 * created by userspace.
-                 */
-                if (sock->file == NULL)
-                        err = inet_release(sock);
-        }
+        /* If the tunnel's socket was created by the kernel,
+         * close the socket here since the socket was not
+         * created by userspace.
+         */
+        if (sock->file == NULL)
+                err = inet_release(sock);
 
+        l2tp_tunnel_sock_put(sk);
+out:
         return err;
 }
 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 56d583e083a7..e62204cad4fe 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -188,7 +188,8 @@ struct l2tp_tunnel {
         int (*recv_payload_hook)(struct sk_buff *skb);
         void (*old_sk_destruct)(struct sock *);
         struct sock             *sock;          /* Parent socket */
-        int                     fd;
+        int                     fd;             /* Parent fd, if tunnel socket
+                                                 * was created by userspace */
 
         uint8_t                 priv[0];        /* private data */
 };
@@ -228,6 +229,8 @@ out:
         return tunnel;
 }
 
+extern struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel);
+extern void l2tp_tunnel_sock_put(struct sock *sk);
 extern struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id);
 extern struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth);
 extern struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname);
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 927547171bc7..8ee4a86ae996 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -554,8 +554,8 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk,
                 memset(opt, 0, sizeof(struct ipv6_txoptions));
                 opt->tot_len = sizeof(struct ipv6_txoptions);
 
-                err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
-                                        &hlimit, &tclass, &dontfrag);
+                err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+                                            &hlimit, &tclass, &dontfrag);
                 if (err < 0) {
                         fl6_sock_release(flowlabel);
                         return err;
@@ -646,7 +646,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
                             struct msghdr *msg, size_t len, int noblock,
                             int flags, int *addr_len)
 {
-        struct inet_sock *inet = inet_sk(sk);
+        struct ipv6_pinfo *np = inet6_sk(sk);
         struct sockaddr_l2tpip6 *lsa = (struct sockaddr_l2tpip6 *)msg->msg_name;
         size_t copied = 0;
         int err = -EOPNOTSUPP;
@@ -688,8 +688,8 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
                         lsa->l2tp_scope_id = IP6CB(skb)->iif;
         }
 
-        if (inet->cmsg_flags)
-                ip_cmsg_recv(msg, skb);
+        if (np->rxopt.all)
+                ip6_datagram_recv_ctl(sk, msg, skb);
 
         if (flags & MSG_TRUNC)
                 copied = skb->len;
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 286366ef8930..716605c241f4 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -388,8 +388,6 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
         struct l2tp_session *session;
         struct l2tp_tunnel *tunnel;
         struct pppol2tp_session *ps;
-        int old_headroom;
-        int new_headroom;
         int uhlen, headroom;
 
         if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
@@ -408,7 +406,6 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
         if (tunnel == NULL)
                 goto abort_put_sess;
 
-        old_headroom = skb_headroom(skb);
         uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
         headroom = NET_SKB_PAD +
                    sizeof(struct iphdr) + /* IP header */
@@ -418,9 +415,6 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
         if (skb_cow_head(skb, headroom))
                 goto abort_put_sess_tun;
 
-        new_headroom = skb_headroom(skb);
-        skb->truesize += new_headroom - old_headroom;
-
         /* Setup PPP header */
         __skb_push(skb, sizeof(ppph));
         skb->data[0] = ppph[0];
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index a9327e2e48ce..670cbc3518de 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -35,10 +35,11 @@
 /* Must be called with rcu_read_lock. */
 static void netdev_port_receive(struct vport *vport, struct sk_buff *skb)
 {
-        if (unlikely(!vport)) {
-                kfree_skb(skb);
-                return;
-        }
+        if (unlikely(!vport))
+                goto error;
+
+        if (unlikely(skb_warn_if_lro(skb)))
+                goto error;
 
         /* Make our own copy of the packet.  Otherwise we will mangle the
          * packet for anyone who came before us (e.g. tcpdump via AF_PACKET).
@@ -50,6 +51,10 @@ static void netdev_port_receive(struct vport *vport, struct sk_buff *skb)
 
         skb_push(skb, ETH_HLEN);
         ovs_vport_receive(vport, skb);
+        return;
+
+error:
+        kfree_skb(skb);
 }
 
 /* Called with rcu_read_lock and bottom-halves disabled. */
@@ -169,9 +174,6 @@ static int netdev_send(struct vport *vport, struct sk_buff *skb)
                 goto error;
         }
 
