Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
 "I know this is a bit more than you want to see, and I've told the
  wireless folks under no uncertain terms that they must severely scale
  back the extent of the fixes they are submitting this late in the
  game.

  Anyways:

   1) vmxnet3's netpoll doesn't perform the equivalent of an ISR, which
      is the correct implementation, like it should.  Instead it does
      something like a NAPI poll operation.  This leads to crashes.

      From Neil Horman and Arnd Bergmann.

   2) Segmentation of SKBs requires proper socket orphaning of the
      fragments, otherwise we might access stale state released by the
      release callbacks.

      This is a 5 patch fix, but the initial patches are giving
      variables and such significantly clearer names such that the
      actual fix itself at the end looks trivial.

      From Michael S.  Tsirkin.

   3) TCP control block release can deadlock if invoked from a timer on
      an already "owned" socket.  Fix from Eric Dumazet.

   4) In the bridge multicast code, we must validate that the
      destination address of general queries is the link local all-nodes
      multicast address.  From Linus Lüssing.

   5) The x86 BPF JIT support for negative offsets puts the parameter
      for the helper function call in the wrong register.  Fix from
      Alexei Starovoitov.

   6) The descriptor type used for RTL_GIGA_MAC_VER_17 chips in the
      r8169 driver is incorrect.  Fix from Hayes Wang.

   7) The xen-netback driver tests skb_shinfo(skb)->gso_type bits to see
      if a packet is a GSO frame, but that's not the correct test.  It
      should use skb_is_gso(skb) instead.  Fix from Wei Liu.

   8) Negative msg->msg_namelen values should generate an error, from
      Matthew Leach.

   9) at86rf230 can deadlock because it takes the same lock from it's
      ISR and it's hard_start_xmit method, without disabling interrupts
      in the latter.  Fix from Alexander Aring.

  10) The FEC driver's restart doesn't perform operations in the correct
      order, so promiscuous settings can get lost.  Fix from Stefan
      Wahren.

  11) Fix SKB leak in SCTP cookie handling, from Daniel Borkmann.

  12) Reference count and memory leak fixes in TIPC from Ying Xue and
      Erik Hugne.

  13) Forced eviction in inet_frag_evictor() must strictly make sure all
      frags are deleted, otherwise module unload (f.e.  6lowpan) can
      crash.  Fix from Florian Westphal.

  14) Remove assumptions in AF_UNIX's use of csum_partial() (which it
      uses as a hash function), which breaks on PowerPC.  From Anton
      Blanchard.

      The main gist of the issue is that csum_partial() is defined only
      as a value that, once folded (f.e.  via csum_fold()) produces a
      correct 16-bit checksum.  It is legitimate, therefore, for
      csum_partial() to produce two different 32-bit values over the
      same data if their respective alignments are different.

  15) Fix endiannes bug in MAC address handling of ibmveth driver, also
      from Anton Blanchard.

  16) Error checks for ipv6 exthdrs offload registration are reversed,
      from Anton Nayshtut.

  17) Externally triggered ipv6 addrconf routes should count against the
      garbage collection threshold.  Fix from Sabrina Dubroca.

  18) The PCI shutdown handler added to the bnx2 driver can wedge the
      chip if it was not brought up earlier already, which in particular
      causes the firmware to shut down the PHY.  Fix from Michael Chan.

  19) Adjust the sanity WARN_ON_ONCE() in qdisc_list_add() because as
      currently coded it can and does trigger in legitimate situations.
      From Eric Dumazet.

  20) BNA driver fails to build on ARM because of a too large udelay()
      call, fix from Ben Hutchings.

  21) Fair-Queue qdisc holds locks during GFP_KERNEL allocations, fix
      from Eric Dumazet.

  22) The vlan passthrough ops added in the previous release causes a
      regression in source MAC address setting of outgoing headers in
      some circumstances.  Fix from Peter Boström"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (70 commits)
  ipv6: Avoid unnecessary temporary addresses being generated
  eth: fec: Fix lost promiscuous mode after reconnecting cable
  bonding: set correct vlan id for alb xmit path
  at86rf230: fix lockdep splats
  net/mlx4_en: Deregister multicast vxlan steering rules when going down
  vmxnet3: fix building without CONFIG_PCI_MSI
  MAINTAINERS: add networking selftests to NETWORKING
  net: socket: error on a negative msg_namelen
  MAINTAINERS: Add tools/net to NETWORKING [GENERAL]
  packet: doc: Spelling s/than/that/
  net/mlx4_core: Load the IB driver when the device supports IBoE
  net/mlx4_en: Handle vxlan steering rules for mac address changes
  net/mlx4_core: Fix wrong dump of the vxlan offloads device capability
  xen-netback: use skb_is_gso in xenvif_start_xmit
  r8169: fix the incorrect tx descriptor version
  tools/net/Makefile: Define PACKAGE to fix build problems
  x86: bpf_jit: support negative offsets
  bridge: multicast: enable snooping on general queries only
  bridge: multicast: add sanity check for general query destination
  tcp: tcp_release_cb() should release socket ownership
  ...

