28 files changed, 330 insertions, 155 deletions
diff --git a/MAINTAINERS b/MAINTAINERS
index 5483e0c93b4b..b3bc88d9c03a 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2460,7 +2460,7 @@ S:	Supported
 F:      drivers/infiniband/hw/ehca/
 EHEA (IBM pSeries eHEA 10Gb ethernet adapter) DRIVER
-M:      Breno Leitao <leitao@linux.vnet.ibm.com>
+M:      Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
 L:      netdev@vger.kernel.org
 S:      Maintained
 F:      drivers/net/ehea/
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 6d79b78cfc75..de3d351ccb6b 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1435,6 +1435,8 @@ static rx_handler_result_t bond_handle_frame(struct sk_buff **pskb)
        struct sk_buff *skb = *pskb;
        struct slave *slave;
        struct bonding *bond;
+        void (*recv_probe)(struct sk_buff *, struct bonding *,
+                                struct slave *);
        skb = skb_share_check(skb, GFP_ATOMIC);
        if (unlikely(!skb))
@@ -1448,11 +1450,12 @@ static rx_handler_result_t bond_handle_frame(struct sk_buff **pskb)
        if (bond->params.arp_interval)
                slave->dev->last_rx = jiffies;
-        if (bond->recv_probe) {
+        recv_probe = ACCESS_ONCE(bond->recv_probe);
+        if (recv_probe) {
                struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
                if (likely(nskb)) {
-                        bond->recv_probe(nskb, bond, slave);
+                        recv_probe(nskb, bond, slave);
                        dev_kfree_skb(nskb);
                }
        }
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index ed2a3977c6e7..e8882023576b 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -307,6 +307,11 @@ static ssize_t store_enabled(struct netconsole_target *nt,
                return err;
        if (enabled < 0 || enabled > 1)
                return -EINVAL;
+        if (enabled == nt->enabled) {
+                printk(KERN_INFO "netconsole: network logging has already %s\n",
+                                nt->enabled ? "started" : "stopped");
+                return -EINVAL;
+        }
        if (enabled) {  /* 1 */
diff --git a/drivers/net/pptp.c b/drivers/net/pptp.c
index eae542a7e987..89f829f5f725 100644
--- a/drivers/net/pptp.c
+++ b/drivers/net/pptp.c
@@ -285,8 +285,10 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
        ip_send_check(iph);
        ip_local_out(skb);
+        return 1;
 tx_error:
+        kfree_skb(skb);
        return 1;
 }
@@ -305,11 +307,18 @@ static int pptp_rcv_core(struct sock *sk, struct sk_buff *skb)
        }
        header = (struct pptp_gre_header *)(skb->data);
+        headersize  = sizeof(*header);
        /* test if acknowledgement present */
        if (PPTP_GRE_IS_A(header->ver)) {
-                __u32 ack = (PPTP_GRE_IS_S(header->flags)) ?
+                __u32 ack;
-                                header->ack : header->seq; /* ack in different place if S = 0 */
+                if (!pskb_may_pull(skb, headersize))
+                        goto drop;
+                header = (struct pptp_gre_header *)(skb->data);
+                /* ack in different place if S = 0 */
+                ack = PPTP_GRE_IS_S(header->flags) ? header->ack : header->seq;
                ack = ntohl(ack);
@@ -318,21 +327,18 @@ static int pptp_rcv_core(struct sock *sk, struct sk_buff *skb)
                /* also handle sequence number wrap-around  */
                if (WRAPPED(ack, opt->ack_recv))
                        opt->ack_recv = ack;
+        } else {
+                headersize -= sizeof(header->ack);
        }
        /* test if payload present */
        if (!PPTP_GRE_IS_S(header->flags))
                goto drop;
-        headersize  = sizeof(*header);
        payload_len = ntohs(header->payload_len);
        seq         = ntohl(header->seq);
-        /* no ack present? */
-        if (!PPTP_GRE_IS_A(header->ver))
-                headersize -= sizeof(header->ack);
        /* check for incomplete packet (length smaller than expected) */
-        if (skb->len - headersize < payload_len)
+        if (!pskb_may_pull(skb, headersize + payload_len))
                goto drop;
        payload = skb->data + headersize;
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index c23667017922..6d657cabb951 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -2859,7 +2859,7 @@ static void rtl8168e_2_hw_phy_config(struct rtl8169_private *tp)
        rtl_writephy(tp, 0x1f, 0x0004);
