Merge branch 'master' into upstream

56 files changed, 420 insertions, 364 deletions

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 3d59c9bf8feb..3bccdd12a264 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -510,7 +510,8 @@ static int vlan_dev_open(struct net_device *dev)
         if (vlan->flags & VLAN_FLAG_GVRP)
                 vlan_gvrp_request_join(dev);
 
-        netif_carrier_on(dev);
+        if (netif_carrier_ok(real_dev))
+                netif_carrier_on(dev);
         return 0;
 
 clear_allmulti:
diff --git a/net/9p/client.c b/net/9p/client.c
index dc6f2f26d023..9eb72505308f 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -331,8 +331,10 @@ static void p9_tag_cleanup(struct p9_client *c)
                 }
         }
 
-        if (c->tagpool)
+        if (c->tagpool) {
+                p9_idpool_put(0, c->tagpool); /* free reserved tag 0 */
                 p9_idpool_destroy(c->tagpool);
+        }
 
         /* free requests associated with tags */
         for (row = 0; row < (c->max_tag/P9_ROW_MAXTAG); row++) {
@@ -944,6 +946,7 @@ struct p9_fid *p9_client_walk(struct p9_fid *oldfid, int nwname, char **wnames,
         int16_t nwqids, count;
 
         err = 0;
+        wqids = NULL;
         clnt = oldfid->clnt;
         if (clone) {
                 fid = p9_fid_create(clnt);
@@ -994,9 +997,11 @@ struct p9_fid *p9_client_walk(struct p9_fid *oldfid, int nwname, char **wnames,
         else
                 fid->qid = oldfid->qid;
 
+        kfree(wqids);
         return fid;
 
 clunk_fid:
+        kfree(wqids);
         p9_client_clunk(fid);
         fid = NULL;
 
diff --git a/net/Kconfig b/net/Kconfig
index e330594d3709..e926884c1675 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -217,7 +217,7 @@ source "net/dns_resolver/Kconfig"
 
 config RPS
         boolean
-        depends on SMP && SYSFS
+        depends on SMP && SYSFS && USE_GENERIC_SMP_HELPERS
         default y
 
 menu "Network testing"
diff --git a/net/ax25/ax25_ds_timer.c b/net/ax25/ax25_ds_timer.c
index 2ce79df00680..c7d81436213d 100644
--- a/net/ax25/ax25_ds_timer.c
+++ b/net/ax25/ax25_ds_timer.c
@@ -112,8 +112,8 @@ void ax25_ds_heartbeat_expiry(ax25_cb *ax25)
                         if (sk) {
                                 sock_hold(sk);
                                 ax25_destroy_socket(ax25);
-                                sock_put(sk);
                                 bh_unlock_sock(sk);
+                                sock_put(sk);
                         } else
                                 ax25_destroy_socket(ax25);
                         return;
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 2c911c0759c2..137f23259a93 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -162,8 +162,8 @@ static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
                 if (tmp) {
                         memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
                         atomic_set(&tmp->use, 1);
-                        nf_bridge_put(nf_bridge);
                 }
+                nf_bridge_put(nf_bridge);
                 nf_bridge = tmp;
         }
         return nf_bridge;
@@ -761,9 +761,11 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 {
         if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
             skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
-            !skb_is_gso(skb))
+            !skb_is_gso(skb)) {
+                /* BUG: Should really parse the IP options here. */
+                memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
                 return ip_fragment(skb, br_dev_queue_push_xmit);
-        else
+        } else
                 return br_dev_queue_push_xmit(skb);
 }
 #else
diff --git a/net/caif/cfrfml.c b/net/caif/cfrfml.c
index eb1602022ac0..9a699242d104 100644
--- a/net/caif/cfrfml.c
+++ b/net/caif/cfrfml.c
@@ -7,7 +7,7 @@
 #include <linux/stddef.h>
 #include <linux/spinlock.h>
 #include <linux/slab.h>
-#include <linux/unaligned/le_byteshift.h>
+#include <asm/unaligned.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfsrvl.h>
 #include <net/caif/cfpkt.h>
diff --git a/net/core/dev.c b/net/core/dev.c
index 3721fbb9a83c..660dd41aaaa6 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2058,16 +2058,16 @@ static struct netdev_queue *dev_pick_tx(struct net_device *dev,
                                         struct sk_buff *skb)
 {
         int queue_index;
-        struct sock *sk = skb->sk;
+        const struct net_device_ops *ops = dev->netdev_ops;
 
-        queue_index = sk_tx_queue_get(sk);
-        if (queue_index < 0) {
-                const struct net_device_ops *ops = dev->netdev_ops;
+        if (ops->ndo_select_queue) {
+                queue_index = ops->ndo_select_queue(dev, skb);
+                queue_index = dev_cap_txqueue(dev, queue_index);
+        } else {
+                struct sock *sk = skb->sk;
+                queue_index = sk_tx_queue_get(sk);
+                if (queue_index < 0) {
 
-                if (ops->ndo_select_queue) {
-                        queue_index = ops->ndo_select_queue(dev, skb);
-                        queue_index = dev_cap_txqueue(dev, queue_index);
-                } else {
                         queue_index = 0;
                         if (dev->real_num_tx_queues > 1)
                                 queue_index = skb_tx_hash(dev, skb);
@@ -4845,7 +4845,7 @@ static void rollback_registered_many(struct list_head *head)
         dev = list_first_entry(head, struct net_device, unreg_list);
         call_netdevice_notifiers(NETDEV_UNREGISTER_BATCH, dev);
 
-        synchronize_net();
+        rcu_barrier();
 
         list_for_each_entry(dev, head, unreg_list)
                 dev_put(dev);
diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
index 9fbe7f7429b0..6743146e4d6b 100644
--- a/net/core/gen_estimator.c
+++ b/net/core/gen_estimator.c
@@ -232,7 +232,7 @@ int gen_new_estimator(struct gnet_stats_basic_packed *bstats,
         est->last_packets = bstats->packets;
         est->avpps = rate_est->pps<<10;
 
-        spin_lock(&est_tree_lock);
+        spin_lock_bh(&est_tree_lock);
         if (!elist[idx].timer.function) {
                 INIT_LIST_HEAD(&elist[idx].list);
                 setup_timer(&elist[idx].timer, est_timer, idx);
@@ -243,7 +243,7 @@ int gen_new_estimator(struct gnet_stats_basic_packed *bstats,
 
         list_add_rcu(&est->list, &elist[idx].list);
         gen_add_node(est);
-        spin_unlock(&est_tree_lock);
+        spin_unlock_bh(&est_tree_lock);
 
         return 0;
 }
@@ -270,7 +270,7 @@ void gen_kill_estimator(struct gnet_stats_basic_packed *bstats,
 {
         struct gen_estimator *e;
 
-        spin_lock(&est_tree_lock);
+        spin_lock_bh(&est_tree_lock);
         while ((e = gen_find_node(bstats, rate_est))) {
                 rb_erase(&e->node, &est_root);
 
@@ -281,7 +281,7 @@ void gen_kill_estimator(struct gnet_stats_basic_packed *bstats,
                 list_del_rcu(&e->list);
                 call_rcu(&e->e_rcu, __gen_kill_estimator);
         }
-        spin_unlock(&est_tree_lock);
+        spin_unlock_bh(&est_tree_lock);
 }
 EXPORT_SYMBOL(gen_kill_estimator);
 
@@ -320,9 +320,9 @@ bool gen_estimator_active(const struct gnet_stats_basic_packed *bstats,
 
         ASSERT_RTNL();
 
-        spin_lock(&est_tree_lock);
+        spin_lock_bh(&est_tree_lock);
         res = gen_find_node(bstats, rate_est) != NULL;
-        spin_unlock(&est_tree_lock);
+        spin_unlock_bh(&est_tree_lock);
 
         return res;
 }
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 3a2513f0d0c3..c83b421341c0 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2573,6 +2573,10 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
                 __copy_skb_header(nskb, skb);
                 nskb->mac_len = skb->mac_len;
 