-        if (unlikely(skb_warn_if_lro(skb)))
-                goto error;
-
         skb->dev = netdev_vport->dev;
         len = skb->len;
         dev_queue_xmit(skb);
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index e639645e8fec..c111bd0e083a 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2361,13 +2361,15 @@ static int packet_release(struct socket *sock)
 
         packet_flush_mclist(sk);
 
-        memset(&req_u, 0, sizeof(req_u));
-
-        if (po->rx_ring.pg_vec)
+        if (po->rx_ring.pg_vec) {
+                memset(&req_u, 0, sizeof(req_u));
                 packet_set_ring(sk, &req_u, 1, 0);
+        }
 
-        if (po->tx_ring.pg_vec)
+        if (po->tx_ring.pg_vec) {
+                memset(&req_u, 0, sizeof(req_u));
                 packet_set_ring(sk, &req_u, 1, 1);
+        }
 
         fanout_release(sk);
 
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 298c0ddfb57e..3d2acc7a9c80 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -438,18 +438,18 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                 if (q->rate) {
                         struct sk_buff_head *list = &sch->q;
 
-                        delay += packet_len_2_sched_time(skb->len, q);
-
                         if (!skb_queue_empty(list)) {
                                 /*
-                                 * Last packet in queue is reference point (now).
-                                 * First packet in queue is already in flight,
-                                 * calculate this time bonus and substract
+                                 * Last packet in queue is reference point (now),
+                                 * calculate this time bonus and subtract
                                  * from delay.
                                  */
-                                delay -= now - netem_skb_cb(skb_peek(list))->time_to_send;
+                                delay -= netem_skb_cb(skb_peek_tail(list))->time_to_send - now;
+                                delay = max_t(psched_tdiff_t, 0, delay);
                                 now = netem_skb_cb(skb_peek_tail(list))->time_to_send;
                         }
+
+                        delay += packet_len_2_sched_time(skb->len, q);
                 }
 
                 cb->time_to_send = now + delay;
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 159b9bc5d633..d8420ae614dc 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -71,7 +71,7 @@ void sctp_auth_key_put(struct sctp_auth_bytes *key)
                 return;
 
         if (atomic_dec_and_test(&key->refcnt)) {
-                kfree(key);
+                kzfree(key);
                 SCTP_DBG_OBJCNT_DEC(keys);
         }
 }
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index 17a001bac2cc..1a9c5fb77310 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -249,6 +249,8 @@ void sctp_endpoint_free(struct sctp_endpoint *ep)
 /* Final destructor for endpoint.  */
 static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
 {
+        int i;
+
         SCTP_ASSERT(ep->base.dead, "Endpoint is not dead", return);
 
         /* Free up the HMAC transform. */
@@ -271,6 +273,9 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
         sctp_inq_free(&ep->base.inqueue);
         sctp_bind_addr_free(&ep->base.bind_addr);
 
+        for (i = 0; i < SCTP_HOW_MANY_SECRETS; ++i)
+                memset(&ep->secret_key[i], 0, SCTP_SECRET_SIZE);
+
         /* Remove and free the port */
         if (sctp_sk(ep->base.sk)->bind_hash)
                 sctp_put_port(ep->base.sk);
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9e65758cb038..cedd9bf67b8c 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3390,7 +3390,7 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
 
         ret = sctp_auth_set_key(sctp_sk(sk)->ep, asoc, authkey);
 out:
-        kfree(authkey);
+        kzfree(authkey);
         return ret;
 }
 
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 0a148c9d2a5c..0f679df7d072 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -465,7 +465,7 @@ static int svc_udp_get_dest_address4(struct svc_rqst *rqstp,
 }
 
 /*
- * See net/ipv6/datagram.c : datagram_recv_ctl
+ * See net/ipv6/datagram.c : ip6_datagram_recv_ctl
  */
 static int svc_udp_get_dest_address6(struct svc_rqst *rqstp,
                                      struct cmsghdr *cmh)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 01592d7d4789..45f1618c8e23 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1358,7 +1358,7 @@ ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info,
                                                   &iwe, IW_EV_UINT_LEN);
         }
 
-        buf = kmalloc(30, GFP_ATOMIC);
+        buf = kmalloc(31, GFP_ATOMIC);
         if (buf) {
                 memset(&iwe, 0, sizeof(iwe));
                 iwe.cmd = IWEVCUSTOM;