        rtl_writephy(tp, 0x1f, 0x0007);
        rtl_writephy(tp, 0x1e, 0x0020);
-        rtl_w1w0_phy(tp, 0x06, 0x0000, 0x0100);
+        rtl_w1w0_phy(tp, 0x15, 0x0000, 0x0100);
        rtl_writephy(tp, 0x1f, 0x0002);
        rtl_writephy(tp, 0x1f, 0x0000);
        rtl_writephy(tp, 0x0d, 0x0007);
@@ -3316,6 +3316,37 @@ static void __devinit rtl_init_mdio_ops(struct rtl8169_private *tp)
        }
 }
+static void rtl_wol_suspend_quirk(struct rtl8169_private *tp)
+{
+        void __iomem *ioaddr = tp->mmio_addr;
+        switch (tp->mac_version) {
+        case RTL_GIGA_MAC_VER_29:
+        case RTL_GIGA_MAC_VER_30:
+        case RTL_GIGA_MAC_VER_32:
+        case RTL_GIGA_MAC_VER_33:
+        case RTL_GIGA_MAC_VER_34:
+                RTL_W32(RxConfig, RTL_R32(RxConfig) |
+                        AcceptBroadcast | AcceptMulticast | AcceptMyPhys);
+                break;
+        default:
+                break;
+        }
+}
+static bool rtl_wol_pll_power_down(struct rtl8169_private *tp)
+{
+        if (!(__rtl8169_get_wol(tp) & WAKE_ANY))
+                return false;
+        rtl_writephy(tp, 0x1f, 0x0000);
+        rtl_writephy(tp, MII_BMCR, 0x0000);
+        rtl_wol_suspend_quirk(tp);
+        return true;
+}
 static void r810x_phy_power_down(struct rtl8169_private *tp)
 {
        rtl_writephy(tp, 0x1f, 0x0000);
@@ -3330,18 +3361,8 @@ static void r810x_phy_power_up(struct rtl8169_private *tp)
 static void r810x_pll_power_down(struct rtl8169_private *tp)
 {
-        void __iomem *ioaddr = tp->mmio_addr;
+        if (rtl_wol_pll_power_down(tp))
-        if (__rtl8169_get_wol(tp) & WAKE_ANY) {
-                rtl_writephy(tp, 0x1f, 0x0000);
-                rtl_writephy(tp, MII_BMCR, 0x0000);
-                if (tp->mac_version == RTL_GIGA_MAC_VER_29 ||
-                    tp->mac_version == RTL_GIGA_MAC_VER_30)
-                        RTL_W32(RxConfig, RTL_R32(RxConfig) | AcceptBroadcast |
-                                AcceptMulticast | AcceptMyPhys);
                return;
-        }
        r810x_phy_power_down(tp);
 }
@@ -3430,17 +3451,8 @@ static void r8168_pll_power_down(struct rtl8169_private *tp)
            tp->mac_version == RTL_GIGA_MAC_VER_33)
                rtl_ephy_write(ioaddr, 0x19, 0xff64);
-        if (__rtl8169_get_wol(tp) & WAKE_ANY) {
+        if (rtl_wol_pll_power_down(tp))
-                rtl_writephy(tp, 0x1f, 0x0000);
-                rtl_writephy(tp, MII_BMCR, 0x0000);
-                if (tp->mac_version == RTL_GIGA_MAC_VER_32 ||
-                    tp->mac_version == RTL_GIGA_MAC_VER_33 ||
-                    tp->mac_version == RTL_GIGA_MAC_VER_34)
-                        RTL_W32(RxConfig, RTL_R32(RxConfig) | AcceptBroadcast |
-                                AcceptMulticast | AcceptMyPhys);
                return;
-        }
        r8168_phy_power_down(tp);
@@ -5788,11 +5800,30 @@ static const struct dev_pm_ops rtl8169_pm_ops = {
 #endif /* !CONFIG_PM */
+static void rtl_wol_shutdown_quirk(struct rtl8169_private *tp)
+{
+        void __iomem *ioaddr = tp->mmio_addr;
+        /* WoL fails with 8168b when the receiver is disabled. */
+        switch (tp->mac_version) {
+        case RTL_GIGA_MAC_VER_11:
+        case RTL_GIGA_MAC_VER_12:
+        case RTL_GIGA_MAC_VER_17:
+                pci_clear_master(tp->pci_dev);
+                RTL_W8(ChipCmd, CmdRxEnb);
+                /* PCI commit */
+                RTL_R8(ChipCmd);
+                break;
+        default:
+                break;
+        }
+}
 static void rtl_shutdown(struct pci_dev *pdev)
 {
        struct net_device *dev = pci_get_drvdata(pdev);
        struct rtl8169_private *tp = netdev_priv(dev);
-        void __iomem *ioaddr = tp->mmio_addr;
        rtl8169_net_suspend(dev);
@@ -5806,16 +5837,9 @@ static void rtl_shutdown(struct pci_dev *pdev)
        spin_unlock_irq(&tp->lock);
        if (system_state == SYSTEM_POWER_OFF) {
-                /* WoL fails with 8168b when the receiver is disabled. */
+                if (__rtl8169_get_wol(tp) & WAKE_ANY) {
-                if ((tp->mac_version == RTL_GIGA_MAC_VER_11 ||
+                        rtl_wol_suspend_quirk(tp);
-                     tp->mac_version == RTL_GIGA_MAC_VER_12 ||
+                        rtl_wol_shutdown_quirk(tp);
-                     tp->mac_version == RTL_GIGA_MAC_VER_17) &&
-                    (tp->features & RTL_FEATURE_WOL)) {
-                        pci_clear_master(pdev);
-                        RTL_W8(ChipCmd, CmdRxEnb);