+                /* nskb and skb might have different headroom */
+                if (nskb->ip_summed == CHECKSUM_PARTIAL)
+                        nskb->csum_start += skb_headroom(nskb) - headroom;
+
                 skb_reset_mac_header(nskb);
                 skb_set_network_header(nskb, skb->mac_len);
                 nskb->transport_header = (nskb->network_header +
@@ -2703,7 +2707,7 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb)
                 return -E2BIG;
 
         headroom = skb_headroom(p);
-        nskb = netdev_alloc_skb(p->dev, headroom + skb_gro_offset(p));
+        nskb = alloc_skb(headroom + skb_gro_offset(p), GFP_ATOMIC);
         if (unlikely(!nskb))
                 return -ENOMEM;
 
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 7c3a7d191249..571f8950ed06 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -46,7 +46,7 @@ config IP_ADVANCED_ROUTER
           rp_filter on use:
 
           echo 1 > /proc/sys/net/ipv4/conf/<device>/rp_filter
-           and
+           or
           echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 
           Note that some distributions enable it in startup scripts.
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index f0550941df7b..721a8a37b45c 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -62,8 +62,11 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
         }
         if (!inet->inet_saddr)
                 inet->inet_saddr = rt->rt_src;  /* Update source address */
-        if (!inet->inet_rcv_saddr)
+        if (!inet->inet_rcv_saddr) {
                 inet->inet_rcv_saddr = rt->rt_src;
+                if (sk->sk_prot->rehash)
+                        sk->sk_prot->rehash(sk);
+        }
         inet->inet_daddr = rt->rt_dst;
         inet->inet_dport = usin->sin_port;
         sk->sk_state = TCP_ESTABLISHED;
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index a43968918350..7d02a9f999fa 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -246,6 +246,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
 
         struct fib_result res;
         int no_addr, rpf, accept_local;
+        bool dev_match;
         int ret;
         struct net *net;
 
@@ -273,12 +274,22 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
         }
         *spec_dst = FIB_RES_PREFSRC(res);
         fib_combine_itag(itag, &res);
+        dev_match = false;
+
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-        if (FIB_RES_DEV(res) == dev || res.fi->fib_nhs > 1)
+        for (ret = 0; ret < res.fi->fib_nhs; ret++) {
+                struct fib_nh *nh = &res.fi->fib_nh[ret];
+
+                if (nh->nh_dev == dev) {
+                        dev_match = true;
+                        break;
+                }
+        }
 #else
         if (FIB_RES_DEV(res) == dev)
+                dev_match = true;
 #endif
-        {
+        if (dev_match) {
                 ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
                 fib_res_put(&res);
                 return ret;
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 79d057a939ba..4a8e370862bc 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -186,7 +186,9 @@ static inline struct tnode *node_parent_rcu(struct node *node)
 {
         struct tnode *ret = node_parent(node);
 
-        return rcu_dereference(ret);
+        return rcu_dereference_check(ret,
+                                     rcu_read_lock_held() ||
+                                     lockdep_rtnl_is_held());
 }
 
 /* Same as rcu_assign_pointer
@@ -1753,7 +1755,9 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct node *c)
 
 static struct leaf *trie_firstleaf(struct trie *t)
 {
-        struct tnode *n = (struct tnode *) rcu_dereference(t->trie);
+        struct tnode *n = (struct tnode *) rcu_dereference_check(t->trie,
+                                                        rcu_read_lock_held() ||
+                                                        lockdep_rtnl_is_held());
 
         if (!n)
                 return NULL;
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index a1ad0e7180d2..1fdcacd36ce7 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -834,7 +834,7 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
         int                     mark = 0;
 
 
-        if (len == 8) {
+        if (len == 8 || IGMP_V2_SEEN(in_dev)) {
                 if (ih->code == 0) {
                         /* Alas, old v1 router presents here. */
 
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 6c40a8c46e79..64b70ad162e3 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1129,6 +1129,9 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
         case IP_HDRINCL:
                 val = inet->hdrincl;
                 break;
+        case IP_NODEFRAG:
+                val = inet->nodefrag;
+                break;
         case IP_MTU_DISCOVER:
                 val = inet->pmtudisc;
                 break;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 51d6c3167975..e8f4f9a57f12 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1420,6 +1420,9 @@ static int translate_compat_table(const char *name,
                 if (ret != 0)
                         break;
                 ++i;
+                if (strcmp(arpt_get_target(iter1)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
         }
         if (ret) {
                 /*
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 97b64b22c412..d163f2e3b2e9 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1751,6 +1751,9 @@ translate_compat_table(struct net *net,
                 if (ret != 0)
                         break;
                 ++i;
+                if (strcmp(ipt_get_target(iter1)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
         }
         if (ret) {
                 /*
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 3f56b6e6c6aa..6298f75d5e93 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2738,6 +2738,11 @@ slow_output:
 }
 EXPORT_SYMBOL_GPL(__ip_route_output_key);
 
+static struct dst_entry *ipv4_blackhole_dst_check(struct dst_entry *dst, u32 cookie)
+{
+        return NULL;
+}
+
 static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
@@ -2746,7 +2751,7 @@ static struct dst_ops ipv4_dst_blackhole_ops = {
         .family                 =       AF_INET,
         .protocol               =       cpu_to_be16(ETH_P_IP),
         .destroy                =       ipv4_dst_destroy,
-        .check                  =       ipv4_dst_check,
+        .check                  =       ipv4_blackhole_dst_check,
         .update_pmtu            =       ipv4_rt_blackhole_update_pmtu,
         .entries                =       ATOMIC_INIT(0),
 };
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 176e11aaea77..3fb1428e526e 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -451,7 +451,8 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
                                 if (sk_stream_wspace(sk) >= sk_stream_min_wspace(sk))
                                         mask |= POLLOUT | POLLWRNORM;
                         }
-                }
+                } else
+                        mask |= POLLOUT | POLLWRNORM;
 
                 if (tp->urg_data & TCP_URG_VALID)
                         mask |= POLLPRI;
@@ -2011,11 +2012,8 @@ adjudge_to_death:
                 }
         }
         if (sk->sk_state != TCP_CLOSE) {
-                int orphan_count = percpu_counter_read_positive(
-                                                sk->sk_prot->orphan_count);
-
                 sk_mem_reclaim(sk);
-                if (tcp_too_many_orphans(sk, orphan_count)) {
+                if (tcp_too_many_orphans(sk, 0)) {
                         if (net_ratelimit())
                                 printk(KERN_INFO "TCP: too many of orphaned "
                                        "sockets\n");
@@ -3212,7 +3210,7 @@ void __init tcp_init(void)
 {
         struct sk_buff *skb = NULL;
         unsigned long nr_pages, limit;
-        int order, i, max_share;
+        int i, max_share, cnt;
         unsigned long jiffy = jiffies;
 
         BUILD_BUG_ON(sizeof(struct tcp_skb_cb) > sizeof(skb->cb));
@@ -3261,22 +3259,12 @@ void __init tcp_init(void)
                 INIT_HLIST_HEAD(&tcp_hashinfo.bhash[i].chain);
         }
 
-        /* Try to be a bit smarter and adjust defaults depending
-         * on available memory.
-         */
-        for (order = 0; ((1 << order) << PAGE_SHIFT) <
-                        (tcp_hashinfo.bhash_size * sizeof(struct inet_bind_hashbucket));
-                        order++)
-                ;
-        if (order >= 4) {
-                tcp_death_row.sysctl_max_tw_buckets = 180000;
-                sysctl_tcp_max_orphans = 4096 << (order - 4);
-                sysctl_max_syn_backlog = 1024;
-        } else if (order < 3) {
-                tcp_death_row.sysctl_max_tw_buckets >>= (3 - order);
-                sysctl_tcp_max_orphans >>= (3 - order);
-                sysctl_max_syn_backlog = 128;
-        }
+
+        cnt = tcp_hashinfo.ehash_mask + 1;
+
+        tcp_death_row.sysctl_max_tw_buckets = cnt / 2;
+        sysctl_tcp_max_orphans = cnt / 2;
+        sysctl_max_syn_backlog = max(128, cnt / 256);
 