29 files changed, 207 insertions, 121 deletions

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index de51c48c4393..4b65aa492fb6 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -538,6 +538,9 @@ static int vlan_passthru_hard_header(struct sk_buff *skb, struct net_device *dev
         struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
         struct net_device *real_dev = vlan->real_dev;
 
+        if (saddr == NULL)
+                saddr = dev->dev_addr;
+
         return dev_hard_header(skb, real_dev, type, daddr, saddr, len);
 }
 
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index ef66365b7354..93067ecdb9a2 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1127,9 +1127,10 @@ static void br_multicast_query_received(struct net_bridge *br,
                                         struct net_bridge_port *port,
                                         struct bridge_mcast_querier *querier,
                                         int saddr,
+                                        bool is_general_query,
                                         unsigned long max_delay)
 {
-        if (saddr)
+        if (saddr && is_general_query)
                 br_multicast_update_querier_timer(br, querier, max_delay);
         else if (timer_pending(&querier->timer))
                 return;
@@ -1181,8 +1182,16 @@ static int br_ip4_multicast_query(struct net_bridge *br,
                             IGMPV3_MRC(ih3->code) * (HZ / IGMP_TIMER_SCALE) : 1;
         }
 
+        /* RFC2236+RFC3376 (IGMPv2+IGMPv3) require the multicast link layer
+         * all-systems destination addresses (224.0.0.1) for general queries
+         */
+        if (!group && iph->daddr != htonl(INADDR_ALLHOSTS_GROUP)) {
+                err = -EINVAL;
+                goto out;
+        }
+
         br_multicast_query_received(br, port, &br->ip4_querier, !!iph->saddr,
-                                    max_delay);
+                                    !group, max_delay);
 
         if (!group)
                 goto out;
@@ -1228,6 +1237,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
         unsigned long max_delay;
         unsigned long now = jiffies;
         const struct in6_addr *group = NULL;
+        bool is_general_query;
         int err = 0;
 
         spin_lock(&br->multicast_lock);
@@ -1235,6 +1245,12 @@ static int br_ip6_multicast_query(struct net_bridge *br,
             (port && port->state == BR_STATE_DISABLED))
                 goto out;
 
+        /* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */
+        if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
+                err = -EINVAL;
+                goto out;
+        }
+
         if (skb->len == sizeof(*mld)) {
                 if (!pskb_may_pull(skb, sizeof(*mld))) {
                         err = -EINVAL;
@@ -1256,8 +1272,19 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                 max_delay = max(msecs_to_jiffies(mldv2_mrc(mld2q)), 1UL);
         }
 
+        is_general_query = group && ipv6_addr_any(group);
+
+        /* RFC2710+RFC3810 (MLDv1+MLDv2) require the multicast link layer
+         * all-nodes destination address (ff02::1) for general queries
+         */
+        if (is_general_query && !ipv6_addr_is_ll_all_nodes(&ip6h->daddr)) {
+                err = -EINVAL;
+                goto out;
+        }
+
         br_multicast_query_received(br, port, &br->ip6_querier,
-                                    !ipv6_addr_any(&ip6h->saddr), max_delay);
+                                    !ipv6_addr_any(&ip6h->saddr),
+                                    is_general_query, max_delay);
 
         if (!group)
                 goto out;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 5d6236d9fdce..869c7afe3b07 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2838,81 +2838,84 @@ EXPORT_SYMBOL_GPL(skb_pull_rcsum);
 
 /**
  *      skb_segment - Perform protocol segmentation on skb.
- *      @skb: buffer to segment
+ *      @head_skb: buffer to segment
  *      @features: features for the output path (see dev->features)
  *
  *      This function performs segmentation on the given skb.  It returns
  *      a pointer to the first in a list of new skbs for the segments.
  *      In case of error it returns ERR_PTR(err).
  */
-struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
+struct sk_buff *skb_segment(struct sk_buff *head_skb,
+                            netdev_features_t features)
 {
         struct sk_buff *segs = NULL;
         struct sk_buff *tail = NULL;
-        struct sk_buff *fskb = skb_shinfo(skb)->frag_list;
-        skb_frag_t *skb_frag = skb_shinfo(skb)->frags;
-        unsigned int mss = skb_shinfo(skb)->gso_size;
-        unsigned int doffset = skb->data - skb_mac_header(skb);
+        struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list;
+        skb_frag_t *frag = skb_shinfo(head_skb)->frags;
+        unsigned int mss = skb_shinfo(head_skb)->gso_size;
+        unsigned int doffset = head_skb->data - skb_mac_header(head_skb);
+        struct sk_buff *frag_skb = head_skb;
         unsigned int offset = doffset;
-        unsigned int tnl_hlen = skb_tnl_header_len(skb);
+        unsigned int tnl_hlen = skb_tnl_header_len(head_skb);
         unsigned int headroom;
         unsigned int len;
         __be16 proto;
         bool csum;
         int sg = !!(features & NETIF_F_SG);
-        int nfrags = skb_shinfo(skb)->nr_frags;
+        int nfrags = skb_shinfo(head_skb)->nr_frags;
         int err = -ENOMEM;
         int i = 0;
         int pos;
 