-                        /* PCI commit */
-                        RTL_R8(ChipCmd);
                }
                pci_wake_from_d3(pdev, true);
diff --git a/drivers/net/smsc911x.c b/drivers/net/smsc911x.c
index b9016a30cdc5..c90ddb61cc56 100644
--- a/drivers/net/smsc911x.c
+++ b/drivers/net/smsc911x.c
@@ -26,6 +26,7 @@
 *   LAN9215, LAN9216, LAN9217, LAN9218
 *   LAN9210, LAN9211
 *   LAN9220, LAN9221
+ *   LAN89218
 *
 */
@@ -1983,6 +1984,7 @@ static int __devinit smsc911x_init(struct net_device *dev)
        case 0x01170000:
        case 0x01160000:
        case 0x01150000:
+        case 0x218A0000:
                /* LAN911[5678] family */
                pdata->generation = pdata->idrev & 0x0000FFFF;
                break;
diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
index 4a1374df6084..c11a2b8327f3 100644
--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -15577,7 +15577,7 @@ static void __devexit tg3_remove_one(struct pci_dev *pdev)
                cancel_work_sync(&tp->reset_task);
-                if (!tg3_flag(tp, USE_PHYLIB)) {
+                if (tg3_flag(tp, USE_PHYLIB)) {
                        tg3_phy_fini(tp);
                        tg3_mdio_fini(tp);
                }
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 1aaf915656f3..8fa4430f99c1 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -900,6 +900,7 @@ struct netns_ipvs {
        volatile int            sync_state;
        volatile int            master_syncid;
        volatile int            backup_syncid;
+        struct mutex            sync_mutex;
        /* multicast interface name */
        char                    master_mcast_ifn[IP_VS_IFNAME_MAXLEN];
        char                    backup_mcast_ifn[IP_VS_IFNAME_MAXLEN];
diff --git a/include/net/udplite.h b/include/net/udplite.h
index 673a024c6b2a..5f097ca7d5c5 100644
--- a/include/net/udplite.h
+++ b/include/net/udplite.h
@@ -66,40 +66,34 @@ static inline int udplite_checksum_init(struct sk_buff *skb, struct udphdr *uh)
        return 0;
 }
-static inline int udplite_sender_cscov(struct udp_sock *up, struct udphdr *uh)
+/* Slow-path computation of checksum. Socket is locked. */
+static inline __wsum udplite_csum_outgoing(struct sock *sk, struct sk_buff *skb)
 {
+        const struct udp_sock *up = udp_sk(skb->sk);
        int cscov = up->len;
+        __wsum csum = 0;
-        /*
+        if (up->pcflag & UDPLITE_SEND_CC) {
-         * Sender has set `partial coverage' option on UDP-Lite socket
+                /*
-         */
+                 * Sender has set `partial coverage' option on UDP-Lite socket.
-        if (up->pcflag & UDPLITE_SEND_CC)    {
+                 * The special case "up->pcslen == 0" signifies full coverage.
+                 */
                if (up->pcslen < up->len) {
-                /* up->pcslen == 0 means that full coverage is required,
+                        if (0 < up->pcslen)
-                 * partial coverage only if  0 < up->pcslen < up->len */
+                                cscov = up->pcslen;
-                        if (0 < up->pcslen) {
+                        udp_hdr(skb)->len = htons(up->pcslen);
-                               cscov = up->pcslen;
-                        }
-                        uh->len = htons(up->pcslen);
                }
-        /*
+                /*
-         * NOTE: Causes for the error case  `up->pcslen > up->len':
+                 * NOTE: Causes for the error case  `up->pcslen > up->len':
-         *        (i)  Application error (will not be penalized).
+                 *        (i)  Application error (will not be penalized).
-         *       (ii)  Payload too big for send buffer: data is split
+                 *       (ii)  Payload too big for send buffer: data is split
-         *             into several packets, each with its own header.
+                 *             into several packets, each with its own header.
-         *             In this case (e.g. last segment), coverage may
+                 *             In this case (e.g. last segment), coverage may
-         *             exceed packet length.
+                 *             exceed packet length.
-         *       Since packets with coverage length > packet length are
+                 *       Since packets with coverage length > packet length are
-         *       illegal, we fall back to the defaults here.
+                 *       illegal, we fall back to the defaults here.