         /* Set the pressure threshold to be a fraction of global memory that
          * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 0ec9bd0ae94f..850c737e08e2 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -196,10 +196,10 @@ void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
 int tcp_set_allowed_congestion_control(char *val)
 {
         struct tcp_congestion_ops *ca;
-        char *clone, *name;
+        char *saved_clone, *clone, *name;
         int ret = 0;
 
-        clone = kstrdup(val, GFP_USER);
+        saved_clone = clone = kstrdup(val, GFP_USER);
         if (!clone)
                 return -ENOMEM;
 
@@ -226,6 +226,7 @@ int tcp_set_allowed_congestion_control(char *val)
         }
 out:
         spin_unlock(&tcp_cong_list_lock);
+        kfree(saved_clone);
 
         return ret;
 }
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 808bb920c9f5..c35b469e851c 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -66,18 +66,18 @@ static void tcp_write_err(struct sock *sk)
 static int tcp_out_of_resources(struct sock *sk, int do_reset)
 {
         struct tcp_sock *tp = tcp_sk(sk);
-        int orphans = percpu_counter_read_positive(&tcp_orphan_count);
+        int shift = 0;
 
         /* If peer does not open window for long time, or did not transmit
          * anything for long time, penalize it. */
         if ((s32)(tcp_time_stamp - tp->lsndtime) > 2*TCP_RTO_MAX || !do_reset)
-                orphans <<= 1;
+                shift++;
 
         /* If some dubious ICMP arrived, penalize even more. */
         if (sk->sk_err_soft)
-                orphans <<= 1;
+                shift++;
 
-        if (tcp_too_many_orphans(sk, orphans)) {
+        if (tcp_too_many_orphans(sk, shift)) {
                 if (net_ratelimit())
                         printk(KERN_INFO "Out of socket memory\n");
 
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 32e0bef60d0a..fb23c2e63b52 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1260,6 +1260,49 @@ void udp_lib_unhash(struct sock *sk)
 }
 EXPORT_SYMBOL(udp_lib_unhash);
 
+/*
+ * inet_rcv_saddr was changed, we must rehash secondary hash
+ */
+void udp_lib_rehash(struct sock *sk, u16 newhash)
+{
+        if (sk_hashed(sk)) {
+                struct udp_table *udptable = sk->sk_prot->h.udp_table;
+                struct udp_hslot *hslot, *hslot2, *nhslot2;
+
+                hslot2 = udp_hashslot2(udptable, udp_sk(sk)->udp_portaddr_hash);
+                nhslot2 = udp_hashslot2(udptable, newhash);
+                udp_sk(sk)->udp_portaddr_hash = newhash;
+                if (hslot2 != nhslot2) {
+                        hslot = udp_hashslot(udptable, sock_net(sk),
+                                             udp_sk(sk)->udp_port_hash);
+                        /* we must lock primary chain too */
+                        spin_lock_bh(&hslot->lock);
+
+                        spin_lock(&hslot2->lock);
+                        hlist_nulls_del_init_rcu(&udp_sk(sk)->udp_portaddr_node);
+                        hslot2->count--;
+                        spin_unlock(&hslot2->lock);
+
+                        spin_lock(&nhslot2->lock);
+                        hlist_nulls_add_head_rcu(&udp_sk(sk)->udp_portaddr_node,
+                                                 &nhslot2->head);
+                        nhslot2->count++;
+                        spin_unlock(&nhslot2->lock);
+
+                        spin_unlock_bh(&hslot->lock);
+                }
+        }
+}
+EXPORT_SYMBOL(udp_lib_rehash);
+
+static void udp_v4_rehash(struct sock *sk)
+{
+        u16 new_hash = udp4_portaddr_hash(sock_net(sk),
+                                          inet_sk(sk)->inet_rcv_saddr,
+                                          inet_sk(sk)->inet_num);
+        udp_lib_rehash(sk, new_hash);
+}
+
 static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         int rc;
@@ -1843,6 +1886,7 @@ struct proto udp_prot = {
         .backlog_rcv       = __udp_queue_rcv_skb,
         .hash              = udp_lib_hash,
         .unhash            = udp_lib_unhash,
+        .rehash            = udp_v4_rehash,
         .get_port          = udp_v4_get_port,
         .memory_allocated  = &udp_memory_allocated,
         .sysctl_mem        = sysctl_udp_mem,
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 7d929a22cbc2..ef371aa01ac5 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -105,9 +105,12 @@ ipv4_connected:
                 if (ipv6_addr_any(&np->saddr))
                         ipv6_addr_set_v4mapped(inet->inet_saddr, &np->saddr);
 
-                if (ipv6_addr_any(&np->rcv_saddr))
+                if (ipv6_addr_any(&np->rcv_saddr)) {
                         ipv6_addr_set_v4mapped(inet->inet_rcv_saddr,
                                                &np->rcv_saddr);
+                        if (sk->sk_prot->rehash)
+                                sk->sk_prot->rehash(sk);
+                }
 
                 goto out;
         }
@@ -181,6 +184,8 @@ ipv4_connected:
         if (ipv6_addr_any(&np->rcv_saddr)) {
                 ipv6_addr_copy(&np->rcv_saddr, &fl.fl6_src);
                 inet->inet_rcv_saddr = LOOPBACK4_IPV6;
+                if (sk->sk_prot->rehash)
+                        sk->sk_prot->rehash(sk);
         }
 
         ip6_dst_store(sk, dst,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 29a7bca29e3f..8e754be92c24 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1766,6 +1766,9 @@ translate_compat_table(struct net *net,
                 if (ret != 0)
                         break;
                 ++i;
+                if (strcmp(ip6t_get_target(iter1)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
         }
         if (ret) {
                 /*
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 13ef5bc05cf5..578f3c1a16db 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -113,14 +113,6 @@ static void nf_skb_free(struct sk_buff *skb)
                 kfree_skb(NFCT_FRAG6_CB(skb)->orig);
 }
 
-/* Memory Tracking Functions. */
-static void frag_kfree_skb(struct sk_buff *skb)
-{
-        atomic_sub(skb->truesize, &nf_init_frags.mem);
-        nf_skb_free(skb);
-        kfree_skb(skb);
-}
-
 /* Destruction primitives. */
 
 static __inline__ void fq_put(struct nf_ct_frag6_queue *fq)
@@ -282,66 +274,22 @@ static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb,
         }
 
 found:
-        /* We found where to put this one.  Check for overlap with
-         * preceding fragment, and, if needed, align things so that
-         * any overlaps are eliminated.
-         */
-        if (prev) {
-                int i = (NFCT_FRAG6_CB(prev)->offset + prev->len) - offset;
-
-                if (i > 0) {
-                        offset += i;
-                        if (end <= offset) {
-                                pr_debug("overlap\n");
-                                goto err;
-                        }
-                        if (!pskb_pull(skb, i)) {
-                                pr_debug("Can't pull\n");
-                                goto err;
-                        }
-                        if (skb->ip_summed != CHECKSUM_UNNECESSARY)
-                                skb->ip_summed = CHECKSUM_NONE;
-                }
-        }
-
-        /* Look for overlap with succeeding segments.
-         * If we can merge fragments, do it.
+        /* RFC5722, Section 4:
+         *                                  When reassembling an IPv6 datagram, if
+         *   one or more its constituent fragments is determined to be an
+         *   overlapping fragment, the entire datagram (and any constituent
+         *   fragments, including those not yet received) MUST be silently
+         *   discarded.
          */
-        while (next && NFCT_FRAG6_CB(next)->offset < end) {
-                /* overlap is 'i' bytes */
-                int i = end - NFCT_FRAG6_CB(next)->offset;
-
-                if (i < next->len) {
-                        /* Eat head of the next overlapped fragment
-                         * and leave the loop. The next ones cannot overlap.
-                         */
-                        pr_debug("Eat head of the overlapped parts.: %d", i);
-                        if (!pskb_pull(next, i))
-                                goto err;
 
