Merge tag 'v3.6-rc6' into for-3.7

Linux 3.6-rc6 has all our bug fixes. Conflicts (trivial overlap): sound/soc/omap/am3517evm.c
author: Mark Brown <broonie@opensource.wolfsonmicro.com> 2012-09-22 11:26:27 -0400
committer: Mark Brown <broonie@opensource.wolfsonmicro.com> 2012-09-22 11:26:27 -0400
commit: ddfb43f3881edb47aa0083651ad31983cdc42c33 (patch)
tree: 7128cb13b599d2903a4deb05bbae37508b1c261e /net
parent: 2d6d649a2e0fa0268c0d03d5b1d330ca7907d33c (diff)
parent: 5698bd757d55b1bb87edd1a9744ab09c142abfc2 (diff)
48 files changed, 286 insertions, 179 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 5ad7da217474..3c094e78dde9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -29,6 +29,7 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/a2mp.h>
+#include <net/bluetooth/smp.h>
 static void hci_le_connect(struct hci_conn *conn)
 {
@@ -619,6 +620,9 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
 {
        BT_DBG("hcon %p", conn);
+        if (conn->type == LE_LINK)
+                return smp_conn_security(conn, sec_level);
        /* For sdp we don't need the link key. */
        if (sec_level == BT_SECURITY_SDP)
                return 1;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index daa149b7003c..4ea1710a4783 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1199,14 +1199,15 @@ clean:
 static void l2cap_conn_ready(struct l2cap_conn *conn)
 {
        struct l2cap_chan *chan;
+        struct hci_conn *hcon = conn->hcon;
        BT_DBG("conn %p", conn);
-        if (!conn->hcon->out && conn->hcon->type == LE_LINK)
+        if (!hcon->out && hcon->type == LE_LINK)
                l2cap_le_conn_ready(conn);
-        if (conn->hcon->out && conn->hcon->type == LE_LINK)
+        if (hcon->out && hcon->type == LE_LINK)
-                smp_conn_security(conn, conn->hcon->pending_sec_level);
+                smp_conn_security(hcon, hcon->pending_sec_level);
        mutex_lock(&conn->chan_lock);
@@ -1219,8 +1220,8 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
                        continue;
                }
-                if (conn->hcon->type == LE_LINK) {
+                if (hcon->type == LE_LINK) {
-                        if (smp_conn_security(conn, chan->sec_level))
+                        if (smp_conn_security(hcon, chan->sec_level))
                                l2cap_chan_ready(chan);
                } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1497edd191a2..34bbe1c5e389 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -616,7 +616,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                                break;
                        }
-                        if (smp_conn_security(conn, sec.level))
+                        if (smp_conn_security(conn->hcon, sec.level))
                                break;
                        sk->sk_state = BT_CONFIG;
                        chan->state = BT_CONFIG;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 901a616c8083..8c225ef349cd 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -267,10 +267,10 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
        mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
                         hcon->dst_type, reason);
-        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+        cancel_delayed_work_sync(&conn->security_timer);
-                cancel_delayed_work_sync(&conn->security_timer);
+        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
                smp_chan_destroy(conn);
-        }
 }
 #define JUST_WORKS      0x00
@@ -760,9 +760,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        return 0;
 }
-int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
+int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
 {
-        struct hci_conn *hcon = conn->hcon;
+        struct l2cap_conn *conn = hcon->l2cap_data;
        struct smp_chan *smp = conn->smp_chan;
        __u8 authreq;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index f88ee537fb2b..92de5e5f9db2 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -80,7 +80,7 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
        unsigned int bitmask;
        spin_lock_bh(&ebt_log_lock);
-        printk("<%c>%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
+        printk(KERN_SOH "%c%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
               '0' + loginfo->u.log.level, prefix,
               in ? in->name : "", out ? out->name : "",
               eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
diff --git a/net/caif/cfsrvl.c b/net/caif/cfsrvl.c
index dd485f6128e8..ba217e90765e 100644
--- a/net/caif/cfsrvl.c
+++ b/net/caif/cfsrvl.c
@@ -211,9 +211,10 @@ void caif_client_register_refcnt(struct cflayer *adapt_layer,
                                        void (*put)(struct cflayer *lyr))
 {
        struct cfsrvl *service;
-        service = container_of(adapt_layer->dn, struct cfsrvl, layer);
-        WARN_ON(adapt_layer == NULL || adapt_layer->dn == NULL);
+        if (WARN_ON(adapt_layer == NULL || adapt_layer->dn == NULL))
+                return;
+        service = container_of(adapt_layer->dn, struct cfsrvl, layer);
        service->hold = hold;
        service->put = put;
 }
diff --git a/net/core/dev.c b/net/core/dev.c
index 83988362805e..d7fe32c946c1 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2647,15 +2647,16 @@ void __skb_get_rxhash(struct sk_buff *skb)
        if (!skb_flow_dissect(skb, &keys))
                return;
-        if (keys.ports) {
+        if (keys.ports)
-                if ((__force u16)keys.port16[1] < (__force u16)keys.port16[0])
-                        swap(keys.port16[0], keys.port16[1]);
                skb->l4_rxhash = 1;
-        }
        /* get a consistent hash (same value on both flow directions) */
-        if ((__force u32)keys.dst < (__force u32)keys.src)
+        if (((__force u32)keys.dst < (__force u32)keys.src) ||
+            (((__force u32)keys.dst == (__force u32)keys.src) &&
+             ((__force u16)keys.port16[1] < (__force u16)keys.port16[0]))) {
                swap(keys.dst, keys.src);
+                swap(keys.port16[0], keys.port16[1]);
+        }
        hash = jhash_3words((__force u32)keys.dst,
                            (__force u32)keys.src,
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 346b1eb83a1f..e4ba3e70c174 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -168,24 +168,16 @@ static void poll_napi(struct net_device *dev)
        struct napi_struct *napi;
        int budget = 16;
-        WARN_ON_ONCE(!irqs_disabled());
        list_for_each_entry(napi, &dev->napi_list, dev_list) {
-                local_irq_enable();
                if (napi->poll_owner != smp_processor_id() &&
                    spin_trylock(&napi->poll_lock)) {
-                        rcu_read_lock_bh();
                        budget = poll_one_napi(rcu_dereference_bh(dev->npinfo),
                                               napi, budget);
-                        rcu_read_unlock_bh();
                        spin_unlock(&napi->poll_lock);
-                        if (!budget) {
+                        if (!budget)
-                                local_irq_disable();
                                break;
-                        }
                }
-                local_irq_disable();
        }
 }
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index cce9e53528b1..148e73d2c451 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2721,7 +2721,7 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
        /* Eth + IPh + UDPh + mpls */
        datalen = pkt_dev->cur_pkt_size - 14 - 20 - 8 -
                  pkt_dev->pkt_overhead;
-        if (datalen < sizeof(struct pktgen_hdr))
+        if (datalen < 0 || datalen < sizeof(struct pktgen_hdr))
                datalen = sizeof(struct pktgen_hdr);
        udph->source = htons(pkt_dev->cur_udp_src);
diff --git a/net/core/sock.c b/net/core/sock.c
index 8f67ced8d6a8..305792076121 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1523,7 +1523,14 @@ EXPORT_SYMBOL(sock_rfree);
 void sock_edemux(struct sk_buff *skb)
 {
-        sock_put(skb->sk);
+        struct sock *sk = skb->sk;
+#ifdef CONFIG_INET
+        if (sk->sk_state == TCP_TIME_WAIT)
+                inet_twsk_put(inet_twsk(sk));
+        else
+#endif
+                sock_put(sk);
 }
 EXPORT_SYMBOL(sock_edemux);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 8eec8f4a0536..ebdf06f938bf 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -124,6 +124,8 @@ static DEFINE_SPINLOCK(mfc_unres_lock);
 static struct kmem_cache *mrt_cachep __read_mostly;
 static struct mr_table *ipmr_new_table(struct net *net, u32 id);
+static void ipmr_free_table(struct mr_table *mrt);
 static int ip_mr_forward(struct net *net, struct mr_table *mrt,
                         struct sk_buff *skb, struct mfc_cache *cache,
                         int local);
@@ -131,6 +133,7 @@ static int ipmr_cache_report(struct mr_table *mrt,
                             struct sk_buff *pkt, vifi_t vifi, int assert);
 static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
                              struct mfc_cache *c, struct rtmsg *rtm);
+static void mroute_clean_tables(struct mr_table *mrt);
 static void ipmr_expire_process(unsigned long arg);
 #ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES
@@ -271,7 +274,7 @@ static void __net_exit ipmr_rules_exit(struct net *net)
        list_for_each_entry_safe(mrt, next, &net->ipv4.mr_tables, list) {
                list_del(&mrt->list);
-                kfree(mrt);
+                ipmr_free_table(mrt);
        }
        fib_rules_unregister(net->ipv4.mr_rules_ops);
 }
@@ -299,7 +302,7 @@ static int __net_init ipmr_rules_init(struct net *net)
 static void __net_exit ipmr_rules_exit(struct net *net)
 {
-        kfree(net->ipv4.mrt);
+        ipmr_free_table(net->ipv4.mrt);
 }
 #endif
@@ -336,6 +339,13 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
        return mrt;
 }
+static void ipmr_free_table(struct mr_table *mrt)
+{
+        del_timer_sync(&mrt->ipmr_expire_timer);
+        mroute_clean_tables(mrt);
+        kfree(mrt);
+}
 /* Service routines creating virtual interfaces: DVMRP tunnels and PIMREG */
 static void ipmr_del_tunnel(struct net_device *dev, struct vifctl *v)
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index 4ad9cf173992..9c87cde28ff8 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -502,7 +502,10 @@ static unsigned int ip_nat_sdp_media(struct sk_buff *skb, unsigned int dataoff,
                ret = nf_ct_expect_related(rtcp_exp);
                if (ret == 0)
                        break;
-                else if (ret != -EBUSY) {
+                else if (ret == -EBUSY) {
+                        nf_ct_unexpect_related(rtp_exp);
+                        continue;
+                } else if (ret < 0) {
                        nf_ct_unexpect_related(rtp_exp);
                        port = 0;
                        break;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index fd9ecb52c66b..82cf2a722b23 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -934,12 +934,14 @@ static u32 __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
        if (mtu < ip_rt_min_pmtu)
                mtu = ip_rt_min_pmtu;
+        rcu_read_lock();
        if (fib_lookup(dev_net(rt->dst.dev), fl4, &res) == 0) {
                struct fib_nh *nh = &FIB_RES_NH(res);
                update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
                                      jiffies + ip_rt_mtu_expires);
        }
+        rcu_read_unlock();
        return mtu;
 }
@@ -956,7 +958,7 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
                dst->obsolete = DST_OBSOLETE_KILL;
        } else {
                rt->rt_pmtu = mtu;
-                dst_set_expires(&rt->dst, ip_rt_mtu_expires);
+                rt->dst.expires = max(1UL, jiffies + ip_rt_mtu_expires);
        }
 }
@@ -1263,7 +1265,7 @@ static void ipv4_dst_destroy(struct dst_entry *dst)
 {
        struct rtable *rt = (struct rtable *) dst;
-        if (dst->flags & DST_NOCACHE) {
+        if (!list_empty(&rt->rt_uncached)) {
                spin_lock_bh(&rt_uncached_lock);
                list_del(&rt->rt_uncached);
                spin_unlock_bh(&rt_uncached_lock);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 85308b90df80..6e38c6c23caa 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2926,13 +2926,14 @@ static void tcp_enter_recovery(struct sock *sk, bool ece_ack)
 * tcp_xmit_retransmit_queue().
 */
 static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
-                                  int newly_acked_sacked, bool is_dupack,
+                                  int prior_sacked, bool is_dupack,
                                  int flag)
 {
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct tcp_sock *tp = tcp_sk(sk);
        int do_lost = is_dupack || ((flag & FLAG_DATA_SACKED) &&
                                    (tcp_fackets_out(tp) > tp->reordering));
+        int newly_acked_sacked = 0;
        int fast_rexmit = 0;
        if (WARN_ON(!tp->packets_out && tp->sacked_out))
@@ -2992,6 +2993,7 @@ static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
                                tcp_add_reno_sack(sk);
                } else
                        do_lost = tcp_try_undo_partial(sk, pkts_acked);
+                newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
                break;
        case TCP_CA_Loss:
                if (flag & FLAG_DATA_ACKED)
@@ -3013,6 +3015,7 @@ static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
                        if (is_dupack)
                                tcp_add_reno_sack(sk);
                }
+                newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
                if (icsk->icsk_ca_state <= TCP_CA_Disorder)
                        tcp_try_undo_dsack(sk);
@@ -3590,7 +3593,6 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
        int prior_packets;
        int prior_sacked = tp->sacked_out;
        int pkts_acked = 0;
-        int newly_acked_sacked = 0;
        bool frto_cwnd = false;
        /* If the ack is older than previous acks
@@ -3666,8 +3668,6 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
        flag |= tcp_clean_rtx_queue(sk, prior_fackets, prior_snd_una);
        pkts_acked = prior_packets - tp->packets_out;
-        newly_acked_sacked = (prior_packets - prior_sacked) -
-                             (tp->packets_out - tp->sacked_out);
        if (tp->frto_counter)
                frto_cwnd = tcp_process_frto(sk, flag);
@@ -3681,7 +3681,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
                    tcp_may_raise_cwnd(sk, flag))
                        tcp_cong_avoid(sk, ack, prior_in_flight);
                is_dupack = !(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP));
-                tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,
+                tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
                                      is_dupack, flag);
        } else {
                if ((flag & FLAG_DATA_ACKED) && !frto_cwnd)
@@ -3698,7 +3698,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
 no_queue:
        /* If data was DSACKed, see if we can undo a cwnd reduction. */
        if (flag & FLAG_DSACKING_ACK)
-                tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,
+                tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
                                      is_dupack, flag);
        /* If this ack opens up a zero window, clear backoff.  It was
         * being used to time the probes, and is probably far higher than
@@ -3718,8 +3718,7 @@ old_ack:
         */
        if (TCP_SKB_CB(skb)->sacked) {
                flag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una);
-                newly_acked_sacked = tp->sacked_out - prior_sacked;
+                tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
-                tcp_fastretrans_alert(sk, pkts_acked, newly_acked_sacked,
                                      is_dupack, flag);
        }
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 6f6d1aca3c3d..2814f66dac64 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1226,6 +1226,11 @@ try_again:
        if (unlikely(err)) {
                trace_kfree_skb(skb, udp_recvmsg);
+                if (!peeked) {
+                        atomic_inc(&sk->sk_drops);
+                        UDP_INC_STATS_USER(sock_net(sk),
+                                           UDP_MIB_INERRORS, is_udplite);
+                }
                goto out_free;
        }
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 6dc7fd353ef5..282f3723ee19 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -167,8 +167,6 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
        struct esp_data *esp = x->data;
        /* skb is pure payload to encrypt */
-        err = -ENOMEM;
        aead = esp->aead;
        alen = crypto_aead_authsize(aead);
@@ -203,8 +201,10 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
        }
        tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
-        if (!tmp)
+        if (!tmp) {
+                err = -ENOMEM;
                goto error;
+        }
        seqhi = esp_tmp_seqhi(tmp);
        iv = esp_tmp_iv(aead, tmp, seqhilen);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index a3e60cc04a8a..acd32e3f1b68 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -403,8 +403,9 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                tp->mtu_info = ntohl(info);
                if (!sock_owned_by_user(sk))
                        tcp_v6_mtu_reduced(sk);
-                else
+                else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED,
-                        set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags);
+                                           &tp->tsq_flags))
+                        sock_hold(sk);
                goto out;
        }
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 99d0077b56b8..07e2bfef6845 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -394,6 +394,17 @@ try_again:
        }
        if (unlikely(err)) {
                trace_kfree_skb(skb, udpv6_recvmsg);
+                if (!peeked) {
+                        atomic_inc(&sk->sk_drops);
+                        if (is_udp4)
+                                UDP_INC_STATS_USER(sock_net(sk),
+                                                   UDP_MIB_INERRORS,
+                                                   is_udplite);
+                        else
+                                UDP6_INC_STATS_USER(sock_net(sk),
+                                                    UDP_MIB_INERRORS,
+                                                    is_udplite);
+                }
                goto out_free;
        }
        if (!peeked) {
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 393355d37b47..1a9f3723c13c 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1347,11 +1347,10 @@ static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
        /* Remove from tunnel list */
        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
        list_del_rcu(&tunnel->list);
+        kfree_rcu(tunnel, rcu);
        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
-        synchronize_rcu();
        atomic_dec(&l2tp_tunnel_count);
-        kfree(tunnel);
 }
 /* Create a socket for the tunnel, if one isn't set up by
@@ -1502,6 +1501,8 @@ out:
        return err;
 }
+static struct lock_class_key l2tp_socket_class;
 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
 {
        struct l2tp_tunnel *tunnel = NULL;
@@ -1606,6 +1607,8 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        tunnel->old_sk_destruct = sk->sk_destruct;
        sk->sk_destruct = &l2tp_tunnel_destruct;
        tunnel->sock = sk;
+        lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
        sk->sk_allocation = GFP_ATOMIC;
        /* Add tunnel to our list */
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index a38ec6cdeee1..56d583e083a7 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -163,6 +163,7 @@ struct l2tp_tunnel_cfg {
 struct l2tp_tunnel {
        int                     magic;          /* Should be L2TP_TUNNEL_MAGIC */
+        struct rcu_head rcu;
        rwlock_t                hlist_lock;     /* protect session_hlist */
        struct hlist_head       session_hlist[L2TP_HASH_SIZE];
                                                /* hashed list of sessions,
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index f9ee74deeac2..3bfb34aaee29 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -153,7 +153,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
                print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
        }
-        if (!pskb_may_pull(skb, sizeof(ETH_HLEN)))
+        if (!pskb_may_pull(skb, ETH_HLEN))
                goto error;
        secpath_reset(skb);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index d41974aacf51..a58c0b649ba1 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1378,6 +1378,8 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
        else
                memset(next_hop, 0, ETH_ALEN);
+        memset(pinfo, 0, sizeof(*pinfo));
        pinfo->generation = mesh_paths_generation;
        pinfo->filled = MPATH_INFO_FRAME_QLEN |
@@ -1396,7 +1398,6 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
        pinfo->discovery_timeout =
                        jiffies_to_msecs(mpath->discovery_timeout);
        pinfo->discovery_retries = mpath->discovery_retries;
-        pinfo->flags = 0;
        if (mpath->flags & MESH_PATH_ACTIVE)
                pinfo->flags |= NL80211_MPATH_FLAG_ACTIVE;
        if (mpath->flags & MESH_PATH_RESOLVING)
@@ -1405,10 +1406,8 @@ static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
                pinfo->flags |= NL80211_MPATH_FLAG_SN_VALID;
        if (mpath->flags & MESH_PATH_FIXED)
                pinfo->flags |= NL80211_MPATH_FLAG_FIXED;
-        if (mpath->flags & MESH_PATH_RESOLVING)
+        if (mpath->flags & MESH_PATH_RESOLVED)
-                pinfo->flags |= NL80211_MPATH_FLAG_RESOLVING;
+                pinfo->flags |= NL80211_MPATH_FLAG_RESOLVED;
-        pinfo->flags = mpath->flags;
 }
 static int ieee80211_get_mpath(struct wiphy *wiphy, struct net_device *dev,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index a4a5acdbaa4d..f76b83341cf9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3248,6 +3248,8 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
        goto out_unlock;
 err_clear:
+        memset(ifmgd->bssid, 0, ETH_ALEN);
+        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
        ifmgd->auth_data = NULL;
 err_free:
        kfree(auth_data);
@@ -3439,6 +3441,8 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
        err = 0;
        goto out;
 err_clear:
+        memset(ifmgd->bssid, 0, ETH_ALEN);
+        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
        ifmgd->assoc_data = NULL;
 err_free:
        kfree(assoc_data);
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index acf712ffb5e6..c5e8c9c31f76 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1811,37 +1811,31 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                        meshhdrlen = ieee80211_new_mesh_header(&mesh_hdr,
                                        sdata, NULL, NULL);
                } else {
-                        int is_mesh_mcast = 1;
+                        /* DS -> MBSS (802.11-2012 13.11.3.3).
-                        const u8 *mesh_da;
+                         * For unicast with unknown forwarding information,
+                         * destination might be in the MBSS or if that fails
+                         * forwarded to another mesh gate. In either case
+                         * resolution will be handled in ieee80211_xmit(), so
+                         * leave the original DA. This also works for mcast */
+                        const u8 *mesh_da = skb->data;
+                        if (mppath)
+                                mesh_da = mppath->mpp;
+                        else if (mpath)
+                                mesh_da = mpath->dst;
+                        rcu_read_unlock();
-                        if (is_multicast_ether_addr(skb->data))
-                                /* DA TA mSA AE:SA */
-                                mesh_da = skb->data;
-                        else {
-                                static const u8 bcast[ETH_ALEN] =
-                                        { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-                                if (mppath) {
-                                        /* RA TA mDA mSA AE:DA SA */
-                                        mesh_da = mppath->mpp;
-                                        is_mesh_mcast = 0;
-                                } else if (mpath) {
-                                        mesh_da = mpath->dst;
-                                        is_mesh_mcast = 0;
-                                } else {
-                                        /* DA TA mSA AE:SA */
-                                        mesh_da = bcast;
-                                }
-                        }
                        hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc,
                                        mesh_da, sdata->vif.addr);
-                        rcu_read_unlock();
+                        if (is_multicast_ether_addr(mesh_da))
-                        if (is_mesh_mcast)
+                                /* DA TA mSA AE:SA */
                                meshhdrlen =
                                        ieee80211_new_mesh_header(&mesh_hdr,
                                                        sdata,
                                                        skb->data + ETH_ALEN,
                                                        NULL);
                        else
+                                /* RA TA mDA mSA AE:DA SA */
                                meshhdrlen =
                                        ieee80211_new_mesh_header(&mesh_hdr,
                                                        sdata,
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 72bf32a84874..f51013c07b9f 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1171,8 +1171,10 @@ ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
                goto out_err;
        }
        svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
-        if (!svc->stats.cpustats)
+        if (!svc->stats.cpustats) {
+                ret = -ENOMEM;
                goto out_err;
+        }
        /* I'm the first user of the service */
        atomic_set(&svc->usecnt, 0);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index cf4875565d67..2ceec64b19f9 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -249,12 +249,15 @@ static void death_by_event(unsigned long ul_conntrack)
 {
        struct nf_conn *ct = (void *)ul_conntrack;
        struct net *net = nf_ct_net(ct);
+        struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
+        BUG_ON(ecache == NULL);
        if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
                /* bad luck, let's retry again */
-                ct->timeout.expires = jiffies +
+                ecache->timeout.expires = jiffies +
                        (random32() % net->ct.sysctl_events_retry_timeout);
-                add_timer(&ct->timeout);
+                add_timer(&ecache->timeout);
                return;
        }
        /* we've got the event delivered, now it's dying */
@@ -268,6 +271,9 @@ static void death_by_event(unsigned long ul_conntrack)
 void nf_ct_insert_dying_list(struct nf_conn *ct)
 {
        struct net *net = nf_ct_net(ct);
+        struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
+        BUG_ON(ecache == NULL);
        /* add this conntrack to the dying list */
        spin_lock_bh(&nf_conntrack_lock);
@@ -275,10 +281,10 @@ void nf_ct_insert_dying_list(struct nf_conn *ct)
                             &net->ct.dying);
        spin_unlock_bh(&nf_conntrack_lock);
        /* set a new timer to retry event delivery */
-        setup_timer(&ct->timeout, death_by_event, (unsigned long)ct);
+        setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct);
-        ct->timeout.expires = jiffies +
+        ecache->timeout.expires = jiffies +
                (random32() % net->ct.sysctl_events_retry_timeout);
-        add_timer(&ct->timeout);
+        add_timer(&ecache->timeout);
 }
 EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index da4fc37a8578..9807f3278fcb 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2790,7 +2790,8 @@ static int __init ctnetlink_init(void)
                goto err_unreg_subsys;
        }
-        if (register_pernet_subsys(&ctnetlink_net_ops)) {
+        ret = register_pernet_subsys(&ctnetlink_net_ops);
+        if (ret < 0) {
                pr_err("ctnetlink_init: cannot register pernet operations\n");
                goto err_unreg_exp_subsys;
        }
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index a5ac11ebef33..e046b3756aab 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
 *      sCL -> sSS
 */
 /*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
+/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
 /*
 *      sNO -> sIV      Too late and no reason to do anything
 *      sSS -> sIV      Client can't send SYN and then SYN/ACK
 *      sS2 -> sSR      SYN/ACK sent to SYN2 in simultaneous open
- *      sSR -> sIG
+ *      sSR -> sSR      Late retransmitted SYN/ACK in simultaneous open
- *      sES -> sIG      Error: SYNs in window outside the SYN_SENT state
+ *      sES -> sIV      Invalid SYN/ACK packets sent by the client
- *                      are errors. Receiver will reply with RST
+ *      sFW -> sIV
- *                      and close the connection.
+ *      sCW -> sIV
- *                      Or we are not in sync and hold a dead connection.
+ *      sLA -> sIV
- *      sFW -> sIG
+ *      sTW -> sIV
- *      sCW -> sIG
+ *      sCL -> sIV
- *      sLA -> sIG
- *      sTW -> sIG
- *      sCL -> sIG
 */
 /*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 /*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
@@ -633,15 +630,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
                ack = sack = receiver->td_end;
        }
-        if (seq == end
+        if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
-            && (!tcph->rst
-                || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
                /*
-                 * Packets contains no data: we assume it is valid
+                 * RST sent answering SYN.
-                 * and check the ack value only.
-                 * However RST segments are always validated by their
-                 * SEQ number, except when seq == 0 (reset sent answering
-                 * SYN.
                 */
                seq = end = sender->td_end;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 169ab59ed9d4..5cfb5bedb2b8 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -381,6 +381,7 @@ __build_packet_message(struct nfulnl_instance *inst,
        struct nlmsghdr *nlh;
        struct nfgenmsg *nfmsg;
        sk_buff_data_t old_tail = inst->skb->tail;
+        struct sock *sk;
        nlh = nlmsg_put(inst->skb, 0, 0,
                        NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
@@ -480,7 +481,7 @@ __build_packet_message(struct nfulnl_instance *inst,
        }
        if (indev && skb_mac_header_was_set(skb)) {
-                if (nla_put_be32(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) ||
+                if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) ||
                    nla_put_be16(inst->skb, NFULA_HWLEN,
                                 htons(skb->dev->hard_header_len)) ||
                    nla_put(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len,
@@ -499,18 +500,19 @@ __build_packet_message(struct nfulnl_instance *inst,
        }
        /* UID */
-        if (skb->sk) {
+        sk = skb->sk;
-                read_lock_bh(&skb->sk->sk_callback_lock);
+        if (sk && sk->sk_state != TCP_TIME_WAIT) {
-                if (skb->sk->sk_socket && skb->sk->sk_socket->file) {
+                read_lock_bh(&sk->sk_callback_lock);
-                        struct file *file = skb->sk->sk_socket->file;
+                if (sk->sk_socket && sk->sk_socket->file) {
+                        struct file *file = sk->sk_socket->file;
                        __be32 uid = htonl(file->f_cred->fsuid);
                        __be32 gid = htonl(file->f_cred->fsgid);
-                        read_unlock_bh(&skb->sk->sk_callback_lock);
+                        read_unlock_bh(&sk->sk_callback_lock);
                        if (nla_put_be32(inst->skb, NFULA_UID, uid) ||
                            nla_put_be32(inst->skb, NFULA_GID, gid))
                                goto nla_put_failure;
                } else
-                        read_unlock_bh(&skb->sk->sk_callback_lock);
+                        read_unlock_bh(&sk->sk_callback_lock);
        }
        /* local sequence number */
@@ -996,8 +998,10 @@ static int __init nfnetlink_log_init(void)
 #ifdef CONFIG_PROC_FS
        if (!proc_create("nfnetlink_log", 0440,
-                         proc_net_netfilter, &nful_file_ops))
+                         proc_net_netfilter, &nful_file_ops)) {
+                status = -ENOMEM;
                goto cleanup_logger;
+        }
 #endif
        return status;
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index ff5f75fddb15..91e9af4d1f42 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -145,6 +145,19 @@ static int dump_tcp_header(struct sbuff *m, const struct sk_buff *skb,
        return 0;
 }
+static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk)
+{
+        if (!sk || sk->sk_state == TCP_TIME_WAIT)
+                return;
+        read_lock_bh(&sk->sk_callback_lock);
+        if (sk->sk_socket && sk->sk_socket->file)
+                sb_add(m, "UID=%u GID=%u ",
+                        sk->sk_socket->file->f_cred->fsuid,
+                        sk->sk_socket->file->f_cred->fsgid);
+        read_unlock_bh(&sk->sk_callback_lock);
+}
 /* One level of recursion won't kill us */
 static void dump_ipv4_packet(struct sbuff *m,
                        const struct nf_loginfo *info,
@@ -361,14 +374,8 @@ static void dump_ipv4_packet(struct sbuff *m,
        }
        /* Max length: 15 "UID=4294967295 " */
-        if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) {
+        if ((logflags & XT_LOG_UID) && !iphoff)
-                read_lock_bh(&skb->sk->sk_callback_lock);
+                dump_sk_uid_gid(m, skb->sk);
-                if (skb->sk->sk_socket && skb->sk->sk_socket->file)
-                        sb_add(m, "UID=%u GID=%u ",
-                                skb->sk->sk_socket->file->f_cred->fsuid,
-                                skb->sk->sk_socket->file->f_cred->fsgid);
-                read_unlock_bh(&skb->sk->sk_callback_lock);
-        }
        /* Max length: 16 "MARK=0xFFFFFFFF " */
        if (!iphoff && skb->mark)
@@ -436,8 +443,8 @@ log_packet_common(struct sbuff *m,
                  const struct nf_loginfo *loginfo,
                  const char *prefix)
 {
-        sb_add(m, "<%d>%sIN=%s OUT=%s ", loginfo->u.log.level,
+        sb_add(m, KERN_SOH "%c%sIN=%s OUT=%s ",
-               prefix,
+               '0' + loginfo->u.log.level, prefix,
               in ? in->name : "",
               out ? out->name : "");
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -717,14 +724,8 @@ static void dump_ipv6_packet(struct sbuff *m,
        }
        /* Max length: 15 "UID=4294967295 " */
-        if ((logflags & XT_LOG_UID) && recurse && skb->sk) {
+        if ((logflags & XT_LOG_UID) && recurse)
-                read_lock_bh(&skb->sk->sk_callback_lock);
+                dump_sk_uid_gid(m, skb->sk);
-                if (skb->sk->sk_socket && skb->sk->sk_socket->file)
-                        sb_add(m, "UID=%u GID=%u ",
-                                skb->sk->sk_socket->file->f_cred->fsuid,
-                                skb->sk->sk_socket->file->f_cred->fsgid);
-                read_unlock_bh(&skb->sk->sk_callback_lock);
-        }
        /* Max length: 16 "MARK=0xFFFFFFFF " */
        if (!recurse && skb->mark)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 1445d73533ed..527023823b5c 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1373,7 +1373,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
                dst_pid = addr->nl_pid;
                dst_group = ffs(addr->nl_groups);
                err =  -EPERM;
-                if (dst_group && !netlink_capable(sock, NL_NONROOT_SEND))
+                if ((dst_group || dst_pid) &&
+                    !netlink_capable(sock, NL_NONROOT_SEND))
                        goto out;
        } else {
                dst_pid = nlk->dst_pid;
@@ -2147,6 +2148,7 @@ static void __init netlink_add_usersock_entry(void)
        rcu_assign_pointer(nl_table[NETLINK_USERSOCK].listeners, listeners);
        nl_table[NETLINK_USERSOCK].module = THIS_MODULE;
        nl_table[NETLINK_USERSOCK].registered = 1;
+        nl_table[NETLINK_USERSOCK].nl_nonroot = NL_NONROOT_SEND;
        netlink_table_ungrab();
 }
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 06592d8b4a2b..1b9024ee963c 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1169,7 +1169,12 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
                msg->msg_flags |= MSG_TRUNC;
        }
-        skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+        er = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+        if (er < 0) {
+                skb_free_datagram(sk, skb);
+                release_sock(sk);
+                return er;
+        }
        if (sax != NULL) {
                sax->sax25_family = AF_NETROM;
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index f3f96badf5aa..954405ceae9e 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -45,7 +45,7 @@ static int make_writable(struct sk_buff *skb, int write_len)
        return pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
 }
-/* remove VLAN header from packet and update csum accrodingly. */
+/* remove VLAN header from packet and update csum accordingly. */
 static int __pop_vlan_tci(struct sk_buff *skb, __be16 *current_tci)
 {
        struct vlan_hdr *vhdr;
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index d8277d29e710..cf58cedad083 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -425,10 +425,10 @@ static int validate_sample(const struct nlattr *attr,
 static int validate_tp_port(const struct sw_flow_key *flow_key)
 {
        if (flow_key->eth.type == htons(ETH_P_IP)) {
-                if (flow_key->ipv4.tp.src && flow_key->ipv4.tp.dst)
+                if (flow_key->ipv4.tp.src || flow_key->ipv4.tp.dst)
                        return 0;
        } else if (flow_key->eth.type == htons(ETH_P_IPV6)) {
-                if (flow_key->ipv6.tp.src && flow_key->ipv6.tp.dst)
+                if (flow_key->ipv6.tp.src || flow_key->ipv6.tp.dst)
                        return 0;
        }
@@ -460,7 +460,7 @@ static int validate_set(const struct nlattr *a,
                if (flow_key->eth.type != htons(ETH_P_IP))
                        return -EINVAL;
-                if (!flow_key->ipv4.addr.src || !flow_key->ipv4.addr.dst)
+                if (!flow_key->ip.proto)
                        return -EINVAL;
                ipv4_key = nla_data(ovs_key);
diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
index 9b75617ca4e0..c30df1a10c67 100644
--- a/net/openvswitch/flow.h
+++ b/net/openvswitch/flow.h
@@ -145,15 +145,17 @@ u64 ovs_flow_used_time(unsigned long flow_jiffies);
 *  OVS_KEY_ATTR_PRIORITY      4    --     4      8
 *  OVS_KEY_ATTR_IN_PORT       4    --     4      8
 *  OVS_KEY_ATTR_ETHERNET     12    --     4     16
+ *  OVS_KEY_ATTR_ETHERTYPE     2     2     4      8  (outer VLAN ethertype)
 *  OVS_KEY_ATTR_8021Q         4    --     4      8
- *  OVS_KEY_ATTR_ETHERTYPE     2     2     4      8
+ *  OVS_KEY_ATTR_ENCAP         0    --     4      4  (VLAN encapsulation)
+ *  OVS_KEY_ATTR_ETHERTYPE     2     2     4      8  (inner VLAN ethertype)
 *  OVS_KEY_ATTR_IPV6         40    --     4     44
 *  OVS_KEY_ATTR_ICMPV6        2     2     4      8
 *  OVS_KEY_ATTR_ND           28    --     4     32
 *  -------------------------------------------------
- *  total                                       132
+ *  total                                       144
 */
-#define FLOW_BUFSIZE 132
+#define FLOW_BUFSIZE 144
 int ovs_flow_to_nlattrs(const struct sw_flow_key *, struct sk_buff *);
 int ovs_flow_from_nlattrs(struct sw_flow_key *swkey, int *key_lenp,
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index aee7196aac36..c5c9e2a54218 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1273,7 +1273,7 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
        spin_unlock(&f->lock);
 }
-bool match_fanout_group(struct packet_type *ptype, struct sock * sk)
+static bool match_fanout_group(struct packet_type *ptype, struct sock * sk)
 {
        if (ptype->af_packet_priv == (void*)((struct packet_sock *)sk)->fanout)
                return true;
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 6aabd77d1cfd..564b9fc8efd3 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -250,10 +250,11 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
                        else if ((cl = defmap[res.classid & TC_PRIO_MAX]) == NULL)
                                cl = defmap[TC_PRIO_BESTEFFORT];
-                        if (cl == NULL || cl->level >= head->level)
+                        if (cl == NULL)
                                goto fallback;
                }
+                if (cl->level >= head->level)
+                        goto fallback;
 #ifdef CONFIG_NET_CLS_ACT
                switch (result) {
                case TC_ACT_QUEUED:
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 9fc1c62ec80e..4e606fcb2534 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -191,7 +191,6 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        if (list_empty(&flow->flowchain)) {
                list_add_tail(&flow->flowchain, &q->new_flows);
-                codel_vars_init(&flow->cvars);
                q->new_flow_count++;
                flow->deficit = q->quantum;
                flow->dropped = 0;
@@ -418,6 +417,7 @@ static int fq_codel_init(struct Qdisc *sch, struct nlattr *opt)
                        struct fq_codel_flow *flow = q->flows + i;
                        INIT_LIST_HEAD(&flow->flowchain);
+                        codel_vars_init(&flow->cvars);
                }
        }
        if (sch->limit >= 1)
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index e901583e4ea5..d42234c0f13b 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -102,9 +102,8 @@ static inline int gred_wred_mode_check(struct Qdisc *sch)
                if (q == NULL)
                        continue;
-                for (n = 0; n < table->DPs; n++)
+                for (n = i + 1; n < table->DPs; n++)
-                        if (table->tab[n] && table->tab[n] != q &&
+                        if (table->tab[n] && table->tab[n]->prio == q->prio)
-                            table->tab[n]->prio == q->prio)
                                return 1;
        }
@@ -137,6 +136,7 @@ static inline void gred_store_wred_set(struct gred_sched *table,
                                       struct gred_sched_data *q)
 {
        table->wred_set.qavg = q->vars.qavg;
+        table->wred_set.qidlestart = q->vars.qidlestart;
 }
 static inline int gred_use_ecn(struct gred_sched *t)
@@ -176,7 +176,7 @@ static int gred_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                skb->tc_index = (skb->tc_index & ~GRED_VQ_MASK) | dp;
        }
-        /* sum up all the qaves of prios <= to ours to get the new qave */
+        /* sum up all the qaves of prios < ours to get the new qave */
        if (!gred_wred_mode(t) && gred_rio_mode(t)) {
                int i;
@@ -260,16 +260,18 @@ static struct sk_buff *gred_dequeue(struct Qdisc *sch)
                } else {
                        q->backlog -= qdisc_pkt_len(skb);
-                        if (!q->backlog && !gred_wred_mode(t))
+                        if (gred_wred_mode(t)) {
-                                red_start_of_idle_period(&q->vars);
+                                if (!sch->qstats.backlog)
+                                        red_start_of_idle_period(&t->wred_set);
+                        } else {
+                                if (!q->backlog)
+                                        red_start_of_idle_period(&q->vars);
+                        }
                }
                return skb;
        }
-        if (gred_wred_mode(t) && !red_is_idling(&t->wred_set))
-                red_start_of_idle_period(&t->wred_set);
        return NULL;
 }
@@ -291,19 +293,20 @@ static unsigned int gred_drop(struct Qdisc *sch)
                        q->backlog -= len;
                        q->stats.other++;
-                        if (!q->backlog && !gred_wred_mode(t))
+                        if (gred_wred_mode(t)) {
-                                red_start_of_idle_period(&q->vars);
+                                if (!sch->qstats.backlog)
+                                        red_start_of_idle_period(&t->wred_set);
+                        } else {
+                                if (!q->backlog)
+                                        red_start_of_idle_period(&q->vars);
+                        }
                }
                qdisc_drop(skb, sch);
                return len;
        }
-        if (gred_wred_mode(t) && !red_is_idling(&t->wred_set))
-                red_start_of_idle_period(&t->wred_set);
        return 0;
 }
 static void gred_reset(struct Qdisc *sch)
@@ -535,6 +538,7 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb)
        for (i = 0; i < MAX_DPs; i++) {
                struct gred_sched_data *q = table->tab[i];
                struct tc_gred_qopt opt;
+                unsigned long qavg;
                memset(&opt, 0, sizeof(opt));
@@ -566,7 +570,9 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb)
                if (gred_wred_mode(table))
                        gred_load_wred_set(table, q);
-                opt.qave = red_calc_qavg(&q->parms, &q->vars, q->vars.qavg);
+                qavg = red_calc_qavg(&q->parms, &q->vars,
+                                     q->vars.qavg >> q->parms.Wlog);
+                opt.qave = qavg >> q->parms.Wlog;
 append_opt:
                if (nla_append(skb, sizeof(opt), &opt) < 0)
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 838e18b4d7ea..be50aa234dcd 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -364,6 +364,25 @@ finish:
        return retval;
 }
+static void sctp_packet_release_owner(struct sk_buff *skb)
+{
+        sk_free(skb->sk);
+}
+static void sctp_packet_set_owner_w(struct sk_buff *skb, struct sock *sk)
+{
+        skb_orphan(skb);
+        skb->sk = sk;
+        skb->destructor = sctp_packet_release_owner;
+        /*
+         * The data chunks have already been accounted for in sctp_sendmsg(),
+         * therefore only reserve a single byte to keep socket around until
+         * the packet has been transmitted.
+         */
+        atomic_inc(&sk->sk_wmem_alloc);
+}
 /* All packets are sent to the network through this function from
 * sctp_outq_tail().
 *
@@ -405,7 +424,7 @@ int sctp_packet_transmit(struct sctp_packet *packet)
        /* Set the owning socket so that we know where to get the
         * destination IP address.
         */
-        skb_set_owner_w(nskb, sk);
+        sctp_packet_set_owner_w(nskb, sk);
        if (!sctp_transport_dst_check(tp)) {
                sctp_transport_route(tp, NULL, sctp_sk(sk));
diff --git a/net/socket.c b/net/socket.c
index a5471f804d99..edc3c4af9085 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2604,7 +2604,7 @@ static int do_siocgstamp(struct net *net, struct socket *sock,
        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv);
        set_fs(old_fs);
        if (!err)
-                err = compat_put_timeval(up, &ktv);
+                err = compat_put_timeval(&ktv, up);
        return err;
 }
@@ -2620,7 +2620,7 @@ static int do_siocgstampns(struct net *net, struct socket *sock,
        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts);
        set_fs(old_fs);
        if (!err)
-                err = compat_put_timespec(up, &kts);
+                err = compat_put_timespec(&kts, up);
        return err;
 }
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index a5a402a7d21f..5d7f61d7559c 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -969,11 +969,11 @@ static bool xprt_dynamic_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
        return false;
 }
-static void xprt_alloc_slot(struct rpc_task *task)
+void xprt_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task)
 {
-        struct rpc_xprt *xprt = task->tk_xprt;
        struct rpc_rqst *req;
+        spin_lock(&xprt->reserve_lock);
        if (!list_empty(&xprt->free)) {
                req = list_entry(xprt->free.next, struct rpc_rqst, rq_list);
                list_del(&req->rq_list);
@@ -994,12 +994,29 @@ static void xprt_alloc_slot(struct rpc_task *task)
        default:
                task->tk_status = -EAGAIN;
        }
+        spin_unlock(&xprt->reserve_lock);
        return;
 out_init_req:
        task->tk_status = 0;
        task->tk_rqstp = req;
        xprt_request_init(task, xprt);
+        spin_unlock(&xprt->reserve_lock);
+}
+EXPORT_SYMBOL_GPL(xprt_alloc_slot);
+void xprt_lock_and_alloc_slot(struct rpc_xprt *xprt, struct rpc_task *task)
+{
+        /* Note: grabbing the xprt_lock_write() ensures that we throttle
+         * new slot allocation if the transport is congested (i.e. when
+         * reconnecting a stream transport or when out of socket write
+         * buffer space).
+         */
+        if (xprt_lock_write(xprt, task)) {
+                xprt_alloc_slot(xprt, task);
+                xprt_release_write(xprt, task);
+        }
 }
+EXPORT_SYMBOL_GPL(xprt_lock_and_alloc_slot);
 static void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
 {
@@ -1083,20 +1100,9 @@ void xprt_reserve(struct rpc_task *task)
        if (task->tk_rqstp != NULL)
                return;
-        /* Note: grabbing the xprt_lock_write() here is not strictly needed,
-         * but ensures that we throttle new slot allocation if the transport
-         * is congested (e.g. if reconnecting or if we're out of socket
-         * write buffer space).
-         */
        task->tk_timeout = 0;
        task->tk_status = -EAGAIN;
-        if (!xprt_lock_write(xprt, task))
+        xprt->ops->alloc_slot(xprt, task);
-                return;
-        spin_lock(&xprt->reserve_lock);
-        xprt_alloc_slot(task);
-        spin_unlock(&xprt->reserve_lock);
-        xprt_release_write(xprt, task);
 }
 static inline __be32 xprt_alloc_xid(struct rpc_xprt *xprt)
diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c
index 06cdbff79e4a..5d9202dc7cb1 100644
--- a/net/sunrpc/xprtrdma/transport.c
+++ b/net/sunrpc/xprtrdma/transport.c
@@ -713,6 +713,7 @@ static void xprt_rdma_print_stats(struct rpc_xprt *xprt, struct seq_file *seq)
 static struct rpc_xprt_ops xprt_rdma_procs = {
        .reserve_xprt           = xprt_rdma_reserve_xprt,
        .release_xprt           = xprt_release_xprt_cong, /* sunrpc/xprt.c */
+        .alloc_slot             = xprt_alloc_slot,
        .release_request        = xprt_release_rqst_cong,       /* ditto */
        .set_retrans_timeout    = xprt_set_retrans_timeout_def, /* ditto */
        .rpcbind                = rpcb_getport_async,   /* sunrpc/rpcb_clnt.c */
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 400567243f84..a35b8e52e551 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -2473,6 +2473,7 @@ static void bc_destroy(struct rpc_xprt *xprt)
 static struct rpc_xprt_ops xs_local_ops = {
        .reserve_xprt           = xprt_reserve_xprt,
        .release_xprt           = xs_tcp_release_xprt,
+        .alloc_slot             = xprt_alloc_slot,
        .rpcbind                = xs_local_rpcbind,
        .set_port               = xs_local_set_port,
        .connect                = xs_connect,
@@ -2489,6 +2490,7 @@ static struct rpc_xprt_ops xs_udp_ops = {
        .set_buffer_size        = xs_udp_set_buffer_size,
        .reserve_xprt           = xprt_reserve_xprt_cong,
        .release_xprt           = xprt_release_xprt_cong,
+        .alloc_slot             = xprt_alloc_slot,
        .rpcbind                = rpcb_getport_async,
        .set_port               = xs_set_port,
        .connect                = xs_connect,
@@ -2506,6 +2508,7 @@ static struct rpc_xprt_ops xs_udp_ops = {
 static struct rpc_xprt_ops xs_tcp_ops = {
        .reserve_xprt           = xprt_reserve_xprt,
        .release_xprt           = xs_tcp_release_xprt,
+        .alloc_slot             = xprt_lock_and_alloc_slot,
        .rpcbind                = rpcb_getport_async,
        .set_port               = xs_set_port,
        .connect                = xs_connect,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 97026f3b215a..1e37dbf00cb3 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5633,8 +5633,10 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
                       sizeof(connect.ht_capa_mask));
        if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
-                if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
+                if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
+                        kfree(connkeys);
                        return -EINVAL;
+                }
                memcpy(&connect.ht_capa,
                       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
                       sizeof(connect.ht_capa));
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 54a0dc2e2f8d..ab2bb42fe094 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -212,7 +212,7 @@ resume:
                /* only the first xfrm gets the encap type */
                encap_type = 0;
-                if (async && x->repl->check(x, skb, seq)) {
+                if (async && x->repl->recheck(x, skb, seq)) {
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
                        goto drop_unlock;
                }
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 2f6d11d04a2b..3efb07d3eb27 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -420,6 +420,18 @@ err:
        return -EINVAL;
 }
+static int xfrm_replay_recheck_esn(struct xfrm_state *x,
+                                   struct sk_buff *skb, __be32 net_seq)
+{
+        if (unlikely(XFRM_SKB_CB(skb)->seq.input.hi !=
+                     htonl(xfrm_replay_seqhi(x, net_seq)))) {
+                        x->stats.replay_window++;
+                        return -EINVAL;
+        }
+        return xfrm_replay_check_esn(x, skb, net_seq);
+}
 static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
 {
        unsigned int bitnr, nr, i;
@@ -479,6 +491,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
 static struct xfrm_replay xfrm_replay_legacy = {
        .advance        = xfrm_replay_advance,
        .check          = xfrm_replay_check,
+        .recheck        = xfrm_replay_check,
        .notify         = xfrm_replay_notify,
        .overflow       = xfrm_replay_overflow,
 };
@@ -486,6 +499,7 @@ static struct xfrm_replay xfrm_replay_legacy = {
 static struct xfrm_replay xfrm_replay_bmp = {
        .advance        = xfrm_replay_advance_bmp,
        .check          = xfrm_replay_check_bmp,
+        .recheck        = xfrm_replay_check_bmp,
        .notify         = xfrm_replay_notify_bmp,
        .overflow       = xfrm_replay_overflow_bmp,
 };
@@ -493,6 +507,7 @@ static struct xfrm_replay xfrm_replay_bmp = {
 static struct xfrm_replay xfrm_replay_esn = {
        .advance        = xfrm_replay_advance_esn,
        .check          = xfrm_replay_check_esn,
+        .recheck        = xfrm_replay_recheck_esn,
        .notify         = xfrm_replay_notify_bmp,
        .overflow       = xfrm_replay_overflow_esn,
 };
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 87cd0e4d4282..210be48d8ae3 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1994,8 +1994,10 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay)
                goto error;
        x->outer_mode = xfrm_get_mode(x->props.mode, family);
-        if (x->outer_mode == NULL)
+        if (x->outer_mode == NULL) {
+                err = -EPROTONOSUPPORT;
                goto error;
+        }
        if (init_replay) {
                err = xfrm_init_replay(x);
author	Mark Brown <broonie@opensource.wolfsonmicro.com>	2012-09-22 11:26:27 -0400
committer	Mark Brown <broonie@opensource.wolfsonmicro.com>	2012-09-22 11:26:27 -0400
commit	ddfb43f3881edb47aa0083651ad31983cdc42c33 (patch)
tree	7128cb13b599d2903a4deb05bbae37508b1c261e /net
parent	2d6d649a2e0fa0268c0d03d5b1d330ca7907d33c (diff)
parent	5698bd757d55b1bb87edd1a9744ab09c142abfc2 (diff)