-         */
+                 */
        }
-        return cscov;
-}
-static inline __wsum udplite_csum_outgoing(struct sock *sk, struct sk_buff *skb)
-{
-        int cscov = udplite_sender_cscov(udp_sk(sk), udp_hdr(skb));
-        __wsum csum = 0;
        skb->ip_summed = CHECKSUM_NONE;     /* no HW support for checksumming */
@@ -115,16 +109,21 @@ static inline __wsum udplite_csum_outgoing(struct sock *sk, struct sk_buff *skb)
        return csum;
 }
+/* Fast-path computation of checksum. Socket may not be locked. */
 static inline __wsum udplite_csum(struct sk_buff *skb)
 {
-        struct sock *sk = skb->sk;
+        const struct udp_sock *up = udp_sk(skb->sk);
-        int cscov = udplite_sender_cscov(udp_sk(sk), udp_hdr(skb));
        const int off = skb_transport_offset(skb);
-        const int len = skb->len - off;
+        int len = skb->len - off;
+        if ((up->pcflag & UDPLITE_SEND_CC) && up->pcslen < len) {
+                if (0 < up->pcslen)
+                        len = up->pcslen;
+                udp_hdr(skb)->len = htons(up->pcslen);
+        }
        skb->ip_summed = CHECKSUM_NONE;     /* no HW support for checksumming */
-        return skb_checksum(skb, off, min(cscov, len), 0);
+        return skb_checksum(skb, off, len, 0);
 }
 extern void     udplite4_register(void);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 61f1f623091d..e8292369cdcf 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -26,6 +26,8 @@
 /* Bluetooth L2CAP sockets. */
+#include <linux/security.h>
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/l2cap.h>
@@ -933,6 +935,8 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
                chan->force_reliable = pchan->force_reliable;
                chan->flushable = pchan->flushable;
                chan->force_active = pchan->force_active;
+                security_sk_clone(parent, sk);
        } else {
                switch (sk->sk_type) {
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 482722bbc7a0..5417f6127323 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -42,6 +42,7 @@
 #include <linux/device.h>
 #include <linux/debugfs.h>
 #include <linux/seq_file.h>
+#include <linux/security.h>
 #include <net/sock.h>
 #include <asm/system.h>
@@ -264,6 +265,8 @@ static void rfcomm_sock_init(struct sock *sk, struct sock *parent)
                pi->sec_level = rfcomm_pi(parent)->sec_level;
                pi->role_switch = rfcomm_pi(parent)->role_switch;
+                security_sk_clone(parent, sk);
        } else {
                pi->dlc->defer_setup = 0;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 8270f05e3f1f..a324b009e34b 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -41,6 +41,7 @@
 #include <linux/debugfs.h>
 #include <linux/seq_file.h>
 #include <linux/list.h>
+#include <linux/security.h>
 #include <net/sock.h>
 #include <asm/system.h>
@@ -403,8 +404,10 @@ static void sco_sock_init(struct sock *sk, struct sock *parent)
 {
        BT_DBG("sk %p", sk);
-        if (parent)
+        if (parent) {
                sk->sk_type = parent->sk_type;
+                security_sk_clone(parent, sk);
+        }
 }
 static struct proto sco_proto = {
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index e73815456adf..1d420f64ff27 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -161,9 +161,10 @@ static void del_nbp(struct net_bridge_port *p)
        call_rcu(&p->rcu, destroy_nbp_rcu);
 }
-/* called with RTNL */
+/* Delete bridge device */
-static void del_br(struct net_bridge *br, struct list_head *head)
+void br_dev_delete(struct net_device *dev, struct list_head *head)
 {
+        struct net_bridge *br = netdev_priv(dev);
        struct net_bridge_port *p, *n;
        list_for_each_entry_safe(p, n, &br->port_list, list) {
@@ -268,7 +269,7 @@ int br_del_bridge(struct net *net, const char *name)
        }
        else
-                del_br(netdev_priv(dev), NULL);
+                br_dev_delete(dev, NULL);
        rtnl_unlock();
        return ret;
@@ -449,7 +450,7 @@ void __net_exit br_net_exit(struct net *net)
        rtnl_lock();
        for_each_netdev(net, dev)
                if (dev->priv_flags & IFF_EBRIDGE)
-                        del_br(netdev_priv(dev), &list);
+                        br_dev_delete(dev, &list);
        unregister_netdevice_many(&list);
        rtnl_unlock();
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 5b1ed1ba9aa7..e5f9ece3c9a0 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -210,6 +210,7 @@ static struct rtnl_link_ops br_link_ops __read_mostly = {
        .priv_size      = sizeof(struct net_bridge),
        .setup          = br_dev_setup,
        .validate       = br_validate,
+        .dellink        = br_dev_delete,
 };
 int __init br_netlink_init(void)
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 78cc364997d9..857a021deea9 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -294,6 +294,7 @@ static inline int br_is_root_bridge(const struct net_bridge *br)
 /* br_device.c */
 extern void br_dev_setup(struct net_device *dev);
+extern void br_dev_delete(struct net_device *dev, struct list_head *list);
 extern netdev_tx_t br_dev_xmit(struct sk_buff *skb,
                               struct net_device *dev);
 #ifdef CONFIG_NET_POLL_CONTROLLER
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 3231b468bb72..27071ee2a4e1 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -475,8 +475,11 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
                list_del_rcu(&rule->list);
-                if (rule->action == FR_ACT_GOTO)
+                if (rule->action == FR_ACT_GOTO) {
                        ops->nr_goto_rules--;
+                        if (rtnl_dereference(rule->ctarget) == NULL)
+                                ops->unresolved_rules--;
+                }
                /*
                 * Check if this rule is a target to any of them. If so,
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index d2fe4e06b472..0ce3d06dce60 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -328,6 +328,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
                struct tcp_timewait_sock *tcptw = tcp_twsk((struct sock *)tw);