-                        /* next fragment */
-                        NFCT_FRAG6_CB(next)->offset += i;
-                        fq->q.meat -= i;
-                        if (next->ip_summed != CHECKSUM_UNNECESSARY)
-                                next->ip_summed = CHECKSUM_NONE;
-                        break;
-                } else {
-                        struct sk_buff *free_it = next;
-
-                        /* Old fragmnet is completely overridden with
-                         * new one drop it.
-                         */
-                        next = next->next;
+        /* Check for overlap with preceding fragment. */
+        if (prev &&
+            (NFCT_FRAG6_CB(prev)->offset + prev->len) - offset > 0)
+                goto discard_fq;
 
-                        if (prev)
-                                prev->next = next;
-                        else
-                                fq->q.fragments = next;
-
-                        fq->q.meat -= free_it->len;
-                        frag_kfree_skb(free_it);
-                }
-        }
+        /* Look for overlap with succeeding segment. */
+        if (next && NFCT_FRAG6_CB(next)->offset < end)
+                goto discard_fq;
 
         NFCT_FRAG6_CB(skb)->offset = offset;
 
@@ -371,6 +319,8 @@ found:
         write_unlock(&nf_frags.lock);
         return 0;
 
+discard_fq:
+        fq_kill(fq);
 err:
         return -1;
 }
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 545c4141b755..64cfef1b0a4c 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -149,13 +149,6 @@ int ip6_frag_match(struct inet_frag_queue *q, void *a)
 }
 EXPORT_SYMBOL(ip6_frag_match);
 
-/* Memory Tracking Functions. */
-static void frag_kfree_skb(struct netns_frags *nf, struct sk_buff *skb)
-{
-        atomic_sub(skb->truesize, &nf->mem);
-        kfree_skb(skb);
-}
-
 void ip6_frag_init(struct inet_frag_queue *q, void *a)
 {
         struct frag_queue *fq = container_of(q, struct frag_queue, q);
@@ -346,58 +339,22 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb,
         }
 
 found:
-        /* We found where to put this one.  Check for overlap with
-         * preceding fragment, and, if needed, align things so that
-         * any overlaps are eliminated.
+        /* RFC5722, Section 4:
+         *                                  When reassembling an IPv6 datagram, if
+         *   one or more its constituent fragments is determined to be an
+         *   overlapping fragment, the entire datagram (and any constituent
+         *   fragments, including those not yet received) MUST be silently
+         *   discarded.
          */
-        if (prev) {
-                int i = (FRAG6_CB(prev)->offset + prev->len) - offset;
 
-                if (i > 0) {
-                        offset += i;
-                        if (end <= offset)
-                                goto err;
-                        if (!pskb_pull(skb, i))
-                                goto err;
-                        if (skb->ip_summed != CHECKSUM_UNNECESSARY)
-                                skb->ip_summed = CHECKSUM_NONE;
-                }
-        }
+        /* Check for overlap with preceding fragment. */
+        if (prev &&
+            (FRAG6_CB(prev)->offset + prev->len) - offset > 0)
+                goto discard_fq;
 
-        /* Look for overlap with succeeding segments.
-         * If we can merge fragments, do it.
-         */
-        while (next && FRAG6_CB(next)->offset < end) {
-                int i = end - FRAG6_CB(next)->offset; /* overlap is 'i' bytes */
-
-                if (i < next->len) {
-                        /* Eat head of the next overlapped fragment
-                         * and leave the loop. The next ones cannot overlap.
-                         */
-                        if (!pskb_pull(next, i))
-                                goto err;
-                        FRAG6_CB(next)->offset += i;    /* next fragment */
-                        fq->q.meat -= i;
-                        if (next->ip_summed != CHECKSUM_UNNECESSARY)
-                                next->ip_summed = CHECKSUM_NONE;
-                        break;
-                } else {
-                        struct sk_buff *free_it = next;
-
-                        /* Old fragment is completely overridden with
-                         * new one drop it.
-                         */
-                        next = next->next;
-
-                        if (prev)
-                                prev->next = next;
-                        else
-                                fq->q.fragments = next;
-
-                        fq->q.meat -= free_it->len;
-                        frag_kfree_skb(fq->q.net, free_it);
-                }
-        }
+        /* Look for overlap with succeeding segment. */
+        if (next && FRAG6_CB(next)->offset < end)
+                goto discard_fq;
 
         FRAG6_CB(skb)->offset = offset;
 
@@ -436,6 +393,8 @@ found:
         write_unlock(&ip6_frags.lock);
         return -1;
 
+discard_fq:
+        fq_kill(fq);
 err:
         IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
                       IPSTATS_MIB_REASMFAILS);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 1dd1affdead2..5acb3560ff15 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -111,6 +111,15 @@ int udp_v6_get_port(struct sock *sk, unsigned short snum)
         return udp_lib_get_port(sk, snum, ipv6_rcv_saddr_equal, hash2_nulladdr);
 }
 
+static void udp_v6_rehash(struct sock *sk)
+{
+        u16 new_hash = udp6_portaddr_hash(sock_net(sk),
+                                          &inet6_sk(sk)->rcv_saddr,
+                                          inet_sk(sk)->inet_num);
+
+        udp_lib_rehash(sk, new_hash);
+}
+
 static inline int compute_score(struct sock *sk, struct net *net,
                                 unsigned short hnum,
                                 struct in6_addr *saddr, __be16 sport,
@@ -1447,6 +1456,7 @@ struct proto udpv6_prot = {
         .backlog_rcv       = udpv6_queue_rcv_skb,
         .hash              = udp_lib_hash,
         .unhash            = udp_lib_unhash,
+        .rehash            = udp_v6_rehash,
         .get_port          = udp_v6_get_port,
         .memory_allocated  = &udp_memory_allocated,
         .sysctl_mem        = sysctl_udp_mem,
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 79986a674f6e..fd55b5135de5 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 
         err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
         if (err < 0) {
-                kfree(self->ias_obj->name);
-                kfree(self->ias_obj);
+                irias_delete_object(self->ias_obj);
+                self->ias_obj = NULL;
                 goto out;
         }
 
diff --git a/net/irda/irlan/irlan_common.c b/net/irda/irlan/irlan_common.c
index a788f9e9427d..6130f9d9dbe1 100644
--- a/net/irda/irlan/irlan_common.c
+++ b/net/irda/irlan/irlan_common.c
@@ -1102,7 +1102,7 @@ int irlan_extract_param(__u8 *buf, char *name, char *value, __u16 *len)
         memcpy(&val_len, buf+n, 2); /* To avoid alignment problems */
         le16_to_cpus(&val_len); n+=2;
 
-        if (val_len > 1016) {
+        if (val_len >= 1016) {
                 IRDA_DEBUG(2, "%s(), parameter length to long\n", __func__ );
                 return -RSP_INVALID_COMMAND_FORMAT;
         }
diff --git a/net/irda/irlan/irlan_eth.c b/net/irda/irlan/irlan_eth.c
index 9616c32d1076..5bb8353105cc 100644
--- a/net/irda/irlan/irlan_eth.c
+++ b/net/irda/irlan/irlan_eth.c
@@ -169,6 +169,7 @@ static netdev_tx_t irlan_eth_xmit(struct sk_buff *skb,
 {
         struct irlan_cb *self = netdev_priv(dev);
         int ret;
+        unsigned int len;
 
         /* skb headroom large enough to contain all IrDA-headers? */
         if ((skb_headroom(skb) < self->max_header_size) || (skb_shared(skb))) {
@@ -188,6 +189,7 @@ static netdev_tx_t irlan_eth_xmit(struct sk_buff *skb,
 
         dev->trans_start = jiffies;
 
+        len = skb->len;
         /* Now queue the packet in the transport layer */
         if (self->use_udata)
                 ret = irttp_udata_request(self->tsap_data, skb);
@@ -209,7 +211,7 @@ static netdev_tx_t irlan_eth_xmit(struct sk_buff *skb,
                 self->stats.tx_dropped++;
         } else {
                 self->stats.tx_packets++;
-                self->stats.tx_bytes += skb->len;
+                self->stats.tx_bytes += len;
         }
 
         return NETDEV_TX_OK;
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index 58c6c4cda73b..1ae697681bc7 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -132,7 +132,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
                 printk("\n");
         }
 