-        proto = skb_network_protocol(skb);
+        proto = skb_network_protocol(head_skb);
         if (unlikely(!proto))
                 return ERR_PTR(-EINVAL);
 
         csum = !!can_checksum_protocol(features, proto);
-        __skb_push(skb, doffset);
-        headroom = skb_headroom(skb);
-        pos = skb_headlen(skb);
+        __skb_push(head_skb, doffset);
+        headroom = skb_headroom(head_skb);
+        pos = skb_headlen(head_skb);
 
         do {
                 struct sk_buff *nskb;
-                skb_frag_t *frag;
+                skb_frag_t *nskb_frag;
                 int hsize;
                 int size;
 
-                len = skb->len - offset;
+                len = head_skb->len - offset;
                 if (len > mss)
                         len = mss;
 
-                hsize = skb_headlen(skb) - offset;
+                hsize = skb_headlen(head_skb) - offset;
                 if (hsize < 0)
                         hsize = 0;
                 if (hsize > len || !sg)
                         hsize = len;
 
-                if (!hsize && i >= nfrags && skb_headlen(fskb) &&
-                    (skb_headlen(fskb) == len || sg)) {
-                        BUG_ON(skb_headlen(fskb) > len);
+                if (!hsize && i >= nfrags && skb_headlen(list_skb) &&
+                    (skb_headlen(list_skb) == len || sg)) {
+                        BUG_ON(skb_headlen(list_skb) > len);
 
                         i = 0;
-                        nfrags = skb_shinfo(fskb)->nr_frags;
-                        skb_frag = skb_shinfo(fskb)->frags;
-                        pos += skb_headlen(fskb);
+                        nfrags = skb_shinfo(list_skb)->nr_frags;
+                        frag = skb_shinfo(list_skb)->frags;
+                        frag_skb = list_skb;
+                        pos += skb_headlen(list_skb);
 
                         while (pos < offset + len) {
                                 BUG_ON(i >= nfrags);
 
-                                size = skb_frag_size(skb_frag);
+                                size = skb_frag_size(frag);
                                 if (pos + size > offset + len)
                                         break;
 
                                 i++;
                                 pos += size;
-                                skb_frag++;
+                                frag++;
                         }
 
-                        nskb = skb_clone(fskb, GFP_ATOMIC);
-                        fskb = fskb->next;
+                        nskb = skb_clone(list_skb, GFP_ATOMIC);
+                        list_skb = list_skb->next;
 
                         if (unlikely(!nskb))
                                 goto err;
@@ -2933,7 +2936,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
                         __skb_push(nskb, doffset);
                 } else {
                         nskb = __alloc_skb(hsize + doffset + headroom,
-                                           GFP_ATOMIC, skb_alloc_rx_flag(skb),
+                                           GFP_ATOMIC, skb_alloc_rx_flag(head_skb),
                                            NUMA_NO_NODE);
 
                         if (unlikely(!nskb))
@@ -2949,12 +2952,12 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
                         segs = nskb;
                 tail = nskb;
 
-                __copy_skb_header(nskb, skb);
-                nskb->mac_len = skb->mac_len;
+                __copy_skb_header(nskb, head_skb);
+                nskb->mac_len = head_skb->mac_len;
 
                 skb_headers_offset_update(nskb, skb_headroom(nskb) - headroom);
 
-                skb_copy_from_linear_data_offset(skb, -tnl_hlen,
+                skb_copy_from_linear_data_offset(head_skb, -tnl_hlen,
                                                  nskb->data - tnl_hlen,
                                                  doffset + tnl_hlen);
 
@@ -2963,30 +2966,32 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
 
                 if (!sg) {
                         nskb->ip_summed = CHECKSUM_NONE;
-                        nskb->csum = skb_copy_and_csum_bits(skb, offset,
+                        nskb->csum = skb_copy_and_csum_bits(head_skb, offset,
                                                             skb_put(nskb, len),
                                                             len, 0);
                         continue;
                 }
 
-                frag = skb_shinfo(nskb)->frags;
+                nskb_frag = skb_shinfo(nskb)->frags;
 
-                skb_copy_from_linear_data_offset(skb, offset,
+                skb_copy_from_linear_data_offset(head_skb, offset,
                                                  skb_put(nskb, hsize), hsize);
 
-                skb_shinfo(nskb)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
+                skb_shinfo(nskb)->tx_flags = skb_shinfo(head_skb)->tx_flags &
+                        SKBTX_SHARED_FRAG;
 
                 while (pos < offset + len) {
                         if (i >= nfrags) {
-                                BUG_ON(skb_headlen(fskb));
+                                BUG_ON(skb_headlen(list_skb));
 