                const int rto = (icsk->icsk_rto << 2) - (icsk->icsk_rto >> 1);
+                tw->tw_transparent      = inet_sk(sk)->transparent;
                tw->tw_rcv_wscale       = tp->rx_opt.rcv_wscale;
                tcptw->tw_rcv_nxt       = tp->rcv_nxt;
                tcptw->tw_snd_nxt       = tp->snd_nxt;
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index ad4ac2601a56..34b2ddeacb67 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1045,8 +1045,10 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
        headroom = NET_SKB_PAD + sizeof(struct iphdr) +
                uhlen + hdr_len;
        old_headroom = skb_headroom(skb);
-        if (skb_cow_head(skb, headroom))
+        if (skb_cow_head(skb, headroom)) {
+                dev_kfree_skb(skb);
                goto abort;
+        }
        new_headroom = skb_headroom(skb);
        skb_orphan(skb);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 5290ac353a5e..e3be48bf4dcd 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2283,6 +2283,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        struct ip_vs_service *svc;
        struct ip_vs_dest_user *udest_compat;
        struct ip_vs_dest_user_kern udest;
+        struct netns_ipvs *ipvs = net_ipvs(net);
        if (!capable(CAP_NET_ADMIN))
                return -EPERM;
@@ -2303,6 +2304,24 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        /* increase the module use count */
        ip_vs_use_count_inc();
+        /* Handle daemons since they have another lock */
+        if (cmd == IP_VS_SO_SET_STARTDAEMON ||
+            cmd == IP_VS_SO_SET_STOPDAEMON) {
+                struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
+                if (mutex_lock_interruptible(&ipvs->sync_mutex)) {
+                        ret = -ERESTARTSYS;
+                        goto out_dec;
+                }
+                if (cmd == IP_VS_SO_SET_STARTDAEMON)
+                        ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
+                                                dm->syncid);
+                else
+                        ret = stop_sync_thread(net, dm->state);
+                mutex_unlock(&ipvs->sync_mutex);
+                goto out_dec;
+        }
        if (mutex_lock_interruptible(&__ip_vs_mutex)) {
                ret = -ERESTARTSYS;
                goto out_dec;
@@ -2316,15 +2335,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
                /* Set timeout values for (tcp tcpfin udp) */
                ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);
                goto out_unlock;
-        } else if (cmd == IP_VS_SO_SET_STARTDAEMON) {
-                struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
-                ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
-                                        dm->syncid);
-                goto out_unlock;
-        } else if (cmd == IP_VS_SO_SET_STOPDAEMON) {
-                struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
-                ret = stop_sync_thread(net, dm->state);
-                goto out_unlock;
        }
        usvc_compat = (struct ip_vs_service_user *)arg;
@@ -2584,6 +2594,33 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        if (copy_from_user(arg, user, copylen) != 0)
                return -EFAULT;
+        /*
+         * Handle daemons first since it has its own locking
+         */
+        if (cmd == IP_VS_SO_GET_DAEMON) {
+                struct ip_vs_daemon_user d[2];
+                memset(&d, 0, sizeof(d));
+                if (mutex_lock_interruptible(&ipvs->sync_mutex))
+                        return -ERESTARTSYS;
+                if (ipvs->sync_state & IP_VS_STATE_MASTER) {
+                        d[0].state = IP_VS_STATE_MASTER;
+                        strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
+                                sizeof(d[0].mcast_ifn));
+                        d[0].syncid = ipvs->master_syncid;
+                }
+                if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
+                        d[1].state = IP_VS_STATE_BACKUP;
+                        strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
+                                sizeof(d[1].mcast_ifn));
+                        d[1].syncid = ipvs->backup_syncid;
+                }
+                if (copy_to_user(user, &d, sizeof(d)) != 0)
+                        ret = -EFAULT;
+                mutex_unlock(&ipvs->sync_mutex);
+                return ret;
+        }
        if (mutex_lock_interruptible(&__ip_vs_mutex))
                return -ERESTARTSYS;
@@ -2681,28 +2718,6 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        }
        break;
-        case IP_VS_SO_GET_DAEMON:
-        {
-                struct ip_vs_daemon_user d[2];
-                memset(&d, 0, sizeof(d));
-                if (ipvs->sync_state & IP_VS_STATE_MASTER) {
-                        d[0].state = IP_VS_STATE_MASTER;
-                        strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
-                                sizeof(d[0].mcast_ifn));
-                        d[0].syncid = ipvs->master_syncid;
-                }
-                if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
-                        d[1].state = IP_VS_STATE_BACKUP;
-                        strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
-                                sizeof(d[1].mcast_ifn));
-                        d[1].syncid = ipvs->backup_syncid;
-                }
-                if (copy_to_user(user, &d, sizeof(d)) != 0)
-                        ret = -EFAULT;
-        }
-        break;
        default:
                ret = -EINVAL;
        }
@@ -3205,7 +3220,7 @@ static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
        struct net *net = skb_sknet(skb);
        struct netns_ipvs *ipvs = net_ipvs(net);
-        mutex_lock(&__ip_vs_mutex);
+        mutex_lock(&ipvs->sync_mutex);
        if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
                if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