-        if (data_len < ETH_HLEN)
+        if (!pskb_may_pull(skb, sizeof(ETH_HLEN)))
                 goto error;
 
         secpath_reset(skb);
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 023ba820236f..582612998211 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -1024,7 +1024,8 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
 {
         struct sock *sk = sock->sk;
         struct llc_sock *llc = llc_sk(sk);
-        int rc = -EINVAL, opt;
+        unsigned int opt;
+        int rc = -EINVAL;
 
         lock_sock(sk);
         if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
index e4dae0244d76..cf4aea3ba30f 100644
--- a/net/llc/llc_station.c
+++ b/net/llc/llc_station.c
@@ -689,7 +689,7 @@ static void llc_station_rcv(struct sk_buff *skb)
 
 int __init llc_station_init(void)
 {
-        u16 rc = -ENOBUFS;
+        int rc = -ENOBUFS;
         struct sk_buff *skb;
         struct llc_station_state_ev *ev;
 
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 798a91b100cc..ded5c3843e06 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -732,6 +732,12 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
 
         rtnl_unlock();
 
+        /*
+         * Now all work items will be gone, but the
+         * timer might still be armed, so delete it
+         */
+        del_timer_sync(&local->work_timer);
+
         cancel_work_sync(&local->reconfig_filter);
 
         ieee80211_clear_tx_pending(local);
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 4f8ddba48011..4c2f89df5cce 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -924,6 +924,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
 
         ip_vs_out_stats(cp, skb);
         ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
+        ip_vs_update_conntrack(skb, cp, 0);
         ip_vs_conn_put(cp);
 
         skb->ipvs_property = 1;
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index f228a17ec649..7e9af5b76d9e 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -45,6 +45,7 @@
 #include <linux/netfilter.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_helper.h>
 #include <linux/gfp.h>
 #include <net/protocol.h>
@@ -359,7 +360,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
                 buf_len = strlen(buf);
 
                 ct = nf_ct_get(skb, &ctinfo);
-                if (ct && !nf_ct_is_untracked(ct)) {
+                if (ct && !nf_ct_is_untracked(ct) && nfct_nat(ct)) {
                         /* If mangling fails this function will return 0
                          * which will cause the packet to be dropped.
                          * Mangling can only fail under memory pressure,
@@ -409,7 +410,6 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
         union nf_inet_addr to;
         __be16 port;
         struct ip_vs_conn *n_cp;
-        struct nf_conn *ct;
 
 #ifdef CONFIG_IP_VS_IPV6
         /* This application helper doesn't work with IPv6 yet,
@@ -496,11 +496,6 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
                 ip_vs_control_add(n_cp, cp);
         }
 
-        ct = (struct nf_conn *)skb->nfct;
-        if (ct && ct != &nf_conntrack_untracked)
-                ip_vs_expect_related(skb, ct, n_cp,
-                                     IPPROTO_TCP, &n_cp->dport, 1);
-
         /*
          *      Move tunnel to listen state
          */
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 21e1a5e9b9d3..49df6bea6a2d 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -349,8 +349,8 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
 }
 #endif
 
-static void
-ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp)
+void
+ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
 {
         struct nf_conn *ct = (struct nf_conn *)skb->nfct;
         struct nf_conntrack_tuple new_tuple;
@@ -365,11 +365,17 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp)
          * real-server we will see RIP->DIP.
          */
         new_tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
-        new_tuple.src.u3 = cp->daddr;
+        if (outin)
+                new_tuple.src.u3 = cp->daddr;
+        else
+                new_tuple.dst.u3 = cp->vaddr;
         /*
          * This will also take care of UDP and other protocols.
          */
-        new_tuple.src.u.tcp.port = cp->dport;
+        if (outin)
+                new_tuple.src.u.tcp.port = cp->dport;
+        else
+                new_tuple.dst.u.tcp.port = cp->vport;
         nf_conntrack_alter_reply(ct, &new_tuple);
 }
 
@@ -428,7 +434,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 
         IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
 
-        ip_vs_update_conntrack(skb, cp);
+        ip_vs_update_conntrack(skb, cp, 1);
 
         /* FIXME: when application helper enlarges the packet and the length
            is larger than the MTU of outgoing device, there will be still
@@ -506,7 +512,7 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
 
         IP_VS_DBG_PKT(10, pp, skb, 0, "After DNAT");
 
-        ip_vs_update_conntrack(skb, cp);
+        ip_vs_update_conntrack(skb, cp, 1);
 
         /* FIXME: when application helper enlarges the packet and the length
            is larger than the MTU of outgoing device, there will be still
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 8648a9922aab..cd96ed3ccee4 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1406,7 +1406,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
         struct netlink_sock *nlk = nlk_sk(sk);
         int noblock = flags&MSG_DONTWAIT;
         size_t copied;
-        struct sk_buff *skb, *frag __maybe_unused = NULL;
+        struct sk_buff *skb, *data_skb;
         int err;
 
         if (flags&MSG_OOB)
@@ -1418,45 +1418,35 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
         if (skb == NULL)
                 goto out;
 
+        data_skb = skb;
+
 #ifdef CONFIG_COMPAT_NETLINK_MESSAGES
         if (unlikely(skb_shinfo(skb)->frag_list)) {
-                bool need_compat = !!(flags & MSG_CMSG_COMPAT);
-
                 /*
-                 * If this skb has a frag_list, then here that means that
-                 * we will have to use the frag_list skb for compat tasks
-                 * and the regular skb for non-compat tasks.
+                 * If this skb has a frag_list, then here that means that we
+                 * will have to use the frag_list skb's data for compat tasks
+                 * and the regular skb's data for normal (non-compat) tasks.
                  *
-                 * The skb might (and likely will) be cloned, so we can't
-                 * just reset frag_list and go on with things -- we need to
-                 * keep that. For the compat case that's easy -- simply get
-                 * a reference to the compat skb and free the regular one
-                 * including the frag. For the non-compat case, we need to
-                 * avoid sending the frag to the user -- so assign NULL but
-                 * restore it below before freeing the skb.
+                 * If we need to send the compat skb, assign it to the
+                 * 'data_skb' variable so that it will be used below for data
+                 * copying. We keep 'skb' for everything else, including
+                 * freeing both later.
                  */
-                if (need_compat) {
-                        struct sk_buff *compskb = skb_shinfo(skb)->frag_list;
-                        skb_get(compskb);
-                        kfree_skb(skb);
-                        skb = compskb;
-                } else {
-                        frag = skb_shinfo(skb)->frag_list;
-                        skb_shinfo(skb)->frag_list = NULL;
-                }
+                if (flags & MSG_CMSG_COMPAT)
+                        data_skb = skb_shinfo(skb)->frag_list;
         }
 #endif
 
         msg->msg_namelen = 0;
 
-        copied = skb->len;
+        copied = data_skb->len;
         if (len < copied) {
                 msg->msg_flags |= MSG_TRUNC;
                 copied = len;
         }
 
-        skb_reset_transport_header(skb);
-        err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+        skb_reset_transport_header(data_skb);
+        err = skb_copy_datagram_iovec(data_skb, 0, msg->msg_iov, copied);
 
         if (msg->msg_name) {
                 struct sockaddr_nl *addr = (struct sockaddr_nl *)msg->msg_name;
@@ -1476,11 +1466,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
         }
         siocb->scm->creds = *NETLINK_CREDS(skb);
         if (flags & MSG_TRUNC)
-                copied = skb->len;
-
-#ifdef CONFIG_COMPAT_NETLINK_MESSAGES
-        skb_shinfo(skb)->frag_list = frag;
-#endif
+                copied = data_skb->len;
 
         skb_free_datagram(sk, skb);
 
