Merge branch 'linus'

30 files changed, 181 insertions, 152 deletions

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 29a8fa4d3728..f8c25d500155 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -585,6 +585,12 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_
                 goto done;
         }
 
+        if (la->l2_psm > 0 && btohs(la->l2_psm) < 0x1001 &&
+                                !capable(CAP_NET_BIND_SERVICE)) {
+                err = -EACCES;
+                goto done;
+        }
+                
         write_lock_bh(&l2cap_sk_list.lock);
 
         if (la->l2_psm && __l2cap_get_sock_by_addr(la->l2_psm, &la->l2_bdaddr)) {
@@ -2150,8 +2156,8 @@ static ssize_t l2cap_sysfs_show(struct class *dev, char *buf)
 
                 str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d 0x%x\n",
                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
-                                sk->sk_state, pi->psm, pi->scid, pi->dcid, pi->imtu,
-                                pi->omtu, pi->link_mode);
+                                sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
+                                pi->imtu, pi->omtu, pi->link_mode);
         }
 
         read_unlock_bh(&l2cap_sk_list.lock);
diff --git a/net/core/flow.c b/net/core/flow.c
index d137f971f97d..5d25697920b1 100644
--- a/net/core/flow.c
+++ b/net/core/flow.c
@@ -231,22 +231,16 @@ nocache:
 
                 err = resolver(key, family, dir, &obj, &obj_ref);
 
-                if (fle) {
-                        if (err) {
-                                /* Force security policy check on next lookup */
-                                *head = fle->next;
-                                flow_entry_kill(cpu, fle);
-                        } else {
-                                fle->genid = atomic_read(&flow_cache_genid);
-
-                                if (fle->object)
-                                        atomic_dec(fle->object_ref);
-
-                                fle->object = obj;
-                                fle->object_ref = obj_ref;
-                                if (obj)
-                                        atomic_inc(fle->object_ref);
-                        }
+                if (fle && !err) {
+                        fle->genid = atomic_read(&flow_cache_genid);
+
+                        if (fle->object)
+                                atomic_dec(fle->object_ref);
+
+                        fle->object = obj;
+                        fle->object_ref = obj_ref;
+                        if (obj)
+                                atomic_inc(fle->object_ref);
                 }
                 local_bh_enable();
 
diff --git a/net/dccp/output.c b/net/dccp/output.c
index 824569659083..3435542e9652 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -124,7 +124,7 @@ static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
                 DCCP_INC_STATS(DCCP_MIB_OUTSEGS);
 
                 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
-                err = icsk->icsk_af_ops->queue_xmit(skb, sk, 0);
+                err = icsk->icsk_af_ops->queue_xmit(skb, 0);
                 return net_xmit_eval(err);
         }
         return -ENOBUFS;
@@ -396,7 +396,7 @@ int dccp_send_reset(struct sock *sk, enum dccp_reset_codes code)
                                                       code);
                 if (skb != NULL) {
                         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
-                        err = inet_csk(sk)->icsk_af_ops->queue_xmit(skb, sk, 0);
+                        err = inet_csk(sk)->icsk_af_ops->queue_xmit(skb, 0);
                         return net_xmit_eval(err);
                 }
         }
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
index fc6f3c023a54..ed083ab455b7 100644
--- a/net/decnet/dn_dev.c
+++ b/net/decnet/dn_dev.c
@@ -1145,16 +1145,23 @@ struct dn_dev *dn_dev_create(struct net_device *dev, int *err)
         init_timer(&dn_db->timer);
 
         dn_db->uptime = jiffies;
+
+        dn_db->neigh_parms = neigh_parms_alloc(dev, &dn_neigh_table);
+        if (!dn_db->neigh_parms) {
+                dev->dn_ptr = NULL;
+                kfree(dn_db);
+                return NULL;
+        }
+
         if (dn_db->parms.up) {
                 if (dn_db->parms.up(dev) < 0) {
+                        neigh_parms_release(&dn_neigh_table, dn_db->neigh_parms);
                         dev->dn_ptr = NULL;
                         kfree(dn_db);
                         return NULL;
                 }
         }
 