                                 i = 0;
-                                nfrags = skb_shinfo(fskb)->nr_frags;
-                                skb_frag = skb_shinfo(fskb)->frags;
+                                nfrags = skb_shinfo(list_skb)->nr_frags;
+                                frag = skb_shinfo(list_skb)->frags;
+                                frag_skb = list_skb;
 
                                 BUG_ON(!nfrags);
 
-                                fskb = fskb->next;
+                                list_skb = list_skb->next;
                         }
 
                         if (unlikely(skb_shinfo(nskb)->nr_frags >=
@@ -2997,27 +3002,30 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features)
                                 goto err;
                         }
 
-                        *frag = *skb_frag;
-                        __skb_frag_ref(frag);
-                        size = skb_frag_size(frag);
+                        if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
+                                goto err;
+
+                        *nskb_frag = *frag;
+                        __skb_frag_ref(nskb_frag);
+                        size = skb_frag_size(nskb_frag);
 
                         if (pos < offset) {
-                                frag->page_offset += offset - pos;
-                                skb_frag_size_sub(frag, offset - pos);
+                                nskb_frag->page_offset += offset - pos;
+                                skb_frag_size_sub(nskb_frag, offset - pos);
                         }
 
                         skb_shinfo(nskb)->nr_frags++;
 
                         if (pos + size <= offset + len) {
                                 i++;
-                                skb_frag++;
+                                frag++;
                                 pos += size;
                         } else {
-                                skb_frag_size_sub(frag, pos + size - (offset + len));
+                                skb_frag_size_sub(nskb_frag, pos + size - (offset + len));
                                 goto skip_fraglist;
                         }
 
-                        frag++;
+                        nskb_frag++;
                 }
 
 skip_fraglist:
@@ -3031,7 +3039,7 @@ perform_csum_check:
                                                   nskb->len - doffset, 0);
                         nskb->ip_summed = CHECKSUM_NONE;
                 }
-        } while ((offset += len) < skb->len);
+        } while ((offset += len) < head_skb->len);
 
         return segs;
 
diff --git a/net/core/sock.c b/net/core/sock.c
index 5b6a9431b017..c0fc6bdad1e3 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2357,10 +2357,13 @@ void release_sock(struct sock *sk)
         if (sk->sk_backlog.tail)
                 __release_sock(sk);
 
+        /* Warning : release_cb() might need to release sk ownership,
+         * ie call sock_release_ownership(sk) before us.
+         */
         if (sk->sk_prot->release_cb)
                 sk->sk_prot->release_cb(sk);
 
-        sk->sk_lock.owned = 0;
+        sock_release_ownership(sk);
         if (waitqueue_active(&sk->sk_lock.wq))
                 wake_up(&sk->sk_lock.wq);
         spin_unlock_bh(&sk->sk_lock.slock);
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index bb075fc9a14f..3b01959bf4bb 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -208,7 +208,7 @@ int inet_frag_evictor(struct netns_frags *nf, struct inet_frags *f, bool force)
         }
 
         work = frag_mem_limit(nf) - nf->low_thresh;
-        while (work > 0) {
+        while (work > 0 || force) {
                 spin_lock(&nf->lru_lock);
 
                 if (list_empty(&nf->lru_list)) {
@@ -278,9 +278,10 @@ static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf,
 
         atomic_inc(&qp->refcnt);
         hlist_add_head(&qp->list, &hb->chain);
+        inet_frag_lru_add(nf, qp);
         spin_unlock(&hb->chain_lock);
         read_unlock(&f->lock);
-        inet_frag_lru_add(nf, qp);
+
         return qp;
 }
 
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index f0eb4e337ec8..17a11e65e57f 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -767,6 +767,17 @@ void tcp_release_cb(struct sock *sk)
         if (flags & (1UL << TCP_TSQ_DEFERRED))
                 tcp_tsq_handler(sk);
 
+        /* Here begins the tricky part :
+         * We are called from release_sock() with :
+         * 1) BH disabled
+         * 2) sk_lock.slock spinlock held
+         * 3) socket owned by us (sk->sk_lock.owned == 1)
+         *
+         * But following code is meant to be called from BH handlers,
+         * so we should keep BH disabled, but early release socket ownership
+         */
+        sock_release_ownership(sk);
+
         if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED)) {
                 tcp_write_timer_handler(sk);
                 __sock_put(sk);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index fdbfeca36d63..344e972426df 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1103,8 +1103,11 @@ retry:
          * Lifetime is greater than REGEN_ADVANCE time units.  In particular,
          * an implementation must not create a temporary address with a zero
          * Preferred Lifetime.
+         * Use age calculation as in addrconf_verify to avoid unnecessary
+         * temporary addresses being generated.
          */
-        if (tmp_prefered_lft <= regen_advance) {
+        age = (now - tmp_tstamp + ADDRCONF_TIMER_FUZZ_MINUS) / HZ;
+        if (tmp_prefered_lft <= regen_advance + age) {
                 in6_ifa_put(ifp);
                 in6_dev_put(idev);
                 ret = -1;
diff --git a/net/ipv6/exthdrs_offload.c b/net/ipv6/exthdrs_offload.c
index cf77f3abfd06..447a7fbd1bb6 100644
--- a/net/ipv6/exthdrs_offload.c
+++ b/net/ipv6/exthdrs_offload.c
@@ -25,11 +25,11 @@ int __init ipv6_exthdrs_offload_init(void)
         int ret;
 