@@ -2116,6 +2102,26 @@ static void __net_exit netlink_net_exit(struct net *net)
 #endif
 }
 
+static void __init netlink_add_usersock_entry(void)
+{
+        unsigned long *listeners;
+        int groups = 32;
+
+        listeners = kzalloc(NLGRPSZ(groups) + sizeof(struct listeners_rcu_head),
+                            GFP_KERNEL);
+        if (!listeners)
+                panic("netlink_add_usersock_entry: Cannot allocate listneres\n");
+
+        netlink_table_grab();
+
+        nl_table[NETLINK_USERSOCK].groups = groups;
+        nl_table[NETLINK_USERSOCK].listeners = listeners;
+        nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
+        nl_table[NETLINK_USERSOCK].registered = 1;
+
+        netlink_table_ungrab();
+}
+
 static struct pernet_operations __net_initdata netlink_net_ops = {
         .init = netlink_net_init,
         .exit = netlink_net_exit,
@@ -2164,6 +2170,8 @@ static int __init netlink_proto_init(void)
                 hash->rehash_time = jiffies;
         }
 
+        netlink_add_usersock_entry();
+
         sock_register(&netlink_family_ops);
         register_pernet_subsys(&netlink_net_ops);
         /* The netlink device handler may be needed early. */
diff --git a/net/rds/recv.c b/net/rds/recv.c
index 795a00b7f2cb..c93588c2d553 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -297,7 +297,7 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc,
 int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr)
 {
         struct rds_notifier *notifier;
-        struct rds_rdma_notify cmsg;
+        struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */
         unsigned int count = 0, max_messages = ~0U;
         unsigned long flags;
         LIST_HEAD(copy);
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 537a48732e9e..7ebf7439b478 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -350,22 +350,19 @@ tcf_act_police_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
 {
         unsigned char *b = skb_tail_pointer(skb);
         struct tcf_police *police = a->priv;
-        struct tc_police opt;
-
-        opt.index = police->tcf_index;
-        opt.action = police->tcf_action;
-        opt.mtu = police->tcfp_mtu;
-        opt.burst = police->tcfp_burst;
-        opt.refcnt = police->tcf_refcnt - ref;
-        opt.bindcnt = police->tcf_bindcnt - bind;
+        struct tc_police opt = {
+                .index = police->tcf_index,
+                .action = police->tcf_action,
+                .mtu = police->tcfp_mtu,
+                .burst = police->tcfp_burst,
+                .refcnt = police->tcf_refcnt - ref,
+                .bindcnt = police->tcf_bindcnt - bind,
+        };
+
         if (police->tcfp_R_tab)
                 opt.rate = police->tcfp_R_tab->rate;
-        else
-                memset(&opt.rate, 0, sizeof(opt.rate));
         if (police->tcfp_P_tab)
                 opt.peakrate = police->tcfp_P_tab->rate;
-        else
-                memset(&opt.peakrate, 0, sizeof(opt.peakrate));
         NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
         if (police->tcfp_result)
                 NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index 340662789529..6318e1136b83 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -255,10 +255,6 @@ static int atm_tc_change(struct Qdisc *sch, u32 classid, u32 parent,
                         error = -EINVAL;
                         goto err_out;
                 }
-                if (!list_empty(&flow->list)) {
-                        error = -EEXIST;
-                        goto err_out;
-                }
         } else {
                 int i;
                 unsigned long cl;
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index abd904be4287..47496098d35c 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -761,8 +761,8 @@ init_vf(struct hfsc_class *cl, unsigned int len)
                 if (f != cl->cl_f) {
                         cl->cl_f = f;
                         cftree_update(cl);
-                        update_cfmin(cl->cl_parent);
                 }
+                update_cfmin(cl->cl_parent);
         }
 }
 
diff --git a/net/sctp/output.c b/net/sctp/output.c
index a646681f5acd..bcc4590ccaf2 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
         SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
                           packet, vtag);
 
-        sctp_packet_reset(packet);
         packet->vtag = vtag;
 
         if (ecn_capable && sctp_packet_empty(packet)) {
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 24b2cd555637..d344dc481ccc 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1232,6 +1232,18 @@ out:
         return 0;
 }
 
+static bool list_has_sctp_addr(const struct list_head *list,
+                               union sctp_addr *ipaddr)
+{
+        struct sctp_transport *addr;
+
+        list_for_each_entry(addr, list, transports) {
+                if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
+                        return true;
+        }
+
+        return false;
+}
 /* A restart is occurring, check to make sure no new addresses
  * are being added as we may be under a takeover attack.
  */
@@ -1240,10 +1252,10 @@ static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
                                        struct sctp_chunk *init,
                                        sctp_cmd_seq_t *commands)
 {
-        struct sctp_transport *new_addr, *addr;
-        int found;
+        struct sctp_transport *new_addr;
+        int ret = 1;
 
-        /* Implementor's Guide - Sectin 5.2.2
+        /* Implementor's Guide - Section 5.2.2
          * ...
          * Before responding the endpoint MUST check to see if the
          * unexpected INIT adds new addresses to the association. If new
@@ -1254,31 +1266,19 @@ static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
         /* Search through all current addresses and make sure
          * we aren't adding any new ones.
          */
-        new_addr = NULL;
-        found = 0;
-
         list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
-                        transports) {
-                found = 0;
-                list_for_each_entry(addr, &asoc->peer.transport_addr_list,
-                                transports) {
-                        if (sctp_cmp_addr_exact(&new_addr->ipaddr,
-                                                &addr->ipaddr)) {
-                                found = 1;
-                                break;
-                        }
-                }
-                if (!found)
+                            transports) {
+                if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
+                                        &new_addr->ipaddr)) {
+                        sctp_sf_send_restart_abort(&new_addr->ipaddr, init,
+                                                   commands);
+                        ret = 0;
                         break;
-        }
-
-        /* If a new address was added, ABORT the sender. */
-        if (!found && new_addr) {
-                sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands);
+                }
         }
 
         /* Return success if all addresses were found. */
-        return found;
+        return ret;
 }
 
 /* Populate the verification/tie tags based on overlapping INIT
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
index 36cb66022a27..e9eaaf7d43c1 100644
--- a/net/sunrpc/auth.c
+++ b/net/sunrpc/auth.c
@@ -38,7 +38,7 @@ static const struct rpc_authops *auth_flavors[RPC_AUTH_MAXFLAVOR] = {
 static LIST_HEAD(cred_unused);
 static unsigned long number_cred_unused;
 
-#define MAX_HASHTABLE_BITS (10) 
+#define MAX_HASHTABLE_BITS (14)
 static int param_set_hashtbl_sz(const char *val, const struct kernel_param *kp)
 {
         unsigned long num;
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index dcfc66bab2bb..12c485982814 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -745,17 +745,18 @@ gss_pipe_release(struct inode *inode)
         struct rpc_inode *rpci = RPC_I(inode);
         struct gss_upcall_msg *gss_msg;
 
+restart:
         spin_lock(&inode->i_lock);
-        while (!list_empty(&rpci->in_downcall)) {
+        list_for_each_entry(gss_msg, &rpci->in_downcall, list) {
 
-                gss_msg = list_entry(rpci->in_downcall.next,
-                                struct gss_upcall_msg, list);
+                if (!list_empty(&gss_msg->msg.list))
+                        continue;
                 gss_msg->msg.errno = -EPIPE;
                 atomic_inc(&gss_msg->count);
                 __gss_unhash_msg(gss_msg);
                 spin_unlock(&inode->i_lock);
                 gss_release_msg(gss_msg);
-                spin_lock(&inode->i_lock);
+                goto restart;
         }
         spin_unlock(&inode->i_lock);
 
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 032644610524..778e5dfc5144 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -237,6 +237,7 @@ get_key(const void *p, const void *end,
         if (!supported_gss_krb5_enctype(alg)) {
                 printk(KERN_WARNING "gss_kerberos_mech: unsupported "
                         "encryption key algorithm %d\n", alg);
+                p = ERR_PTR(-EINVAL);
                 goto out_err;
         }
         p = simple_get_netobj(p, end, &key);
@@ -282,15 +283,19 @@ gss_import_v1_context(const void *p, const void *end, struct krb5_ctx *ctx)
         ctx->enctype = ENCTYPE_DES_CBC_RAW;
 
         ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
-        if (ctx->gk5e == NULL)
+        if (ctx->gk5e == NULL) {
+                p = ERR_PTR(-EINVAL);
                 goto out_err;
+        }
 
         /* The downcall format was designed before we completely understood
          * the uses of the context fields; so it includes some stuff we
          * just give some minimal sanity-checking, and some we ignore
          * completely (like the next twenty bytes): */
-        if (unlikely(p + 20 > end || p + 20 < p))
+        if (unlikely(p + 20 > end || p + 20 < p)) {
+                p = ERR_PTR(-EFAULT);
                 goto out_err;
+        }
         p += 20;
         p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
         if (IS_ERR(p))
@@ -619,6 +624,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
         if (ctx->seq_send64 != ctx->seq_send) {
                 dprintk("%s: seq_send64 %lx, seq_send %x overflow?\n", __func__,
                         (long unsigned)ctx->seq_send64, ctx->seq_send);
+                p = ERR_PTR(-EINVAL);
                 goto out_err;
         }
         p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
diff --git a/net/sunrpc/auth_gss/gss_spkm3_mech.c b/net/sunrpc/auth_gss/gss_spkm3_mech.c
index dc3f1f5ed865..adade3d313f2 100644
--- a/net/sunrpc/auth_gss/gss_spkm3_mech.c
+++ b/net/sunrpc/auth_gss/gss_spkm3_mech.c
@@ -100,6 +100,7 @@ gss_import_sec_context_spkm3(const void *p, size_t len,
         if (version != 1) {
                 dprintk("RPC:       unknown spkm3 token format: "
                                 "obsolete nfs-utils?\n");
+                p = ERR_PTR(-EINVAL);
                 goto out_err_free_ctx;
         }
 
@@ -135,8 +136,10 @@ gss_import_sec_context_spkm3(const void *p, size_t len,
         if (IS_ERR(p))
                 goto out_err_free_intg_alg;
 
-        if (p != end)
+        if (p != end) {
+                p = ERR_PTR(-EFAULT);
                 goto out_err_free_intg_key;
+        }
 
         ctx_id->internal_ctx_id = ctx;
 
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 2388d83b68ff..fa5549079d79 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -226,7 +226,7 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, stru
                         goto out_no_principal;
         }
 
-        kref_init(&clnt->cl_kref);
+        atomic_set(&clnt->cl_count, 1);
 
         err = rpc_setup_pipedir(clnt, program->pipe_dir_name);
         if (err < 0)
@@ -390,14 +390,14 @@ rpc_clone_client(struct rpc_clnt *clnt)
                 if (new->cl_principal == NULL)
                         goto out_no_principal;
         }
-        kref_init(&new->cl_kref);
+        atomic_set(&new->cl_count, 1);
         err = rpc_setup_pipedir(new, clnt->cl_program->pipe_dir_name);
         if (err != 0)
                 goto out_no_path;
         if (new->cl_auth)
                 atomic_inc(&new->cl_auth->au_count);
         xprt_get(clnt->cl_xprt);
-        kref_get(&clnt->cl_kref);
+        atomic_inc(&clnt->cl_count);
         rpc_register_client(new);
         rpciod_up();
         return new;
@@ -465,10 +465,8 @@ EXPORT_SYMBOL_GPL(rpc_shutdown_client);
  * Free an RPC client
  */
 static void
-rpc_free_client(struct kref *kref)
+rpc_free_client(struct rpc_clnt *clnt)
 {
-        struct rpc_clnt *clnt = container_of(kref, struct rpc_clnt, cl_kref);
-
         dprintk("RPC:       destroying %s client for %s\n",
                         clnt->cl_protname, clnt->cl_server);
         if (!IS_ERR(clnt->cl_path.dentry)) {
@@ -495,12 +493,10 @@ out_free:
  * Free an RPC client
  */
 static void
-rpc_free_auth(struct kref *kref)
+rpc_free_auth(struct rpc_clnt *clnt)
 {
-        struct rpc_clnt *clnt = container_of(kref, struct rpc_clnt, cl_kref);
-
         if (clnt->cl_auth == NULL) {
-                rpc_free_client(kref);
+                rpc_free_client(clnt);
                 return;
         }
 
@@ -509,10 +505,11 @@ rpc_free_auth(struct kref *kref)
          *       release remaining GSS contexts. This mechanism ensures
          *       that it can do so safely.
          */
-        kref_init(kref);
+        atomic_inc(&clnt->cl_count);
         rpcauth_release(clnt->cl_auth);
         clnt->cl_auth = NULL;
-        kref_put(kref, rpc_free_client);
+        if (atomic_dec_and_test(&clnt->cl_count))
+                rpc_free_client(clnt);
 }
 
 /*
@@ -525,7 +522,8 @@ rpc_release_client(struct rpc_clnt *clnt)
 
         if (list_empty(&clnt->cl_tasks))
                 wake_up(&destroy_wait);
-        kref_put(&clnt->cl_kref, rpc_free_auth);
+        if (atomic_dec_and_test(&clnt->cl_count))
+                rpc_free_auth(clnt);
 }
 
 /**
@@ -588,7 +586,7 @@ void rpc_task_set_client(struct rpc_task *task, struct rpc_clnt *clnt)
         if (clnt != NULL) {
                 rpc_task_release_client(task);
                 task->tk_client = clnt;
-                kref_get(&clnt->cl_kref);
+                atomic_inc(&clnt->cl_count);
                 if (clnt->cl_softrtry)
                         task->tk_flags |= RPC_TASK_SOFT;
                 /* Add to the client's list of all tasks */
@@ -931,7 +929,7 @@ call_reserveresult(struct rpc_task *task)
         task->tk_status = 0;
         if (status >= 0) {
                 if (task->tk_rqstp) {
-                        task->tk_action = call_allocate;
+                        task->tk_action = call_refresh;
                         return;
                 }
 
@@ -966,13 +964,54 @@ call_reserveresult(struct rpc_task *task)
 }
 
 /*
- * 2.   Allocate the buffer. For details, see sched.c:rpc_malloc.
+ * 2.   Bind and/or refresh the credentials
+ */
+static void
+call_refresh(struct rpc_task *task)
+{
+        dprint_status(task);
+
+        task->tk_action = call_refreshresult;
+        task->tk_status = 0;
+        task->tk_client->cl_stats->rpcauthrefresh++;
+        rpcauth_refreshcred(task);
+}
+
+/*
+ * 2a.  Process the results of a credential refresh
+ */
+static void
+call_refreshresult(struct rpc_task *task)
+{
+        int status = task->tk_status;
+
+        dprint_status(task);
+
+        task->tk_status = 0;
+        task->tk_action = call_allocate;
+        if (status >= 0 && rpcauth_uptodatecred(task))
+                return;
+        switch (status) {
+        case -EACCES:
+                rpc_exit(task, -EACCES);
+                return;
+        case -ENOMEM:
+                rpc_exit(task, -ENOMEM);
+                return;
+        case -ETIMEDOUT:
+                rpc_delay(task, 3*HZ);
+        }
+        task->tk_action = call_refresh;
+}
+
+/*
+ * 2b.  Allocate the buffer. For details, see sched.c:rpc_malloc.
  *      (Note: buffer memory is freed in xprt_release).
  */
 static void
 call_allocate(struct rpc_task *task)
 {
-        unsigned int slack = task->tk_client->cl_auth->au_cslack;
+        unsigned int slack = task->tk_rqstp->rq_cred->cr_auth->au_cslack;
         struct rpc_rqst *req = task->tk_rqstp;
         struct rpc_xprt *xprt = task->tk_xprt;
         struct rpc_procinfo *proc = task->tk_msg.rpc_proc;
@@ -980,7 +1019,7 @@ call_allocate(struct rpc_task *task)
         dprint_status(task);
 
         task->tk_status = 0;
-        task->tk_action = call_refresh;
+        task->tk_action = call_bind;
 
         if (req->rq_buffer)
                 return;
@@ -1017,47 +1056,6 @@ call_allocate(struct rpc_task *task)
         rpc_exit(task, -ERESTARTSYS);
 }
 