                                           ipvs->master_mcast_ifn,
@@ -3225,7 +3240,7 @@ static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
        }
 nla_put_failure:
-        mutex_unlock(&__ip_vs_mutex);
+        mutex_unlock(&ipvs->sync_mutex);
        return skb->len;
 }
@@ -3271,13 +3286,9 @@ static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)
        return ip_vs_set_timeout(net, &t);
 }
-static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
+static int ip_vs_genl_set_daemon(struct sk_buff *skb, struct genl_info *info)
 {
-        struct ip_vs_service *svc = NULL;
-        struct ip_vs_service_user_kern usvc;
-        struct ip_vs_dest_user_kern udest;
        int ret = 0, cmd;
-        int need_full_svc = 0, need_full_dest = 0;
        struct net *net;
        struct netns_ipvs *ipvs;
@@ -3285,19 +3296,10 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
        ipvs = net_ipvs(net);
        cmd = info->genlhdr->cmd;
-        mutex_lock(&__ip_vs_mutex);
+        if (cmd == IPVS_CMD_NEW_DAEMON || cmd == IPVS_CMD_DEL_DAEMON) {
-        if (cmd == IPVS_CMD_FLUSH) {
-                ret = ip_vs_flush(net);
-                goto out;
-        } else if (cmd == IPVS_CMD_SET_CONFIG) {
-                ret = ip_vs_genl_set_config(net, info->attrs);
-                goto out;
-        } else if (cmd == IPVS_CMD_NEW_DAEMON ||
-                   cmd == IPVS_CMD_DEL_DAEMON) {
                struct nlattr *daemon_attrs[IPVS_DAEMON_ATTR_MAX + 1];
+                mutex_lock(&ipvs->sync_mutex);
                if (!info->attrs[IPVS_CMD_ATTR_DAEMON] ||
                    nla_parse_nested(daemon_attrs, IPVS_DAEMON_ATTR_MAX,
                                     info->attrs[IPVS_CMD_ATTR_DAEMON],
@@ -3310,6 +3312,33 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
                        ret = ip_vs_genl_new_daemon(net, daemon_attrs);
                else
                        ret = ip_vs_genl_del_daemon(net, daemon_attrs);
+out:
+                mutex_unlock(&ipvs->sync_mutex);
+        }
+        return ret;
+}
+static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
+{
+        struct ip_vs_service *svc = NULL;
+        struct ip_vs_service_user_kern usvc;
+        struct ip_vs_dest_user_kern udest;
+        int ret = 0, cmd;
+        int need_full_svc = 0, need_full_dest = 0;
+        struct net *net;
+        struct netns_ipvs *ipvs;
+        net = skb_sknet(skb);
+        ipvs = net_ipvs(net);
+        cmd = info->genlhdr->cmd;
+        mutex_lock(&__ip_vs_mutex);
+        if (cmd == IPVS_CMD_FLUSH) {
+                ret = ip_vs_flush(net);
+                goto out;
+        } else if (cmd == IPVS_CMD_SET_CONFIG) {
+                ret = ip_vs_genl_set_config(net, info->attrs);
                goto out;
        } else if (cmd == IPVS_CMD_ZERO &&
                   !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
@@ -3536,13 +3565,13 @@ static struct genl_ops ip_vs_genl_ops[] __read_mostly = {
                .cmd    = IPVS_CMD_NEW_DAEMON,
                .flags  = GENL_ADMIN_PERM,
                .policy = ip_vs_cmd_policy,
-                .doit   = ip_vs_genl_set_cmd,
+                .doit   = ip_vs_genl_set_daemon,
        },
        {
                .cmd    = IPVS_CMD_DEL_DAEMON,
                .flags  = GENL_ADMIN_PERM,
                .policy = ip_vs_cmd_policy,
-                .doit   = ip_vs_genl_set_cmd,
+                .doit   = ip_vs_genl_set_daemon,
        },
        {
                .cmd    = IPVS_CMD_GET_DAEMON,
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index 7ee7215b8ba0..3cdd479f9b5d 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -61,6 +61,7 @@
 #define SYNC_PROTO_VER  1               /* Protocol version in header */
+static struct lock_class_key __ipvs_sync_key;
 /*
 *      IPVS sync connection entry
 *      Version 0, i.e. original version.
@@ -1545,6 +1546,7 @@ int start_sync_thread(struct net *net, int state, char *mcast_ifn, __u8 syncid)
        IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n",
                  sizeof(struct ip_vs_sync_conn_v0));
        if (state == IP_VS_STATE_MASTER) {
                if (ipvs->master_thread)
                        return -EEXIST;
@@ -1667,6 +1669,7 @@ int __net_init ip_vs_sync_net_init(struct net *net)
 {
        struct netns_ipvs *ipvs = net_ipvs(net);
+        __mutex_init(&ipvs->sync_mutex, "ipvs->sync_mutex", &__ipvs_sync_key);
        INIT_LIST_HEAD(&ipvs->sync_queue);
        spin_lock_init(&ipvs->sync_lock);
        spin_lock_init(&ipvs->sync_buff_lock);
@@ -1680,7 +1683,9 @@ int __net_init ip_vs_sync_net_init(struct net *net)
 void ip_vs_sync_net_cleanup(struct net *net)
 {
        int retc;
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        mutex_lock(&ipvs->sync_mutex);
        retc = stop_sync_thread(net, IP_VS_STATE_MASTER);
        if (retc && retc != -ESRCH)
                pr_err("Failed to stop Master Daemon\n");
@@ -1688,4 +1693,5 @@ void ip_vs_sync_net_cleanup(struct net *net)
        retc = stop_sync_thread(net, IP_VS_STATE_BACKUP);
        if (retc && retc != -ESRCH)
                pr_err("Failed to stop Backup Daemon\n");
+        mutex_unlock(&ipvs->sync_mutex);
 }
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index cf616e55ca41..d69facdd9a7a 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -241,8 +241,8 @@ static int gre_packet(struct nf_conn *ct,
                nf_ct_refresh_acct(ct, ctinfo, skb,
                                   ct->proto.gre.stream_timeout);
                /* Also, more likely to be important, and not a probe. */
-                set_bit(IPS_ASSURED_BIT, &ct->status);
+                if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
-                nf_conntrack_event_cache(IPCT_ASSURED, ct);
+                        nf_conntrack_event_cache(IPCT_ASSURED, ct);
        } else
                nf_ct_refresh_acct(ct, ctinfo, skb,
                                   ct->proto.gre.timeout);
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index d30615419b4d..5f03e4ea65bf 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -91,7 +91,7 @@ int x25_parse_address_block(struct sk_buff *skb,