         ret = inet6_add_offload(&rthdr_offload, IPPROTO_ROUTING);
-        if (!ret)
+        if (ret)
                 goto out;
 
         ret = inet6_add_offload(&dstopt_offload, IPPROTO_DSTOPTS);
-        if (!ret)
+        if (ret)
                 goto out_rt;
 
 out:
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 11dac21e6586..fba54a407bb2 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg)
         if (!table)
                 goto out;
 
-        rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table);
+        rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table);
 
         if (!rt) {
                 err = -ENOMEM;
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 735d0f60c83a..85d9d94c0a3c 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -112,7 +112,6 @@ struct l2tp_net {
         spinlock_t l2tp_session_hlist_lock;
 };
 
-static void l2tp_session_set_header_len(struct l2tp_session *session, int version);
 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
 
 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
@@ -1863,7 +1862,7 @@ EXPORT_SYMBOL_GPL(l2tp_session_delete);
 /* We come here whenever a session's send_seq, cookie_len or
  * l2specific_len parameters are set.
  */
-static void l2tp_session_set_header_len(struct l2tp_session *session, int version)
+void l2tp_session_set_header_len(struct l2tp_session *session, int version)
 {
         if (version == L2TP_HDR_VER_2) {
                 session->hdr_len = 6;
@@ -1876,6 +1875,7 @@ static void l2tp_session_set_header_len(struct l2tp_session *session, int versio
         }
 
 }
+EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
 
 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
 {
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 1f01ba3435bc..3f93ccd6ba97 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -263,6 +263,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                       int length, int (*payload_hook)(struct sk_buff *skb));
 int l2tp_session_queue_purge(struct l2tp_session *session);
 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb);
+void l2tp_session_set_header_len(struct l2tp_session *session, int version);
 
 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb,
                   int hdr_len);
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 4cfd722e9153..bd7387adea9e 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -578,8 +578,10 @@ static int l2tp_nl_cmd_session_modify(struct sk_buff *skb, struct genl_info *inf
         if (info->attrs[L2TP_ATTR_RECV_SEQ])
                 session->recv_seq = nla_get_u8(info->attrs[L2TP_ATTR_RECV_SEQ]);
 
-        if (info->attrs[L2TP_ATTR_SEND_SEQ])
+        if (info->attrs[L2TP_ATTR_SEND_SEQ]) {
                 session->send_seq = nla_get_u8(info->attrs[L2TP_ATTR_SEND_SEQ]);
+                l2tp_session_set_header_len(session, session->tunnel->version);
+        }
 
         if (info->attrs[L2TP_ATTR_LNS_MODE])
                 session->lns_mode = nla_get_u8(info->attrs[L2TP_ATTR_LNS_MODE]);
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index be5fadf34739..5990919356a5 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -254,12 +254,14 @@ static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *skb, int
                 po = pppox_sk(sk);
                 ppp_input(&po->chan, skb);
         } else {
-                l2tp_info(session, PPPOL2TP_MSG_DATA, "%s: socket not bound\n",
-                          session->name);
+                l2tp_dbg(session, PPPOL2TP_MSG_DATA,
+                         "%s: recv %d byte data frame, passing to L2TP socket\n",
+                         session->name, data_len);
 
-                /* Not bound. Nothing we can do, so discard. */
-                atomic_long_inc(&session->stats.rx_errors);
-                kfree_skb(skb);
+                if (sock_queue_rcv_skb(sk, skb) < 0) {
+                        atomic_long_inc(&session->stats.rx_errors);
+                        kfree_skb(skb);
+                }
         }
 
         return;
@@ -1312,6 +1314,7 @@ static int pppol2tp_session_setsockopt(struct sock *sk,
                         po->chan.hdrlen = val ? PPPOL2TP_L2TP_HDR_SIZE_SEQ :
                                 PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
                 }
+                l2tp_session_set_header_len(session, session->tunnel->version);
                 l2tp_info(session, PPPOL2TP_MSG_CONTROL,
                           "%s: set send_seq=%d\n",
                           session->name, session->send_seq);
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index f43613a97dd6..0c1ecfdf9a12 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -100,6 +100,12 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local,
                 }
                 max_bw = max(max_bw, width);
         }
+
+        /* use the configured bandwidth in case of monitor interface */
+        sdata = rcu_dereference(local->monitor_sdata);
+        if (sdata && rcu_access_pointer(sdata->vif.chanctx_conf) == conf)
+                max_bw = max(max_bw, conf->def.width);
+
         rcu_read_unlock();
 