-        dn_db->neigh_parms = neigh_parms_alloc(dev, &dn_neigh_table);
-
         dn_dev_sysctl_register(dev, &dn_db->parms);
 
         dn_dev_set_timer(dev);
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index cfb249cc0a58..1e589b91605e 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1989,6 +1989,10 @@ static struct node *fib_trie_get_next(struct fib_trie_iter *iter)
         unsigned cindex = iter->index;
         struct tnode *p;
 
+        /* A single entry routing table */
+        if (!tn)
+                return NULL;
+
         pr_debug("get_next iter={node=%p index=%d depth=%d}\n",
                  iter->tnode, iter->index, iter->depth);
 rescan:
@@ -2037,11 +2041,18 @@ static struct node *fib_trie_get_first(struct fib_trie_iter *iter,
         if(!iter)
                 return NULL;
 
-        if (n && IS_TNODE(n)) {
-                iter->tnode = (struct tnode *) n;
-                iter->trie = t;
-                iter->index = 0;
-                iter->depth = 1;
+        if (n) {
+                if (IS_TNODE(n)) {
+                        iter->tnode = (struct tnode *) n;
+                        iter->trie = t;
+                        iter->index = 0;
+                        iter->depth = 1;
+                } else {
+                        iter->tnode = NULL;
+                        iter->trie  = t;
+                        iter->index = 0;
+                        iter->depth = 0;
+                }
                 return n;
         }
         return NULL;
@@ -2279,16 +2290,17 @@ static int fib_trie_seq_show(struct seq_file *seq, void *v)
         if (v == SEQ_START_TOKEN)
                 return 0;
 
+        if (!NODE_PARENT(n)) {
+                if (iter->trie == trie_local)
+                        seq_puts(seq, "<local>:\n");
+                else
+                        seq_puts(seq, "<main>:\n");
+        }
+
         if (IS_TNODE(n)) {
                 struct tnode *tn = (struct tnode *) n;
                 __be32 prf = htonl(MASK_PFX(tn->key, tn->pos));
 
-                if (!NODE_PARENT(n)) {
-                        if (iter->trie == trie_local)
-                                seq_puts(seq, "<local>:\n");
-                        else
-                                seq_puts(seq, "<main>:\n");
-                } 
                 seq_indent(seq, iter->depth-1);
                 seq_printf(seq, "  +-- %d.%d.%d.%d/%d %d %d %d\n",
                            NIPQUAD(prf), tn->pos, tn->bits, tn->full_children, 
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index f071f84808fa..a0f2008584bc 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -281,8 +281,9 @@ int ip_output(struct sk_buff *skb)
                             !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
-int ip_queue_xmit(struct sk_buff *skb, struct sock *sk, int ipfragok)
+int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
 {
+        struct sock *sk = skb->sk;
         struct inet_sock *inet = inet_sk(sk);
         struct ip_options *opt = inet->opt;
         struct rtable *rt;
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 15e741aeb291..16d177b71bf8 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -4,6 +4,14 @@
 
 # objects for the standalone - connection tracking / NAT
 ip_conntrack-objs       := ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
+# objects for l3 independent conntrack
+nf_conntrack_ipv4-objs  :=  nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
+ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
+ifeq ($(CONFIG_PROC_FS),y)
+nf_conntrack_ipv4-objs  += nf_conntrack_l3proto_ipv4_compat.o
+endif
+endif
+
 ip_nat-objs     := ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
 nf_nat-objs     := nf_nat_core.o nf_nat_helper.o nf_nat_proto_unknown.o nf_nat_proto_tcp.o nf_nat_proto_udp.o nf_nat_proto_icmp.o
 ifneq ($(CONFIG_NF_NAT),)
@@ -20,6 +28,8 @@ ip_nat_h323-objs := ip_nat_helper_h323.o
 
 # connection tracking
 obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
+obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
+
 obj-$(CONFIG_IP_NF_NAT) += ip_nat.o
 obj-$(CONFIG_NF_NAT) += nf_nat.o
 