-/*
- * 2a.  Bind and/or refresh the credentials
- */
-static void
-call_refresh(struct rpc_task *task)
-{
-        dprint_status(task);
-
-        task->tk_action = call_refreshresult;
-        task->tk_status = 0;
-        task->tk_client->cl_stats->rpcauthrefresh++;
-        rpcauth_refreshcred(task);
-}
-
-/*
- * 2b.  Process the results of a credential refresh
- */
-static void
-call_refreshresult(struct rpc_task *task)
-{
-        int status = task->tk_status;
-
-        dprint_status(task);
-
-        task->tk_status = 0;
-        task->tk_action = call_bind;
-        if (status >= 0 && rpcauth_uptodatecred(task))
-                return;
-        switch (status) {
-        case -EACCES:
-                rpc_exit(task, -EACCES);
-                return;
-        case -ENOMEM:
-                rpc_exit(task, -ENOMEM);
-                return;
-        case -ETIMEDOUT:
-                rpc_delay(task, 3*HZ);
-        }
-        task->tk_action = call_refresh;
-}
-
 static inline int
 rpc_task_need_encode(struct rpc_task *task)
 {
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index 95ccbcf45d3e..8c8eef2b8f26 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -48,7 +48,7 @@ static void rpc_purge_list(struct rpc_inode *rpci, struct list_head *head,
                 return;
         do {
                 msg = list_entry(head->next, struct rpc_pipe_msg, list);
-                list_del(&msg->list);
+                list_del_init(&msg->list);
                 msg->errno = err;
                 destroy_msg(msg);
         } while (!list_empty(head));
@@ -208,7 +208,7 @@ rpc_pipe_release(struct inode *inode, struct file *filp)
         if (msg != NULL) {
                 spin_lock(&inode->i_lock);
                 msg->errno = -EAGAIN;
-                list_del(&msg->list);
+                list_del_init(&msg->list);
                 spin_unlock(&inode->i_lock);
                 rpci->ops->destroy_msg(msg);
         }
@@ -268,7 +268,7 @@ rpc_pipe_read(struct file *filp, char __user *buf, size_t len, loff_t *offset)
         if (res < 0 || msg->len == msg->copied) {
                 filp->private_data = NULL;
                 spin_lock(&inode->i_lock);
-                list_del(&msg->list);
+                list_del_init(&msg->list);
                 spin_unlock(&inode->i_lock);
                 rpci->ops->destroy_msg(msg);
         }
@@ -371,21 +371,23 @@ rpc_show_info(struct seq_file *m, void *v)
 static int
 rpc_info_open(struct inode *inode, struct file *file)
 {
-        struct rpc_clnt *clnt;
+        struct rpc_clnt *clnt = NULL;
         int ret = single_open(file, rpc_show_info, NULL);
 
         if (!ret) {
                 struct seq_file *m = file->private_data;
-                mutex_lock(&inode->i_mutex);
-                clnt = RPC_I(inode)->private;
-                if (clnt) {
-                        kref_get(&clnt->cl_kref);
+
+                spin_lock(&file->f_path.dentry->d_lock);
+                if (!d_unhashed(file->f_path.dentry))
+                        clnt = RPC_I(inode)->private;
+                if (clnt != NULL && atomic_inc_not_zero(&clnt->cl_count)) {
+                        spin_unlock(&file->f_path.dentry->d_lock);
                         m->private = clnt;
                 } else {
+                        spin_unlock(&file->f_path.dentry->d_lock);
                         single_release(inode, file);
                         ret = -EINVAL;
                 }
-                mutex_unlock(&inode->i_mutex);
         }
         return ret;
 }
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 4414a18c63b4..0b39b2451ea5 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -692,6 +692,7 @@ static int unix_autobind(struct socket *sock)
         static u32 ordernum = 1;
         struct unix_address *addr;
         int err;
+        unsigned int retries = 0;
 
         mutex_lock(&u->readlock);
 
@@ -717,9 +718,17 @@ retry:
         if (__unix_find_socket_byname(net, addr->name, addr->len, sock->type,
                                       addr->hash)) {
                 spin_unlock(&unix_table_lock);
-                /* Sanity yield. It is unusual case, but yet... */
-                if (!(ordernum&0xFF))
-                        yield();
+                /*
+                 * __unix_find_socket_byname() may take long time if many names
+                 * are already in use.
+                 */
+                cond_resched();
+                /* Give up if all names seems to be in use. */
+                if (retries++ == 0xFFFFF) {
+                        err = -ENOSPC;
+                        kfree(addr);
+                        goto out;
+                }
                 goto retry;
         }
         addr->hash ^= sk->sk_type;
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 541e2fff5e9c..d6d046b9f6f2 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -475,12 +475,10 @@ int wiphy_register(struct wiphy *wiphy)
         mutex_lock(&cfg80211_mutex);
 
         res = device_add(&rdev->wiphy.dev);
-        if (res)
-                goto out_unlock;
-
-        res = rfkill_register(rdev->rfkill);
-        if (res)
-                goto out_rm_dev;
+        if (res) {
+                mutex_unlock(&cfg80211_mutex);
+                return res;
+        }
 
         /* set up regulatory info */
         wiphy_update_regulatory(wiphy, NL80211_REGDOM_SET_BY_CORE);
@@ -509,13 +507,18 @@ int wiphy_register(struct wiphy *wiphy)
         cfg80211_debugfs_rdev_add(rdev);
         mutex_unlock(&cfg80211_mutex);
 
+        /*
+         * due to a locking dependency this has to be outside of the
+         * cfg80211_mutex lock
+         */
+        res = rfkill_register(rdev->rfkill);
+        if (res)
+                goto out_rm_dev;
+
         return 0;
 
 out_rm_dev:
         device_del(&rdev->wiphy.dev);
-
-out_unlock:
-        mutex_unlock(&cfg80211_mutex);
         return res;
 }
 EXPORT_SYMBOL(wiphy_register);
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index bb5e0a5ecfa1..7e5c3a45f811 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_device *dev,
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
 
+        data->flags = 0;
+        data->length = 0;
+
         switch (wdev->iftype) {
         case NL80211_IFTYPE_ADHOC:
                 return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index 0ef17bc42bac..8f5116f5af19 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
                 }
         }
 
+        if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
+                /*
+                 * If this is a GET, but not NOMAX, it means that the extra
+                 * data is not bounded by userspace, but by max_tokens. Thus
+                 * set the length to max_tokens. This matches the extra data
+                 * allocation.
+                 * The driver should fill it with the number of tokens it
+                 * provided, and it may check iwp->length rather than having
+                 * knowledge of max_tokens. If the driver doesn't change the
+                 * iwp->length, this ioctl just copies back max_token tokens
+                 * filled with zeroes. Hopefully the driver isn't claiming
+                 * them to be valid data.
+                 */
+                iwp->length = descr->max_tokens;
+        }
+
         err = handler(dev, info, (union iwreq_data *) iwp, extra);
 
         iwp->length += essid_compat;
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index a3cca0a94346..64f2ae1fdc15 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -101,7 +101,7 @@ resume:
                         err = -EHOSTUNREACH;
                         goto error_nolock;
                 }
-                skb_dst_set_noref(skb, dst);
+                skb_dst_set(skb, dst_clone(dst));
                 x = dst->xfrm;
         } while (x && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL));
 
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b14ed4b1f27c..8bae6b22c846 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1801,7 +1801,7 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
         struct xfrm_user_expire *ue = nlmsg_data(nlh);
         struct xfrm_usersa_info *p = &ue->state;
         struct xfrm_mark m;
-        u32 mark = xfrm_mark_get(attrs, &m);;
+        u32 mark = xfrm_mark_get(attrs, &m);
 
         x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family);