         return max_bw;
diff --git a/net/mac80211/mesh_ps.c b/net/mac80211/mesh_ps.c
index 2802f9d9279d..ad8b377b4b9f 100644
--- a/net/mac80211/mesh_ps.c
+++ b/net/mac80211/mesh_ps.c
@@ -36,6 +36,7 @@ static struct sk_buff *mps_qos_null_get(struct sta_info *sta)
                                       sdata->vif.addr);
         nullfunc->frame_control = fc;
         nullfunc->duration_id = 0;
+        nullfunc->seq_ctrl = 0;
         /* no address resolution for this frame -> set addr 1 immediately */
         memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
         memset(skb_put(skb, 2), 0, 2); /* append QoS control field */
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index a023b432143b..137a192e64bc 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1206,6 +1206,7 @@ static void ieee80211_send_null_response(struct ieee80211_sub_if_data *sdata,
         memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
         memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
         memcpy(nullfunc->addr3, sdata->vif.addr, ETH_ALEN);
+        nullfunc->seq_ctrl = 0;
 
         skb->priority = tid;
         skb_set_queue_mapping(skb, ieee802_1d_to_ac[tid]);
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 1313145e3b86..a07d55e75698 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -273,11 +273,12 @@ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
 
 void qdisc_list_add(struct Qdisc *q)
 {
-        struct Qdisc *root = qdisc_dev(q)->qdisc;
+        if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) {
+                struct Qdisc *root = qdisc_dev(q)->qdisc;
 
-        WARN_ON_ONCE(root == &noop_qdisc);
-        if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS))
+                WARN_ON_ONCE(root == &noop_qdisc);
                 list_add_tail(&q->list, &root->list);
+        }
 }
 EXPORT_SYMBOL(qdisc_list_add);
 
diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
index 08ef7a42c0e4..21e251766eb1 100644
--- a/net/sched/sch_fq.c
+++ b/net/sched/sch_fq.c
@@ -601,6 +601,7 @@ static int fq_resize(struct Qdisc *sch, u32 log)
 {
         struct fq_sched_data *q = qdisc_priv(sch);
         struct rb_root *array;
+        void *old_fq_root;
         u32 idx;
 
         if (q->fq_root && log == q->fq_trees_log)
@@ -615,13 +616,19 @@ static int fq_resize(struct Qdisc *sch, u32 log)
         for (idx = 0; idx < (1U << log); idx++)
                 array[idx] = RB_ROOT;
 
-        if (q->fq_root) {
-                fq_rehash(q, q->fq_root, q->fq_trees_log, array, log);
-                fq_free(q->fq_root);
-        }
+        sch_tree_lock(sch);
+
+        old_fq_root = q->fq_root;
+        if (old_fq_root)
+                fq_rehash(q, old_fq_root, q->fq_trees_log, array, log);
+
         q->fq_root = array;
         q->fq_trees_log = log;
 
+        sch_tree_unlock(sch);
+
+        fq_free(old_fq_root);
+
         return 0;
 }
 
@@ -697,9 +704,11 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt)
                 q->flow_refill_delay = usecs_to_jiffies(usecs_delay);
         }
 
-        if (!err)
+        if (!err) {
+                sch_tree_unlock(sch);
                 err = fq_resize(sch, fq_log);
-
+                sch_tree_lock(sch);
+        }
         while (sch->q.qlen > sch->limit) {
                 struct sk_buff *skb = fq_dequeue(sch);
 
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 632090b961c3..3a1767ef3201 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1421,8 +1421,8 @@ static void sctp_chunk_destroy(struct sctp_chunk *chunk)
         BUG_ON(!list_empty(&chunk->list));
         list_del_init(&chunk->transmitted_list);
 
-        /* Free the chunk skb data and the SCTP_chunk stub itself. */
-        dev_kfree_skb(chunk->skb);
+        consume_skb(chunk->skb);
+        consume_skb(chunk->auth_chunk);
 
         SCTP_DBG_OBJCNT_DEC(chunk);
         kmem_cache_free(sctp_chunk_cachep, chunk);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index ae65b6b5973a..01e002430c85 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -760,7 +760,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
 
                 /* Make sure that we and the peer are AUTH capable */
                 if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
-                        kfree_skb(chunk->auth_chunk);
                         sctp_association_free(new_asoc);
                         return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
                 }
@@ -775,10 +774,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
                 auth.transport = chunk->transport;
 
                 ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
-
-                /* We can now safely free the auth_chunk clone */
-                kfree_skb(chunk->auth_chunk);
-
                 if (ret != SCTP_IERROR_NO_ERROR) {
                         sctp_association_free(new_asoc);
                         return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
diff --git a/net/socket.c b/net/socket.c
index fd8d86e06f95..a19ae1968d37 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1986,6 +1986,10 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
 {
         if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
                 return -EFAULT;
+
+        if (kmsg->msg_namelen < 0)
+                return -EINVAL;
+
         if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
                 kmsg->msg_namelen = sizeof(struct sockaddr_storage);
         return 0;
diff --git a/net/tipc/config.c b/net/tipc/config.c
index e74eef2e7490..e6d721692ae0 100644
--- a/net/tipc/config.c
+++ b/net/tipc/config.c
@@ -376,7 +376,6 @@ static void cfg_conn_msg_event(int conid, struct sockaddr_tipc *addr,
         struct tipc_cfg_msg_hdr *req_hdr;
         struct tipc_cfg_msg_hdr *rep_hdr;
         struct sk_buff *rep_buf;
-        int ret;
 
         /* Validate configuration message header (ignore invalid message) */
         req_hdr = (struct tipc_cfg_msg_hdr *)buf;
@@ -398,12 +397,8 @@ static void cfg_conn_msg_event(int conid, struct sockaddr_tipc *addr,
                 memcpy(rep_hdr, req_hdr, sizeof(*rep_hdr));
                 rep_hdr->tcm_len = htonl(rep_buf->len);
                 rep_hdr->tcm_flags &= htons(~TCM_F_REQUEST);
-
-                ret = tipc_conn_sendmsg(&cfgsrv, conid, addr, rep_buf->data,
-                                        rep_buf->len);
-                if (ret < 0)
-                        pr_err("Sending cfg reply message failed, no memory\n");
-
+                tipc_conn_sendmsg(&cfgsrv, conid, addr, rep_buf->data,
+                                  rep_buf->len);
                 kfree_skb(rep_buf);
         }
 }
diff --git a/net/tipc/handler.c b/net/tipc/handler.c
index e4bc8a296744..1fabf160501f 100644
--- a/net/tipc/handler.c
+++ b/net/tipc/handler.c
@@ -58,7 +58,6 @@ unsigned int tipc_k_signal(Handler routine, unsigned long argument)
 
         spin_lock_bh(&qitem_lock);
         if (!handler_enabled) {
-                pr_err("Signal request ignored by handler\n");
                 spin_unlock_bh(&qitem_lock);
                 return -ENOPROTOOPT;
         }
diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c
index 48302be175ce..042e8e3cabc0 100644
--- a/net/tipc/name_table.c
+++ b/net/tipc/name_table.c
@@ -941,17 +941,48 @@ int tipc_nametbl_init(void)
         return 0;
 }
 
+/**
+ * tipc_purge_publications - remove all publications for a given type
+ *
+ * tipc_nametbl_lock must be held when calling this function
+ */
+static void tipc_purge_publications(struct name_seq *seq)
+{
+        struct publication *publ, *safe;
+        struct sub_seq *sseq;
+        struct name_info *info;
+
+        if (!seq->sseqs) {
+                nameseq_delete_empty(seq);
+                return;
+        }
+        sseq = seq->sseqs;
+        info = sseq->info;
+        list_for_each_entry_safe(publ, safe, &info->zone_list, zone_list) {
+                tipc_nametbl_remove_publ(publ->type, publ->lower, publ->node,
+                                         publ->ref, publ->key);
+        }
+}
+
 void tipc_nametbl_stop(void)
 {
         u32 i;
+        struct name_seq *seq;
+        struct hlist_head *seq_head;
+        struct hlist_node *safe;
 
-        /* Verify name table is empty, then release it */
+        /* Verify name table is empty and purge any lingering
+         * publications, then release the name table
+         */
         write_lock_bh(&tipc_nametbl_lock);
         for (i = 0; i < TIPC_NAMETBL_SIZE; i++) {
                 if (hlist_empty(&table.types[i]))
                         continue;
-                pr_err("nametbl_stop(): orphaned hash chain detected\n");
-                break;
+                seq_head = &table.types[i];
+                hlist_for_each_entry_safe(seq, safe, seq_head, ns_list) {
+                        tipc_purge_publications(seq);
+                }
+                continue;
         }
         kfree(table.types);
         table.types = NULL;
diff --git a/net/tipc/server.c b/net/tipc/server.c
index 373979789a73..646a930eefbf 100644
--- a/net/tipc/server.c
+++ b/net/tipc/server.c
@@ -87,7 +87,6 @@ static void tipc_clean_outqueues(struct tipc_conn *con);
 static void tipc_conn_kref_release(struct kref *kref)
 {
         struct tipc_conn *con = container_of(kref, struct tipc_conn, kref);
-        struct tipc_server *s = con->server;
 
         if (con->sock) {
                 tipc_sock_release_local(con->sock);
@@ -95,10 +94,6 @@ static void tipc_conn_kref_release(struct kref *kref)
         }
 
         tipc_clean_outqueues(con);
-
-        if (con->conid)
-                s->tipc_conn_shutdown(con->conid, con->usr_data);
-
         kfree(con);
 }
 