@@ -106,13 +116,3 @@ obj-$(CONFIG_IP_NF_ARPFILTER) += arptable_filter.o
 
 obj-$(CONFIG_IP_NF_QUEUE) += ip_queue.o
 
-# objects for l3 independent conntrack
-nf_conntrack_ipv4-objs  :=  nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
-ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
-ifeq ($(CONFIG_PROC_FS),y)
-nf_conntrack_ipv4-objs  += nf_conntrack_l3proto_ipv4_compat.o
-endif
-endif
-
-# l3 independent conntrack
-obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 5fcf91d617cd..6f31fad9be13 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -959,7 +959,7 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
         if (cda[CTA_PROTOINFO-1]) {
                 err = ctnetlink_change_protoinfo(ct, cda);
                 if (err < 0)
-                        return err;
+                        goto err;
         }
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index 0ae45b79a4eb..5df4fcae3ab6 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -72,9 +72,9 @@ static void pptp_nat_expected(struct nf_conn *ct,
                 DEBUGP("we are PAC->PNS\n");
                 /* build tuple for PNS->PAC */
                 t.src.l3num = AF_INET;
-                t.src.u3.ip = master->tuplehash[exp->dir].tuple.src.u3.ip;
+                t.src.u3.ip = master->tuplehash[!exp->dir].tuple.src.u3.ip;
                 t.src.u.gre.key = nat_pptp_info->pns_call_id;
-                t.dst.u3.ip = master->tuplehash[exp->dir].tuple.dst.u3.ip;
+                t.dst.u3.ip = master->tuplehash[!exp->dir].tuple.dst.u3.ip;
                 t.dst.u.gre.key = nat_pptp_info->pac_call_id;
                 t.dst.protonum = IPPROTO_GRE;
         }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c701f6abbfc1..c26076fb890e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1011,10 +1011,11 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
                         for (j = 0; j < i; j++){
                                 if (after(ntohl(sp[j].start_seq),
                                           ntohl(sp[j+1].start_seq))){
-                                        sp[j].start_seq = htonl(tp->recv_sack_cache[j+1].start_seq);
-                                        sp[j].end_seq = htonl(tp->recv_sack_cache[j+1].end_seq);
-                                        sp[j+1].start_seq = htonl(tp->recv_sack_cache[j].start_seq);
-                                        sp[j+1].end_seq = htonl(tp->recv_sack_cache[j].end_seq);
+                                        struct tcp_sack_block_wire tmp;
+
+                                        tmp = sp[j];
+                                        sp[j] = sp[j+1];
+                                        sp[j+1] = tmp;
                                 }
 
                         }
@@ -4420,9 +4421,11 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                          * But, this leaves one open to an easy denial of
                          * service attack, and SYN cookies can't defend
                          * against this problem. So, we drop the data
-                         * in the interest of security over speed.
+                         * in the interest of security over speed unless
+                         * it's still in use.
                          */
-                        goto discard;
+                        kfree_skb(skb);
+                        return 0;
                 }
                 goto discard;
 
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 32c1a972fa31..975f4472af29 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -467,6 +467,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
 
         th = (struct tcphdr *) skb_push(skb, tcp_header_size);
         skb->h.th = th;
+        skb_set_owner_w(skb, sk);
 
         /* Build TCP header and checksum it. */
         th->source              = inet->sport;
@@ -540,7 +541,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
         if (after(tcb->end_seq, tp->snd_nxt) || tcb->seq == tcb->end_seq)
                 TCP_INC_STATS(TCP_MIB_OUTSEGS);
 
-        err = icsk->icsk_af_ops->queue_xmit(skb, sk, 0);
+        err = icsk->icsk_af_ops->queue_xmit(skb, 0);
         if (likely(err <= 0))
                 return err;
 
@@ -1650,7 +1651,8 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *skb, int m
 
                 memcpy(skb_put(skb, next_skb_size), next_skb->data, next_skb_size);
 
-                skb->ip_summed = next_skb->ip_summed;
+                if (next_skb->ip_summed == CHECKSUM_PARTIAL)
+                        skb->ip_summed = CHECKSUM_PARTIAL;
 
                 if (skb->ip_summed != CHECKSUM_PARTIAL)
                         skb->csum = csum_block_add(skb->csum, next_skb->csum, skb_size);
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index f230eeecf092..41c157848181 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -30,7 +30,7 @@
 
 #include <net/tcp.h>
 
-MODULE_AUTHOR("Stephen Hemminger <shemminger@osdl.org>");
+MODULE_AUTHOR("Stephen Hemminger <shemminger@linux-foundation.org>");
 MODULE_DESCRIPTION("TCP cwnd snooper");
 MODULE_LICENSE("GPL");
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 171e5b55d7d6..2a7e4618f526 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -341,6 +341,7 @@ void in6_dev_finish_destroy(struct inet6_dev *idev)
 static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
 {
         struct inet6_dev *ndev;
+        struct in6_addr maddr;
 
         ASSERT_RTNL();
 
@@ -425,6 +426,11 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
 #endif
         /* protected by rtnl_lock */
         rcu_assign_pointer(dev->ip6_ptr, ndev);
+
+        /* Join all-node multicast group */
+        ipv6_addr_all_nodes(&maddr);
+        ipv6_dev_mc_inc(dev, &maddr);
+
         return ndev;
 }
 
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index c700302ad51a..116f94a49071 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -139,8 +139,9 @@ void inet6_csk_addr2sockaddr(struct sock *sk, struct sockaddr * uaddr)
 
 EXPORT_SYMBOL_GPL(inet6_csk_addr2sockaddr);
 
-int inet6_csk_xmit(struct sk_buff *skb, struct sock *sk, int ipfragok)
+int inet6_csk_xmit(struct sk_buff *skb, int ipfragok)
 {
+        struct sock *sk = skb->sk;
         struct inet_sock *inet = inet_sk(sk);
         struct ipv6_pinfo *np = inet6_sk(sk);
         struct flowi fl;
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index a1c231a04ac2..882cde4b4047 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -2258,8 +2258,6 @@ void ipv6_mc_up(struct inet6_dev *idev)
 
 void ipv6_mc_init_dev(struct inet6_dev *idev)
 {
-        struct in6_addr maddr;
-
         write_lock_bh(&idev->lock);
         rwlock_init(&idev->mc_lock);
         idev->mc_gq_running = 0;
@@ -2275,10 +2273,6 @@ void ipv6_mc_init_dev(struct inet6_dev *idev)
         idev->mc_maxdelay = IGMP6_UNSOLICITED_IVAL;
         idev->mc_v1_seen = 0;
         write_unlock_bh(&idev->lock);
-
-        /* Add all-nodes address. */
-        ipv6_addr_all_nodes(&maddr);
-        ipv6_dev_mc_inc(idev->dev, &maddr);
 }
 
 /*
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 8c3d56871b50..5f0043c30b70 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2017,6 +2017,7 @@ static inline size_t rt6_nlmsg_size(void)
                + nla_total_size(4) /* RTA_IIF */
                + nla_total_size(4) /* RTA_OIF */
                + nla_total_size(4) /* RTA_PRIORITY */
+               + RTAX_MAX * nla_total_size(4) /* RTA_METRICS */
                + nla_total_size(sizeof(struct rta_cacheinfo));
 }
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bd1d2de75e45..811e3e782f0f 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -981,7 +981,7 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
         if (cda[CTA_PROTOINFO-1]) {
                 err = ctnetlink_change_protoinfo(ct, cda);
                 if (err < 0)
-                        return err;
+                        goto err;
         }
 
 #if defined(CONFIG_NF_CONNTRACK_MARK)
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index f0ff00e0d052..c59df3bc2bbd 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -113,7 +113,7 @@ static void pptp_expectfn(struct nf_conn *ct,
 
         rcu_read_lock();
         nf_nat_pptp_expectfn = rcu_dereference(nf_nat_pptp_hook_expectfn);
-        if (nf_nat_pptp_expectfn && ct->status & IPS_NAT_MASK)
+        if (nf_nat_pptp_expectfn && ct->master->status & IPS_NAT_MASK)
                 nf_nat_pptp_expectfn(ct, exp);
         else {
                 struct nf_conntrack_tuple inv_t;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index da73e8a8c18d..6dc01bdeb76b 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -359,6 +359,10 @@ static int packet_sendmsg_spkt(struct kiocb *iocb, struct socket *sock,
         if (dev == NULL)
                 goto out_unlock;
         
+        err = -ENETDOWN;
+        if (!(dev->flags & IFF_UP))
+                goto out_unlock;
+
         /*
          *      You may not queue a frame bigger than the mtu. This is the lowest level
          *      raw protocol and you must do your own fragmentation at this level.
@@ -407,10 +411,6 @@ static int packet_sendmsg_spkt(struct kiocb *iocb, struct socket *sock,
         if (err)
                 goto out_free;
 
-        err = -ENETDOWN;
-        if (!(dev->flags & IFF_UP))
-                goto out_free;
-
         /*
          *      Now send it
          */
@@ -428,24 +428,18 @@ out_unlock:
 }
 #endif
 
-static inline int run_filter(struct sk_buff *skb, struct sock *sk,
-                                                        unsigned *snaplen)
+static inline unsigned int run_filter(struct sk_buff *skb, struct sock *sk,
+                                      unsigned int res)
 {
         struct sk_filter *filter;
-        int err = 0;
 
         rcu_read_lock_bh();
         filter = rcu_dereference(sk->sk_filter);
-        if (filter != NULL) {
-                err = sk_run_filter(skb, filter->insns, filter->len);
-                if (!err)
-                        err = -EPERM;
-                else if (*snaplen > err)
-                        *snaplen = err;
-        }
+        if (filter != NULL)
+                res = sk_run_filter(skb, filter->insns, filter->len);
         rcu_read_unlock_bh();
 
-        return err;
+        return res;
 }
 
 /*
@@ -467,7 +461,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packet
         struct packet_sock *po;
         u8 * skb_head = skb->data;
         int skb_len = skb->len;
-        unsigned snaplen;
+        unsigned int snaplen, res;
 
         if (skb->pkt_type == PACKET_LOOPBACK)
                 goto drop;
@@ -495,8 +489,11 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packet
 
         snaplen = skb->len;
 
-        if (run_filter(skb, sk, &snaplen) < 0)
+        res = run_filter(skb, sk, snaplen);
+        if (!res)
                 goto drop_n_restore;
+        if (snaplen > res)
+                snaplen = res;
 
         if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
             (unsigned)sk->sk_rcvbuf)
@@ -568,7 +565,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
         struct tpacket_hdr *h;
         u8 * skb_head = skb->data;
         int skb_len = skb->len;
-        unsigned snaplen;
+        unsigned int snaplen, res;
         unsigned long status = TP_STATUS_LOSING|TP_STATUS_USER;
         unsigned short macoff, netoff;
         struct sk_buff *copy_skb = NULL;
@@ -592,8 +589,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
 
         snaplen = skb->len;
 
-        if (run_filter(skb, sk, &snaplen) < 0)
+        res = run_filter(skb, sk, snaplen);
+        if (!res)
                 goto drop_n_restore;
+        if (snaplen > res)
+                snaplen = res;
 
         if (sk->sk_type == SOCK_DGRAM) {
                 macoff = netoff = TPACKET_ALIGN(TPACKET_HDRLEN) + 16;
@@ -738,6 +738,10 @@ static int packet_sendmsg(struct kiocb *iocb, struct socket *sock,
         if (sock->type == SOCK_RAW)
                 reserve = dev->hard_header_len;
 
+        err = -ENETDOWN;
+        if (!(dev->flags & IFF_UP))
+                goto out_unlock;
+
         err = -EMSGSIZE;
         if (len > dev->mtu+reserve)
                 goto out_unlock;
@@ -770,10 +774,6 @@ static int packet_sendmsg(struct kiocb *iocb, struct socket *sock,
         skb->dev = dev;
         skb->priority = sk->sk_priority;
 
-        err = -ENETDOWN;
-        if (!(dev->flags & IFF_UP))
-                goto out_free;
-
         /*
          *      Now send it
          */
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 225f39b5d595..0ef48126b117 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -804,7 +804,7 @@ static inline int sctp_v4_xmit(struct sk_buff *skb,
                           NIPQUAD(((struct rtable *)skb->dst)->rt_dst));
 
         SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
-        return ip_queue_xmit(skb, skb->sk, ipfragok);
+        return ip_queue_xmit(skb, ipfragok);
 }
 
 static struct sctp_af sctp_ipv4_specific;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 167d888d1df2..0b1ddb1005ac 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1562,7 +1562,7 @@ static int sctp_process_missing_param(const struct sctp_association *asoc,
         if (*errp) {
                 report.num_missing = htonl(1);
                 report.type = paramtype;
-                sctp_init_cause(*errp, SCTP_ERROR_INV_PARAM,
+                sctp_init_cause(*errp, SCTP_ERROR_MISS_PARAM,
                                 &report, sizeof(report));
         }
 
@@ -1775,7 +1775,9 @@ int sctp_verify_init(const struct sctp_association *asoc,
 
         /* Verify stream values are non-zero. */
         if ((0 == peer_init->init_hdr.num_outbound_streams) ||
-            (0 == peer_init->init_hdr.num_inbound_streams)) {
+            (0 == peer_init->init_hdr.num_inbound_streams) ||
+            (0 == peer_init->init_hdr.init_tag) ||
+            (SCTP_DEFAULT_MINWINDOW > ntohl(peer_init->init_hdr.a_rwnd))) {
 
                 sctp_process_inv_mandatory(asoc, chunk, errp);
                 return 0;
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 7bbc6156e455..8bd30976cdee 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -217,7 +217,7 @@ static int sctp_gen_sack(struct sctp_association *asoc, int force,
 
                 asoc->peer.sack_needed = 0;
 
-                error = sctp_outq_tail(&asoc->outqueue, sack);
+                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(sack));
 
                 /* Stop the SACK timer.  */
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index aa51d190bfb2..fbbc9e6a3b78 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -440,7 +440,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
 {
         struct sctp_chunk *chunk = arg;
         sctp_init_chunk_t *initchunk;
-        __u32 init_tag;
         struct sctp_chunk *err_chunk;
         struct sctp_packet *packet;
         sctp_error_t error;
@@ -462,24 +461,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
         /* Grab the INIT header.  */
         chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data;
 
-        init_tag = ntohl(chunk->subh.init_hdr->init_tag);
-
-        /* Verification Tag: 3.3.3
-         *   If the value of the Initiate Tag in a received INIT ACK
-         *   chunk is found to be 0, the receiver MUST treat it as an
-         *   error and close the association by transmitting an ABORT.
-         */
-        if (!init_tag) {
-                struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0);
-                if (!reply)
-                        goto nomem;
-
-                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
-                return sctp_stop_t1_and_abort(commands, SCTP_ERROR_INV_PARAM,
-                                              ECONNREFUSED, asoc,
-                                              chunk->transport);
-        }
-
         /* Verify the INIT chunk before processing it. */
         err_chunk = NULL;
         if (!sctp_verify_init(asoc, chunk->chunk_hdr->type,
@@ -550,9 +531,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
                         SCTP_CHUNK(err_chunk));
 
         return SCTP_DISPOSITION_CONSUME;
-
-nomem:
-        return SCTP_DISPOSITION_NOMEM;
 }
 
 /*
@@ -1553,6 +1531,28 @@ sctp_disposition_t sctp_sf_do_5_2_2_dupinit(const struct sctp_endpoint *ep,
 }
 
 
+/*
+ * Unexpected INIT-ACK handler.
+ *
+ * Section 5.2.3
+ * If an INIT ACK received by an endpoint in any state other than the
+ * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
+ * An unexpected INIT ACK usually indicates the processing of an old or
+ * duplicated INIT chunk.
+*/
+sctp_disposition_t sctp_sf_do_5_2_3_initack(const struct sctp_endpoint *ep,
+                                            const struct sctp_association *asoc,
+                                            const sctp_subtype_t type,
+                                            void *arg, sctp_cmd_seq_t *commands)
+{
+        /* Per the above section, we'll discard the chunk if we have an
+         * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
+         */
+        if (ep == sctp_sk((sctp_get_ctl_sock()))->ep)
+                return sctp_sf_ootb(ep, asoc, type, arg, commands);
+        else
+                return sctp_sf_discard_chunk(ep, asoc, type, arg, commands);
+}
 
 /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
  *
diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c
index 733dd87b3a7d..5f6cc7aa661b 100644
--- a/net/sctp/sm_statetable.c
+++ b/net/sctp/sm_statetable.c
@@ -152,7 +152,7 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
         /* SCTP_STATE_EMPTY */ \
         TYPE_SCTP_FUNC(sctp_sf_ootb), \
         /* SCTP_STATE_CLOSED */ \
-        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
+        TYPE_SCTP_FUNC(sctp_sf_do_5_2_3_initack), \
         /* SCTP_STATE_COOKIE_WAIT */ \
         TYPE_SCTP_FUNC(sctp_sf_do_5_1C_ack), \
         /* SCTP_STATE_COOKIE_ECHOED */ \
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index aba528b9ae76..16c9fbc1db69 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -490,16 +490,14 @@ int rpc_call_sync(struct rpc_clnt *clnt, struct rpc_message *msg, int flags)
 
         /* Set up the call info struct and execute the task */
         status = task->tk_status;
-        if (status != 0) {
-                rpc_release_task(task);
+        if (status != 0)
                 goto out;
-        }
         atomic_inc(&task->tk_count);
         status = rpc_execute(task);
         if (status == 0)
                 status = task->tk_status;
-        rpc_put_task(task);
 out:
+        rpc_put_task(task);
         rpc_restore_sigmask(&oldset);
         return status;
 }
@@ -537,7 +535,7 @@ rpc_call_async(struct rpc_clnt *clnt, struct rpc_message *msg, int flags,
         if (status == 0)
                 rpc_execute(task);
         else
-                rpc_release_task(task);
+                rpc_put_task(task);
 
         rpc_restore_sigmask(&oldset);           
         return status;
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 79bc4cdf5d48..fc083f0b3544 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -42,6 +42,7 @@ static mempool_t	*rpc_buffer_mempool __read_mostly;
 static void                     __rpc_default_timer(struct rpc_task *task);
 static void                     rpciod_killall(void);
 static void                     rpc_async_schedule(struct work_struct *);
+static void                      rpc_release_task(struct rpc_task *task);
 
 /*
  * RPC tasks sit here while waiting for conditions to improve.
@@ -896,7 +897,7 @@ void rpc_put_task(struct rpc_task *task)
 }
 EXPORT_SYMBOL(rpc_put_task);
 
-void rpc_release_task(struct rpc_task *task)
+static void rpc_release_task(struct rpc_task *task)
 {
 #ifdef RPC_DEBUG
         BUG_ON(task->tk_magic != RPC_TASK_MAGIC_ID);
diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index f3001f3626f6..4c1611211119 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -26,7 +26,6 @@
 #include <linux/sunrpc/clnt.h>
 
 #define RPCDBG_FACILITY RPCDBG_SVCDSP
-#define RPC_PARANOIA 1
 
 /*
  * Mode for mapping cpus to pools.
@@ -872,15 +871,15 @@ svc_process(struct svc_rqst *rqstp)
         return 0;
 
 err_short_len:
-#ifdef RPC_PARANOIA
-        printk("svc: short len %Zd, dropping request\n", argv->iov_len);
-#endif
+        if (net_ratelimit())
+                printk("svc: short len %Zd, dropping request\n", argv->iov_len);
+
         goto dropit;                    /* drop request */
 
 err_bad_dir:
-#ifdef RPC_PARANOIA
-        printk("svc: bad direction %d, dropping request\n", dir);
-#endif
+        if (net_ratelimit())
+                printk("svc: bad direction %d, dropping request\n", dir);
+
         serv->sv_stats->rpcbadfmt++;
         goto dropit;                    /* drop request */
 
@@ -909,9 +908,10 @@ err_bad_prog:
         goto sendit;
 
 err_bad_vers:
-#ifdef RPC_PARANOIA
-        printk("svc: unknown version (%d)\n", vers);
-#endif
+        if (net_ratelimit())
+                printk("svc: unknown version (%d for prog %d, %s)\n",
+                       vers, prog, progp->pg_name);
+
         serv->sv_stats->rpcbadfmt++;
         svc_putnl(resv, RPC_PROG_MISMATCH);
         svc_putnl(resv, progp->pg_lovers);
@@ -919,17 +919,17 @@ err_bad_vers:
         goto sendit;
 
 err_bad_proc:
-#ifdef RPC_PARANOIA
-        printk("svc: unknown procedure (%d)\n", proc);
-#endif
+        if (net_ratelimit())
+                printk("svc: unknown procedure (%d)\n", proc);
+
         serv->sv_stats->rpcbadfmt++;
         svc_putnl(resv, RPC_PROC_UNAVAIL);
         goto sendit;
 
 err_garbage:
-#ifdef RPC_PARANOIA
-        printk("svc: failed to decode args\n");
-#endif
+        if (net_ratelimit())
+                printk("svc: failed to decode args\n");
+
         rpc_stat = rpc_garbage_args;
 err_bad:
         serv->sv_stats->rpcbadfmt++;
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 99f54fb6d669..ff1f8bf680aa 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -1062,15 +1062,19 @@ svc_tcp_recvfrom(struct svc_rqst *rqstp)
                          *  bit set in the fragment length header.
                          *  But apparently no known nfs clients send fragmented
                          *  records. */
-                        printk(KERN_NOTICE "RPC: bad TCP reclen 0x%08lx (non-terminal)\n",
-                               (unsigned long) svsk->sk_reclen);
+                        if (net_ratelimit())
+                                printk(KERN_NOTICE "RPC: bad TCP reclen 0x%08lx"
+                                       " (non-terminal)\n",
+                                       (unsigned long) svsk->sk_reclen);
                         goto err_delete;
                 }
                 svsk->sk_reclen &= 0x7fffffff;
                 dprintk("svc: TCP record, %d bytes\n", svsk->sk_reclen);
                 if (svsk->sk_reclen > serv->sv_max_mesg) {
-                        printk(KERN_NOTICE "RPC: bad TCP reclen 0x%08lx (large)\n",
-                               (unsigned long) svsk->sk_reclen);
+                        if (net_ratelimit())
+                                printk(KERN_NOTICE "RPC: bad TCP reclen 0x%08lx"
+                                       " (large)\n",
+                                       (unsigned long) svsk->sk_reclen);
                         goto err_delete;
                 }
         }
@@ -1278,6 +1282,8 @@ svc_recv(struct svc_rqst *rqstp, long timeout)
                                 schedule_timeout_uninterruptible(msecs_to_jiffies(500));
                         rqstp->rq_pages[i] = p;
                 }
+        rqstp->rq_pages[i++] = NULL; /* this might be seen in nfs_read_actor */
+        BUG_ON(pages >= RPCSVC_MAXPAGES);
 
         /* Make arg->head point to first page and arg->pages point to rest */
         arg = &rqstp->rq_arg;
diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
index 47b68a301677..328d80f000ad 100644
--- a/net/x25/x25_dev.c
+++ b/net/x25/x25_dev.c
@@ -56,6 +56,7 @@ static int x25_receive_data(struct sk_buff *skb, struct x25_neigh *nb)
                         sk_add_backlog(sk, skb);
                 }
                 bh_unlock_sock(sk);
+                sock_put(sk);
                 return queued;
         }
 
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index bebd40e5a62e..b7e537fe2d75 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -650,19 +650,18 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
         struct xfrm_policy *pol;
         struct xfrm_policy *delpol;
         struct hlist_head *chain;
-        struct hlist_node *entry, *newpos, *last;
+        struct hlist_node *entry, *newpos;
         struct dst_entry *gc_list;
 
         write_lock_bh(&xfrm_policy_lock);
         chain = policy_hash_bysel(&policy->selector, policy->family, dir);
         delpol = NULL;
         newpos = NULL;
-        last = NULL;
         hlist_for_each_entry(pol, entry, chain, bydst) {
-                if (!delpol &&
-                    pol->type == policy->type &&
+                if (pol->type == policy->type &&
                     !selector_cmp(&pol->selector, &policy->selector) &&
-                    xfrm_sec_ctx_match(pol->security, policy->security)) {
+                    xfrm_sec_ctx_match(pol->security, policy->security) &&
+                    !WARN_ON(delpol)) {
                         if (excl) {
                                 write_unlock_bh(&xfrm_policy_lock);
                                 return -EEXIST;
@@ -671,17 +670,12 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
                         if (policy->priority > pol->priority)
                                 continue;
                 } else if (policy->priority >= pol->priority) {
-                        last = &pol->bydst;
+                        newpos = &pol->bydst;
                         continue;
                 }
-                if (!newpos)
-                        newpos = &pol->bydst;
                 if (delpol)
                         break;
-                last = &pol->bydst;
         }
-        if (!newpos)
-                newpos = last;
         if (newpos)
                 hlist_add_after(newpos, &policy->bydst);
         else