        int needed;
        int rc;
-        if (skb->len < 1) {
+        if (!pskb_may_pull(skb, 1)) {
                /* packet has no address block */
                rc = 0;
                goto empty;
@@ -100,7 +100,7 @@ int x25_parse_address_block(struct sk_buff *skb,
        len = *skb->data;
        needed = 1 + (len >> 4) + (len & 0x0f);
-        if (skb->len < needed) {
+        if (!pskb_may_pull(skb, needed)) {
                /* packet is too short to hold the addresses it claims
                   to hold */
                rc = -1;
@@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr,
                         * Found a listening socket, now check the incoming
                         * call user data vs this sockets call user data
                         */
-                        if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) {
+                        if (x25_sk(s)->cudmatchlength > 0 &&
+                                skb->len >= x25_sk(s)->cudmatchlength) {
                                if((memcmp(x25_sk(s)->calluserdata.cuddata,
                                        skb->data,
                                        x25_sk(s)->cudmatchlength)) == 0) {
@@ -951,14 +952,27 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
         *
         *      Facilities length is mandatory in call request packets
         */
-        if (skb->len < 1)
+        if (!pskb_may_pull(skb, 1))
                goto out_clear_request;
        len = skb->data[0] + 1;
-        if (skb->len < len)
+        if (!pskb_may_pull(skb, len))
                goto out_clear_request;
        skb_pull(skb,len);
        /*
+         *      Ensure that the amount of call user data is valid.
+         */
+        if (skb->len > X25_MAX_CUD_LEN)
+                goto out_clear_request;
+        /*
+         *      Get all the call user data so it can be used in
+         *      x25_find_listener and skb_copy_from_linear_data up ahead.
+         */
+        if (!pskb_may_pull(skb, skb->len))
+                goto out_clear_request;
+        /*
         *      Find a listener for the particular address/cud pair.
         */
        sk = x25_find_listener(&source_addr,skb);
@@ -1166,6 +1180,9 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
         *      byte of the user data is the logical value of the Q Bit.
         */
        if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {
+                if (!pskb_may_pull(skb, 1))
+                        goto out_kfree_skb;
                qbit = skb->data[0];
                skb_pull(skb, 1);
        }
@@ -1244,7 +1261,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
        struct x25_sock *x25 = x25_sk(sk);
        struct sockaddr_x25 *sx25 = (struct sockaddr_x25 *)msg->msg_name;
        size_t copied;
-        int qbit;
+        int qbit, header_len = x25->neighbour->extended ?
+                X25_EXT_MIN_LEN : X25_STD_MIN_LEN;
        struct sk_buff *skb;
        unsigned char *asmptr;
        int rc = -ENOTCONN;
@@ -1265,6 +1284,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
                skb = skb_dequeue(&x25->interrupt_in_queue);
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                        goto out_free_dgram;
                skb_pull(skb, X25_STD_MIN_LEN);
                /*
@@ -1285,10 +1307,12 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
                if (!skb)
                        goto out;
+                if (!pskb_may_pull(skb, header_len))
+                        goto out_free_dgram;
                qbit = (skb->data[0] & X25_Q_BIT) == X25_Q_BIT;
-                skb_pull(skb, x25->neighbour->extended ?
+                skb_pull(skb, header_len);
-                                X25_EXT_MIN_LEN : X25_STD_MIN_LEN);
                if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {
                        asmptr  = skb_push(skb, 1);
diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
index e547ca1578c3..fa2b41888bd9 100644
--- a/net/x25/x25_dev.c
+++ b/net/x25/x25_dev.c
@@ -32,6 +32,9 @@ static int x25_receive_data(struct sk_buff *skb, struct x25_neigh *nb)
        unsigned short frametype;
        unsigned int lci;
+        if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                return 0;
        frametype = skb->data[2];
        lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
@@ -115,6 +118,9 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
                goto drop;
        }
+        if (!pskb_may_pull(skb, 1))
+                return 0;
        switch (skb->data[0]) {
        case X25_IFACE_DATA:
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index f77e4e75f914..36384a1fa9f2 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -44,7 +44,7 @@
 int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
 {
-        unsigned char *p = skb->data;
+        unsigned char *p;
        unsigned int len;
        *vc_fac_mask = 0;
@@ -60,14 +60,16 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
        memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
        memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
-        if (skb->len < 1)
+        if (!pskb_may_pull(skb, 1))
                return 0;
-        len = *p++;
+        len = skb->data[0];
-        if (len >= skb->len)
+        if (!pskb_may_pull(skb, 1 + len))
                return -1;
+        p = skb->data + 1;
        while (len > 0) {
                switch (*p & X25_FAC_CLASS_MASK) {
                case X25_FAC_CLASS_A:
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 0b073b51b183..a49cd4ec551a 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -107,6 +107,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                /*
                 *      Parse the data in the frame.
                 */
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                        goto out_clear;
                skb_pull(skb, X25_STD_MIN_LEN);
                len = x25_parse_address_block(skb, &source_addr,
@@ -127,9 +129,11 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                 *      Copy any Call User Data.
