Merge tag 'v3.10' into sched/core

Merge in a recent upstream commit:

  c2853c8df57f include/linux/math64.h: add div64_ul()

because:

  72a4cf20cb71 sched: Change cfs_rq load avg to unsigned long

relies on it.

[ We don't rebase sched/core for this, because the handful of
  followup commits after the broken commit are not behavioral
  changes so are unlikely to be needed during bisection. ]

Signed-off-by: Ingo Molnar <mingo@kernel.org>

71 files changed, 699 insertions, 330 deletions

diff --git a/net/9p/client.c b/net/9p/client.c
index 8eb75425e6e6..addc116cecf0 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -562,36 +562,19 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
 
         if (!p9_is_proto_dotl(c)) {
                 /* Error is reported in string format */
-                uint16_t len;
-                /* 7 = header size for RERROR, 2 is the size of string len; */
-                int inline_len = in_hdrlen - (7 + 2);
+                int len;
+                /* 7 = header size for RERROR; */
+                int inline_len = in_hdrlen - 7;
 
-                /* Read the size of error string */
-                err = p9pdu_readf(req->rc, c->proto_version, "w", &len);
-                if (err)
-                        goto out_err;
-
-                ename = kmalloc(len + 1, GFP_NOFS);
-                if (!ename) {
-                        err = -ENOMEM;
+                len =  req->rc->size - req->rc->offset;
+                if (len > (P9_ZC_HDR_SZ - 7)) {
+                        err = -EFAULT;
                         goto out_err;
                 }
-                if (len <= inline_len) {
-                        /* We have error in protocol buffer itself */
-                        if (pdu_read(req->rc, ename, len)) {
-                                err = -EFAULT;
-                                goto out_free;
 
-                        }
-                } else {
-                        /*
-                         *  Part of the data is in user space buffer.
-                         */
-                        if (pdu_read(req->rc, ename, inline_len)) {
-                                err = -EFAULT;
-                                goto out_free;
-
-                        }
+                ename = &req->rc->sdata[req->rc->offset];
+                if (len > inline_len) {
+                        /* We have error in external buffer */
                         if (kern_buf) {
                                 memcpy(ename + inline_len, uidata,
                                        len - inline_len);
@@ -600,19 +583,19 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
                                                      uidata, len - inline_len);
                                 if (err) {
                                         err = -EFAULT;
-                                        goto out_free;
+                                        goto out_err;
                                 }
                         }
                 }
-                ename[len] = 0;
-                if (p9_is_proto_dotu(c)) {
-                        /* For dotu we also have error code */
-                        err = p9pdu_readf(req->rc,
-                                          c->proto_version, "d", &ecode);
-                        if (err)
-                                goto out_free;
+                ename = NULL;
+                err = p9pdu_readf(req->rc, c->proto_version, "s?d",
+                                  &ename, &ecode);
+                if (err)
+                        goto out_err;
+
+                if (p9_is_proto_dotu(c))
                         err = -ecode;
-                }
+
                 if (!err || !IS_ERR_VALUE(err)) {
                         err = p9_errstr2errno(ename, strlen(ename));
 
@@ -628,8 +611,6 @@ static int p9_check_zc_errors(struct p9_client *c, struct p9_req_t *req,
         }
         return err;
 
-out_free:
-        kfree(ename);
 out_err:
         p9_debug(P9_DEBUG_ERROR, "couldn't parse error%d\n", err);
         return err;
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 071f288b77a8..f680ee101878 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -29,6 +29,21 @@
 #include "bat_algo.h"
 #include "network-coding.h"
 
+/**
+ * batadv_dup_status - duplicate status
+ * @BATADV_NO_DUP: the packet is a duplicate
+ * @BATADV_ORIG_DUP: OGM is a duplicate in the originator (but not for the
+ *  neighbor)
+ * @BATADV_NEIGH_DUP: OGM is a duplicate for the neighbor
+ * @BATADV_PROTECTED: originator is currently protected (after reboot)
+ */
+enum batadv_dup_status {
+        BATADV_NO_DUP = 0,
+        BATADV_ORIG_DUP,
+        BATADV_NEIGH_DUP,
+        BATADV_PROTECTED,
+};
+
 static struct batadv_neigh_node *
 batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
                         const uint8_t *neigh_addr,
@@ -650,7 +665,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
                           const struct batadv_ogm_packet *batadv_ogm_packet,
                           struct batadv_hard_iface *if_incoming,
                           const unsigned char *tt_buff,
-                          int is_duplicate)
+                          enum batadv_dup_status dup_status)
 {
         struct batadv_neigh_node *neigh_node = NULL, *tmp_neigh_node = NULL;
         struct batadv_neigh_node *router = NULL;
@@ -676,7 +691,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
                         continue;
                 }
 
-                if (is_duplicate)
+                if (dup_status != BATADV_NO_DUP)
                         continue;
 
                 spin_lock_bh(&tmp_neigh_node->lq_update_lock);
@@ -718,7 +733,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
         neigh_node->tq_avg = batadv_ring_buffer_avg(neigh_node->tq_recv);
         spin_unlock_bh(&neigh_node->lq_update_lock);
 
-        if (!is_duplicate) {
+        if (dup_status == BATADV_NO_DUP) {
                 orig_node->last_ttl = batadv_ogm_packet->header.ttl;
                 neigh_node->last_ttl = batadv_ogm_packet->header.ttl;
         }
@@ -902,15 +917,16 @@ out:
         return ret;
 }
 
-/* processes a batman packet for all interfaces, adjusts the sequence number and
- * finds out whether it is a duplicate.
- * returns:
- *   1 the packet is a duplicate
- *   0 the packet has not yet been received
- *  -1 the packet is old and has been received while the seqno window
- *     was protected. Caller should drop it.
+/**
+ * batadv_iv_ogm_update_seqnos -  process a batman packet for all interfaces,
+ *  adjust the sequence number and find out whether it is a duplicate
+ * @ethhdr: ethernet header of the packet
+ * @batadv_ogm_packet: OGM packet to be considered
+ * @if_incoming: interface on which the OGM packet was received
+ *
+ * Returns duplicate status as enum batadv_dup_status
  */
-static int
+static enum batadv_dup_status
 batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
                             const struct batadv_ogm_packet *batadv_ogm_packet,
                             const struct batadv_hard_iface *if_incoming)
@@ -918,17 +934,18 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
         struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
         struct batadv_orig_node *orig_node;
         struct batadv_neigh_node *tmp_neigh_node;
-        int is_duplicate = 0;
+        int is_dup;
         int32_t seq_diff;
         int need_update = 0;
-        int set_mark, ret = -1;
+        int set_mark;
+        enum batadv_dup_status ret = BATADV_NO_DUP;
         uint32_t seqno = ntohl(batadv_ogm_packet->seqno);
         uint8_t *neigh_addr;
         uint8_t packet_count;
 
         orig_node = batadv_get_orig_node(bat_priv, batadv_ogm_packet->orig);
         if (!orig_node)
-                return 0;
+                return BATADV_NO_DUP;
 
         spin_lock_bh(&orig_node->ogm_cnt_lock);
         seq_diff = seqno - orig_node->last_real_seqno;
@@ -936,22 +953,29 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
         /* signalize caller that the packet is to be dropped. */
         if (!hlist_empty(&orig_node->neigh_list) &&
             batadv_window_protected(bat_priv, seq_diff,
-                                    &orig_node->batman_seqno_reset))
+                                    &orig_node->batman_seqno_reset)) {
+                ret = BATADV_PROTECTED;
                 goto out;
+        }
 
         rcu_read_lock();
         hlist_for_each_entry_rcu(tmp_neigh_node,
                                  &orig_node->neigh_list, list) {
-                is_duplicate |= batadv_test_bit(tmp_neigh_node->real_bits,
-                                                orig_node->last_real_seqno,
-                                                seqno);
-
                 neigh_addr = tmp_neigh_node->addr;
+                is_dup = batadv_test_bit(tmp_neigh_node->real_bits,
+                                         orig_node->last_real_seqno,
+                                         seqno);
+
                 if (batadv_compare_eth(neigh_addr, ethhdr->h_source) &&
-                    tmp_neigh_node->if_incoming == if_incoming)
+                    tmp_neigh_node->if_incoming == if_incoming) {
                         set_mark = 1;
-                else
+                        if (is_dup)
+                                ret = BATADV_NEIGH_DUP;
+                } else {
                         set_mark = 0;
+                        if (is_dup && (ret != BATADV_NEIGH_DUP))
+                                ret = BATADV_ORIG_DUP;
+                }
 
                 /* if the window moved, set the update flag. */
                 need_update |= batadv_bit_get_packet(bat_priv,
@@ -971,8 +995,6 @@ batadv_iv_ogm_update_seqnos(const struct ethhdr *ethhdr,
                 orig_node->last_real_seqno = seqno;
         }
 
-        ret = is_duplicate;
-
 out:
         spin_unlock_bh(&orig_node->ogm_cnt_lock);
         batadv_orig_node_free_ref(orig_node);
@@ -994,7 +1016,8 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
         int is_broadcast = 0, is_bidirect;
         bool is_single_hop_neigh = false;
         bool is_from_best_next_hop = false;
-        int is_duplicate, sameseq, simlar_ttl;
+        int sameseq, similar_ttl;
+        enum batadv_dup_status dup_status;
         uint32_t if_incoming_seqno;
         uint8_t *prev_sender;
 
@@ -1138,10 +1161,10 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
         if (!orig_node)
                 return;
 
-        is_duplicate = batadv_iv_ogm_update_seqnos(ethhdr, batadv_ogm_packet,
-                                                   if_incoming);
+        dup_status = batadv_iv_ogm_update_seqnos(ethhdr, batadv_ogm_packet,
+                                                 if_incoming);
 
-        if (is_duplicate == -1) {
+        if (dup_status == BATADV_PROTECTED) {
                 batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                            "Drop packet: packet within seqno protection time (sender: %pM)\n",
                            ethhdr->h_source);
@@ -1211,11 +1234,12 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
          * seqno and similar ttl as the non-duplicate
          */
         sameseq = orig_node->last_real_seqno == ntohl(batadv_ogm_packet->seqno);
-        simlar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->header.ttl;
-        if (is_bidirect && (!is_duplicate || (sameseq && simlar_ttl)))
+        similar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->header.ttl;
+        if (is_bidirect && ((dup_status == BATADV_NO_DUP) ||
+                            (sameseq && similar_ttl)))
                 batadv_iv_ogm_orig_update(bat_priv, orig_node, ethhdr,
                                           batadv_ogm_packet, if_incoming,
-                                          tt_buff, is_duplicate);
+                                          tt_buff, dup_status);
 
         /* is single hop (direct) neighbor */
         if (is_single_hop_neigh) {
@@ -1236,7 +1260,7 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
                 goto out_neigh;
         }
 
-        if (is_duplicate) {
+        if (dup_status == BATADV_NEIGH_DUP) {
                 batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                            "Drop packet: duplicate packet received\n");
                 goto out_neigh;
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 379061c72549..de27b3175cfd 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1067,6 +1067,10 @@ void batadv_bla_update_orig_address(struct batadv_priv *bat_priv,
         group = htons(crc16(0, primary_if->net_dev->dev_addr, ETH_ALEN));
         bat_priv->bla.claim_dest.group = group;
 
+        /* purge everything when bridge loop avoidance is turned off */
+        if (!atomic_read(&bat_priv->bridge_loop_avoidance))
+                oldif = NULL;
+
         if (!oldif) {
                 batadv_bla_purge_claims(bat_priv, NULL, 1);
                 batadv_bla_purge_backbone_gw(bat_priv, 1);
diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c
index 15a22efa9a67..929e304dacb2 100644
--- a/net/batman-adv/sysfs.c
+++ b/net/batman-adv/sysfs.c
@@ -582,10 +582,7 @@ static ssize_t batadv_store_mesh_iface(struct kobject *kobj,
             (strncmp(hard_iface->soft_iface->name, buff, IFNAMSIZ) == 0))
                 goto out;
 
-        if (!rtnl_trylock()) {
-                ret = -ERESTARTSYS;
-                goto out;
-        }
+        rtnl_lock();
 
         if (status_tmp == BATADV_IF_NOT_IN_USE) {
                 batadv_hardif_disable_interface(hard_iface,
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 33843c5c4939..ace5e55fe5a3 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -341,7 +341,6 @@ static void hci_init1_req(struct hci_request *req, unsigned long opt)
 
 static void bredr_setup(struct hci_request *req)
 {
-        struct hci_cp_delete_stored_link_key cp;
         __le16 param;
         __u8 flt_type;
 
@@ -365,10 +364,6 @@ static void bredr_setup(struct hci_request *req)
         param = __constant_cpu_to_le16(0x7d00);
         hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
 
-        bacpy(&cp.bdaddr, BDADDR_ANY);
-        cp.delete_all = 0x01;
-        hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
-
         /* Read page scan parameters */
         if (req->hdev->hci_ver > BLUETOOTH_VER_1_1) {
                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
@@ -602,6 +597,16 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
         struct hci_dev *hdev = req->hdev;
         u8 p;
 
+        /* Only send HCI_Delete_Stored_Link_Key if it is supported */
+        if (hdev->commands[6] & 0x80) {
+                struct hci_cp_delete_stored_link_key cp;
+
+                bacpy(&cp.bdaddr, BDADDR_ANY);
+                cp.delete_all = 0x01;
+                hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
+                            sizeof(cp), &cp);
+        }
+
         if (hdev->commands[5] & 0x10)
                 hci_setup_link_policy(req);
 
@@ -1555,11 +1560,15 @@ static const struct rfkill_ops hci_rfkill_ops = {
 static void hci_power_on(struct work_struct *work)
 {
         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
+        int err;
 
         BT_DBG("%s", hdev->name);
 
-        if (hci_dev_open(hdev->id) < 0)
+        err = hci_dev_open(hdev->id);
+        if (err < 0) {
+                mgmt_set_powered_failed(hdev, err);
                 return;
+        }
 
         if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
                 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a76d1ac0321b..68843a28a7af 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2852,6 +2852,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
         BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
                conn, code, ident, dlen);
 
+        if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
+                return NULL;
+
         len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
         count = min_t(unsigned int, conn->mtu, len);
 
@@ -3677,10 +3680,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
 }
 
 static inline int l2cap_command_rej(struct l2cap_conn *conn,
-                                    struct l2cap_cmd_hdr *cmd, u8 *data)
+                                    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                    u8 *data)
 {
         struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
 
+        if (cmd_len < sizeof(*rej))
+                return -EPROTO;
+
         if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
                 return 0;
 
@@ -3829,11 +3836,14 @@ sendresp:
 }
 
 static int l2cap_connect_req(struct l2cap_conn *conn,
-                             struct l2cap_cmd_hdr *cmd, u8 *data)
+                             struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
 {
         struct hci_dev *hdev = conn->hcon->hdev;
         struct hci_conn *hcon = conn->hcon;
 
+        if (cmd_len < sizeof(struct l2cap_conn_req))
+                return -EPROTO;
+
         hci_dev_lock(hdev);
         if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
             !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
@@ -3847,7 +3857,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
 }
 
 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
-                                    struct l2cap_cmd_hdr *cmd, u8 *data)
+                                    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                    u8 *data)
 {
         struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
         u16 scid, dcid, result, status;
@@ -3855,6 +3866,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
         u8 req[128];
         int err;
 
+        if (cmd_len < sizeof(*rsp))
+                return -EPROTO;
+
         scid   = __le16_to_cpu(rsp->scid);
         dcid   = __le16_to_cpu(rsp->dcid);
         result = __le16_to_cpu(rsp->result);
@@ -3952,6 +3966,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
         struct l2cap_chan *chan;
         int len, err = 0;
 
+        if (cmd_len < sizeof(*req))
+                return -EPROTO;
+
         dcid  = __le16_to_cpu(req->dcid);
         flags = __le16_to_cpu(req->flags);
 
@@ -3975,7 +3992,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
 
         /* Reject if config buffer is too small. */
         len = cmd_len - sizeof(*req);
-        if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
+        if (chan->conf_len + len > sizeof(chan->conf_req)) {
                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
                                l2cap_build_conf_rsp(chan, rsp,
                                L2CAP_CONF_REJECT, flags), rsp);
@@ -4053,14 +4070,18 @@ unlock:
 }
 
 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
-                                   struct l2cap_cmd_hdr *cmd, u8 *data)
+                                   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                   u8 *data)
 {
         struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
         u16 scid, flags, result;
         struct l2cap_chan *chan;
-        int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
+        int len = cmd_len - sizeof(*rsp);
         int err = 0;
 
+        if (cmd_len < sizeof(*rsp))
+                return -EPROTO;
+
         scid   = __le16_to_cpu(rsp->scid);
         flags  = __le16_to_cpu(rsp->flags);
         result = __le16_to_cpu(rsp->result);
@@ -4161,7 +4182,8 @@ done:
 }
 
 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
-                                       struct l2cap_cmd_hdr *cmd, u8 *data)
+                                       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                       u8 *data)
 {
         struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
         struct l2cap_disconn_rsp rsp;
@@ -4169,6 +4191,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
         struct l2cap_chan *chan;
         struct sock *sk;
 
+        if (cmd_len != sizeof(*req))
+                return -EPROTO;
+
         scid = __le16_to_cpu(req->scid);
         dcid = __le16_to_cpu(req->dcid);
 
@@ -4208,12 +4233,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
-                                       struct l2cap_cmd_hdr *cmd, u8 *data)
+                                       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                       u8 *data)
 {
         struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
         u16 dcid, scid;
         struct l2cap_chan *chan;
 
+        if (cmd_len != sizeof(*rsp))
+                return -EPROTO;
+
         scid = __le16_to_cpu(rsp->scid);
         dcid = __le16_to_cpu(rsp->dcid);
 
@@ -4243,11 +4272,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_information_req(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                        struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                        u8 *data)
 {
         struct l2cap_info_req *req = (struct l2cap_info_req *) data;
         u16 type;
 
+        if (cmd_len != sizeof(*req))
+                return -EPROTO;
+
         type = __le16_to_cpu(req->type);
 
         BT_DBG("type 0x%4.4x", type);
@@ -4294,11 +4327,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                        struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                        u8 *data)
 {
         struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
         u16 type, result;
 
+        if (cmd_len < sizeof(*rsp))
+                return -EPROTO;
+
         type   = __le16_to_cpu(rsp->type);
         result = __le16_to_cpu(rsp->result);
 
@@ -5164,16 +5201,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
 
         switch (cmd->code) {
         case L2CAP_COMMAND_REJ:
-                l2cap_command_rej(conn, cmd, data);
+                l2cap_command_rej(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_CONN_REQ:
-                err = l2cap_connect_req(conn, cmd, data);
+                err = l2cap_connect_req(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_CONN_RSP:
         case L2CAP_CREATE_CHAN_RSP:
-                err = l2cap_connect_create_rsp(conn, cmd, data);
+                err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_CONF_REQ:
@@ -5181,15 +5218,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                 break;
 
         case L2CAP_CONF_RSP:
-                err = l2cap_config_rsp(conn, cmd, data);
+                err = l2cap_config_rsp(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_DISCONN_REQ:
-                err = l2cap_disconnect_req(conn, cmd, data);
+                err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_DISCONN_RSP:
-                err = l2cap_disconnect_rsp(conn, cmd, data);
+                err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_ECHO_REQ:
@@ -5200,11 +5237,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                 break;
 
         case L2CAP_INFO_REQ:
-                err = l2cap_information_req(conn, cmd, data);
+                err = l2cap_information_req(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_INFO_RSP:
-                err = l2cap_information_rsp(conn, cmd, data);
+                err = l2cap_information_rsp(conn, cmd, cmd_len, data);
                 break;
 
         case L2CAP_CREATE_CHAN_REQ:
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 35fef22703e9..f8ecbc70293d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2700,7 +2700,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
                 break;
 
         case DISCOV_TYPE_LE:
-                if (!lmp_host_le_capable(hdev)) {
+                if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
                         err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
                                          MGMT_STATUS_NOT_SUPPORTED);
                         mgmt_pending_remove(cmd);
@@ -3418,6 +3418,27 @@ new_settings:
         return err;
 }
 
+int mgmt_set_powered_failed(struct hci_dev *hdev, int err)
+{
+        struct pending_cmd *cmd;
+        u8 status;
+
+        cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
+        if (!cmd)
+                return -ENOENT;
+
+        if (err == -ERFKILL)
+                status = MGMT_STATUS_RFKILLED;
+        else
+                status = MGMT_STATUS_FAILED;
+
+        err = cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
+
+        mgmt_pending_remove(cmd);
+
+        return err;
+}
+
 int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
 {
         struct cmd_lookup match = { NULL, hdev };
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index b2296d3857a0..b5562abdd6e0 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -770,7 +770,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 
         BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
 
-        if (!lmp_host_le_capable(hcon->hdev))
+        if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
                 return 1;
 
         if (sec_level == BT_SECURITY_LOW)
@@ -851,7 +851,7 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
         __u8 reason;
         int err = 0;
 
-        if (!lmp_host_le_capable(conn->hcon->hdev)) {
+        if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) {
                 err = -ENOTSUPP;
                 reason = SMP_PAIRING_NOTSUPP;
                 goto done;
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 81f2389f78eb..d6448e35e027 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -465,8 +465,9 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
         skb_set_transport_header(skb, skb->len);
         mldq = (struct mld_msg *) icmp6_hdr(skb);
 
-        interval = ipv6_addr_any(group) ? br->multicast_last_member_interval :
-                                          br->multicast_query_response_interval;
+        interval = ipv6_addr_any(group) ?
+                        br->multicast_query_response_interval :
+                        br->multicast_last_member_interval;
 
         mldq->mld_type = ICMPV6_MGM_QUERY;
         mldq->mld_code = 0;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index d5953b87918c..3a246a6cab47 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1675,13 +1675,13 @@ static void kick_requests(struct ceph_osd_client *osdc, int force_resend)
                 __register_request(osdc, req);
                 __unregister_linger_request(osdc, req);
         }
+        reset_changed_osds(osdc);
         mutex_unlock(&osdc->request_mutex);
 
         if (needmap) {
                 dout("%d requests for down osds, need new map\n", needmap);
                 ceph_monc_request_next_osdmap(&osdc->client->monc);
         }
-        reset_changed_osds(osdc);
 }
 
 
diff --git a/net/compat.c b/net/compat.c
index 79ae88485001..f0a1ba6c8086 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -734,19 +734,25 @@ static unsigned char nas[21] = {
 
 asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
-        return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                     unsigned int vlen, unsigned int flags)
 {
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
         return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                               flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
-        return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags)
@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
         int datagrams;
         struct timespec ktspec;
 
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+
         if (COMPAT_USE_64BIT_TIME)
                 return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                       flags | MSG_CMSG_COMPAT,
diff --git a/net/core/dev.c b/net/core/dev.c
index fc1e289397f5..faebb398fb46 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -792,6 +792,40 @@ struct net_device *dev_get_by_index(struct net *net, int ifindex)
 EXPORT_SYMBOL(dev_get_by_index);
 
 /**
+ *      netdev_get_name - get a netdevice name, knowing its ifindex.
+ *      @net: network namespace
+ *      @name: a pointer to the buffer where the name will be stored.
+ *      @ifindex: the ifindex of the interface to get the name from.
+ *
+ *      The use of raw_seqcount_begin() and cond_resched() before
+ *      retrying is required as we want to give the writers a chance
+ *      to complete when CONFIG_PREEMPT is not set.
+ */
+int netdev_get_name(struct net *net, char *name, int ifindex)
+{
+        struct net_device *dev;
+        unsigned int seq;
+
+retry:
+        seq = raw_seqcount_begin(&devnet_rename_seq);
+        rcu_read_lock();
+        dev = dev_get_by_index_rcu(net, ifindex);
+        if (!dev) {
+                rcu_read_unlock();
+                return -ENODEV;
+        }
+
+        strcpy(name, dev->name);
+        rcu_read_unlock();
+        if (read_seqcount_retry(&devnet_rename_seq, seq)) {
+                cond_resched();
+                goto retry;
+        }
+
+        return 0;
+}
+
+/**
  *      dev_getbyhwaddr_rcu - find a device by its hardware address
  *      @net: the applicable net namespace
  *      @type: media type of device
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index c013f38482a1..6cda4e2c2132 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -39,6 +39,7 @@ static int __hw_addr_create_ex(struct netdev_hw_addr_list *list,
         ha->refcount = 1;
         ha->global_use = global;
         ha->synced = sync;
+        ha->sync_cnt = 0;
         list_add_tail_rcu(&ha->list, &list->list);
         list->count++;
 
@@ -66,7 +67,7 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list,
                         }
                         if (sync) {
                                 if (ha->synced)
-                                        return 0;
+                                        return -EEXIST;
                                 else
                                         ha->synced = true;
                         }
@@ -139,10 +140,13 @@ static int __hw_addr_sync_one(struct netdev_hw_addr_list *to_list,
 
         err = __hw_addr_add_ex(to_list, ha->addr, addr_len, ha->type,
                                false, true);
-        if (err)
+        if (err && err != -EEXIST)
                 return err;
-        ha->sync_cnt++;
-        ha->refcount++;
+
+        if (!err) {
+                ha->sync_cnt++;
+                ha->refcount++;
+        }
 
         return 0;
 }
@@ -159,7 +163,8 @@ static void __hw_addr_unsync_one(struct netdev_hw_addr_list *to_list,
         if (err)
                 return;
         ha->sync_cnt--;
-        __hw_addr_del_entry(from_list, ha, false, true);
+        /* address on from list is not marked synced */
+        __hw_addr_del_entry(from_list, ha, false, false);
 }
 
 static int __hw_addr_sync_multiple(struct netdev_hw_addr_list *to_list,
@@ -796,7 +801,7 @@ int dev_mc_sync_multiple(struct net_device *to, struct net_device *from)
                 return -EINVAL;
 
         netif_addr_lock_nested(to);
-        err = __hw_addr_sync(&to->mc, &from->mc, to->addr_len);
+        err = __hw_addr_sync_multiple(&to->mc, &from->mc, to->addr_len);
         if (!err)
                 __dev_set_rx_mode(to);
         netif_addr_unlock(to);
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 6cc0481faade..5b7d0e1d0664 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -19,9 +19,8 @@
 
 static int dev_ifname(struct net *net, struct ifreq __user *arg)
 {
-        struct net_device *dev;
         struct ifreq ifr;
-        unsigned seq;
+        int error;
 
         /*
          *      Fetch the caller's info block.
@@ -30,19 +29,9 @@ static int dev_ifname(struct net *net, struct ifreq __user *arg)
         if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
                 return -EFAULT;
 
-retry:
-        seq = read_seqcount_begin(&devnet_rename_seq);
-        rcu_read_lock();
-        dev = dev_get_by_index_rcu(net, ifr.ifr_ifindex);
-        if (!dev) {
-                rcu_read_unlock();
-                return -ENODEV;
-        }
-
-        strcpy(ifr.ifr_name, dev->name);
-        rcu_read_unlock();
-        if (read_seqcount_retry(&devnet_rename_seq, seq))
-                goto retry;
+        error = netdev_get_name(net, ifr.ifr_name, ifr.ifr_ifindex);
+        if (error)
+                return error;
 
         if (copy_to_user(arg, &ifr, sizeof(struct ifreq)))
                 return -EFAULT;
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 22efdaa76ebf..ce91766eeca9 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -60,10 +60,10 @@ static const char netdev_features_strings[NETDEV_FEATURE_COUNT][ETH_GSTRING_LEN]
         [NETIF_F_IPV6_CSUM_BIT] =        "tx-checksum-ipv6",
         [NETIF_F_HIGHDMA_BIT] =          "highdma",
         [NETIF_F_FRAGLIST_BIT] =         "tx-scatter-gather-fraglist",
-        [NETIF_F_HW_VLAN_CTAG_TX_BIT] =  "tx-vlan-ctag-hw-insert",
+        [NETIF_F_HW_VLAN_CTAG_TX_BIT] =  "tx-vlan-hw-insert",
 
-        [NETIF_F_HW_VLAN_CTAG_RX_BIT] =  "rx-vlan-ctag-hw-parse",
-        [NETIF_F_HW_VLAN_CTAG_FILTER_BIT] = "rx-vlan-ctag-filter",
+        [NETIF_F_HW_VLAN_CTAG_RX_BIT] =  "rx-vlan-hw-parse",
+        [NETIF_F_HW_VLAN_CTAG_FILTER_BIT] = "rx-vlan-filter",
         [NETIF_F_HW_VLAN_STAG_TX_BIT] =  "tx-vlan-stag-hw-insert",
         [NETIF_F_HW_VLAN_STAG_RX_BIT] =  "rx-vlan-stag-hw-parse",
         [NETIF_F_HW_VLAN_STAG_FILTER_BIT] = "rx-vlan-stag-filter",
diff --git a/net/core/filter.c b/net/core/filter.c
index dad2a178f9f8..6438f29ff266 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -778,7 +778,7 @@ int sk_detach_filter(struct sock *sk)
 }
 EXPORT_SYMBOL_GPL(sk_detach_filter);
 
-static void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
+void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
 {
         static const u16 decodes[] = {
                 [BPF_S_ALU_ADD_K]       = BPF_ALU|BPF_ADD|BPF_K,
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index af9185d0be6a..1c1738cc4538 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -195,7 +195,7 @@ struct sk_buff *__alloc_skb_head(gfp_t gfp_mask, int node)
          * the tail pointer in struct sk_buff!
          */
         memset(skb, 0, offsetof(struct sk_buff, tail));
-        skb->data = NULL;
+        skb->head = NULL;
         skb->truesize = sizeof(struct sk_buff);
         atomic_set(&skb->users, 1);
 
@@ -483,15 +483,8 @@ EXPORT_SYMBOL(skb_add_rx_frag);
 
 static void skb_drop_list(struct sk_buff **listp)
 {
-        struct sk_buff *list = *listp;
-
+        kfree_skb_list(*listp);
         *listp = NULL;
-
-        do {
-                struct sk_buff *this = list;
-                list = list->next;
-                kfree_skb(this);
-        } while (list);
 }
 
 static inline void skb_drop_fraglist(struct sk_buff *skb)
@@ -611,7 +604,7 @@ static void skb_release_head_state(struct sk_buff *skb)
 static void skb_release_all(struct sk_buff *skb)
 {
         skb_release_head_state(skb);
-        if (likely(skb->data))
+        if (likely(skb->head))
                 skb_release_data(skb);
 }
 
@@ -651,6 +644,17 @@ void kfree_skb(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(kfree_skb);
 
+void kfree_skb_list(struct sk_buff *segs)
+{
+        while (segs) {
+                struct sk_buff *next = segs->next;
+
+                kfree_skb(segs);
+                segs = next;
+        }
+}
+EXPORT_SYMBOL(kfree_skb_list);
+
 /**
  *      skb_tx_error - report an sk_buff xmit error
  *      @skb: buffer that triggered an error
diff --git a/net/core/sock.c b/net/core/sock.c
index 6ba327da79e1..d6d024cfaaaf 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -210,7 +210,7 @@ static const char *const af_family_key_strings[AF_MAX+1] = {
   "sk_lock-AF_TIPC"  , "sk_lock-AF_BLUETOOTH", "sk_lock-IUCV"        ,
   "sk_lock-AF_RXRPC" , "sk_lock-AF_ISDN"     , "sk_lock-AF_PHONET"   ,
   "sk_lock-AF_IEEE802154", "sk_lock-AF_CAIF" , "sk_lock-AF_ALG"      ,
-  "sk_lock-AF_NFC"   , "sk_lock-AF_MAX"
+  "sk_lock-AF_NFC"   , "sk_lock-AF_VSOCK"    , "sk_lock-AF_MAX"
 };
 static const char *const af_family_slock_key_strings[AF_MAX+1] = {
   "slock-AF_UNSPEC", "slock-AF_UNIX"     , "slock-AF_INET"     ,
@@ -226,7 +226,7 @@ static const char *const af_family_slock_key_strings[AF_MAX+1] = {
   "slock-AF_TIPC"  , "slock-AF_BLUETOOTH", "slock-AF_IUCV"     ,
   "slock-AF_RXRPC" , "slock-AF_ISDN"     , "slock-AF_PHONET"   ,
   "slock-AF_IEEE802154", "slock-AF_CAIF" , "slock-AF_ALG"      ,
-  "slock-AF_NFC"   , "slock-AF_MAX"
+  "slock-AF_NFC"   , "slock-AF_VSOCK"    ,"slock-AF_MAX"
 };
 static const char *const af_family_clock_key_strings[AF_MAX+1] = {
   "clock-AF_UNSPEC", "clock-AF_UNIX"     , "clock-AF_INET"     ,
@@ -242,7 +242,7 @@ static const char *const af_family_clock_key_strings[AF_MAX+1] = {
   "clock-AF_TIPC"  , "clock-AF_BLUETOOTH", "clock-AF_IUCV"     ,
   "clock-AF_RXRPC" , "clock-AF_ISDN"     , "clock-AF_PHONET"   ,
   "clock-AF_IEEE802154", "clock-AF_CAIF" , "clock-AF_ALG"      ,
-  "clock-AF_NFC"   , "clock-AF_MAX"
+  "clock-AF_NFC"   , "clock-AF_VSOCK"    , "clock-AF_MAX"
 };
 
 /*
@@ -571,9 +571,7 @@ static int sock_getbindtodevice(struct sock *sk, char __user *optval,
         int ret = -ENOPROTOOPT;
 #ifdef CONFIG_NETDEVICES
         struct net *net = sock_net(sk);
-        struct net_device *dev;
         char devname[IFNAMSIZ];
-        unsigned seq;
 
         if (sk->sk_bound_dev_if == 0) {
                 len = 0;
@@ -584,20 +582,9 @@ static int sock_getbindtodevice(struct sock *sk, char __user *optval,
         if (len < IFNAMSIZ)
                 goto out;
 
-retry:
-        seq = read_seqcount_begin(&devnet_rename_seq);
-        rcu_read_lock();
-        dev = dev_get_by_index_rcu(net, sk->sk_bound_dev_if);
-        ret = -ENODEV;
-        if (!dev) {
-                rcu_read_unlock();
+        ret = netdev_get_name(net, devname, sk->sk_bound_dev_if);
+        if (ret)
                 goto out;
-        }
-
-        strcpy(devname, dev->name);
-        rcu_read_unlock();
-        if (read_seqcount_retry(&devnet_rename_seq, seq))
-                goto retry;
 
         len = strlen(devname) + 1;
 
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index d5bef0b0f639..a0e9cf6379de 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -73,8 +73,13 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
                 goto out;
         }
 
-        if (filter)
-                memcpy(nla_data(attr), filter->insns, len);
+        if (filter) {
+                struct sock_filter *fb = (struct sock_filter *)nla_data(attr);
+                int i;
+
+                for (i = 0; i < filter->len; i++, fb++)
+                        sk_decode_filter(&filter->insns[i], fb);
+        }
 
 out:
         rcu_read_unlock();
diff --git a/net/ipv4/gre.c b/net/ipv4/gre.c
index b2e805af9b87..7856d1651d05 100644
--- a/net/ipv4/gre.c
+++ b/net/ipv4/gre.c
@@ -178,7 +178,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
 
                                 err = __skb_linearize(skb);
                                 if (err) {
-                                        kfree_skb(segs);
+                                        kfree_skb_list(segs);
                                         segs = ERR_PTR(err);
                                         goto out;
                                 }
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index e4147ec1665a..7fa8f08fa7ae 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -503,6 +503,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
 
         inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
 
+        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
         dst = tnl_params->daddr;
         if (dst == 0) {
                 /* NBMA tunnel */
@@ -658,7 +659,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
 
         skb_dst_drop(skb);
         skb_dst_set(skb, &rt->dst);
-        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
 
         /* Push down and install the IP header. */
         skb_push(skb, sizeof(struct iphdr));
@@ -853,7 +853,7 @@ void ip_tunnel_dellink(struct net_device *dev, struct list_head *head)
 }
 EXPORT_SYMBOL_GPL(ip_tunnel_dellink);
 
-int __net_init ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
+int ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
                                   struct rtnl_link_ops *ops, char *devname)
 {
         struct ip_tunnel_net *itn = net_generic(net, ip_tnl_net_id);
@@ -899,7 +899,7 @@ static void ip_tunnel_destroy(struct ip_tunnel_net *itn, struct list_head *head)
                 unregister_netdevice_queue(itn->fb_tunnel_dev, head);
 }
 
-void __net_exit ip_tunnel_delete_net(struct ip_tunnel_net *itn)
+void ip_tunnel_delete_net(struct ip_tunnel_net *itn)
 {
         LIST_HEAD(list);
 
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 9d2bdb2c1d3f..c118f6b576bb 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -361,8 +361,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                         tunnel->err_count = 0;
         }
 
-        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
-                              IPSKB_REROUTED);
+        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
         skb_dst_drop(skb);
         skb_dst_set(skb, &rt->dst);
         nf_reset(skb);
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index cf08218ddbcf..32b0e978c8e0 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -125,15 +125,16 @@ static void ulog_send(struct ulog_net *ulog, unsigned int nlgroupnum)
 /* timer function to flush queue in flushtimeout time */
 static void ulog_timer(unsigned long data)
 {
+        unsigned int groupnum = *((unsigned int *)data);
         struct ulog_net *ulog = container_of((void *)data,
                                              struct ulog_net,
-                                             nlgroup[*(unsigned int *)data]);
+                                             nlgroup[groupnum]);
         pr_debug("timer function called, calling ulog_send\n");
 
         /* lock to protect against somebody modifying our structure
          * from ipt_ulog_target at the same time */
         spin_lock_bh(&ulog->lock);
-        ulog_send(ulog, data);
+        ulog_send(ulog, groupnum);
         spin_unlock_bh(&ulog->lock);
 }
 
@@ -231,8 +232,10 @@ static void ipt_ulog_packet(struct net *net,
         put_unaligned(tv.tv_usec, &pm->timestamp_usec);
         put_unaligned(skb->mark, &pm->mark);
         pm->hook = hooknum;
-        if (prefix != NULL)
-                strncpy(pm->prefix, prefix, sizeof(pm->prefix));
+        if (prefix != NULL) {
+                strncpy(pm->prefix, prefix, sizeof(pm->prefix) - 1);
+                pm->prefix[sizeof(pm->prefix) - 1] = '\0';
+        }
         else if (loginfo->prefix[0] != '\0')
                 strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
         else
@@ -405,8 +408,11 @@ static int __net_init ulog_tg_net_init(struct net *net)
 
         spin_lock_init(&ulog->lock);
         /* initialize ulog_buffers */
-        for (i = 0; i < ULOG_MAXNLGROUPS; i++)
-                setup_timer(&ulog->ulog_buffers[i].timer, ulog_timer, i);
+        for (i = 0; i < ULOG_MAXNLGROUPS; i++) {
+                ulog->nlgroup[i] = i;
+                setup_timer(&ulog->ulog_buffers[i].timer, ulog_timer,
+                            (unsigned long)&ulog->nlgroup[i]);
+        }
 
         ulog->nflognl = netlink_kernel_create(net, NETLINK_NFLOG, &cfg);
         if (!ulog->nflognl)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 550781a17b34..d35bbf0cf404 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -737,10 +737,15 @@ static void ip_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_buf
 {
         struct rtable *rt;
         struct flowi4 fl4;
+        const struct iphdr *iph = (const struct iphdr *) skb->data;
+        int oif = skb->dev->ifindex;
+        u8 tos = RT_TOS(iph->tos);
+        u8 prot = iph->protocol;
+        u32 mark = skb->mark;
 
         rt = (struct rtable *) dst;
 
-        ip_rt_build_flow_key(&fl4, sk, skb);
+        __build_flow_key(&fl4, sk, iph, oif, tos, prot, mark, 0);
         __ip_do_redirect(rt, skb, &fl4, true);
 }
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 719652305a29..7999fc55c83b 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1003,7 +1003,7 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
         struct tcp_sock *tp = tcp_sk(sk);
         struct tcp_md5sig_info *md5sig;
 
-        key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&addr, AF_INET);
+        key = tcp_md5_do_lookup(sk, addr, family);
         if (key) {
                 /* Pre-existing entry - just update that one. */
                 memcpy(key->key, newkey, newkeylen);
@@ -1048,7 +1048,7 @@ int tcp_md5_do_del(struct sock *sk, const union tcp_md5_addr *addr, int family)
         struct tcp_md5sig_key *key;
         struct tcp_md5sig_info *md5sig;
 
-        key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&addr, AF_INET);
+        key = tcp_md5_do_lookup(sk, addr, family);
         if (!key)
                 return -ENOENT;
         hlist_del_rcu(&key->node);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index d1ab6ab29a55..4ab4c38958c6 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1487,7 +1487,7 @@ static int ipv6_count_addresses(struct inet6_dev *idev)
 }
 
 int ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
-                  struct net_device *dev, int strict)
+                  const struct net_device *dev, int strict)
 {
         struct inet6_ifaddr *ifp;
         unsigned int hash = inet6_addr_hash(addr);
@@ -2655,11 +2655,16 @@ static void init_loopback(struct net_device *dev)
                         if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE))
                                 continue;
 
+                        if (sp_ifa->rt)
+                                continue;
+
                         sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);
 
                         /* Failure cases are ignored */
-                        if (!IS_ERR(sp_rt))
+                        if (!IS_ERR(sp_rt)) {
+                                sp_ifa->rt = sp_rt;
                                 ip6_ins_rt(sp_rt);
+                        }
                 }
                 read_unlock_bh(&idev->lock);
         }
@@ -4301,6 +4306,7 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
         struct inet6_ifaddr *ifp;
         struct net_device *dev = idev->dev;
         bool update_rs = false;
+        struct in6_addr ll_addr;
 
         if (token == NULL)
                 return -EINVAL;
@@ -4320,11 +4326,9 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
 
         write_unlock_bh(&idev->lock);
 
-        if (!idev->dead && (idev->if_flags & IF_READY)) {
-                struct in6_addr ll_addr;
-
-                ipv6_get_lladdr(dev, &ll_addr, IFA_F_TENTATIVE |
-                                IFA_F_OPTIMISTIC);
+        if (!idev->dead && (idev->if_flags & IF_READY) &&
+            !ipv6_get_lladdr(dev, &ll_addr, IFA_F_TENTATIVE |
+                             IFA_F_OPTIMISTIC)) {
 
                 /* If we're not ready, then normal ifup will take care
                  * of this. Otherwise, we need to request our rs here.
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index dae1949019d7..d5d20cde8d92 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -381,9 +381,8 @@ int ip6_forward(struct sk_buff *skb)
          *      cannot be fragmented, because there is no warranty
          *      that different fragments will go along one path. --ANK
          */
-        if (opt->ra) {
-                u8 *ptr = skb_network_header(skb) + opt->ra;
-                if (ip6_call_ra_chain(skb, (ptr[2]<<8) + ptr[3]))
+        if (unlikely(opt->flags & IP6SKB_ROUTERALERT)) {
+                if (ip6_call_ra_chain(skb, ntohs(opt->ra)))
                         return 0;
         }
 
@@ -822,11 +821,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
                                           const struct flowi6 *fl6)
 {
         struct ipv6_pinfo *np = inet6_sk(sk);
-        struct rt6_info *rt = (struct rt6_info *)dst;
+        struct rt6_info *rt;
 
         if (!dst)
                 goto out;
 
+        if (dst->ops->family != AF_INET6) {
+                dst_release(dst);
+                return NULL;
+        }
+
+        rt = (struct rt6_info *)dst;
         /* Yes, checking route validity in not connected
          * case is not very simple. Take into account,
          * that we do not support routing by source, TOS,
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 2712ab22a174..ca4ffcc287f1 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1493,7 +1493,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
          */
 
         if (ha)
-                ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR, ha);
+                ndisc_fill_addr_option(buff, ND_OPT_TARGET_LL_ADDR, ha);
 
         /*
          *      build redirect option and copy skb over to the new packet.
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 72836f40b730..95f3f1da0d7f 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -10,6 +10,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/export.h>
+#include <net/addrconf.h>
 #include <net/dst.h>
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
@@ -186,6 +187,10 @@ static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
         return csum;
 };
 
+static const struct nf_ipv6_ops ipv6ops = {
+        .chk_addr       = ipv6_chk_addr,
+};
+
 static const struct nf_afinfo nf_ip6_afinfo = {
         .family                 = AF_INET6,
         .checksum               = nf_ip6_checksum,
@@ -198,6 +203,7 @@ static const struct nf_afinfo nf_ip6_afinfo = {
 
 int __init ipv6_netfilter_init(void)
 {
+        RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
         return nf_register_afinfo(&nf_ip6_afinfo);
 }
 
@@ -206,5 +212,6 @@ int __init ipv6_netfilter_init(void)
  */
 void ipv6_netfilter_fini(void)
 {
+        RCU_INIT_POINTER(nf_ipv6_ops, NULL);
         nf_unregister_afinfo(&nf_ip6_afinfo);
 }
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 97bcf2bae857..c9b6a6e6a1e8 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -204,7 +204,7 @@ static unsigned int __ipv6_conntrack_in(struct net *net,
                 if (ct != NULL && !nf_ct_is_untracked(ct)) {
                         help = nfct_help(ct);
                         if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
-                                nf_conntrack_get_reasm(skb);
+                                nf_conntrack_get_reasm(reasm);
                                 NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
                                                (struct net_device *)in,
                                                (struct net_device *)out,
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index f3c1ff4357ff..51c3285b5d9b 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -90,7 +90,7 @@ static const struct snmp_mib snmp6_ipstats_list[] = {
         SNMP_MIB_ITEM("Ip6OutMcastOctets", IPSTATS_MIB_OUTMCASTOCTETS),
         SNMP_MIB_ITEM("Ip6InBcastOctets", IPSTATS_MIB_INBCASTOCTETS),
         SNMP_MIB_ITEM("Ip6OutBcastOctets", IPSTATS_MIB_OUTBCASTOCTETS),
-        SNMP_MIB_ITEM("InCsumErrors", IPSTATS_MIB_CSUMERRORS),
+        /* IPSTATS_MIB_CSUMERRORS is not relevant in IPv6 (no checksum) */
         SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index 3bb3a891a424..d3cfaf9c7a08 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -46,11 +46,12 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
         unsigned int mss;
         unsigned int unfrag_ip6hlen, unfrag_len;
         struct frag_hdr *fptr;
-        u8 *mac_start, *prevhdr;
+        u8 *packet_start, *prevhdr;
         u8 nexthdr;
         u8 frag_hdr_sz = sizeof(struct frag_hdr);
         int offset;
         __wsum csum;
+        int tnl_hlen;
 
         mss = skb_shinfo(skb)->gso_size;
         if (unlikely(skb->len <= mss))
@@ -83,9 +84,11 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
         skb->ip_summed = CHECKSUM_NONE;
 
         /* Check if there is enough headroom to insert fragment header. */
-        if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
-            pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
-                goto out;
+        tnl_hlen = skb_tnl_header_len(skb);
+        if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
+                if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
+                        goto out;
+        }
 
         /* Find the unfragmentable header and shift it left by frag_hdr_sz
          * bytes to insert fragment header.
@@ -93,11 +96,12 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
         unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
         nexthdr = *prevhdr;
         *prevhdr = NEXTHDR_FRAGMENT;
-        unfrag_len = skb_network_header(skb) - skb_mac_header(skb) +
-                     unfrag_ip6hlen;
-        mac_start = skb_mac_header(skb);
-        memmove(mac_start-frag_hdr_sz, mac_start, unfrag_len);
+        unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
+                     unfrag_ip6hlen + tnl_hlen;
+        packet_start = (u8 *) skb->head + SKB_GSO_CB(skb)->mac_offset;
+        memmove(packet_start-frag_hdr_sz, packet_start, unfrag_len);
 
+        SKB_GSO_CB(skb)->mac_offset -= frag_hdr_sz;
         skb->mac_header -= frag_hdr_sz;
         skb->network_header -= frag_hdr_sz;
 
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 5b1e5af25713..9da862070dd8 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c)
         hdr->sadb_msg_version = PF_KEY_V2;
         hdr->sadb_msg_errno = (uint8_t) 0;
         hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+        hdr->sadb_msg_reserved = 0;
 
         pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
 
@@ -2366,6 +2367,8 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
 
 out:
         xfrm_pol_put(xp);
+        if (err == 0)
+                xfrm_garbage_collect(net);
         return err;
 }
 
@@ -2615,6 +2618,8 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_
 
 out:
         xfrm_pol_put(xp);
+        if (delete && err == 0)
+                xfrm_garbage_collect(net);
         return err;
 }
 
@@ -2695,6 +2700,7 @@ static int key_notify_policy_flush(const struct km_event *c)
         hdr->sadb_msg_errno = (uint8_t) 0;
         hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
         hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+        hdr->sadb_msg_reserved = 0;
         pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
         return 0;
 
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 637a341c1e2d..8dec6876dc50 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
         skb_put(skb, 2);
 
         /* Copy user data into skb */
-        error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
+        error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
+                                 total_len);
         if (error < 0) {
                 kfree_skb(skb);
                 goto error_put_sess_tun;
         }
-        skb_put(skb, total_len);
 
         l2tp_xmit_skb(session, skb, session->hdr_len);
 
         sock_put(ps->tunnel_sock);
         sock_put(sk);
 
-        return error;
+        return total_len;
 
 error_put_sess_tun:
         sock_put(ps->tunnel_sock);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 1a89c80e6407..4fdb306e42e0 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1057,6 +1057,12 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
         clear_bit(SDATA_STATE_OFFCHANNEL_BEACON_STOPPED, &sdata->state);
         ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED);
 
+        if (sdata->wdev.cac_started) {
+                cancel_delayed_work_sync(&sdata->dfs_cac_timer_work);
+                cfg80211_cac_event(sdata->dev, NL80211_RADAR_CAC_ABORTED,
+                                   GFP_KERNEL);
+        }
+
         drv_stop_ap(sdata->local, sdata);
 
         /* free all potentially still buffered bcast frames */
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 44be28cfc6c4..9ca8e3278cc0 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1497,10 +1497,11 @@ static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
         ieee80211_tx_skb_tid(sdata, skb, 7);
 }
 
-u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, bool action,
+u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
                                struct ieee802_11_elems *elems,
                                u64 filter, u32 crc);
-static inline void ieee802_11_parse_elems(u8 *start, size_t len, bool action,
+static inline void ieee802_11_parse_elems(const u8 *start, size_t len,
+                                          bool action,
                                           struct ieee802_11_elems *elems)
 {
         ieee802_11_parse_elems_crc(start, len, action, elems, 0, 0);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 60f1ce5e5e52..98d20c0f6fed 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -159,9 +159,10 @@ static int ieee80211_change_mtu(struct net_device *dev, int new_mtu)
         return 0;
 }
 
-static int ieee80211_verify_mac(struct ieee80211_local *local, u8 *addr)
+static int ieee80211_verify_mac(struct ieee80211_sub_if_data *sdata, u8 *addr)
 {
-        struct ieee80211_sub_if_data *sdata;
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_sub_if_data *iter;
         u64 new, mask, tmp;
         u8 *m;
         int ret = 0;
@@ -181,11 +182,14 @@ static int ieee80211_verify_mac(struct ieee80211_local *local, u8 *addr)
 
 
         mutex_lock(&local->iflist_mtx);
-        list_for_each_entry(sdata, &local->interfaces, list) {
-                if (sdata->vif.type == NL80211_IFTYPE_MONITOR)
+        list_for_each_entry(iter, &local->interfaces, list) {
+                if (iter == sdata)
+                        continue;
+
+                if (iter->vif.type == NL80211_IFTYPE_MONITOR)
                         continue;
 
-                m = sdata->vif.addr;
+                m = iter->vif.addr;
                 tmp =   ((u64)m[0] << 5*8) | ((u64)m[1] << 4*8) |
                         ((u64)m[2] << 3*8) | ((u64)m[3] << 2*8) |
                         ((u64)m[4] << 1*8) | ((u64)m[5] << 0*8);
@@ -209,7 +213,7 @@ static int ieee80211_change_mac(struct net_device *dev, void *addr)
         if (ieee80211_sdata_running(sdata))
                 return -EBUSY;
 
-        ret = ieee80211_verify_mac(sdata->local, sa->sa_data);
+        ret = ieee80211_verify_mac(sdata, sa->sa_data);
         if (ret)
                 return ret;
 
@@ -474,6 +478,9 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
                         master->control_port_protocol;
                 sdata->control_port_no_encrypt =
                         master->control_port_no_encrypt;
+                sdata->vif.cab_queue = master->vif.cab_queue;
+                memcpy(sdata->vif.hw_queue, master->vif.hw_queue,
+                       sizeof(sdata->vif.hw_queue));
                 break;
                 }
         case NL80211_IFTYPE_AP:
@@ -653,7 +660,11 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
 
         ieee80211_recalc_ps(local, -1);
 
-        if (dev) {
+        if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
+            sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
+                /* XXX: for AP_VLAN, actually track AP queues */
+                netif_tx_start_all_queues(dev);
+        } else if (dev) {
                 unsigned long flags;
                 int n_acs = IEEE80211_NUM_ACS;
                 int ac;
@@ -1479,7 +1490,17 @@ static void ieee80211_assign_perm_addr(struct ieee80211_local *local,
                         break;
                 }
 
+                /*
+                 * Pick address of existing interface in case user changed
+                 * MAC address manually, default to perm_addr.
+                 */
                 m = local->hw.wiphy->perm_addr;
+                list_for_each_entry(sdata, &local->interfaces, list) {
+                        if (sdata->vif.type == NL80211_IFTYPE_MONITOR)
+                                continue;
+                        m = sdata->vif.addr;
+                        break;
+                }
                 start = ((u64)m[0] << 5*8) | ((u64)m[1] << 4*8) |
                         ((u64)m[2] << 3*8) | ((u64)m[3] << 2*8) |
                         ((u64)m[4] << 1*8) | ((u64)m[5] << 0*8);
@@ -1696,6 +1717,15 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
 
         ASSERT_RTNL();
 
+        /*
+         * Close all AP_VLAN interfaces first, as otherwise they
+         * might be closed while the AP interface they belong to
+         * is closed, causing unregister_netdevice_many() to crash.
+         */
+        list_for_each_entry(sdata, &local->interfaces, list)
+                if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+                        dev_close(sdata->dev);
+
         mutex_lock(&local->iflist_mtx);
         list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
                 list_del(&sdata->list);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index a46e490f20dd..741448b30825 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2522,8 +2522,11 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
         u16 capab_info, aid;
         struct ieee802_11_elems elems;
         struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
+        const struct cfg80211_bss_ies *bss_ies = NULL;
+        struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
         u32 changed = 0;
         int err;
+        bool ret;
 
         /* AssocResp and ReassocResp have identical structure */
 
@@ -2555,21 +2558,86 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
         ifmgd->aid = aid;
 
         /*
+         * Some APs are erroneously not including some information in their
+         * (re)association response frames. Try to recover by using the data
+         * from the beacon or probe response. This seems to afflict mobile
+         * 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
+         * "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
+         */
+        if ((assoc_data->wmm && !elems.wmm_param) ||
+            (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
+             (!elems.ht_cap_elem || !elems.ht_operation)) ||
+            (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
+             (!elems.vht_cap_elem || !elems.vht_operation))) {
+                const struct cfg80211_bss_ies *ies;
+                struct ieee802_11_elems bss_elems;
+
+                rcu_read_lock();
+                ies = rcu_dereference(cbss->ies);
+                if (ies)
+                        bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
+                                          GFP_ATOMIC);
+                rcu_read_unlock();
+                if (!bss_ies)
+                        return false;
+
+                ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
+                                       false, &bss_elems);
+                if (assoc_data->wmm &&
+                    !elems.wmm_param && bss_elems.wmm_param) {
+                        elems.wmm_param = bss_elems.wmm_param;
+                        sdata_info(sdata,
+                                   "AP bug: WMM param missing from AssocResp\n");
+                }
+
+                /*
+                 * Also check if we requested HT/VHT, otherwise the AP doesn't
+                 * have to include the IEs in the (re)association response.
+                 */
+                if (!elems.ht_cap_elem && bss_elems.ht_cap_elem &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
+                        elems.ht_cap_elem = bss_elems.ht_cap_elem;
+                        sdata_info(sdata,
+                                   "AP bug: HT capability missing from AssocResp\n");
+                }
+                if (!elems.ht_operation && bss_elems.ht_operation &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
+                        elems.ht_operation = bss_elems.ht_operation;
+                        sdata_info(sdata,
+                                   "AP bug: HT operation missing from AssocResp\n");
+                }
+                if (!elems.vht_cap_elem && bss_elems.vht_cap_elem &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
+                        elems.vht_cap_elem = bss_elems.vht_cap_elem;
+                        sdata_info(sdata,
+                                   "AP bug: VHT capa missing from AssocResp\n");
+                }
+                if (!elems.vht_operation && bss_elems.vht_operation &&
+                    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
+                        elems.vht_operation = bss_elems.vht_operation;
+                        sdata_info(sdata,
+                                   "AP bug: VHT operation missing from AssocResp\n");
+                }
+        }
+
+        /*
          * We previously checked these in the beacon/probe response, so
          * they should be present here. This is just a safety net.
          */
         if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
             (!elems.wmm_param || !elems.ht_cap_elem || !elems.ht_operation)) {
                 sdata_info(sdata,
-                           "HT AP is missing WMM params or HT capability/operation in AssocResp\n");
-                return false;
+                           "HT AP is missing WMM params or HT capability/operation\n");
+                ret = false;
+                goto out;
         }
 
         if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
             (!elems.vht_cap_elem || !elems.vht_operation)) {
                 sdata_info(sdata,
-                           "VHT AP is missing VHT capability/operation in AssocResp\n");
-                return false;
+                           "VHT AP is missing VHT capability/operation\n");
+                ret = false;
+                goto out;
         }
 
         mutex_lock(&sdata->local->sta_mtx);
@@ -2580,7 +2648,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
         sta = sta_info_get(sdata, cbss->bssid);
         if (WARN_ON(!sta)) {
                 mutex_unlock(&sdata->local->sta_mtx);
-                return false;
+                ret = false;
+                goto out;
         }
 
         sband = local->hw.wiphy->bands[ieee80211_get_sdata_band(sdata)];
@@ -2633,7 +2702,8 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
                            sta->sta.addr);
                 WARN_ON(__sta_info_destroy(sta));
                 mutex_unlock(&sdata->local->sta_mtx);
-                return false;
+                ret = false;
+                goto out;
         }
 
         mutex_unlock(&sdata->local->sta_mtx);
@@ -2673,7 +2743,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
         ieee80211_sta_rx_notify(sdata, (struct ieee80211_hdr *)mgmt);
         ieee80211_sta_reset_beacon_monitor(sdata);
 
-        return true;
+        ret = true;
+ out:
+        kfree(bss_ies);
+        return ret;
 }
 
 static enum rx_mgmt_action __must_check
@@ -3321,10 +3394,6 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
         if (WARN_ON_ONCE(!auth_data))
                 return -EINVAL;
 
-        if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
-                tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
-                           IEEE80211_TX_INTFL_MLME_CONN_TX;
-
         auth_data->tries++;
 
         if (auth_data->tries > IEEE80211_AUTH_MAX_TRIES) {
@@ -3358,6 +3427,10 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
                         auth_data->expected_transaction = trans;
                 }
 
+                if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
+                        tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
+                                   IEEE80211_TX_INTFL_MLME_CONN_TX;
+
                 ieee80211_send_auth(sdata, trans, auth_data->algorithm, status,
                                     auth_data->data, auth_data->data_len,
                                     auth_data->bss->bssid,
@@ -3381,12 +3454,12 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
                  * will not answer to direct packet in unassociated state.
                  */
                 ieee80211_send_probe_req(sdata, NULL, ssidie + 2, ssidie[1],
-                                         NULL, 0, (u32) -1, true, tx_flags,
+                                         NULL, 0, (u32) -1, true, 0,
                                          auth_data->bss->channel, false);
                 rcu_read_unlock();
         }
 
-        if (!(local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)) {
+        if (tx_flags == 0) {
                 auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
                 ifmgd->auth_data->timeout_started = true;
                 run_again(ifmgd, auth_data->timeout);
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index d3f414fe67e0..a02bef35b134 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -615,7 +615,7 @@ static void rate_control_apply_mask(struct ieee80211_sub_if_data *sdata,
                 if (rates[i].idx < 0)
                         break;
 
-                rate_idx_match_mask(&rates[i], sband, mask, chan_width,
+                rate_idx_match_mask(&rates[i], sband, chan_width, mask,
                                     mcs_mask);
         }
 }
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 27e07150eb46..72e6292955bb 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -661,12 +661,12 @@ void ieee80211_queue_delayed_work(struct ieee80211_hw *hw,
 }
 EXPORT_SYMBOL(ieee80211_queue_delayed_work);
 
-u32 ieee802_11_parse_elems_crc(u8 *start, size_t len, bool action,
+u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
                                struct ieee802_11_elems *elems,
                                u64 filter, u32 crc)
 {
         size_t left = len;
-        u8 *pos = start;
+        const u8 *pos = start;
         bool calc_crc = filter != 0;
         DECLARE_BITMAP(seen_elems, 256);
         const u8 *ie;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 07c865a31a3d..857ca9f35177 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -30,6 +30,8 @@ static DEFINE_MUTEX(afinfo_mutex);
 
 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
 EXPORT_SYMBOL(nf_afinfo);
+const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
+EXPORT_SYMBOL_GPL(nf_ipv6_ops);
 
 int nf_register_afinfo(const struct nf_afinfo *afinfo)
 {
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 085b5880ab0d..23b8eb53a569 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1001,6 +1001,32 @@ static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
         return th->rst;
 }
 
+static inline bool is_new_conn(const struct sk_buff *skb,
+                               struct ip_vs_iphdr *iph)
+{
+        switch (iph->protocol) {
+        case IPPROTO_TCP: {
+                struct tcphdr _tcph, *th;
+
+                th = skb_header_pointer(skb, iph->len, sizeof(_tcph), &_tcph);
+                if (th == NULL)
+                        return false;
+                return th->syn;
+        }
+        case IPPROTO_SCTP: {
+                sctp_chunkhdr_t *sch, schunk;
+
+                sch = skb_header_pointer(skb, iph->len + sizeof(sctp_sctphdr_t),
+                                         sizeof(schunk), &schunk);
+                if (sch == NULL)
+                        return false;
+                return sch->type == SCTP_CID_INIT;
+        }
+        default:
+                return false;
+        }
+}
+
 /* Handle response packets: rewrite addresses and send away...
  */
 static unsigned int
@@ -1416,7 +1442,8 @@ ignore_ipip:
 
         /* do the statistics and put it back */
         ip_vs_in_stats(cp, skb);
-        if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
+        if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol ||
+            IPPROTO_SCTP == cih->protocol)
                 offset += 2 * sizeof(__u16);
         verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum, &ciph);
 
@@ -1612,6 +1639,15 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
          * Check if the packet belongs to an existing connection entry
          */
         cp = pp->conn_in_get(af, skb, &iph, 0);
+
+        if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp && cp->dest &&
+            unlikely(!atomic_read(&cp->dest->weight)) && !iph.fragoffs &&
+            is_new_conn(skb, &iph)) {
+                ip_vs_conn_expire_now(cp);
+                __ip_vs_conn_put(cp);
+                cp = NULL;
+        }
+
         if (unlikely(!cp) && !iph.fragoffs) {
                 /* No (second) fragments need to enter here, as nf_defrag_ipv6
                  * replayed fragment zero will already have created the cp
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 5b142fb16480..9e6c2a075a4c 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
                 struct ip_vs_dest *dest;
                 struct ip_vs_dest_entry entry;
 
+                memset(&entry, 0, sizeof(entry));
                 list_for_each_entry(dest, &svc->destinations, n_list) {
                         if (count >= get->num_dests)
                                 break;
diff --git a/net/netfilter/ipvs/ip_vs_sh.c b/net/netfilter/ipvs/ip_vs_sh.c
index 0df269d7c99f..a65edfe4b16c 100644
--- a/net/netfilter/ipvs/ip_vs_sh.c
+++ b/net/netfilter/ipvs/ip_vs_sh.c
@@ -67,8 +67,8 @@ struct ip_vs_sh_bucket {
 #define IP_VS_SH_TAB_MASK               (IP_VS_SH_TAB_SIZE - 1)
 
 struct ip_vs_sh_state {
-        struct ip_vs_sh_bucket          buckets[IP_VS_SH_TAB_SIZE];
         struct rcu_head                 rcu_head;
+        struct ip_vs_sh_bucket          buckets[IP_VS_SH_TAB_SIZE];
 };
 
 /*
diff --git a/net/netfilter/nf_conntrack_labels.c b/net/netfilter/nf_conntrack_labels.c
index 8fe2e99428b7..355d2ef08094 100644
--- a/net/netfilter/nf_conntrack_labels.c
+++ b/net/netfilter/nf_conntrack_labels.c
@@ -45,7 +45,7 @@ int nf_connlabel_set(struct nf_conn *ct, u16 bit)
         if (test_bit(bit, labels->bits))
                 return 0;
 
-        if (test_and_set_bit(bit, labels->bits))
+        if (!test_and_set_bit(bit, labels->bits))
                 nf_conntrack_event_cache(IPCT_LABEL, ct);
 
         return 0;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 6d0f8a17c5b7..ecf065f94032 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1825,6 +1825,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
                         nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
                                                       (1 << IPCT_ASSURED) |
                                                       (1 << IPCT_HELPER) |
+                                                      (1 << IPCT_LABEL) |
                                                       (1 << IPCT_PROTOINFO) |
                                                       (1 << IPCT_NATSEQADJ) |
                                                       (1 << IPCT_MARK),
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index 96ccdf78a29f..dac11f73868e 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -230,9 +230,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
                                         &ct->tuplehash[!dir].tuple.src.u3,
                                         false);
                         if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
-                                           poff, plen, buffer, buflen))
+                                           poff, plen, buffer, buflen)) {
                                 nf_ct_helper_log(skb, ct, "cannot mangle received");
                                 return NF_DROP;
+                        }
                 }
 
                 /* The rport= parameter (RFC 3581) contains the port number
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index dc3fd5d44464..c7b6d466a662 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -149,9 +149,12 @@ nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb)
 
         rcu_read_lock();
         list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
-                if (last && cur != last)
-                        continue;
+                if (last) {
+                        if (cur != last)
+                                continue;
 
+                        last = NULL;
+                }
                 if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid,
                                        cb->nlh->nlmsg_seq,
                                        NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 701c88a20fea..65074dfb9383 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -220,9 +220,12 @@ ctnl_timeout_dump(struct sk_buff *skb, struct netlink_callback *cb)
 
         rcu_read_lock();
         list_for_each_entry_rcu(cur, &cttimeout_list, head) {
-                if (last && cur != last)
-                        continue;
+                if (last) {
+                        if (cur != last)
+                                continue;
 
+                        last = NULL;
+                }
                 if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).portid,
                                            cb->nlh->nlmsg_seq,
                                            NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 4e27fa035814..5352b2d2d5bf 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -637,9 +637,6 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
         if (queue->copy_mode == NFQNL_COPY_NONE)
                 return -EINVAL;
 
-        if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(entry->skb))
-                return __nfqnl_enqueue_packet(net, queue, entry);
-
         skb = entry->skb;
 
         switch (entry->pf) {
@@ -651,6 +648,9 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
                 break;
         }
 
+        if ((queue->flags & NFQA_CFG_F_GSO) || !skb_is_gso(skb))
+                return __nfqnl_enqueue_packet(net, queue, entry);
+
         nf_bridge_adjust_skb_data(skb);
         segs = skb_gso_segment(skb, 0);
         /* Does not use PTR_ERR to limit the number of error codes that can be
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index 491c7d821a0b..5ab24843370a 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -737,7 +737,7 @@ static void dump_ipv6_packet(struct sbuff *m,
                 dump_sk_uid_gid(m, skb->sk);
 
         /* Max length: 16 "MARK=0xFFFFFFFF " */
-        if (!recurse && skb->mark)
+        if (recurse && skb->mark)
                 sb_add(m, "MARK=0x%x ", skb->mark);
 }
 
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f0d42b..7011c71646f0 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -45,17 +45,22 @@ optlen(const u_int8_t *opt, unsigned int offset)
 
 static int
 tcpmss_mangle_packet(struct sk_buff *skb,
-                     const struct xt_tcpmss_info *info,
+                     const struct xt_action_param *par,
                      unsigned int in_mtu,
                      unsigned int tcphoff,
                      unsigned int minlen)
 {
+        const struct xt_tcpmss_info *info = par->targinfo;
         struct tcphdr *tcph;
         unsigned int tcplen, i;
         __be16 oldval;
         u16 newmss;
         u8 *opt;
 
+        /* This is a fragment, no TCP header is available */
+        if (par->fragoff != 0)
+                return XT_CONTINUE;
+
         if (!skb_make_writable(skb, skb->len))
                 return -1;
 
@@ -125,6 +130,18 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 
         skb_put(skb, TCPOLEN_MSS);
 
+        /*
+         * IPv4: RFC 1122 states "If an MSS option is not received at
+         * connection setup, TCP MUST assume a default send MSS of 536".
+         * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum
+         * length IPv6 header of 60, ergo the default MSS value is 1220
+         * Since no MSS was provided, we must use the default values
+         */
+        if (par->family == NFPROTO_IPV4)
+                newmss = min(newmss, (u16)536);
+        else
+                newmss = min(newmss, (u16)1220);
+
         opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
         memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
 
@@ -182,7 +199,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
         __be16 newlen;
         int ret;
 
-        ret = tcpmss_mangle_packet(skb, par->targinfo,
+        ret = tcpmss_mangle_packet(skb, par,
                                    tcpmss_reverse_mtu(skb, PF_INET),
                                    iph->ihl * 4,
                                    sizeof(*iph) + sizeof(struct tcphdr));
@@ -211,7 +228,7 @@ tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
         tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off);
         if (tcphoff < 0)
                 return NF_DROP;
-        ret = tcpmss_mangle_packet(skb, par->targinfo,
+        ret = tcpmss_mangle_packet(skb, par,
                                    tcpmss_reverse_mtu(skb, PF_INET6),
                                    tcphoff,
                                    sizeof(*ipv6h) + sizeof(struct tcphdr));
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 1eb1a44bfd3d..b68fa191710f 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
                 return NF_DROP;
 
         len = skb->len - tcphoff;
-        if (len < (int)sizeof(struct tcphdr) ||
-            tcp_hdr(skb)->doff * 4 > len)
+        if (len < (int)sizeof(struct tcphdr))
                 return NF_DROP;
 
         tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+        if (tcph->doff * 4 > len)
+                return NF_DROP;
+
         opt  = (u_int8_t *)tcph;
 
         /*
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 49c5ff7f6dd6..68ff29f60867 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -22,6 +22,7 @@
 #include <net/ip6_fib.h>
 #endif
 
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/xt_addrtype.h>
 #include <linux/netfilter/x_tables.h>
 
@@ -33,12 +34,12 @@ MODULE_ALIAS("ip6t_addrtype");
 
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
-                            const struct in6_addr *addr)
+                            const struct in6_addr *addr, u16 mask)
 {
         const struct nf_afinfo *afinfo;
         struct flowi6 flow;
         struct rt6_info *rt;
-        u32 ret;
+        u32 ret = 0;
         int route_err;
 
         memset(&flow, 0, sizeof(flow));
@@ -49,12 +50,19 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
         rcu_read_lock();
 
         afinfo = nf_get_afinfo(NFPROTO_IPV6);
-        if (afinfo != NULL)
+        if (afinfo != NULL) {
+                const struct nf_ipv6_ops *v6ops;
+
+                if (dev && (mask & XT_ADDRTYPE_LOCAL)) {
+                        v6ops = nf_get_ipv6_ops();
+                        if (v6ops && v6ops->chk_addr(net, addr, dev, true))
+                                ret = XT_ADDRTYPE_LOCAL;
+                }
                 route_err = afinfo->route(net, (struct dst_entry **)&rt,
-                                        flowi6_to_flowi(&flow), !!dev);
-        else
+                                          flowi6_to_flowi(&flow), false);
+        } else {
                 route_err = 1;
-
+        }
         rcu_read_unlock();
 
         if (route_err)
@@ -62,15 +70,12 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
 
         if (rt->rt6i_flags & RTF_REJECT)
                 ret = XT_ADDRTYPE_UNREACHABLE;
-        else
-                ret = 0;
 
-        if (rt->rt6i_flags & RTF_LOCAL)
+        if (dev == NULL && rt->rt6i_flags & RTF_LOCAL)
                 ret |= XT_ADDRTYPE_LOCAL;
         if (rt->rt6i_flags & RTF_ANYCAST)
                 ret |= XT_ADDRTYPE_ANYCAST;
 
-
         dst_release(&rt->dst);
         return ret;
 }
@@ -90,7 +95,7 @@ static bool match_type6(struct net *net, const struct net_device *dev,
 
         if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST |
              XT_ADDRTYPE_UNREACHABLE) & mask)
-                return !!(mask & match_lookup_rt6(net, dev, addr));
+                return !!(mask & match_lookup_rt6(net, dev, addr, mask));
         return true;
 }
 
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 12ac6b47a35c..57ee84d21470 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -371,7 +371,7 @@ static int netlink_mmap(struct file *file, struct socket *sock,
         err = 0;
 out:
         mutex_unlock(&nlk->pg_vec_lock);
-        return 0;
+        return err;
 }
 
 static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr)
@@ -747,7 +747,7 @@ static void netlink_skb_destructor(struct sk_buff *skb)
                 atomic_dec(&ring->pending);
                 sock_put(sk);
 
-                skb->data = NULL;
+                skb->head = NULL;
         }
 #endif
         if (skb->sk != NULL)
diff --git a/net/nfc/Makefile b/net/nfc/Makefile
index fb799deaed4f..a76f4533cb6c 100644
--- a/net/nfc/Makefile
+++ b/net/nfc/Makefile
@@ -5,7 +5,6 @@
 obj-$(CONFIG_NFC) += nfc.o
 obj-$(CONFIG_NFC_NCI) += nci/
 obj-$(CONFIG_NFC_HCI) += hci/
-#obj-$(CONFIG_NFC_LLCP) += llcp/
 
 nfc-objs := core.o netlink.o af_nfc.o rawsock.o llcp_core.o llcp_commands.o \
                 llcp_sock.o
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 8ec1bca7f859..20a1bd0e6549 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2851,12 +2851,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
                 return -EOPNOTSUPP;
 
         uaddr->sa_family = AF_PACKET;
+        memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
         rcu_read_lock();
         dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
         if (dev)
-                strncpy(uaddr->sa_data, dev->name, 14);
-        else
-                memset(uaddr->sa_data, 0, 14);
+                strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
         rcu_read_unlock();
         *uaddr_len = sizeof(*uaddr);
 
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 823463adbd21..189e3c5b3d09 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -231,14 +231,14 @@ override:
         }
         if (R_tab) {
                 police->rate_present = true;
-                psched_ratecfg_precompute(&police->rate, R_tab->rate.rate);
+                psched_ratecfg_precompute(&police->rate, &R_tab->rate);
                 qdisc_put_rtab(R_tab);
         } else {
                 police->rate_present = false;
         }
         if (P_tab) {
                 police->peak_present = true;
-                psched_ratecfg_precompute(&police->peak, P_tab->rate.rate);
+                psched_ratecfg_precompute(&police->peak, &P_tab->rate);
                 qdisc_put_rtab(P_tab);
         } else {
                 police->peak_present = false;
@@ -376,9 +376,9 @@ tcf_act_police_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
         };
 
         if (police->rate_present)
-                opt.rate.rate = psched_ratecfg_getrate(&police->rate);
+                psched_ratecfg_getrate(&opt.rate, &police->rate);
         if (police->peak_present)
-                opt.peakrate.rate = psched_ratecfg_getrate(&police->peak);
+                psched_ratecfg_getrate(&opt.peakrate, &police->peak);
         if (nla_put(skb, TCA_POLICE_TBF, sizeof(opt), &opt))
                 goto nla_put_failure;
         if (police->tcfp_result &&
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 2b935e7cfe7b..281c1bded1f6 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -291,17 +291,18 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *ta
 {
         struct qdisc_rate_table *rtab;
 
+        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
+            nla_len(tab) != TC_RTAB_SIZE)
+                return NULL;
+
         for (rtab = qdisc_rtab_list; rtab; rtab = rtab->next) {
-                if (memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) == 0) {
+                if (!memcmp(&rtab->rate, r, sizeof(struct tc_ratespec)) &&
+                    !memcmp(&rtab->data, nla_data(tab), 1024)) {
                         rtab->refcnt++;
                         return rtab;
                 }
         }
 
-        if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
-            nla_len(tab) != TC_RTAB_SIZE)
-                return NULL;
-
         rtab = kmalloc(sizeof(*rtab), GFP_KERNEL);
         if (rtab) {
                 rtab->rate = *r;
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index eac7e0ee23c1..20224086cc28 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -898,14 +898,16 @@ void dev_shutdown(struct net_device *dev)
         WARN_ON(timer_pending(&dev->watchdog_timer));
 }
 
-void psched_ratecfg_precompute(struct psched_ratecfg *r, u32 rate)
+void psched_ratecfg_precompute(struct psched_ratecfg *r,
+                               const struct tc_ratespec *conf)
 {
         u64 factor;
         u64 mult;
         int shift;
 
-        r->rate_bps = (u64)rate << 3;
-        r->shift = 0;
+        memset(r, 0, sizeof(*r));
+        r->overhead = conf->overhead;
+        r->rate_bps = (u64)conf->rate << 3;
         r->mult = 1;
         /*
          * Calibrate mult, shift so that token counting is accurate
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 79b1876b6cd2..adaedd79389c 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -109,7 +109,7 @@ struct htb_class {
         } un;
         struct rb_node node[TC_HTB_NUMPRIO];    /* node for self or feed tree */
         struct rb_node pq_node; /* node for event queue */
-        psched_time_t pq_key;
+        s64     pq_key;
 
         int prio_activity;      /* for which prios are we active */
         enum htb_cmode cmode;   /* current mode of the class */
@@ -121,10 +121,10 @@ struct htb_class {
         /* token bucket parameters */
         struct psched_ratecfg rate;
         struct psched_ratecfg ceil;
-        s64 buffer, cbuffer;    /* token bucket depth/rate */
-        psched_tdiff_t mbuffer; /* max wait time */
-        s64 tokens, ctokens;    /* current number of tokens */
-        psched_time_t t_c;      /* checkpoint time */
+        s64     buffer, cbuffer;        /* token bucket depth/rate */
+        s64     mbuffer;                /* max wait time */
+        s64     tokens, ctokens;        /* current number of tokens */
+        s64     t_c;                    /* checkpoint time */
 };
 
 struct htb_sched {
@@ -141,15 +141,15 @@ struct htb_sched {
         struct rb_root wait_pq[TC_HTB_MAXDEPTH];
 
         /* time of nearest event per level (row) */
-        psched_time_t near_ev_cache[TC_HTB_MAXDEPTH];
+        s64     near_ev_cache[TC_HTB_MAXDEPTH];
 
         int defcls;             /* class where unclassified flows go to */
 
         /* filters for qdisc itself */
         struct tcf_proto *filter_list;
 
-        int rate2quantum;       /* quant = rate / rate2quantum */
-        psched_time_t now;      /* cached dequeue time */
+        int     rate2quantum;   /* quant = rate / rate2quantum */
+        s64     now;    /* cached dequeue time */
         struct qdisc_watchdog watchdog;
 
         /* non shaped skbs; let them go directly thru */
@@ -664,8 +664,8 @@ static void htb_charge_class(struct htb_sched *q, struct htb_class *cl,
  * next pending event (0 for no event in pq, q->now for too many events).
  * Note: Applied are events whose have cl->pq_key <= q->now.
  */
-static psched_time_t htb_do_events(struct htb_sched *q, int level,
-                                   unsigned long start)
+static s64 htb_do_events(struct htb_sched *q, int level,
+                         unsigned long start)
 {
         /* don't run for longer than 2 jiffies; 2 is used instead of
          * 1 to simplify things when jiffy is going to be incremented
@@ -857,7 +857,7 @@ static struct sk_buff *htb_dequeue(struct Qdisc *sch)
         struct sk_buff *skb;
         struct htb_sched *q = qdisc_priv(sch);
         int level;
-        psched_time_t next_event;
+        s64 next_event;
         unsigned long start_at;
 
         /* try to dequeue direct packets as high prio (!) to minimize cpu work */
@@ -880,7 +880,7 @@ ok:
         for (level = 0; level < TC_HTB_MAXDEPTH; level++) {
                 /* common case optimization - skip event handler quickly */
                 int m;
-                psched_time_t event;
+                s64 event;
 
                 if (q->now >= q->near_ev_cache[level]) {
                         event = htb_do_events(q, level, start_at);
@@ -1090,9 +1090,9 @@ static int htb_dump_class(struct Qdisc *sch, unsigned long arg,
 
         memset(&opt, 0, sizeof(opt));
 
-        opt.rate.rate = psched_ratecfg_getrate(&cl->rate);
+        psched_ratecfg_getrate(&opt.rate, &cl->rate);
         opt.buffer = PSCHED_NS2TICKS(cl->buffer);
-        opt.ceil.rate = psched_ratecfg_getrate(&cl->ceil);
+        psched_ratecfg_getrate(&opt.ceil, &cl->ceil);
         opt.cbuffer = PSCHED_NS2TICKS(cl->cbuffer);
         opt.quantum = cl->quantum;
         opt.prio = cl->prio;
@@ -1117,8 +1117,8 @@ htb_dump_class_stats(struct Qdisc *sch, unsigned long arg, struct gnet_dump *d)
 
         if (!cl->level && cl->un.leaf.q)
                 cl->qstats.qlen = cl->un.leaf.q->q.qlen;
-        cl->xstats.tokens = cl->tokens;
-        cl->xstats.ctokens = cl->ctokens;
+        cl->xstats.tokens = PSCHED_NS2TICKS(cl->tokens);
+        cl->xstats.ctokens = PSCHED_NS2TICKS(cl->ctokens);
 
         if (gnet_stats_copy_basic(d, &cl->bstats) < 0 ||
             gnet_stats_copy_rate_est(d, NULL, &cl->rate_est) < 0 ||
@@ -1200,7 +1200,7 @@ static void htb_parent_to_leaf(struct htb_sched *q, struct htb_class *cl,
         parent->un.leaf.q = new_q ? new_q : &noop_qdisc;
         parent->tokens = parent->buffer;
         parent->ctokens = parent->cbuffer;
-        parent->t_c = psched_get_time();
+        parent->t_c = ktime_to_ns(ktime_get());
         parent->cmode = HTB_CAN_SEND;
 }
 
@@ -1417,8 +1417,8 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                 /* set class to be in HTB_CAN_SEND state */
                 cl->tokens = PSCHED_TICKS2NS(hopt->buffer);
                 cl->ctokens = PSCHED_TICKS2NS(hopt->cbuffer);
-                cl->mbuffer = 60 * PSCHED_TICKS_PER_SEC;        /* 1min */
-                cl->t_c = psched_get_time();
+                cl->mbuffer = 60ULL * NSEC_PER_SEC;     /* 1min */
+                cl->t_c = ktime_to_ns(ktime_get());
                 cl->cmode = HTB_CAN_SEND;
 
                 /* attach to the hash list and parent's family */
@@ -1459,8 +1459,8 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                         cl->prio = TC_HTB_NUMPRIO - 1;
         }
 
-        psched_ratecfg_precompute(&cl->rate, hopt->rate.rate);
-        psched_ratecfg_precompute(&cl->ceil, hopt->ceil.rate);
+        psched_ratecfg_precompute(&cl->rate, &hopt->rate);
+        psched_ratecfg_precompute(&cl->ceil, &hopt->ceil);
 
         cl->buffer = PSCHED_TICKS2NS(hopt->buffer);
         cl->cbuffer = PSCHED_TICKS2NS(hopt->buffer);
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index c8388f3c3426..e478d316602b 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -298,9 +298,9 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
         q->tokens = q->buffer;
         q->ptokens = q->mtu;
 
-        psched_ratecfg_precompute(&q->rate, rtab->rate.rate);
+        psched_ratecfg_precompute(&q->rate, &rtab->rate);
         if (ptab) {
-                psched_ratecfg_precompute(&q->peak, ptab->rate.rate);
+                psched_ratecfg_precompute(&q->peak, &ptab->rate);
                 q->peak_present = true;
         } else {
                 q->peak_present = false;
@@ -350,9 +350,9 @@ static int tbf_dump(struct Qdisc *sch, struct sk_buff *skb)
                 goto nla_put_failure;
 
         opt.limit = q->limit;
-        opt.rate.rate = psched_ratecfg_getrate(&q->rate);
+        psched_ratecfg_getrate(&opt.rate, &q->rate);
         if (q->peak_present)
-                opt.peakrate.rate = psched_ratecfg_getrate(&q->peak);
+                psched_ratecfg_getrate(&opt.peakrate, &q->peak);
         else
                 memset(&opt.peakrate, 0, sizeof(opt.peakrate));
         opt.mtu = PSCHED_NS2TICKS(q->mtu);
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 32a4625fef77..be35e2dbcc9a 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
  */
 void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
 {
+        memset(q, 0, sizeof(struct sctp_outq));
+
         q->asoc = asoc;
         INIT_LIST_HEAD(&q->out_chunk_list);
         INIT_LIST_HEAD(&q->control_chunk_list);
@@ -213,11 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
         INIT_LIST_HEAD(&q->sacked);
         INIT_LIST_HEAD(&q->abandoned);
 
-        q->fast_rtx = 0;
-        q->outstanding_bytes = 0;
         q->empty = 1;
-        q->cork  = 0;
-        q->out_qlen = 0;
 }
 
 /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index f631c5ff4dbf..6abb1caf9836 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4003,6 +4003,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
 
         /* Release our hold on the endpoint. */
         sp = sctp_sk(sk);
+        /* This could happen during socket init, thus we bail out
+         * early, since the rest of the below is not setup either.
+         */
+        if (sp->ep == NULL)
+                return;
+
         if (sp->do_auto_asconf) {
                 sp->do_auto_asconf = 0;
                 list_del(&sp->auto_asconf_list);
diff --git a/net/socket.c b/net/socket.c
index 6b94633ca61d..4ca1526db756 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1956,7 +1956,7 @@ struct used_address {
         unsigned int name_len;
 };
 
-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
                          struct msghdr *msg_sys, unsigned int flags,
                          struct used_address *used_address)
 {
@@ -2071,22 +2071,30 @@ out:
  *      BSD sendmsg interface
  */
 
-SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
 {
         int fput_needed, err;
         struct msghdr msg_sys;
-        struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+        struct socket *sock;
 
+        sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
 
-        err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+        err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
 
         fput_light(sock->file, fput_needed);
 out:
         return err;
 }
 
+SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+{
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_sendmsg(fd, msg, flags);
+}
+
 /*
  *      Linux sendmmsg interface
  */
@@ -2117,15 +2125,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 
         while (datagrams < vlen) {
                 if (MSG_CMSG_COMPAT & flags) {
-                        err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
-                                            &msg_sys, flags, &used_address);
+                        err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+                                             &msg_sys, flags, &used_address);
                         if (err < 0)
                                 break;
                         err = __put_user(err, &compat_entry->msg_len);
                         ++compat_entry;
                 } else {
-                        err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
-                                            &msg_sys, flags, &used_address);
+                        err = ___sys_sendmsg(sock,
+                                             (struct msghdr __user *)entry,
+                                             &msg_sys, flags, &used_address);
                         if (err < 0)
                                 break;
                         err = put_user(err, &entry->msg_len);
@@ -2149,10 +2158,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
                 unsigned int, vlen, unsigned int, flags)
 {
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
         return __sys_sendmmsg(fd, mmsg, vlen, flags);
 }
 
-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
                          struct msghdr *msg_sys, unsigned int flags, int nosec)
 {
         struct compat_msghdr __user *msg_compat =
@@ -2244,23 +2255,31 @@ out:
  *      BSD recvmsg interface
  */
 
-SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
-                unsigned int, flags)
+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
 {
         int fput_needed, err;
         struct msghdr msg_sys;
-        struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+        struct socket *sock;
 
+        sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
 
-        err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
+        err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
 
         fput_light(sock->file, fput_needed);
 out:
         return err;
 }
 
+SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+                unsigned int, flags)
+{
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+        return __sys_recvmsg(fd, msg, flags);
+}
+
 /*
  *     Linux recvmmsg interface
  */
@@ -2298,17 +2317,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
                  * No need to ask LSM for more than the first datagram.
                  */
                 if (MSG_CMSG_COMPAT & flags) {
-                        err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
-                                            &msg_sys, flags & ~MSG_WAITFORONE,
-                                            datagrams);
+                        err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
+                                             &msg_sys, flags & ~MSG_WAITFORONE,
+                                             datagrams);
                         if (err < 0)
                                 break;
                         err = __put_user(err, &compat_entry->msg_len);
                         ++compat_entry;
                 } else {
-                        err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
-                                            &msg_sys, flags & ~MSG_WAITFORONE,
-                                            datagrams);
+                        err = ___sys_recvmsg(sock,
+                                             (struct msghdr __user *)entry,
+                                             &msg_sys, flags & ~MSG_WAITFORONE,
+                                             datagrams);
                         if (err < 0)
                                 break;
                         err = put_user(err, &entry->msg_len);
@@ -2375,6 +2395,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
         int datagrams;
         struct timespec timeout_sys;
 
+        if (flags & MSG_CMSG_COMPAT)
+                return -EINVAL;
+
         if (!timeout)
                 return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);
 
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 871c73c92165..29b4ba93ab3c 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1287,7 +1287,7 @@ static bool use_gss_proxy(struct net *net)
 
 #ifdef CONFIG_PROC_FS
 
-static bool set_gss_proxy(struct net *net, int type)
+static int set_gss_proxy(struct net *net, int type)
 {
         struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
         int ret = 0;
@@ -1317,10 +1317,12 @@ static inline bool gssp_ready(struct sunrpc_net *sn)
         return false;
 }
 
-static int wait_for_gss_proxy(struct net *net)
+static int wait_for_gss_proxy(struct net *net, struct file *file)
 {
         struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
 
+        if (file->f_flags & O_NONBLOCK && !gssp_ready(sn))
+                return -EAGAIN;
         return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn));
 }
 
@@ -1362,7 +1364,7 @@ static ssize_t read_gssp(struct file *file, char __user *buf,
         size_t len;
         int ret;
 
-        ret = wait_for_gss_proxy(net);
+        ret = wait_for_gss_proxy(net, file);
         if (ret)
                 return ret;
 
diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index c3f9e1ef7f53..06bdf5a1082c 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -810,11 +810,15 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
                 goto badcred;
         argv->iov_base = (void*)((__be32*)argv->iov_base + slen);       /* skip machname */
         argv->iov_len -= slen*4;
-
+        /*
+         * Note: we skip uid_valid()/gid_valid() checks here for
+         * backwards compatibility with clients that use -1 id's.
+         * Instead, -1 uid or gid is later mapped to the
+         * (export-specific) anonymous id by nfsd_setuser.
+         * Supplementary gid's will be left alone.
+         */
         cred->cr_uid = make_kuid(&init_user_ns, svc_getnl(argv)); /* uid */
         cred->cr_gid = make_kgid(&init_user_ns, svc_getnl(argv)); /* gid */
-        if (!uid_valid(cred->cr_uid) || !gid_valid(cred->cr_gid))
-                goto badcred;
         slen = svc_getnl(argv);                 /* gids length */
         if (slen > 16 || (len -= (slen + 2)*4) < 0)
                 goto badcred;
@@ -823,8 +827,6 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
                 return SVC_CLOSE;
         for (i = 0; i < slen; i++) {
                 kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
-                if (!gid_valid(kgid))
-                        goto badcred;
                 GROUP_AT(cred->cr_group_info, i) = kgid;
         }
         if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index dfdb5e643211..b14b7e3cb6e6 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1564,12 +1564,17 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
         struct cfg80211_registered_device *dev;
         s64 filter_wiphy = -1;
         bool split = false;
-        struct nlattr **tb = nl80211_fam.attrbuf;
+        struct nlattr **tb;
         int res;
 
+        /* will be zeroed in nlmsg_parse() */
+        tb = kmalloc(sizeof(*tb) * (NL80211_ATTR_MAX + 1), GFP_KERNEL);
+        if (!tb)
+                return -ENOMEM;
+
         mutex_lock(&cfg80211_mutex);
         res = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
-                          tb, nl80211_fam.maxattr, nl80211_policy);
+                          tb, NL80211_ATTR_MAX, nl80211_policy);
         if (res == 0) {
                 split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
                 if (tb[NL80211_ATTR_WIPHY])
@@ -1583,6 +1588,7 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                         netdev = dev_get_by_index(sock_net(skb->sk), ifidx);
                         if (!netdev) {
                                 mutex_unlock(&cfg80211_mutex);
+                                kfree(tb);
                                 return -ENODEV;
                         }
                         if (netdev->ieee80211_ptr) {
@@ -1593,6 +1599,7 @@ static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
                         dev_put(netdev);
                 }
         }
+        kfree(tb);
 
         list_for_each_entry(dev, &cfg80211_rdev_list, list) {
                 if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
@@ -3411,7 +3418,7 @@ static int nl80211_send_station(struct sk_buff *msg, u32 portid, u32 seq,
                         (u32)sinfo->rx_bytes))
                 goto nla_put_failure;
         if ((sinfo->filled & (STATION_INFO_TX_BYTES |
-                              NL80211_STA_INFO_TX_BYTES64)) &&
+                              STATION_INFO_TX_BYTES64)) &&
             nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
                         (u32)sinfo->tx_bytes))
                 goto nla_put_failure;
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 8b5eddfba1e5..3ed35c345cae 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -231,6 +231,9 @@ void cfg80211_conn_work(struct work_struct *work)
         mutex_lock(&rdev->sched_scan_mtx);
 
         list_for_each_entry(wdev, &rdev->wdev_list, list) {
+                if (!wdev->netdev)
+                        continue;
+
                 wdev_lock(wdev);
                 if (!netif_running(wdev->netdev)) {
                         wdev_unlock(wdev);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 23cea0f74336..ea970b8002a2 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2557,11 +2557,12 @@ static void __xfrm_garbage_collect(struct net *net)
         }
 }
 
-static void xfrm_garbage_collect(struct net *net)
+void xfrm_garbage_collect(struct net *net)
 {
         flow_cache_flush();
         __xfrm_garbage_collect(net);
 }
+EXPORT_SYMBOL(xfrm_garbage_collect);
 
 static void xfrm_garbage_collect_deferred(struct net *net)
 {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index aa778748c565..3f565e495ac6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1681,6 +1681,8 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 out:
         xfrm_pol_put(xp);
+        if (delete && err == 0)
+                xfrm_garbage_collect(net);
         return err;
 }