@@ -181,6 +176,9 @@ static void tipc_close_conn(struct tipc_conn *con)
         struct tipc_server *s = con->server;
 
         if (test_and_clear_bit(CF_CONNECTED, &con->flags)) {
+                if (con->conid)
+                        s->tipc_conn_shutdown(con->conid, con->usr_data);
+
                 spin_lock_bh(&s->idr_lock);
                 idr_remove(&s->conn_idr, con->conid);
                 s->idr_in_use--;
@@ -429,10 +427,12 @@ int tipc_conn_sendmsg(struct tipc_server *s, int conid,
         list_add_tail(&e->list, &con->outqueue);
         spin_unlock_bh(&con->outqueue_lock);
 
-        if (test_bit(CF_CONNECTED, &con->flags))
+        if (test_bit(CF_CONNECTED, &con->flags)) {
                 if (!queue_work(s->send_wq, &con->swork))
                         conn_put(con);
-
+        } else {
+                conn_put(con);
+        }
         return 0;
 }
 
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index a4cf274455aa..0ed0eaa62f29 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -997,7 +997,7 @@ static int tipc_wait_for_rcvmsg(struct socket *sock, long timeo)
 
         for (;;) {
                 prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
-                if (skb_queue_empty(&sk->sk_receive_queue)) {
+                if (timeo && skb_queue_empty(&sk->sk_receive_queue)) {
                         if (sock->state == SS_DISCONNECTING) {
                                 err = -ENOTCONN;
                                 break;
@@ -1623,7 +1623,7 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo)
         for (;;) {
                 prepare_to_wait_exclusive(sk_sleep(sk), &wait,
                                           TASK_INTERRUPTIBLE);
-                if (skb_queue_empty(&sk->sk_receive_queue)) {
+                if (timeo && skb_queue_empty(&sk->sk_receive_queue)) {
                         release_sock(sk);
                         timeo = schedule_timeout(timeo);
                         lock_sock(sk);
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index 7cb0bd5b1176..11c9ae00837d 100644
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -96,20 +96,16 @@ static void subscr_send_event(struct tipc_subscription *sub, u32 found_lower,
 {
         struct tipc_subscriber *subscriber = sub->subscriber;
         struct kvec msg_sect;
-        int ret;
 
         msg_sect.iov_base = (void *)&sub->evt;
         msg_sect.iov_len = sizeof(struct tipc_event);
-
         sub->evt.event = htohl(event, sub->swap);
         sub->evt.found_lower = htohl(found_lower, sub->swap);
         sub->evt.found_upper = htohl(found_upper, sub->swap);
         sub->evt.port.ref = htohl(port_ref, sub->swap);
         sub->evt.port.node = htohl(node, sub->swap);
-        ret = tipc_conn_sendmsg(&topsrv, subscriber->conid, NULL,
-                                msg_sect.iov_base, msg_sect.iov_len);
-        if (ret < 0)
-                pr_err("Sending subscription event failed, no memory\n");
+        tipc_conn_sendmsg(&topsrv, subscriber->conid, NULL, msg_sect.iov_base,
+                          msg_sect.iov_len);
 }
 
 /**
@@ -153,14 +149,6 @@ static void subscr_timeout(struct tipc_subscription *sub)
         /* The spin lock per subscriber is used to protect its members */
         spin_lock_bh(&subscriber->lock);
 
-        /* Validate if the connection related to the subscriber is
-         * closed (in case subscriber is terminating)
-         */
-        if (subscriber->conid == 0) {
-                spin_unlock_bh(&subscriber->lock);
-                return;
-        }
-
         /* Validate timeout (in case subscription is being cancelled) */
         if (sub->timeout == TIPC_WAIT_FOREVER) {
                 spin_unlock_bh(&subscriber->lock);
@@ -215,9 +203,6 @@ static void subscr_release(struct tipc_subscriber *subscriber)
 
         spin_lock_bh(&subscriber->lock);
 
-        /* Invalidate subscriber reference */
-        subscriber->conid = 0;
-
         /* Destroy any existing subscriptions for subscriber */
         list_for_each_entry_safe(sub, sub_temp, &subscriber->subscription_list,
                                  subscription_list) {
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 29fc8bee9702..ce6ec6c2f4de 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -163,9 +163,8 @@ static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 
 static inline unsigned int unix_hash_fold(__wsum n)
 {
-        unsigned int hash = (__force unsigned int)n;
+        unsigned int hash = (__force unsigned int)csum_fold(n);
 
-        hash ^= hash>>16;
         hash ^= hash>>8;
         return hash&(UNIX_HASH_SIZE-1);
 }
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 010892b81a06..a3bf18d11609 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -788,8 +788,6 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev,
         default:
                 break;
         }
-
-        wdev->beacon_interval = 0;
 }
 
 static int cfg80211_netdev_notifier_call(struct notifier_block *nb,