                 */
                if (skb->len > 0) {
-                        skb_copy_from_linear_data(skb,
+                        if (skb->len > X25_MAX_CUD_LEN)
-                                                  x25->calluserdata.cuddata,
+                                goto out_clear;
-                                                  skb->len);
+                        skb_copy_bits(skb, 0, x25->calluserdata.cuddata,
+                                skb->len);
                        x25->calluserdata.cudlength = skb->len;
                }
                if (!sock_flag(sk, SOCK_DEAD))
@@ -137,6 +141,9 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                break;
        }
        case X25_CLEAR_REQUEST:
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                        goto out_clear;
                x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
                x25_disconnect(sk, ECONNREFUSED, skb->data[3], skb->data[4]);
                break;
@@ -164,6 +171,9 @@ static int x25_state2_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        switch (frametype) {
                case X25_CLEAR_REQUEST:
+                        if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                                goto out_clear;
                        x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
                        x25_disconnect(sk, 0, skb->data[3], skb->data[4]);
                        break;
@@ -177,6 +187,11 @@ static int x25_state2_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        }
        return 0;
+out_clear:
+        x25_write_internal(sk, X25_CLEAR_REQUEST);
+        x25_start_t23timer(sk);
+        return 0;
 }
 /*
@@ -206,6 +221,9 @@ static int x25_state3_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                        break;
                case X25_CLEAR_REQUEST:
+                        if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                                goto out_clear;
                        x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
                        x25_disconnect(sk, 0, skb->data[3], skb->data[4]);
                        break;
@@ -304,6 +322,12 @@ static int x25_state3_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        }
        return queued;
+out_clear:
+        x25_write_internal(sk, X25_CLEAR_REQUEST);
+        x25->state = X25_STATE_2;
+        x25_start_t23timer(sk);
+        return 0;
 }
 /*
@@ -313,13 +337,13 @@ static int x25_state3_machine(struct sock *sk, struct sk_buff *skb, int frametyp
 */
 static int x25_state4_machine(struct sock *sk, struct sk_buff *skb, int frametype)
 {
+        struct x25_sock *x25 = x25_sk(sk);
        switch (frametype) {
                case X25_RESET_REQUEST:
                        x25_write_internal(sk, X25_RESET_CONFIRMATION);
                case X25_RESET_CONFIRMATION: {
-                        struct x25_sock *x25 = x25_sk(sk);
                        x25_stop_timer(sk);
                        x25->condition = 0x00;
                        x25->va        = 0;
@@ -331,6 +355,9 @@ static int x25_state4_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                        break;
                }
                case X25_CLEAR_REQUEST:
+                        if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                                goto out_clear;
                        x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
                        x25_disconnect(sk, 0, skb->data[3], skb->data[4]);
                        break;
@@ -340,6 +367,12 @@ static int x25_state4_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        }
        return 0;
+out_clear:
+        x25_write_internal(sk, X25_CLEAR_REQUEST);
+        x25->state = X25_STATE_2;
+        x25_start_t23timer(sk);
+        return 0;
 }
 /* Higher level upcall for a LAPB frame */
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index 037958ff8eed..4acacf3c6617 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -90,6 +90,9 @@ void x25_link_control(struct sk_buff *skb, struct x25_neigh *nb,
                break;
        case X25_DIAGNOSTIC:
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 4))
+                        break;
                printk(KERN_WARNING "x25: diagnostic #%d - %02X %02X %02X\n",
                       skb->data[3], skb->data[4],
                       skb->data[5], skb->data[6]);
diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
index 24a342ebc7f5..5170d52bfd96 100644
--- a/net/x25/x25_subr.c
+++ b/net/x25/x25_subr.c
@@ -269,7 +269,11 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q,
               int *d, int *m)
 {
        struct x25_sock *x25 = x25_sk(sk);
-        unsigned char *frame = skb->data;
+        unsigned char *frame;
+        if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                return X25_ILLEGAL;
+        frame = skb->data;
        *ns = *nr = *q = *d = *m = 0;
@@ -294,6 +298,10 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q,
                if (frame[2] == X25_RR  ||
                    frame[2] == X25_RNR ||
                    frame[2] == X25_REJ) {
+                        if (!pskb_may_pull(skb, X25_EXT_MIN_LEN))
+                                return X25_ILLEGAL;
+                        frame = skb->data;
                        *nr = (frame[3] >> 1) & 0x7F;
                        return frame[2];
                }
@@ -308,6 +316,10 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q,
        if (x25->neighbour->extended) {
                if ((frame[2] & 0x01) == X25_DATA) {
+                        if (!pskb_may_pull(skb, X25_EXT_MIN_LEN))
+                                return X25_ILLEGAL;
+                        frame = skb->data;
                        *q  = (frame[0] & X25_Q_BIT) == X25_Q_BIT;
                        *d  = (frame[0] & X25_D_BIT) == X25_D_BIT;
                        *m  = (frame[3] & X25_EXT_M_BIT) == X25_EXT_M_BIT;
diff --git a/security/security.c b/security/security.c
index 0e4fccfef12c..d9e153390926 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1097,6 +1097,7 @@ void security_sk_clone(const struct sock *sk, struct sock *newsk)
 {
        security_ops->sk_clone_security(sk, newsk);
 }
+EXPORT_SYMBOL(security_sk_clone);
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {