389 files changed, 15572 insertions, 8354 deletions
diff --git a/net/802/garp.c b/net/802/garp.c
index c1df2dad8c6b..16102951d36a 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -554,8 +554,7 @@ static void garp_release_port(struct net_device *dev)
                        return;
        }
        rcu_assign_pointer(dev->garp_port, NULL);
-        synchronize_rcu();
+        kfree_rcu(port, rcu);
-        kfree(port);
 }
 int garp_init_applicant(struct net_device *dev, struct garp_application *appl)
@@ -607,7 +606,6 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
        ASSERT_RTNL();
        rcu_assign_pointer(port->applicants[appl->type], NULL);
-        synchronize_rcu();
        /* Delete timer and generate a final TRANSMIT_PDU event to flush out
         * all pending messages before the applicant is gone. */
@@ -617,7 +615,7 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
        garp_queue_xmit(app);
        dev_mc_del(dev, appl->proto.group_address);
-        kfree(app);
+        kfree_rcu(app, rcu);
        garp_release_port(dev);
 }
 EXPORT_SYMBOL_GPL(garp_uninit_applicant);
diff --git a/net/802/psnap.c b/net/802/psnap.c
index 21cde8fd5795..db6baf7cf6e9 100644
--- a/net/802/psnap.c
+++ b/net/802/psnap.c
@@ -147,7 +147,6 @@ struct datalink_proto *register_snap_client(const unsigned char *desc,
 out:
        spin_unlock_bh(&snap_lock);
-        synchronize_net();
        return proto;
 }
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 0eb1a886b370..917ecb93ea28 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -46,13 +46,6 @@ int vlan_net_id __read_mostly;
 const char vlan_fullname[] = "802.1Q VLAN Support";
 const char vlan_version[] = DRV_VERSION;
-static const char vlan_copyright[] = "Ben Greear <greearb@candelatech.com>";
-static const char vlan_buggyright[] = "David S. Miller <davem@redhat.com>";
-static struct packet_type vlan_packet_type __read_mostly = {
-        .type = cpu_to_be16(ETH_P_8021Q),
-        .func = vlan_skb_recv, /* VLAN receive method */
-};
 /* End of global variables definitions. */
@@ -128,9 +121,10 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
                vlan_gvrp_request_leave(dev);
        vlan_group_set_device(grp, vlan_id, NULL);
-        if (!grp->killall)
+        /* Because unregister_netdevice_queue() makes sure at least one rcu
-                synchronize_net();
+         * grace period is respected before device freeing,
+         * we dont need to call synchronize_net() here.
+         */
        unregister_netdevice_queue(dev, head);
        /* If the group is now empty, kill off the group. */
@@ -211,7 +205,7 @@ int register_vlan_dev(struct net_device *dev)
        grp->nr_vlans++;
        if (ngrp) {
-                if (ops->ndo_vlan_rx_register)
+                if (ops->ndo_vlan_rx_register && (real_dev->features & NETIF_F_HW_VLAN_RX))
                        ops->ndo_vlan_rx_register(real_dev, ngrp);
                rcu_assign_pointer(real_dev->vlgrp, ngrp);
        }
@@ -330,10 +324,6 @@ static void vlan_sync_address(struct net_device *dev,
 static void vlan_transfer_features(struct net_device *dev,
                                   struct net_device *vlandev)
 {
-        u32 old_features = vlandev->features;
-        vlandev->features &= ~dev->vlan_features;
-        vlandev->features |= dev->features & dev->vlan_features;
        vlandev->gso_max_size = dev->gso_max_size;
        if (dev->features & NETIF_F_HW_VLAN_TX)
@@ -344,8 +334,8 @@ static void vlan_transfer_features(struct net_device *dev,
 #if defined(CONFIG_FCOE) || defined(CONFIG_FCOE_MODULE)
        vlandev->fcoe_ddp_xid = dev->fcoe_ddp_xid;
 #endif
-        if (old_features != vlandev->features)
-                netdev_features_change(vlandev);
+        netdev_update_features(vlandev);
 }
 static void __vlan_device_event(struct net_device *dev, unsigned long event)
@@ -490,9 +480,6 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
                if (dev->reg_state != NETREG_UNREGISTERING)
                        break;
-                /* Delete all VLANs for this dev. */
-                grp->killall = 1;
                for (i = 0; i < VLAN_N_VID; i++) {
                        vlandev = vlan_group_get_device(grp, i);
                        if (!vlandev)
@@ -511,6 +498,18 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
        case NETDEV_PRE_TYPE_CHANGE:
                /* Forbid underlaying device to change its type. */
                return NOTIFY_BAD;
+        case NETDEV_NOTIFY_PEERS:
+        case NETDEV_BONDING_FAILOVER:
+                /* Propagate to vlan devices */
+                for (i = 0; i < VLAN_N_VID; i++) {
+                        vlandev = vlan_group_get_device(grp, i);
+                        if (!vlandev)
+                                continue;
+                        call_netdevice_notifiers(event, vlandev);
+                }
+                break;
        }
 out:
@@ -672,8 +671,7 @@ static int __init vlan_proto_init(void)
 {
        int err;
-        pr_info("%s v%s %s\n", vlan_fullname, vlan_version, vlan_copyright);
+        pr_info("%s v%s\n", vlan_fullname, vlan_version);
-        pr_info("All bugs added by %s\n", vlan_buggyright);
        err = register_pernet_subsys(&vlan_net_ops);
        if (err < 0)
@@ -691,7 +689,6 @@ static int __init vlan_proto_init(void)
        if (err < 0)
                goto err4;
-        dev_add_pack(&vlan_packet_type);
        vlan_ioctl_set(vlan_ioctl_handler);
        return 0;
@@ -712,8 +709,6 @@ static void __exit vlan_cleanup_module(void)
        unregister_netdevice_notifier(&vlan_notifier_block);
-        dev_remove_pack(&vlan_packet_type);
        unregister_pernet_subsys(&vlan_net_ops);
        rcu_barrier(); /* Wait for completion of call_rcu()'s */
diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
index 5687c9b95f33..9da07e30d1a2 100644
--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -75,8 +75,6 @@ static inline struct vlan_dev_info *vlan_dev_info(const struct net_device *dev)
 }
 /* found in vlan_dev.c */
-int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
-                  struct packet_type *ptype, struct net_device *orig_dev);
 void vlan_dev_set_ingress_priority(const struct net_device *dev,
                                   u32 skb_prio, u16 vlan_prio);
 int vlan_dev_set_egress_priority(const struct net_device *dev,
@@ -120,11 +118,6 @@ extern void vlan_netlink_fini(void);
 extern struct rtnl_link_ops vlan_link_ops;
-static inline int is_vlan_dev(struct net_device *dev)
-{
-        return dev->priv_flags & IFF_802_1Q_VLAN;
-}
 extern int vlan_net_id;
 struct proc_dir_entry;
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index ce8e3ab3e7a5..fcc684678af6 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -4,7 +4,7 @@
 #include <linux/netpoll.h>
 #include "vlan.h"
-bool vlan_hwaccel_do_receive(struct sk_buff **skbp)
+bool vlan_do_receive(struct sk_buff **skbp)
 {
        struct sk_buff *skb = *skbp;
        u16 vlan_id = skb->vlan_tci & VLAN_VID_MASK;
@@ -23,6 +23,31 @@ bool vlan_hwaccel_do_receive(struct sk_buff **skbp)
                return false;
        skb->dev = vlan_dev;
+        if (skb->pkt_type == PACKET_OTHERHOST) {
+                /* Our lower layer thinks this is not local, let's make sure.
+                 * This allows the VLAN to have a different MAC than the
+                 * underlying device, and still route correctly. */
+                if (!compare_ether_addr(eth_hdr(skb)->h_dest,
+                                        vlan_dev->dev_addr))
+                        skb->pkt_type = PACKET_HOST;
+        }
+        if (!(vlan_dev_info(vlan_dev)->flags & VLAN_FLAG_REORDER_HDR)) {
+                unsigned int offset = skb->data - skb_mac_header(skb);
+                /*
+                 * vlan_insert_tag expect skb->data pointing to mac header.
+                 * So change skb->data before calling it and change back to
+                 * original position later
+                 */
+                skb_push(skb, offset);
+                skb = *skbp = vlan_insert_tag(skb, skb->vlan_tci);
+                if (!skb)
+                        return false;
+                skb_pull(skb, offset + VLAN_HLEN);
+                skb_reset_mac_len(skb);
+        }
        skb->priority = vlan_get_ingress_priority(vlan_dev, skb->vlan_tci);
        skb->vlan_tci = 0;
@@ -31,22 +56,8 @@ bool vlan_hwaccel_do_receive(struct sk_buff **skbp)
        u64_stats_update_begin(&rx_stats->syncp);
        rx_stats->rx_packets++;
        rx_stats->rx_bytes += skb->len;
+        if (skb->pkt_type == PACKET_MULTICAST)
-        switch (skb->pkt_type) {
-        case PACKET_BROADCAST:
-                break;
-        case PACKET_MULTICAST:
                rx_stats->rx_multicast++;
-                break;
-        case PACKET_OTHERHOST:
-                /* Our lower layer thinks this is not local, let's make sure.
-                 * This allows the VLAN to have a different MAC than the
-                 * underlying device, and still route correctly. */
-                if (!compare_ether_addr(eth_hdr(skb)->h_dest,
-                                        vlan_dev->dev_addr))
-                        skb->pkt_type = PACKET_HOST;
-                break;
-        }
        u64_stats_update_end(&rx_stats->syncp);
        return true;
@@ -88,3 +99,81 @@ gro_result_t vlan_gro_frags(struct napi_struct *napi, struct vlan_group *grp,
        return napi_gro_frags(napi);
 }
 EXPORT_SYMBOL(vlan_gro_frags);
+static struct sk_buff *vlan_reorder_header(struct sk_buff *skb)
+{
+        if (skb_cow(skb, skb_headroom(skb)) < 0)
+                return NULL;
+        memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
+        skb->mac_header += VLAN_HLEN;
+        skb_reset_mac_len(skb);
+        return skb;
+}
+static void vlan_set_encap_proto(struct sk_buff *skb, struct vlan_hdr *vhdr)
+{
+        __be16 proto;
+        unsigned char *rawp;
+        /*
+         * Was a VLAN packet, grab the encapsulated protocol, which the layer
+         * three protocols care about.
+         */
+        proto = vhdr->h_vlan_encapsulated_proto;
+        if (ntohs(proto) >= 1536) {
+                skb->protocol = proto;
+                return;
+        }
+        rawp = skb->data;
+        if (*(unsigned short *) rawp == 0xFFFF)
+                /*
+                 * This is a magic hack to spot IPX packets. Older Novell
+                 * breaks the protocol design and runs IPX over 802.3 without
+                 * an 802.2 LLC layer. We look for FFFF which isn't a used
+                 * 802.2 SSAP/DSAP. This won't work for fault tolerant netware
+                 * but does for the rest.
+                 */
+                skb->protocol = htons(ETH_P_802_3);
+        else
+                /*
+                 * Real 802.2 LLC
+                 */
+                skb->protocol = htons(ETH_P_802_2);
+}
+struct sk_buff *vlan_untag(struct sk_buff *skb)
+{
+        struct vlan_hdr *vhdr;
+        u16 vlan_tci;
+        if (unlikely(vlan_tx_tag_present(skb))) {
+                /* vlan_tci is already set-up so leave this for another time */
+                return skb;
+        }
+        skb = skb_share_check(skb, GFP_ATOMIC);
+        if (unlikely(!skb))
+                goto err_free;
+        if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
+                goto err_free;
+        vhdr = (struct vlan_hdr *) skb->data;
+        vlan_tci = ntohs(vhdr->h_vlan_TCI);
+        __vlan_hwaccel_put_tag(skb, vlan_tci);
+        skb_pull_rcsum(skb, VLAN_HLEN);
+        vlan_set_encap_proto(skb, vhdr);
+        skb = vlan_reorder_header(skb);
+        if (unlikely(!skb))
+                goto err_free;
+        return skb;
+err_free:
+        kfree_skb(skb);
+        return NULL;
+}
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index b2ff6c8d3603..6e82148edfc8 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -65,179 +65,6 @@ static int vlan_dev_rebuild_header(struct sk_buff *skb)
        return 0;
 }
-static inline struct sk_buff *vlan_check_reorder_header(struct sk_buff *skb)
-{
-        if (vlan_dev_info(skb->dev)->flags & VLAN_FLAG_REORDER_HDR) {
-                if (skb_cow(skb, skb_headroom(skb)) < 0)
-                        skb = NULL;
-                if (skb) {
-                        /* Lifted from Gleb's VLAN code... */
-                        memmove(skb->data - ETH_HLEN,
-                                skb->data - VLAN_ETH_HLEN, 12);
-                        skb->mac_header += VLAN_HLEN;
-                }
-        }
-        return skb;
-}
-static inline void vlan_set_encap_proto(struct sk_buff *skb,
-                struct vlan_hdr *vhdr)
-{
-        __be16 proto;
-        unsigned char *rawp;
-        /*
-         * Was a VLAN packet, grab the encapsulated protocol, which the layer
-         * three protocols care about.
-         */
-        proto = vhdr->h_vlan_encapsulated_proto;
-        if (ntohs(proto) >= 1536) {
-                skb->protocol = proto;
-                return;
-        }
-        rawp = skb->data;
-        if (*(unsigned short *)rawp == 0xFFFF)
-                /*
-                 * This is a magic hack to spot IPX packets. Older Novell
-                 * breaks the protocol design and runs IPX over 802.3 without
-                 * an 802.2 LLC layer. We look for FFFF which isn't a used
-                 * 802.2 SSAP/DSAP. This won't work for fault tolerant netware
-                 * but does for the rest.
-                 */
-                skb->protocol = htons(ETH_P_802_3);
-        else
-                /*
-                 * Real 802.2 LLC
-                 */
-                skb->protocol = htons(ETH_P_802_2);
-}
-/*
- *      Determine the packet's protocol ID. The rule here is that we
- *      assume 802.3 if the type field is short enough to be a length.
- *      This is normal practice and works for any 'now in use' protocol.
- *
- *  Also, at this point we assume that we ARE dealing exclusively with
- *  VLAN packets, or packets that should be made into VLAN packets based
- *  on a default VLAN ID.
- *
- *  NOTE:  Should be similar to ethernet/eth.c.
- *
- *  SANITY NOTE:  This method is called when a packet is moving up the stack
- *                towards userland.  To get here, it would have already passed
- *                through the ethernet/eth.c eth_type_trans() method.
- *  SANITY NOTE 2: We are referencing to the VLAN_HDR frields, which MAY be
- *                 stored UNALIGNED in the memory.  RISC systems don't like
- *                 such cases very much...
- *  SANITY NOTE 2a: According to Dave Miller & Alexey, it will always be
- *                  aligned, so there doesn't need to be any of the unaligned
- *                  stuff.  It has been commented out now...  --Ben
- *
- */
-int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
-                  struct packet_type *ptype, struct net_device *orig_dev)
-{
-        struct vlan_hdr *vhdr;
-        struct vlan_pcpu_stats *rx_stats;
-        struct net_device *vlan_dev;
-        u16 vlan_id;
-        u16 vlan_tci;
-        skb = skb_share_check(skb, GFP_ATOMIC);
-        if (skb == NULL)
-                goto err_free;
-        if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
-                goto err_free;
-        vhdr = (struct vlan_hdr *)skb->data;
-        vlan_tci = ntohs(vhdr->h_vlan_TCI);
-        vlan_id = vlan_tci & VLAN_VID_MASK;
-        rcu_read_lock();
-        vlan_dev = vlan_find_dev(dev, vlan_id);
-        /* If the VLAN device is defined, we use it.
-         * If not, and the VID is 0, it is a 802.1p packet (not
-         * really a VLAN), so we will just netif_rx it later to the
-         * original interface, but with the skb->proto set to the
-         * wrapped proto: we do nothing here.
-         */
-        if (!vlan_dev) {
-                if (vlan_id) {
-                        pr_debug("%s: ERROR: No net_device for VID: %u on dev: %s\n",
-                                 __func__, vlan_id, dev->name);
-                        goto err_unlock;
-                }
-                rx_stats = NULL;
-        } else {
-                skb->dev = vlan_dev;
-                rx_stats = this_cpu_ptr(vlan_dev_info(skb->dev)->vlan_pcpu_stats);
-                u64_stats_update_begin(&rx_stats->syncp);
-                rx_stats->rx_packets++;
-                rx_stats->rx_bytes += skb->len;
-                skb->priority = vlan_get_ingress_priority(skb->dev, vlan_tci);
-                pr_debug("%s: priority: %u for TCI: %hu\n",
-                         __func__, skb->priority, vlan_tci);
-                switch (skb->pkt_type) {
-                case PACKET_BROADCAST:
-                        /* Yeah, stats collect these together.. */
-                        /* stats->broadcast ++; // no such counter :-( */
-                        break;
-                case PACKET_MULTICAST:
-                        rx_stats->rx_multicast++;
-                        break;
-                case PACKET_OTHERHOST:
-                        /* Our lower layer thinks this is not local, let's make
-                         * sure.
-                         * This allows the VLAN to have a different MAC than the
-                         * underlying device, and still route correctly.
-                         */
-                        if (!compare_ether_addr(eth_hdr(skb)->h_dest,
-                                                skb->dev->dev_addr))
-                                skb->pkt_type = PACKET_HOST;
-                        break;
-                default:
-                        break;
-                }
-                u64_stats_update_end(&rx_stats->syncp);
-        }
-        skb_pull_rcsum(skb, VLAN_HLEN);
-        vlan_set_encap_proto(skb, vhdr);
-        if (vlan_dev) {
-                skb = vlan_check_reorder_header(skb);
-                if (!skb) {
-                        rx_stats->rx_errors++;
-                        goto err_unlock;
-                }
-        }
-        netif_rx(skb);
-        rcu_read_unlock();
-        return NET_RX_SUCCESS;
-err_unlock:
-        rcu_read_unlock();
-err_free:
-        atomic_long_inc(&dev->rx_dropped);
-        kfree_skb(skb);
-        return NET_RX_DROP;
-}
 static inline u16
 vlan_dev_get_egress_qos_mask(struct net_device *dev, struct sk_buff *skb)
 {
@@ -338,7 +165,7 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
                u64_stats_update_begin(&stats->syncp);
                stats->tx_packets++;
                stats->tx_bytes += len;
-                u64_stats_update_begin(&stats->syncp);
+                u64_stats_update_end(&stats->syncp);
        } else {
                this_cpu_inc(vlan_dev_info(dev)->vlan_pcpu_stats->tx_dropped);
        }
@@ -701,8 +528,12 @@ static int vlan_dev_init(struct net_device *dev)
                                          (1<<__LINK_STATE_DORMANT))) |
                      (1<<__LINK_STATE_PRESENT);
-        dev->features |= real_dev->features & real_dev->vlan_features;
+        dev->hw_features = NETIF_F_ALL_CSUM | NETIF_F_SG |
-        dev->features |= NETIF_F_LLTX;
+                           NETIF_F_FRAGLIST | NETIF_F_ALL_TSO |
+                           NETIF_F_HIGHDMA | NETIF_F_SCTP_CSUM |
+                           NETIF_F_ALL_FCOE;
+        dev->features |= real_dev->vlan_features | NETIF_F_LLTX;
        dev->gso_max_size = real_dev->gso_max_size;
        /* ipv6 shared card related stuff */
@@ -756,6 +587,24 @@ static void vlan_dev_uninit(struct net_device *dev)
        }
 }
+static u32 vlan_dev_fix_features(struct net_device *dev, u32 features)
+{
+        struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
+        u32 old_features = features;
+        features &= real_dev->features;
+        features &= real_dev->vlan_features;
+        if (old_features & NETIF_F_SOFT_FEATURES)
+                features |= old_features & NETIF_F_SOFT_FEATURES;
+        if (dev_ethtool_get_rx_csum(real_dev))
+                features |= NETIF_F_RXCSUM;
+        features |= NETIF_F_LLTX;
+        return features;
+}
 static int vlan_ethtool_get_settings(struct net_device *dev,
                                     struct ethtool_cmd *cmd)
 {
@@ -771,18 +620,6 @@ static void vlan_ethtool_get_drvinfo(struct net_device *dev,
        strcpy(info->fw_version, "N/A");
 }
-static u32 vlan_ethtool_get_rx_csum(struct net_device *dev)
-{
-        const struct vlan_dev_info *vlan = vlan_dev_info(dev);
-        return dev_ethtool_get_rx_csum(vlan->real_dev);
-}
-static u32 vlan_ethtool_get_flags(struct net_device *dev)
-{
-        const struct vlan_dev_info *vlan = vlan_dev_info(dev);
-        return dev_ethtool_get_flags(vlan->real_dev);
-}
 static struct rtnl_link_stats64 *vlan_dev_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats)
 {
@@ -820,32 +657,10 @@ static struct rtnl_link_stats64 *vlan_dev_get_stats64(struct net_device *dev, st
        return stats;
 }
-static int vlan_ethtool_set_tso(struct net_device *dev, u32 data)
-{
-       if (data) {
-                struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
-                /* Underlying device must support TSO for VLAN-tagged packets
-                 * and must have TSO enabled now.
-                 */
-                if (!(real_dev->vlan_features & NETIF_F_TSO))
-                        return -EOPNOTSUPP;
-                if (!(real_dev->features & NETIF_F_TSO))
-                        return -EINVAL;
-                dev->features |= NETIF_F_TSO;
-        } else {
-                dev->features &= ~NETIF_F_TSO;
-        }
-        return 0;
-}
 static const struct ethtool_ops vlan_ethtool_ops = {
        .get_settings           = vlan_ethtool_get_settings,
        .get_drvinfo            = vlan_ethtool_get_drvinfo,
        .get_link               = ethtool_op_get_link,
-        .get_rx_csum            = vlan_ethtool_get_rx_csum,
-        .get_flags              = vlan_ethtool_get_flags,
-        .set_tso                = vlan_ethtool_set_tso,
 };
 static const struct net_device_ops vlan_netdev_ops = {
@@ -871,6 +686,7 @@ static const struct net_device_ops vlan_netdev_ops = {
        .ndo_fcoe_get_wwn       = vlan_dev_fcoe_get_wwn,
        .ndo_fcoe_ddp_target    = vlan_dev_fcoe_ddp_target,
 #endif
+        .ndo_fix_features       = vlan_dev_fix_features,
 };
 void vlan_setup(struct net_device *dev)
diff --git a/net/9p/Kconfig b/net/9p/Kconfig
index 7ed75c7bd5d1..d9ea09b11cf8 100644
--- a/net/9p/Kconfig
+++ b/net/9p/Kconfig
@@ -3,8 +3,8 @@
 #
 menuconfig NET_9P
-        depends on NET && EXPERIMENTAL
+        depends on NET
-        tristate "Plan 9 Resource Sharing Support (9P2000) (Experimental)"
+        tristate "Plan 9 Resource Sharing Support (9P2000)"
        help
          If you say Y here, you will get experimental support for
          Plan 9 resource sharing via the 9P2000 protocol.
@@ -16,8 +16,8 @@ menuconfig NET_9P
 if NET_9P
 config NET_9P_VIRTIO
-        depends on EXPERIMENTAL && VIRTIO
+        depends on VIRTIO
-        tristate "9P Virtio Transport (Experimental)"
+        tristate "9P Virtio Transport"
        help
          This builds support for a transports between
          guest partitions and a host partition.
diff --git a/net/9p/client.c b/net/9p/client.c
index a9aa2dd66482..9e3b0e640da1 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -92,9 +92,6 @@ static int get_protocol_version(const substring_t *name)
        return version;
 }
-static struct p9_req_t *
-p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...);
 /**
 * parse_options - parse mount options into client structure
 * @opts: options string passed from mount
@@ -307,12 +304,13 @@ static int p9_tag_init(struct p9_client *c)
        c->tagpool = p9_idpool_create();
        if (IS_ERR(c->tagpool)) {
                err = PTR_ERR(c->tagpool);
-                c->tagpool = NULL;
                goto error;
        }
+        err = p9_idpool_get(c->tagpool); /* reserve tag 0 */
-        p9_idpool_get(c->tagpool); /* reserve tag 0 */
+        if (err < 0) {
+                p9_idpool_destroy(c->tagpool);
+                goto error;
+        }
        c->max_tag = 0;
 error:
        return err;
@@ -518,12 +516,15 @@ out_err:
        return err;
 }
+static struct p9_req_t *
+p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...);
 /**
 * p9_client_flush - flush (cancel) a request
 * @c: client state
 * @oldreq: request to cancel
 *
- * This sents a flush for a particular requests and links
+ * This sents a flush for a particular request and links
 * the flush request to the original request.  The current
 * code only supports a single flush request although the protocol
 * allows for multiple flush requests to be sent for a single request.
@@ -789,11 +790,13 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
        spin_lock_init(&clnt->lock);
        INIT_LIST_HEAD(&clnt->fidlist);
-        p9_tag_init(clnt);
+        err = p9_tag_init(clnt);
+        if (err < 0)
+                goto free_client;
        err = parse_opts(options, clnt);
        if (err < 0)
-                goto free_client;
+                goto destroy_tagpool;
        if (!clnt->trans_mod)
                clnt->trans_mod = v9fs_get_default_trans();
@@ -802,13 +805,12 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
                err = -EPROTONOSUPPORT;
                P9_DPRINTK(P9_DEBUG_ERROR,
                                "No transport defined or default transport\n");
-                goto free_client;
+                goto destroy_tagpool;
        }
        clnt->fidpool = p9_idpool_create();
        if (IS_ERR(clnt->fidpool)) {
                err = PTR_ERR(clnt->fidpool);
-                clnt->fidpool = NULL;
                goto put_trans;
        }
@@ -834,6 +836,8 @@ destroy_fidpool:
        p9_idpool_destroy(clnt->fidpool);
 put_trans:
        v9fs_put_trans(clnt->trans_mod);
+destroy_tagpool:
+        p9_idpool_destroy(clnt->tagpool);
 free_client:
        kfree(clnt);
        return ERR_PTR(err);
@@ -1281,7 +1285,7 @@ int
 p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
                                                                u32 count)
 {
-        int err, rsize, total;
+        int err, rsize;
        struct p9_client *clnt;
        struct p9_req_t *req;
        char *dataptr;
@@ -1290,7 +1294,6 @@ p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
                                        (long long unsigned) offset, count);
        err = 0;
        clnt = fid->clnt;
-        total = 0;
        rsize = fid->iounit;
        if (!rsize || rsize > clnt->msize-P9_IOHDRSZ)
@@ -1299,7 +1302,7 @@ p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
        if (count < rsize)
                rsize = count;
-        /* Don't bother zerocopy form small IO (< 1024) */
+        /* Don't bother zerocopy for small IO (< 1024) */
        if (((clnt->trans_mod->pref & P9_TRANS_PREF_PAYLOAD_MASK) ==
                        P9_TRANS_PREF_PAYLOAD_SEP) && (rsize > 1024)) {
                req = p9_client_rpc(clnt, P9_TREAD, "dqE", fid->fid, offset,
@@ -1346,7 +1349,7 @@ int
 p9_client_write(struct p9_fid *fid, char *data, const char __user *udata,
                                                        u64 offset, u32 count)
 {
-        int err, rsize, total;
+        int err, rsize;
        struct p9_client *clnt;
        struct p9_req_t *req;
@@ -1354,7 +1357,6 @@ p9_client_write(struct p9_fid *fid, char *data, const char __user *udata,
                                fid->fid, (long long unsigned) offset, count);
        err = 0;
        clnt = fid->clnt;
-        total = 0;
        rsize = fid->iounit;
        if (!rsize || rsize > clnt->msize-P9_IOHDRSZ)
@@ -1745,7 +1747,7 @@ EXPORT_SYMBOL_GPL(p9_client_xattrcreate);
 int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
 {
-        int err, rsize, total;
+        int err, rsize;
        struct p9_client *clnt;
        struct p9_req_t *req;
        char *dataptr;
@@ -1755,7 +1757,6 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
        err = 0;
        clnt = fid->clnt;
-        total = 0;
        rsize = fid->iounit;
        if (!rsize || rsize > clnt->msize-P9_READDIRHDRSZ)
diff --git a/net/9p/mod.c b/net/9p/mod.c
index cf8a4128cd5c..72c398275051 100644
--- a/net/9p/mod.c
+++ b/net/9p/mod.c
@@ -139,7 +139,7 @@ void v9fs_put_trans(struct p9_trans_module *m)
 }
 /**
- * v9fs_init - Initialize module
+ * init_p9 - Initialize module
 *
 */
 static int __init init_p9(void)
@@ -154,7 +154,7 @@ static int __init init_p9(void)
 }
 /**
- * v9fs_init - shutdown module
+ * exit_p9 - shutdown module
 *
 */
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index aa5672b15eae..fdfdb5747f63 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -716,7 +716,6 @@ static int parse_opts(char *params, struct p9_fd_opts *opts)
        substring_t args[MAX_OPT_ARGS];
        int option;
        char *options, *tmp_options;
-        int ret;
        opts->port = P9_PORT;
        opts->rfd = ~0;
@@ -744,7 +743,6 @@ static int parse_opts(char *params, struct p9_fd_opts *opts)
                        if (r < 0) {
                                P9_DPRINTK(P9_DEBUG_ERROR,
                                "integer field, but no integer?\n");
-                                ret = r;
                                continue;
                        }
                }
@@ -918,8 +916,8 @@ p9_fd_create_tcp(struct p9_client *client, const char *addr, char *args)
        sin_server.sin_family = AF_INET;
        sin_server.sin_addr.s_addr = in_aton(addr);
        sin_server.sin_port = htons(opts.port);
-        err = sock_create_kern(PF_INET, SOCK_STREAM, IPPROTO_TCP, &csocket);
+        err = __sock_create(read_pnet(&current->nsproxy->net_ns), PF_INET,
+                            SOCK_STREAM, IPPROTO_TCP, &csocket, 1);
        if (err) {
                P9_EPRINTK(KERN_ERR, "p9_trans_tcp: problem creating socket\n");
                return err;
@@ -956,7 +954,8 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
        sun_server.sun_family = PF_UNIX;
        strcpy(sun_server.sun_path, addr);
-        err = sock_create_kern(PF_UNIX, SOCK_STREAM, 0, &csocket);
+        err = __sock_create(read_pnet(&current->nsproxy->net_ns), PF_UNIX,
+                            SOCK_STREAM, 0, &csocket, 1);
        if (err < 0) {
                P9_EPRINTK(KERN_ERR, "p9_trans_unix: problem creating socket\n");
                return err;
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index 150e0c4bbf40..159c50f1c6bf 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -167,7 +167,6 @@ static int parse_opts(char *params, struct p9_rdma_opts *opts)
        substring_t args[MAX_OPT_ARGS];
        int option;
        char *options, *tmp_options;
-        int ret;
        opts->port = P9_PORT;
        opts->sq_depth = P9_RDMA_SQ_DEPTH;
@@ -195,7 +194,6 @@ static int parse_opts(char *params, struct p9_rdma_opts *opts)
                if (r < 0) {
                        P9_DPRINTK(P9_DEBUG_ERROR,
                                   "integer field, but no integer?\n");
-                        ret = r;
                        continue;
                }
                switch (token) {
@@ -591,7 +589,8 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args)
                return -ENOMEM;
        /* Create the RDMA CM ID */
-        rdma->cm_id = rdma_create_id(p9_cm_event_handler, client, RDMA_PS_TCP);
+        rdma->cm_id = rdma_create_id(p9_cm_event_handler, client, RDMA_PS_TCP,
+                                     IB_QPT_RC);
        if (IS_ERR(rdma->cm_id))
                goto error;
diff --git a/net/9p/util.c b/net/9p/util.c
index da6af81e59d9..9c1c9348ac35 100644
--- a/net/9p/util.c
+++ b/net/9p/util.c
@@ -93,7 +93,7 @@ int p9_idpool_get(struct p9_idpool *p)
 retry:
        if (idr_pre_get(&p->pool, GFP_NOFS) == 0)
-                return 0;
+                return -1;
        spin_lock_irqsave(&p->lock, flags);
diff --git a/net/Kconfig b/net/Kconfig
index 79cabf1ee68b..878151c772c9 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -232,6 +232,20 @@ config XPS
        depends on SMP && SYSFS && USE_GENERIC_SMP_HELPERS
        default y
+config HAVE_BPF_JIT
+        bool
+config BPF_JIT
+        bool "enable BPF Just In Time compiler"
+        depends on HAVE_BPF_JIT
+        depends on MODULES
+        ---help---
+          Berkeley Packet Filter filtering capabilities are normally handled
+          by an interpreter. This option allows kernel to generate a native
+          code when filter is loaded in memory. This should speedup
+          packet sniffing (libpcap/tcpdump). Note : Admin should enable
+          this feature changing /proc/sys/net/core/bpf_jit_enable
 menu "Network testing"
 config NET_PKTGEN
diff --git a/net/atm/atm_sysfs.c b/net/atm/atm_sysfs.c
index f7fa67c78766..f49da5814bc3 100644
--- a/net/atm/atm_sysfs.c
+++ b/net/atm/atm_sysfs.c
@@ -59,6 +59,14 @@ static ssize_t show_atmaddress(struct device *cdev,
        return pos - buf;
 }
+static ssize_t show_atmindex(struct device *cdev,
+                             struct device_attribute *attr, char *buf)
+{
+        struct atm_dev *adev = to_atm_dev(cdev);
+        return sprintf(buf, "%d\n", adev->number);
+}
 static ssize_t show_carrier(struct device *cdev,
                            struct device_attribute *attr, char *buf)
 {
@@ -99,6 +107,7 @@ static ssize_t show_link_rate(struct device *cdev,
 static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
 static DEVICE_ATTR(atmaddress, S_IRUGO, show_atmaddress, NULL);
+static DEVICE_ATTR(atmindex, S_IRUGO, show_atmindex, NULL);
 static DEVICE_ATTR(carrier, S_IRUGO, show_carrier, NULL);
 static DEVICE_ATTR(type, S_IRUGO, show_type, NULL);
 static DEVICE_ATTR(link_rate, S_IRUGO, show_link_rate, NULL);
@@ -106,6 +115,7 @@ static DEVICE_ATTR(link_rate, S_IRUGO, show_link_rate, NULL);
 static struct device_attribute *atm_attrs[] = {
        &dev_attr_atmaddress,
        &dev_attr_address,
+        &dev_attr_atmindex,
        &dev_attr_carrier,
        &dev_attr_type,
        &dev_attr_link_rate,
diff --git a/net/atm/lec.c b/net/atm/lec.c
index 38754fdb88ba..ba48daa68c1f 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -129,7 +129,6 @@ static struct net_device *dev_lec[MAX_LEC_ITF];
 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
 static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev)
 {
-        struct ethhdr *eth;
        char *buff;
        struct lec_priv *priv;
@@ -138,7 +137,6 @@ static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev)
         * LE_TOPOLOGY_REQUEST with the same value of Topology Change bit
         * as the Config BPDU has
         */
-        eth = (struct ethhdr *)skb->data;
        buff = skb->data + skb->dev->hard_header_len;
        if (*buff++ == 0x42 && *buff++ == 0x42 && *buff++ == 0x03) {
                struct sock *sk;
@@ -1173,14 +1171,13 @@ static int __init lane_module_init(void)
 #endif
        register_atm_ioctl(&lane_ioctl_ops);
-        pr_info("lec.c: " __DATE__ " " __TIME__ " initialized\n");
+        pr_info("lec.c: initialized\n");
        return 0;
 }
 static void __exit lane_module_cleanup(void)
 {
        int i;
-        struct lec_priv *priv;
        remove_proc_entry("lec", atm_proc_root);
@@ -1188,7 +1185,6 @@ static void __exit lane_module_cleanup(void)
        for (i = 0; i < MAX_LEC_ITF; i++) {
                if (dev_lec[i] != NULL) {
-                        priv = netdev_priv(dev_lec[i]);
                        unregister_netdev(dev_lec[i]);
                        free_netdev(dev_lec[i]);
                        dev_lec[i] = NULL;
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 644cdf071642..3ccca42e6f90 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -1482,7 +1482,7 @@ static __init int atm_mpoa_init(void)
        if (mpc_proc_init() != 0)
                pr_info("failed to initialize /proc/mpoa\n");
-        pr_info("mpc.c: " __DATE__ " " __TIME__ " initialized\n");
+        pr_info("mpc.c: initialized\n");
        return 0;
 }
diff --git a/net/atm/proc.c b/net/atm/proc.c
index f85da0779e5e..be3afdefec58 100644
--- a/net/atm/proc.c
+++ b/net/atm/proc.c
@@ -191,7 +191,7 @@ static void vcc_info(struct seq_file *seq, struct atm_vcc *vcc)
 {
        struct sock *sk = sk_atm(vcc);
-        seq_printf(seq, "%p ", vcc);
+        seq_printf(seq, "%pK ", vcc);
        if (!vcc->dev)
                seq_printf(seq, "Unassigned    ");
        else
@@ -218,7 +218,7 @@ static void svc_info(struct seq_file *seq, struct atm_vcc *vcc)
 {
        if (!vcc->dev)
                seq_printf(seq, sizeof(void *) == 4 ?
-                           "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
+                           "N/A@%pK%10s" : "N/A@%pK%2s", vcc, "");
        else
                seq_printf(seq, "%3d %3d %5d         ",
                           vcc->dev->number, vcc->vpi, vcc->vci);
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 6da5daeebab7..e7c69f4619ec 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1538,8 +1538,6 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        }
        /* Build a packet */
-        SOCK_DEBUG(sk, "AX.25: sendto: Addresses built. Building packet.\n");
        /* Assume the worst case */
        size = len + ax25->ax25_dev->dev->hard_header_len;
@@ -1549,8 +1547,6 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        skb_reserve(skb, size - len);
-        SOCK_DEBUG(sk, "AX.25: Appending user data\n");
        /* User data follows immediately after the AX.25 data */
        if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
                err = -EFAULT;
@@ -1564,8 +1560,6 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        if (!ax25->pidincl)
                *skb_push(skb, 1) = sk->sk_protocol;
-        SOCK_DEBUG(sk, "AX.25: Transmitting buffer\n");
        if (sk->sk_type == SOCK_SEQPACKET) {
                /* Connected mode sockets go via the LAPB machine */
                if (sk->sk_state != TCP_ESTABLISHED) {
@@ -1583,22 +1577,14 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        skb_push(skb, 1 + ax25_addr_size(dp));
-        SOCK_DEBUG(sk, "Building AX.25 Header (dp=%p).\n", dp);
+        /* Building AX.25 Header */
-        if (dp != NULL)
-                SOCK_DEBUG(sk, "Num digipeaters=%d\n", dp->ndigi);
        /* Build an AX.25 header */
        lv = ax25_addr_build(skb->data, &ax25->source_addr, &sax.sax25_call,
                             dp, AX25_COMMAND, AX25_MODULUS);
-        SOCK_DEBUG(sk, "Built header (%d bytes)\n",lv);
        skb_set_transport_header(skb, lv);
-        SOCK_DEBUG(sk, "base=%p pos=%p\n",
-                   skb->data, skb_transport_header(skb));
        *skb_transport_header(skb) = AX25_UI;
        /* Datagram frames go straight out of the door as UI */
diff --git a/net/ax25/ax25_iface.c b/net/ax25/ax25_iface.c
index 5a0dda8df492..60b545e2822a 100644
--- a/net/ax25/ax25_iface.c
+++ b/net/ax25/ax25_iface.c
@@ -58,7 +58,7 @@ EXPORT_SYMBOL_GPL(ax25_register_pid);
 void ax25_protocol_release(unsigned int pid)
 {
-        struct ax25_protocol *s, *protocol;
+        struct ax25_protocol *protocol;
        write_lock_bh(&protocol_list_lock);
        protocol = protocol_list;
@@ -72,7 +72,6 @@ void ax25_protocol_release(unsigned int pid)
        while (protocol != NULL && protocol->next != NULL) {
                if (protocol->next->pid == pid) {
-                        s = protocol->next;
                        protocol->next = protocol->next->next;
                        goto out;
                }
diff --git a/net/batman-adv/aggregation.c b/net/batman-adv/aggregation.c
index af45d6b2031f..a8c32030527c 100644
--- a/net/batman-adv/aggregation.c
+++ b/net/batman-adv/aggregation.c
@@ -23,11 +23,12 @@
 #include "aggregation.h"
 #include "send.h"
 #include "routing.h"
+#include "hard-interface.h"
-/* calculate the size of the hna information for a given packet */
+/* calculate the size of the tt information for a given packet */
-static int hna_len(struct batman_packet *batman_packet)
+static int tt_len(struct batman_packet *batman_packet)
 {
-        return batman_packet->num_hna * ETH_ALEN;
+        return batman_packet->num_tt * ETH_ALEN;
 }
 /* return true if new_packet can be aggregated with forw_packet */
@@ -95,7 +96,6 @@ static bool can_aggregate_with(struct batman_packet *new_batman_packet,
        return false;
 }
-#define atomic_dec_not_zero(v)          atomic_add_unless((v), -1, 0)
 /* create a new aggregated packet and add this packet to it */
 static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
                                  unsigned long send_time, bool direct_link,
@@ -106,12 +106,15 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
        struct forw_packet *forw_packet_aggr;
        unsigned char *skb_buff;
+        if (!atomic_inc_not_zero(&if_incoming->refcount))
+                return;
        /* own packet should always be scheduled */
        if (!own_packet) {
                if (!atomic_dec_not_zero(&bat_priv->batman_queue_left)) {
                        bat_dbg(DBG_BATMAN, bat_priv,
                                "batman packet queue full\n");
-                        return;
+                        goto out;
                }
        }
@@ -119,7 +122,7 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
        if (!forw_packet_aggr) {
                if (!own_packet)
                        atomic_inc(&bat_priv->batman_queue_left);
-                return;
+                goto out;
        }
        if ((atomic_read(&bat_priv->aggregated_ogms)) &&
@@ -134,7 +137,7 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
                if (!own_packet)
                        atomic_inc(&bat_priv->batman_queue_left);
                kfree(forw_packet_aggr);
-                return;
+                goto out;
        }
        skb_reserve(forw_packet_aggr->skb, sizeof(struct ethhdr));
@@ -165,6 +168,10 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
        queue_delayed_work(bat_event_workqueue,
                           &forw_packet_aggr->delayed_work,
                           send_time - jiffies);
+        return;
+out:
+        hardif_free_ref(if_incoming);
 }
 /* aggregate a new packet into the existing aggregation */
@@ -251,7 +258,7 @@ void receive_aggr_bat_packet(struct ethhdr *ethhdr, unsigned char *packet_buff,
 {
        struct batman_packet *batman_packet;
        int buff_pos = 0;
-        unsigned char *hna_buff;
+        unsigned char *tt_buff;
        batman_packet = (struct batman_packet *)packet_buff;
@@ -260,14 +267,14 @@ void receive_aggr_bat_packet(struct ethhdr *ethhdr, unsigned char *packet_buff,
                   orig_interval. */
                batman_packet->seqno = ntohl(batman_packet->seqno);
-                hna_buff = packet_buff + buff_pos + BAT_PACKET_LEN;
+                tt_buff = packet_buff + buff_pos + BAT_PACKET_LEN;
                receive_bat_packet(ethhdr, batman_packet,
-                                   hna_buff, hna_len(batman_packet),
+                                   tt_buff, tt_len(batman_packet),
                                   if_incoming);
-                buff_pos += BAT_PACKET_LEN + hna_len(batman_packet);
+                buff_pos += BAT_PACKET_LEN + tt_len(batman_packet);
                batman_packet = (struct batman_packet *)
                        (packet_buff + buff_pos);
        } while (aggregated_packet(buff_pos, packet_len,
-                                   batman_packet->num_hna));
+                                   batman_packet->num_tt));
 }
diff --git a/net/batman-adv/aggregation.h b/net/batman-adv/aggregation.h
index 062204289d1f..7e6d72fbf540 100644
--- a/net/batman-adv/aggregation.h
+++ b/net/batman-adv/aggregation.h
@@ -25,9 +25,9 @@
 #include "main.h"
 /* is there another aggregated packet here? */
-static inline int aggregated_packet(int buff_pos, int packet_len, int num_hna)
+static inline int aggregated_packet(int buff_pos, int packet_len, int num_tt)
 {
-        int next_buff_pos = buff_pos + BAT_PACKET_LEN + (num_hna * ETH_ALEN);
+        int next_buff_pos = buff_pos + BAT_PACKET_LEN + (num_tt * ETH_ALEN);
        return (next_buff_pos <= packet_len) &&
                (next_buff_pos <= MAX_AGGREGATION_BYTES);
diff --git a/net/batman-adv/bat_debugfs.c b/net/batman-adv/bat_debugfs.c
index 0e9d43509935..abaeec5f6247 100644
--- a/net/batman-adv/bat_debugfs.c
+++ b/net/batman-adv/bat_debugfs.c
@@ -241,13 +241,13 @@ static int softif_neigh_open(struct inode *inode, struct file *file)
 static int transtable_global_open(struct inode *inode, struct file *file)
 {
        struct net_device *net_dev = (struct net_device *)inode->i_private;
-        return single_open(file, hna_global_seq_print_text, net_dev);
+        return single_open(file, tt_global_seq_print_text, net_dev);
 }
 static int transtable_local_open(struct inode *inode, struct file *file)
 {
        struct net_device *net_dev = (struct net_device *)inode->i_private;
-        return single_open(file, hna_local_seq_print_text, net_dev);
+        return single_open(file, tt_local_seq_print_text, net_dev);
 }
 static int vis_data_open(struct inode *inode, struct file *file)
diff --git a/net/batman-adv/bat_sysfs.c b/net/batman-adv/bat_sysfs.c
index e449bf6353e0..497a0700cc3c 100644
--- a/net/batman-adv/bat_sysfs.c
+++ b/net/batman-adv/bat_sysfs.c
@@ -488,22 +488,24 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr,
            (strncmp(hard_iface->soft_iface->name, buff, IFNAMSIZ) == 0))
                goto out;
+        if (!rtnl_trylock()) {
+                ret = -ERESTARTSYS;
+                goto out;
+        }
        if (status_tmp == IF_NOT_IN_USE) {
-                rtnl_lock();
                hardif_disable_interface(hard_iface);
-                rtnl_unlock();
+                goto unlock;
-                goto out;
        }
        /* if the interface already is in use */
-        if (hard_iface->if_status != IF_NOT_IN_USE) {
+        if (hard_iface->if_status != IF_NOT_IN_USE)
-                rtnl_lock();
                hardif_disable_interface(hard_iface);
-                rtnl_unlock();
-        }
        ret = hardif_enable_interface(hard_iface, buff);
+unlock:
+        rtnl_unlock();
 out:
        hardif_free_ref(hard_iface);
        return ret;
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index 3cc43558cf9c..61605a0f3f39 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -23,80 +23,88 @@
 #include "gateway_client.h"
 #include "gateway_common.h"
 #include "hard-interface.h"
+#include "originator.h"
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/udp.h>
 #include <linux/if_vlan.h>
-static void gw_node_free_rcu(struct rcu_head *rcu)
-{
-        struct gw_node *gw_node;
-        gw_node = container_of(rcu, struct gw_node, rcu);
-        kfree(gw_node);
-}
 static void gw_node_free_ref(struct gw_node *gw_node)
 {
        if (atomic_dec_and_test(&gw_node->refcount))
-                call_rcu(&gw_node->rcu, gw_node_free_rcu);
+                kfree_rcu(gw_node, rcu);
 }
-void *gw_get_selected(struct bat_priv *bat_priv)
+static struct gw_node *gw_get_selected_gw_node(struct bat_priv *bat_priv)
 {
-        struct gw_node *curr_gateway_tmp;
+        struct gw_node *gw_node;
-        struct orig_node *orig_node = NULL;
        rcu_read_lock();
-        curr_gateway_tmp = rcu_dereference(bat_priv->curr_gw);
+        gw_node = rcu_dereference(bat_priv->curr_gw);
-        if (!curr_gateway_tmp)
+        if (!gw_node)
                goto out;
-        orig_node = curr_gateway_tmp->orig_node;
+        if (!atomic_inc_not_zero(&gw_node->refcount))
-        if (!orig_node)
+                gw_node = NULL;
-                goto out;
-        if (!atomic_inc_not_zero(&orig_node->refcount))
-                orig_node = NULL;
 out:
        rcu_read_unlock();
-        return orig_node;
+        return gw_node;
 }
-void gw_deselect(struct bat_priv *bat_priv)
+struct orig_node *gw_get_selected_orig(struct bat_priv *bat_priv)
 {
        struct gw_node *gw_node;
+        struct orig_node *orig_node = NULL;
-        spin_lock_bh(&bat_priv->gw_list_lock);
+        gw_node = gw_get_selected_gw_node(bat_priv);
-        gw_node = rcu_dereference(bat_priv->curr_gw);
+        if (!gw_node)
-        rcu_assign_pointer(bat_priv->curr_gw, NULL);
+                goto out;
-        spin_unlock_bh(&bat_priv->gw_list_lock);
+        rcu_read_lock();
+        orig_node = gw_node->orig_node;
+        if (!orig_node)
+                goto unlock;
+        if (!atomic_inc_not_zero(&orig_node->refcount))
+                orig_node = NULL;
+unlock:
+        rcu_read_unlock();
+out:
        if (gw_node)
                gw_node_free_ref(gw_node);
+        return orig_node;
 }
 static void gw_select(struct bat_priv *bat_priv, struct gw_node *new_gw_node)
 {
        struct gw_node *curr_gw_node;
+        spin_lock_bh(&bat_priv->gw_list_lock);
        if (new_gw_node && !atomic_inc_not_zero(&new_gw_node->refcount))
                new_gw_node = NULL;
-        spin_lock_bh(&bat_priv->gw_list_lock);
+        curr_gw_node = bat_priv->curr_gw;
-        curr_gw_node = rcu_dereference(bat_priv->curr_gw);
        rcu_assign_pointer(bat_priv->curr_gw, new_gw_node);
-        spin_unlock_bh(&bat_priv->gw_list_lock);
        if (curr_gw_node)
                gw_node_free_ref(curr_gw_node);
+        spin_unlock_bh(&bat_priv->gw_list_lock);
+}
+void gw_deselect(struct bat_priv *bat_priv)
+{
+        gw_select(bat_priv, NULL);
 }
 void gw_election(struct bat_priv *bat_priv)
 {
        struct hlist_node *node;
-        struct gw_node *gw_node, *curr_gw, *curr_gw_tmp = NULL;
+        struct gw_node *gw_node, *curr_gw = NULL, *curr_gw_tmp = NULL;
+        struct neigh_node *router;
        uint8_t max_tq = 0;
        uint32_t max_gw_factor = 0, tmp_gw_factor = 0;
        int down, up;
@@ -110,32 +118,25 @@ void gw_election(struct bat_priv *bat_priv)
        if (atomic_read(&bat_priv->gw_mode) != GW_MODE_CLIENT)
                return;
-        rcu_read_lock();
+        curr_gw = gw_get_selected_gw_node(bat_priv);
-        curr_gw = rcu_dereference(bat_priv->curr_gw);
+        if (curr_gw)
-        if (curr_gw) {
+                goto out;
-                rcu_read_unlock();
-                return;
-        }
+        rcu_read_lock();
        if (hlist_empty(&bat_priv->gw_list)) {
+                bat_dbg(DBG_BATMAN, bat_priv,
-                if (curr_gw) {
+                        "Removing selected gateway - "
-                        rcu_read_unlock();
+                        "no gateway in range\n");
-                        bat_dbg(DBG_BATMAN, bat_priv,
+                gw_deselect(bat_priv);
-                                "Removing selected gateway - "
+                goto unlock;
-                                "no gateway in range\n");
-                        gw_deselect(bat_priv);
-                } else
-                        rcu_read_unlock();
-                return;
        }
        hlist_for_each_entry_rcu(gw_node, node, &bat_priv->gw_list, list) {
-                if (!gw_node->orig_node->router)
+                if (gw_node->deleted)
                        continue;
-                if (gw_node->deleted)
+                router = orig_node_get_router(gw_node->orig_node);
+                if (!router)
                        continue;
                switch (atomic_read(&bat_priv->gw_sel_class)) {
@@ -143,15 +144,14 @@ void gw_election(struct bat_priv *bat_priv)
                        gw_bandwidth_to_kbit(gw_node->orig_node->gw_flags,
                                             &down, &up);
-                        tmp_gw_factor = (gw_node->orig_node->router->tq_avg *
+                        tmp_gw_factor = (router->tq_avg * router->tq_avg *
-                                         gw_node->orig_node->router->tq_avg *
                                         down * 100 * 100) /
                                         (TQ_LOCAL_WINDOW_SIZE *
                                         TQ_LOCAL_WINDOW_SIZE * 64);
                        if ((tmp_gw_factor > max_gw_factor) ||
                            ((tmp_gw_factor == max_gw_factor) &&
-                             (gw_node->orig_node->router->tq_avg > max_tq)))
+                             (router->tq_avg > max_tq)))
                                curr_gw_tmp = gw_node;
                        break;
@@ -163,19 +163,25 @@ void gw_election(struct bat_priv *bat_priv)
                          *     soon as a better gateway appears which has
                          *     $routing_class more tq points)
                          **/
-                        if (gw_node->orig_node->router->tq_avg > max_tq)
+                        if (router->tq_avg > max_tq)
                                curr_gw_tmp = gw_node;
                        break;
                }
-                if (gw_node->orig_node->router->tq_avg > max_tq)
+                if (router->tq_avg > max_tq)
-                        max_tq = gw_node->orig_node->router->tq_avg;
+                        max_tq = router->tq_avg;
                if (tmp_gw_factor > max_gw_factor)
                        max_gw_factor = tmp_gw_factor;
+                neigh_node_free_ref(router);
        }
        if (curr_gw != curr_gw_tmp) {
+                router = orig_node_get_router(curr_gw_tmp->orig_node);
+                if (!router)
+                        goto unlock;
                if ((curr_gw) && (!curr_gw_tmp))
                        bat_dbg(DBG_BATMAN, bat_priv,
                                "Removing selected gateway - "
@@ -186,48 +192,50 @@ void gw_election(struct bat_priv *bat_priv)
                                "(gw_flags: %i, tq: %i)\n",
                                curr_gw_tmp->orig_node->orig,
                                curr_gw_tmp->orig_node->gw_flags,
-                                curr_gw_tmp->orig_node->router->tq_avg);
+                                router->tq_avg);
                else
                        bat_dbg(DBG_BATMAN, bat_priv,
                                "Changing route to gateway %pM "
                                "(gw_flags: %i, tq: %i)\n",
                                curr_gw_tmp->orig_node->orig,
                                curr_gw_tmp->orig_node->gw_flags,
-                                curr_gw_tmp->orig_node->router->tq_avg);
+                                router->tq_avg);
+                neigh_node_free_ref(router);
                gw_select(bat_priv, curr_gw_tmp);
        }
+unlock:
        rcu_read_unlock();
+out:
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
 }
 void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node)
 {
-        struct gw_node *curr_gateway_tmp;
+        struct orig_node *curr_gw_orig;
+        struct neigh_node *router_gw = NULL, *router_orig = NULL;
        uint8_t gw_tq_avg, orig_tq_avg;
-        rcu_read_lock();
+        curr_gw_orig = gw_get_selected_orig(bat_priv);
-        curr_gateway_tmp = rcu_dereference(bat_priv->curr_gw);
+        if (!curr_gw_orig)
-        if (!curr_gateway_tmp)
+                goto deselect;
-                goto out_rcu;
-        if (!curr_gateway_tmp->orig_node)
-                goto deselect_rcu;
-        if (!curr_gateway_tmp->orig_node->router)
+        router_gw = orig_node_get_router(curr_gw_orig);
-                goto deselect_rcu;
+        if (!router_gw)
+                goto deselect;
        /* this node already is the gateway */
-        if (curr_gateway_tmp->orig_node == orig_node)
+        if (curr_gw_orig == orig_node)
-                goto out_rcu;
+                goto out;
-        if (!orig_node->router)
-                goto out_rcu;
-        gw_tq_avg = curr_gateway_tmp->orig_node->router->tq_avg;
+        router_orig = orig_node_get_router(orig_node);
-        rcu_read_unlock();
+        if (!router_orig)
+                goto out;
-        orig_tq_avg = orig_node->router->tq_avg;
+        gw_tq_avg = router_gw->tq_avg;
+        orig_tq_avg = router_orig->tq_avg;
        /* the TQ value has to be better */
        if (orig_tq_avg < gw_tq_avg)
@@ -245,16 +253,17 @@ void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node)
                "Restarting gateway selection: better gateway found (tq curr: "
                "%i, tq new: %i)\n",
                gw_tq_avg, orig_tq_avg);
-        goto deselect;
-out_rcu:
-        rcu_read_unlock();
-        goto out;
-deselect_rcu:
-        rcu_read_unlock();
 deselect:
        gw_deselect(bat_priv);
 out:
+        if (curr_gw_orig)
+                orig_node_free_ref(curr_gw_orig);
+        if (router_gw)
+                neigh_node_free_ref(router_gw);
+        if (router_orig)
+                neigh_node_free_ref(router_orig);
        return;
 }
@@ -291,7 +300,15 @@ void gw_node_update(struct bat_priv *bat_priv,
                    struct orig_node *orig_node, uint8_t new_gwflags)
 {
        struct hlist_node *node;
-        struct gw_node *gw_node;
+        struct gw_node *gw_node, *curr_gw;
+        /**
+         * Note: We don't need a NULL check here, since curr_gw never gets
+         * dereferenced. If curr_gw is NULL we also should not exit as we may
+         * have this gateway in our list (duplication check!) even though we
+         * have no currently selected gateway.
+         */
+        curr_gw = gw_get_selected_gw_node(bat_priv);
        rcu_read_lock();
        hlist_for_each_entry_rcu(gw_node, node, &bat_priv->gw_list, list) {
@@ -312,22 +329,26 @@ void gw_node_update(struct bat_priv *bat_priv,
                                "Gateway %pM removed from gateway list\n",
                                orig_node->orig);
-                        if (gw_node == rcu_dereference(bat_priv->curr_gw)) {
+                        if (gw_node == curr_gw)
-                                rcu_read_unlock();
+                                goto deselect;
-                                gw_deselect(bat_priv);
-                                return;
-                        }
                }
-                rcu_read_unlock();
+                goto unlock;
-                return;
        }
-        rcu_read_unlock();
        if (new_gwflags == 0)
-                return;
+                goto unlock;
        gw_node_add(bat_priv, orig_node, new_gwflags);
+        goto unlock;
+deselect:
+        gw_deselect(bat_priv);
+unlock:
+        rcu_read_unlock();
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
 }
 void gw_node_delete(struct bat_priv *bat_priv, struct orig_node *orig_node)
@@ -337,9 +358,12 @@ void gw_node_delete(struct bat_priv *bat_priv, struct orig_node *orig_node)
 void gw_node_purge(struct bat_priv *bat_priv)
 {
-        struct gw_node *gw_node;
+        struct gw_node *gw_node, *curr_gw;
        struct hlist_node *node, *node_tmp;
        unsigned long timeout = 2 * PURGE_TIMEOUT * HZ;
+        char do_deselect = 0;
+        curr_gw = gw_get_selected_gw_node(bat_priv);
        spin_lock_bh(&bat_priv->gw_list_lock);
@@ -350,41 +374,56 @@ void gw_node_purge(struct bat_priv *bat_priv)
                    atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE)
                        continue;
-                if (rcu_dereference(bat_priv->curr_gw) == gw_node)
+                if (curr_gw == gw_node)
-                        gw_deselect(bat_priv);
+                        do_deselect = 1;
                hlist_del_rcu(&gw_node->list);
                gw_node_free_ref(gw_node);
        }
        spin_unlock_bh(&bat_priv->gw_list_lock);
+        /* gw_deselect() needs to acquire the gw_list_lock */
+        if (do_deselect)
+                gw_deselect(bat_priv);
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
 }
+/**
+ * fails if orig_node has no router
+ */
 static int _write_buffer_text(struct bat_priv *bat_priv,
                              struct seq_file *seq, struct gw_node *gw_node)
 {
        struct gw_node *curr_gw;
-        int down, up, ret;
+        struct neigh_node *router;
+        int down, up, ret = -1;
        gw_bandwidth_to_kbit(gw_node->orig_node->gw_flags, &down, &up);
-        rcu_read_lock();
+        router = orig_node_get_router(gw_node->orig_node);
-        curr_gw = rcu_dereference(bat_priv->curr_gw);
+        if (!router)
+                goto out;
-        ret = seq_printf(seq, "%s %pM (%3i) %pM [%10s]: %3i - %i%s/%i%s\n",
+        curr_gw = gw_get_selected_gw_node(bat_priv);
-                       (curr_gw == gw_node ? "=>" : "  "),
-                       gw_node->orig_node->orig,
-                       gw_node->orig_node->router->tq_avg,
-                       gw_node->orig_node->router->addr,
-                       gw_node->orig_node->router->if_incoming->net_dev->name,
-                       gw_node->orig_node->gw_flags,
-                       (down > 2048 ? down / 1024 : down),
-                       (down > 2048 ? "MBit" : "KBit"),
-                       (up > 2048 ? up / 1024 : up),
-                       (up > 2048 ? "MBit" : "KBit"));
-        rcu_read_unlock();
+        ret = seq_printf(seq, "%s %pM (%3i) %pM [%10s]: %3i - %i%s/%i%s\n",
+                         (curr_gw == gw_node ? "=>" : "  "),
+                         gw_node->orig_node->orig,
+                         router->tq_avg, router->addr,
+                         router->if_incoming->net_dev->name,
+                         gw_node->orig_node->gw_flags,
+                         (down > 2048 ? down / 1024 : down),
+                         (down > 2048 ? "MBit" : "KBit"),
+                         (up > 2048 ? up / 1024 : up),
+                         (up > 2048 ? "MBit" : "KBit"));
+        neigh_node_free_ref(router);
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
+out:
        return ret;
 }
@@ -392,40 +431,42 @@ int gw_client_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
+        struct hard_iface *primary_if;
        struct gw_node *gw_node;
        struct hlist_node *node;
-        int gw_count = 0;
+        int gw_count = 0, ret = 0;
-        if (!bat_priv->primary_if) {
-                return seq_printf(seq, "BATMAN mesh %s disabled - please "
+        primary_if = primary_if_get_selected(bat_priv);
-                                  "specify interfaces to enable it\n",
+        if (!primary_if) {
-                                  net_dev->name);
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - please "
+                                 "specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
        }
-        if (bat_priv->primary_if->if_status != IF_ACTIVE) {
+        if (primary_if->if_status != IF_ACTIVE) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 "primary interface not active\n",
-                                       "primary interface not active\n",
+                                 net_dev->name);
-                                       net_dev->name);
+                goto out;
        }
        seq_printf(seq, "      %-12s (%s/%i) %17s [%10s]: gw_class ... "
                   "[B.A.T.M.A.N. adv %s%s, MainIF/MAC: %s/%pM (%s)]\n",
                   "Gateway", "#", TQ_MAX_VALUE, "Nexthop",
                   "outgoingIF", SOURCE_VERSION, REVISION_VERSION_STR,
-                   bat_priv->primary_if->net_dev->name,
+                   primary_if->net_dev->name,
-                   bat_priv->primary_if->net_dev->dev_addr, net_dev->name);
+                   primary_if->net_dev->dev_addr, net_dev->name);
        rcu_read_lock();
        hlist_for_each_entry_rcu(gw_node, node, &bat_priv->gw_list, list) {
                if (gw_node->deleted)
                        continue;
-                if (!gw_node->orig_node->router)
+                /* fails if orig_node has no router */
+                if (_write_buffer_text(bat_priv, seq, gw_node) < 0)
                        continue;
-                _write_buffer_text(bat_priv, seq, gw_node);
                gw_count++;
        }
        rcu_read_unlock();
@@ -433,7 +474,10 @@ int gw_client_seq_print_text(struct seq_file *seq, void *offset)
        if (gw_count == 0)
                seq_printf(seq, "No gateways in range ...\n");
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 int gw_is_target(struct bat_priv *bat_priv, struct sk_buff *skb)
@@ -442,6 +486,7 @@ int gw_is_target(struct bat_priv *bat_priv, struct sk_buff *skb)
        struct iphdr *iphdr;
        struct ipv6hdr *ipv6hdr;
        struct udphdr *udphdr;
+        struct gw_node *curr_gw;
        unsigned int header_len = 0;
        if (atomic_read(&bat_priv->gw_mode) == GW_MODE_OFF)
@@ -506,12 +551,11 @@ int gw_is_target(struct bat_priv *bat_priv, struct sk_buff *skb)
        if (atomic_read(&bat_priv->gw_mode) == GW_MODE_SERVER)
                return -1;
-        rcu_read_lock();
+        curr_gw = gw_get_selected_gw_node(bat_priv);
-        if (!rcu_dereference(bat_priv->curr_gw)) {
+        if (!curr_gw)
-                rcu_read_unlock();
                return 0;
-        }
-        rcu_read_unlock();
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
        return 1;
 }
diff --git a/net/batman-adv/gateway_client.h b/net/batman-adv/gateway_client.h
index 2aa439124ee3..1ce8c6066da1 100644
--- a/net/batman-adv/gateway_client.h
+++ b/net/batman-adv/gateway_client.h
@@ -24,7 +24,7 @@
 void gw_deselect(struct bat_priv *bat_priv);
 void gw_election(struct bat_priv *bat_priv);
-void *gw_get_selected(struct bat_priv *bat_priv);
+struct orig_node *gw_get_selected_orig(struct bat_priv *bat_priv);
 void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node);
 void gw_node_update(struct bat_priv *bat_priv,
                    struct orig_node *orig_node, uint8_t new_gwflags);
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index b3058e46ee6b..dfbfccc9fe40 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -31,9 +31,6 @@
 #include <linux/if_arp.h>
-/* protect update critical side of hardif_list - but not the content */
-static DEFINE_SPINLOCK(hardif_list_lock);
 static int batman_skb_recv(struct sk_buff *skb,
                           struct net_device *dev,
@@ -110,47 +107,57 @@ out:
        return hard_iface;
 }
-static void update_primary_addr(struct bat_priv *bat_priv)
+static void primary_if_update_addr(struct bat_priv *bat_priv)
 {
        struct vis_packet *vis_packet;
+        struct hard_iface *primary_if;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
+                goto out;
        vis_packet = (struct vis_packet *)
                                bat_priv->my_vis_info->skb_packet->data;
-        memcpy(vis_packet->vis_orig,
+        memcpy(vis_packet->vis_orig, primary_if->net_dev->dev_addr, ETH_ALEN);
-               bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
        memcpy(vis_packet->sender_orig,
-               bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+               primary_if->net_dev->dev_addr, ETH_ALEN);
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
-static void set_primary_if(struct bat_priv *bat_priv,
+static void primary_if_select(struct bat_priv *bat_priv,
-                           struct hard_iface *hard_iface)
+                              struct hard_iface *new_hard_iface)
 {
+        struct hard_iface *curr_hard_iface;
        struct batman_packet *batman_packet;
-        struct hard_iface *old_if;
-        if (hard_iface && !atomic_inc_not_zero(&hard_iface->refcount))
+        ASSERT_RTNL();
-                hard_iface = NULL;
+        if (new_hard_iface && !atomic_inc_not_zero(&new_hard_iface->refcount))
+                new_hard_iface = NULL;
-        old_if = bat_priv->primary_if;
+        curr_hard_iface = bat_priv->primary_if;
-        bat_priv->primary_if = hard_iface;
+        rcu_assign_pointer(bat_priv->primary_if, new_hard_iface);
-        if (old_if)
+        if (curr_hard_iface)
-                hardif_free_ref(old_if);
+                hardif_free_ref(curr_hard_iface);
-        if (!bat_priv->primary_if)
+        if (!new_hard_iface)
                return;
-        batman_packet = (struct batman_packet *)(hard_iface->packet_buff);
+        batman_packet = (struct batman_packet *)(new_hard_iface->packet_buff);
        batman_packet->flags = PRIMARIES_FIRST_HOP;
        batman_packet->ttl = TTL;
-        update_primary_addr(bat_priv);
+        primary_if_update_addr(bat_priv);
        /***
-         * hacky trick to make sure that we send the HNA information via
+         * hacky trick to make sure that we send the TT information via
         * our new primary interface
         */
-        atomic_set(&bat_priv->hna_local_changed, 1);
+        atomic_set(&bat_priv->tt_local_changed, 1);
 }
 static bool hardif_is_iface_up(struct hard_iface *hard_iface)
@@ -236,9 +243,10 @@ void update_min_mtu(struct net_device *soft_iface)
 static void hardif_activate_interface(struct hard_iface *hard_iface)
 {
        struct bat_priv *bat_priv;
+        struct hard_iface *primary_if = NULL;
        if (hard_iface->if_status != IF_INACTIVE)
-                return;
+                goto out;
        bat_priv = netdev_priv(hard_iface->soft_iface);
@@ -249,14 +257,18 @@ static void hardif_activate_interface(struct hard_iface *hard_iface)
         * the first active interface becomes our primary interface or
         * the next active interface after the old primay interface was removed
         */
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                set_primary_if(bat_priv, hard_iface);
+        if (!primary_if)
+                primary_if_select(bat_priv, hard_iface);
        bat_info(hard_iface->soft_iface, "Interface activated: %s\n",
                 hard_iface->net_dev->name);
        update_min_mtu(hard_iface->soft_iface);
-        return;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
 static void hardif_deactivate_interface(struct hard_iface *hard_iface)
@@ -327,7 +339,7 @@ int hardif_enable_interface(struct hard_iface *hard_iface, char *iface_name)
        batman_packet->flags = 0;
        batman_packet->ttl = 2;
        batman_packet->tq = TQ_MAX_VALUE;
-        batman_packet->num_hna = 0;
+        batman_packet->num_tt = 0;
        hard_iface->if_num = bat_priv->num_ifaces;
        bat_priv->num_ifaces++;
@@ -386,12 +398,13 @@ err:
 void hardif_disable_interface(struct hard_iface *hard_iface)
 {
        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+        struct hard_iface *primary_if = NULL;
        if (hard_iface->if_status == IF_ACTIVE)
                hardif_deactivate_interface(hard_iface);
        if (hard_iface->if_status != IF_INACTIVE)
-                return;
+                goto out;
        bat_info(hard_iface->soft_iface, "Removing interface: %s\n",
                 hard_iface->net_dev->name);
@@ -400,11 +413,12 @@ void hardif_disable_interface(struct hard_iface *hard_iface)
        bat_priv->num_ifaces--;
        orig_hash_del_if(hard_iface, bat_priv->num_ifaces);
-        if (hard_iface == bat_priv->primary_if) {
+        primary_if = primary_if_get_selected(bat_priv);
+        if (hard_iface == primary_if) {
                struct hard_iface *new_if;
                new_if = hardif_get_active(hard_iface->soft_iface);
-                set_primary_if(bat_priv, new_if);
+                primary_if_select(bat_priv, new_if);
                if (new_if)
                        hardif_free_ref(new_if);
@@ -425,6 +439,10 @@ void hardif_disable_interface(struct hard_iface *hard_iface)
        hard_iface->soft_iface = NULL;
        hardif_free_ref(hard_iface);
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
 static struct hard_iface *hardif_add_interface(struct net_device *net_dev)
@@ -432,6 +450,8 @@ static struct hard_iface *hardif_add_interface(struct net_device *net_dev)
        struct hard_iface *hard_iface;
        int ret;
+        ASSERT_RTNL();
        ret = is_valid_iface(net_dev);
        if (ret != 1)
                goto out;
@@ -458,10 +478,7 @@ static struct hard_iface *hardif_add_interface(struct net_device *net_dev)
        atomic_set(&hard_iface->refcount, 2);
        check_known_mac_addr(hard_iface->net_dev);
-        spin_lock(&hardif_list_lock);
        list_add_tail_rcu(&hard_iface->list, &hardif_list);
-        spin_unlock(&hardif_list_lock);
        return hard_iface;
@@ -475,6 +492,8 @@ out:
 static void hardif_remove_interface(struct hard_iface *hard_iface)
 {
+        ASSERT_RTNL();
        /* first deactivate interface */
        if (hard_iface->if_status != IF_NOT_IN_USE)
                hardif_disable_interface(hard_iface);
@@ -490,20 +509,11 @@ static void hardif_remove_interface(struct hard_iface *hard_iface)
 void hardif_remove_interfaces(void)
 {
        struct hard_iface *hard_iface, *hard_iface_tmp;
-        struct list_head if_queue;
-        INIT_LIST_HEAD(&if_queue);
-        spin_lock(&hardif_list_lock);
+        rtnl_lock();
        list_for_each_entry_safe(hard_iface, hard_iface_tmp,
                                 &hardif_list, list) {
                list_del_rcu(&hard_iface->list);
-                list_add_tail(&hard_iface->list, &if_queue);
-        }
-        spin_unlock(&hardif_list_lock);
-        rtnl_lock();
-        list_for_each_entry_safe(hard_iface, hard_iface_tmp, &if_queue, list) {
                hardif_remove_interface(hard_iface);
        }
        rtnl_unlock();
@@ -514,6 +524,7 @@ static int hard_if_event(struct notifier_block *this,
 {
        struct net_device *net_dev = (struct net_device *)ptr;
        struct hard_iface *hard_iface = hardif_get_by_netdev(net_dev);
+        struct hard_iface *primary_if = NULL;
        struct bat_priv *bat_priv;
        if (!hard_iface && event == NETDEV_REGISTER)
@@ -531,9 +542,7 @@ static int hard_if_event(struct notifier_block *this,
                hardif_deactivate_interface(hard_iface);
                break;
        case NETDEV_UNREGISTER:
-                spin_lock(&hardif_list_lock);
                list_del_rcu(&hard_iface->list);
-                spin_unlock(&hardif_list_lock);
                hardif_remove_interface(hard_iface);
                break;
@@ -549,8 +558,12 @@ static int hard_if_event(struct notifier_block *this,
                update_mac_addresses(hard_iface);
                bat_priv = netdev_priv(hard_iface->soft_iface);
-                if (hard_iface == bat_priv->primary_if)
+                primary_if = primary_if_get_selected(bat_priv);
-                        update_primary_addr(bat_priv);
+                if (!primary_if)
+                        goto hardif_put;
+                if (hard_iface == primary_if)
+                        primary_if_update_addr(bat_priv);
                break;
        default:
                break;
@@ -559,6 +572,8 @@ static int hard_if_event(struct notifier_block *this,
 hardif_put:
        hardif_free_ref(hard_iface);
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return NOTIFY_DONE;
 }
diff --git a/net/batman-adv/hard-interface.h b/net/batman-adv/hard-interface.h
index a9ddf36e51c8..64265991460b 100644
--- a/net/batman-adv/hard-interface.h
+++ b/net/batman-adv/hard-interface.h
@@ -45,4 +45,22 @@ static inline void hardif_free_ref(struct hard_iface *hard_iface)
                call_rcu(&hard_iface->rcu, hardif_free_rcu);
 }
+static inline struct hard_iface *primary_if_get_selected(
+                                                struct bat_priv *bat_priv)
+{
+        struct hard_iface *hard_iface;
+        rcu_read_lock();
+        hard_iface = rcu_dereference(bat_priv->primary_if);
+        if (!hard_iface)
+                goto out;
+        if (!atomic_inc_not_zero(&hard_iface->refcount))
+                hard_iface = NULL;
+out:
+        rcu_read_unlock();
+        return hard_iface;
+}
 #endif /* _NET_BATMAN_ADV_HARD_INTERFACE_H_ */
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index 34ce56c358e5..fa22ba2bb832 100644
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -153,6 +153,7 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
 {
        struct socket_client *socket_client = file->private_data;
        struct bat_priv *bat_priv = socket_client->bat_priv;
+        struct hard_iface *primary_if = NULL;
        struct sk_buff *skb;
        struct icmp_packet_rr *icmp_packet;
@@ -167,15 +168,21 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
                return -EINVAL;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                return -EFAULT;
+        if (!primary_if) {
+                len = -EFAULT;
+                goto out;
+        }
        if (len >= sizeof(struct icmp_packet_rr))
                packet_len = sizeof(struct icmp_packet_rr);
        skb = dev_alloc_skb(packet_len + sizeof(struct ethhdr));
-        if (!skb)
+        if (!skb) {
-                return -ENOMEM;
+                len = -ENOMEM;
+                goto out;
+        }
        skb_reserve(skb, sizeof(struct ethhdr));
        icmp_packet = (struct icmp_packet_rr *)skb_put(skb, packet_len);
@@ -218,23 +225,13 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
        if (atomic_read(&bat_priv->mesh_state) != MESH_ACTIVE)
                goto dst_unreach;
-        rcu_read_lock();
        orig_node = orig_hash_find(bat_priv, icmp_packet->dst);
        if (!orig_node)
-                goto unlock;
+                goto dst_unreach;
-        neigh_node = orig_node->router;
+        neigh_node = orig_node_get_router(orig_node);
        if (!neigh_node)
-                goto unlock;
+                goto dst_unreach;
-        if (!atomic_inc_not_zero(&neigh_node->refcount)) {
-                neigh_node = NULL;
-                goto unlock;
-        }
-        rcu_read_unlock();
        if (!neigh_node->if_incoming)
                goto dst_unreach;
@@ -243,7 +240,7 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
                goto dst_unreach;
        memcpy(icmp_packet->orig,
-               bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+               primary_if->net_dev->dev_addr, ETH_ALEN);
        if (packet_len == sizeof(struct icmp_packet_rr))
                memcpy(icmp_packet->rr,
@@ -252,14 +249,14 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
        goto out;
-unlock:
-        rcu_read_unlock();
 dst_unreach:
        icmp_packet->msg_type = DESTINATION_UNREACHABLE;
        bat_socket_add_packet(socket_client, icmp_packet, packet_len);
 free_skb:
        kfree_skb(skb);
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
        if (neigh_node)
                neigh_node_free_ref(neigh_node);
        if (orig_node)
diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index 709b33bbdf43..0a7cee0076f4 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -33,6 +33,9 @@
 #include "vis.h"
 #include "hash.h"
+/* List manipulations on hardif_list have to be rtnl_lock()'ed,
+ * list traversals just rcu-locked */
 struct list_head hardif_list;
 unsigned char broadcast_addr[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
@@ -81,28 +84,29 @@ int mesh_init(struct net_device *soft_iface)
        spin_lock_init(&bat_priv->forw_bat_list_lock);
        spin_lock_init(&bat_priv->forw_bcast_list_lock);
-        spin_lock_init(&bat_priv->hna_lhash_lock);
+        spin_lock_init(&bat_priv->tt_lhash_lock);
-        spin_lock_init(&bat_priv->hna_ghash_lock);
+        spin_lock_init(&bat_priv->tt_ghash_lock);
        spin_lock_init(&bat_priv->gw_list_lock);
        spin_lock_init(&bat_priv->vis_hash_lock);
        spin_lock_init(&bat_priv->vis_list_lock);
        spin_lock_init(&bat_priv->softif_neigh_lock);
+        spin_lock_init(&bat_priv->softif_neigh_vid_lock);
        INIT_HLIST_HEAD(&bat_priv->forw_bat_list);
        INIT_HLIST_HEAD(&bat_priv->forw_bcast_list);
        INIT_HLIST_HEAD(&bat_priv->gw_list);
-        INIT_HLIST_HEAD(&bat_priv->softif_neigh_list);
+        INIT_HLIST_HEAD(&bat_priv->softif_neigh_vids);
        if (originator_init(bat_priv) < 1)
                goto err;
-        if (hna_local_init(bat_priv) < 1)
+        if (tt_local_init(bat_priv) < 1)
                goto err;
-        if (hna_global_init(bat_priv) < 1)
+        if (tt_global_init(bat_priv) < 1)
                goto err;
-        hna_local_add(soft_iface, soft_iface->dev_addr);
+        tt_local_add(soft_iface, soft_iface->dev_addr);
        if (vis_init(bat_priv) < 1)
                goto err;
@@ -133,8 +137,8 @@ void mesh_free(struct net_device *soft_iface)
        gw_node_purge(bat_priv);
        originator_free(bat_priv);
-        hna_local_free(bat_priv);
+        tt_local_free(bat_priv);
-        hna_global_free(bat_priv);
+        tt_global_free(bat_priv);
        softif_neigh_purge(bat_priv);
diff --git a/net/batman-adv/main.h b/net/batman-adv/main.h
index dc248697de71..148b49e02642 100644
--- a/net/batman-adv/main.h
+++ b/net/batman-adv/main.h
@@ -34,16 +34,18 @@
 #define TQ_MAX_VALUE 255
 #define JITTER 20
-#define TTL 50                    /* Time To Live of broadcast messages */
-#define PURGE_TIMEOUT 200       /* purge originators after time in seconds if no
+ /* Time To Live of broadcast messages */
-                                   * valid packet comes in -> TODO: check
+#define TTL 50
-                                   * influence on TQ_LOCAL_WINDOW_SIZE */
-#define LOCAL_HNA_TIMEOUT 3600 /* in seconds */
-#define TQ_LOCAL_WINDOW_SIZE 64   /* sliding packet range of received originator
+/* purge originators after time in seconds if no valid packet comes in
-                                   * messages in squence numbers (should be a
+ * -> TODO: check influence on TQ_LOCAL_WINDOW_SIZE */
-                                   * multiple of our word size) */
+#define PURGE_TIMEOUT 200
+#define TT_LOCAL_TIMEOUT 3600 /* in seconds */
+/* sliding packet range of received originator messages in squence numbers
+ * (should be a multiple of our word size) */
+#define TQ_LOCAL_WINDOW_SIZE 64
 #define TQ_GLOBAL_WINDOW_SIZE 5
 #define TQ_LOCAL_BIDRECT_SEND_MINIMUM 1
 #define TQ_LOCAL_BIDRECT_RECV_MINIMUM 1
@@ -55,21 +57,20 @@
 #define VIS_INTERVAL 5000       /* 5 seconds */
-/* how much worse secondary interfaces may be to
+/* how much worse secondary interfaces may be to be considered as bonding
- * to be considered as bonding candidates */
+ * candidates */
 #define BONDING_TQ_THRESHOLD    50
-#define MAX_AGGREGATION_BYTES 512 /* should not be bigger than 512 bytes or
+/* should not be bigger than 512 bytes or change the size of
-                                   * change the size of
+ * forw_packet->direct_link_flags */
-                                   * forw_packet->direct_link_flags */
+#define MAX_AGGREGATION_BYTES 512
 #define MAX_AGGREGATION_MS 100
 #define SOFTIF_NEIGH_TIMEOUT 180000 /* 3 minutes */
+/* don't reset again within 30 seconds */
 #define RESET_PROTECTION_MS 30000
 #define EXPECTED_SEQNO_RANGE    65536
-/* don't reset again within 30 seconds */
 #define MESH_INACTIVE 0
 #define MESH_ACTIVE 1
@@ -84,12 +85,13 @@
 #ifdef pr_fmt
 #undef pr_fmt
 #endif
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt /* Append 'batman-adv: ' before
+/* Append 'batman-adv: ' before kernel messages */
-                                             * kernel messages */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#define DBG_BATMAN 1    /* all messages related to routing / flooding /
+/* all messages related to routing / flooding / broadcasting / etc */
-                         * broadcasting / etc */
+#define DBG_BATMAN 1
-#define DBG_ROUTES 2    /* route or hna added / changed / deleted */
+/* route or tt entry added / changed / deleted */
+#define DBG_ROUTES 2
 #define DBG_ALL 3
@@ -175,4 +177,6 @@ static inline int compare_eth(void *data1, void *data2)
        return (memcmp(data1, data2, ETH_ALEN) == 0 ? 1 : 0);
 }
+#define atomic_dec_not_zero(v)  atomic_add_unless((v), -1, 0)
 #endif /* _NET_BATMAN_ADV_MAIN_H_ */
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
index 0b9133022d2d..40a30bbcd147 100644
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -19,8 +19,6 @@
 *
 */
-/* increase the reference counter for this originator */
 #include "main.h"
 #include "originator.h"
 #include "hash.h"
@@ -56,18 +54,25 @@ err:
        return 0;
 }
-static void neigh_node_free_rcu(struct rcu_head *rcu)
+void neigh_node_free_ref(struct neigh_node *neigh_node)
 {
-        struct neigh_node *neigh_node;
+        if (atomic_dec_and_test(&neigh_node->refcount))
+                kfree_rcu(neigh_node, rcu);
-        neigh_node = container_of(rcu, struct neigh_node, rcu);
-        kfree(neigh_node);
 }
-void neigh_node_free_ref(struct neigh_node *neigh_node)
+/* increases the refcounter of a found router */
+struct neigh_node *orig_node_get_router(struct orig_node *orig_node)
 {
-        if (atomic_dec_and_test(&neigh_node->refcount))
+        struct neigh_node *router;
-                call_rcu(&neigh_node->rcu, neigh_node_free_rcu);
+        rcu_read_lock();
+        router = rcu_dereference(orig_node->router);
+        if (router && !atomic_inc_not_zero(&router->refcount))
+                router = NULL;
+        rcu_read_unlock();
+        return router;
 }
 struct neigh_node *create_neighbor(struct orig_node *orig_node,
@@ -87,6 +92,7 @@ struct neigh_node *create_neighbor(struct orig_node *orig_node,
        INIT_HLIST_NODE(&neigh_node->list);
        INIT_LIST_HEAD(&neigh_node->bonding_list);
+        spin_lock_init(&neigh_node->tq_lock);
        memcpy(neigh_node->addr, neigh, ETH_ALEN);
        neigh_node->orig_node = orig_neigh_node;
@@ -128,7 +134,7 @@ static void orig_node_free_rcu(struct rcu_head *rcu)
        spin_unlock_bh(&orig_node->neigh_list_lock);
        frag_list_free(&orig_node->frag_list);
-        hna_global_del_orig(orig_node->bat_priv, orig_node,
+        tt_global_del_orig(orig_node->bat_priv, orig_node,
                            "originator timed out");
        kfree(orig_node->bcast_own);
@@ -206,7 +212,7 @@ struct orig_node *get_orig_node(struct bat_priv *bat_priv, uint8_t *addr)
        orig_node->bat_priv = bat_priv;
        memcpy(orig_node->orig, addr, ETH_ALEN);
        orig_node->router = NULL;
-        orig_node->hna_buff = NULL;
+        orig_node->tt_buff = NULL;
        orig_node->bcast_seqno_reset = jiffies - 1
                                        - msecs_to_jiffies(RESET_PROTECTION_MS);
        orig_node->batman_seqno_reset = jiffies - 1
@@ -317,8 +323,8 @@ static bool purge_orig_node(struct bat_priv *bat_priv,
                                                        &best_neigh_node)) {
                        update_routes(bat_priv, orig_node,
                                      best_neigh_node,
-                                      orig_node->hna_buff,
+                                      orig_node->tt_buff,
-                                      orig_node->hna_buff_len);
+                                      orig_node->tt_buff_len);
                }
        }
@@ -389,29 +395,34 @@ int orig_seq_print_text(struct seq_file *seq, void *offset)
        struct hashtable_t *hash = bat_priv->orig_hash;
        struct hlist_node *node, *node_tmp;
        struct hlist_head *head;
+        struct hard_iface *primary_if;
        struct orig_node *orig_node;
-        struct neigh_node *neigh_node;
+        struct neigh_node *neigh_node, *neigh_node_tmp;
        int batman_count = 0;
        int last_seen_secs;
        int last_seen_msecs;
-        int i;
+        int i, ret = 0;
+        primary_if = primary_if_get_selected(bat_priv);
-        if ((!bat_priv->primary_if) ||
+        if (!primary_if) {
-            (bat_priv->primary_if->if_status != IF_ACTIVE)) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
-                if (!bat_priv->primary_if)
+                                 "please specify interfaces to enable it\n",
-                        return seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 net_dev->name);
-                                     "please specify interfaces to enable it\n",
+                goto out;
-                                     net_dev->name);
+        }
-                return seq_printf(seq, "BATMAN mesh %s "
+        if (primary_if->if_status != IF_ACTIVE) {
-                                  "disabled - primary interface not active\n",
+                ret = seq_printf(seq, "BATMAN mesh %s "
-                                  net_dev->name);
+                                 "disabled - primary interface not active\n",
+                                 net_dev->name);
+                goto out;
        }
        seq_printf(seq, "[B.A.T.M.A.N. adv %s%s, MainIF/MAC: %s/%pM (%s)]\n",
                   SOURCE_VERSION, REVISION_VERSION_STR,
-                   bat_priv->primary_if->net_dev->name,
+                   primary_if->net_dev->name,
-                   bat_priv->primary_if->net_dev->dev_addr, net_dev->name);
+                   primary_if->net_dev->dev_addr, net_dev->name);
        seq_printf(seq, "  %-15s %s (%s/%i) %17s [%10s]: %20s ...\n",
                   "Originator", "last-seen", "#", TQ_MAX_VALUE, "Nexthop",
                   "outgoingIF", "Potential nexthops");
@@ -421,40 +432,47 @@ int orig_seq_print_text(struct seq_file *seq, void *offset)
                rcu_read_lock();
                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
-                        if (!orig_node->router)
+                        neigh_node = orig_node_get_router(orig_node);
+                        if (!neigh_node)
                                continue;
-                        if (orig_node->router->tq_avg == 0)
+                        if (neigh_node->tq_avg == 0)
-                                continue;
+                                goto next;
                        last_seen_secs = jiffies_to_msecs(jiffies -
                                                orig_node->last_valid) / 1000;
                        last_seen_msecs = jiffies_to_msecs(jiffies -
                                                orig_node->last_valid) % 1000;
-                        neigh_node = orig_node->router;
                        seq_printf(seq, "%pM %4i.%03is   (%3i) %pM [%10s]:",
                                   orig_node->orig, last_seen_secs,
                                   last_seen_msecs, neigh_node->tq_avg,
                                   neigh_node->addr,
                                   neigh_node->if_incoming->net_dev->name);
-                        hlist_for_each_entry_rcu(neigh_node, node_tmp,
+                        hlist_for_each_entry_rcu(neigh_node_tmp, node_tmp,
                                                 &orig_node->neigh_list, list) {
-                                seq_printf(seq, " %pM (%3i)", neigh_node->addr,
+                                seq_printf(seq, " %pM (%3i)",
-                                                neigh_node->tq_avg);
+                                           neigh_node_tmp->addr,
+                                           neigh_node_tmp->tq_avg);
                        }
                        seq_printf(seq, "\n");
                        batman_count++;
+next:
+                        neigh_node_free_ref(neigh_node);
                }
                rcu_read_unlock();
        }
-        if ((batman_count == 0))
+        if (batman_count == 0)
                seq_printf(seq, "No batman nodes in range ...\n");
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 static int orig_node_add_if(struct orig_node *orig_node, int max_if_num)
diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h
index 5cc011057da1..e1d641f27aa9 100644
--- a/net/batman-adv/originator.h
+++ b/net/batman-adv/originator.h
@@ -34,6 +34,7 @@ struct neigh_node *create_neighbor(struct orig_node *orig_node,
                                   uint8_t *neigh,
                                   struct hard_iface *if_incoming);
 void neigh_node_free_ref(struct neigh_node *neigh_node);
+struct neigh_node *orig_node_get_router(struct orig_node *orig_node);
 int orig_seq_print_text(struct seq_file *seq, void *offset);
 int orig_hash_add_if(struct hard_iface *hard_iface, int max_if_num);
 int orig_hash_del_if(struct hard_iface *hard_iface, int max_if_num);
diff --git a/net/batman-adv/packet.h b/net/batman-adv/packet.h
index e7571879af3f..eda99650e9f8 100644
--- a/net/batman-adv/packet.h
+++ b/net/batman-adv/packet.h
@@ -61,7 +61,7 @@ struct batman_packet {
        uint8_t  orig[6];
        uint8_t  prev_sender[6];
        uint8_t  ttl;
-        uint8_t  num_hna;
+        uint8_t  num_tt;
        uint8_t  gw_flags;  /* flags related to gateway class */
        uint8_t  align;
 } __packed;
@@ -128,8 +128,7 @@ struct vis_packet {
        uint8_t  entries;        /* number of entries behind this struct */
        uint32_t seqno;          /* sequence number */
        uint8_t  ttl;            /* TTL */
-        uint8_t  vis_orig[6];    /* originator that informs about its
+        uint8_t  vis_orig[6];    /* originator that announces its neighbors */
-                                  * neighbors */
        uint8_t  target_orig[6]; /* who should receive this packet */
        uint8_t  sender_orig[6]; /* who sent or rebroadcasted this packet */
 } __packed;
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index c172f5d0e05a..bb1c3ec7e3ff 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -64,80 +64,97 @@ void slide_own_bcast_window(struct hard_iface *hard_iface)
        }
 }
-static void update_HNA(struct bat_priv *bat_priv, struct orig_node *orig_node,
+static void update_TT(struct bat_priv *bat_priv, struct orig_node *orig_node,
-                       unsigned char *hna_buff, int hna_buff_len)
+                       unsigned char *tt_buff, int tt_buff_len)
 {
-        if ((hna_buff_len != orig_node->hna_buff_len) ||
+        if ((tt_buff_len != orig_node->tt_buff_len) ||
-            ((hna_buff_len > 0) &&
+            ((tt_buff_len > 0) &&
-             (orig_node->hna_buff_len > 0) &&
+             (orig_node->tt_buff_len > 0) &&
-             (memcmp(orig_node->hna_buff, hna_buff, hna_buff_len) != 0))) {
+             (memcmp(orig_node->tt_buff, tt_buff, tt_buff_len) != 0))) {
-                if (orig_node->hna_buff_len > 0)
+                if (orig_node->tt_buff_len > 0)
-                        hna_global_del_orig(bat_priv, orig_node,
+                        tt_global_del_orig(bat_priv, orig_node,
-                                            "originator changed hna");
+                                            "originator changed tt");
-                if ((hna_buff_len > 0) && (hna_buff))
+                if ((tt_buff_len > 0) && (tt_buff))
-                        hna_global_add_orig(bat_priv, orig_node,
+                        tt_global_add_orig(bat_priv, orig_node,
-                                            hna_buff, hna_buff_len);
+                                            tt_buff, tt_buff_len);
        }
 }
 static void update_route(struct bat_priv *bat_priv,
                         struct orig_node *orig_node,
                         struct neigh_node *neigh_node,
-                         unsigned char *hna_buff, int hna_buff_len)
+                         unsigned char *tt_buff, int tt_buff_len)
 {
-        struct neigh_node *neigh_node_tmp;
+        struct neigh_node *curr_router;
+        curr_router = orig_node_get_router(orig_node);
        /* route deleted */
-        if ((orig_node->router) && (!neigh_node)) {
+        if ((curr_router) && (!neigh_node)) {
                bat_dbg(DBG_ROUTES, bat_priv, "Deleting route towards: %pM\n",
                        orig_node->orig);
-                hna_global_del_orig(bat_priv, orig_node,
+                tt_global_del_orig(bat_priv, orig_node,
                                    "originator timed out");
-                /* route added */
+        /* route added */
-        } else if ((!orig_node->router) && (neigh_node)) {
+        } else if ((!curr_router) && (neigh_node)) {
                bat_dbg(DBG_ROUTES, bat_priv,
                        "Adding route towards: %pM (via %pM)\n",
                        orig_node->orig, neigh_node->addr);
-                hna_global_add_orig(bat_priv, orig_node,
+                tt_global_add_orig(bat_priv, orig_node,
-                                    hna_buff, hna_buff_len);
+                                    tt_buff, tt_buff_len);
-                /* route changed */
+        /* route changed */
        } else {
                bat_dbg(DBG_ROUTES, bat_priv,
                        "Changing route towards: %pM "
                        "(now via %pM - was via %pM)\n",
                        orig_node->orig, neigh_node->addr,
-                        orig_node->router->addr);
+                        curr_router->addr);
        }
+        if (curr_router)
+                neigh_node_free_ref(curr_router);
+        /* increase refcount of new best neighbor */
        if (neigh_node && !atomic_inc_not_zero(&neigh_node->refcount))
                neigh_node = NULL;
-        neigh_node_tmp = orig_node->router;
-        orig_node->router = neigh_node;
+        spin_lock_bh(&orig_node->neigh_list_lock);
-        if (neigh_node_tmp)
+        rcu_assign_pointer(orig_node->router, neigh_node);
-                neigh_node_free_ref(neigh_node_tmp);
+        spin_unlock_bh(&orig_node->neigh_list_lock);
+        /* decrease refcount of previous best neighbor */
+        if (curr_router)
+                neigh_node_free_ref(curr_router);
 }
 void update_routes(struct bat_priv *bat_priv, struct orig_node *orig_node,
-                   struct neigh_node *neigh_node, unsigned char *hna_buff,
+                   struct neigh_node *neigh_node, unsigned char *tt_buff,
-                   int hna_buff_len)
+                   int tt_buff_len)
 {
+        struct neigh_node *router = NULL;
        if (!orig_node)
-                return;
+                goto out;
+        router = orig_node_get_router(orig_node);
-        if (orig_node->router != neigh_node)
+        if (router != neigh_node)
                update_route(bat_priv, orig_node, neigh_node,
-                             hna_buff, hna_buff_len);
+                             tt_buff, tt_buff_len);
-        /* may be just HNA changed */
+        /* may be just TT changed */
        else
-                update_HNA(bat_priv, orig_node, hna_buff, hna_buff_len);
+                update_TT(bat_priv, orig_node, tt_buff, tt_buff_len);
+out:
+        if (router)
+                neigh_node_free_ref(router);
 }
 static int is_bidirectional_neigh(struct orig_node *orig_node,
@@ -152,65 +169,41 @@ static int is_bidirectional_neigh(struct orig_node *orig_node,
        uint8_t orig_eq_count, neigh_rq_count, tq_own;
        int tq_asym_penalty, ret = 0;
-        if (orig_node == orig_neigh_node) {
+        /* find corresponding one hop neighbor */
-                rcu_read_lock();
+        rcu_read_lock();
-                hlist_for_each_entry_rcu(tmp_neigh_node, node,
+        hlist_for_each_entry_rcu(tmp_neigh_node, node,
-                                         &orig_node->neigh_list, list) {
+                                 &orig_neigh_node->neigh_list, list) {
-                        if (!compare_eth(tmp_neigh_node->addr,
-                                         orig_neigh_node->orig))
-                                continue;
-                        if (tmp_neigh_node->if_incoming != if_incoming)
-                                continue;
-                        if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
-                                continue;
-                        neigh_node = tmp_neigh_node;
-                }
-                rcu_read_unlock();
-                if (!neigh_node)
+                if (!compare_eth(tmp_neigh_node->addr, orig_neigh_node->orig))
-                        neigh_node = create_neighbor(orig_node,
+                        continue;
-                                                     orig_neigh_node,
-                                                     orig_neigh_node->orig,
-                                                     if_incoming);
-                if (!neigh_node)
-                        goto out;
-                neigh_node->last_valid = jiffies;
+                if (tmp_neigh_node->if_incoming != if_incoming)
-        } else {
+                        continue;
-                /* find packet count of corresponding one hop neighbor */
-                rcu_read_lock();
-                hlist_for_each_entry_rcu(tmp_neigh_node, node,
-                                         &orig_neigh_node->neigh_list, list) {
-                        if (!compare_eth(tmp_neigh_node->addr,
+                if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
-                                         orig_neigh_node->orig))
+                        continue;
-                                continue;
-                        if (tmp_neigh_node->if_incoming != if_incoming)
+                neigh_node = tmp_neigh_node;
-                                continue;
+                break;
+        }
+        rcu_read_unlock();
-                        if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
+        if (!neigh_node)
-                                continue;
+                neigh_node = create_neighbor(orig_neigh_node,
+                                             orig_neigh_node,
+                                             orig_neigh_node->orig,
+                                             if_incoming);
-                        neigh_node = tmp_neigh_node;
+        if (!neigh_node)
-                }
+                goto out;
-                rcu_read_unlock();
-                if (!neigh_node)
+        /* if orig_node is direct neighbour update neigh_node last_valid */
-                        neigh_node = create_neighbor(orig_neigh_node,
+        if (orig_node == orig_neigh_node)
-                                                     orig_neigh_node,
+                neigh_node->last_valid = jiffies;
-                                                     orig_neigh_node->orig,
-                                                     if_incoming);
-                if (!neigh_node)
-                        goto out;
-        }
        orig_node->last_valid = jiffies;
+        /* find packet count of corresponding one hop neighbor */
        spin_lock_bh(&orig_node->ogm_cnt_lock);
        orig_eq_count = orig_neigh_node->bcast_own_sum[if_incoming->if_num];
        neigh_rq_count = neigh_node->real_packet_count;
@@ -288,8 +281,8 @@ static void bonding_candidate_add(struct orig_node *orig_node,
                                  struct neigh_node *neigh_node)
 {
        struct hlist_node *node;
-        struct neigh_node *tmp_neigh_node;
+        struct neigh_node *tmp_neigh_node, *router = NULL;
-        uint8_t best_tq, interference_candidate = 0;
+        uint8_t interference_candidate = 0;
        spin_lock_bh(&orig_node->neigh_list_lock);
@@ -298,13 +291,12 @@ static void bonding_candidate_add(struct orig_node *orig_node,
                         neigh_node->orig_node->primary_addr))
                goto candidate_del;
-        if (!orig_node->router)
+        router = orig_node_get_router(orig_node);
+        if (!router)
                goto candidate_del;
-        best_tq = orig_node->router->tq_avg;
        /* ... and is good enough to be considered */
-        if (neigh_node->tq_avg < best_tq - BONDING_TQ_THRESHOLD)
+        if (neigh_node->tq_avg < router->tq_avg - BONDING_TQ_THRESHOLD)
                goto candidate_del;
        /**
@@ -350,7 +342,9 @@ candidate_del:
 out:
        spin_unlock_bh(&orig_node->neigh_list_lock);
-        return;
+        if (router)
+                neigh_node_free_ref(router);
 }
 /* copy primary address for bonding */
@@ -369,13 +363,14 @@ static void update_orig(struct bat_priv *bat_priv,
                        struct ethhdr *ethhdr,
                        struct batman_packet *batman_packet,
                        struct hard_iface *if_incoming,
-                        unsigned char *hna_buff, int hna_buff_len,
+                        unsigned char *tt_buff, int tt_buff_len,
                        char is_duplicate)
 {
        struct neigh_node *neigh_node = NULL, *tmp_neigh_node = NULL;
+        struct neigh_node *router = NULL;
        struct orig_node *orig_node_tmp;
        struct hlist_node *node;
-        int tmp_hna_buff_len;
+        int tmp_tt_buff_len;
        uint8_t bcast_own_sum_orig, bcast_own_sum_neigh;
        bat_dbg(DBG_BATMAN, bat_priv, "update_originator(): "
@@ -396,10 +391,12 @@ static void update_orig(struct bat_priv *bat_priv,
                if (is_duplicate)
                        continue;
+                spin_lock_bh(&tmp_neigh_node->tq_lock);
                ring_buffer_set(tmp_neigh_node->tq_recv,
                                &tmp_neigh_node->tq_index, 0);
                tmp_neigh_node->tq_avg =
                        ring_buffer_avg(tmp_neigh_node->tq_recv);
+                spin_unlock_bh(&tmp_neigh_node->tq_lock);
        }
        if (!neigh_node) {
@@ -424,10 +421,12 @@ static void update_orig(struct bat_priv *bat_priv,
        orig_node->flags = batman_packet->flags;
        neigh_node->last_valid = jiffies;
+        spin_lock_bh(&neigh_node->tq_lock);
        ring_buffer_set(neigh_node->tq_recv,
                        &neigh_node->tq_index,
                        batman_packet->tq);
        neigh_node->tq_avg = ring_buffer_avg(neigh_node->tq_recv);
+        spin_unlock_bh(&neigh_node->tq_lock);
        if (!is_duplicate) {
                orig_node->last_ttl = batman_packet->ttl;
@@ -436,24 +435,23 @@ static void update_orig(struct bat_priv *bat_priv,
        bonding_candidate_add(orig_node, neigh_node);
-        tmp_hna_buff_len = (hna_buff_len > batman_packet->num_hna * ETH_ALEN ?
+        tmp_tt_buff_len = (tt_buff_len > batman_packet->num_tt * ETH_ALEN ?
-                            batman_packet->num_hna * ETH_ALEN : hna_buff_len);
+                            batman_packet->num_tt * ETH_ALEN : tt_buff_len);
        /* if this neighbor already is our next hop there is nothing
         * to change */
-        if (orig_node->router == neigh_node)
+        router = orig_node_get_router(orig_node);
-                goto update_hna;
+        if (router == neigh_node)
+                goto update_tt;
        /* if this neighbor does not offer a better TQ we won't consider it */
-        if ((orig_node->router) &&
+        if (router && (router->tq_avg > neigh_node->tq_avg))
-            (orig_node->router->tq_avg > neigh_node->tq_avg))
+                goto update_tt;
-                goto update_hna;
        /* if the TQ is the same and the link not more symetric we
         * won't consider it either */
-        if ((orig_node->router) &&
+        if (router && (neigh_node->tq_avg == router->tq_avg)) {
-             (neigh_node->tq_avg == orig_node->router->tq_avg)) {
+                orig_node_tmp = router->orig_node;
-                orig_node_tmp = orig_node->router->orig_node;
                spin_lock_bh(&orig_node_tmp->ogm_cnt_lock);
                bcast_own_sum_orig =
                        orig_node_tmp->bcast_own_sum[if_incoming->if_num];
@@ -466,16 +464,16 @@ static void update_orig(struct bat_priv *bat_priv,
                spin_unlock_bh(&orig_node_tmp->ogm_cnt_lock);
                if (bcast_own_sum_orig >= bcast_own_sum_neigh)
-                        goto update_hna;
+                        goto update_tt;
        }
        update_routes(bat_priv, orig_node, neigh_node,
-                      hna_buff, tmp_hna_buff_len);
+                      tt_buff, tmp_tt_buff_len);
        goto update_gw;
-update_hna:
+update_tt:
-        update_routes(bat_priv, orig_node, orig_node->router,
+        update_routes(bat_priv, orig_node, router,
-                      hna_buff, tmp_hna_buff_len);
+                      tt_buff, tmp_tt_buff_len);
 update_gw:
        if (orig_node->gw_flags != batman_packet->gw_flags)
@@ -496,6 +494,8 @@ unlock:
 out:
        if (neigh_node)
                neigh_node_free_ref(neigh_node);
+        if (router)
+                neigh_node_free_ref(router);
 }
 /* checks whether the host restarted and is in the protection time.
@@ -597,12 +597,14 @@ out:
 void receive_bat_packet(struct ethhdr *ethhdr,
                        struct batman_packet *batman_packet,
-                        unsigned char *hna_buff, int hna_buff_len,
+                        unsigned char *tt_buff, int tt_buff_len,
                        struct hard_iface *if_incoming)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
        struct hard_iface *hard_iface;
        struct orig_node *orig_neigh_node, *orig_node;
+        struct neigh_node *router = NULL, *router_router = NULL;
+        struct neigh_node *orig_neigh_router = NULL;
        char has_directlink_flag;
        char is_my_addr = 0, is_my_orig = 0, is_my_oldorig = 0;
        char is_broadcast = 0, is_bidirectional, is_single_hop_neigh;
@@ -747,14 +749,15 @@ void receive_bat_packet(struct ethhdr *ethhdr,
                goto out;
        }
+        router = orig_node_get_router(orig_node);
+        if (router)
+                router_router = orig_node_get_router(router->orig_node);
        /* avoid temporary routing loops */
-        if ((orig_node->router) &&
+        if (router && router_router &&
-            (orig_node->router->orig_node->router) &&
+            (compare_eth(router->addr, batman_packet->prev_sender)) &&
-            (compare_eth(orig_node->router->addr,
-                         batman_packet->prev_sender)) &&
            !(compare_eth(batman_packet->orig, batman_packet->prev_sender)) &&
-            (compare_eth(orig_node->router->addr,
+            (compare_eth(router->addr, router_router->addr))) {
-                         orig_node->router->orig_node->router->addr))) {
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: ignoring all rebroadcast packets that "
                        "may make me loop (sender: %pM)\n", ethhdr->h_source);
@@ -769,9 +772,11 @@ void receive_bat_packet(struct ethhdr *ethhdr,
        if (!orig_neigh_node)
                goto out;
+        orig_neigh_router = orig_node_get_router(orig_neigh_node);
        /* drop packet if sender is not a direct neighbor and if we
         * don't route towards it */
-        if (!is_single_hop_neigh && (!orig_neigh_node->router)) {
+        if (!is_single_hop_neigh && (!orig_neigh_router)) {
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: OGM via unknown neighbor!\n");
                goto out_neigh;
@@ -789,14 +794,14 @@ void receive_bat_packet(struct ethhdr *ethhdr,
             ((orig_node->last_real_seqno == batman_packet->seqno) &&
              (orig_node->last_ttl - 3 <= batman_packet->ttl))))
                update_orig(bat_priv, orig_node, ethhdr, batman_packet,
-                            if_incoming, hna_buff, hna_buff_len, is_duplicate);
+                            if_incoming, tt_buff, tt_buff_len, is_duplicate);
        /* is single hop (direct) neighbor */
        if (is_single_hop_neigh) {
                /* mark direct link on incoming interface */
                schedule_forward_packet(orig_node, ethhdr, batman_packet,
-                                        1, hna_buff_len, if_incoming);
+                                        1, tt_buff_len, if_incoming);
                bat_dbg(DBG_BATMAN, bat_priv, "Forwarding packet: "
                        "rebroadcast neighbor packet with direct link flag\n");
@@ -819,12 +824,19 @@ void receive_bat_packet(struct ethhdr *ethhdr,
        bat_dbg(DBG_BATMAN, bat_priv,
                "Forwarding packet: rebroadcast originator packet\n");
        schedule_forward_packet(orig_node, ethhdr, batman_packet,
-                                0, hna_buff_len, if_incoming);
+                                0, tt_buff_len, if_incoming);
 out_neigh:
        if ((orig_neigh_node) && (!is_single_hop_neigh))
                orig_node_free_ref(orig_neigh_node);
 out:
+        if (router)
+                neigh_node_free_ref(router);
+        if (router_router)
+                neigh_node_free_ref(router_router);
+        if (orig_neigh_router)
+                neigh_node_free_ref(orig_neigh_router);
        orig_node_free_ref(orig_node);
 }
@@ -868,8 +880,9 @@ int recv_bat_packet(struct sk_buff *skb, struct hard_iface *hard_iface)
 static int recv_my_icmp_packet(struct bat_priv *bat_priv,
                               struct sk_buff *skb, size_t icmp_len)
 {
+        struct hard_iface *primary_if = NULL;
        struct orig_node *orig_node = NULL;
-        struct neigh_node *neigh_node = NULL;
+        struct neigh_node *router = NULL;
        struct icmp_packet_rr *icmp_packet;
        int ret = NET_RX_DROP;
@@ -881,28 +894,19 @@ static int recv_my_icmp_packet(struct bat_priv *bat_priv,
                goto out;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                goto out;
        /* answer echo request (ping) */
        /* get routing information */
-        rcu_read_lock();
        orig_node = orig_hash_find(bat_priv, icmp_packet->orig);
        if (!orig_node)
-                goto unlock;
+                goto out;
-        neigh_node = orig_node->router;
-        if (!neigh_node)
-                goto unlock;
-        if (!atomic_inc_not_zero(&neigh_node->refcount)) {
-                neigh_node = NULL;
-                goto unlock;
-        }
-        rcu_read_unlock();
+        router = orig_node_get_router(orig_node);
+        if (!router)
+                goto out;
        /* create a copy of the skb, if needed, to modify it. */
        if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
@@ -911,20 +915,18 @@ static int recv_my_icmp_packet(struct bat_priv *bat_priv,
        icmp_packet = (struct icmp_packet_rr *)skb->data;
        memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
-        memcpy(icmp_packet->orig,
+        memcpy(icmp_packet->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
-                bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
        icmp_packet->msg_type = ECHO_REPLY;
        icmp_packet->ttl = TTL;
-        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
+        send_skb_packet(skb, router->if_incoming, router->addr);
        ret = NET_RX_SUCCESS;
-        goto out;
-unlock:
-        rcu_read_unlock();
 out:
-        if (neigh_node)
+        if (primary_if)
-                neigh_node_free_ref(neigh_node);
+                hardif_free_ref(primary_if);
+        if (router)
+                neigh_node_free_ref(router);
        if (orig_node)
                orig_node_free_ref(orig_node);
        return ret;
@@ -933,8 +935,9 @@ out:
 static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
                                  struct sk_buff *skb)
 {
+        struct hard_iface *primary_if = NULL;
        struct orig_node *orig_node = NULL;
-        struct neigh_node *neigh_node = NULL;
+        struct neigh_node *router = NULL;
        struct icmp_packet *icmp_packet;
        int ret = NET_RX_DROP;
@@ -948,27 +951,18 @@ static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
                goto out;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                goto out;
        /* get routing information */
-        rcu_read_lock();
        orig_node = orig_hash_find(bat_priv, icmp_packet->orig);
        if (!orig_node)
-                goto unlock;
+                goto out;
-        neigh_node = orig_node->router;
-        if (!neigh_node)
-                goto unlock;
-        if (!atomic_inc_not_zero(&neigh_node->refcount)) {
-                neigh_node = NULL;
-                goto unlock;
-        }
-        rcu_read_unlock();
+        router = orig_node_get_router(orig_node);
+        if (!router)
+                goto out;
        /* create a copy of the skb, if needed, to modify it. */
        if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
@@ -977,20 +971,18 @@ static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
        icmp_packet = (struct icmp_packet *)skb->data;
        memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
-        memcpy(icmp_packet->orig,
+        memcpy(icmp_packet->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
-                bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
        icmp_packet->msg_type = TTL_EXCEEDED;
        icmp_packet->ttl = TTL;
-        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
+        send_skb_packet(skb, router->if_incoming, router->addr);
        ret = NET_RX_SUCCESS;
-        goto out;
-unlock:
-        rcu_read_unlock();
 out:
-        if (neigh_node)
+        if (primary_if)
-                neigh_node_free_ref(neigh_node);
+                hardif_free_ref(primary_if);
+        if (router)
+                neigh_node_free_ref(router);
        if (orig_node)
                orig_node_free_ref(orig_node);
        return ret;
@@ -1003,7 +995,7 @@ int recv_icmp_packet(struct sk_buff *skb, struct hard_iface *recv_if)
        struct icmp_packet_rr *icmp_packet;
        struct ethhdr *ethhdr;
        struct orig_node *orig_node = NULL;
-        struct neigh_node *neigh_node = NULL;
+        struct neigh_node *router = NULL;
        int hdr_size = sizeof(struct icmp_packet);
        int ret = NET_RX_DROP;
@@ -1050,23 +1042,13 @@ int recv_icmp_packet(struct sk_buff *skb, struct hard_iface *recv_if)
                return recv_icmp_ttl_exceeded(bat_priv, skb);
        /* get routing information */
-        rcu_read_lock();
        orig_node = orig_hash_find(bat_priv, icmp_packet->dst);
        if (!orig_node)
-                goto unlock;
+                goto out;
-        neigh_node = orig_node->router;
-        if (!neigh_node)
-                goto unlock;
-        if (!atomic_inc_not_zero(&neigh_node->refcount)) {
-                neigh_node = NULL;
-                goto unlock;
-        }
-        rcu_read_unlock();
+        router = orig_node_get_router(orig_node);
+        if (!router)
+                goto out;
        /* create a copy of the skb, if needed, to modify it. */
        if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
@@ -1078,20 +1060,117 @@ int recv_icmp_packet(struct sk_buff *skb, struct hard_iface *recv_if)
        icmp_packet->ttl--;
        /* route it */
-        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
+        send_skb_packet(skb, router->if_incoming, router->addr);
        ret = NET_RX_SUCCESS;
-        goto out;
-unlock:
-        rcu_read_unlock();
 out:
-        if (neigh_node)
+        if (router)
-                neigh_node_free_ref(neigh_node);
+                neigh_node_free_ref(router);
        if (orig_node)
                orig_node_free_ref(orig_node);
        return ret;
 }
+/* In the bonding case, send the packets in a round
+ * robin fashion over the remaining interfaces.
+ *
+ * This method rotates the bonding list and increases the
+ * returned router's refcount. */
+static struct neigh_node *find_bond_router(struct orig_node *primary_orig,
+                                           struct hard_iface *recv_if)
+{
+        struct neigh_node *tmp_neigh_node;
+        struct neigh_node *router = NULL, *first_candidate = NULL;
+        rcu_read_lock();
+        list_for_each_entry_rcu(tmp_neigh_node, &primary_orig->bond_list,
+                                bonding_list) {
+                if (!first_candidate)
+                        first_candidate = tmp_neigh_node;
+                /* recv_if == NULL on the first node. */
+                if (tmp_neigh_node->if_incoming == recv_if)
+                        continue;
+                if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
+                        continue;
+                router = tmp_neigh_node;
+                break;
+        }
+        /* use the first candidate if nothing was found. */
+        if (!router && first_candidate &&
+            atomic_inc_not_zero(&first_candidate->refcount))
+                router = first_candidate;
+        if (!router)
+                goto out;
+        /* selected should point to the next element
+         * after the current router */
+        spin_lock_bh(&primary_orig->neigh_list_lock);
+        /* this is a list_move(), which unfortunately
+         * does not exist as rcu version */
+        list_del_rcu(&primary_orig->bond_list);
+        list_add_rcu(&primary_orig->bond_list,
+                     &router->bonding_list);
+        spin_unlock_bh(&primary_orig->neigh_list_lock);
+out:
+        rcu_read_unlock();
+        return router;
+}
+/* Interface Alternating: Use the best of the
+ * remaining candidates which are not using
+ * this interface.
+ *
+ * Increases the returned router's refcount */
+static struct neigh_node *find_ifalter_router(struct orig_node *primary_orig,
+                                              struct hard_iface *recv_if)
+{
+        struct neigh_node *tmp_neigh_node;
+        struct neigh_node *router = NULL, *first_candidate = NULL;
+        rcu_read_lock();
+        list_for_each_entry_rcu(tmp_neigh_node, &primary_orig->bond_list,
+                                bonding_list) {
+                if (!first_candidate)
+                        first_candidate = tmp_neigh_node;
+                /* recv_if == NULL on the first node. */
+                if (tmp_neigh_node->if_incoming == recv_if)
+                        continue;
+                if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
+                        continue;
+                /* if we don't have a router yet
+                 * or this one is better, choose it. */
+                if ((!router) ||
+                    (tmp_neigh_node->tq_avg > router->tq_avg)) {
+                        /* decrement refcount of
+                         * previously selected router */
+                        if (router)
+                                neigh_node_free_ref(router);
+                        router = tmp_neigh_node;
+                        atomic_inc_not_zero(&router->refcount);
+                }
+                neigh_node_free_ref(tmp_neigh_node);
+        }
+        /* use the first candidate if nothing was found. */
+        if (!router && first_candidate &&
+            atomic_inc_not_zero(&first_candidate->refcount))
+                router = first_candidate;
+        rcu_read_unlock();
+        return router;
+}
 /* find a suitable router for this originator, and use
 * bonding if possible. increases the found neighbors
 * refcount.*/
@@ -1101,15 +1180,16 @@ struct neigh_node *find_router(struct bat_priv *bat_priv,
 {
        struct orig_node *primary_orig_node;
        struct orig_node *router_orig;
-        struct neigh_node *router, *first_candidate, *tmp_neigh_node;
+        struct neigh_node *router;
        static uint8_t zero_mac[ETH_ALEN] = {0, 0, 0, 0, 0, 0};
        int bonding_enabled;
        if (!orig_node)
                return NULL;
-        if (!orig_node->router)
+        router = orig_node_get_router(orig_node);
-                return NULL;
+        if (!router)
+                goto err;
        /* without bonding, the first node should
         * always choose the default router. */
@@ -1117,12 +1197,9 @@ struct neigh_node *find_router(struct bat_priv *bat_priv,
        rcu_read_lock();
        /* select default router to output */
-        router = orig_node->router;
+        router_orig = router->orig_node;
-        router_orig = orig_node->router->orig_node;
+        if (!router_orig)
-        if (!router_orig || !atomic_inc_not_zero(&router->refcount)) {
+                goto err_unlock;
-                rcu_read_unlock();
-                return NULL;
-        }
        if ((!recv_if) && (!bonding_enabled))
                goto return_router;
@@ -1151,91 +1228,26 @@ struct neigh_node *find_router(struct bat_priv *bat_priv,
        if (atomic_read(&primary_orig_node->bond_candidates) < 2)
                goto return_router;
        /* all nodes between should choose a candidate which
         * is is not on the interface where the packet came
         * in. */
        neigh_node_free_ref(router);
-        first_candidate = NULL;
-        router = NULL;
-        if (bonding_enabled) {
-                /* in the bonding case, send the packets in a round
-                 * robin fashion over the remaining interfaces. */
-                list_for_each_entry_rcu(tmp_neigh_node,
-                                &primary_orig_node->bond_list, bonding_list) {
-                        if (!first_candidate)
-                                first_candidate = tmp_neigh_node;
-                        /* recv_if == NULL on the first node. */
-                        if (tmp_neigh_node->if_incoming != recv_if &&
-                            atomic_inc_not_zero(&tmp_neigh_node->refcount)) {
-                                router = tmp_neigh_node;
-                                break;
-                        }
-                }
-                /* use the first candidate if nothing was found. */
-                if (!router && first_candidate &&
-                    atomic_inc_not_zero(&first_candidate->refcount))
-                        router = first_candidate;
-                if (!router) {
+        if (bonding_enabled)
-                        rcu_read_unlock();
+                router = find_bond_router(primary_orig_node, recv_if);
-                        return NULL;
+        else
-                }
+                router = find_ifalter_router(primary_orig_node, recv_if);
-                /* selected should point to the next element
-                 * after the current router */
-                spin_lock_bh(&primary_orig_node->neigh_list_lock);
-                /* this is a list_move(), which unfortunately
-                 * does not exist as rcu version */
-                list_del_rcu(&primary_orig_node->bond_list);
-                list_add_rcu(&primary_orig_node->bond_list,
-                                &router->bonding_list);
-                spin_unlock_bh(&primary_orig_node->neigh_list_lock);
-        } else {
-                /* if bonding is disabled, use the best of the
-                 * remaining candidates which are not using
-                 * this interface. */
-                list_for_each_entry_rcu(tmp_neigh_node,
-                        &primary_orig_node->bond_list, bonding_list) {
-                        if (!first_candidate)
-                                first_candidate = tmp_neigh_node;
-                        /* recv_if == NULL on the first node. */
-                        if (tmp_neigh_node->if_incoming == recv_if)
-                                continue;
-                        if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
-                                continue;
-                        /* if we don't have a router yet
-                         * or this one is better, choose it. */
-                        if ((!router) ||
-                            (tmp_neigh_node->tq_avg > router->tq_avg)) {
-                                /* decrement refcount of
-                                 * previously selected router */
-                                if (router)
-                                        neigh_node_free_ref(router);
-                                router = tmp_neigh_node;
-                                atomic_inc_not_zero(&router->refcount);
-                        }
-                        neigh_node_free_ref(tmp_neigh_node);
-                }
-                /* use the first candidate if nothing was found. */
-                if (!router && first_candidate &&
-                    atomic_inc_not_zero(&first_candidate->refcount))
-                        router = first_candidate;
-        }
 return_router:
        rcu_read_unlock();
        return router;
+err_unlock:
+        rcu_read_unlock();
+err:
+        if (router)
+                neigh_node_free_ref(router);
+        return NULL;
 }
 static int check_unicast_packet(struct sk_buff *skb, int hdr_size)
@@ -1284,13 +1296,10 @@ int route_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if)
        }
        /* get routing information */
-        rcu_read_lock();
        orig_node = orig_hash_find(bat_priv, unicast_packet->dest);
        if (!orig_node)
-                goto unlock;
+                goto out;
-        rcu_read_unlock();
        /* find_router() increases neigh_nodes refcount if found. */
        neigh_node = find_router(bat_priv, orig_node, recv_if);
@@ -1336,10 +1345,7 @@ int route_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if)
        /* route it */
        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
        ret = NET_RX_SUCCESS;
-        goto out;
-unlock:
-        rcu_read_unlock();
 out:
        if (neigh_node)
                neigh_node_free_ref(neigh_node);
@@ -1438,13 +1444,10 @@ int recv_bcast_packet(struct sk_buff *skb, struct hard_iface *recv_if)
        if (bcast_packet->ttl < 2)
                goto out;
-        rcu_read_lock();
        orig_node = orig_hash_find(bat_priv, bcast_packet->orig);
        if (!orig_node)
-                goto rcu_unlock;
+                goto out;
-        rcu_read_unlock();
        spin_lock_bh(&orig_node->bcast_seqno_lock);
@@ -1475,9 +1478,6 @@ int recv_bcast_packet(struct sk_buff *skb, struct hard_iface *recv_if)
        ret = NET_RX_SUCCESS;
        goto out;
-rcu_unlock:
-        rcu_read_unlock();
-        goto out;
 spin_unlock:
        spin_unlock_bh(&orig_node->bcast_seqno_lock);
 out:
diff --git a/net/batman-adv/routing.h b/net/batman-adv/routing.h
index b5a064c88a4f..870f29842b28 100644
--- a/net/batman-adv/routing.h
+++ b/net/batman-adv/routing.h
@@ -25,11 +25,11 @@
 void slide_own_bcast_window(struct hard_iface *hard_iface);
 void receive_bat_packet(struct ethhdr *ethhdr,
                                struct batman_packet *batman_packet,
-                                unsigned char *hna_buff, int hna_buff_len,
+                                unsigned char *tt_buff, int tt_buff_len,
                                struct hard_iface *if_incoming);
 void update_routes(struct bat_priv *bat_priv, struct orig_node *orig_node,
-                   struct neigh_node *neigh_node, unsigned char *hna_buff,
+                   struct neigh_node *neigh_node, unsigned char *tt_buff,
-                   int hna_buff_len);
+                   int tt_buff_len);
 int route_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if);
 int recv_icmp_packet(struct sk_buff *skb, struct hard_iface *recv_if);
 int recv_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if);
diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c
index d49e54d932af..33779278f1b2 100644
--- a/net/batman-adv/send.c
+++ b/net/batman-adv/send.c
@@ -121,7 +121,7 @@ static void send_packet_to_if(struct forw_packet *forw_packet,
        /* adjust all flags and log packets */
        while (aggregated_packet(buff_pos,
                                 forw_packet->packet_len,
-                                 batman_packet->num_hna)) {
+                                 batman_packet->num_tt)) {
                /* we might have aggregated direct link packets with an
                 * ordinary base packet */
@@ -146,7 +146,7 @@ static void send_packet_to_if(struct forw_packet *forw_packet,
                        hard_iface->net_dev->dev_addr);
                buff_pos += sizeof(struct batman_packet) +
-                        (batman_packet->num_hna * ETH_ALEN);
+                        (batman_packet->num_tt * ETH_ALEN);
                packet_num++;
                batman_packet = (struct batman_packet *)
                        (forw_packet->skb->data + buff_pos);
@@ -222,7 +222,7 @@ static void rebuild_batman_packet(struct bat_priv *bat_priv,
        struct batman_packet *batman_packet;
        new_len = sizeof(struct batman_packet) +
-                        (bat_priv->num_local_hna * ETH_ALEN);
+                        (bat_priv->num_local_tt * ETH_ALEN);
        new_buff = kmalloc(new_len, GFP_ATOMIC);
        /* keep old buffer if kmalloc should fail */
@@ -231,7 +231,7 @@ static void rebuild_batman_packet(struct bat_priv *bat_priv,
                       sizeof(struct batman_packet));
                batman_packet = (struct batman_packet *)new_buff;
-                batman_packet->num_hna = hna_local_fill_buffer(bat_priv,
+                batman_packet->num_tt = tt_local_fill_buffer(bat_priv,
                                new_buff + sizeof(struct batman_packet),
                                new_len - sizeof(struct batman_packet));
@@ -244,6 +244,7 @@ static void rebuild_batman_packet(struct bat_priv *bat_priv,
 void schedule_own_packet(struct hard_iface *hard_iface)
 {
        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+        struct hard_iface *primary_if;
        unsigned long send_time;
        struct batman_packet *batman_packet;
        int vis_server;
@@ -253,6 +254,7 @@ void schedule_own_packet(struct hard_iface *hard_iface)
                return;
        vis_server = atomic_read(&bat_priv->vis_mode);
+        primary_if = primary_if_get_selected(bat_priv);
        /**
         * the interface gets activated here to avoid race conditions between
@@ -264,9 +266,9 @@ void schedule_own_packet(struct hard_iface *hard_iface)
        if (hard_iface->if_status == IF_TO_BE_ACTIVATED)
                hard_iface->if_status = IF_ACTIVE;
-        /* if local hna has changed and interface is a primary interface */
+        /* if local tt has changed and interface is a primary interface */
-        if ((atomic_read(&bat_priv->hna_local_changed)) &&
+        if ((atomic_read(&bat_priv->tt_local_changed)) &&
-            (hard_iface == bat_priv->primary_if))
+            (hard_iface == primary_if))
                rebuild_batman_packet(bat_priv, hard_iface);
        /**
@@ -284,7 +286,7 @@ void schedule_own_packet(struct hard_iface *hard_iface)
        else
                batman_packet->flags &= ~VIS_SERVER;
-        if ((hard_iface == bat_priv->primary_if) &&
+        if ((hard_iface == primary_if) &&
            (atomic_read(&bat_priv->gw_mode) == GW_MODE_SERVER))
                batman_packet->gw_flags =
                                (uint8_t)atomic_read(&bat_priv->gw_bandwidth);
@@ -299,15 +301,19 @@ void schedule_own_packet(struct hard_iface *hard_iface)
                               hard_iface->packet_buff,
                               hard_iface->packet_len,
                               hard_iface, 1, send_time);
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
 void schedule_forward_packet(struct orig_node *orig_node,
                             struct ethhdr *ethhdr,
                             struct batman_packet *batman_packet,
-                             uint8_t directlink, int hna_buff_len,
+                             uint8_t directlink, int tt_buff_len,
                             struct hard_iface *if_incoming)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
+        struct neigh_node *router;
        unsigned char in_tq, in_ttl, tq_avg = 0;
        unsigned long send_time;
@@ -316,6 +322,8 @@ void schedule_forward_packet(struct orig_node *orig_node,
                return;
        }
+        router = orig_node_get_router(orig_node);
        in_tq = batman_packet->tq;
        in_ttl = batman_packet->ttl;
@@ -324,20 +332,22 @@ void schedule_forward_packet(struct orig_node *orig_node,
        /* rebroadcast tq of our best ranking neighbor to ensure the rebroadcast
         * of our best tq value */
-        if ((orig_node->router) && (orig_node->router->tq_avg != 0)) {
+        if (router && router->tq_avg != 0) {
                /* rebroadcast ogm of best ranking neighbor as is */
-                if (!compare_eth(orig_node->router->addr, ethhdr->h_source)) {
+                if (!compare_eth(router->addr, ethhdr->h_source)) {
-                        batman_packet->tq = orig_node->router->tq_avg;
+                        batman_packet->tq = router->tq_avg;
-                        if (orig_node->router->last_ttl)
+                        if (router->last_ttl)
-                                batman_packet->ttl = orig_node->router->last_ttl
+                                batman_packet->ttl = router->last_ttl - 1;
-                                                        - 1;
                }
-                tq_avg = orig_node->router->tq_avg;
+                tq_avg = router->tq_avg;
        }
+        if (router)
+                neigh_node_free_ref(router);
        /* apply hop penalty */
        batman_packet->tq = hop_penalty(batman_packet->tq, bat_priv);
@@ -359,7 +369,7 @@ void schedule_forward_packet(struct orig_node *orig_node,
        send_time = forward_send_time();
        add_bat_packet_to_list(bat_priv,
                               (unsigned char *)batman_packet,
-                               sizeof(struct batman_packet) + hna_buff_len,
+                               sizeof(struct batman_packet) + tt_buff_len,
                               if_incoming, 0, send_time);
 }
@@ -367,6 +377,8 @@ static void forw_packet_free(struct forw_packet *forw_packet)
 {
        if (forw_packet->skb)
                kfree_skb(forw_packet->skb);
+        if (forw_packet->if_incoming)
+                hardif_free_ref(forw_packet->if_incoming);
        kfree(forw_packet);
 }
@@ -388,7 +400,6 @@ static void _add_bcast_packet_to_list(struct bat_priv *bat_priv,
                           send_time);
 }
-#define atomic_dec_not_zero(v)          atomic_add_unless((v), -1, 0)
 /* add a broadcast packet to the queue and setup timers. broadcast packets
 * are sent multiple times to increase probability for beeing received.
 *
@@ -399,6 +410,7 @@ static void _add_bcast_packet_to_list(struct bat_priv *bat_priv,
 * skb is freed. */
 int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb)
 {
+        struct hard_iface *primary_if = NULL;
        struct forw_packet *forw_packet;
        struct bcast_packet *bcast_packet;
@@ -407,8 +419,9 @@ int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb)
                goto out;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                goto out;
+        if (!primary_if)
+                goto out_and_inc;
        forw_packet = kmalloc(sizeof(struct forw_packet), GFP_ATOMIC);
@@ -426,7 +439,7 @@ int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb)
        skb_reset_mac_header(skb);
        forw_packet->skb = skb;
-        forw_packet->if_incoming = bat_priv->primary_if;
+        forw_packet->if_incoming = primary_if;
        /* how often did we send the bcast packet ? */
        forw_packet->num_packets = 0;
@@ -439,6 +452,8 @@ packet_free:
 out_and_inc:
        atomic_inc(&bat_priv->bcast_queue_left);
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return NETDEV_TX_BUSY;
 }
@@ -526,6 +541,7 @@ void purge_outstanding_packets(struct bat_priv *bat_priv,
 {
        struct forw_packet *forw_packet;
        struct hlist_node *tmp_node, *safe_tmp_node;
+        bool pending;
        if (hard_iface)
                bat_dbg(DBG_BATMAN, bat_priv,
@@ -554,8 +570,13 @@ void purge_outstanding_packets(struct bat_priv *bat_priv,
                 * send_outstanding_bcast_packet() will lock the list to
                 * delete the item from the list
                 */
-                cancel_delayed_work_sync(&forw_packet->delayed_work);
+                pending = cancel_delayed_work_sync(&forw_packet->delayed_work);
                spin_lock_bh(&bat_priv->forw_bcast_list_lock);
+                if (pending) {
+                        hlist_del(&forw_packet->list);
+                        forw_packet_free(forw_packet);
+                }
        }
        spin_unlock_bh(&bat_priv->forw_bcast_list_lock);
@@ -578,8 +599,13 @@ void purge_outstanding_packets(struct bat_priv *bat_priv,
                 * send_outstanding_bat_packet() will lock the list to
                 * delete the item from the list
                 */
-                cancel_delayed_work_sync(&forw_packet->delayed_work);
+                pending = cancel_delayed_work_sync(&forw_packet->delayed_work);
                spin_lock_bh(&bat_priv->forw_bat_list_lock);
+                if (pending) {
+                        hlist_del(&forw_packet->list);
+                        forw_packet_free(forw_packet);
+                }
        }
        spin_unlock_bh(&bat_priv->forw_bat_list_lock);
 }
diff --git a/net/batman-adv/send.h b/net/batman-adv/send.h
index 7b2ff19c05e7..247172d71e4b 100644
--- a/net/batman-adv/send.h
+++ b/net/batman-adv/send.h
@@ -29,7 +29,7 @@ void schedule_own_packet(struct hard_iface *hard_iface);
 void schedule_forward_packet(struct orig_node *orig_node,
                             struct ethhdr *ethhdr,
                             struct batman_packet *batman_packet,
-                             uint8_t directlink, int hna_buff_len,
+                             uint8_t directlink, int tt_buff_len,
                             struct hard_iface *if_outgoing);
 int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb);
 void send_outstanding_bat_packet(struct work_struct *work);
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 824e1f6e50f2..d5aa60999e83 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -43,8 +43,6 @@ static void bat_get_drvinfo(struct net_device *dev,
 static u32 bat_get_msglevel(struct net_device *dev);
 static void bat_set_msglevel(struct net_device *dev, u32 value);
 static u32 bat_get_link(struct net_device *dev);
-static u32 bat_get_rx_csum(struct net_device *dev);
-static int bat_set_rx_csum(struct net_device *dev, u32 data);
 static const struct ethtool_ops bat_ethtool_ops = {
        .get_settings = bat_get_settings,
@@ -52,8 +50,6 @@ static const struct ethtool_ops bat_ethtool_ops = {
        .get_msglevel = bat_get_msglevel,
        .set_msglevel = bat_set_msglevel,
        .get_link = bat_get_link,
-        .get_rx_csum = bat_get_rx_csum,
-        .set_rx_csum = bat_set_rx_csum
 };
 int my_skb_head_push(struct sk_buff *skb, unsigned int len)
@@ -76,120 +72,371 @@ int my_skb_head_push(struct sk_buff *skb, unsigned int len)
        return 0;
 }
-static void softif_neigh_free_rcu(struct rcu_head *rcu)
-{
-        struct softif_neigh *softif_neigh;
-        softif_neigh = container_of(rcu, struct softif_neigh, rcu);
-        kfree(softif_neigh);
-}
 static void softif_neigh_free_ref(struct softif_neigh *softif_neigh)
 {
        if (atomic_dec_and_test(&softif_neigh->refcount))
-                call_rcu(&softif_neigh->rcu, softif_neigh_free_rcu);
+                kfree_rcu(softif_neigh, rcu);
 }
-void softif_neigh_purge(struct bat_priv *bat_priv)
+static void softif_neigh_vid_free_rcu(struct rcu_head *rcu)
 {
-        struct softif_neigh *softif_neigh, *softif_neigh_tmp;
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct softif_neigh *softif_neigh;
        struct hlist_node *node, *node_tmp;
+        struct bat_priv *bat_priv;
-        spin_lock_bh(&bat_priv->softif_neigh_lock);
+        softif_neigh_vid = container_of(rcu, struct softif_neigh_vid, rcu);
+        bat_priv = softif_neigh_vid->bat_priv;
+        spin_lock_bh(&bat_priv->softif_neigh_lock);
        hlist_for_each_entry_safe(softif_neigh, node, node_tmp,
-                                  &bat_priv->softif_neigh_list, list) {
+                                  &softif_neigh_vid->softif_neigh_list, list) {
+                hlist_del_rcu(&softif_neigh->list);
+                softif_neigh_free_ref(softif_neigh);
+        }
+        spin_unlock_bh(&bat_priv->softif_neigh_lock);
-                if ((!time_after(jiffies, softif_neigh->last_seen +
+        kfree(softif_neigh_vid);
-                                msecs_to_jiffies(SOFTIF_NEIGH_TIMEOUT))) &&
+}
-                    (atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE))
-                        continue;
-                hlist_del_rcu(&softif_neigh->list);
+static void softif_neigh_vid_free_ref(struct softif_neigh_vid *softif_neigh_vid)
+{
+        if (atomic_dec_and_test(&softif_neigh_vid->refcount))
+                call_rcu(&softif_neigh_vid->rcu, softif_neigh_vid_free_rcu);
+}
-                if (bat_priv->softif_neigh == softif_neigh) {
+static struct softif_neigh_vid *softif_neigh_vid_get(struct bat_priv *bat_priv,
-                        bat_dbg(DBG_ROUTES, bat_priv,
+                                                     short vid)
-                                 "Current mesh exit point '%pM' vanished "
+{
-                                 "(vid: %d).\n",
+        struct softif_neigh_vid *softif_neigh_vid;
-                                 softif_neigh->addr, softif_neigh->vid);
+        struct hlist_node *node;
-                        softif_neigh_tmp = bat_priv->softif_neigh;
-                        bat_priv->softif_neigh = NULL;
-                        softif_neigh_free_ref(softif_neigh_tmp);
-                }
-                softif_neigh_free_ref(softif_neigh);
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(softif_neigh_vid, node,
+                                 &bat_priv->softif_neigh_vids, list) {
+                if (softif_neigh_vid->vid != vid)
+                        continue;
+                if (!atomic_inc_not_zero(&softif_neigh_vid->refcount))
+                        continue;
+                goto out;
        }
-        spin_unlock_bh(&bat_priv->softif_neigh_lock);
+        softif_neigh_vid = kzalloc(sizeof(struct softif_neigh_vid),
+                                   GFP_ATOMIC);
+        if (!softif_neigh_vid)
+                goto out;
+        softif_neigh_vid->vid = vid;
+        softif_neigh_vid->bat_priv = bat_priv;
+        /* initialize with 2 - caller decrements counter by one */
+        atomic_set(&softif_neigh_vid->refcount, 2);
+        INIT_HLIST_HEAD(&softif_neigh_vid->softif_neigh_list);
+        INIT_HLIST_NODE(&softif_neigh_vid->list);
+        spin_lock_bh(&bat_priv->softif_neigh_vid_lock);
+        hlist_add_head_rcu(&softif_neigh_vid->list,
+                           &bat_priv->softif_neigh_vids);
+        spin_unlock_bh(&bat_priv->softif_neigh_vid_lock);
+out:
+        rcu_read_unlock();
+        return softif_neigh_vid;
 }
 static struct softif_neigh *softif_neigh_get(struct bat_priv *bat_priv,
                                             uint8_t *addr, short vid)
 {
-        struct softif_neigh *softif_neigh;
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct softif_neigh *softif_neigh = NULL;
        struct hlist_node *node;
+        softif_neigh_vid = softif_neigh_vid_get(bat_priv, vid);
+        if (!softif_neigh_vid)
+                goto out;
        rcu_read_lock();
        hlist_for_each_entry_rcu(softif_neigh, node,
-                                 &bat_priv->softif_neigh_list, list) {
+                                 &softif_neigh_vid->softif_neigh_list,
+                                 list) {
                if (!compare_eth(softif_neigh->addr, addr))
                        continue;
-                if (softif_neigh->vid != vid)
-                        continue;
                if (!atomic_inc_not_zero(&softif_neigh->refcount))
                        continue;
                softif_neigh->last_seen = jiffies;
-                goto out;
+                goto unlock;
        }
        softif_neigh = kzalloc(sizeof(struct softif_neigh), GFP_ATOMIC);
        if (!softif_neigh)
-                goto out;
+                goto unlock;
        memcpy(softif_neigh->addr, addr, ETH_ALEN);
-        softif_neigh->vid = vid;
        softif_neigh->last_seen = jiffies;
        /* initialize with 2 - caller decrements counter by one */
        atomic_set(&softif_neigh->refcount, 2);
        INIT_HLIST_NODE(&softif_neigh->list);
        spin_lock_bh(&bat_priv->softif_neigh_lock);
-        hlist_add_head_rcu(&softif_neigh->list, &bat_priv->softif_neigh_list);
+        hlist_add_head_rcu(&softif_neigh->list,
+                           &softif_neigh_vid->softif_neigh_list);
        spin_unlock_bh(&bat_priv->softif_neigh_lock);
+unlock:
+        rcu_read_unlock();
 out:
+        if (softif_neigh_vid)
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+        return softif_neigh;
+}
+static struct softif_neigh *softif_neigh_get_selected(
+                                struct softif_neigh_vid *softif_neigh_vid)
+{
+        struct softif_neigh *softif_neigh;
+        rcu_read_lock();
+        softif_neigh = rcu_dereference(softif_neigh_vid->softif_neigh);
+        if (softif_neigh && !atomic_inc_not_zero(&softif_neigh->refcount))
+                softif_neigh = NULL;
        rcu_read_unlock();
        return softif_neigh;
 }
+static struct softif_neigh *softif_neigh_vid_get_selected(
+                                                struct bat_priv *bat_priv,
+                                                short vid)
+{
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct softif_neigh *softif_neigh = NULL;
+        softif_neigh_vid = softif_neigh_vid_get(bat_priv, vid);
+        if (!softif_neigh_vid)
+                goto out;
+        softif_neigh = softif_neigh_get_selected(softif_neigh_vid);
+out:
+        if (softif_neigh_vid)
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+        return softif_neigh;
+}
+static void softif_neigh_vid_select(struct bat_priv *bat_priv,
+                                    struct softif_neigh *new_neigh,
+                                    short vid)
+{
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct softif_neigh *curr_neigh;
+        softif_neigh_vid = softif_neigh_vid_get(bat_priv, vid);
+        if (!softif_neigh_vid)
+                goto out;
+        spin_lock_bh(&bat_priv->softif_neigh_lock);
+        if (new_neigh && !atomic_inc_not_zero(&new_neigh->refcount))
+                new_neigh = NULL;
+        curr_neigh = softif_neigh_vid->softif_neigh;
+        rcu_assign_pointer(softif_neigh_vid->softif_neigh, new_neigh);
+        if ((curr_neigh) && (!new_neigh))
+                bat_dbg(DBG_ROUTES, bat_priv,
+                        "Removing mesh exit point on vid: %d (prev: %pM).\n",
+                        vid, curr_neigh->addr);
+        else if ((curr_neigh) && (new_neigh))
+                bat_dbg(DBG_ROUTES, bat_priv,
+                        "Changing mesh exit point on vid: %d from %pM "
+                        "to %pM.\n", vid, curr_neigh->addr, new_neigh->addr);
+        else if ((!curr_neigh) && (new_neigh))
+                bat_dbg(DBG_ROUTES, bat_priv,
+                        "Setting mesh exit point on vid: %d to %pM.\n",
+                        vid, new_neigh->addr);
+        if (curr_neigh)
+                softif_neigh_free_ref(curr_neigh);
+        spin_unlock_bh(&bat_priv->softif_neigh_lock);
+out:
+        if (softif_neigh_vid)
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+}
+static void softif_neigh_vid_deselect(struct bat_priv *bat_priv,
+                                      struct softif_neigh_vid *softif_neigh_vid)
+{
+        struct softif_neigh *curr_neigh;
+        struct softif_neigh *softif_neigh = NULL, *softif_neigh_tmp;
+        struct hard_iface *primary_if = NULL;
+        struct hlist_node *node;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
+                goto out;
+        /* find new softif_neigh immediately to avoid temporary loops */
+        rcu_read_lock();
+        curr_neigh = rcu_dereference(softif_neigh_vid->softif_neigh);
+        hlist_for_each_entry_rcu(softif_neigh_tmp, node,
+                                 &softif_neigh_vid->softif_neigh_list,
+                                 list) {
+                if (softif_neigh_tmp == curr_neigh)
+                        continue;
+                /* we got a neighbor but its mac is 'bigger' than ours  */
+                if (memcmp(primary_if->net_dev->dev_addr,
+                           softif_neigh_tmp->addr, ETH_ALEN) < 0)
+                        continue;
+                if (!atomic_inc_not_zero(&softif_neigh_tmp->refcount))
+                        continue;
+                softif_neigh = softif_neigh_tmp;
+                goto unlock;
+        }
+unlock:
+        rcu_read_unlock();
+out:
+        softif_neigh_vid_select(bat_priv, softif_neigh, softif_neigh_vid->vid);
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        if (softif_neigh)
+                softif_neigh_free_ref(softif_neigh);
+}
 int softif_neigh_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
+        struct softif_neigh_vid *softif_neigh_vid;
        struct softif_neigh *softif_neigh;
-        struct hlist_node *node;
+        struct hard_iface *primary_if;
+        struct hlist_node *node, *node_tmp;
+        struct softif_neigh *curr_softif_neigh;
+        int ret = 0, last_seen_secs, last_seen_msecs;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 "please specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
+        }
-        if (!bat_priv->primary_if) {
+        if (primary_if->if_status != IF_ACTIVE) {
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+                ret = seq_printf(seq, "BATMAN mesh %s "
-                               "please specify interfaces to enable it\n",
+                                 "disabled - primary interface not active\n",
-                               net_dev->name);
+                                 net_dev->name);
+                goto out;
        }
        seq_printf(seq, "Softif neighbor list (%s)\n", net_dev->name);
        rcu_read_lock();
-        hlist_for_each_entry_rcu(softif_neigh, node,
+        hlist_for_each_entry_rcu(softif_neigh_vid, node,
-                                 &bat_priv->softif_neigh_list, list)
+                                 &bat_priv->softif_neigh_vids, list) {
-                seq_printf(seq, "%s %pM (vid: %d)\n",
+                seq_printf(seq, "     %-15s %s on vid: %d\n",
-                                bat_priv->softif_neigh == softif_neigh
+                           "Originator", "last-seen", softif_neigh_vid->vid);
-                                ? "=>" : "  ", softif_neigh->addr,
-                                softif_neigh->vid);
+                curr_softif_neigh = softif_neigh_get_selected(softif_neigh_vid);
+                hlist_for_each_entry_rcu(softif_neigh, node_tmp,
+                                         &softif_neigh_vid->softif_neigh_list,
+                                         list) {
+                        last_seen_secs = jiffies_to_msecs(jiffies -
+                                                softif_neigh->last_seen) / 1000;
+                        last_seen_msecs = jiffies_to_msecs(jiffies -
+                                                softif_neigh->last_seen) % 1000;
+                        seq_printf(seq, "%s %pM  %3i.%03is\n",
+                                   curr_softif_neigh == softif_neigh
+                                   ? "=>" : "  ", softif_neigh->addr,
+                                   last_seen_secs, last_seen_msecs);
+                }
+                if (curr_softif_neigh)
+                        softif_neigh_free_ref(curr_softif_neigh);
+                seq_printf(seq, "\n");
+        }
        rcu_read_unlock();
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
+}
+void softif_neigh_purge(struct bat_priv *bat_priv)
+{
+        struct softif_neigh *softif_neigh, *curr_softif_neigh;
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct hlist_node *node, *node_tmp, *node_tmp2;
+        char do_deselect;
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(softif_neigh_vid, node,
+                                 &bat_priv->softif_neigh_vids, list) {
+                if (!atomic_inc_not_zero(&softif_neigh_vid->refcount))
+                        continue;
+                curr_softif_neigh = softif_neigh_get_selected(softif_neigh_vid);
+                do_deselect = 0;
+                spin_lock_bh(&bat_priv->softif_neigh_lock);
+                hlist_for_each_entry_safe(softif_neigh, node_tmp, node_tmp2,
+                                          &softif_neigh_vid->softif_neigh_list,
+                                          list) {
+                        if ((!time_after(jiffies, softif_neigh->last_seen +
+                                msecs_to_jiffies(SOFTIF_NEIGH_TIMEOUT))) &&
+                            (atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE))
+                                continue;
+                        if (curr_softif_neigh == softif_neigh) {
+                                bat_dbg(DBG_ROUTES, bat_priv,
+                                        "Current mesh exit point on vid: %d "
+                                        "'%pM' vanished.\n",
+                                        softif_neigh_vid->vid,
+                                        softif_neigh->addr);
+                                do_deselect = 1;
+                        }
+                        hlist_del_rcu(&softif_neigh->list);
+                        softif_neigh_free_ref(softif_neigh);
+                }
+                spin_unlock_bh(&bat_priv->softif_neigh_lock);
+                /* soft_neigh_vid_deselect() needs to acquire the
+                 * softif_neigh_lock */
+                if (do_deselect)
+                        softif_neigh_vid_deselect(bat_priv, softif_neigh_vid);
+                if (curr_softif_neigh)
+                        softif_neigh_free_ref(curr_softif_neigh);
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+        }
+        rcu_read_unlock();
+        spin_lock_bh(&bat_priv->softif_neigh_vid_lock);
+        hlist_for_each_entry_safe(softif_neigh_vid, node, node_tmp,
+                                  &bat_priv->softif_neigh_vids, list) {
+                if (!hlist_empty(&softif_neigh_vid->softif_neigh_list))
+                        continue;
+                hlist_del_rcu(&softif_neigh_vid->list);
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+        }
+        spin_unlock_bh(&bat_priv->softif_neigh_vid_lock);
 }
 static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
@@ -198,7 +445,9 @@ static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
        struct bat_priv *bat_priv = netdev_priv(dev);
        struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
        struct batman_packet *batman_packet;
-        struct softif_neigh *softif_neigh, *softif_neigh_tmp;
+        struct softif_neigh *softif_neigh = NULL;
+        struct hard_iface *primary_if = NULL;
+        struct softif_neigh *curr_softif_neigh = NULL;
        if (ntohs(ethhdr->h_proto) == ETH_P_8021Q)
                batman_packet = (struct batman_packet *)
@@ -207,63 +456,52 @@ static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
                batman_packet = (struct batman_packet *)(skb->data + ETH_HLEN);
        if (batman_packet->version != COMPAT_VERSION)
-                goto err;
+                goto out;
        if (batman_packet->packet_type != BAT_PACKET)
-                goto err;
+                goto out;
        if (!(batman_packet->flags & PRIMARIES_FIRST_HOP))
-                goto err;
+                goto out;
        if (is_my_mac(batman_packet->orig))
-                goto err;
+                goto out;
        softif_neigh = softif_neigh_get(bat_priv, batman_packet->orig, vid);
        if (!softif_neigh)
-                goto err;
+                goto out;
+        curr_softif_neigh = softif_neigh_vid_get_selected(bat_priv, vid);
+        if (curr_softif_neigh == softif_neigh)
+                goto out;
-        if (bat_priv->softif_neigh == softif_neigh)
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                goto out;
        /* we got a neighbor but its mac is 'bigger' than ours  */
-        if (memcmp(bat_priv->primary_if->net_dev->dev_addr,
+        if (memcmp(primary_if->net_dev->dev_addr,
                   softif_neigh->addr, ETH_ALEN) < 0)
                goto out;
-        /* switch to new 'smallest neighbor' */
-        if ((bat_priv->softif_neigh) &&
-            (memcmp(softif_neigh->addr, bat_priv->softif_neigh->addr,
-                                                        ETH_ALEN) < 0)) {
-                bat_dbg(DBG_ROUTES, bat_priv,
-                        "Changing mesh exit point from %pM (vid: %d) "
-                        "to %pM (vid: %d).\n",
-                         bat_priv->softif_neigh->addr,
-                         bat_priv->softif_neigh->vid,
-                         softif_neigh->addr, softif_neigh->vid);
-                softif_neigh_tmp = bat_priv->softif_neigh;
-                bat_priv->softif_neigh = softif_neigh;
-                softif_neigh_free_ref(softif_neigh_tmp);
-                /* we need to hold the additional reference */
-                goto err;
-        }
        /* close own batX device and use softif_neigh as exit node */
-        if ((!bat_priv->softif_neigh) &&
+        if (!curr_softif_neigh) {
-            (memcmp(softif_neigh->addr,
+                softif_neigh_vid_select(bat_priv, softif_neigh, vid);
-                    bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN) < 0)) {
+                goto out;
-                bat_dbg(DBG_ROUTES, bat_priv,
-                        "Setting mesh exit point to %pM (vid: %d).\n",
-                        softif_neigh->addr, softif_neigh->vid);
-                bat_priv->softif_neigh = softif_neigh;
-                /* we need to hold the additional reference */
-                goto err;
        }
+        /* switch to new 'smallest neighbor' */
+        if (memcmp(softif_neigh->addr, curr_softif_neigh->addr, ETH_ALEN) < 0)
+                softif_neigh_vid_select(bat_priv, softif_neigh, vid);
 out:
-        softif_neigh_free_ref(softif_neigh);
-err:
        kfree_skb(skb);
+        if (softif_neigh)
+                softif_neigh_free_ref(softif_neigh);
+        if (curr_softif_neigh)
+                softif_neigh_free_ref(curr_softif_neigh);
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return;
 }
@@ -293,11 +531,11 @@ static int interface_set_mac_addr(struct net_device *dev, void *p)
        if (!is_valid_ether_addr(addr->sa_data))
                return -EADDRNOTAVAIL;
-        /* only modify hna-table if it has been initialised before */
+        /* only modify transtable if it has been initialised before */
        if (atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE) {
-                hna_local_remove(bat_priv, dev->dev_addr,
+                tt_local_remove(bat_priv, dev->dev_addr,
                                 "mac address changed");
-                hna_local_add(dev, addr->sa_data);
+                tt_local_add(dev, addr->sa_data);
        }
        memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
@@ -319,8 +557,10 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
 {
        struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
        struct bat_priv *bat_priv = netdev_priv(soft_iface);
+        struct hard_iface *primary_if = NULL;
        struct bcast_packet *bcast_packet;
        struct vlan_ethhdr *vhdr;
+        struct softif_neigh *curr_softif_neigh = NULL;
        int data_len = skb->len, ret;
        short vid = -1;
        bool do_bcast = false;
@@ -348,11 +588,12 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
         * if we have a another chosen mesh exit node in range
         * it will transport the packets to the mesh
         */
-        if ((bat_priv->softif_neigh) && (bat_priv->softif_neigh->vid == vid))
+        curr_softif_neigh = softif_neigh_vid_get_selected(bat_priv, vid);
+        if (curr_softif_neigh)
                goto dropped;
        /* TODO: check this for locks */
-        hna_local_add(soft_iface, ethhdr->h_source);
+        tt_local_add(soft_iface, ethhdr->h_source);
        if (is_multicast_ether_addr(ethhdr->h_dest)) {
                ret = gw_is_target(bat_priv, skb);
@@ -366,7 +607,8 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
        /* ethernet packet should be broadcasted */
        if (do_bcast) {
-                if (!bat_priv->primary_if)
+                primary_if = primary_if_get_selected(bat_priv);
+                if (!primary_if)
                        goto dropped;
                if (my_skb_head_push(skb, sizeof(struct bcast_packet)) < 0)
@@ -382,7 +624,7 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
                /* hw address of first interface is the orig mac because only
                 * this mac is known throughout the mesh */
                memcpy(bcast_packet->orig,
-                       bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+                       primary_if->net_dev->dev_addr, ETH_ALEN);
                /* set broadcast sequence number */
                bcast_packet->seqno =
@@ -410,6 +652,10 @@ dropped:
 dropped_freed:
        bat_priv->stats.tx_dropped++;
 end:
+        if (curr_softif_neigh)
+                softif_neigh_free_ref(curr_softif_neigh);
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return NETDEV_TX_OK;
 }
@@ -421,6 +667,7 @@ void interface_rx(struct net_device *soft_iface,
        struct unicast_packet *unicast_packet;
        struct ethhdr *ethhdr;
        struct vlan_ethhdr *vhdr;
+        struct softif_neigh *curr_softif_neigh = NULL;
        short vid = -1;
        int ret;
@@ -450,7 +697,8 @@ void interface_rx(struct net_device *soft_iface,
         * if we have a another chosen mesh exit node in range
         * it will transport the packets to the non-mesh network
         */
-        if ((bat_priv->softif_neigh) && (bat_priv->softif_neigh->vid == vid)) {
+        curr_softif_neigh = softif_neigh_vid_get_selected(bat_priv, vid);
+        if (curr_softif_neigh) {
                skb_push(skb, hdr_size);
                unicast_packet = (struct unicast_packet *)skb->data;
@@ -461,7 +709,7 @@ void interface_rx(struct net_device *soft_iface,
                skb_reset_mac_header(skb);
                memcpy(unicast_packet->dest,
-                       bat_priv->softif_neigh->addr, ETH_ALEN);
+                       curr_softif_neigh->addr, ETH_ALEN);
                ret = route_unicast_packet(skb, recv_if);
                if (ret == NET_RX_DROP)
                        goto dropped;
@@ -486,11 +734,13 @@ void interface_rx(struct net_device *soft_iface,
        soft_iface->last_rx = jiffies;
        netif_rx(skb);
-        return;
+        goto out;
 dropped:
        kfree_skb(skb);
 out:
+        if (curr_softif_neigh)
+                softif_neigh_free_ref(curr_softif_neigh);
        return;
 }
@@ -524,14 +774,15 @@ static void interface_setup(struct net_device *dev)
        dev->hard_start_xmit = interface_tx;
 #endif
        dev->destructor = free_netdev;
+        dev->tx_queue_len = 0;
        /**
         * can't call min_mtu, because the needed variables
         * have not been initialized yet
         */
        dev->mtu = ETH_DATA_LEN;
-        dev->hard_header_len = BAT_HEADER_LEN; /* reserve more space in the
+        /* reserve more space in the skbuff for our header */
-                                                * skbuff for our header */
+        dev->hard_header_len = BAT_HEADER_LEN;
        /* generate random address */
        random_ether_addr(dev_addr);
@@ -556,7 +807,7 @@ struct net_device *softif_create(char *name)
                goto out;
        }
-        ret = register_netdev(soft_iface);
+        ret = register_netdevice(soft_iface);
        if (ret < 0) {
                pr_err("Unable to register the batman interface '%s': %i\n",
                       name, ret);
@@ -580,11 +831,10 @@ struct net_device *softif_create(char *name)
        atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
        atomic_set(&bat_priv->bcast_seqno, 1);
-        atomic_set(&bat_priv->hna_local_changed, 0);
+        atomic_set(&bat_priv->tt_local_changed, 0);
        bat_priv->primary_if = NULL;
        bat_priv->num_ifaces = 0;
-        bat_priv->softif_neigh = NULL;
        ret = sysfs_add_meshif(soft_iface);
        if (ret < 0)
@@ -640,7 +890,7 @@ static int bat_get_settings(struct net_device *dev, struct ethtool_cmd *cmd)
 {
        cmd->supported = 0;
        cmd->advertising = 0;
-        cmd->speed = SPEED_10;
+        ethtool_cmd_speed_set(cmd, SPEED_10);
        cmd->duplex = DUPLEX_FULL;
        cmd->port = PORT_TP;
        cmd->phy_address = 0;
@@ -675,12 +925,3 @@ static u32 bat_get_link(struct net_device *dev)
        return 1;
 }
-static u32 bat_get_rx_csum(struct net_device *dev)
-{
-        return 0;
-}
-static int bat_set_rx_csum(struct net_device *dev, u32 data)
-{
-        return -EOPNOTSUPP;
-}
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 8d15b48d1692..7b729660cbfd 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -22,43 +22,44 @@
 #include "main.h"
 #include "translation-table.h"
 #include "soft-interface.h"
+#include "hard-interface.h"
 #include "hash.h"
 #include "originator.h"
-static void hna_local_purge(struct work_struct *work);
+static void tt_local_purge(struct work_struct *work);
-static void _hna_global_del_orig(struct bat_priv *bat_priv,
+static void _tt_global_del_orig(struct bat_priv *bat_priv,
-                                 struct hna_global_entry *hna_global_entry,
+                                 struct tt_global_entry *tt_global_entry,
                                 char *message);
 /* returns 1 if they are the same mac addr */
-static int compare_lhna(struct hlist_node *node, void *data2)
+static int compare_ltt(struct hlist_node *node, void *data2)
 {
-        void *data1 = container_of(node, struct hna_local_entry, hash_entry);
+        void *data1 = container_of(node, struct tt_local_entry, hash_entry);
        return (memcmp(data1, data2, ETH_ALEN) == 0 ? 1 : 0);
 }
 /* returns 1 if they are the same mac addr */
-static int compare_ghna(struct hlist_node *node, void *data2)
+static int compare_gtt(struct hlist_node *node, void *data2)
 {
-        void *data1 = container_of(node, struct hna_global_entry, hash_entry);
+        void *data1 = container_of(node, struct tt_global_entry, hash_entry);
        return (memcmp(data1, data2, ETH_ALEN) == 0 ? 1 : 0);
 }
-static void hna_local_start_timer(struct bat_priv *bat_priv)
+static void tt_local_start_timer(struct bat_priv *bat_priv)
 {
-        INIT_DELAYED_WORK(&bat_priv->hna_work, hna_local_purge);
+        INIT_DELAYED_WORK(&bat_priv->tt_work, tt_local_purge);
-        queue_delayed_work(bat_event_workqueue, &bat_priv->hna_work, 10 * HZ);
+        queue_delayed_work(bat_event_workqueue, &bat_priv->tt_work, 10 * HZ);
 }
-static struct hna_local_entry *hna_local_hash_find(struct bat_priv *bat_priv,
+static struct tt_local_entry *tt_local_hash_find(struct bat_priv *bat_priv,
                                                   void *data)
 {
-        struct hashtable_t *hash = bat_priv->hna_local_hash;
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
        struct hlist_head *head;
        struct hlist_node *node;
-        struct hna_local_entry *hna_local_entry, *hna_local_entry_tmp = NULL;
+        struct tt_local_entry *tt_local_entry, *tt_local_entry_tmp = NULL;
        int index;
        if (!hash)
@@ -68,26 +69,26 @@ static struct hna_local_entry *hna_local_hash_find(struct bat_priv *bat_priv,
        head = &hash->table[index];
        rcu_read_lock();
-        hlist_for_each_entry_rcu(hna_local_entry, node, head, hash_entry) {
+        hlist_for_each_entry_rcu(tt_local_entry, node, head, hash_entry) {
-                if (!compare_eth(hna_local_entry, data))
+                if (!compare_eth(tt_local_entry, data))
                        continue;
-                hna_local_entry_tmp = hna_local_entry;
+                tt_local_entry_tmp = tt_local_entry;
                break;
        }
        rcu_read_unlock();
-        return hna_local_entry_tmp;
+        return tt_local_entry_tmp;
 }
-static struct hna_global_entry *hna_global_hash_find(struct bat_priv *bat_priv,
+static struct tt_global_entry *tt_global_hash_find(struct bat_priv *bat_priv,
                                                     void *data)
 {
-        struct hashtable_t *hash = bat_priv->hna_global_hash;
+        struct hashtable_t *hash = bat_priv->tt_global_hash;
        struct hlist_head *head;
        struct hlist_node *node;
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
-        struct hna_global_entry *hna_global_entry_tmp = NULL;
+        struct tt_global_entry *tt_global_entry_tmp = NULL;
        int index;
        if (!hash)
@@ -97,125 +98,125 @@ static struct hna_global_entry *hna_global_hash_find(struct bat_priv *bat_priv,
        head = &hash->table[index];
        rcu_read_lock();
-        hlist_for_each_entry_rcu(hna_global_entry, node, head, hash_entry) {
+        hlist_for_each_entry_rcu(tt_global_entry, node, head, hash_entry) {
-                if (!compare_eth(hna_global_entry, data))
+                if (!compare_eth(tt_global_entry, data))
                        continue;
-                hna_global_entry_tmp = hna_global_entry;
+                tt_global_entry_tmp = tt_global_entry;
                break;
        }
        rcu_read_unlock();
-        return hna_global_entry_tmp;
+        return tt_global_entry_tmp;
 }
-int hna_local_init(struct bat_priv *bat_priv)
+int tt_local_init(struct bat_priv *bat_priv)
 {
-        if (bat_priv->hna_local_hash)
+        if (bat_priv->tt_local_hash)
                return 1;
-        bat_priv->hna_local_hash = hash_new(1024);
+        bat_priv->tt_local_hash = hash_new(1024);
-        if (!bat_priv->hna_local_hash)
+        if (!bat_priv->tt_local_hash)
                return 0;
-        atomic_set(&bat_priv->hna_local_changed, 0);
+        atomic_set(&bat_priv->tt_local_changed, 0);
-        hna_local_start_timer(bat_priv);
+        tt_local_start_timer(bat_priv);
        return 1;
 }
-void hna_local_add(struct net_device *soft_iface, uint8_t *addr)
+void tt_local_add(struct net_device *soft_iface, uint8_t *addr)
 {
        struct bat_priv *bat_priv = netdev_priv(soft_iface);
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
        int required_bytes;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
-        hna_local_entry = hna_local_hash_find(bat_priv, addr);
+        tt_local_entry = tt_local_hash_find(bat_priv, addr);
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
-        if (hna_local_entry) {
+        if (tt_local_entry) {
-                hna_local_entry->last_seen = jiffies;
+                tt_local_entry->last_seen = jiffies;
                return;
        }
        /* only announce as many hosts as possible in the batman-packet and
-           space in batman_packet->num_hna That also should give a limit to
+           space in batman_packet->num_tt That also should give a limit to
           MAC-flooding. */
-        required_bytes = (bat_priv->num_local_hna + 1) * ETH_ALEN;
+        required_bytes = (bat_priv->num_local_tt + 1) * ETH_ALEN;
        required_bytes += BAT_PACKET_LEN;
        if ((required_bytes > ETH_DATA_LEN) ||
            (atomic_read(&bat_priv->aggregated_ogms) &&
             required_bytes > MAX_AGGREGATION_BYTES) ||
-            (bat_priv->num_local_hna + 1 > 255)) {
+            (bat_priv->num_local_tt + 1 > 255)) {
                bat_dbg(DBG_ROUTES, bat_priv,
-                        "Can't add new local hna entry (%pM): "
+                        "Can't add new local tt entry (%pM): "
-                        "number of local hna entries exceeds packet size\n",
+                        "number of local tt entries exceeds packet size\n",
                        addr);
                return;
        }
        bat_dbg(DBG_ROUTES, bat_priv,
-                "Creating new local hna entry: %pM\n", addr);
+                "Creating new local tt entry: %pM\n", addr);
-        hna_local_entry = kmalloc(sizeof(struct hna_local_entry), GFP_ATOMIC);
+        tt_local_entry = kmalloc(sizeof(struct tt_local_entry), GFP_ATOMIC);
-        if (!hna_local_entry)
+        if (!tt_local_entry)
                return;
-        memcpy(hna_local_entry->addr, addr, ETH_ALEN);
+        memcpy(tt_local_entry->addr, addr, ETH_ALEN);
-        hna_local_entry->last_seen = jiffies;
+        tt_local_entry->last_seen = jiffies;
        /* the batman interface mac address should never be purged */
        if (compare_eth(addr, soft_iface->dev_addr))
-                hna_local_entry->never_purge = 1;
+                tt_local_entry->never_purge = 1;
        else
-                hna_local_entry->never_purge = 0;
+                tt_local_entry->never_purge = 0;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
-        hash_add(bat_priv->hna_local_hash, compare_lhna, choose_orig,
+        hash_add(bat_priv->tt_local_hash, compare_ltt, choose_orig,
-                 hna_local_entry, &hna_local_entry->hash_entry);
+                 tt_local_entry, &tt_local_entry->hash_entry);
-        bat_priv->num_local_hna++;
+        bat_priv->num_local_tt++;
-        atomic_set(&bat_priv->hna_local_changed, 1);
+        atomic_set(&bat_priv->tt_local_changed, 1);
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
        /* remove address from global hash if present */
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
-        hna_global_entry = hna_global_hash_find(bat_priv, addr);
+        tt_global_entry = tt_global_hash_find(bat_priv, addr);
-        if (hna_global_entry)
+        if (tt_global_entry)
-                _hna_global_del_orig(bat_priv, hna_global_entry,
+                _tt_global_del_orig(bat_priv, tt_global_entry,
-                                     "local hna received");
+                                     "local tt received");
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
 }
-int hna_local_fill_buffer(struct bat_priv *bat_priv,
+int tt_local_fill_buffer(struct bat_priv *bat_priv,
                          unsigned char *buff, int buff_len)
 {
-        struct hashtable_t *hash = bat_priv->hna_local_hash;
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
        struct hlist_node *node;
        struct hlist_head *head;
        int i, count = 0;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
                rcu_read_lock();
-                hlist_for_each_entry_rcu(hna_local_entry, node,
+                hlist_for_each_entry_rcu(tt_local_entry, node,
                                         head, hash_entry) {
                        if (buff_len < (count + 1) * ETH_ALEN)
                                break;
-                        memcpy(buff + (count * ETH_ALEN), hna_local_entry->addr,
+                        memcpy(buff + (count * ETH_ALEN), tt_local_entry->addr,
                               ETH_ALEN);
                        count++;
@@ -223,37 +224,47 @@ int hna_local_fill_buffer(struct bat_priv *bat_priv,
                rcu_read_unlock();
        }
-        /* if we did not get all new local hnas see you next time  ;-) */
+        /* if we did not get all new local tts see you next time  ;-) */
-        if (count == bat_priv->num_local_hna)
+        if (count == bat_priv->num_local_tt)
-                atomic_set(&bat_priv->hna_local_changed, 0);
+                atomic_set(&bat_priv->tt_local_changed, 0);
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
        return count;
 }
-int hna_local_seq_print_text(struct seq_file *seq, void *offset)
+int tt_local_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
-        struct hashtable_t *hash = bat_priv->hna_local_hash;
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
+        struct hard_iface *primary_if;
        struct hlist_node *node;
        struct hlist_head *head;
        size_t buf_size, pos;
        char *buff;
-        int i;
+        int i, ret = 0;
-        if (!bat_priv->primary_if) {
+        primary_if = primary_if_get_selected(bat_priv);
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+        if (!primary_if) {
-                               "please specify interfaces to enable it\n",
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
-                               net_dev->name);
+                                 "please specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
+        }
+        if (primary_if->if_status != IF_ACTIVE) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 "primary interface not active\n",
+                                 net_dev->name);
+                goto out;
        }
        seq_printf(seq, "Locally retrieved addresses (from %s) "
-                   "announced via HNA:\n",
+                   "announced via TT:\n",
                   net_dev->name);
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        buf_size = 1;
        /* Estimate length for: " * xx:xx:xx:xx:xx:xx\n" */
@@ -268,8 +279,9 @@ int hna_local_seq_print_text(struct seq_file *seq, void *offset)
        buff = kmalloc(buf_size, GFP_ATOMIC);
        if (!buff) {
-                spin_unlock_bh(&bat_priv->hna_lhash_lock);
+                spin_unlock_bh(&bat_priv->tt_lhash_lock);
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
        }
        buff[0] = '\0';
@@ -279,211 +291,225 @@ int hna_local_seq_print_text(struct seq_file *seq, void *offset)
                head = &hash->table[i];
                rcu_read_lock();
-                hlist_for_each_entry_rcu(hna_local_entry, node,
+                hlist_for_each_entry_rcu(tt_local_entry, node,
                                         head, hash_entry) {
                        pos += snprintf(buff + pos, 22, " * %pM\n",
-                                        hna_local_entry->addr);
+                                        tt_local_entry->addr);
                }
                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
        seq_printf(seq, "%s", buff);
        kfree(buff);
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
-static void _hna_local_del(struct hlist_node *node, void *arg)
+static void _tt_local_del(struct hlist_node *node, void *arg)
 {
        struct bat_priv *bat_priv = (struct bat_priv *)arg;
-        void *data = container_of(node, struct hna_local_entry, hash_entry);
+        void *data = container_of(node, struct tt_local_entry, hash_entry);
        kfree(data);
-        bat_priv->num_local_hna--;
+        bat_priv->num_local_tt--;
-        atomic_set(&bat_priv->hna_local_changed, 1);
+        atomic_set(&bat_priv->tt_local_changed, 1);
 }
-static void hna_local_del(struct bat_priv *bat_priv,
+static void tt_local_del(struct bat_priv *bat_priv,
-                          struct hna_local_entry *hna_local_entry,
+                          struct tt_local_entry *tt_local_entry,
                          char *message)
 {
-        bat_dbg(DBG_ROUTES, bat_priv, "Deleting local hna entry (%pM): %s\n",
+        bat_dbg(DBG_ROUTES, bat_priv, "Deleting local tt entry (%pM): %s\n",
-                hna_local_entry->addr, message);
+                tt_local_entry->addr, message);
-        hash_remove(bat_priv->hna_local_hash, compare_lhna, choose_orig,
+        hash_remove(bat_priv->tt_local_hash, compare_ltt, choose_orig,
-                    hna_local_entry->addr);
+                    tt_local_entry->addr);
-        _hna_local_del(&hna_local_entry->hash_entry, bat_priv);
+        _tt_local_del(&tt_local_entry->hash_entry, bat_priv);
 }
-void hna_local_remove(struct bat_priv *bat_priv,
+void tt_local_remove(struct bat_priv *bat_priv,
                      uint8_t *addr, char *message)
 {
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
-        hna_local_entry = hna_local_hash_find(bat_priv, addr);
+        tt_local_entry = tt_local_hash_find(bat_priv, addr);
-        if (hna_local_entry)
+        if (tt_local_entry)
-                hna_local_del(bat_priv, hna_local_entry, message);
+                tt_local_del(bat_priv, tt_local_entry, message);
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
 }
-static void hna_local_purge(struct work_struct *work)
+static void tt_local_purge(struct work_struct *work)
 {
        struct delayed_work *delayed_work =
                container_of(work, struct delayed_work, work);
        struct bat_priv *bat_priv =
-                container_of(delayed_work, struct bat_priv, hna_work);
+                container_of(delayed_work, struct bat_priv, tt_work);
-        struct hashtable_t *hash = bat_priv->hna_local_hash;
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
        struct hlist_node *node, *node_tmp;
        struct hlist_head *head;
        unsigned long timeout;
        int i;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry_safe(hna_local_entry, node, node_tmp,
+                hlist_for_each_entry_safe(tt_local_entry, node, node_tmp,
                                          head, hash_entry) {
-                        if (hna_local_entry->never_purge)
+                        if (tt_local_entry->never_purge)
                                continue;
-                        timeout = hna_local_entry->last_seen;
+                        timeout = tt_local_entry->last_seen;
-                        timeout += LOCAL_HNA_TIMEOUT * HZ;
+                        timeout += TT_LOCAL_TIMEOUT * HZ;
                        if (time_before(jiffies, timeout))
                                continue;
-                        hna_local_del(bat_priv, hna_local_entry,
+                        tt_local_del(bat_priv, tt_local_entry,
                                      "address timed out");
                }
        }
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
-        hna_local_start_timer(bat_priv);
+        tt_local_start_timer(bat_priv);
 }
-void hna_local_free(struct bat_priv *bat_priv)
+void tt_local_free(struct bat_priv *bat_priv)
 {
-        if (!bat_priv->hna_local_hash)
+        if (!bat_priv->tt_local_hash)
                return;
-        cancel_delayed_work_sync(&bat_priv->hna_work);
+        cancel_delayed_work_sync(&bat_priv->tt_work);
-        hash_delete(bat_priv->hna_local_hash, _hna_local_del, bat_priv);
+        hash_delete(bat_priv->tt_local_hash, _tt_local_del, bat_priv);
-        bat_priv->hna_local_hash = NULL;
+        bat_priv->tt_local_hash = NULL;
 }
-int hna_global_init(struct bat_priv *bat_priv)
+int tt_global_init(struct bat_priv *bat_priv)
 {
-        if (bat_priv->hna_global_hash)
+        if (bat_priv->tt_global_hash)
                return 1;
-        bat_priv->hna_global_hash = hash_new(1024);
+        bat_priv->tt_global_hash = hash_new(1024);
-        if (!bat_priv->hna_global_hash)
+        if (!bat_priv->tt_global_hash)
                return 0;
        return 1;
 }
-void hna_global_add_orig(struct bat_priv *bat_priv,
+void tt_global_add_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node,
-                         unsigned char *hna_buff, int hna_buff_len)
+                         unsigned char *tt_buff, int tt_buff_len)
 {
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        int hna_buff_count = 0;
+        int tt_buff_count = 0;
-        unsigned char *hna_ptr;
+        unsigned char *tt_ptr;
-        while ((hna_buff_count + 1) * ETH_ALEN <= hna_buff_len) {
+        while ((tt_buff_count + 1) * ETH_ALEN <= tt_buff_len) {
-                spin_lock_bh(&bat_priv->hna_ghash_lock);
+                spin_lock_bh(&bat_priv->tt_ghash_lock);
-                hna_ptr = hna_buff + (hna_buff_count * ETH_ALEN);
+                tt_ptr = tt_buff + (tt_buff_count * ETH_ALEN);
-                hna_global_entry = hna_global_hash_find(bat_priv, hna_ptr);
+                tt_global_entry = tt_global_hash_find(bat_priv, tt_ptr);
-                if (!hna_global_entry) {
+                if (!tt_global_entry) {
-                        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+                        spin_unlock_bh(&bat_priv->tt_ghash_lock);
-                        hna_global_entry =
+                        tt_global_entry =
-                                kmalloc(sizeof(struct hna_global_entry),
+                                kmalloc(sizeof(struct tt_global_entry),
                                        GFP_ATOMIC);
-                        if (!hna_global_entry)
+                        if (!tt_global_entry)
                                break;
-                        memcpy(hna_global_entry->addr, hna_ptr, ETH_ALEN);
+                        memcpy(tt_global_entry->addr, tt_ptr, ETH_ALEN);
                        bat_dbg(DBG_ROUTES, bat_priv,
-                                "Creating new global hna entry: "
+                                "Creating new global tt entry: "
                                "%pM (via %pM)\n",
-                                hna_global_entry->addr, orig_node->orig);
+                                tt_global_entry->addr, orig_node->orig);
-                        spin_lock_bh(&bat_priv->hna_ghash_lock);
+                        spin_lock_bh(&bat_priv->tt_ghash_lock);
-                        hash_add(bat_priv->hna_global_hash, compare_ghna,
+                        hash_add(bat_priv->tt_global_hash, compare_gtt,
-                                 choose_orig, hna_global_entry,
+                                 choose_orig, tt_global_entry,
-                                 &hna_global_entry->hash_entry);
+                                 &tt_global_entry->hash_entry);
                }
-                hna_global_entry->orig_node = orig_node;
+                tt_global_entry->orig_node = orig_node;
-                spin_unlock_bh(&bat_priv->hna_ghash_lock);
+                spin_unlock_bh(&bat_priv->tt_ghash_lock);
                /* remove address from local hash if present */
-                spin_lock_bh(&bat_priv->hna_lhash_lock);
+                spin_lock_bh(&bat_priv->tt_lhash_lock);
-                hna_ptr = hna_buff + (hna_buff_count * ETH_ALEN);
+                tt_ptr = tt_buff + (tt_buff_count * ETH_ALEN);
-                hna_local_entry = hna_local_hash_find(bat_priv, hna_ptr);
+                tt_local_entry = tt_local_hash_find(bat_priv, tt_ptr);
-                if (hna_local_entry)
+                if (tt_local_entry)
-                        hna_local_del(bat_priv, hna_local_entry,
+                        tt_local_del(bat_priv, tt_local_entry,
-                                      "global hna received");
+                                      "global tt received");
-                spin_unlock_bh(&bat_priv->hna_lhash_lock);
+                spin_unlock_bh(&bat_priv->tt_lhash_lock);
-                hna_buff_count++;
+                tt_buff_count++;
        }
        /* initialize, and overwrite if malloc succeeds */
-        orig_node->hna_buff = NULL;
+        orig_node->tt_buff = NULL;
-        orig_node->hna_buff_len = 0;
+        orig_node->tt_buff_len = 0;
-        if (hna_buff_len > 0) {
+        if (tt_buff_len > 0) {
-                orig_node->hna_buff = kmalloc(hna_buff_len, GFP_ATOMIC);
+                orig_node->tt_buff = kmalloc(tt_buff_len, GFP_ATOMIC);
-                if (orig_node->hna_buff) {
+                if (orig_node->tt_buff) {
-                        memcpy(orig_node->hna_buff, hna_buff, hna_buff_len);
+                        memcpy(orig_node->tt_buff, tt_buff, tt_buff_len);
-                        orig_node->hna_buff_len = hna_buff_len;
+                        orig_node->tt_buff_len = tt_buff_len;
                }
        }
 }
-int hna_global_seq_print_text(struct seq_file *seq, void *offset)
+int tt_global_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
-        struct hashtable_t *hash = bat_priv->hna_global_hash;
+        struct hashtable_t *hash = bat_priv->tt_global_hash;
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
+        struct hard_iface *primary_if;
        struct hlist_node *node;
        struct hlist_head *head;
        size_t buf_size, pos;
        char *buff;
-        int i;
+        int i, ret = 0;
-        if (!bat_priv->primary_if) {
+        primary_if = primary_if_get_selected(bat_priv);
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+        if (!primary_if) {
-                                  "please specify interfaces to enable it\n",
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - please "
-                                  net_dev->name);
+                                 "specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
        }
-        seq_printf(seq, "Globally announced HNAs received via the mesh %s\n",
+        if (primary_if->if_status != IF_ACTIVE) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 "primary interface not active\n",
+                                 net_dev->name);
+                goto out;
+        }
+        seq_printf(seq,
+                   "Globally announced TT entries received via the mesh %s\n",
                   net_dev->name);
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
        buf_size = 1;
        /* Estimate length for: " * xx:xx:xx:xx:xx:xx via xx:xx:xx:xx:xx:xx\n"*/
@@ -498,8 +524,9 @@ int hna_global_seq_print_text(struct seq_file *seq, void *offset)
        buff = kmalloc(buf_size, GFP_ATOMIC);
        if (!buff) {
-                spin_unlock_bh(&bat_priv->hna_ghash_lock);
+                spin_unlock_bh(&bat_priv->tt_ghash_lock);
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
        }
        buff[0] = '\0';
        pos = 0;
@@ -508,101 +535,104 @@ int hna_global_seq_print_text(struct seq_file *seq, void *offset)
                head = &hash->table[i];
                rcu_read_lock();
-                hlist_for_each_entry_rcu(hna_global_entry, node,
+                hlist_for_each_entry_rcu(tt_global_entry, node,
                                         head, hash_entry) {
                        pos += snprintf(buff + pos, 44,
                                        " * %pM via %pM\n",
-                                        hna_global_entry->addr,
+                                        tt_global_entry->addr,
-                                        hna_global_entry->orig_node->orig);
+                                        tt_global_entry->orig_node->orig);
                }
                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
        seq_printf(seq, "%s", buff);
        kfree(buff);
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
-static void _hna_global_del_orig(struct bat_priv *bat_priv,
+static void _tt_global_del_orig(struct bat_priv *bat_priv,
-                                 struct hna_global_entry *hna_global_entry,
+                                 struct tt_global_entry *tt_global_entry,
                                 char *message)
 {
        bat_dbg(DBG_ROUTES, bat_priv,
-                "Deleting global hna entry %pM (via %pM): %s\n",
+                "Deleting global tt entry %pM (via %pM): %s\n",
-                hna_global_entry->addr, hna_global_entry->orig_node->orig,
+                tt_global_entry->addr, tt_global_entry->orig_node->orig,
                message);
-        hash_remove(bat_priv->hna_global_hash, compare_ghna, choose_orig,
+        hash_remove(bat_priv->tt_global_hash, compare_gtt, choose_orig,
-                    hna_global_entry->addr);
+                    tt_global_entry->addr);
-        kfree(hna_global_entry);
+        kfree(tt_global_entry);
 }
-void hna_global_del_orig(struct bat_priv *bat_priv,
+void tt_global_del_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node, char *message)
 {
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
-        int hna_buff_count = 0;
+        int tt_buff_count = 0;
-        unsigned char *hna_ptr;
+        unsigned char *tt_ptr;
-        if (orig_node->hna_buff_len == 0)
+        if (orig_node->tt_buff_len == 0)
                return;
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
-        while ((hna_buff_count + 1) * ETH_ALEN <= orig_node->hna_buff_len) {
+        while ((tt_buff_count + 1) * ETH_ALEN <= orig_node->tt_buff_len) {
-                hna_ptr = orig_node->hna_buff + (hna_buff_count * ETH_ALEN);
+                tt_ptr = orig_node->tt_buff + (tt_buff_count * ETH_ALEN);
-                hna_global_entry = hna_global_hash_find(bat_priv, hna_ptr);
+                tt_global_entry = tt_global_hash_find(bat_priv, tt_ptr);
-                if ((hna_global_entry) &&
+                if ((tt_global_entry) &&
-                    (hna_global_entry->orig_node == orig_node))
+                    (tt_global_entry->orig_node == orig_node))
-                        _hna_global_del_orig(bat_priv, hna_global_entry,
+                        _tt_global_del_orig(bat_priv, tt_global_entry,
                                             message);
-                hna_buff_count++;
+                tt_buff_count++;
        }
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
-        orig_node->hna_buff_len = 0;
+        orig_node->tt_buff_len = 0;
-        kfree(orig_node->hna_buff);
+        kfree(orig_node->tt_buff);
-        orig_node->hna_buff = NULL;
+        orig_node->tt_buff = NULL;
 }
-static void hna_global_del(struct hlist_node *node, void *arg)
+static void tt_global_del(struct hlist_node *node, void *arg)
 {
-        void *data = container_of(node, struct hna_global_entry, hash_entry);
+        void *data = container_of(node, struct tt_global_entry, hash_entry);
        kfree(data);
 }
-void hna_global_free(struct bat_priv *bat_priv)
+void tt_global_free(struct bat_priv *bat_priv)
 {
-        if (!bat_priv->hna_global_hash)
+        if (!bat_priv->tt_global_hash)
                return;
-        hash_delete(bat_priv->hna_global_hash, hna_global_del, NULL);
+        hash_delete(bat_priv->tt_global_hash, tt_global_del, NULL);
-        bat_priv->hna_global_hash = NULL;
+        bat_priv->tt_global_hash = NULL;
 }
 struct orig_node *transtable_search(struct bat_priv *bat_priv, uint8_t *addr)
 {
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
        struct orig_node *orig_node = NULL;
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
-        hna_global_entry = hna_global_hash_find(bat_priv, addr);
+        tt_global_entry = tt_global_hash_find(bat_priv, addr);
-        if (!hna_global_entry)
+        if (!tt_global_entry)
                goto out;
-        if (!atomic_inc_not_zero(&hna_global_entry->orig_node->refcount))
+        if (!atomic_inc_not_zero(&tt_global_entry->orig_node->refcount))
                goto out;
-        orig_node = hna_global_entry->orig_node;
+        orig_node = tt_global_entry->orig_node;
 out:
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
        return orig_node;
 }
diff --git a/net/batman-adv/translation-table.h b/net/batman-adv/translation-table.h
index f19931ca1457..46152c38cc95 100644
--- a/net/batman-adv/translation-table.h
+++ b/net/batman-adv/translation-table.h
@@ -22,22 +22,22 @@
 #ifndef _NET_BATMAN_ADV_TRANSLATION_TABLE_H_
 #define _NET_BATMAN_ADV_TRANSLATION_TABLE_H_
-int hna_local_init(struct bat_priv *bat_priv);
+int tt_local_init(struct bat_priv *bat_priv);
-void hna_local_add(struct net_device *soft_iface, uint8_t *addr);
+void tt_local_add(struct net_device *soft_iface, uint8_t *addr);
-void hna_local_remove(struct bat_priv *bat_priv,
+void tt_local_remove(struct bat_priv *bat_priv,
                      uint8_t *addr, char *message);
-int hna_local_fill_buffer(struct bat_priv *bat_priv,
+int tt_local_fill_buffer(struct bat_priv *bat_priv,
                          unsigned char *buff, int buff_len);
-int hna_local_seq_print_text(struct seq_file *seq, void *offset);
+int tt_local_seq_print_text(struct seq_file *seq, void *offset);
-void hna_local_free(struct bat_priv *bat_priv);
+void tt_local_free(struct bat_priv *bat_priv);
-int hna_global_init(struct bat_priv *bat_priv);
+int tt_global_init(struct bat_priv *bat_priv);
-void hna_global_add_orig(struct bat_priv *bat_priv,
+void tt_global_add_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node,
-                         unsigned char *hna_buff, int hna_buff_len);
+                         unsigned char *tt_buff, int tt_buff_len);
-int hna_global_seq_print_text(struct seq_file *seq, void *offset);
+int tt_global_seq_print_text(struct seq_file *seq, void *offset);
-void hna_global_del_orig(struct bat_priv *bat_priv,
+void tt_global_del_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node, char *message);
-void hna_global_free(struct bat_priv *bat_priv);
+void tt_global_free(struct bat_priv *bat_priv);
 struct orig_node *transtable_search(struct bat_priv *bat_priv, uint8_t *addr);
 #endif /* _NET_BATMAN_ADV_TRANSLATION_TABLE_H_ */
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 83445cf0cc9f..fab70e8b16ee 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -67,7 +67,7 @@ struct hard_iface {
 struct orig_node {
        uint8_t orig[ETH_ALEN];
        uint8_t primary_addr[ETH_ALEN];
-        struct neigh_node *router;
+        struct neigh_node __rcu *router; /* rcu protected pointer */
        unsigned long *bcast_own;
        uint8_t *bcast_own_sum;
        unsigned long last_valid;
@@ -75,25 +75,25 @@ struct orig_node {
        unsigned long batman_seqno_reset;
        uint8_t gw_flags;
        uint8_t flags;
-        unsigned char *hna_buff;
+        unsigned char *tt_buff;
-        int16_t hna_buff_len;
+        int16_t tt_buff_len;
        uint32_t last_real_seqno;
        uint8_t last_ttl;
        unsigned long bcast_bits[NUM_WORDS];
        uint32_t last_bcast_seqno;
        struct hlist_head neigh_list;
        struct list_head frag_list;
-        spinlock_t neigh_list_lock; /* protects neighbor list */
+        spinlock_t neigh_list_lock; /* protects neigh_list and router */
        atomic_t refcount;
        struct rcu_head rcu;
        struct hlist_node hash_entry;
        struct bat_priv *bat_priv;
        unsigned long last_frag_packet;
-        spinlock_t ogm_cnt_lock; /* protects: bcast_own, bcast_own_sum,
+        /* ogm_cnt_lock protects: bcast_own, bcast_own_sum,
-                                  * neigh_node->real_bits,
+         * neigh_node->real_bits, neigh_node->real_packet_count */
-                                  * neigh_node->real_packet_count */
+        spinlock_t ogm_cnt_lock;
-        spinlock_t bcast_seqno_lock; /* protects bcast_bits,
+        /* bcast_seqno_lock protects bcast_bits, last_bcast_seqno */
-                                      *  last_bcast_seqno */
+        spinlock_t bcast_seqno_lock;
        atomic_t bond_candidates;
        struct list_head bond_list;
 };
@@ -125,6 +125,7 @@ struct neigh_node {
        struct rcu_head rcu;
        struct orig_node *orig_node;
        struct hard_iface *if_incoming;
+        spinlock_t tq_lock;     /* protects: tq_recv, tq_index */
 };
@@ -145,34 +146,34 @@ struct bat_priv {
        atomic_t bcast_queue_left;
        atomic_t batman_queue_left;
        char num_ifaces;
-        struct hlist_head softif_neigh_list;
-        struct softif_neigh *softif_neigh;
        struct debug_log *debug_log;
-        struct hard_iface *primary_if;
        struct kobject *mesh_obj;
        struct dentry *debug_dir;
        struct hlist_head forw_bat_list;
        struct hlist_head forw_bcast_list;
        struct hlist_head gw_list;
+        struct hlist_head softif_neigh_vids;
        struct list_head vis_send_list;
        struct hashtable_t *orig_hash;
-        struct hashtable_t *hna_local_hash;
+        struct hashtable_t *tt_local_hash;
-        struct hashtable_t *hna_global_hash;
+        struct hashtable_t *tt_global_hash;
        struct hashtable_t *vis_hash;
        spinlock_t forw_bat_list_lock; /* protects forw_bat_list */
        spinlock_t forw_bcast_list_lock; /* protects  */
-        spinlock_t hna_lhash_lock; /* protects hna_local_hash */
+        spinlock_t tt_lhash_lock; /* protects tt_local_hash */
-        spinlock_t hna_ghash_lock; /* protects hna_global_hash */
+        spinlock_t tt_ghash_lock; /* protects tt_global_hash */
        spinlock_t gw_list_lock; /* protects gw_list and curr_gw */
        spinlock_t vis_hash_lock; /* protects vis_hash */
        spinlock_t vis_list_lock; /* protects vis_info::recv_list */
        spinlock_t softif_neigh_lock; /* protects soft-interface neigh list */
-        int16_t num_local_hna;
+        spinlock_t softif_neigh_vid_lock; /* protects soft-interface vid list */
-        atomic_t hna_local_changed;
+        int16_t num_local_tt;
-        struct delayed_work hna_work;
+        atomic_t tt_local_changed;
+        struct delayed_work tt_work;
        struct delayed_work orig_work;
        struct delayed_work vis_work;
        struct gw_node __rcu *curr_gw;  /* rcu protected pointer */
+        struct hard_iface __rcu *primary_if;  /* rcu protected pointer */
        struct vis_info *my_vis_info;
 };
@@ -191,14 +192,14 @@ struct socket_packet {
        struct icmp_packet_rr icmp_packet;
 };
-struct hna_local_entry {
+struct tt_local_entry {
        uint8_t addr[ETH_ALEN];
        unsigned long last_seen;
        char never_purge;
        struct hlist_node hash_entry;
 };
-struct hna_global_entry {
+struct tt_global_entry {
        uint8_t addr[ETH_ALEN];
        struct orig_node *orig_node;
        struct hlist_node hash_entry;
@@ -261,7 +262,7 @@ struct vis_info {
 struct vis_info_entry {
        uint8_t  src[ETH_ALEN];
        uint8_t  dest[ETH_ALEN];
-        uint8_t  quality;       /* quality = 0 means HNA */
+        uint8_t  quality;       /* quality = 0 client */
 } __packed;
 struct recvlist_node {
@@ -269,11 +270,20 @@ struct recvlist_node {
        uint8_t mac[ETH_ALEN];
 };
+struct softif_neigh_vid {
+        struct hlist_node list;
+        struct bat_priv *bat_priv;
+        short vid;
+        atomic_t refcount;
+        struct softif_neigh __rcu *softif_neigh;
+        struct rcu_head rcu;
+        struct hlist_head softif_neigh_list;
+};
 struct softif_neigh {
        struct hlist_node list;
        uint8_t addr[ETH_ALEN];
        unsigned long last_seen;
-        short vid;
        atomic_t refcount;
        struct rcu_head rcu;
 };
diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
index 19f84bd443af..19c3daf34ac6 100644
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -221,15 +221,17 @@ int frag_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
                  struct hard_iface *hard_iface, uint8_t dstaddr[])
 {
        struct unicast_packet tmp_uc, *unicast_packet;
+        struct hard_iface *primary_if;
        struct sk_buff *frag_skb;
        struct unicast_frag_packet *frag1, *frag2;
        int uc_hdr_len = sizeof(struct unicast_packet);
        int ucf_hdr_len = sizeof(struct unicast_frag_packet);
        int data_len = skb->len - uc_hdr_len;
-        int large_tail = 0;
+        int large_tail = 0, ret = NET_RX_DROP;
        uint16_t seqno;
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                goto dropped;
        frag_skb = dev_alloc_skb(data_len - (data_len / 2) + ucf_hdr_len);
@@ -254,7 +256,7 @@ int frag_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
        frag1->version = COMPAT_VERSION;
        frag1->packet_type = BAT_UNICAST_FRAG;
-        memcpy(frag1->orig, bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+        memcpy(frag1->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
        memcpy(frag2, frag1, sizeof(struct unicast_frag_packet));
        if (data_len & 1)
@@ -269,13 +271,17 @@ int frag_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
        send_skb_packet(skb, hard_iface, dstaddr);
        send_skb_packet(frag_skb, hard_iface, dstaddr);
-        return NET_RX_SUCCESS;
+        ret = NET_RX_SUCCESS;
+        goto out;
 drop_frag:
        kfree_skb(frag_skb);
 dropped:
        kfree_skb(skb);
-        return NET_RX_DROP;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
@@ -289,12 +295,12 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
        /* get routing information */
        if (is_multicast_ether_addr(ethhdr->h_dest)) {
-                orig_node = (struct orig_node *)gw_get_selected(bat_priv);
+                orig_node = (struct orig_node *)gw_get_selected_orig(bat_priv);
                if (orig_node)
                        goto find_router;
        }
-        /* check for hna host - increases orig_node refcount */
+        /* check for tt host - increases orig_node refcount */
        orig_node = transtable_search(bat_priv, ethhdr->h_dest);
 find_router:
diff --git a/net/batman-adv/vis.c b/net/batman-adv/vis.c
index f90212f42082..c39f20cc1ba6 100644
--- a/net/batman-adv/vis.c
+++ b/net/batman-adv/vis.c
@@ -194,7 +194,7 @@ static ssize_t vis_data_read_entry(char *buff, struct vis_info_entry *entry,
 {
        /* maximal length: max(4+17+2, 3+17+1+3+2) == 26 */
        if (primary && entry->quality == 0)
-                return sprintf(buff, "HNA %pM, ", entry->dest);
+                return sprintf(buff, "TT %pM, ", entry->dest);
        else if (compare_eth(entry->src, src))
                return sprintf(buff, "TQ %pM %d, ", entry->dest,
                               entry->quality);
@@ -204,6 +204,7 @@ static ssize_t vis_data_read_entry(char *buff, struct vis_info_entry *entry,
 int vis_seq_print_text(struct seq_file *seq, void *offset)
 {
+        struct hard_iface *primary_if;
        struct hlist_node *node;
        struct hlist_head *head;
        struct vis_info *info;
@@ -215,15 +216,18 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
        HLIST_HEAD(vis_if_list);
        struct if_list_entry *entry;
        struct hlist_node *pos, *n;
-        int i, j;
+        int i, j, ret = 0;
        int vis_server = atomic_read(&bat_priv->vis_mode);
        size_t buff_pos, buf_size;
        char *buff;
        int compare;
-        if ((!bat_priv->primary_if) ||
+        primary_if = primary_if_get_selected(bat_priv);
-            (vis_server == VIS_TYPE_CLIENT_UPDATE))
+        if (!primary_if)
-                return 0;
+                goto out;
+        if (vis_server == VIS_TYPE_CLIENT_UPDATE)
+                goto out;
        buf_size = 1;
        /* Estimate length */
@@ -270,7 +274,8 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
        buff = kmalloc(buf_size, GFP_ATOMIC);
        if (!buff) {
                spin_unlock_bh(&bat_priv->vis_hash_lock);
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
        }
        buff[0] = '\0';
        buff_pos = 0;
@@ -328,7 +333,10 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
        seq_printf(seq, "%s", buff);
        kfree(buff);
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 /* add the info packet to the send list, if it was not
@@ -558,6 +566,7 @@ static int find_best_vis_server(struct bat_priv *bat_priv,
                                struct vis_info *info)
 {
        struct hashtable_t *hash = bat_priv->orig_hash;
+        struct neigh_node *router;
        struct hlist_node *node;
        struct hlist_head *head;
        struct orig_node *orig_node;
@@ -571,13 +580,17 @@ static int find_best_vis_server(struct bat_priv *bat_priv,
                rcu_read_lock();
                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
-                        if ((orig_node) && (orig_node->router) &&
+                        router = orig_node_get_router(orig_node);
-                            (orig_node->flags & VIS_SERVER) &&
+                        if (!router)
-                            (orig_node->router->tq_avg > best_tq)) {
+                                continue;
-                                best_tq = orig_node->router->tq_avg;
+                        if ((orig_node->flags & VIS_SERVER) &&
+                            (router->tq_avg > best_tq)) {
+                                best_tq = router->tq_avg;
                                memcpy(packet->target_orig, orig_node->orig,
                                       ETH_ALEN);
                        }
+                        neigh_node_free_ref(router);
                }
                rcu_read_unlock();
        }
@@ -605,11 +618,11 @@ static int generate_vis_packet(struct bat_priv *bat_priv)
        struct hlist_node *node;
        struct hlist_head *head;
        struct orig_node *orig_node;
-        struct neigh_node *neigh_node;
+        struct neigh_node *router;
        struct vis_info *info = (struct vis_info *)bat_priv->my_vis_info;
        struct vis_packet *packet = (struct vis_packet *)info->skb_packet->data;
        struct vis_info_entry *entry;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
        int best_tq = -1, i;
        info->first_seen = jiffies;
@@ -633,59 +646,61 @@ static int generate_vis_packet(struct bat_priv *bat_priv)
                rcu_read_lock();
                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
-                        neigh_node = orig_node->router;
+                        router = orig_node_get_router(orig_node);
+                        if (!router)
-                        if (!neigh_node)
                                continue;
-                        if (!compare_eth(neigh_node->addr, orig_node->orig))
+                        if (!compare_eth(router->addr, orig_node->orig))
-                                continue;
+                                goto next;
-                        if (neigh_node->if_incoming->if_status != IF_ACTIVE)
+                        if (router->if_incoming->if_status != IF_ACTIVE)
-                                continue;
+                                goto next;
-                        if (neigh_node->tq_avg < 1)
+                        if (router->tq_avg < 1)
-                                continue;
+                                goto next;
                        /* fill one entry into buffer. */
                        entry = (struct vis_info_entry *)
                                      skb_put(info->skb_packet, sizeof(*entry));
                        memcpy(entry->src,
-                               neigh_node->if_incoming->net_dev->dev_addr,
+                               router->if_incoming->net_dev->dev_addr,
                               ETH_ALEN);
                        memcpy(entry->dest, orig_node->orig, ETH_ALEN);
-                        entry->quality = neigh_node->tq_avg;
+                        entry->quality = router->tq_avg;
                        packet->entries++;
+next:
+                        neigh_node_free_ref(router);
                        if (vis_packet_full(info))
                                goto unlock;
                }
                rcu_read_unlock();
        }
-        hash = bat_priv->hna_local_hash;
+        hash = bat_priv->tt_local_hash;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(hna_local_entry, node, head, hash_entry) {
+                hlist_for_each_entry(tt_local_entry, node, head, hash_entry) {
                        entry = (struct vis_info_entry *)
                                        skb_put(info->skb_packet,
                                                sizeof(*entry));
                        memset(entry->src, 0, ETH_ALEN);
-                        memcpy(entry->dest, hna_local_entry->addr, ETH_ALEN);
+                        memcpy(entry->dest, tt_local_entry->addr, ETH_ALEN);
-                        entry->quality = 0; /* 0 means HNA */
+                        entry->quality = 0; /* 0 means TT */
                        packet->entries++;
                        if (vis_packet_full(info)) {
-                                spin_unlock_bh(&bat_priv->hna_lhash_lock);
+                                spin_unlock_bh(&bat_priv->tt_lhash_lock);
                                return 0;
                        }
                }
        }
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
        return 0;
 unlock:
@@ -725,6 +740,7 @@ static void purge_vis_packets(struct bat_priv *bat_priv)
 static void broadcast_vis_packet(struct bat_priv *bat_priv,
                                 struct vis_info *info)
 {
+        struct neigh_node *router;
        struct hashtable_t *hash = bat_priv->orig_hash;
        struct hlist_node *node;
        struct hlist_head *head;
@@ -745,19 +761,26 @@ static void broadcast_vis_packet(struct bat_priv *bat_priv,
                rcu_read_lock();
                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
                        /* if it's a vis server and reachable, send it. */
-                        if ((!orig_node) || (!orig_node->router))
-                                continue;
                        if (!(orig_node->flags & VIS_SERVER))
                                continue;
+                        router = orig_node_get_router(orig_node);
+                        if (!router)
+                                continue;
                        /* don't send it if we already received the packet from
-                        * this node. */
+                         * this node. */
                        if (recv_list_is_in(bat_priv, &info->recv_list,
-                                            orig_node->orig))
+                                            orig_node->orig)) {
+                                neigh_node_free_ref(router);
                                continue;
+                        }
                        memcpy(packet->target_orig, orig_node->orig, ETH_ALEN);
-                        hard_iface = orig_node->router->if_incoming;
+                        hard_iface = router->if_incoming;
-                        memcpy(dstaddr, orig_node->router->addr, ETH_ALEN);
+                        memcpy(dstaddr, router->addr, ETH_ALEN);
+                        neigh_node_free_ref(router);
                        skb = skb_clone(info->skb_packet, GFP_ATOMIC);
                        if (skb)
@@ -772,60 +795,48 @@ static void unicast_vis_packet(struct bat_priv *bat_priv,
                               struct vis_info *info)
 {
        struct orig_node *orig_node;
-        struct neigh_node *neigh_node = NULL;
+        struct neigh_node *router = NULL;
        struct sk_buff *skb;
        struct vis_packet *packet;
        packet = (struct vis_packet *)info->skb_packet->data;
-        rcu_read_lock();
        orig_node = orig_hash_find(bat_priv, packet->target_orig);
        if (!orig_node)
-                goto unlock;
+                goto out;
-        neigh_node = orig_node->router;
-        if (!neigh_node)
+        router = orig_node_get_router(orig_node);
-                goto unlock;
+        if (!router)
+                goto out;
-        if (!atomic_inc_not_zero(&neigh_node->refcount)) {
-                neigh_node = NULL;
-                goto unlock;
-        }
-        rcu_read_unlock();
        skb = skb_clone(info->skb_packet, GFP_ATOMIC);
        if (skb)
-                send_skb_packet(skb, neigh_node->if_incoming,
+                send_skb_packet(skb, router->if_incoming, router->addr);
-                                neigh_node->addr);
-        goto out;
-unlock:
-        rcu_read_unlock();
 out:
-        if (neigh_node)
+        if (router)
-                neigh_node_free_ref(neigh_node);
+                neigh_node_free_ref(router);
        if (orig_node)
                orig_node_free_ref(orig_node);
-        return;
 }
 /* only send one vis packet. called from send_vis_packets() */
 static void send_vis_packet(struct bat_priv *bat_priv, struct vis_info *info)
 {
+        struct hard_iface *primary_if;
        struct vis_packet *packet;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
+                goto out;
        packet = (struct vis_packet *)info->skb_packet->data;
        if (packet->ttl < 2) {
                pr_debug("Error - can't send vis packet: ttl exceeded\n");
-                return;
+                goto out;
        }
-        memcpy(packet->sender_orig, bat_priv->primary_if->net_dev->dev_addr,
+        memcpy(packet->sender_orig, primary_if->net_dev->dev_addr, ETH_ALEN);
-               ETH_ALEN);
        packet->ttl--;
        if (is_broadcast_ether_addr(packet->target_orig))
@@ -833,6 +844,10 @@ static void send_vis_packet(struct bat_priv *bat_priv, struct vis_info *info)
        else
                unicast_vis_packet(bat_priv, info);
        packet->ttl++; /* restore TTL */
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
 /* called from timer; send (and maybe generate) vis packet. */
@@ -859,8 +874,7 @@ static void send_vis_packets(struct work_struct *work)
                kref_get(&info->refcount);
                spin_unlock_bh(&bat_priv->vis_hash_lock);
-                if (bat_priv->primary_if)
+                send_vis_packet(bat_priv, info);
-                        send_vis_packet(bat_priv, info);
                spin_lock_bh(&bat_priv->vis_hash_lock);
                send_list_del(info);
diff --git a/net/bluetooth/bnep/bnep.h b/net/bluetooth/bnep/bnep.h
index 70672544db86..8e6c06158f8e 100644
--- a/net/bluetooth/bnep/bnep.h
+++ b/net/bluetooth/bnep/bnep.h
@@ -23,88 +23,88 @@
 #include <linux/crc32.h>
 #include <net/bluetooth/bluetooth.h>
-// Limits
+/* Limits */
-#define BNEP_MAX_PROTO_FILTERS     5
+#define BNEP_MAX_PROTO_FILTERS          5
-#define BNEP_MAX_MULTICAST_FILTERS 20
+#define BNEP_MAX_MULTICAST_FILTERS      20
-// UUIDs
+/* UUIDs */
-#define BNEP_BASE_UUID 0x0000000000001000800000805F9B34FB
+#define BNEP_BASE_UUID  0x0000000000001000800000805F9B34FB
-#define BNEP_UUID16    0x02
+#define BNEP_UUID16     0x02
-#define BNEP_UUID32    0x04
+#define BNEP_UUID32     0x04
-#define BNEP_UUID128   0x16
+#define BNEP_UUID128    0x16
-#define BNEP_SVC_PANU  0x1115
+#define BNEP_SVC_PANU   0x1115
-#define BNEP_SVC_NAP   0x1116
+#define BNEP_SVC_NAP    0x1116
-#define BNEP_SVC_GN    0x1117
+#define BNEP_SVC_GN     0x1117
-// Packet types
+/* Packet types */
-#define BNEP_GENERAL               0x00
+#define BNEP_GENERAL                    0x00
-#define BNEP_CONTROL               0x01
+#define BNEP_CONTROL                    0x01
-#define BNEP_COMPRESSED            0x02
+#define BNEP_COMPRESSED                 0x02
-#define BNEP_COMPRESSED_SRC_ONLY   0x03
+#define BNEP_COMPRESSED_SRC_ONLY        0x03
-#define BNEP_COMPRESSED_DST_ONLY   0x04
+#define BNEP_COMPRESSED_DST_ONLY        0x04
-// Control types
+/* Control types */
-#define BNEP_CMD_NOT_UNDERSTOOD    0x00
+#define BNEP_CMD_NOT_UNDERSTOOD         0x00
-#define BNEP_SETUP_CONN_REQ        0x01
+#define BNEP_SETUP_CONN_REQ             0x01
-#define BNEP_SETUP_CONN_RSP        0x02
+#define BNEP_SETUP_CONN_RSP             0x02
-#define BNEP_FILTER_NET_TYPE_SET   0x03
+#define BNEP_FILTER_NET_TYPE_SET        0x03
-#define BNEP_FILTER_NET_TYPE_RSP   0x04
+#define BNEP_FILTER_NET_TYPE_RSP        0x04
-#define BNEP_FILTER_MULTI_ADDR_SET 0x05
+#define BNEP_FILTER_MULTI_ADDR_SET      0x05
-#define BNEP_FILTER_MULTI_ADDR_RSP 0x06
+#define BNEP_FILTER_MULTI_ADDR_RSP      0x06
-// Extension types
+/* Extension types */
-#define BNEP_EXT_CONTROL           0x00
+#define BNEP_EXT_CONTROL 0x00
-// Response messages
+/* Response messages */
-#define BNEP_SUCCESS               0x00
+#define BNEP_SUCCESS 0x00
-#define BNEP_CONN_INVALID_DST      0x01
+#define BNEP_CONN_INVALID_DST 0x01
-#define BNEP_CONN_INVALID_SRC      0x02
+#define BNEP_CONN_INVALID_SRC 0x02
-#define BNEP_CONN_INVALID_SVC      0x03
+#define BNEP_CONN_INVALID_SVC 0x03
-#define BNEP_CONN_NOT_ALLOWED      0x04
+#define BNEP_CONN_NOT_ALLOWED 0x04
-#define BNEP_FILTER_UNSUPPORTED_REQ    0x01
+#define BNEP_FILTER_UNSUPPORTED_REQ     0x01
-#define BNEP_FILTER_INVALID_RANGE      0x02
+#define BNEP_FILTER_INVALID_RANGE       0x02
-#define BNEP_FILTER_INVALID_MCADDR     0x02
+#define BNEP_FILTER_INVALID_MCADDR      0x02
-#define BNEP_FILTER_LIMIT_REACHED      0x03
+#define BNEP_FILTER_LIMIT_REACHED       0x03
-#define BNEP_FILTER_DENIED_SECURITY    0x04
+#define BNEP_FILTER_DENIED_SECURITY     0x04
-// L2CAP settings
+/* L2CAP settings */
-#define BNEP_MTU         1691
+#define BNEP_MTU        1691
-#define BNEP_PSM         0x0f
+#define BNEP_PSM        0x0f
-#define BNEP_FLUSH_TO    0xffff
+#define BNEP_FLUSH_TO   0xffff
-#define BNEP_CONNECT_TO  15
+#define BNEP_CONNECT_TO 15
-#define BNEP_FILTER_TO   15
+#define BNEP_FILTER_TO  15
-// Headers
+/* Headers */
-#define BNEP_TYPE_MASK   0x7f
+#define BNEP_TYPE_MASK  0x7f
-#define BNEP_EXT_HEADER  0x80
+#define BNEP_EXT_HEADER 0x80
 struct bnep_setup_conn_req {
-        __u8  type;
+        __u8 type;
-        __u8  ctrl;
+        __u8 ctrl;
-        __u8  uuid_size;
+        __u8 uuid_size;
-        __u8  service[0];
+        __u8 service[0];
 } __packed;
 struct bnep_set_filter_req {
-        __u8  type;
+        __u8 type;
-        __u8  ctrl;
+        __u8 ctrl;
        __be16 len;
-        __u8  list[0];
+        __u8 list[0];
 } __packed;
 struct bnep_control_rsp {
-        __u8  type;
+        __u8 type;
-        __u8  ctrl;
+        __u8 ctrl;
        __be16 resp;
 } __packed;
 struct bnep_ext_hdr {
-        __u8  type;
+        __u8 type;
-        __u8  len;
+        __u8 len;
-        __u8  data[0];
+        __u8 data[0];
 } __packed;
 /* BNEP ioctl defines */
@@ -114,10 +114,10 @@ struct bnep_ext_hdr {
 #define BNEPGETCONNINFO _IOR('B', 211, int)
 struct bnep_connadd_req {
-        int   sock;       // Connected socket
+        int   sock;             /* Connected socket */
        __u32 flags;
        __u16 role;
-        char  device[16]; // Name of the Ethernet device
+        char  device[16];       /* Name of the Ethernet device */
 };
 struct bnep_conndel_req {
@@ -148,14 +148,14 @@ int bnep_del_connection(struct bnep_conndel_req *req);
 int bnep_get_connlist(struct bnep_connlist_req *req);
 int bnep_get_conninfo(struct bnep_conninfo *ci);
-// BNEP sessions
+/* BNEP sessions */
 struct bnep_session {
        struct list_head list;
        unsigned int  role;
        unsigned long state;
        unsigned long flags;
-        atomic_t      killed;
+        struct task_struct *task;
        struct ethhdr eh;
        struct msghdr msg;
@@ -173,7 +173,7 @@ void bnep_sock_cleanup(void);
 static inline int bnep_mc_hash(__u8 *addr)
 {
-        return (crc32_be(~0, addr, ETH_ALEN) >> 26);
+        return crc32_be(~0, addr, ETH_ALEN) >> 26;
 }
 #endif
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 03d4d1245d58..ca39fcf010ce 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -36,6 +36,7 @@
 #include <linux/errno.h>
 #include <linux/net.h>
 #include <linux/slab.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/socket.h>
@@ -131,7 +132,8 @@ static int bnep_ctrl_set_netfilter(struct bnep_session *s, __be16 *data, int len
                return -EILSEQ;
        n = get_unaligned_be16(data);
-        data++; len -= 2;
+        data++;
+        len -= 2;
        if (len < n)
                return -EILSEQ;
@@ -176,7 +178,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
                return -EILSEQ;
        n = get_unaligned_be16(data);
-        data += 2; len -= 2;
+        data += 2;
+        len -= 2;
        if (len < n)
                return -EILSEQ;
@@ -187,6 +190,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
        n /= (ETH_ALEN * 2);
        if (n > 0) {
+                int i;
                s->mc_filter = 0;
                /* Always send broadcast */
@@ -196,18 +201,22 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
                for (; n > 0; n--) {
                        u8 a1[6], *a2;
-                        memcpy(a1, data, ETH_ALEN); data += ETH_ALEN;
+                        memcpy(a1, data, ETH_ALEN);
-                        a2 = data; data += ETH_ALEN;
+                        data += ETH_ALEN;
+                        a2 = data;
+                        data += ETH_ALEN;
                        BT_DBG("mc filter %s -> %s",
                                batostr((void *) a1), batostr((void *) a2));
-                        #define INCA(a) { int i = 5; while (i >=0 && ++a[i--] == 0); }
                        /* Iterate from a1 to a2 */
                        set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
                        while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) {
-                                INCA(a1);
+                                /* Increment a1 */
+                                i = 5;
+                                while (i >= 0 && ++a1[i--] == 0)
+                                        ;
                                set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
                        }
                }
@@ -227,7 +236,8 @@ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
        u8  cmd = *(u8 *)data;
        int err = 0;
-        data++; len--;
+        data++;
+        len--;
        switch (cmd) {
        case BNEP_CMD_NOT_UNDERSTOOD:
@@ -302,7 +312,6 @@ static u8 __bnep_rx_hlen[] = {
        ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */
        ETH_ALEN + 2  /* BNEP_COMPRESSED_DST_ONLY */
 };
-#define BNEP_RX_TYPES   (sizeof(__bnep_rx_hlen) - 1)
 static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 {
@@ -312,9 +321,10 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
        dev->stats.rx_bytes += skb->len;
-        type = *(u8 *) skb->data; skb_pull(skb, 1);
+        type = *(u8 *) skb->data;
+        skb_pull(skb, 1);
-        if ((type & BNEP_TYPE_MASK) > BNEP_RX_TYPES)
+        if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
                goto badframe;
        if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
@@ -367,14 +377,14 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
        case BNEP_COMPRESSED_DST_ONLY:
                memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb),
-                       ETH_ALEN);
+                                                                ETH_ALEN);
                memcpy(__skb_put(nskb, ETH_ALEN + 2), s->eh.h_source,
-                       ETH_ALEN + 2);
+                                                                ETH_ALEN + 2);
                break;
        case BNEP_GENERAL:
                memcpy(__skb_put(nskb, ETH_ALEN * 2), skb_mac_header(skb),
-                       ETH_ALEN * 2);
+                                                                ETH_ALEN * 2);
                put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2));
                break;
        }
@@ -470,15 +480,14 @@ static int bnep_session(void *arg)
        BT_DBG("");
-        daemonize("kbnepd %s", dev->name);
        set_user_nice(current, -15);
        init_waitqueue_entry(&wait, current);
        add_wait_queue(sk_sleep(sk), &wait);
-        while (!atomic_read(&s->killed)) {
+        while (!kthread_should_stop()) {
                set_current_state(TASK_INTERRUPTIBLE);
-                // RX
+                /* RX */
                while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
                        skb_orphan(skb);
                        bnep_rx_frame(s, skb);
@@ -487,7 +496,7 @@ static int bnep_session(void *arg)
                if (sk->sk_state != BT_CONNECTED)
                        break;
-                // TX
+                /* TX */
                while ((skb = skb_dequeue(&sk->sk_write_queue)))
                        if (bnep_tx_frame(s, skb))
                                break;
@@ -555,8 +564,8 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
        /* session struct allocated as private part of net_device */
        dev = alloc_netdev(sizeof(struct bnep_session),
-                           (*req->device) ? req->device : "bnep%d",
+                                (*req->device) ? req->device : "bnep%d",
-                           bnep_net_setup);
+                                bnep_net_setup);
        if (!dev)
                return -ENOMEM;
@@ -571,7 +580,7 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
        s = netdev_priv(dev);
        /* This is rx header therefore addresses are swapped.
-         * ie eh.h_dest is our local address. */
+         * ie. eh.h_dest is our local address. */
        memcpy(s->eh.h_dest,   &src, ETH_ALEN);
        memcpy(s->eh.h_source, &dst, ETH_ALEN);
        memcpy(dev->dev_addr, s->eh.h_dest, ETH_ALEN);
@@ -597,17 +606,17 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
        SET_NETDEV_DEVTYPE(dev, &bnep_type);
        err = register_netdev(dev);
-        if (err) {
+        if (err)
                goto failed;
-        }
        __bnep_link_session(s);
-        err = kernel_thread(bnep_session, s, CLONE_KERNEL);
+        s->task = kthread_run(bnep_session, s, "kbnepd %s", dev->name);
-        if (err < 0) {
+        if (IS_ERR(s->task)) {
                /* Session thread start failed, gotta cleanup. */
                unregister_netdev(dev);
                __bnep_unlink_session(s);
+                err = PTR_ERR(s->task);
                goto failed;
        }
@@ -631,15 +640,9 @@ int bnep_del_connection(struct bnep_conndel_req *req)
        down_read(&bnep_session_sem);
        s = __bnep_get_session(req->dst);
-        if (s) {
+        if (s)
-                /* Wakeup user-space which is polling for socket errors.
+                kthread_stop(s->task);
-                 * This is temporary hack until we have shutdown in L2CAP */
+        else
-                s->sock->sk->sk_err = EUNATCH;
-                /* Kill session thread */
-                atomic_inc(&s->killed);
-                wake_up_interruptible(sk_sleep(s->sock->sk));
-        } else
                err = -ENOENT;
        up_read(&bnep_session_sem);
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index d935da71ab3b..17800b1d28ea 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -39,10 +39,10 @@
 #include <linux/init.h>
 #include <linux/compat.h>
 #include <linux/gfp.h>
+#include <linux/uaccess.h>
 #include <net/sock.h>
 #include <asm/system.h>
-#include <asm/uaccess.h>
 #include "bnep.h"
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 67cff810c77d..744233cba244 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -35,6 +35,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/wait.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/isdn/capilli.h>
@@ -143,7 +144,7 @@ static void cmtp_send_capimsg(struct cmtp_session *session, struct sk_buff *skb)
        skb_queue_tail(&session->transmit, skb);
-        cmtp_schedule(session);
+        wake_up_interruptible(sk_sleep(session->sock->sk));
 }
 static void cmtp_send_interopmsg(struct cmtp_session *session,
@@ -386,8 +387,7 @@ static void cmtp_reset_ctr(struct capi_ctr *ctrl)
        capi_ctr_down(ctrl);
-        atomic_inc(&session->terminate);
+        kthread_stop(session->task);
-        cmtp_schedule(session);
 }
 static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp)
diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index 785e79e953c5..db43b54ac9af 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -37,7 +37,7 @@
 #define CMTP_LOOPBACK   0
 struct cmtp_connadd_req {
-        int   sock;     // Connected socket
+        int   sock;     /* Connected socket */
        __u32 flags;
 };
@@ -81,7 +81,7 @@ struct cmtp_session {
        char name[BTNAMSIZ];
-        atomic_t terminate;
+        struct task_struct *task;
        wait_queue_head_t wait;
@@ -121,13 +121,6 @@ void cmtp_detach_device(struct cmtp_session *session);
 void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb);
-static inline void cmtp_schedule(struct cmtp_session *session)
-{
-        struct sock *sk = session->sock->sk;
-        wake_up_interruptible(sk_sleep(sk));
-}
 /* CMTP init defines */
 int cmtp_init_sockets(void);
 void cmtp_cleanup_sockets(void);
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index 964ea9126f9f..c5b11af908be 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -35,6 +35,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/init.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/isdn/capilli.h>
@@ -235,9 +236,12 @@ static void cmtp_process_transmit(struct cmtp_session *session)
                size = min_t(uint, ((tail < 258) ? (tail - 2) : (tail - 3)), skb->len);
-                if ((scb->id < 0) && ((scb->id = cmtp_alloc_block_id(session)) < 0)) {
+                if (scb->id < 0) {
-                        skb_queue_head(&session->transmit, skb);
+                        scb->id = cmtp_alloc_block_id(session);
-                        break;
+                        if (scb->id < 0) {
+                                skb_queue_head(&session->transmit, skb);
+                                break;
+                        }
                }
                if (size < 256) {
@@ -284,12 +288,11 @@ static int cmtp_session(void *arg)
        BT_DBG("session %p", session);
-        daemonize("kcmtpd_ctr_%d", session->num);
        set_user_nice(current, -15);
        init_waitqueue_entry(&wait, current);
        add_wait_queue(sk_sleep(sk), &wait);
-        while (!atomic_read(&session->terminate)) {
+        while (!kthread_should_stop()) {
                set_current_state(TASK_INTERRUPTIBLE);
                if (sk->sk_state != BT_CONNECTED)
@@ -343,7 +346,8 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
        bacpy(&session->bdaddr, &bt_sk(sock->sk)->dst);
-        session->mtu = min_t(uint, l2cap_pi(sock->sk)->omtu, l2cap_pi(sock->sk)->imtu);
+        session->mtu = min_t(uint, l2cap_pi(sock->sk)->chan->omtu,
+                                        l2cap_pi(sock->sk)->chan->imtu);
        BT_DBG("mtu %d", session->mtu);
@@ -367,9 +371,12 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
        __cmtp_link_session(session);
-        err = kernel_thread(cmtp_session, session, CLONE_KERNEL);
+        session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
-        if (err < 0)
+                                                                session->num);
+        if (IS_ERR(session->task)) {
+                err = PTR_ERR(session->task);
                goto unlink;
+        }
        if (!(session->flags & (1 << CMTP_LOOPBACK))) {
                err = cmtp_attach_device(session);
@@ -406,9 +413,8 @@ int cmtp_del_connection(struct cmtp_conndel_req *req)
                /* Flush the transmit queue */
                skb_queue_purge(&session->transmit);
-                /* Kill session thread */
+                /* Stop session thread */
-                atomic_inc(&session->terminate);
+                kthread_stop(session->task);
-                cmtp_schedule(session);
        } else
                err = -ENOENT;
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index 7ea1979a8e4f..3f2dd5c25ae5 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -34,12 +34,12 @@
 #include <linux/file.h>
 #include <linux/compat.h>
 #include <linux/gfp.h>
+#include <linux/uaccess.h>
 #include <net/sock.h>
 #include <linux/isdn/capilli.h>
 #include <asm/system.h>
-#include <asm/uaccess.h>
 #include "cmtp.h"
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 7a6f56b2f49d..bcd158f40bb9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -269,6 +269,19 @@ static void hci_conn_idle(unsigned long arg)
        hci_conn_enter_sniff_mode(conn);
 }
+static void hci_conn_auto_accept(unsigned long arg)
+{
+        struct hci_conn *conn = (void *) arg;
+        struct hci_dev *hdev = conn->hdev;
+        hci_dev_lock(hdev);
+        hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
+                                                                &conn->dst);
+        hci_dev_unlock(hdev);
+}
 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
 {
        struct hci_conn *conn;
@@ -287,6 +300,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
        conn->auth_type = HCI_AT_GENERAL_BONDING;
        conn->io_capability = hdev->io_capability;
        conn->remote_auth = 0xff;
+        conn->key_type = 0xff;
        conn->power_save = 1;
        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
@@ -311,6 +325,8 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
        setup_timer(&conn->disc_timer, hci_conn_timeout, (unsigned long)conn);
        setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn);
+        setup_timer(&conn->auto_accept_timer, hci_conn_auto_accept,
+                                                        (unsigned long) conn);
        atomic_set(&conn->refcnt, 0);
@@ -341,6 +357,8 @@ int hci_conn_del(struct hci_conn *conn)
        del_timer(&conn->disc_timer);
+        del_timer(&conn->auto_accept_timer);
        if (conn->type == ACL_LINK) {
                struct hci_conn *sco = conn->link;
                if (sco)
@@ -375,6 +393,9 @@ int hci_conn_del(struct hci_conn *conn)
        hci_dev_put(hdev);
+        if (conn->handle == 0)
+                kfree(conn);
        return 0;
 }
@@ -535,36 +556,93 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
        return 0;
 }
+/* Encrypt the the link */
+static void hci_conn_encrypt(struct hci_conn *conn)
+{
+        BT_DBG("conn %p", conn);
+        if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
+                struct hci_cp_set_conn_encrypt cp;
+                cp.handle  = cpu_to_le16(conn->handle);
+                cp.encrypt = 0x01;
+                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
+                                                                        &cp);
+        }
+}
 /* Enable security */
 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
 {
        BT_DBG("conn %p", conn);
+        /* For sdp we don't need the link key. */
        if (sec_level == BT_SECURITY_SDP)
                return 1;
+        /* For non 2.1 devices and low security level we don't need the link
+           key. */
        if (sec_level == BT_SECURITY_LOW &&
                                (!conn->ssp_mode || !conn->hdev->ssp_mode))
                return 1;
-        if (conn->link_mode & HCI_LM_ENCRYPT)
+        /* For other security levels we need the link key. */
-                return hci_conn_auth(conn, sec_level, auth_type);
+        if (!(conn->link_mode & HCI_LM_AUTH))
+                goto auth;
+        /* An authenticated combination key has sufficient security for any
+           security level. */
+        if (conn->key_type == HCI_LK_AUTH_COMBINATION)
+                goto encrypt;
+        /* An unauthenticated combination key has sufficient security for
+           security level 1 and 2. */
+        if (conn->key_type == HCI_LK_UNAUTH_COMBINATION &&
+                        (sec_level == BT_SECURITY_MEDIUM ||
+                        sec_level == BT_SECURITY_LOW))
+                goto encrypt;
+        /* A combination key has always sufficient security for the security
+           levels 1 or 2. High security level requires the combination key
+           is generated using maximum PIN code length (16).
+           For pre 2.1 units. */
+        if (conn->key_type == HCI_LK_COMBINATION &&
+                        (sec_level != BT_SECURITY_HIGH ||
+                        conn->pin_length == 16))
+                goto encrypt;
+auth:
+        if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
+                return 0;
-        if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
+        if (!hci_conn_auth(conn, sec_level, auth_type))
                return 0;
-        if (hci_conn_auth(conn, sec_level, auth_type)) {
+encrypt:
-                struct hci_cp_set_conn_encrypt cp;
+        if (conn->link_mode & HCI_LM_ENCRYPT)
-                cp.handle  = cpu_to_le16(conn->handle);
+                return 1;
-                cp.encrypt = 1;
-                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT,
-                                                        sizeof(cp), &cp);
-        }
+        hci_conn_encrypt(conn);
        return 0;
 }
 EXPORT_SYMBOL(hci_conn_security);
+/* Check secure link requirement */
+int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
+{
+        BT_DBG("conn %p", conn);
+        if (sec_level != BT_SECURITY_HIGH)
+                return 1; /* Accept if non-secure is required */
+        if (conn->key_type == HCI_LK_AUTH_COMBINATION ||
+                        (conn->key_type == HCI_LK_COMBINATION &&
+                        conn->pin_length == 16))
+                return 1;
+        return 0; /* Reject not secure link */
+}
+EXPORT_SYMBOL(hci_conn_check_secure);
 /* Change link key */
 int hci_conn_change_link_key(struct hci_conn *conn)
 {
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index b5a8afc2be33..815269b07f20 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -56,7 +56,6 @@
 static void hci_cmd_task(unsigned long arg);
 static void hci_rx_task(unsigned long arg);
 static void hci_tx_task(unsigned long arg);
-static void hci_notify(struct hci_dev *hdev, int event);
 static DEFINE_RWLOCK(hci_task_lock);
@@ -1021,18 +1020,54 @@ struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
        return NULL;
 }
-int hci_add_link_key(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
+static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
-                                                u8 *val, u8 type, u8 pin_len)
+                                                u8 key_type, u8 old_key_type)
+{
+        /* Legacy key */
+        if (key_type < 0x03)
+                return 1;
+        /* Debug keys are insecure so don't store them persistently */
+        if (key_type == HCI_LK_DEBUG_COMBINATION)
+                return 0;
+        /* Changed combination key and there's no previous one */
+        if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
+                return 0;
+        /* Security mode 3 case */
+        if (!conn)
+                return 1;
+        /* Neither local nor remote side had no-bonding as requirement */
+        if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
+                return 1;
+        /* Local side had dedicated bonding as requirement */
+        if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
+                return 1;
+        /* Remote side had dedicated bonding as requirement */
+        if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
+                return 1;
+        /* If none of the above criteria match, then don't store the key
+         * persistently */
+        return 0;
+}
+int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
+                                bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
 {
        struct link_key *key, *old_key;
-        u8 old_key_type;
+        u8 old_key_type, persistent;
        old_key = hci_find_link_key(hdev, bdaddr);
        if (old_key) {
                old_key_type = old_key->type;
                key = old_key;
        } else {
-                old_key_type = 0xff;
+                old_key_type = conn ? conn->key_type : 0xff;
                key = kzalloc(sizeof(*key), GFP_ATOMIC);
                if (!key)
                        return -ENOMEM;
@@ -1041,16 +1076,37 @@ int hci_add_link_key(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
        BT_DBG("%s key for %s type %u", hdev->name, batostr(bdaddr), type);
+        /* Some buggy controller combinations generate a changed
+         * combination key for legacy pairing even when there's no
+         * previous key */
+        if (type == HCI_LK_CHANGED_COMBINATION &&
+                                        (!conn || conn->remote_auth == 0xff) &&
+                                        old_key_type == 0xff) {
+                type = HCI_LK_COMBINATION;
+                if (conn)
+                        conn->key_type = type;
+        }
        bacpy(&key->bdaddr, bdaddr);
        memcpy(key->val, val, 16);
-        key->type = type;
        key->pin_len = pin_len;
-        if (new_key)
+        if (type == HCI_LK_CHANGED_COMBINATION)
-                mgmt_new_key(hdev->id, key, old_key_type);
-        if (type == 0x06)
                key->type = old_key_type;
+        else
+                key->type = type;
+        if (!new_key)
+                return 0;
+        persistent = hci_persistent_key(hdev, conn, type, old_key_type);
+        mgmt_new_key(hdev->id, key, persistent);
+        if (!persistent) {
+                list_del(&key->list);
+                kfree(key);
+        }
        return 0;
 }
@@ -1082,6 +1138,70 @@ static void hci_cmd_timer(unsigned long arg)
        tasklet_schedule(&hdev->cmd_task);
 }
+struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
+                                                        bdaddr_t *bdaddr)
+{
+        struct oob_data *data;
+        list_for_each_entry(data, &hdev->remote_oob_data, list)
+                if (bacmp(bdaddr, &data->bdaddr) == 0)
+                        return data;
+        return NULL;
+}
+int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
+{
+        struct oob_data *data;
+        data = hci_find_remote_oob_data(hdev, bdaddr);
+        if (!data)
+                return -ENOENT;
+        BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+        list_del(&data->list);
+        kfree(data);
+        return 0;
+}
+int hci_remote_oob_data_clear(struct hci_dev *hdev)
+{
+        struct oob_data *data, *n;
+        list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
+                list_del(&data->list);
+                kfree(data);
+        }
+        return 0;
+}
+int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
+                                                                u8 *randomizer)
+{
+        struct oob_data *data;
+        data = hci_find_remote_oob_data(hdev, bdaddr);
+        if (!data) {
+                data = kmalloc(sizeof(*data), GFP_ATOMIC);
+                if (!data)
+                        return -ENOMEM;
+                bacpy(&data->bdaddr, bdaddr);
+                list_add(&data->list, &hdev->remote_oob_data);
+        }
+        memcpy(data->hash, hash, sizeof(data->hash));
+        memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
+        BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
+        return 0;
+}
 /* Register HCI device */
 int hci_register_dev(struct hci_dev *hdev)
 {
@@ -1146,6 +1266,8 @@ int hci_register_dev(struct hci_dev *hdev)
        INIT_LIST_HEAD(&hdev->link_keys);
+        INIT_LIST_HEAD(&hdev->remote_oob_data);
        INIT_WORK(&hdev->power_on, hci_power_on);
        INIT_WORK(&hdev->power_off, hci_power_off);
        setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
@@ -1225,6 +1347,7 @@ int hci_unregister_dev(struct hci_dev *hdev)
        hci_blacklist_clear(hdev);
        hci_uuids_clear(hdev);
        hci_link_keys_clear(hdev);
+        hci_remote_oob_data_clear(hdev);
        hci_dev_unlock_bh(hdev);
        __hci_dev_put(hdev);
@@ -1274,7 +1397,7 @@ int hci_recv_frame(struct sk_buff *skb)
 EXPORT_SYMBOL(hci_recv_frame);
 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
-                          int count, __u8 index, gfp_t gfp_mask)
+                                                  int count, __u8 index)
 {
        int len = 0;
        int hlen = 0;
@@ -1304,7 +1427,7 @@ static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
                        break;
                }
-                skb = bt_skb_alloc(len, gfp_mask);
+                skb = bt_skb_alloc(len, GFP_ATOMIC);
                if (!skb)
                        return -ENOMEM;
@@ -1390,8 +1513,7 @@ int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
                return -EILSEQ;
        while (count) {
-                rem = hci_reassembly(hdev, type, data, count,
+                rem = hci_reassembly(hdev, type, data, count, type - 1);
-                                                type - 1, GFP_ATOMIC);
                if (rem < 0)
                        return rem;
@@ -1425,8 +1547,8 @@ int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
                } else
                        type = bt_cb(skb)->pkt_type;
-                rem = hci_reassembly(hdev, type, data,
+                rem = hci_reassembly(hdev, type, data, count,
-                                        count, STREAM_REASSEMBLY, GFP_ATOMIC);
+                                                        STREAM_REASSEMBLY);
                if (rem < 0)
                        return rem;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index b2570159a044..77930aa522e3 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -56,7 +56,9 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
        if (status)
                return;
-        clear_bit(HCI_INQUIRY, &hdev->flags);
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
+                mgmt_discovering(hdev->id, 0);
        hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
@@ -72,7 +74,9 @@ static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
        if (status)
                return;
-        clear_bit(HCI_INQUIRY, &hdev->flags);
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
+                mgmt_discovering(hdev->id, 0);
        hci_conn_check_pending(hdev);
 }
@@ -195,14 +199,17 @@ static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
        BT_DBG("%s status 0x%x", hdev->name, status);
-        if (status)
-                return;
        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
        if (!sent)
                return;
-        memcpy(hdev->dev_name, sent, 248);
+        if (test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_set_local_name_complete(hdev->id, sent, status);
+        if (status)
+                return;
+        memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
 }
 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
@@ -214,7 +221,7 @@ static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
        if (rp->status)
                return;
-        memcpy(hdev->dev_name, rp->name, 248);
+        memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
 }
 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
@@ -470,14 +477,16 @@ static void hci_setup_event_mask(struct hci_dev *hdev)
         * command otherwise */
        u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
-        /* Events for 1.2 and newer controllers */
+        /* CSR 1.1 dongles does not accept any bitfield so don't try to set
-        if (hdev->lmp_ver > 1) {
+         * any event mask for pre 1.2 devices */
-                events[4] |= 0x01; /* Flow Specification Complete */
+        if (hdev->lmp_ver <= 1)
-                events[4] |= 0x02; /* Inquiry Result with RSSI */
+                return;
-                events[4] |= 0x04; /* Read Remote Extended Features Complete */
-                events[5] |= 0x08; /* Synchronous Connection Complete */
+        events[4] |= 0x01; /* Flow Specification Complete */
-                events[5] |= 0x10; /* Synchronous Connection Changed */
+        events[4] |= 0x02; /* Inquiry Result with RSSI */
-        }
+        events[4] |= 0x04; /* Read Remote Extended Features Complete */
+        events[5] |= 0x08; /* Synchronous Connection Complete */
+        events[5] |= 0x10; /* Synchronous Connection Changed */
        if (hdev->features[3] & LMP_RSSI_INQ)
                events[4] |= 0x04; /* Inquiry Result with RSSI */
@@ -821,16 +830,31 @@ static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
                                                                rp->status);
 }
+static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
+        BT_DBG("%s status 0x%x", hdev->name, rp->status);
+        mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
+                                                rp->randomizer, rp->status);
+}
 static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 {
        BT_DBG("%s status 0x%x", hdev->name, status);
        if (status) {
                hci_req_complete(hdev, HCI_OP_INQUIRY, status);
                hci_conn_check_pending(hdev);
-        } else
+                return;
-                set_bit(HCI_INQUIRY, &hdev->flags);
+        }
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                        !test_and_set_bit(HCI_INQUIRY,
+                                                        &hdev->flags))
+                mgmt_discovering(hdev->id, 1);
 }
 static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
@@ -999,12 +1023,19 @@ static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
        hci_dev_lock(hdev);
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
-        if (conn && hci_outgoing_auth_needed(hdev, conn)) {
+        if (!conn)
+                goto unlock;
+        if (!hci_outgoing_auth_needed(hdev, conn))
+                goto unlock;
+        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
                struct hci_cp_auth_requested cp;
                cp.handle = __cpu_to_le16(conn->handle);
                hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
        }
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -1194,7 +1225,9 @@ static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff
        BT_DBG("%s status %d", hdev->name, status);
-        clear_bit(HCI_INQUIRY, &hdev->flags);
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
+                mgmt_discovering(hdev->id, 0);
        hci_req_complete(hdev, HCI_OP_INQUIRY, status);
@@ -1214,7 +1247,13 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
        hci_dev_lock(hdev);
-        for (; num_rsp; num_rsp--) {
+        if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
+                if (test_bit(HCI_MGMT, &hdev->flags))
+                        mgmt_discovering(hdev->id, 1);
+        }
+        for (; num_rsp; num_rsp--, info++) {
                bacpy(&data.bdaddr, &info->bdaddr);
                data.pscan_rep_mode     = info->pscan_rep_mode;
                data.pscan_period_mode  = info->pscan_period_mode;
@@ -1223,8 +1262,9 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
                data.clock_offset       = info->clock_offset;
                data.rssi               = 0x00;
                data.ssp_mode           = 0x00;
-                info++;
                hci_inquiry_cache_update(hdev, &data);
+                mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class, 0,
+                                                                        NULL);
        }
        hci_dev_unlock(hdev);
@@ -1402,7 +1442,7 @@ static inline void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff
        conn->state = BT_CLOSED;
-        if (conn->type == ACL_LINK)
+        if (conn->type == ACL_LINK || conn->type == LE_LINK)
                mgmt_disconnected(hdev->id, &conn->dst);
        hci_proto_disconn_cfm(conn, ev->reason);
@@ -1428,7 +1468,6 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
                        conn->sec_level = conn->pending_sec_level;
                } else {
                        mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
-                        conn->sec_level = BT_SECURITY_LOW;
                }
                clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
@@ -1482,13 +1521,23 @@ static inline void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb
        hci_dev_lock(hdev);
+        if (ev->status == 0 && test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_remote_name(hdev->id, &ev->bdaddr, ev->name);
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
-        if (conn && hci_outgoing_auth_needed(hdev, conn)) {
+        if (!conn)
+                goto unlock;
+        if (!hci_outgoing_auth_needed(hdev, conn))
+                goto unlock;
+        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
                struct hci_cp_auth_requested cp;
                cp.handle = __cpu_to_le16(conn->handle);
                hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
        }
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -1751,6 +1800,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
                hci_cc_pin_code_neg_reply(hdev, skb);
                break;
+        case HCI_OP_READ_LOCAL_OOB_DATA:
+                hci_cc_read_local_oob_data_reply(hdev, skb);
+                break;
        case HCI_OP_LE_READ_BUFFER_SIZE:
                hci_cc_le_read_buffer_size(hdev, skb);
                break;
@@ -1984,9 +2037,16 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
        if (!test_bit(HCI_PAIRABLE, &hdev->flags))
                hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
                                        sizeof(ev->bdaddr), &ev->bdaddr);
+        else if (test_bit(HCI_MGMT, &hdev->flags)) {
+                u8 secure;
-        if (test_bit(HCI_MGMT, &hdev->flags))
+                if (conn->pending_sec_level == BT_SECURITY_HIGH)
-                mgmt_pin_code_request(hdev->id, &ev->bdaddr);
+                        secure = 1;
+                else
+                        secure = 0;
+                mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
+        }
        hci_dev_unlock(hdev);
 }
@@ -2015,17 +2075,30 @@ static inline void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff
        BT_DBG("%s found key type %u for %s", hdev->name, key->type,
                                                        batostr(&ev->bdaddr));
-        if (!test_bit(HCI_DEBUG_KEYS, &hdev->flags) && key->type == 0x03) {
+        if (!test_bit(HCI_DEBUG_KEYS, &hdev->flags) &&
+                                key->type == HCI_LK_DEBUG_COMBINATION) {
                BT_DBG("%s ignoring debug key", hdev->name);
                goto not_found;
        }
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+        if (conn) {
+                if (key->type == HCI_LK_UNAUTH_COMBINATION &&
+                                conn->auth_type != 0xff &&
+                                (conn->auth_type & 0x01)) {
+                        BT_DBG("%s ignoring unauthenticated key", hdev->name);
+                        goto not_found;
+                }
-        if (key->type == 0x04 && conn && conn->auth_type != 0xff &&
+                if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
-                                                (conn->auth_type & 0x01)) {
+                                conn->pending_sec_level == BT_SECURITY_HIGH) {
-                BT_DBG("%s ignoring unauthenticated key", hdev->name);
+                        BT_DBG("%s ignoring key unauthenticated for high \
-                goto not_found;
+                                                        security", hdev->name);
+                        goto not_found;
+                }
+                conn->key_type = key->type;
+                conn->pin_length = key->pin_len;
        }
        bacpy(&cp.bdaddr, &ev->bdaddr);
@@ -2057,11 +2130,15 @@ static inline void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff
                hci_conn_hold(conn);
                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
                pin_len = conn->pin_length;
+                if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
+                        conn->key_type = ev->key_type;
                hci_conn_put(conn);
        }
        if (test_bit(HCI_LINK_KEYS, &hdev->flags))
-                hci_add_link_key(hdev, 1, &ev->bdaddr, ev->link_key,
+                hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
                                                        ev->key_type, pin_len);
        hci_dev_unlock(hdev);
@@ -2136,11 +2213,17 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
        hci_dev_lock(hdev);
+        if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
+                if (test_bit(HCI_MGMT, &hdev->flags))
+                        mgmt_discovering(hdev->id, 1);
+        }
        if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
                struct inquiry_info_with_rssi_and_pscan_mode *info;
                info = (void *) (skb->data + 1);
-                for (; num_rsp; num_rsp--) {
+                for (; num_rsp; num_rsp--, info++) {
                        bacpy(&data.bdaddr, &info->bdaddr);
                        data.pscan_rep_mode     = info->pscan_rep_mode;
                        data.pscan_period_mode  = info->pscan_period_mode;
@@ -2149,13 +2232,15 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
                        data.clock_offset       = info->clock_offset;
                        data.rssi               = info->rssi;
                        data.ssp_mode           = 0x00;
-                        info++;
                        hci_inquiry_cache_update(hdev, &data);
+                        mgmt_device_found(hdev->id, &info->bdaddr,
+                                                info->dev_class, info->rssi,
+                                                NULL);
                }
        } else {
                struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
-                for (; num_rsp; num_rsp--) {
+                for (; num_rsp; num_rsp--, info++) {
                        bacpy(&data.bdaddr, &info->bdaddr);
                        data.pscan_rep_mode     = info->pscan_rep_mode;
                        data.pscan_period_mode  = info->pscan_period_mode;
@@ -2164,8 +2249,10 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
                        data.clock_offset       = info->clock_offset;
                        data.rssi               = info->rssi;
                        data.ssp_mode           = 0x00;
-                        info++;
                        hci_inquiry_cache_update(hdev, &data);
+                        mgmt_device_found(hdev->id, &info->bdaddr,
+                                                info->dev_class, info->rssi,
+                                                NULL);
                }
        }
@@ -2294,9 +2381,15 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
        if (!num_rsp)
                return;
+        if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
+                if (test_bit(HCI_MGMT, &hdev->flags))
+                        mgmt_discovering(hdev->id, 1);
+        }
        hci_dev_lock(hdev);
-        for (; num_rsp; num_rsp--) {
+        for (; num_rsp; num_rsp--, info++) {
                bacpy(&data.bdaddr, &info->bdaddr);
                data.pscan_rep_mode     = info->pscan_rep_mode;
                data.pscan_period_mode  = info->pscan_period_mode;
@@ -2305,8 +2398,9 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
                data.clock_offset       = info->clock_offset;
                data.rssi               = info->rssi;
                data.ssp_mode           = 0x01;
-                info++;
                hci_inquiry_cache_update(hdev, &data);
+                mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class,
+                                                info->rssi, info->data);
        }
        hci_dev_unlock(hdev);
@@ -2326,7 +2420,7 @@ static inline u8 hci_get_auth_req(struct hci_conn *conn)
        /* If remote requests no-bonding follow that lead */
        if (conn->remote_auth == 0x00 || conn->remote_auth == 0x01)
-                return 0x00;
+                return conn->remote_auth | (conn->auth_type & 0x01);
        return conn->auth_type;
 }
@@ -2355,8 +2449,14 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
                bacpy(&cp.bdaddr, &ev->bdaddr);
                cp.capability = conn->io_capability;
-                cp.oob_data = 0;
+                conn->auth_type = hci_get_auth_req(conn);
-                cp.authentication = hci_get_auth_req(conn);
+                cp.authentication = conn->auth_type;
+                if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
+                                hci_find_remote_oob_data(hdev, &conn->dst))
+                        cp.oob_data = 0x01;
+                else
+                        cp.oob_data = 0x00;
                hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
                                                        sizeof(cp), &cp);
@@ -2364,7 +2464,7 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
                struct hci_cp_io_capability_neg_reply cp;
                bacpy(&cp.bdaddr, &ev->bdaddr);
-                cp.reason = 0x16; /* Pairing not allowed */
+                cp.reason = 0x18; /* Pairing not allowed */
                hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
                                                        sizeof(cp), &cp);
@@ -2399,14 +2499,67 @@ static inline void hci_user_confirm_request_evt(struct hci_dev *hdev,
                                                        struct sk_buff *skb)
 {
        struct hci_ev_user_confirm_req *ev = (void *) skb->data;
+        int loc_mitm, rem_mitm, confirm_hint = 0;
+        struct hci_conn *conn;
        BT_DBG("%s", hdev->name);
        hci_dev_lock(hdev);
-        if (test_bit(HCI_MGMT, &hdev->flags))
+        if (!test_bit(HCI_MGMT, &hdev->flags))
-                mgmt_user_confirm_request(hdev->id, &ev->bdaddr, ev->passkey);
+                goto unlock;
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+        if (!conn)
+                goto unlock;
+        loc_mitm = (conn->auth_type & 0x01);
+        rem_mitm = (conn->remote_auth & 0x01);
+        /* If we require MITM but the remote device can't provide that
+         * (it has NoInputNoOutput) then reject the confirmation
+         * request. The only exception is when we're dedicated bonding
+         * initiators (connect_cfm_cb set) since then we always have the MITM
+         * bit set. */
+        if (!conn->connect_cfm_cb && loc_mitm && conn->remote_cap == 0x03) {
+                BT_DBG("Rejecting request: remote device can't provide MITM");
+                hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
+                                        sizeof(ev->bdaddr), &ev->bdaddr);
+                goto unlock;
+        }
+        /* If no side requires MITM protection; auto-accept */
+        if ((!loc_mitm || conn->remote_cap == 0x03) &&
+                                (!rem_mitm || conn->io_capability == 0x03)) {
+                /* If we're not the initiators request authorization to
+                 * proceed from user space (mgmt_user_confirm with
+                 * confirm_hint set to 1). */
+                if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
+                        BT_DBG("Confirming auto-accept as acceptor");
+                        confirm_hint = 1;
+                        goto confirm;
+                }
+                BT_DBG("Auto-accept of user confirmation with %ums delay",
+                                                hdev->auto_accept_delay);
+                if (hdev->auto_accept_delay > 0) {
+                        int delay = msecs_to_jiffies(hdev->auto_accept_delay);
+                        mod_timer(&conn->auto_accept_timer, jiffies + delay);
+                        goto unlock;
+                }
+                hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
+                                                sizeof(ev->bdaddr), &ev->bdaddr);
+                goto unlock;
+        }
+confirm:
+        mgmt_user_confirm_request(hdev->id, &ev->bdaddr, ev->passkey,
+                                                                confirm_hint);
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -2453,6 +2606,41 @@ static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_
        hci_dev_unlock(hdev);
 }
+static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
+        struct oob_data *data;
+        BT_DBG("%s", hdev->name);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_MGMT, &hdev->flags))
+                goto unlock;
+        data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
+        if (data) {
+                struct hci_cp_remote_oob_data_reply cp;
+                bacpy(&cp.bdaddr, &ev->bdaddr);
+                memcpy(cp.hash, data->hash, sizeof(cp.hash));
+                memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
+                hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
+                                                                        &cp);
+        } else {
+                struct hci_cp_remote_oob_data_neg_reply cp;
+                bacpy(&cp.bdaddr, &ev->bdaddr);
+                hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
+                                                                        &cp);
+        }
+unlock:
+        hci_dev_unlock(hdev);
+}
 static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
        struct hci_ev_le_conn_complete *ev = (void *) skb->data;
@@ -2473,12 +2661,15 @@ static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff
        }
        if (ev->status) {
+                mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
                hci_proto_connect_cfm(conn, ev->status);
                conn->state = BT_CLOSED;
                hci_conn_del(conn);
                goto unlock;
        }
+        mgmt_connected(hdev->id, &ev->bdaddr);
        conn->handle = __le16_to_cpu(ev->handle);
        conn->state = BT_CONNECTED;
@@ -2655,6 +2846,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
                hci_le_meta_evt(hdev, skb);
                break;
+        case HCI_EV_REMOTE_OOB_DATA_REQUEST:
+                hci_remote_oob_data_request_evt(hdev, skb);
+                break;
        default:
                BT_DBG("%s event 0x%x", hdev->name, event);
                break;
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 3c838a65a75a..a6c3aa8be1f7 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -216,13 +216,13 @@ static ssize_t show_type(struct device *dev, struct device_attribute *attr, char
 static ssize_t show_name(struct device *dev, struct device_attribute *attr, char *buf)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        char name[249];
+        char name[HCI_MAX_NAME_LENGTH + 1];
        int i;
-        for (i = 0; i < 248; i++)
+        for (i = 0; i < HCI_MAX_NAME_LENGTH; i++)
                name[i] = hdev->dev_name[i];
-        name[248] = '\0';
+        name[HCI_MAX_NAME_LENGTH] = '\0';
        return sprintf(buf, "%s\n", name);
 }
@@ -277,10 +277,12 @@ static ssize_t show_idle_timeout(struct device *dev, struct device_attribute *at
 static ssize_t store_idle_timeout(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        unsigned long val;
+        unsigned int val;
+        int rv;
-        if (strict_strtoul(buf, 0, &val) < 0)
+        rv = kstrtouint(buf, 0, &val);
-                return -EINVAL;
+        if (rv < 0)
+                return rv;
        if (val != 0 && (val < 500 || val > 3600000))
                return -EINVAL;
@@ -299,15 +301,14 @@ static ssize_t show_sniff_max_interval(struct device *dev, struct device_attribu
 static ssize_t store_sniff_max_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        unsigned long val;
+        u16 val;
+        int rv;
-        if (strict_strtoul(buf, 0, &val) < 0)
-                return -EINVAL;
-        if (val < 0x0002 || val > 0xFFFE || val % 2)
+        rv = kstrtou16(buf, 0, &val);
-                return -EINVAL;
+        if (rv < 0)
+                return rv;
-        if (val < hdev->sniff_min_interval)
+        if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
                return -EINVAL;
        hdev->sniff_max_interval = val;
@@ -324,15 +325,14 @@ static ssize_t show_sniff_min_interval(struct device *dev, struct device_attribu
 static ssize_t store_sniff_min_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        unsigned long val;
+        u16 val;
+        int rv;
-        if (strict_strtoul(buf, 0, &val) < 0)
+        rv = kstrtou16(buf, 0, &val);
-                return -EINVAL;
+        if (rv < 0)
+                return rv;
-        if (val < 0x0002 || val > 0xFFFE || val % 2)
-                return -EINVAL;
-        if (val > hdev->sniff_max_interval)
+        if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
                return -EINVAL;
        hdev->sniff_min_interval = val;
@@ -511,6 +511,35 @@ static const struct file_operations uuids_fops = {
        .release        = single_release,
 };
+static int auto_accept_delay_set(void *data, u64 val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock_bh(hdev);
+        hdev->auto_accept_delay = val;
+        hci_dev_unlock_bh(hdev);
+        return 0;
+}
+static int auto_accept_delay_get(void *data, u64 *val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock_bh(hdev);
+        *val = hdev->auto_accept_delay;
+        hci_dev_unlock_bh(hdev);
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(auto_accept_delay_fops, auto_accept_delay_get,
+                                        auto_accept_delay_set, "%llu\n");
 int hci_register_sysfs(struct hci_dev *hdev)
 {
        struct device *dev = &hdev->dev;
@@ -545,6 +574,8 @@ int hci_register_sysfs(struct hci_dev *hdev)
        debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
+        debugfs_create_file("auto_accept_delay", 0444, hdev->debugfs, hdev,
+                                                &auto_accept_delay_fops);
        return 0;
 }
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 5ec12971af6b..43b4c2deb7cc 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -37,6 +37,7 @@
 #include <linux/init.h>
 #include <linux/wait.h>
 #include <linux/mutex.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/input.h>
@@ -55,22 +56,24 @@ static DECLARE_RWSEM(hidp_session_sem);
 static LIST_HEAD(hidp_session_list);
 static unsigned char hidp_keycode[256] = {
-          0,  0,  0,  0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 37, 38,
+          0,   0,   0,   0,  30,  48,  46,  32,  18,  33,  34,  35,  23,  36,
-         50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 21, 44,  2,  3,
+         37,  38,  50,  49,  24,  25,  16,  19,  31,  20,  22,  47,  17,  45,
-          4,  5,  6,  7,  8,  9, 10, 11, 28,  1, 14, 15, 57, 12, 13, 26,
+         21,  44,   2,   3,   4,   5,   6,   7,   8,   9,  10,  11,  28,   1,
-         27, 43, 43, 39, 40, 41, 51, 52, 53, 58, 59, 60, 61, 62, 63, 64,
+         14,  15,  57,  12,  13,  26,  27,  43,  43,  39,  40,  41,  51,  52,
-         65, 66, 67, 68, 87, 88, 99, 70,119,110,102,104,111,107,109,106,
+         53,  58,  59,  60,  61,  62,  63,  64,  65,  66,  67,  68,  87,  88,
-        105,108,103, 69, 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71,
+         99,  70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103,  69,
-         72, 73, 82, 83, 86,127,116,117,183,184,185,186,187,188,189,190,
+         98,  55,  74,  78,  96,  79,  80,  81,  75,  76,  77,  71,  72,  73,
-        191,192,193,194,134,138,130,132,128,129,131,137,133,135,136,113,
+         82,  83,  86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
-        115,114,  0,  0,  0,121,  0, 89, 93,124, 92, 94, 95,  0,  0,  0,
+        191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
-        122,123, 90, 91, 85,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+        136, 113, 115, 114,   0,   0,   0, 121,   0,  89,  93, 124,  92,  94,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+         95,   0,   0,   0, 122, 123,  90,  91,  85,   0,   0,   0,   0,   0,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-         29, 42, 56,125, 97, 54,100,126,164,166,165,163,161,115,114,113,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-        150,158,159,128,136,177,178,176,142,152,173,140
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
+         29,  42,  56, 125,  97,  54, 100, 126, 164, 166, 165, 163, 161, 115,
+        114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
 };
 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
@@ -462,7 +465,7 @@ static void hidp_idle_timeout(unsigned long arg)
        struct hidp_session *session = (struct hidp_session *) arg;
        atomic_inc(&session->terminate);
-        hidp_schedule(session);
+        wake_up_process(session->task);
 }
 static void hidp_set_timer(struct hidp_session *session)
@@ -533,9 +536,8 @@ static void hidp_process_hid_control(struct hidp_session *session,
                skb_queue_purge(&session->ctrl_transmit);
                skb_queue_purge(&session->intr_transmit);
-                /* Kill session thread */
                atomic_inc(&session->terminate);
-                hidp_schedule(session);
+                wake_up_process(current);
        }
 }
@@ -694,22 +696,10 @@ static int hidp_session(void *arg)
        struct sock *ctrl_sk = session->ctrl_sock->sk;
        struct sock *intr_sk = session->intr_sock->sk;
        struct sk_buff *skb;
-        int vendor = 0x0000, product = 0x0000;
        wait_queue_t ctrl_wait, intr_wait;
        BT_DBG("session %p", session);
-        if (session->input) {
-                vendor  = session->input->id.vendor;
-                product = session->input->id.product;
-        }
-        if (session->hid) {
-                vendor  = session->hid->vendor;
-                product = session->hid->product;
-        }
-        daemonize("khidpd_%04x%04x", vendor, product);
        set_user_nice(current, -15);
        init_waitqueue_entry(&ctrl_wait, current);
@@ -718,10 +708,10 @@ static int hidp_session(void *arg)
        add_wait_queue(sk_sleep(intr_sk), &intr_wait);
        session->waiting_for_startup = 0;
        wake_up_interruptible(&session->startup_queue);
+        set_current_state(TASK_INTERRUPTIBLE);
        while (!atomic_read(&session->terminate)) {
-                set_current_state(TASK_INTERRUPTIBLE);
+                if (ctrl_sk->sk_state != BT_CONNECTED ||
+                                intr_sk->sk_state != BT_CONNECTED)
-                if (ctrl_sk->sk_state != BT_CONNECTED || intr_sk->sk_state != BT_CONNECTED)
                        break;
                while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
@@ -737,6 +727,7 @@ static int hidp_session(void *arg)
                hidp_process_transmit(session);
                schedule();
+                set_current_state(TASK_INTERRUPTIBLE);
        }
        set_current_state(TASK_RUNNING);
        remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
@@ -965,6 +956,7 @@ fault:
 int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
 {
        struct hidp_session *session, *s;
+        int vendor, product;
        int err;
        BT_DBG("");
@@ -989,8 +981,10 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
-        session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->omtu, l2cap_pi(ctrl_sock->sk)->imtu);
+        session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu,
-        session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->omtu, l2cap_pi(intr_sock->sk)->imtu);
+                                        l2cap_pi(ctrl_sock->sk)->chan->imtu);
+        session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu,
+                                        l2cap_pi(intr_sock->sk)->chan->imtu);
        BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu);
@@ -1026,9 +1020,24 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        hidp_set_timer(session);
-        err = kernel_thread(hidp_session, session, CLONE_KERNEL);
+        if (session->hid) {
-        if (err < 0)
+                vendor  = session->hid->vendor;
+                product = session->hid->product;
+        } else if (session->input) {
+                vendor  = session->input->id.vendor;
+                product = session->input->id.product;
+        } else {
+                vendor = 0x0000;
+                product = 0x0000;
+        }
+        session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x",
+                                                        vendor, product);
+        if (IS_ERR(session->task)) {
+                err = PTR_ERR(session->task);
                goto unlink;
+        }
        while (session->waiting_for_startup) {
                wait_event_interruptible(session->startup_queue,
                        !session->waiting_for_startup);
@@ -1054,7 +1063,7 @@ err_add_device:
        hid_destroy_device(session->hid);
        session->hid = NULL;
        atomic_inc(&session->terminate);
-        hidp_schedule(session);
+        wake_up_process(session->task);
 unlink:
        hidp_del_timer(session);
@@ -1105,13 +1114,8 @@ int hidp_del_connection(struct hidp_conndel_req *req)
                        skb_queue_purge(&session->ctrl_transmit);
                        skb_queue_purge(&session->intr_transmit);
-                        /* Wakeup user-space polling for socket errors */
-                        session->intr_sock->sk->sk_err = EUNATCH;
-                        session->ctrl_sock->sk->sk_err = EUNATCH;
-                        /* Kill session thread */
                        atomic_inc(&session->terminate);
-                        hidp_schedule(session);
+                        wake_up_process(session->task);
                }
        } else
                err = -ENOENT;
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index 13de5fa03480..af1bcc823f26 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -80,12 +80,12 @@
 #define HIDP_VIRTUAL_CABLE_UNPLUG       0
 #define HIDP_BOOT_PROTOCOL_MODE         1
 #define HIDP_BLUETOOTH_VENDOR_ID        9
-#define HIDP_WAITING_FOR_RETURN         10
+#define HIDP_WAITING_FOR_RETURN         10
 #define HIDP_WAITING_FOR_SEND_ACK       11
 struct hidp_connadd_req {
-        int   ctrl_sock;        // Connected control socket
+        int   ctrl_sock;        /* Connected control socket */
-        int   intr_sock;        // Connteted interrupt socket
+        int   intr_sock;        /* Connected interrupt socket */
        __u16 parser;
        __u16 rd_size;
        __u8 __user *rd_data;
@@ -143,6 +143,7 @@ struct hidp_session {
        uint intr_mtu;
        atomic_t terminate;
+        struct task_struct *task;
        unsigned char keys[8];
        unsigned char leds;
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 250dfd46237d..178ac7f127ad 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -85,7 +85,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
                        return err;
                }
-                if (csock->sk->sk_state != BT_CONNECTED || isock->sk->sk_state != BT_CONNECTED) {
+                if (csock->sk->sk_state != BT_CONNECTED ||
+                                isock->sk->sk_state != BT_CONNECTED) {
                        sockfd_put(csock);
                        sockfd_put(isock);
                        return -EBADFD;
@@ -140,8 +141,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 #ifdef CONFIG_COMPAT
 struct compat_hidp_connadd_req {
-        int   ctrl_sock;        // Connected control socket
+        int   ctrl_sock;        /* Connected control socket */
-        int   intr_sock;        // Connteted interrupt socket
+        int   intr_sock;        /* Connected interrupt socket */
        __u16 parser;
        __u16 rd_size;
        compat_uptr_t rd_data;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2c8dd4494c63..7705e26e699f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -62,168 +62,233 @@ static u8 l2cap_fixed_chan[8] = { 0x02, };
 static struct workqueue_struct *_busy_wq;
-struct bt_sock_list l2cap_sk_list = {
+LIST_HEAD(chan_list);
-        .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
+DEFINE_RWLOCK(chan_list_lock);
-};
 static void l2cap_busy_work(struct work_struct *work);
 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
                                u8 code, u8 ident, u16 dlen, void *data);
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
 /* ---- L2CAP channels ---- */
-static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
+static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
 {
-        struct sock *s;
+        struct l2cap_chan *c;
-        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
-                if (l2cap_pi(s)->dcid == cid)
+        list_for_each_entry(c, &conn->chan_l, list) {
-                        break;
+                if (c->dcid == cid)
+                        return c;
        }
-        return s;
+        return NULL;
 }
-static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
+static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
 {
-        struct sock *s;
+        struct l2cap_chan *c;
-        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
-                if (l2cap_pi(s)->scid == cid)
+        list_for_each_entry(c, &conn->chan_l, list) {
-                        break;
+                if (c->scid == cid)
+                        return c;
        }
-        return s;
+        return NULL;
 }
 /* Find channel with given SCID.
 * Returns locked socket */
-static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
+static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
 {
-        struct sock *s;
+        struct l2cap_chan *c;
-        read_lock(&l->lock);
-        s = __l2cap_get_chan_by_scid(l, cid);
+        read_lock(&conn->chan_lock);
-        if (s)
+        c = __l2cap_get_chan_by_scid(conn, cid);
-                bh_lock_sock(s);
+        if (c)
-        read_unlock(&l->lock);
+                bh_lock_sock(c->sk);
-        return s;
+        read_unlock(&conn->chan_lock);
+        return c;
 }
-static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
+static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
 {
-        struct sock *s;
+        struct l2cap_chan *c;
-        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
-                if (l2cap_pi(s)->ident == ident)
+        list_for_each_entry(c, &conn->chan_l, list) {
-                        break;
+                if (c->ident == ident)
+                        return c;
+        }
+        return NULL;
+}
+static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
+{
+        struct l2cap_chan *c;
+        read_lock(&conn->chan_lock);
+        c = __l2cap_get_chan_by_ident(conn, ident);
+        if (c)
+                bh_lock_sock(c->sk);
+        read_unlock(&conn->chan_lock);
+        return c;
+}
+static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
+{
+        struct l2cap_chan *c;
+        list_for_each_entry(c, &chan_list, global_l) {
+                if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
+                        goto found;
+        }
+        c = NULL;
+found:
+        return c;
+}
+int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
+{
+        int err;
+        write_lock_bh(&chan_list_lock);
+        if (psm && __l2cap_global_chan_by_addr(psm, src)) {
+                err = -EADDRINUSE;
+                goto done;
+        }
+        if (psm) {
+                chan->psm = psm;
+                chan->sport = psm;
+                err = 0;
+        } else {
+                u16 p;
+                err = -EINVAL;
+                for (p = 0x1001; p < 0x1100; p += 2)
+                        if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
+                                chan->psm   = cpu_to_le16(p);
+                                chan->sport = cpu_to_le16(p);
+                                err = 0;
+                                break;
+                        }
        }
-        return s;
+done:
+        write_unlock_bh(&chan_list_lock);
+        return err;
 }
-static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
+int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
 {
-        struct sock *s;
+        write_lock_bh(&chan_list_lock);
-        read_lock(&l->lock);
-        s = __l2cap_get_chan_by_ident(l, ident);
+        chan->scid = scid;
-        if (s)
-                bh_lock_sock(s);
+        write_unlock_bh(&chan_list_lock);
-        read_unlock(&l->lock);
-        return s;
+        return 0;
 }
-static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
+static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
 {
        u16 cid = L2CAP_CID_DYN_START;
        for (; cid < L2CAP_CID_DYN_END; cid++) {
-                if (!__l2cap_get_chan_by_scid(l, cid))
+                if (!__l2cap_get_chan_by_scid(conn, cid))
                        return cid;
        }
        return 0;
 }
-static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
+struct l2cap_chan *l2cap_chan_create(struct sock *sk)
 {
-        sock_hold(sk);
+        struct l2cap_chan *chan;
-        if (l->head)
+        chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
-                l2cap_pi(l->head)->prev_c = sk;
+        if (!chan)
+                return NULL;
-        l2cap_pi(sk)->next_c = l->head;
+        chan->sk = sk;
-        l2cap_pi(sk)->prev_c = NULL;
-        l->head = sk;
-}
-static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
+        write_lock_bh(&chan_list_lock);
-{
+        list_add(&chan->global_l, &chan_list);
-        struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
+        write_unlock_bh(&chan_list_lock);
-        write_lock_bh(&l->lock);
+        return chan;
-        if (sk == l->head)
+}
-                l->head = next;
-        if (next)
+void l2cap_chan_destroy(struct l2cap_chan *chan)
-                l2cap_pi(next)->prev_c = prev;
+{
-        if (prev)
+        write_lock_bh(&chan_list_lock);
-                l2cap_pi(prev)->next_c = next;
+        list_del(&chan->global_l);
-        write_unlock_bh(&l->lock);
+        write_unlock_bh(&chan_list_lock);
-        __sock_put(sk);
+        kfree(chan);
 }
-static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
+static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
 {
-        struct l2cap_chan_list *l = &conn->chan_list;
+        struct sock *sk = chan->sk;
        BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
-                        l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
+                        chan->psm, chan->dcid);
        conn->disc_reason = 0x13;
-        l2cap_pi(sk)->conn = conn;
+        chan->conn = conn;
        if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
                if (conn->hcon->type == LE_LINK) {
                        /* LE connection */
-                        l2cap_pi(sk)->omtu = L2CAP_LE_DEFAULT_MTU;
+                        chan->omtu = L2CAP_LE_DEFAULT_MTU;
-                        l2cap_pi(sk)->scid = L2CAP_CID_LE_DATA;
+                        chan->scid = L2CAP_CID_LE_DATA;
-                        l2cap_pi(sk)->dcid = L2CAP_CID_LE_DATA;
+                        chan->dcid = L2CAP_CID_LE_DATA;
                } else {
                        /* Alloc CID for connection-oriented socket */
-                        l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
+                        chan->scid = l2cap_alloc_cid(conn);
-                        l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
+                        chan->omtu = L2CAP_DEFAULT_MTU;
                }
        } else if (sk->sk_type == SOCK_DGRAM) {
                /* Connectionless socket */
-                l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
+                chan->scid = L2CAP_CID_CONN_LESS;
-                l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
+                chan->dcid = L2CAP_CID_CONN_LESS;
-                l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
+                chan->omtu = L2CAP_DEFAULT_MTU;
        } else {
                /* Raw socket can send/recv signalling messages only */
-                l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
+                chan->scid = L2CAP_CID_SIGNALING;
-                l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
+                chan->dcid = L2CAP_CID_SIGNALING;
-                l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
+                chan->omtu = L2CAP_DEFAULT_MTU;
        }
-        __l2cap_chan_link(l, sk);
+        sock_hold(sk);
-        if (parent)
+        list_add(&chan->list, &conn->chan_l);
-                bt_accept_enqueue(parent, sk);
 }
 /* Delete channel.
 * Must be called on the locked socket. */
-void l2cap_chan_del(struct sock *sk, int err)
+void l2cap_chan_del(struct l2cap_chan *chan, int err)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
        struct sock *parent = bt_sk(sk)->parent;
        l2cap_sock_clear_timer(sk);
-        BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
+        BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
        if (conn) {
-                /* Unlink from channel list */
+                /* Delete from channel list */
-                l2cap_chan_unlink(&conn->chan_list, sk);
+                write_lock_bh(&conn->chan_lock);
-                l2cap_pi(sk)->conn = NULL;
+                list_del(&chan->list);
+                write_unlock_bh(&conn->chan_lock);
+                __sock_put(sk);
+                chan->conn = NULL;
                hci_conn_put(conn->hcon);
        }
@@ -239,29 +304,35 @@ void l2cap_chan_del(struct sock *sk, int err)
        } else
                sk->sk_state_change(sk);
-        skb_queue_purge(TX_QUEUE(sk));
+        if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
+                        chan->conf_state & L2CAP_CONF_INPUT_DONE))
+                return;
+        skb_queue_purge(&chan->tx_q);
-        if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
+        if (chan->mode == L2CAP_MODE_ERTM) {
                struct srej_list *l, *tmp;
-                del_timer(&l2cap_pi(sk)->retrans_timer);
+                del_timer(&chan->retrans_timer);
-                del_timer(&l2cap_pi(sk)->monitor_timer);
+                del_timer(&chan->monitor_timer);
-                del_timer(&l2cap_pi(sk)->ack_timer);
+                del_timer(&chan->ack_timer);
-                skb_queue_purge(SREJ_QUEUE(sk));
+                skb_queue_purge(&chan->srej_q);
-                skb_queue_purge(BUSY_QUEUE(sk));
+                skb_queue_purge(&chan->busy_q);
-                list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
+                list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
                        list_del(&l->list);
                        kfree(l);
                }
        }
 }
-static inline u8 l2cap_get_auth_type(struct sock *sk)
+static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
 {
+        struct sock *sk = chan->sk;
        if (sk->sk_type == SOCK_RAW) {
-                switch (l2cap_pi(sk)->sec_level) {
+                switch (chan->sec_level) {
                case BT_SECURITY_HIGH:
                        return HCI_AT_DEDICATED_BONDING_MITM;
                case BT_SECURITY_MEDIUM:
@@ -269,16 +340,16 @@ static inline u8 l2cap_get_auth_type(struct sock *sk)
                default:
                        return HCI_AT_NO_BONDING;
                }
-        } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
+        } else if (chan->psm == cpu_to_le16(0x0001)) {
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
+                if (chan->sec_level == BT_SECURITY_LOW)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
+                        chan->sec_level = BT_SECURITY_SDP;
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
+                if (chan->sec_level == BT_SECURITY_HIGH)
                        return HCI_AT_NO_BONDING_MITM;
                else
                        return HCI_AT_NO_BONDING;
        } else {
-                switch (l2cap_pi(sk)->sec_level) {
+                switch (chan->sec_level) {
                case BT_SECURITY_HIGH:
                        return HCI_AT_GENERAL_BONDING_MITM;
                case BT_SECURITY_MEDIUM:
@@ -290,15 +361,14 @@ static inline u8 l2cap_get_auth_type(struct sock *sk)
 }
 /* Service level security */
-static inline int l2cap_check_security(struct sock *sk)
+static inline int l2cap_check_security(struct l2cap_chan *chan)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct l2cap_conn *conn = chan->conn;
        __u8 auth_type;
-        auth_type = l2cap_get_auth_type(sk);
+        auth_type = l2cap_get_auth_type(chan);
-        return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
+        return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
-                                                                auth_type);
 }
 u8 l2cap_get_ident(struct l2cap_conn *conn)
@@ -341,11 +411,12 @@ void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *d
        hci_send_acl(conn->hcon, skb, flags);
 }
-static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
+static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
 {
        struct sk_buff *skb;
        struct l2cap_hdr *lh;
-        struct l2cap_conn *conn = pi->conn;
+        struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
+        struct l2cap_conn *conn = chan->conn;
        struct sock *sk = (struct sock *)pi;
        int count, hlen = L2CAP_HDR_SIZE + 2;
        u8 flags;
@@ -353,22 +424,22 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
        if (sk->sk_state != BT_CONNECTED)
                return;
-        if (pi->fcs == L2CAP_FCS_CRC16)
+        if (chan->fcs == L2CAP_FCS_CRC16)
                hlen += 2;
-        BT_DBG("pi %p, control 0x%2.2x", pi, control);
+        BT_DBG("chan %p, control 0x%2.2x", chan, control);
        count = min_t(unsigned int, conn->mtu, hlen);
        control |= L2CAP_CTRL_FRAME_TYPE;
-        if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
+        if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
                control |= L2CAP_CTRL_FINAL;
-                pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
+                chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
        }
-        if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
+        if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
                control |= L2CAP_CTRL_POLL;
-                pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
+                chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
        }
        skb = bt_skb_alloc(count, GFP_ATOMIC);
@@ -377,10 +448,10 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
        lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(pi->dcid);
+        lh->cid = cpu_to_le16(chan->dcid);
        put_unaligned_le16(control, skb_put(skb, 2));
-        if (pi->fcs == L2CAP_FCS_CRC16) {
+        if (chan->fcs == L2CAP_FCS_CRC16) {
                u16 fcs = crc16(0, (u8 *)lh, count - 2);
                put_unaligned_le16(fcs, skb_put(skb, 2));
        }
@@ -390,45 +461,46 @@ static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
        else
                flags = ACL_START;
-        hci_send_acl(pi->conn->hcon, skb, flags);
+        hci_send_acl(chan->conn->hcon, skb, flags);
 }
-static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
+static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
 {
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
                control |= L2CAP_SUPER_RCV_NOT_READY;
-                pi->conn_state |= L2CAP_CONN_RNR_SENT;
+                chan->conn_state |= L2CAP_CONN_RNR_SENT;
        } else
                control |= L2CAP_SUPER_RCV_READY;
-        control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        l2cap_send_sframe(pi, control);
+        l2cap_send_sframe(chan, control);
 }
-static inline int __l2cap_no_conn_pending(struct sock *sk)
+static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
 {
-        return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
+        return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
 }
-static void l2cap_do_start(struct sock *sk)
+static void l2cap_do_start(struct l2cap_chan *chan)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct l2cap_conn *conn = chan->conn;
        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
                if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
                        return;
-                if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
+                if (l2cap_check_security(chan) &&
+                                __l2cap_no_conn_pending(chan)) {
                        struct l2cap_conn_req req;
-                        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
+                        req.scid = cpu_to_le16(chan->scid);
-                        req.psm  = l2cap_pi(sk)->psm;
+                        req.psm  = chan->psm;
-                        l2cap_pi(sk)->ident = l2cap_get_ident(conn);
+                        chan->ident = l2cap_get_ident(conn);
-                        l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                        chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
-                                        L2CAP_CONN_REQ, sizeof(req), &req);
+                                                        sizeof(req), &req);
                }
        } else {
                struct l2cap_info_req req;
@@ -461,23 +533,24 @@ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
        }
 }
-void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
+void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
 {
+        struct sock *sk;
        struct l2cap_disconn_req req;
        if (!conn)
                return;
-        skb_queue_purge(TX_QUEUE(sk));
+        sk = chan->sk;
-        if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
+        if (chan->mode == L2CAP_MODE_ERTM) {
-                del_timer(&l2cap_pi(sk)->retrans_timer);
+                del_timer(&chan->retrans_timer);
-                del_timer(&l2cap_pi(sk)->monitor_timer);
+                del_timer(&chan->monitor_timer);
-                del_timer(&l2cap_pi(sk)->ack_timer);
+                del_timer(&chan->ack_timer);
        }
-        req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
+        req.dcid = cpu_to_le16(chan->dcid);
-        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
+        req.scid = cpu_to_le16(chan->scid);
        l2cap_send_cmd(conn, l2cap_get_ident(conn),
                        L2CAP_DISCONN_REQ, sizeof(req), &req);
@@ -488,17 +561,15 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
 /* ---- L2CAP connections ---- */
 static void l2cap_conn_start(struct l2cap_conn *conn)
 {
-        struct l2cap_chan_list *l = &conn->chan_list;
+        struct l2cap_chan *chan, *tmp;
-        struct sock_del_list del, *tmp1, *tmp2;
-        struct sock *sk;
        BT_DBG("conn %p", conn);
-        INIT_LIST_HEAD(&del.list);
+        read_lock(&conn->chan_lock);
-        read_lock(&l->lock);
+        list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
                bh_lock_sock(sk);
                if (sk->sk_type != SOCK_SEQPACKET &&
@@ -510,45 +581,47 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
                if (sk->sk_state == BT_CONNECT) {
                        struct l2cap_conn_req req;
-                        if (!l2cap_check_security(sk) ||
+                        if (!l2cap_check_security(chan) ||
-                                        !__l2cap_no_conn_pending(sk)) {
+                                        !__l2cap_no_conn_pending(chan)) {
                                bh_unlock_sock(sk);
                                continue;
                        }
-                        if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
+                        if (!l2cap_mode_supported(chan->mode,
                                        conn->feat_mask)
-                                        && l2cap_pi(sk)->conf_state &
+                                        && chan->conf_state &
                                        L2CAP_CONF_STATE2_DEVICE) {
-                                tmp1 = kzalloc(sizeof(struct sock_del_list),
+                                /* __l2cap_sock_close() calls list_del(chan)
-                                                GFP_ATOMIC);
+                                 * so release the lock */
-                                tmp1->sk = sk;
+                                read_unlock_bh(&conn->chan_lock);
-                                list_add_tail(&tmp1->list, &del.list);
+                                 __l2cap_sock_close(sk, ECONNRESET);
+                                read_lock_bh(&conn->chan_lock);
                                bh_unlock_sock(sk);
                                continue;
                        }
-                        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
+                        req.scid = cpu_to_le16(chan->scid);
-                        req.psm  = l2cap_pi(sk)->psm;
+                        req.psm  = chan->psm;
-                        l2cap_pi(sk)->ident = l2cap_get_ident(conn);
+                        chan->ident = l2cap_get_ident(conn);
-                        l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                        chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
-                                L2CAP_CONN_REQ, sizeof(req), &req);
+                                                        sizeof(req), &req);
                } else if (sk->sk_state == BT_CONNECT2) {
                        struct l2cap_conn_rsp rsp;
                        char buf[128];
-                        rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
+                        rsp.scid = cpu_to_le16(chan->dcid);
-                        rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
+                        rsp.dcid = cpu_to_le16(chan->scid);
-                        if (l2cap_check_security(sk)) {
+                        if (l2cap_check_security(chan)) {
                                if (bt_sk(sk)->defer_setup) {
                                        struct sock *parent = bt_sk(sk)->parent;
                                        rsp.result = cpu_to_le16(L2CAP_CR_PEND);
                                        rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
-                                        parent->sk_data_ready(parent, 0);
+                                        if (parent)
+                                                parent->sk_data_ready(parent, 0);
                                } else {
                                        sk->sk_state = BT_CONFIG;
@@ -560,80 +633,77 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
                                rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
                        }
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+                                                        sizeof(rsp), &rsp);
-                        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
+                        if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
                                        rsp.result != L2CAP_CR_SUCCESS) {
                                bh_unlock_sock(sk);
                                continue;
                        }
-                        l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
+                        chan->conf_state |= L2CAP_CONF_REQ_SENT;
                        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                                l2cap_build_conf_req(sk, buf), buf);
+                                                l2cap_build_conf_req(chan, buf), buf);
-                        l2cap_pi(sk)->num_conf_req++;
+                        chan->num_conf_req++;
                }
                bh_unlock_sock(sk);
        }
-        read_unlock(&l->lock);
+        read_unlock(&conn->chan_lock);
-        list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
-                bh_lock_sock(tmp1->sk);
-                __l2cap_sock_close(tmp1->sk, ECONNRESET);
-                bh_unlock_sock(tmp1->sk);
-                list_del(&tmp1->list);
-                kfree(tmp1);
-        }
 }
 /* Find socket with cid and source bdaddr.
 * Returns closest match, locked.
 */
-static struct sock *l2cap_get_sock_by_scid(int state, __le16 cid, bdaddr_t *src)
+static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
 {
-        struct sock *s, *sk = NULL, *sk1 = NULL;
+        struct l2cap_chan *c, *c1 = NULL;
-        struct hlist_node *node;
+        read_lock(&chan_list_lock);
-        read_lock(&l2cap_sk_list.lock);
+        list_for_each_entry(c, &chan_list, global_l) {
+                struct sock *sk = c->sk;
-        sk_for_each(sk, node, &l2cap_sk_list.head) {
                if (state && sk->sk_state != state)
                        continue;
-                if (l2cap_pi(sk)->scid == cid) {
+                if (c->scid == cid) {
                        /* Exact match. */
-                        if (!bacmp(&bt_sk(sk)->src, src))
+                        if (!bacmp(&bt_sk(sk)->src, src)) {
-                                break;
+                                read_unlock(&chan_list_lock);
+                                return c;
+                        }
                        /* Closest match */
                        if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
-                                sk1 = sk;
+                                c1 = c;
                }
        }
-        s = node ? sk : sk1;
-        if (s)
-                bh_lock_sock(s);
-        read_unlock(&l2cap_sk_list.lock);
-        return s;
+        read_unlock(&chan_list_lock);
+        return c1;
 }
 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
 {
-        struct l2cap_chan_list *list = &conn->chan_list;
+        struct sock *parent, *sk;
-        struct sock *parent, *uninitialized_var(sk);
+        struct l2cap_chan *chan, *pchan;
        BT_DBG("");
        /* Check if we have socket listening on cid */
-        parent = l2cap_get_sock_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
+        pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
                                                        conn->src);
-        if (!parent)
+        if (!pchan)
                return;
+        parent = pchan->sk;
+        bh_lock_sock(parent);
        /* Check for backlog size */
        if (sk_acceptq_is_full(parent)) {
                BT_DBG("backlog full %d", parent->sk_ack_backlog);
@@ -644,22 +714,33 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
        if (!sk)
                goto clean;
-        write_lock_bh(&list->lock);
+        chan = l2cap_chan_create(sk);
+        if (!chan) {
+                l2cap_sock_kill(sk);
+                goto clean;
+        }
+        l2cap_pi(sk)->chan = chan;
+        write_lock_bh(&conn->chan_lock);
        hci_conn_hold(conn->hcon);
        l2cap_sock_init(sk, parent);
        bacpy(&bt_sk(sk)->src, conn->src);
        bacpy(&bt_sk(sk)->dst, conn->dst);
-        __l2cap_chan_add(conn, sk, parent);
+        bt_accept_enqueue(parent, sk);
+        __l2cap_chan_add(conn, chan);
        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
        sk->sk_state = BT_CONNECTED;
        parent->sk_data_ready(parent, 0);
-        write_unlock_bh(&list->lock);
+        write_unlock_bh(&conn->chan_lock);
 clean:
        bh_unlock_sock(parent);
@@ -667,17 +748,18 @@ clean:
 static void l2cap_conn_ready(struct l2cap_conn *conn)
 {
-        struct l2cap_chan_list *l = &conn->chan_list;
+        struct l2cap_chan *chan;
-        struct sock *sk;
        BT_DBG("conn %p", conn);
        if (!conn->hcon->out && conn->hcon->type == LE_LINK)
                l2cap_le_conn_ready(conn);
-        read_lock(&l->lock);
+        read_lock(&conn->chan_lock);
+        list_for_each_entry(chan, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
                bh_lock_sock(sk);
                if (conn->hcon->type == LE_LINK) {
@@ -692,30 +774,31 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
                        sk->sk_state = BT_CONNECTED;
                        sk->sk_state_change(sk);
                } else if (sk->sk_state == BT_CONNECT)
-                        l2cap_do_start(sk);
+                        l2cap_do_start(chan);
                bh_unlock_sock(sk);
        }
-        read_unlock(&l->lock);
+        read_unlock(&conn->chan_lock);
 }
 /* Notify sockets that we cannot guaranty reliability anymore */
 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
 {
-        struct l2cap_chan_list *l = &conn->chan_list;
+        struct l2cap_chan *chan;
-        struct sock *sk;
        BT_DBG("conn %p", conn);
-        read_lock(&l->lock);
+        read_lock(&conn->chan_lock);
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
+        list_for_each_entry(chan, &conn->chan_l, list) {
-                if (l2cap_pi(sk)->force_reliable)
+                struct sock *sk = chan->sk;
+                if (chan->force_reliable)
                        sk->sk_err = err;
        }
-        read_unlock(&l->lock);
+        read_unlock(&conn->chan_lock);
 }
 static void l2cap_info_timeout(unsigned long arg)
@@ -755,7 +838,9 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
        conn->feat_mask = 0;
        spin_lock_init(&conn->lock);
-        rwlock_init(&conn->chan_list.lock);
+        rwlock_init(&conn->chan_lock);
+        INIT_LIST_HEAD(&conn->chan_l);
        if (hcon->type != LE_LINK)
                setup_timer(&conn->info_timer, l2cap_info_timeout,
@@ -769,6 +854,7 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
 static void l2cap_conn_del(struct hci_conn *hcon, int err)
 {
        struct l2cap_conn *conn = hcon->l2cap_data;
+        struct l2cap_chan *chan, *l;
        struct sock *sk;
        if (!conn)
@@ -779,9 +865,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
        kfree_skb(conn->rx_skb);
        /* Kill channels */
-        while ((sk = conn->chan_list.head)) {
+        list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
+                sk = chan->sk;
                bh_lock_sock(sk);
-                l2cap_chan_del(sk, err);
+                l2cap_chan_del(chan, err);
                bh_unlock_sock(sk);
                l2cap_sock_kill(sk);
        }
@@ -793,12 +880,11 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
        kfree(conn);
 }
-static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
+static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
 {
-        struct l2cap_chan_list *l = &conn->chan_list;
+        write_lock_bh(&conn->chan_lock);
-        write_lock_bh(&l->lock);
+        __l2cap_chan_add(conn, chan);
-        __l2cap_chan_add(conn, sk, parent);
+        write_unlock_bh(&conn->chan_lock);
-        write_unlock_bh(&l->lock);
 }
 /* ---- Socket interface ---- */
@@ -806,35 +892,39 @@ static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, stru
 /* Find socket with psm and source bdaddr.
 * Returns closest match.
 */
-static struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
+static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
 {
-        struct sock *sk = NULL, *sk1 = NULL;
+        struct l2cap_chan *c, *c1 = NULL;
-        struct hlist_node *node;
+        read_lock(&chan_list_lock);
-        read_lock(&l2cap_sk_list.lock);
+        list_for_each_entry(c, &chan_list, global_l) {
+                struct sock *sk = c->sk;
-        sk_for_each(sk, node, &l2cap_sk_list.head) {
                if (state && sk->sk_state != state)
                        continue;
-                if (l2cap_pi(sk)->psm == psm) {
+                if (c->psm == psm) {
                        /* Exact match. */
-                        if (!bacmp(&bt_sk(sk)->src, src))
+                        if (!bacmp(&bt_sk(sk)->src, src)) {
-                                break;
+                                read_unlock(&chan_list_lock);
+                                return c;
+                        }
                        /* Closest match */
                        if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
-                                sk1 = sk;
+                                c1 = c;
                }
        }
-        read_unlock(&l2cap_sk_list.lock);
+        read_unlock(&chan_list_lock);
-        return node ? sk : sk1;
+        return c1;
 }
-int l2cap_do_connect(struct sock *sk)
+int l2cap_chan_connect(struct l2cap_chan *chan)
 {
+        struct sock *sk = chan->sk;
        bdaddr_t *src = &bt_sk(sk)->src;
        bdaddr_t *dst = &bt_sk(sk)->dst;
        struct l2cap_conn *conn;
@@ -844,7 +934,7 @@ int l2cap_do_connect(struct sock *sk)
        int err;
        BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
-                                                        l2cap_pi(sk)->psm);
+                                                        chan->psm);
        hdev = hci_get_route(dst, src);
        if (!hdev)
@@ -852,14 +942,14 @@ int l2cap_do_connect(struct sock *sk)
        hci_dev_lock_bh(hdev);
-        auth_type = l2cap_get_auth_type(sk);
+        auth_type = l2cap_get_auth_type(chan);
-        if (l2cap_pi(sk)->dcid == L2CAP_CID_LE_DATA)
+        if (chan->dcid == L2CAP_CID_LE_DATA)
                hcon = hci_connect(hdev, LE_LINK, dst,
-                                        l2cap_pi(sk)->sec_level, auth_type);
+                                        chan->sec_level, auth_type);
        else
                hcon = hci_connect(hdev, ACL_LINK, dst,
-                                        l2cap_pi(sk)->sec_level, auth_type);
+                                        chan->sec_level, auth_type);
        if (IS_ERR(hcon)) {
                err = PTR_ERR(hcon);
@@ -876,7 +966,7 @@ int l2cap_do_connect(struct sock *sk)
        /* Update source addr of the socket */
        bacpy(src, conn->src);
-        l2cap_chan_add(conn, sk, NULL);
+        l2cap_chan_add(conn, chan);
        sk->sk_state = BT_CONNECT;
        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
@@ -885,10 +975,10 @@ int l2cap_do_connect(struct sock *sk)
                if (sk->sk_type != SOCK_SEQPACKET &&
                                sk->sk_type != SOCK_STREAM) {
                        l2cap_sock_clear_timer(sk);
-                        if (l2cap_check_security(sk))
+                        if (l2cap_check_security(chan))
                                sk->sk_state = BT_CONNECTED;
                } else
-                        l2cap_do_start(sk);
+                        l2cap_do_start(chan);
        }
        err = 0;
@@ -901,12 +991,13 @@ done:
 int __l2cap_wait_ack(struct sock *sk)
 {
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        DECLARE_WAITQUEUE(wait, current);
        int err = 0;
        int timeo = HZ/5;
        add_wait_queue(sk_sleep(sk), &wait);
-        while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
+        while ((chan->unacked_frames > 0 && chan->conn)) {
                set_current_state(TASK_INTERRUPTIBLE);
                if (!timeo)
@@ -932,68 +1023,69 @@ int __l2cap_wait_ack(struct sock *sk)
 static void l2cap_monitor_timeout(unsigned long arg)
 {
-        struct sock *sk = (void *) arg;
+        struct l2cap_chan *chan = (void *) arg;
+        struct sock *sk = chan->sk;
-        BT_DBG("sk %p", sk);
+        BT_DBG("chan %p", chan);
        bh_lock_sock(sk);
-        if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
+        if (chan->retry_count >= chan->remote_max_tx) {
-                l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
+                l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
                bh_unlock_sock(sk);
                return;
        }
-        l2cap_pi(sk)->retry_count++;
+        chan->retry_count++;
        __mod_monitor_timer();
-        l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
+        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
        bh_unlock_sock(sk);
 }
 static void l2cap_retrans_timeout(unsigned long arg)
 {
-        struct sock *sk = (void *) arg;
+        struct l2cap_chan *chan = (void *) arg;
+        struct sock *sk = chan->sk;
-        BT_DBG("sk %p", sk);
+        BT_DBG("chan %p", chan);
        bh_lock_sock(sk);
-        l2cap_pi(sk)->retry_count = 1;
+        chan->retry_count = 1;
        __mod_monitor_timer();
-        l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
+        chan->conn_state |= L2CAP_CONN_WAIT_F;
-        l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
+        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
        bh_unlock_sock(sk);
 }
-static void l2cap_drop_acked_frames(struct sock *sk)
+static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
 {
        struct sk_buff *skb;
-        while ((skb = skb_peek(TX_QUEUE(sk))) &&
+        while ((skb = skb_peek(&chan->tx_q)) &&
-                        l2cap_pi(sk)->unacked_frames) {
+                        chan->unacked_frames) {
-                if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
+                if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
                        break;
-                skb = skb_dequeue(TX_QUEUE(sk));
+                skb = skb_dequeue(&chan->tx_q);
                kfree_skb(skb);
-                l2cap_pi(sk)->unacked_frames--;
+                chan->unacked_frames--;
        }
-        if (!l2cap_pi(sk)->unacked_frames)
+        if (!chan->unacked_frames)
-                del_timer(&l2cap_pi(sk)->retrans_timer);
+                del_timer(&chan->retrans_timer);
 }
-void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
+void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
+        struct hci_conn *hcon = chan->conn->hcon;
-        struct hci_conn *hcon = pi->conn->hcon;
        u16 flags;
-        BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
+        BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
-        if (!pi->flushable && lmp_no_flush_capable(hcon->hdev))
+        if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
                flags = ACL_START_NO_FLUSH;
        else
                flags = ACL_START;
@@ -1001,35 +1093,33 @@ void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
        hci_send_acl(hcon, skb, flags);
 }
-void l2cap_streaming_send(struct sock *sk)
+void l2cap_streaming_send(struct l2cap_chan *chan)
 {
        struct sk_buff *skb;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        u16 control, fcs;
-        while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
+        while ((skb = skb_dequeue(&chan->tx_q))) {
                control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
-                control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
+                control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
                put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
-                if (pi->fcs == L2CAP_FCS_CRC16) {
+                if (chan->fcs == L2CAP_FCS_CRC16) {
                        fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
                        put_unaligned_le16(fcs, skb->data + skb->len - 2);
                }
-                l2cap_do_send(sk, skb);
+                l2cap_do_send(chan, skb);
-                pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
+                chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
        }
 }
-static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
+static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct sk_buff *skb, *tx_skb;
        u16 control, fcs;
-        skb = skb_peek(TX_QUEUE(sk));
+        skb = skb_peek(&chan->tx_q);
        if (!skb)
                return;
@@ -1037,14 +1127,14 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
                if (bt_cb(skb)->tx_seq == tx_seq)
                        break;
-                if (skb_queue_is_last(TX_QUEUE(sk), skb))
+                if (skb_queue_is_last(&chan->tx_q, skb))
                        return;
-        } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
+        } while ((skb = skb_queue_next(&chan->tx_q, skb)));
-        if (pi->remote_max_tx &&
+        if (chan->remote_max_tx &&
-                        bt_cb(skb)->retries == pi->remote_max_tx) {
+                        bt_cb(skb)->retries == chan->remote_max_tx) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
+                l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
                return;
        }
@@ -1053,39 +1143,39 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
        control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
        control &= L2CAP_CTRL_SAR;
-        if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
+        if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
                control |= L2CAP_CTRL_FINAL;
-                pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
+                chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
        }
-        control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
+        control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
                        | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
        put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
-        if (pi->fcs == L2CAP_FCS_CRC16) {
+        if (chan->fcs == L2CAP_FCS_CRC16) {
                fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
                put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
        }
-        l2cap_do_send(sk, tx_skb);
+        l2cap_do_send(chan, tx_skb);
 }
-int l2cap_ertm_send(struct sock *sk)
+int l2cap_ertm_send(struct l2cap_chan *chan)
 {
        struct sk_buff *skb, *tx_skb;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
+        struct sock *sk = chan->sk;
        u16 control, fcs;
        int nsent = 0;
        if (sk->sk_state != BT_CONNECTED)
                return -ENOTCONN;
-        while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
+        while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
-                if (pi->remote_max_tx &&
+                if (chan->remote_max_tx &&
-                                bt_cb(skb)->retries == pi->remote_max_tx) {
+                                bt_cb(skb)->retries == chan->remote_max_tx) {
-                        l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
+                        l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
                        break;
                }
@@ -1096,36 +1186,36 @@ int l2cap_ertm_send(struct sock *sk)
                control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
                control &= L2CAP_CTRL_SAR;
-                if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
+                if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
                        control |= L2CAP_CTRL_FINAL;
-                        pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
+                        chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
                }
-                control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
+                control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
-                                | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
+                                | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
                put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
-                if (pi->fcs == L2CAP_FCS_CRC16) {
+                if (chan->fcs == L2CAP_FCS_CRC16) {
                        fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
                        put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
                }
-                l2cap_do_send(sk, tx_skb);
+                l2cap_do_send(chan, tx_skb);
                __mod_retrans_timer();
-                bt_cb(skb)->tx_seq = pi->next_tx_seq;
+                bt_cb(skb)->tx_seq = chan->next_tx_seq;
-                pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
+                chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
                if (bt_cb(skb)->retries == 1)
-                        pi->unacked_frames++;
+                        chan->unacked_frames++;
-                pi->frames_sent++;
+                chan->frames_sent++;
-                if (skb_queue_is_last(TX_QUEUE(sk), skb))
+                if (skb_queue_is_last(&chan->tx_q, skb))
-                        sk->sk_send_head = NULL;
+                        chan->tx_send_head = NULL;
                else
-                        sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
+                        chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
                nsent++;
        }
@@ -1133,41 +1223,39 @@ int l2cap_ertm_send(struct sock *sk)
        return nsent;
 }
-static int l2cap_retransmit_frames(struct sock *sk)
+static int l2cap_retransmit_frames(struct l2cap_chan *chan)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        int ret;
-        if (!skb_queue_empty(TX_QUEUE(sk)))
+        if (!skb_queue_empty(&chan->tx_q))
-                sk->sk_send_head = TX_QUEUE(sk)->next;
+                chan->tx_send_head = chan->tx_q.next;
-        pi->next_tx_seq = pi->expected_ack_seq;
+        chan->next_tx_seq = chan->expected_ack_seq;
-        ret = l2cap_ertm_send(sk);
+        ret = l2cap_ertm_send(chan);
        return ret;
 }
-static void l2cap_send_ack(struct l2cap_pinfo *pi)
+static void l2cap_send_ack(struct l2cap_chan *chan)
 {
-        struct sock *sk = (struct sock *)pi;
        u16 control = 0;
-        control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
                control |= L2CAP_SUPER_RCV_NOT_READY;
-                pi->conn_state |= L2CAP_CONN_RNR_SENT;
+                chan->conn_state |= L2CAP_CONN_RNR_SENT;
-                l2cap_send_sframe(pi, control);
+                l2cap_send_sframe(chan, control);
                return;
        }
-        if (l2cap_ertm_send(sk) > 0)
+        if (l2cap_ertm_send(chan) > 0)
                return;
        control |= L2CAP_SUPER_RCV_READY;
-        l2cap_send_sframe(pi, control);
+        l2cap_send_sframe(chan, control);
 }
-static void l2cap_send_srejtail(struct sock *sk)
+static void l2cap_send_srejtail(struct l2cap_chan *chan)
 {
        struct srej_list *tail;
        u16 control;
@@ -1175,15 +1263,15 @@ static void l2cap_send_srejtail(struct sock *sk)
        control = L2CAP_SUPER_SELECT_REJECT;
        control |= L2CAP_CTRL_FINAL;
-        tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
+        tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
        control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        l2cap_send_sframe(l2cap_pi(sk), control);
+        l2cap_send_sframe(chan, control);
 }
 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
        struct sk_buff **frag;
        int err, sent = 0;
@@ -1213,9 +1301,10 @@ static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, in
        return sent;
 }
-struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
+struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
        struct sk_buff *skb;
        int err, count, hlen = L2CAP_HDR_SIZE + 2;
        struct l2cap_hdr *lh;
@@ -1230,9 +1319,9 @@ struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, s
        /* Create L2CAP header */
        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
+        lh->cid = cpu_to_le16(chan->dcid);
        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
-        put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
+        put_unaligned_le16(chan->psm, skb_put(skb, 2));
        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
        if (unlikely(err < 0)) {
@@ -1242,9 +1331,10 @@ struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, s
        return skb;
 }
-struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
+struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
        struct sk_buff *skb;
        int err, count, hlen = L2CAP_HDR_SIZE;
        struct l2cap_hdr *lh;
@@ -1259,7 +1349,7 @@ struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size
        /* Create L2CAP header */
        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
+        lh->cid = cpu_to_le16(chan->dcid);
        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
@@ -1270,9 +1360,10 @@ struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size
        return skb;
 }
-struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
+struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
        struct sk_buff *skb;
        int err, count, hlen = L2CAP_HDR_SIZE + 2;
        struct l2cap_hdr *lh;
@@ -1285,7 +1376,7 @@ struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, siz
        if (sdulen)
                hlen += 2;
-        if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
+        if (chan->fcs == L2CAP_FCS_CRC16)
                hlen += 2;
        count = min_t(unsigned int, (conn->mtu - hlen), len);
@@ -1296,7 +1387,7 @@ struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, siz
        /* Create L2CAP header */
        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
+        lh->cid = cpu_to_le16(chan->dcid);
        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
        put_unaligned_le16(control, skb_put(skb, 2));
        if (sdulen)
@@ -1308,16 +1399,15 @@ struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, siz
                return ERR_PTR(err);
        }
-        if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
+        if (chan->fcs == L2CAP_FCS_CRC16)
                put_unaligned_le16(0, skb_put(skb, 2));
        bt_cb(skb)->retries = 0;
        return skb;
 }
-int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
+int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct sk_buff *skb;
        struct sk_buff_head sar_queue;
        u16 control;
@@ -1325,26 +1415,26 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
        skb_queue_head_init(&sar_queue);
        control = L2CAP_SDU_START;
-        skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
+        skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
        if (IS_ERR(skb))
                return PTR_ERR(skb);
        __skb_queue_tail(&sar_queue, skb);
-        len -= pi->remote_mps;
+        len -= chan->remote_mps;
-        size += pi->remote_mps;
+        size += chan->remote_mps;
        while (len > 0) {
                size_t buflen;
-                if (len > pi->remote_mps) {
+                if (len > chan->remote_mps) {
                        control = L2CAP_SDU_CONTINUE;
-                        buflen = pi->remote_mps;
+                        buflen = chan->remote_mps;
                } else {
                        control = L2CAP_SDU_END;
                        buflen = len;
                }
-                skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
+                skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
                if (IS_ERR(skb)) {
                        skb_queue_purge(&sar_queue);
                        return PTR_ERR(skb);
@@ -1354,9 +1444,9 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
                len -= buflen;
                size += buflen;
        }
-        skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
+        skb_queue_splice_tail(&sar_queue, &chan->tx_q);
-        if (sk->sk_send_head == NULL)
+        if (chan->tx_send_head == NULL)
-                sk->sk_send_head = sar_queue.next;
+                chan->tx_send_head = sar_queue.next;
        return size;
 }
@@ -1364,10 +1454,11 @@ int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
 static void l2cap_chan_ready(struct sock *sk)
 {
        struct sock *parent = bt_sk(sk)->parent;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        BT_DBG("sk %p, parent %p", sk, parent);
-        l2cap_pi(sk)->conf_state = 0;
+        chan->conf_state = 0;
        l2cap_sock_clear_timer(sk);
        if (!parent) {
@@ -1387,14 +1478,14 @@ static void l2cap_chan_ready(struct sock *sk)
 /* Copy frame to all raw sockets on that connection */
 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
 {
-        struct l2cap_chan_list *l = &conn->chan_list;
        struct sk_buff *nskb;
-        struct sock *sk;
+        struct l2cap_chan *chan;
        BT_DBG("conn %p", conn);
-        read_lock(&l->lock);
+        read_lock(&conn->chan_lock);
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
+        list_for_each_entry(chan, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
                if (sk->sk_type != SOCK_RAW)
                        continue;
@@ -1408,7 +1499,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
                if (sock_queue_rcv_skb(sk, nskb))
                        kfree_skb(nskb);
        }
-        read_unlock(&l->lock);
+        read_unlock(&conn->chan_lock);
 }
 /* ---- L2CAP signalling commands ---- */
@@ -1540,32 +1631,35 @@ static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
 static void l2cap_ack_timeout(unsigned long arg)
 {
-        struct sock *sk = (void *) arg;
+        struct l2cap_chan *chan = (void *) arg;
-        bh_lock_sock(sk);
+        bh_lock_sock(chan->sk);
-        l2cap_send_ack(l2cap_pi(sk));
+        l2cap_send_ack(chan);
-        bh_unlock_sock(sk);
+        bh_unlock_sock(chan->sk);
 }
-static inline void l2cap_ertm_init(struct sock *sk)
+static inline void l2cap_ertm_init(struct l2cap_chan *chan)
 {
-        l2cap_pi(sk)->expected_ack_seq = 0;
+        struct sock *sk = chan->sk;
-        l2cap_pi(sk)->unacked_frames = 0;
-        l2cap_pi(sk)->buffer_seq = 0;
+        chan->expected_ack_seq = 0;
-        l2cap_pi(sk)->num_acked = 0;
+        chan->unacked_frames = 0;
-        l2cap_pi(sk)->frames_sent = 0;
+        chan->buffer_seq = 0;
+        chan->num_acked = 0;
+        chan->frames_sent = 0;
+        setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
+                                                        (unsigned long) chan);
+        setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
+                                                        (unsigned long) chan);
+        setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
-        setup_timer(&l2cap_pi(sk)->retrans_timer,
+        skb_queue_head_init(&chan->srej_q);
-                        l2cap_retrans_timeout, (unsigned long) sk);
+        skb_queue_head_init(&chan->busy_q);
-        setup_timer(&l2cap_pi(sk)->monitor_timer,
-                        l2cap_monitor_timeout, (unsigned long) sk);
-        setup_timer(&l2cap_pi(sk)->ack_timer,
-                        l2cap_ack_timeout, (unsigned long) sk);
-        __skb_queue_head_init(SREJ_QUEUE(sk));
+        INIT_LIST_HEAD(&chan->srej_l);
-        __skb_queue_head_init(BUSY_QUEUE(sk));
-        INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
+        INIT_WORK(&chan->busy_work, l2cap_busy_work);
        sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
 }
@@ -1583,38 +1677,37 @@ static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
        }
 }
-int l2cap_build_conf_req(struct sock *sk, void *data)
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct l2cap_conf_req *req = data;
-        struct l2cap_conf_rfc rfc = { .mode = pi->mode };
+        struct l2cap_conf_rfc rfc = { .mode = chan->mode };
        void *ptr = req->data;
-        BT_DBG("sk %p", sk);
+        BT_DBG("chan %p", chan);
-        if (pi->num_conf_req || pi->num_conf_rsp)
+        if (chan->num_conf_req || chan->num_conf_rsp)
                goto done;
-        switch (pi->mode) {
+        switch (chan->mode) {
        case L2CAP_MODE_STREAMING:
        case L2CAP_MODE_ERTM:
-                if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
+                if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
                        break;
                /* fall through */
        default:
-                pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
+                chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
                break;
        }
 done:
-        if (pi->imtu != L2CAP_DEFAULT_MTU)
+        if (chan->imtu != L2CAP_DEFAULT_MTU)
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
-        switch (pi->mode) {
+        switch (chan->mode) {
        case L2CAP_MODE_BASIC:
-                if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
+                if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
-                                !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
+                                !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
                        break;
                rfc.mode            = L2CAP_MODE_BASIC;
@@ -1630,24 +1723,24 @@ done:
        case L2CAP_MODE_ERTM:
                rfc.mode            = L2CAP_MODE_ERTM;
-                rfc.txwin_size      = pi->tx_win;
+                rfc.txwin_size      = chan->tx_win;
-                rfc.max_transmit    = pi->max_tx;
+                rfc.max_transmit    = chan->max_tx;
                rfc.retrans_timeout = 0;
                rfc.monitor_timeout = 0;
                rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
-                if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
+                if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
-                        rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
+                        rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
                                                        (unsigned long) &rfc);
-                if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
+                if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
                        break;
-                if (pi->fcs == L2CAP_FCS_NONE ||
+                if (chan->fcs == L2CAP_FCS_NONE ||
-                                pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
+                                chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
-                        pi->fcs = L2CAP_FCS_NONE;
+                        chan->fcs = L2CAP_FCS_NONE;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
                }
                break;
@@ -1658,43 +1751,42 @@ done:
                rfc.retrans_timeout = 0;
                rfc.monitor_timeout = 0;
                rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
-                if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
+                if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
-                        rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
+                        rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
                                                        (unsigned long) &rfc);
-                if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
+                if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
                        break;
-                if (pi->fcs == L2CAP_FCS_NONE ||
+                if (chan->fcs == L2CAP_FCS_NONE ||
-                                pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
+                                chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
-                        pi->fcs = L2CAP_FCS_NONE;
+                        chan->fcs = L2CAP_FCS_NONE;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
                }
                break;
        }
-        req->dcid  = cpu_to_le16(pi->dcid);
+        req->dcid  = cpu_to_le16(chan->dcid);
        req->flags = cpu_to_le16(0);
        return ptr - data;
 }
-static int l2cap_parse_conf_req(struct sock *sk, void *data)
+static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct l2cap_conf_rsp *rsp = data;
        void *ptr = rsp->data;
-        void *req = pi->conf_req;
+        void *req = chan->conf_req;
-        int len = pi->conf_len;
+        int len = chan->conf_len;
        int type, hint, olen;
        unsigned long val;
        struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
        u16 mtu = L2CAP_DEFAULT_MTU;
        u16 result = L2CAP_CONF_SUCCESS;
-        BT_DBG("sk %p", sk);
+        BT_DBG("chan %p", chan);
        while (len >= L2CAP_CONF_OPT_SIZE) {
                len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
@@ -1708,7 +1800,7 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
                        break;
                case L2CAP_CONF_FLUSH_TO:
-                        pi->flush_to = val;
+                        chan->flush_to = val;
                        break;
                case L2CAP_CONF_QOS:
@@ -1721,7 +1813,7 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
                case L2CAP_CONF_FCS:
                        if (val == L2CAP_FCS_NONE)
-                                pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
+                                chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
                        break;
@@ -1735,30 +1827,30 @@ static int l2cap_parse_conf_req(struct sock *sk, void *data)
                }
        }
-        if (pi->num_conf_rsp || pi->num_conf_req > 1)
+        if (chan->num_conf_rsp || chan->num_conf_req > 1)
                goto done;
-        switch (pi->mode) {
+        switch (chan->mode) {
        case L2CAP_MODE_STREAMING:
        case L2CAP_MODE_ERTM:
-                if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
+                if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
-                        pi->mode = l2cap_select_mode(rfc.mode,
+                        chan->mode = l2cap_select_mode(rfc.mode,
-                                        pi->conn->feat_mask);
+                                        chan->conn->feat_mask);
                        break;
                }
-                if (pi->mode != rfc.mode)
+                if (chan->mode != rfc.mode)
                        return -ECONNREFUSED;
                break;
        }
 done:
-        if (pi->mode != rfc.mode) {
+        if (chan->mode != rfc.mode) {
                result = L2CAP_CONF_UNACCEPT;
-                rfc.mode = pi->mode;
+                rfc.mode = chan->mode;
-                if (pi->num_conf_rsp == 1)
+                if (chan->num_conf_rsp == 1)
                        return -ECONNREFUSED;
                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
@@ -1773,32 +1865,32 @@ done:
                if (mtu < L2CAP_DEFAULT_MIN_MTU)
                        result = L2CAP_CONF_UNACCEPT;
                else {
-                        pi->omtu = mtu;
+                        chan->omtu = mtu;
-                        pi->conf_state |= L2CAP_CONF_MTU_DONE;
+                        chan->conf_state |= L2CAP_CONF_MTU_DONE;
                }
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
                switch (rfc.mode) {
                case L2CAP_MODE_BASIC:
-                        pi->fcs = L2CAP_FCS_NONE;
+                        chan->fcs = L2CAP_FCS_NONE;
-                        pi->conf_state |= L2CAP_CONF_MODE_DONE;
+                        chan->conf_state |= L2CAP_CONF_MODE_DONE;
                        break;
                case L2CAP_MODE_ERTM:
-                        pi->remote_tx_win = rfc.txwin_size;
+                        chan->remote_tx_win = rfc.txwin_size;
-                        pi->remote_max_tx = rfc.max_transmit;
+                        chan->remote_max_tx = rfc.max_transmit;
-                        if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
+                        if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
-                                rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
+                                rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
-                        pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
+                        chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
                        rfc.retrans_timeout =
                                le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
                        rfc.monitor_timeout =
                                le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
-                        pi->conf_state |= L2CAP_CONF_MODE_DONE;
+                        chan->conf_state |= L2CAP_CONF_MODE_DONE;
                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
                                        sizeof(rfc), (unsigned long) &rfc);
@@ -1806,12 +1898,12 @@ done:
                        break;
                case L2CAP_MODE_STREAMING:
-                        if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
+                        if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
-                                rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
+                                rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
-                        pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
+                        chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
-                        pi->conf_state |= L2CAP_CONF_MODE_DONE;
+                        chan->conf_state |= L2CAP_CONF_MODE_DONE;
                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
                                        sizeof(rfc), (unsigned long) &rfc);
@@ -1822,29 +1914,28 @@ done:
                        result = L2CAP_CONF_UNACCEPT;
                        memset(&rfc, 0, sizeof(rfc));
-                        rfc.mode = pi->mode;
+                        rfc.mode = chan->mode;
                }
                if (result == L2CAP_CONF_SUCCESS)
-                        pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
+                        chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
        }
-        rsp->scid   = cpu_to_le16(pi->dcid);
+        rsp->scid   = cpu_to_le16(chan->dcid);
        rsp->result = cpu_to_le16(result);
        rsp->flags  = cpu_to_le16(0x0000);
        return ptr - data;
 }
-static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
+static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct l2cap_conf_req *req = data;
        void *ptr = req->data;
        int type, olen;
        unsigned long val;
        struct l2cap_conf_rfc rfc;
-        BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
+        BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
        while (len >= L2CAP_CONF_OPT_SIZE) {
                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
@@ -1853,27 +1944,27 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
                case L2CAP_CONF_MTU:
                        if (val < L2CAP_DEFAULT_MIN_MTU) {
                                *result = L2CAP_CONF_UNACCEPT;
-                                pi->imtu = L2CAP_DEFAULT_MIN_MTU;
+                                chan->imtu = L2CAP_DEFAULT_MIN_MTU;
                        } else
-                                pi->imtu = val;
+                                chan->imtu = val;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
                        break;
                case L2CAP_CONF_FLUSH_TO:
-                        pi->flush_to = val;
+                        chan->flush_to = val;
                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
-                                                        2, pi->flush_to);
+                                                        2, chan->flush_to);
                        break;
                case L2CAP_CONF_RFC:
                        if (olen == sizeof(rfc))
                                memcpy(&rfc, (void *)val, olen);
-                        if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
+                        if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
-                                                        rfc.mode != pi->mode)
+                                                        rfc.mode != chan->mode)
                                return -ECONNREFUSED;
-                        pi->fcs = 0;
+                        chan->fcs = 0;
                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
                                        sizeof(rfc), (unsigned long) &rfc);
@@ -1881,53 +1972,74 @@ static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data,
                }
        }
-        if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
+        if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
                return -ECONNREFUSED;
-        pi->mode = rfc.mode;
+        chan->mode = rfc.mode;
        if (*result == L2CAP_CONF_SUCCESS) {
                switch (rfc.mode) {
                case L2CAP_MODE_ERTM:
-                        pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
+                        chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
-                        pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
+                        chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
-                        pi->mps    = le16_to_cpu(rfc.max_pdu_size);
+                        chan->mps    = le16_to_cpu(rfc.max_pdu_size);
                        break;
                case L2CAP_MODE_STREAMING:
-                        pi->mps    = le16_to_cpu(rfc.max_pdu_size);
+                        chan->mps    = le16_to_cpu(rfc.max_pdu_size);
                }
        }
-        req->dcid   = cpu_to_le16(pi->dcid);
+        req->dcid   = cpu_to_le16(chan->dcid);
        req->flags  = cpu_to_le16(0x0000);
        return ptr - data;
 }
-static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
+static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
 {
        struct l2cap_conf_rsp *rsp = data;
        void *ptr = rsp->data;
-        BT_DBG("sk %p", sk);
+        BT_DBG("chan %p", chan);
-        rsp->scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
+        rsp->scid   = cpu_to_le16(chan->dcid);
        rsp->result = cpu_to_le16(result);
        rsp->flags  = cpu_to_le16(flags);
        return ptr - data;
 }
-static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
+void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
+{
+        struct l2cap_conn_rsp rsp;
+        struct l2cap_conn *conn = chan->conn;
+        u8 buf[128];
+        rsp.scid   = cpu_to_le16(chan->dcid);
+        rsp.dcid   = cpu_to_le16(chan->scid);
+        rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
+        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
+        l2cap_send_cmd(conn, chan->ident,
+                                L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+        if (chan->conf_state & L2CAP_CONF_REQ_SENT)
+                return;
+        chan->conf_state |= L2CAP_CONF_REQ_SENT;
+        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+                        l2cap_build_conf_req(chan, buf), buf);
+        chan->num_conf_req++;
+}
+static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        int type, olen;
        unsigned long val;
        struct l2cap_conf_rfc rfc;
-        BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
+        BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
-        if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
+        if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
                return;
        while (len >= L2CAP_CONF_OPT_SIZE) {
@@ -1944,12 +2056,12 @@ static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
 done:
        switch (rfc.mode) {
        case L2CAP_MODE_ERTM:
-                pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
+                chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
-                pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
+                chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
-                pi->mps    = le16_to_cpu(rfc.max_pdu_size);
+                chan->mps    = le16_to_cpu(rfc.max_pdu_size);
                break;
        case L2CAP_MODE_STREAMING:
-                pi->mps    = le16_to_cpu(rfc.max_pdu_size);
+                chan->mps    = le16_to_cpu(rfc.max_pdu_size);
        }
 }
@@ -1975,9 +2087,9 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
 {
-        struct l2cap_chan_list *list = &conn->chan_list;
        struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
        struct l2cap_conn_rsp rsp;
+        struct l2cap_chan *chan = NULL, *pchan;
        struct sock *parent, *sk = NULL;
        int result, status = L2CAP_CS_NO_INFO;
@@ -1987,12 +2099,14 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
        BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
        /* Check if we have socket listening on psm */
-        parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
+        pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
-        if (!parent) {
+        if (!pchan) {
                result = L2CAP_CR_BAD_PSM;
                goto sendresp;
        }
+        parent = pchan->sk;
        bh_lock_sock(parent);
        /* Check if the ACL is secure enough (if not SDP) */
@@ -2015,11 +2129,19 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
        if (!sk)
                goto response;
-        write_lock_bh(&list->lock);
+        chan = l2cap_chan_create(sk);
+        if (!chan) {
+                l2cap_sock_kill(sk);
+                goto response;
+        }
+        l2cap_pi(sk)->chan = chan;
+        write_lock_bh(&conn->chan_lock);
        /* Check if we already have channel with that dcid */
-        if (__l2cap_get_chan_by_dcid(list, scid)) {
+        if (__l2cap_get_chan_by_dcid(conn, scid)) {
-                write_unlock_bh(&list->lock);
+                write_unlock_bh(&conn->chan_lock);
                sock_set_flag(sk, SOCK_ZAPPED);
                l2cap_sock_kill(sk);
                goto response;
@@ -2030,18 +2152,21 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
        l2cap_sock_init(sk, parent);
        bacpy(&bt_sk(sk)->src, conn->src);
        bacpy(&bt_sk(sk)->dst, conn->dst);
-        l2cap_pi(sk)->psm  = psm;
+        chan->psm  = psm;
-        l2cap_pi(sk)->dcid = scid;
+        chan->dcid = scid;
+        bt_accept_enqueue(parent, sk);
+        __l2cap_chan_add(conn, chan);
-        __l2cap_chan_add(conn, sk, parent);
+        dcid = chan->scid;
-        dcid = l2cap_pi(sk)->scid;
        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
-        l2cap_pi(sk)->ident = cmd->ident;
+        chan->ident = cmd->ident;
        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
-                if (l2cap_check_security(sk)) {
+                if (l2cap_check_security(chan)) {
                        if (bt_sk(sk)->defer_setup) {
                                sk->sk_state = BT_CONNECT2;
                                result = L2CAP_CR_PEND;
@@ -2063,7 +2188,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
                status = L2CAP_CS_NO_INFO;
        }
-        write_unlock_bh(&list->lock);
+        write_unlock_bh(&conn->chan_lock);
 response:
        bh_unlock_sock(parent);
@@ -2089,13 +2214,13 @@ sendresp:
                                        L2CAP_INFO_REQ, sizeof(info), &info);
        }
-        if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
+        if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
                                result == L2CAP_CR_SUCCESS) {
                u8 buf[128];
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
+                chan->conf_state |= L2CAP_CONF_REQ_SENT;
                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(sk, buf), buf);
+                                        l2cap_build_conf_req(chan, buf), buf);
-                l2cap_pi(sk)->num_conf_req++;
+                chan->num_conf_req++;
        }
        return 0;
@@ -2105,6 +2230,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
 {
        struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
        u16 scid, dcid, result, status;
+        struct l2cap_chan *chan;
        struct sock *sk;
        u8 req[128];
@@ -2116,34 +2242,36 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
        BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
        if (scid) {
-                sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
+                chan = l2cap_get_chan_by_scid(conn, scid);
-                if (!sk)
+                if (!chan)
                        return -EFAULT;
        } else {
-                sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
+                chan = l2cap_get_chan_by_ident(conn, cmd->ident);
-                if (!sk)
+                if (!chan)
                        return -EFAULT;
        }
+        sk = chan->sk;
        switch (result) {
        case L2CAP_CR_SUCCESS:
                sk->sk_state = BT_CONFIG;
-                l2cap_pi(sk)->ident = 0;
+                chan->ident = 0;
-                l2cap_pi(sk)->dcid = dcid;
+                chan->dcid = dcid;
-                l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
+                chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
-                if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
+                if (chan->conf_state & L2CAP_CONF_REQ_SENT)
                        break;
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
+                chan->conf_state |= L2CAP_CONF_REQ_SENT;
                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(sk, req), req);
+                                        l2cap_build_conf_req(chan, req), req);
-                l2cap_pi(sk)->num_conf_req++;
+                chan->num_conf_req++;
                break;
        case L2CAP_CR_PEND:
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
                break;
        default:
@@ -2155,7 +2283,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
                        break;
                }
-                l2cap_chan_del(sk, ECONNREFUSED);
+                l2cap_chan_del(chan, ECONNREFUSED);
                break;
        }
@@ -2163,15 +2291,17 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
        return 0;
 }
-static inline void set_default_fcs(struct l2cap_pinfo *pi)
+static inline void set_default_fcs(struct l2cap_chan *chan)
 {
+        struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
        /* FCS is enabled only in ERTM or streaming mode, if one or both
         * sides request it.
         */
-        if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
+        if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
-                pi->fcs = L2CAP_FCS_NONE;
+                chan->fcs = L2CAP_FCS_NONE;
-        else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
+        else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
-                pi->fcs = L2CAP_FCS_CRC16;
+                chan->fcs = L2CAP_FCS_CRC16;
 }
 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
@@ -2179,6 +2309,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
        struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
        u16 dcid, flags;
        u8 rsp[64];
+        struct l2cap_chan *chan;
        struct sock *sk;
        int len;
@@ -2187,11 +2318,13 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
        BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
+        chan = l2cap_get_chan_by_scid(conn, dcid);
-        if (!sk)
+        if (!chan)
                return -ENOENT;
-        if (sk->sk_state != BT_CONFIG) {
+        sk = chan->sk;
+        if (sk->sk_state != BT_CONFIG && sk->sk_state != BT_CONNECT2) {
                struct l2cap_cmd_rej rej;
                rej.reason = cpu_to_le16(0x0002);
@@ -2202,62 +2335,62 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
        /* Reject if config buffer is too small. */
        len = cmd_len - sizeof(*req);
-        if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+        if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                l2cap_build_conf_rsp(sk, rsp,
+                                l2cap_build_conf_rsp(chan, rsp,
                                        L2CAP_CONF_REJECT, flags), rsp);
                goto unlock;
        }
        /* Store config. */
-        memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
+        memcpy(chan->conf_req + chan->conf_len, req->data, len);
-        l2cap_pi(sk)->conf_len += len;
+        chan->conf_len += len;
        if (flags & 0x0001) {
                /* Incomplete config. Send empty response. */
                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                l2cap_build_conf_rsp(sk, rsp,
+                                l2cap_build_conf_rsp(chan, rsp,
                                        L2CAP_CONF_SUCCESS, 0x0001), rsp);
                goto unlock;
        }
        /* Complete config. */
-        len = l2cap_parse_conf_req(sk, rsp);
+        len = l2cap_parse_conf_req(chan, rsp);
        if (len < 0) {
-                l2cap_send_disconn_req(conn, sk, ECONNRESET);
+                l2cap_send_disconn_req(conn, chan, ECONNRESET);
                goto unlock;
        }
        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
-        l2cap_pi(sk)->num_conf_rsp++;
+        chan->num_conf_rsp++;
        /* Reset config buffer. */
-        l2cap_pi(sk)->conf_len = 0;
+        chan->conf_len = 0;
-        if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
+        if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
                goto unlock;
-        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
+        if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
-                set_default_fcs(l2cap_pi(sk));
+                set_default_fcs(chan);
                sk->sk_state = BT_CONNECTED;
-                l2cap_pi(sk)->next_tx_seq = 0;
+                chan->next_tx_seq = 0;
-                l2cap_pi(sk)->expected_tx_seq = 0;
+                chan->expected_tx_seq = 0;
-                __skb_queue_head_init(TX_QUEUE(sk));
+                skb_queue_head_init(&chan->tx_q);
-                if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
+                if (chan->mode == L2CAP_MODE_ERTM)
-                        l2cap_ertm_init(sk);
+                        l2cap_ertm_init(chan);
                l2cap_chan_ready(sk);
                goto unlock;
        }
-        if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
+        if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
                u8 buf[64];
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
+                chan->conf_state |= L2CAP_CONF_REQ_SENT;
                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(sk, buf), buf);
+                                        l2cap_build_conf_req(chan, buf), buf);
-                l2cap_pi(sk)->num_conf_req++;
+                chan->num_conf_req++;
        }
 unlock:
@@ -2269,6 +2402,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
 {
        struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
        u16 scid, flags, result;
+        struct l2cap_chan *chan;
        struct sock *sk;
        int len = cmd->len - sizeof(*rsp);
@@ -2279,36 +2413,38 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
        BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
                        scid, flags, result);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
+        chan = l2cap_get_chan_by_scid(conn, scid);
-        if (!sk)
+        if (!chan)
                return 0;
+        sk = chan->sk;
        switch (result) {
        case L2CAP_CONF_SUCCESS:
-                l2cap_conf_rfc_get(sk, rsp->data, len);
+                l2cap_conf_rfc_get(chan, rsp->data, len);
                break;
        case L2CAP_CONF_UNACCEPT:
-                if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
+                if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
                        char req[64];
                        if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
-                                l2cap_send_disconn_req(conn, sk, ECONNRESET);
+                                l2cap_send_disconn_req(conn, chan, ECONNRESET);
                                goto done;
                        }
                        /* throw out any old stored conf requests */
                        result = L2CAP_CONF_SUCCESS;
-                        len = l2cap_parse_conf_rsp(sk, rsp->data,
+                        len = l2cap_parse_conf_rsp(chan, rsp->data, len,
-                                                        len, req, &result);
+                                                                req, &result);
                        if (len < 0) {
-                                l2cap_send_disconn_req(conn, sk, ECONNRESET);
+                                l2cap_send_disconn_req(conn, chan, ECONNRESET);
                                goto done;
                        }
                        l2cap_send_cmd(conn, l2cap_get_ident(conn),
                                                L2CAP_CONF_REQ, len, req);
-                        l2cap_pi(sk)->num_conf_req++;
+                        chan->num_conf_req++;
                        if (result != L2CAP_CONF_SUCCESS)
                                goto done;
                        break;
@@ -2317,24 +2453,24 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
        default:
                sk->sk_err = ECONNRESET;
                l2cap_sock_set_timer(sk, HZ * 5);
-                l2cap_send_disconn_req(conn, sk, ECONNRESET);
+                l2cap_send_disconn_req(conn, chan, ECONNRESET);
                goto done;
        }
        if (flags & 0x01)
                goto done;
-        l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
+        chan->conf_state |= L2CAP_CONF_INPUT_DONE;
-        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
+        if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
-                set_default_fcs(l2cap_pi(sk));
+                set_default_fcs(chan);
                sk->sk_state = BT_CONNECTED;
-                l2cap_pi(sk)->next_tx_seq = 0;
+                chan->next_tx_seq = 0;
-                l2cap_pi(sk)->expected_tx_seq = 0;
+                chan->expected_tx_seq = 0;
-                __skb_queue_head_init(TX_QUEUE(sk));
+                skb_queue_head_init(&chan->tx_q);
-                if (l2cap_pi(sk)->mode ==  L2CAP_MODE_ERTM)
+                if (chan->mode ==  L2CAP_MODE_ERTM)
-                        l2cap_ertm_init(sk);
+                        l2cap_ertm_init(chan);
                l2cap_chan_ready(sk);
        }
@@ -2349,6 +2485,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
        struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
        struct l2cap_disconn_rsp rsp;
        u16 dcid, scid;
+        struct l2cap_chan *chan;
        struct sock *sk;
        scid = __le16_to_cpu(req->scid);
@@ -2356,12 +2493,14 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
        BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
+        chan = l2cap_get_chan_by_scid(conn, dcid);
-        if (!sk)
+        if (!chan)
                return 0;
-        rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
+        sk = chan->sk;
-        rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
+        rsp.dcid = cpu_to_le16(chan->scid);
+        rsp.scid = cpu_to_le16(chan->dcid);
        l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
        sk->sk_shutdown = SHUTDOWN_MASK;
@@ -2375,7 +2514,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
                return 0;
        }
-        l2cap_chan_del(sk, ECONNRESET);
+        l2cap_chan_del(chan, ECONNRESET);
        bh_unlock_sock(sk);
        l2cap_sock_kill(sk);
@@ -2386,6 +2525,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
 {
        struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
        u16 dcid, scid;
+        struct l2cap_chan *chan;
        struct sock *sk;
        scid = __le16_to_cpu(rsp->scid);
@@ -2393,10 +2533,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
        BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
+        chan = l2cap_get_chan_by_scid(conn, scid);
-        if (!sk)
+        if (!chan)
                return 0;
+        sk = chan->sk;
        /* don't delete l2cap channel if sk is owned by user */
        if (sock_owned_by_user(sk)) {
                sk->sk_state = BT_DISCONN;
@@ -2406,7 +2548,7 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
                return 0;
        }
-        l2cap_chan_del(sk, 0);
+        l2cap_chan_del(chan, 0);
        bh_unlock_sock(sk);
        l2cap_sock_kill(sk);
@@ -2463,6 +2605,11 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
        BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
+        /* L2CAP Info req/rsp are unbound to channels, add extra checks */
+        if (cmd->ident != conn->info_ident ||
+                        conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
+                return 0;
        del_timer(&conn->info_timer);
        if (result != L2CAP_IR_SUCCESS) {
@@ -2673,7 +2820,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
                if (err) {
                        struct l2cap_cmd_rej rej;
-                        BT_DBG("error %d", err);
+                        BT_ERR("Wrong link type (%d)", err);
                        /* FIXME: Map err to a valid reason */
                        rej.reason = cpu_to_le16(0);
@@ -2687,12 +2835,12 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
        kfree_skb(skb);
 }
-static int l2cap_check_fcs(struct l2cap_pinfo *pi,  struct sk_buff *skb)
+static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
 {
        u16 our_fcs, rcv_fcs;
        int hdr_size = L2CAP_HDR_SIZE + 2;
-        if (pi->fcs == L2CAP_FCS_CRC16) {
+        if (chan->fcs == L2CAP_FCS_CRC16) {
                skb_trim(skb, skb->len - 2);
                rcv_fcs = get_unaligned_le16(skb->data + skb->len);
                our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
@@ -2703,49 +2851,47 @@ static int l2cap_check_fcs(struct l2cap_pinfo *pi,  struct sk_buff *skb)
        return 0;
 }
-static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
+static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        u16 control = 0;
-        pi->frames_sent = 0;
+        chan->frames_sent = 0;
-        control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
                control |= L2CAP_SUPER_RCV_NOT_READY;
-                l2cap_send_sframe(pi, control);
+                l2cap_send_sframe(chan, control);
-                pi->conn_state |= L2CAP_CONN_RNR_SENT;
+                chan->conn_state |= L2CAP_CONN_RNR_SENT;
        }
-        if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
+        if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
-                l2cap_retransmit_frames(sk);
+                l2cap_retransmit_frames(chan);
-        l2cap_ertm_send(sk);
+        l2cap_ertm_send(chan);
-        if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
+        if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
-                        pi->frames_sent == 0) {
+                        chan->frames_sent == 0) {
                control |= L2CAP_SUPER_RCV_READY;
-                l2cap_send_sframe(pi, control);
+                l2cap_send_sframe(chan, control);
        }
 }
-static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
+static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
 {
        struct sk_buff *next_skb;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        int tx_seq_offset, next_tx_seq_offset;
        bt_cb(skb)->tx_seq = tx_seq;
        bt_cb(skb)->sar = sar;
-        next_skb = skb_peek(SREJ_QUEUE(sk));
+        next_skb = skb_peek(&chan->srej_q);
        if (!next_skb) {
-                __skb_queue_tail(SREJ_QUEUE(sk), skb);
+                __skb_queue_tail(&chan->srej_q, skb);
                return 0;
        }
-        tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
+        tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
        if (tx_seq_offset < 0)
                tx_seq_offset += 64;
@@ -2754,53 +2900,52 @@ static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_s
                        return -EINVAL;
                next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
-                                                pi->buffer_seq) % 64;
+                                                chan->buffer_seq) % 64;
                if (next_tx_seq_offset < 0)
                        next_tx_seq_offset += 64;
                if (next_tx_seq_offset > tx_seq_offset) {
-                        __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
+                        __skb_queue_before(&chan->srej_q, next_skb, skb);
                        return 0;
                }
-                if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
+                if (skb_queue_is_last(&chan->srej_q, next_skb))
                        break;
-        } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
+        } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
-        __skb_queue_tail(SREJ_QUEUE(sk), skb);
+        __skb_queue_tail(&chan->srej_q, skb);
        return 0;
 }
-static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
+static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct sk_buff *_skb;
        int err;
        switch (control & L2CAP_CTRL_SAR) {
        case L2CAP_SDU_UNSEGMENTED:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU)
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU)
                        goto drop;
-                err = sock_queue_rcv_skb(sk, skb);
+                err = sock_queue_rcv_skb(chan->sk, skb);
                if (!err)
                        return err;
                break;
        case L2CAP_SDU_START:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU)
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU)
                        goto drop;
-                pi->sdu_len = get_unaligned_le16(skb->data);
+                chan->sdu_len = get_unaligned_le16(skb->data);
-                if (pi->sdu_len > pi->imtu)
+                if (chan->sdu_len > chan->imtu)
                        goto disconnect;
-                pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
+                chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
-                if (!pi->sdu)
+                if (!chan->sdu)
                        return -ENOMEM;
                /* pull sdu_len bytes only after alloc, because of Local Busy
@@ -2808,63 +2953,63 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
                 * only once, i.e., when alloc does not fail */
                skb_pull(skb, 2);
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
-                pi->conn_state |= L2CAP_CONN_SAR_SDU;
+                chan->conn_state |= L2CAP_CONN_SAR_SDU;
-                pi->partial_sdu_len = skb->len;
+                chan->partial_sdu_len = skb->len;
                break;
        case L2CAP_SDU_CONTINUE:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
                        goto disconnect;
-                if (!pi->sdu)
+                if (!chan->sdu)
                        goto disconnect;
-                pi->partial_sdu_len += skb->len;
+                chan->partial_sdu_len += skb->len;
-                if (pi->partial_sdu_len > pi->sdu_len)
+                if (chan->partial_sdu_len > chan->sdu_len)
                        goto drop;
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
                break;
        case L2CAP_SDU_END:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
                        goto disconnect;
-                if (!pi->sdu)
+                if (!chan->sdu)
                        goto disconnect;
-                if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
+                if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
-                        pi->partial_sdu_len += skb->len;
+                        chan->partial_sdu_len += skb->len;
-                        if (pi->partial_sdu_len > pi->imtu)
+                        if (chan->partial_sdu_len > chan->imtu)
                                goto drop;
-                        if (pi->partial_sdu_len != pi->sdu_len)
+                        if (chan->partial_sdu_len != chan->sdu_len)
                                goto drop;
-                        memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
+                        memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
                }
-                _skb = skb_clone(pi->sdu, GFP_ATOMIC);
+                _skb = skb_clone(chan->sdu, GFP_ATOMIC);
                if (!_skb) {
-                        pi->conn_state |= L2CAP_CONN_SAR_RETRY;
+                        chan->conn_state |= L2CAP_CONN_SAR_RETRY;
                        return -ENOMEM;
                }
-                err = sock_queue_rcv_skb(sk, _skb);
+                err = sock_queue_rcv_skb(chan->sk, _skb);
                if (err < 0) {
                        kfree_skb(_skb);
-                        pi->conn_state |= L2CAP_CONN_SAR_RETRY;
+                        chan->conn_state |= L2CAP_CONN_SAR_RETRY;
                        return err;
                }
-                pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
+                chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
-                pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
+                chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
-                kfree_skb(pi->sdu);
+                kfree_skb(chan->sdu);
                break;
        }
@@ -2872,51 +3017,50 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
        return 0;
 drop:
-        kfree_skb(pi->sdu);
+        kfree_skb(chan->sdu);
-        pi->sdu = NULL;
+        chan->sdu = NULL;
 disconnect:
-        l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
+        l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
        kfree_skb(skb);
        return 0;
 }
-static int l2cap_try_push_rx_skb(struct sock *sk)
+static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct sk_buff *skb;
        u16 control;
        int err;
-        while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
+        while ((skb = skb_dequeue(&chan->busy_q))) {
                control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
-                err = l2cap_ertm_reassembly_sdu(sk, skb, control);
+                err = l2cap_ertm_reassembly_sdu(chan, skb, control);
                if (err < 0) {
-                        skb_queue_head(BUSY_QUEUE(sk), skb);
+                        skb_queue_head(&chan->busy_q, skb);
                        return -EBUSY;
                }
-                pi->buffer_seq = (pi->buffer_seq + 1) % 64;
+                chan->buffer_seq = (chan->buffer_seq + 1) % 64;
        }
-        if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
+        if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
                goto done;
-        control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
        control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
-        l2cap_send_sframe(pi, control);
+        l2cap_send_sframe(chan, control);
-        l2cap_pi(sk)->retry_count = 1;
+        chan->retry_count = 1;
-        del_timer(&pi->retrans_timer);
+        del_timer(&chan->retrans_timer);
        __mod_monitor_timer();
-        l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
+        chan->conn_state |= L2CAP_CONN_WAIT_F;
 done:
-        pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
+        chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
-        pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
+        chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
-        BT_DBG("sk %p, Exit local busy", sk);
+        BT_DBG("chan %p, Exit local busy", chan);
        return 0;
 }
@@ -2924,21 +3068,21 @@ done:
 static void l2cap_busy_work(struct work_struct *work)
 {
        DECLARE_WAITQUEUE(wait, current);
-        struct l2cap_pinfo *pi =
+        struct l2cap_chan *chan =
-                container_of(work, struct l2cap_pinfo, busy_work);
+                container_of(work, struct l2cap_chan, busy_work);
-        struct sock *sk = (struct sock *)pi;
+        struct sock *sk = chan->sk;
        int n_tries = 0, timeo = HZ/5, err;
        struct sk_buff *skb;
        lock_sock(sk);
        add_wait_queue(sk_sleep(sk), &wait);
-        while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
+        while ((skb = skb_peek(&chan->busy_q))) {
                set_current_state(TASK_INTERRUPTIBLE);
                if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
                        err = -EBUSY;
-                        l2cap_send_disconn_req(pi->conn, sk, EBUSY);
+                        l2cap_send_disconn_req(chan->conn, chan, EBUSY);
                        break;
                }
@@ -2958,7 +3102,7 @@ static void l2cap_busy_work(struct work_struct *work)
                if (err)
                        break;
-                if (l2cap_try_push_rx_skb(sk) == 0)
+                if (l2cap_try_push_rx_skb(chan) == 0)
                        break;
        }
@@ -2968,48 +3112,46 @@ static void l2cap_busy_work(struct work_struct *work)
        release_sock(sk);
 }
-static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
+static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        int sctrl, err;
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
                bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
-                __skb_queue_tail(BUSY_QUEUE(sk), skb);
+                __skb_queue_tail(&chan->busy_q, skb);
-                return l2cap_try_push_rx_skb(sk);
+                return l2cap_try_push_rx_skb(chan);
        }
-        err = l2cap_ertm_reassembly_sdu(sk, skb, control);
+        err = l2cap_ertm_reassembly_sdu(chan, skb, control);
        if (err >= 0) {
-                pi->buffer_seq = (pi->buffer_seq + 1) % 64;
+                chan->buffer_seq = (chan->buffer_seq + 1) % 64;
                return err;
        }
        /* Busy Condition */
-        BT_DBG("sk %p, Enter local busy", sk);
+        BT_DBG("chan %p, Enter local busy", chan);
-        pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
+        chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
        bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
-        __skb_queue_tail(BUSY_QUEUE(sk), skb);
+        __skb_queue_tail(&chan->busy_q, skb);
-        sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
        sctrl |= L2CAP_SUPER_RCV_NOT_READY;
-        l2cap_send_sframe(pi, sctrl);
+        l2cap_send_sframe(chan, sctrl);
-        pi->conn_state |= L2CAP_CONN_RNR_SENT;
+        chan->conn_state |= L2CAP_CONN_RNR_SENT;
-        del_timer(&pi->ack_timer);
+        del_timer(&chan->ack_timer);
-        queue_work(_busy_wq, &pi->busy_work);
+        queue_work(_busy_wq, &chan->busy_work);
        return err;
 }
-static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
+static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct sk_buff *_skb;
        int err = -EINVAL;
@@ -3020,80 +3162,80 @@ static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb,
        switch (control & L2CAP_CTRL_SAR) {
        case L2CAP_SDU_UNSEGMENTED:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
-                        kfree_skb(pi->sdu);
+                        kfree_skb(chan->sdu);
                        break;
                }
-                err = sock_queue_rcv_skb(sk, skb);
+                err = sock_queue_rcv_skb(chan->sk, skb);
                if (!err)
                        return 0;
                break;
        case L2CAP_SDU_START:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
-                        kfree_skb(pi->sdu);
+                        kfree_skb(chan->sdu);
                        break;
                }
-                pi->sdu_len = get_unaligned_le16(skb->data);
+                chan->sdu_len = get_unaligned_le16(skb->data);
                skb_pull(skb, 2);
-                if (pi->sdu_len > pi->imtu) {
+                if (chan->sdu_len > chan->imtu) {
                        err = -EMSGSIZE;
                        break;
                }
-                pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
+                chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
-                if (!pi->sdu) {
+                if (!chan->sdu) {
                        err = -ENOMEM;
                        break;
                }
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
-                pi->conn_state |= L2CAP_CONN_SAR_SDU;
+                chan->conn_state |= L2CAP_CONN_SAR_SDU;
-                pi->partial_sdu_len = skb->len;
+                chan->partial_sdu_len = skb->len;
                err = 0;
                break;
        case L2CAP_SDU_CONTINUE:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
                        break;
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
-                pi->partial_sdu_len += skb->len;
+                chan->partial_sdu_len += skb->len;
-                if (pi->partial_sdu_len > pi->sdu_len)
+                if (chan->partial_sdu_len > chan->sdu_len)
-                        kfree_skb(pi->sdu);
+                        kfree_skb(chan->sdu);
                else
                        err = 0;
                break;
        case L2CAP_SDU_END:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
                        break;
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
-                pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
+                chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
-                pi->partial_sdu_len += skb->len;
+                chan->partial_sdu_len += skb->len;
-                if (pi->partial_sdu_len > pi->imtu)
+                if (chan->partial_sdu_len > chan->imtu)
                        goto drop;
-                if (pi->partial_sdu_len == pi->sdu_len) {
+                if (chan->partial_sdu_len == chan->sdu_len) {
-                        _skb = skb_clone(pi->sdu, GFP_ATOMIC);
+                        _skb = skb_clone(chan->sdu, GFP_ATOMIC);
-                        err = sock_queue_rcv_skb(sk, _skb);
+                        err = sock_queue_rcv_skb(chan->sk, _skb);
                        if (err < 0)
                                kfree_skb(_skb);
                }
                err = 0;
 drop:
-                kfree_skb(pi->sdu);
+                kfree_skb(chan->sdu);
                break;
        }
@@ -3101,31 +3243,30 @@ drop:
        return err;
 }
-static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
+static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
 {
        struct sk_buff *skb;
        u16 control;
-        while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
+        while ((skb = skb_peek(&chan->srej_q))) {
                if (bt_cb(skb)->tx_seq != tx_seq)
                        break;
-                skb = skb_dequeue(SREJ_QUEUE(sk));
+                skb = skb_dequeue(&chan->srej_q);
                control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
-                l2cap_ertm_reassembly_sdu(sk, skb, control);
+                l2cap_ertm_reassembly_sdu(chan, skb, control);
-                l2cap_pi(sk)->buffer_seq_srej =
+                chan->buffer_seq_srej =
-                        (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
+                        (chan->buffer_seq_srej + 1) % 64;
                tx_seq = (tx_seq + 1) % 64;
        }
 }
-static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
+static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct srej_list *l, *tmp;
        u16 control;
-        list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
+        list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
                if (l->tx_seq == tx_seq) {
                        list_del(&l->list);
                        kfree(l);
@@ -3133,107 +3274,105 @@ static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
                }
                control = L2CAP_SUPER_SELECT_REJECT;
                control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-                l2cap_send_sframe(pi, control);
+                l2cap_send_sframe(chan, control);
                list_del(&l->list);
-                list_add_tail(&l->list, SREJ_LIST(sk));
+                list_add_tail(&l->list, &chan->srej_l);
        }
 }
-static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
+static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        struct srej_list *new;
        u16 control;
-        while (tx_seq != pi->expected_tx_seq) {
+        while (tx_seq != chan->expected_tx_seq) {
                control = L2CAP_SUPER_SELECT_REJECT;
-                control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+                control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-                l2cap_send_sframe(pi, control);
+                l2cap_send_sframe(chan, control);
                new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
-                new->tx_seq = pi->expected_tx_seq;
+                new->tx_seq = chan->expected_tx_seq;
-                pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
+                chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
-                list_add_tail(&new->list, SREJ_LIST(sk));
+                list_add_tail(&new->list, &chan->srej_l);
        }
-        pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
+        chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
 }
-static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
+static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        u8 tx_seq = __get_txseq(rx_control);
        u8 req_seq = __get_reqseq(rx_control);
        u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
        int tx_seq_offset, expected_tx_seq_offset;
-        int num_to_ack = (pi->tx_win/6) + 1;
+        int num_to_ack = (chan->tx_win/6) + 1;
        int err = 0;
-        BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
+        BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
-                                                                rx_control);
+                                                        tx_seq, rx_control);
        if (L2CAP_CTRL_FINAL & rx_control &&
-                        l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
+                        chan->conn_state & L2CAP_CONN_WAIT_F) {
-                del_timer(&pi->monitor_timer);
+                del_timer(&chan->monitor_timer);
-                if (pi->unacked_frames > 0)
+                if (chan->unacked_frames > 0)
                        __mod_retrans_timer();
-                pi->conn_state &= ~L2CAP_CONN_WAIT_F;
+                chan->conn_state &= ~L2CAP_CONN_WAIT_F;
        }
-        pi->expected_ack_seq = req_seq;
+        chan->expected_ack_seq = req_seq;
-        l2cap_drop_acked_frames(sk);
+        l2cap_drop_acked_frames(chan);
-        if (tx_seq == pi->expected_tx_seq)
+        if (tx_seq == chan->expected_tx_seq)
                goto expected;
-        tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
+        tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
        if (tx_seq_offset < 0)
                tx_seq_offset += 64;
        /* invalid tx_seq */
-        if (tx_seq_offset >= pi->tx_win) {
+        if (tx_seq_offset >= chan->tx_win) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
+                l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
                goto drop;
        }
-        if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
+        if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
                goto drop;
-        if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
+        if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
                struct srej_list *first;
-                first = list_first_entry(SREJ_LIST(sk),
+                first = list_first_entry(&chan->srej_l,
                                struct srej_list, list);
                if (tx_seq == first->tx_seq) {
-                        l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
+                        l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
-                        l2cap_check_srej_gap(sk, tx_seq);
+                        l2cap_check_srej_gap(chan, tx_seq);
                        list_del(&first->list);
                        kfree(first);
-                        if (list_empty(SREJ_LIST(sk))) {
+                        if (list_empty(&chan->srej_l)) {
-                                pi->buffer_seq = pi->buffer_seq_srej;
+                                chan->buffer_seq = chan->buffer_seq_srej;
-                                pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
+                                chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
-                                l2cap_send_ack(pi);
+                                l2cap_send_ack(chan);
-                                BT_DBG("sk %p, Exit SREJ_SENT", sk);
+                                BT_DBG("chan %p, Exit SREJ_SENT", chan);
                        }
                } else {
                        struct srej_list *l;
                        /* duplicated tx_seq */
-                        if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
+                        if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
                                goto drop;
-                        list_for_each_entry(l, SREJ_LIST(sk), list) {
+                        list_for_each_entry(l, &chan->srej_l, list) {
                                if (l->tx_seq == tx_seq) {
-                                        l2cap_resend_srejframe(sk, tx_seq);
+                                        l2cap_resend_srejframe(chan, tx_seq);
                                        return 0;
                                }
                        }
-                        l2cap_send_srejframe(sk, tx_seq);
+                        l2cap_send_srejframe(chan, tx_seq);
                }
        } else {
                expected_tx_seq_offset =
-                        (pi->expected_tx_seq - pi->buffer_seq) % 64;
+                        (chan->expected_tx_seq - chan->buffer_seq) % 64;
                if (expected_tx_seq_offset < 0)
                        expected_tx_seq_offset += 64;
@@ -3241,51 +3380,51 @@ static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, str
                if (tx_seq_offset < expected_tx_seq_offset)
                        goto drop;
-                pi->conn_state |= L2CAP_CONN_SREJ_SENT;
+                chan->conn_state |= L2CAP_CONN_SREJ_SENT;
-                BT_DBG("sk %p, Enter SREJ", sk);
+                BT_DBG("chan %p, Enter SREJ", chan);
-                INIT_LIST_HEAD(SREJ_LIST(sk));
+                INIT_LIST_HEAD(&chan->srej_l);
-                pi->buffer_seq_srej = pi->buffer_seq;
+                chan->buffer_seq_srej = chan->buffer_seq;
-                __skb_queue_head_init(SREJ_QUEUE(sk));
+                __skb_queue_head_init(&chan->srej_q);
-                __skb_queue_head_init(BUSY_QUEUE(sk));
+                __skb_queue_head_init(&chan->busy_q);
-                l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
+                l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
-                pi->conn_state |= L2CAP_CONN_SEND_PBIT;
+                chan->conn_state |= L2CAP_CONN_SEND_PBIT;
-                l2cap_send_srejframe(sk, tx_seq);
+                l2cap_send_srejframe(chan, tx_seq);
-                del_timer(&pi->ack_timer);
+                del_timer(&chan->ack_timer);
        }
        return 0;
 expected:
-        pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
+        chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
-        if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
+        if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
                bt_cb(skb)->tx_seq = tx_seq;
                bt_cb(skb)->sar = sar;
-                __skb_queue_tail(SREJ_QUEUE(sk), skb);
+                __skb_queue_tail(&chan->srej_q, skb);
                return 0;
        }
-        err = l2cap_push_rx_skb(sk, skb, rx_control);
+        err = l2cap_push_rx_skb(chan, skb, rx_control);
        if (err < 0)
                return 0;
        if (rx_control & L2CAP_CTRL_FINAL) {
-                if (pi->conn_state & L2CAP_CONN_REJ_ACT)
+                if (chan->conn_state & L2CAP_CONN_REJ_ACT)
-                        pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
+                        chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
                else
-                        l2cap_retransmit_frames(sk);
+                        l2cap_retransmit_frames(chan);
        }
        __mod_ack_timer();
-        pi->num_acked = (pi->num_acked + 1) % num_to_ack;
+        chan->num_acked = (chan->num_acked + 1) % num_to_ack;
-        if (pi->num_acked == num_to_ack - 1)
+        if (chan->num_acked == num_to_ack - 1)
-                l2cap_send_ack(pi);
+                l2cap_send_ack(chan);
        return 0;
@@ -3294,165 +3433,160 @@ drop:
        return 0;
 }
-static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
+static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
                                                rx_control);
-        pi->expected_ack_seq = __get_reqseq(rx_control);
+        chan->expected_ack_seq = __get_reqseq(rx_control);
-        l2cap_drop_acked_frames(sk);
+        l2cap_drop_acked_frames(chan);
        if (rx_control & L2CAP_CTRL_POLL) {
-                pi->conn_state |= L2CAP_CONN_SEND_FBIT;
+                chan->conn_state |= L2CAP_CONN_SEND_FBIT;
-                if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
+                if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
-                        if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
+                        if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
-                                        (pi->unacked_frames > 0))
+                                        (chan->unacked_frames > 0))
                                __mod_retrans_timer();
-                        pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+                        chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-                        l2cap_send_srejtail(sk);
+                        l2cap_send_srejtail(chan);
                } else {
-                        l2cap_send_i_or_rr_or_rnr(sk);
+                        l2cap_send_i_or_rr_or_rnr(chan);
                }
        } else if (rx_control & L2CAP_CTRL_FINAL) {
-                pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+                chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-                if (pi->conn_state & L2CAP_CONN_REJ_ACT)
+                if (chan->conn_state & L2CAP_CONN_REJ_ACT)
-                        pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
+                        chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
                else
-                        l2cap_retransmit_frames(sk);
+                        l2cap_retransmit_frames(chan);
        } else {
-                if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
+                if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
-                                (pi->unacked_frames > 0))
+                                (chan->unacked_frames > 0))
                        __mod_retrans_timer();
-                pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+                chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-                if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
+                if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
-                        l2cap_send_ack(pi);
+                        l2cap_send_ack(chan);
                else
-                        l2cap_ertm_send(sk);
+                        l2cap_ertm_send(chan);
        }
 }
-static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
+static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        u8 tx_seq = __get_reqseq(rx_control);
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
-        pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+        chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-        pi->expected_ack_seq = tx_seq;
+        chan->expected_ack_seq = tx_seq;
-        l2cap_drop_acked_frames(sk);
+        l2cap_drop_acked_frames(chan);
        if (rx_control & L2CAP_CTRL_FINAL) {
-                if (pi->conn_state & L2CAP_CONN_REJ_ACT)
+                if (chan->conn_state & L2CAP_CONN_REJ_ACT)
-                        pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
+                        chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
                else
-                        l2cap_retransmit_frames(sk);
+                        l2cap_retransmit_frames(chan);
        } else {
-                l2cap_retransmit_frames(sk);
+                l2cap_retransmit_frames(chan);
-                if (pi->conn_state & L2CAP_CONN_WAIT_F)
+                if (chan->conn_state & L2CAP_CONN_WAIT_F)
-                        pi->conn_state |= L2CAP_CONN_REJ_ACT;
+                        chan->conn_state |= L2CAP_CONN_REJ_ACT;
        }
 }
-static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
+static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        u8 tx_seq = __get_reqseq(rx_control);
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
-        pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+        chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
        if (rx_control & L2CAP_CTRL_POLL) {
-                pi->expected_ack_seq = tx_seq;
+                chan->expected_ack_seq = tx_seq;
-                l2cap_drop_acked_frames(sk);
+                l2cap_drop_acked_frames(chan);
-                pi->conn_state |= L2CAP_CONN_SEND_FBIT;
+                chan->conn_state |= L2CAP_CONN_SEND_FBIT;
-                l2cap_retransmit_one_frame(sk, tx_seq);
+                l2cap_retransmit_one_frame(chan, tx_seq);
-                l2cap_ertm_send(sk);
+                l2cap_ertm_send(chan);
-                if (pi->conn_state & L2CAP_CONN_WAIT_F) {
+                if (chan->conn_state & L2CAP_CONN_WAIT_F) {
-                        pi->srej_save_reqseq = tx_seq;
+                        chan->srej_save_reqseq = tx_seq;
-                        pi->conn_state |= L2CAP_CONN_SREJ_ACT;
+                        chan->conn_state |= L2CAP_CONN_SREJ_ACT;
                }
        } else if (rx_control & L2CAP_CTRL_FINAL) {
-                if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
+                if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
-                                pi->srej_save_reqseq == tx_seq)
+                                chan->srej_save_reqseq == tx_seq)
-                        pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
+                        chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
                else
-                        l2cap_retransmit_one_frame(sk, tx_seq);
+                        l2cap_retransmit_one_frame(chan, tx_seq);
        } else {
-                l2cap_retransmit_one_frame(sk, tx_seq);
+                l2cap_retransmit_one_frame(chan, tx_seq);
-                if (pi->conn_state & L2CAP_CONN_WAIT_F) {
+                if (chan->conn_state & L2CAP_CONN_WAIT_F) {
-                        pi->srej_save_reqseq = tx_seq;
+                        chan->srej_save_reqseq = tx_seq;
-                        pi->conn_state |= L2CAP_CONN_SREJ_ACT;
+                        chan->conn_state |= L2CAP_CONN_SREJ_ACT;
                }
        }
 }
-static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
+static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
        u8 tx_seq = __get_reqseq(rx_control);
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
-        pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
+        chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
-        pi->expected_ack_seq = tx_seq;
+        chan->expected_ack_seq = tx_seq;
-        l2cap_drop_acked_frames(sk);
+        l2cap_drop_acked_frames(chan);
        if (rx_control & L2CAP_CTRL_POLL)
-                pi->conn_state |= L2CAP_CONN_SEND_FBIT;
+                chan->conn_state |= L2CAP_CONN_SEND_FBIT;
-        if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
+        if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
-                del_timer(&pi->retrans_timer);
+                del_timer(&chan->retrans_timer);
                if (rx_control & L2CAP_CTRL_POLL)
-                        l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
+                        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
                return;
        }
        if (rx_control & L2CAP_CTRL_POLL)
-                l2cap_send_srejtail(sk);
+                l2cap_send_srejtail(chan);
        else
-                l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
+                l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
 }
-static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
+static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
 {
-        BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
+        BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
        if (L2CAP_CTRL_FINAL & rx_control &&
-                        l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
+                        chan->conn_state & L2CAP_CONN_WAIT_F) {
-                del_timer(&l2cap_pi(sk)->monitor_timer);
+                del_timer(&chan->monitor_timer);
-                if (l2cap_pi(sk)->unacked_frames > 0)
+                if (chan->unacked_frames > 0)
                        __mod_retrans_timer();
-                l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
+                chan->conn_state &= ~L2CAP_CONN_WAIT_F;
        }
        switch (rx_control & L2CAP_CTRL_SUPERVISE) {
        case L2CAP_SUPER_RCV_READY:
-                l2cap_data_channel_rrframe(sk, rx_control);
+                l2cap_data_channel_rrframe(chan, rx_control);
                break;
        case L2CAP_SUPER_REJECT:
-                l2cap_data_channel_rejframe(sk, rx_control);
+                l2cap_data_channel_rejframe(chan, rx_control);
                break;
        case L2CAP_SUPER_SELECT_REJECT:
-                l2cap_data_channel_srejframe(sk, rx_control);
+                l2cap_data_channel_srejframe(chan, rx_control);
                break;
        case L2CAP_SUPER_RCV_NOT_READY:
-                l2cap_data_channel_rnrframe(sk, rx_control);
+                l2cap_data_channel_rnrframe(chan, rx_control);
                break;
        }
@@ -3462,7 +3596,7 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str
 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
 {
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        u16 control;
        u8 req_seq;
        int len, next_tx_seq_offset, req_seq_offset;
@@ -3476,51 +3610,51 @@ static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
         * Receiver will miss it and start proper recovery
         * procedures and ask retransmission.
         */
-        if (l2cap_check_fcs(pi, skb))
+        if (l2cap_check_fcs(chan, skb))
                goto drop;
        if (__is_sar_start(control) && __is_iframe(control))
                len -= 2;
-        if (pi->fcs == L2CAP_FCS_CRC16)
+        if (chan->fcs == L2CAP_FCS_CRC16)
                len -= 2;
-        if (len > pi->mps) {
+        if (len > chan->mps) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
+                l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
                goto drop;
        }
        req_seq = __get_reqseq(control);
-        req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
+        req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
        if (req_seq_offset < 0)
                req_seq_offset += 64;
        next_tx_seq_offset =
-                (pi->next_tx_seq - pi->expected_ack_seq) % 64;
+                (chan->next_tx_seq - chan->expected_ack_seq) % 64;
        if (next_tx_seq_offset < 0)
                next_tx_seq_offset += 64;
        /* check for invalid req-seq */
        if (req_seq_offset > next_tx_seq_offset) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
+                l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
                goto drop;
        }
        if (__is_iframe(control)) {
                if (len < 0) {
-                        l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
+                        l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
                        goto drop;
                }
-                l2cap_data_channel_iframe(sk, control, skb);
+                l2cap_data_channel_iframe(chan, control, skb);
        } else {
                if (len != 0) {
                        BT_ERR("%d", len);
-                        l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
+                        l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
                        goto drop;
                }
-                l2cap_data_channel_sframe(sk, control, skb);
+                l2cap_data_channel_sframe(chan, control, skb);
        }
        return 0;
@@ -3532,33 +3666,35 @@ drop:
 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
 {
-        struct sock *sk;
+        struct l2cap_chan *chan;
+        struct sock *sk = NULL;
        struct l2cap_pinfo *pi;
        u16 control;
        u8 tx_seq;
        int len;
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
+        chan = l2cap_get_chan_by_scid(conn, cid);
-        if (!sk) {
+        if (!chan) {
                BT_DBG("unknown cid 0x%4.4x", cid);
                goto drop;
        }
+        sk = chan->sk;
        pi = l2cap_pi(sk);
-        BT_DBG("sk %p, len %d", sk, skb->len);
+        BT_DBG("chan %p, len %d", chan, skb->len);
        if (sk->sk_state != BT_CONNECTED)
                goto drop;
-        switch (pi->mode) {
+        switch (chan->mode) {
        case L2CAP_MODE_BASIC:
                /* If socket recv buffers overflows we drop data here
                 * which is *bad* because L2CAP has to be reliable.
                 * But we don't have any other choice. L2CAP doesn't
                 * provide flow control mechanism. */
-                if (pi->imtu < skb->len)
+                if (chan->imtu < skb->len)
                        goto drop;
                if (!sock_queue_rcv_skb(sk, skb))
@@ -3580,31 +3716,31 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
                skb_pull(skb, 2);
                len = skb->len;
-                if (l2cap_check_fcs(pi, skb))
+                if (l2cap_check_fcs(chan, skb))
                        goto drop;
                if (__is_sar_start(control))
                        len -= 2;
-                if (pi->fcs == L2CAP_FCS_CRC16)
+                if (chan->fcs == L2CAP_FCS_CRC16)
                        len -= 2;
-                if (len > pi->mps || len < 0 || __is_sframe(control))
+                if (len > chan->mps || len < 0 || __is_sframe(control))
                        goto drop;
                tx_seq = __get_txseq(control);
-                if (pi->expected_tx_seq == tx_seq)
+                if (chan->expected_tx_seq == tx_seq)
-                        pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
+                        chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
                else
-                        pi->expected_tx_seq = (tx_seq + 1) % 64;
+                        chan->expected_tx_seq = (tx_seq + 1) % 64;
-                l2cap_streaming_reassembly_sdu(sk, skb, control);
+                l2cap_streaming_reassembly_sdu(chan, skb, control);
                goto done;
        default:
-                BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
+                BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
                break;
        }
@@ -3620,12 +3756,15 @@ done:
 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
 {
-        struct sock *sk;
+        struct sock *sk = NULL;
+        struct l2cap_chan *chan;
-        sk = l2cap_get_sock_by_psm(0, psm, conn->src);
+        chan = l2cap_global_chan_by_psm(0, psm, conn->src);
-        if (!sk)
+        if (!chan)
                goto drop;
+        sk = chan->sk;
        bh_lock_sock(sk);
        BT_DBG("sk %p, len %d", sk, skb->len);
@@ -3633,7 +3772,40 @@ static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, str
        if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
                goto drop;
-        if (l2cap_pi(sk)->imtu < skb->len)
+        if (l2cap_pi(sk)->chan->imtu < skb->len)
+                goto drop;
+        if (!sock_queue_rcv_skb(sk, skb))
+                goto done;
+drop:
+        kfree_skb(skb);
+done:
+        if (sk)
+                bh_unlock_sock(sk);
+        return 0;
+}
+static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
+{
+        struct sock *sk = NULL;
+        struct l2cap_chan *chan;
+        chan = l2cap_global_chan_by_scid(0, cid, conn->src);
+        if (!chan)
+                goto drop;
+        sk = chan->sk;
+        bh_lock_sock(sk);
+        BT_DBG("sk %p, len %d", sk, skb->len);
+        if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
+                goto drop;
+        if (l2cap_pi(sk)->chan->imtu < skb->len)
                goto drop;
        if (!sock_queue_rcv_skb(sk, skb))
@@ -3677,6 +3849,10 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
                l2cap_conless_channel(conn, psm, skb);
                break;
+        case L2CAP_CID_LE_DATA:
+                l2cap_att_channel(conn, cid, skb);
+                break;
        default:
                l2cap_data_channel(conn, cid, skb);
                break;
@@ -3688,8 +3864,7 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
 {
        int exact = 0, lm1 = 0, lm2 = 0;
-        register struct sock *sk;
+        struct l2cap_chan *c;
-        struct hlist_node *node;
        if (type != ACL_LINK)
                return -EINVAL;
@@ -3697,23 +3872,25 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
        BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
        /* Find listening sockets and check their link_mode */
-        read_lock(&l2cap_sk_list.lock);
+        read_lock(&chan_list_lock);
-        sk_for_each(sk, node, &l2cap_sk_list.head) {
+        list_for_each_entry(c, &chan_list, global_l) {
+                struct sock *sk = c->sk;
                if (sk->sk_state != BT_LISTEN)
                        continue;
                if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
                        lm1 |= HCI_LM_ACCEPT;
-                        if (l2cap_pi(sk)->role_switch)
+                        if (c->role_switch)
                                lm1 |= HCI_LM_MASTER;
                        exact++;
                } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
                        lm2 |= HCI_LM_ACCEPT;
-                        if (l2cap_pi(sk)->role_switch)
+                        if (c->role_switch)
                                lm2 |= HCI_LM_MASTER;
                }
        }
-        read_unlock(&l2cap_sk_list.lock);
+        read_unlock(&chan_list_lock);
        return exact ? lm1 : lm2;
 }
@@ -3761,49 +3938,50 @@ static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
        return 0;
 }
-static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
+static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
 {
+        struct sock *sk = chan->sk;
        if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
                return;
        if (encrypt == 0x00) {
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
+                if (chan->sec_level == BT_SECURITY_MEDIUM) {
                        l2cap_sock_clear_timer(sk);
                        l2cap_sock_set_timer(sk, HZ * 5);
-                } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
+                } else if (chan->sec_level == BT_SECURITY_HIGH)
                        __l2cap_sock_close(sk, ECONNREFUSED);
        } else {
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
+                if (chan->sec_level == BT_SECURITY_MEDIUM)
                        l2cap_sock_clear_timer(sk);
        }
 }
 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
 {
-        struct l2cap_chan_list *l;
        struct l2cap_conn *conn = hcon->l2cap_data;
-        struct sock *sk;
+        struct l2cap_chan *chan;
        if (!conn)
                return 0;
-        l = &conn->chan_list;
        BT_DBG("conn %p", conn);
-        read_lock(&l->lock);
+        read_lock(&conn->chan_lock);
+        list_for_each_entry(chan, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
                bh_lock_sock(sk);
-                if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
+                if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
                        bh_unlock_sock(sk);
                        continue;
                }
                if (!status && (sk->sk_state == BT_CONNECTED ||
                                                sk->sk_state == BT_CONFIG)) {
-                        l2cap_check_encryption(sk, encrypt);
+                        l2cap_check_encryption(chan, encrypt);
                        bh_unlock_sock(sk);
                        continue;
                }
@@ -3811,13 +3989,13 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
                if (sk->sk_state == BT_CONNECT) {
                        if (!status) {
                                struct l2cap_conn_req req;
-                                req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
+                                req.scid = cpu_to_le16(chan->scid);
-                                req.psm  = l2cap_pi(sk)->psm;
+                                req.psm  = chan->psm;
-                                l2cap_pi(sk)->ident = l2cap_get_ident(conn);
+                                chan->ident = l2cap_get_ident(conn);
-                                l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                                chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
-                                l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
+                                l2cap_send_cmd(conn, chan->ident,
                                        L2CAP_CONN_REQ, sizeof(req), &req);
                        } else {
                                l2cap_sock_clear_timer(sk);
@@ -3825,29 +4003,39 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
                        }
                } else if (sk->sk_state == BT_CONNECT2) {
                        struct l2cap_conn_rsp rsp;
-                        __u16 result;
+                        __u16 res, stat;
                        if (!status) {
-                                sk->sk_state = BT_CONFIG;
+                                if (bt_sk(sk)->defer_setup) {
-                                result = L2CAP_CR_SUCCESS;
+                                        struct sock *parent = bt_sk(sk)->parent;
+                                        res = L2CAP_CR_PEND;
+                                        stat = L2CAP_CS_AUTHOR_PEND;
+                                        if (parent)
+                                                parent->sk_data_ready(parent, 0);
+                                } else {
+                                        sk->sk_state = BT_CONFIG;
+                                        res = L2CAP_CR_SUCCESS;
+                                        stat = L2CAP_CS_NO_INFO;
+                                }
                        } else {
                                sk->sk_state = BT_DISCONN;
                                l2cap_sock_set_timer(sk, HZ / 10);
-                                result = L2CAP_CR_SEC_BLOCK;
+                                res = L2CAP_CR_SEC_BLOCK;
+                                stat = L2CAP_CS_NO_INFO;
                        }
-                        rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
+                        rsp.scid   = cpu_to_le16(chan->dcid);
-                        rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
+                        rsp.dcid   = cpu_to_le16(chan->scid);
-                        rsp.result = cpu_to_le16(result);
+                        rsp.result = cpu_to_le16(res);
-                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
+                        rsp.status = cpu_to_le16(stat);
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+                                                        sizeof(rsp), &rsp);
                }
                bh_unlock_sock(sk);
        }
-        read_unlock(&l->lock);
+        read_unlock(&conn->chan_lock);
        return 0;
 }
@@ -3866,7 +4054,7 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
        if (!(flags & ACL_CONT)) {
                struct l2cap_hdr *hdr;
-                struct sock *sk;
+                struct l2cap_chan *chan;
                u16 cid;
                int len;
@@ -3904,18 +4092,21 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
                        goto drop;
                }
-                sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
+                chan = l2cap_get_chan_by_scid(conn, cid);
-                if (sk && l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) {
+                if (chan && chan->sk) {
-                        BT_ERR("Frame exceeding recv MTU (len %d, MTU %d)",
+                        struct sock *sk = chan->sk;
-                                        len, l2cap_pi(sk)->imtu);
-                        bh_unlock_sock(sk);
-                        l2cap_conn_unreliable(conn, ECOMM);
-                        goto drop;
-                }
-                if (sk)
+                        if (chan->imtu < len - L2CAP_HDR_SIZE) {
+                                BT_ERR("Frame exceeding recv MTU (len %d, "
+                                                        "MTU %d)", len,
+                                                        chan->imtu);
+                                bh_unlock_sock(sk);
+                                l2cap_conn_unreliable(conn, ECOMM);
+                                goto drop;
+                        }
                        bh_unlock_sock(sk);
+                }
                /* Allocate skb for the complete frame (with header) */
                conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
@@ -3962,24 +4153,22 @@ drop:
 static int l2cap_debugfs_show(struct seq_file *f, void *p)
 {
-        struct sock *sk;
+        struct l2cap_chan *c;
-        struct hlist_node *node;
-        read_lock_bh(&l2cap_sk_list.lock);
+        read_lock_bh(&chan_list_lock);
-        sk_for_each(sk, node, &l2cap_sk_list.head) {
+        list_for_each_entry(c, &chan_list, global_l) {
-                struct l2cap_pinfo *pi = l2cap_pi(sk);
+                struct sock *sk = c->sk;
                seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
                                        batostr(&bt_sk(sk)->src),
                                        batostr(&bt_sk(sk)->dst),
-                                        sk->sk_state, __le16_to_cpu(pi->psm),
+                                        sk->sk_state, __le16_to_cpu(c->psm),
-                                        pi->scid, pi->dcid,
+                                        c->scid, c->dcid, c->imtu, c->omtu,
-                                        pi->imtu, pi->omtu, pi->sec_level,
+                                        c->sec_level, c->mode);
-                                        pi->mode);
        }
-        read_unlock_bh(&l2cap_sk_list.lock);
+        read_unlock_bh(&chan_list_lock);
        return 0;
 }
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 299fe56a9668..8248303f44e8 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -30,6 +30,8 @@
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/l2cap.h>
+static const struct proto_ops l2cap_sock_ops;
 /* ---- L2CAP timers ---- */
 static void l2cap_sock_timeout(unsigned long arg)
 {
@@ -51,7 +53,7 @@ static void l2cap_sock_timeout(unsigned long arg)
        if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
                reason = ECONNREFUSED;
        else if (sk->sk_state == BT_CONNECT &&
-                                l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
+                        l2cap_pi(sk)->chan->sec_level != BT_SECURITY_SDP)
                reason = ECONNREFUSED;
        else
                reason = ETIMEDOUT;
@@ -76,21 +78,10 @@ void l2cap_sock_clear_timer(struct sock *sk)
        sk_stop_timer(sk, &sk->sk_timer);
 }
-static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
-{
-        struct sock *sk;
-        struct hlist_node *node;
-        sk_for_each(sk, node, &l2cap_sk_list.head)
-                if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
-                        goto found;
-        sk = NULL;
-found:
-        return sk;
-}
 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        struct sockaddr_l2 la;
        int len, err = 0;
@@ -129,26 +120,20 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
                }
        }
-        write_lock_bh(&l2cap_sk_list.lock);
+        if (la.l2_cid)
+                err = l2cap_add_scid(chan, la.l2_cid);
+        else
+                err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
-        if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
+        if (err < 0)
-                err = -EADDRINUSE;
+                goto done;
-        } else {
-                /* Save source address */
-                bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
-                l2cap_pi(sk)->psm   = la.l2_psm;
-                l2cap_pi(sk)->sport = la.l2_psm;
-                sk->sk_state = BT_BOUND;
-                if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
-                                        __le16_to_cpu(la.l2_psm) == 0x0003)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
-        }
-        if (la.l2_cid)
+        if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
-                l2cap_pi(sk)->scid = la.l2_cid;
+                                __le16_to_cpu(la.l2_psm) == 0x0003)
+                chan->sec_level = BT_SECURITY_SDP;
-        write_unlock_bh(&l2cap_sk_list.lock);
+        bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
+        sk->sk_state = BT_BOUND;
 done:
        release_sock(sk);
@@ -158,6 +143,7 @@ done:
 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        struct sockaddr_l2 la;
        int len, err = 0;
@@ -182,7 +168,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
                goto done;
        }
-        switch (l2cap_pi(sk)->mode) {
+        switch (chan->mode) {
        case L2CAP_MODE_BASIC:
                break;
        case L2CAP_MODE_ERTM:
@@ -226,10 +212,10 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
        /* Set destination address and psm */
        bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
-        l2cap_pi(sk)->psm = la.l2_psm;
+        chan->psm = la.l2_psm;
-        l2cap_pi(sk)->dcid = la.l2_cid;
+        chan->dcid = la.l2_cid;
-        err = l2cap_do_connect(sk);
+        err = l2cap_chan_connect(l2cap_pi(sk)->chan);
        if (err)
                goto done;
@@ -244,6 +230,7 @@ done:
 static int l2cap_sock_listen(struct socket *sock, int backlog)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        int err = 0;
        BT_DBG("sk %p backlog %d", sk, backlog);
@@ -256,7 +243,7 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
                goto done;
        }
-        switch (l2cap_pi(sk)->mode) {
+        switch (chan->mode) {
        case L2CAP_MODE_BASIC:
                break;
        case L2CAP_MODE_ERTM:
@@ -269,28 +256,6 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
                goto done;
        }
-        if (!l2cap_pi(sk)->psm && !l2cap_pi(sk)->dcid) {
-                bdaddr_t *src = &bt_sk(sk)->src;
-                u16 psm;
-                err = -EINVAL;
-                write_lock_bh(&l2cap_sk_list.lock);
-                for (psm = 0x1001; psm < 0x1100; psm += 2)
-                        if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
-                                l2cap_pi(sk)->psm   = cpu_to_le16(psm);
-                                l2cap_pi(sk)->sport = cpu_to_le16(psm);
-                                err = 0;
-                                break;
-                        }
-                write_unlock_bh(&l2cap_sk_list.lock);
-                if (err < 0)
-                        goto done;
-        }
        sk->sk_max_ack_backlog = backlog;
        sk->sk_ack_backlog = 0;
        sk->sk_state = BT_LISTEN;
@@ -360,6 +325,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
 {
        struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        BT_DBG("sock %p, sk %p", sock, sk);
@@ -367,13 +333,13 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
        *len = sizeof(struct sockaddr_l2);
        if (peer) {
-                la->l2_psm = l2cap_pi(sk)->psm;
+                la->l2_psm = chan->psm;
                bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
-                la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
+                la->l2_cid = cpu_to_le16(chan->dcid);
        } else {
-                la->l2_psm = l2cap_pi(sk)->sport;
+                la->l2_psm = chan->sport;
                bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
-                la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
+                la->l2_cid = cpu_to_le16(chan->scid);
        }
        return 0;
@@ -382,6 +348,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        struct l2cap_options opts;
        struct l2cap_conninfo cinfo;
        int len, err = 0;
@@ -397,13 +364,13 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
        switch (optname) {
        case L2CAP_OPTIONS:
                memset(&opts, 0, sizeof(opts));
-                opts.imtu     = l2cap_pi(sk)->imtu;
+                opts.imtu     = chan->imtu;
-                opts.omtu     = l2cap_pi(sk)->omtu;
+                opts.omtu     = chan->omtu;
-                opts.flush_to = l2cap_pi(sk)->flush_to;
+                opts.flush_to = chan->flush_to;
-                opts.mode     = l2cap_pi(sk)->mode;
+                opts.mode     = chan->mode;
-                opts.fcs      = l2cap_pi(sk)->fcs;
+                opts.fcs      = chan->fcs;
-                opts.max_tx   = l2cap_pi(sk)->max_tx;
+                opts.max_tx   = chan->max_tx;
-                opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
+                opts.txwin_size = (__u16)chan->tx_win;
                len = min_t(unsigned int, len, sizeof(opts));
                if (copy_to_user(optval, (char *) &opts, len))
@@ -412,7 +379,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
                break;
        case L2CAP_LM:
-                switch (l2cap_pi(sk)->sec_level) {
+                switch (chan->sec_level) {
                case BT_SECURITY_LOW:
                        opt = L2CAP_LM_AUTH;
                        break;
@@ -428,10 +395,10 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
                        break;
                }
-                if (l2cap_pi(sk)->role_switch)
+                if (chan->role_switch)
                        opt |= L2CAP_LM_MASTER;
-                if (l2cap_pi(sk)->force_reliable)
+                if (chan->force_reliable)
                        opt |= L2CAP_LM_RELIABLE;
                if (put_user(opt, (u32 __user *) optval))
@@ -446,8 +413,9 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
                        break;
                }
-                cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+                memset(&cinfo, 0, sizeof(cinfo));
-                memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+                cinfo.hci_handle = chan->conn->hcon->handle;
+                memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
                len = min_t(unsigned int, len, sizeof(cinfo));
                if (copy_to_user(optval, (char *) &cinfo, len))
@@ -467,6 +435,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        struct bt_security sec;
        int len, err = 0;
@@ -491,7 +460,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
                        break;
                }
-                sec.level = l2cap_pi(sk)->sec_level;
+                sec.level = chan->sec_level;
                len = min_t(unsigned int, len, sizeof(sec));
                if (copy_to_user(optval, (char *) &sec, len))
@@ -511,7 +480,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
                break;
        case BT_FLUSHABLE:
-                if (put_user(l2cap_pi(sk)->flushable, (u32 __user *) optval))
+                if (put_user(chan->flushable, (u32 __user *) optval))
                        err = -EFAULT;
                break;
@@ -528,6 +497,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        struct l2cap_options opts;
        int len, err = 0;
        u32 opt;
@@ -543,13 +513,13 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
                        break;
                }
-                opts.imtu     = l2cap_pi(sk)->imtu;
+                opts.imtu     = chan->imtu;
-                opts.omtu     = l2cap_pi(sk)->omtu;
+                opts.omtu     = chan->omtu;
-                opts.flush_to = l2cap_pi(sk)->flush_to;
+                opts.flush_to = chan->flush_to;
-                opts.mode     = l2cap_pi(sk)->mode;
+                opts.mode     = chan->mode;
-                opts.fcs      = l2cap_pi(sk)->fcs;
+                opts.fcs      = chan->fcs;
-                opts.max_tx   = l2cap_pi(sk)->max_tx;
+                opts.max_tx   = chan->max_tx;
-                opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
+                opts.txwin_size = (__u16)chan->tx_win;
                len = min_t(unsigned int, sizeof(opts), optlen);
                if (copy_from_user((char *) &opts, optval, len)) {
@@ -562,10 +532,10 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
                        break;
                }
-                l2cap_pi(sk)->mode = opts.mode;
+                chan->mode = opts.mode;
-                switch (l2cap_pi(sk)->mode) {
+                switch (chan->mode) {
                case L2CAP_MODE_BASIC:
-                        l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
+                        chan->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
                        break;
                case L2CAP_MODE_ERTM:
                case L2CAP_MODE_STREAMING:
@@ -577,11 +547,11 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
                        break;
                }
-                l2cap_pi(sk)->imtu = opts.imtu;
+                chan->imtu = opts.imtu;
-                l2cap_pi(sk)->omtu = opts.omtu;
+                chan->omtu = opts.omtu;
-                l2cap_pi(sk)->fcs  = opts.fcs;
+                chan->fcs  = opts.fcs;
-                l2cap_pi(sk)->max_tx = opts.max_tx;
+                chan->max_tx = opts.max_tx;
-                l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
+                chan->tx_win = (__u8)opts.txwin_size;
                break;
        case L2CAP_LM:
@@ -591,14 +561,14 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
                }
                if (opt & L2CAP_LM_AUTH)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
+                        chan->sec_level = BT_SECURITY_LOW;
                if (opt & L2CAP_LM_ENCRYPT)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
+                        chan->sec_level = BT_SECURITY_MEDIUM;
                if (opt & L2CAP_LM_SECURE)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
+                        chan->sec_level = BT_SECURITY_HIGH;
-                l2cap_pi(sk)->role_switch    = (opt & L2CAP_LM_MASTER);
+                chan->role_switch    = (opt & L2CAP_LM_MASTER);
-                l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
+                chan->force_reliable = (opt & L2CAP_LM_RELIABLE);
                break;
        default:
@@ -613,6 +583,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        struct bt_security sec;
        int len, err = 0;
        u32 opt;
@@ -649,7 +620,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                        break;
                }
-                l2cap_pi(sk)->sec_level = sec.level;
+                chan->sec_level = sec.level;
                break;
        case BT_DEFER_SETUP:
@@ -678,7 +649,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                }
                if (opt == BT_FLUSHABLE_OFF) {
-                        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+                        struct l2cap_conn *conn = chan->conn;
                        /* proceed further only when we have l2cap_conn and
                           No Flush support in the LM */
                        if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
@@ -687,7 +658,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                        }
                }
-                l2cap_pi(sk)->flushable = opt;
+                chan->flushable = opt;
                break;
        default:
@@ -702,7 +673,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
 static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
 {
        struct sock *sk = sock->sk;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        struct sk_buff *skb;
        u16 control;
        int err;
@@ -725,74 +696,77 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
        /* Connectionless channel */
        if (sk->sk_type == SOCK_DGRAM) {
-                skb = l2cap_create_connless_pdu(sk, msg, len);
+                skb = l2cap_create_connless_pdu(chan, msg, len);
                if (IS_ERR(skb)) {
                        err = PTR_ERR(skb);
                } else {
-                        l2cap_do_send(sk, skb);
+                        l2cap_do_send(chan, skb);
                        err = len;
                }
                goto done;
        }
-        switch (pi->mode) {
+        switch (chan->mode) {
        case L2CAP_MODE_BASIC:
                /* Check outgoing MTU */
-                if (len > pi->omtu) {
+                if (len > chan->omtu) {
                        err = -EMSGSIZE;
                        goto done;
                }
                /* Create a basic PDU */
-                skb = l2cap_create_basic_pdu(sk, msg, len);
+                skb = l2cap_create_basic_pdu(chan, msg, len);
                if (IS_ERR(skb)) {
                        err = PTR_ERR(skb);
                        goto done;
                }
-                l2cap_do_send(sk, skb);
+                l2cap_do_send(chan, skb);
                err = len;
                break;
        case L2CAP_MODE_ERTM:
        case L2CAP_MODE_STREAMING:
                /* Entire SDU fits into one PDU */
-                if (len <= pi->remote_mps) {
+                if (len <= chan->remote_mps) {
                        control = L2CAP_SDU_UNSEGMENTED;
-                        skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
+                        skb = l2cap_create_iframe_pdu(chan, msg, len, control,
+                                                                        0);
                        if (IS_ERR(skb)) {
                                err = PTR_ERR(skb);
                                goto done;
                        }
-                        __skb_queue_tail(TX_QUEUE(sk), skb);
+                        __skb_queue_tail(&chan->tx_q, skb);
-                        if (sk->sk_send_head == NULL)
+                        if (chan->tx_send_head == NULL)
-                                sk->sk_send_head = skb;
+                                chan->tx_send_head = skb;
                } else {
                /* Segment SDU into multiples PDUs */
-                        err = l2cap_sar_segment_sdu(sk, msg, len);
+                        err = l2cap_sar_segment_sdu(chan, msg, len);
                        if (err < 0)
                                goto done;
                }
-                if (pi->mode == L2CAP_MODE_STREAMING) {
+                if (chan->mode == L2CAP_MODE_STREAMING) {
-                        l2cap_streaming_send(sk);
+                        l2cap_streaming_send(chan);
-                } else {
+                        err = len;
-                        if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
+                        break;
-                                        (pi->conn_state & L2CAP_CONN_WAIT_F)) {
+                }
-                                err = len;
-                                break;
+                if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
-                        }
+                                (chan->conn_state & L2CAP_CONN_WAIT_F)) {
-                        err = l2cap_ertm_send(sk);
+                        err = len;
+                        break;
                }
+                err = l2cap_ertm_send(chan);
                if (err >= 0)
                        err = len;
                break;
        default:
-                BT_DBG("bad state %1.1x", pi->mode);
+                BT_DBG("bad state %1.1x", chan->mode);
                err = -EBADFD;
        }
@@ -808,29 +782,9 @@ static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct ms
        lock_sock(sk);
        if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
-                struct l2cap_conn_rsp rsp;
-                struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-                u8 buf[128];
                sk->sk_state = BT_CONFIG;
-                rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
+                __l2cap_connect_rsp_defer(l2cap_pi(sk)->chan);
-                rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
-                rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
-                rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
-                l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
-                if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
-                        release_sock(sk);
-                        return 0;
-                }
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                l2cap_build_conf_req(sk, buf), buf);
-                l2cap_pi(sk)->num_conf_req++;
                release_sock(sk);
                return 0;
        }
@@ -854,7 +808,8 @@ void l2cap_sock_kill(struct sock *sk)
        BT_DBG("sk %p state %d", sk, sk->sk_state);
        /* Kill poor orphan */
-        bt_sock_unlink(&l2cap_sk_list, sk);
+        l2cap_chan_destroy(l2cap_pi(sk)->chan);
        sock_set_flag(sk, SOCK_DEAD);
        sock_put(sk);
 }
@@ -885,7 +840,8 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
 void __l2cap_sock_close(struct sock *sk, int reason)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct l2cap_conn *conn = chan->conn;
        BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
@@ -900,9 +856,9 @@ void __l2cap_sock_close(struct sock *sk, int reason)
                                        sk->sk_type == SOCK_STREAM) &&
                                        conn->hcon->type == ACL_LINK) {
                        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
-                        l2cap_send_disconn_req(conn, sk, reason);
+                        l2cap_send_disconn_req(conn, chan, reason);
                } else
-                        l2cap_chan_del(sk, reason);
+                        l2cap_chan_del(chan, reason);
                break;
        case BT_CONNECT2:
@@ -917,20 +873,20 @@ void __l2cap_sock_close(struct sock *sk, int reason)
                        else
                                result = L2CAP_CR_BAD_PSM;
-                        rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
+                        rsp.scid   = cpu_to_le16(chan->dcid);
-                        rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
+                        rsp.dcid   = cpu_to_le16(chan->scid);
                        rsp.result = cpu_to_le16(result);
                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+                                                        sizeof(rsp), &rsp);
                }
-                l2cap_chan_del(sk, reason);
+                l2cap_chan_del(chan, reason);
                break;
        case BT_CONNECT:
        case BT_DISCONN:
-                l2cap_chan_del(sk, reason);
+                l2cap_chan_del(chan, reason);
                break;
        default:
@@ -942,6 +898,7 @@ void __l2cap_sock_close(struct sock *sk, int reason)
 static int l2cap_sock_shutdown(struct socket *sock, int how)
 {
        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
        int err = 0;
        BT_DBG("sock %p, sk %p", sock, sk);
@@ -951,7 +908,7 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
        lock_sock(sk);
        if (!sk->sk_shutdown) {
-                if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
+                if (chan->mode == L2CAP_MODE_ERTM)
                        err = __l2cap_wait_ack(sk);
                sk->sk_shutdown = SHUTDOWN_MASK;
@@ -998,49 +955,47 @@ static void l2cap_sock_destruct(struct sock *sk)
 void l2cap_sock_init(struct sock *sk, struct sock *parent)
 {
        struct l2cap_pinfo *pi = l2cap_pi(sk);
+        struct l2cap_chan *chan = pi->chan;
        BT_DBG("sk %p", sk);
        if (parent) {
+                struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
                sk->sk_type = parent->sk_type;
                bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
-                pi->imtu = l2cap_pi(parent)->imtu;
+                chan->imtu = pchan->imtu;
-                pi->omtu = l2cap_pi(parent)->omtu;
+                chan->omtu = pchan->omtu;
-                pi->conf_state = l2cap_pi(parent)->conf_state;
+                chan->conf_state = pchan->conf_state;
-                pi->mode = l2cap_pi(parent)->mode;
+                chan->mode = pchan->mode;
-                pi->fcs  = l2cap_pi(parent)->fcs;
+                chan->fcs  = pchan->fcs;
-                pi->max_tx = l2cap_pi(parent)->max_tx;
+                chan->max_tx = pchan->max_tx;
-                pi->tx_win = l2cap_pi(parent)->tx_win;
+                chan->tx_win = pchan->tx_win;
-                pi->sec_level = l2cap_pi(parent)->sec_level;
+                chan->sec_level = pchan->sec_level;
-                pi->role_switch = l2cap_pi(parent)->role_switch;
+                chan->role_switch = pchan->role_switch;
-                pi->force_reliable = l2cap_pi(parent)->force_reliable;
+                chan->force_reliable = pchan->force_reliable;
-                pi->flushable = l2cap_pi(parent)->flushable;
+                chan->flushable = pchan->flushable;
        } else {
-                pi->imtu = L2CAP_DEFAULT_MTU;
+                chan->imtu = L2CAP_DEFAULT_MTU;
-                pi->omtu = 0;
+                chan->omtu = 0;
                if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
-                        pi->mode = L2CAP_MODE_ERTM;
+                        chan->mode = L2CAP_MODE_ERTM;
-                        pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
+                        chan->conf_state |= L2CAP_CONF_STATE2_DEVICE;
                } else {
-                        pi->mode = L2CAP_MODE_BASIC;
+                        chan->mode = L2CAP_MODE_BASIC;
                }
-                pi->max_tx = L2CAP_DEFAULT_MAX_TX;
+                chan->max_tx = L2CAP_DEFAULT_MAX_TX;
-                pi->fcs  = L2CAP_FCS_CRC16;
+                chan->fcs  = L2CAP_FCS_CRC16;
-                pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
+                chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
-                pi->sec_level = BT_SECURITY_LOW;
+                chan->sec_level = BT_SECURITY_LOW;
-                pi->role_switch = 0;
+                chan->role_switch = 0;
-                pi->force_reliable = 0;
+                chan->force_reliable = 0;
-                pi->flushable = BT_FLUSHABLE_OFF;
+                chan->flushable = BT_FLUSHABLE_OFF;
        }
        /* Default config options */
-        pi->conf_len = 0;
+        chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
-        pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
-        skb_queue_head_init(TX_QUEUE(sk));
-        skb_queue_head_init(SREJ_QUEUE(sk));
-        skb_queue_head_init(BUSY_QUEUE(sk));
-        INIT_LIST_HEAD(SREJ_LIST(sk));
 }
 static struct proto l2cap_proto = {
@@ -1070,7 +1025,6 @@ struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, g
        setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
-        bt_sock_link(&l2cap_sk_list, sk);
        return sk;
 }
@@ -1078,6 +1032,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
                             int kern)
 {
        struct sock *sk;
+        struct l2cap_chan *chan;
        BT_DBG("sock %p", sock);
@@ -1096,11 +1051,19 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
        if (!sk)
                return -ENOMEM;
+        chan = l2cap_chan_create(sk);
+        if (!chan) {
+                l2cap_sock_kill(sk);
+                return -ENOMEM;
+        }
+        l2cap_pi(sk)->chan = chan;
        l2cap_sock_init(sk, NULL);
        return 0;
 }
-const struct proto_ops l2cap_sock_ops = {
+static const struct proto_ops l2cap_sock_ops = {
        .family         = PF_BLUETOOTH,
        .owner          = THIS_MODULE,
        .release        = l2cap_sock_release,
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 4476d8e3c0f2..dae382ce7020 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -36,7 +36,7 @@ struct pending_cmd {
        struct list_head list;
        __u16 opcode;
        int index;
-        void *cmd;
+        void *param;
        struct sock *sk;
        void *user_data;
 };
@@ -179,10 +179,12 @@ static int read_controller_info(struct sock *sk, u16 index)
        hci_del_off_timer(hdev);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        set_bit(HCI_MGMT, &hdev->flags);
+        memset(&rp, 0, sizeof(rp));
        rp.type = hdev->dev_type;
        rp.powered = test_bit(HCI_UP, &hdev->flags);
@@ -204,7 +206,9 @@ static int read_controller_info(struct sock *sk, u16 index)
        rp.hci_ver = hdev->hci_ver;
        put_unaligned_le16(hdev->hci_rev, &rp.hci_rev);
-        hci_dev_unlock_bh(hdev);
+        memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp));
@@ -213,7 +217,7 @@ static int read_controller_info(struct sock *sk, u16 index)
 static void mgmt_pending_free(struct pending_cmd *cmd)
 {
        sock_put(cmd->sk);
-        kfree(cmd->cmd);
+        kfree(cmd->param);
        kfree(cmd);
 }
@@ -229,13 +233,14 @@ static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
        cmd->opcode = opcode;
        cmd->index = index;
-        cmd->cmd = kmalloc(len, GFP_ATOMIC);
+        cmd->param = kmalloc(len, GFP_ATOMIC);
-        if (!cmd->cmd) {
+        if (!cmd->param) {
                kfree(cmd);
                return NULL;
        }
-        memcpy(cmd->cmd, data, len);
+        if (data)
+                memcpy(cmd->param, data, len);
        cmd->sk = sk;
        sock_hold(sk);
@@ -311,7 +316,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        up = test_bit(HCI_UP, &hdev->flags);
        if ((cp->val && up) || (!cp->val && !up)) {
@@ -338,7 +343,7 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
        err = 0;
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
 }
@@ -363,7 +368,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (!test_bit(HCI_UP, &hdev->flags)) {
                err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN);
@@ -398,7 +403,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
                mgmt_pending_remove(cmd);
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -424,7 +429,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (!test_bit(HCI_UP, &hdev->flags)) {
                err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN);
@@ -458,7 +463,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
                mgmt_pending_remove(cmd);
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -517,7 +522,7 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (cp->val)
                set_bit(HCI_PAIRABLE, &hdev->flags);
@@ -533,12 +538,156 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
        err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk);
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
 }
+#define EIR_FLAGS               0x01 /* flags */
+#define EIR_UUID16_SOME         0x02 /* 16-bit UUID, more available */
+#define EIR_UUID16_ALL          0x03 /* 16-bit UUID, all listed */
+#define EIR_UUID32_SOME         0x04 /* 32-bit UUID, more available */
+#define EIR_UUID32_ALL          0x05 /* 32-bit UUID, all listed */
+#define EIR_UUID128_SOME        0x06 /* 128-bit UUID, more available */
+#define EIR_UUID128_ALL         0x07 /* 128-bit UUID, all listed */
+#define EIR_NAME_SHORT          0x08 /* shortened local name */
+#define EIR_NAME_COMPLETE       0x09 /* complete local name */
+#define EIR_TX_POWER            0x0A /* transmit power level */
+#define EIR_DEVICE_ID           0x10 /* device ID */
+#define PNP_INFO_SVCLASS_ID             0x1200
+static u8 bluetooth_base_uuid[] = {
+                        0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80,
+                        0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+static u16 get_uuid16(u8 *uuid128)
+{
+        u32 val;
+        int i;
+        for (i = 0; i < 12; i++) {
+                if (bluetooth_base_uuid[i] != uuid128[i])
+                        return 0;
+        }
+        memcpy(&val, &uuid128[12], 4);
+        val = le32_to_cpu(val);
+        if (val > 0xffff)
+                return 0;
+        return (u16) val;
+}
+static void create_eir(struct hci_dev *hdev, u8 *data)
+{
+        u8 *ptr = data;
+        u16 eir_len = 0;
+        u16 uuid16_list[HCI_MAX_EIR_LENGTH / sizeof(u16)];
+        int i, truncated = 0;
+        struct list_head *p;
+        size_t name_len;
+        name_len = strlen(hdev->dev_name);
+        if (name_len > 0) {
+                /* EIR Data type */
+                if (name_len > 48) {
+                        name_len = 48;
+                        ptr[1] = EIR_NAME_SHORT;
+                } else
+                        ptr[1] = EIR_NAME_COMPLETE;
+                /* EIR Data length */
+                ptr[0] = name_len + 1;
+                memcpy(ptr + 2, hdev->dev_name, name_len);
+                eir_len += (name_len + 2);
+                ptr += (name_len + 2);
+        }
+        memset(uuid16_list, 0, sizeof(uuid16_list));
+        /* Group all UUID16 types */
+        list_for_each(p, &hdev->uuids) {
+                struct bt_uuid *uuid = list_entry(p, struct bt_uuid, list);
+                u16 uuid16;
+                uuid16 = get_uuid16(uuid->uuid);
+                if (uuid16 == 0)
+                        return;
+                if (uuid16 < 0x1100)
+                        continue;
+                if (uuid16 == PNP_INFO_SVCLASS_ID)
+                        continue;
+                /* Stop if not enough space to put next UUID */
+                if (eir_len + 2 + sizeof(u16) > HCI_MAX_EIR_LENGTH) {
+                        truncated = 1;
+                        break;
+                }
+                /* Check for duplicates */
+                for (i = 0; uuid16_list[i] != 0; i++)
+                        if (uuid16_list[i] == uuid16)
+                                break;
+                if (uuid16_list[i] == 0) {
+                        uuid16_list[i] = uuid16;
+                        eir_len += sizeof(u16);
+                }
+        }
+        if (uuid16_list[0] != 0) {
+                u8 *length = ptr;
+                /* EIR Data type */
+                ptr[1] = truncated ? EIR_UUID16_SOME : EIR_UUID16_ALL;
+                ptr += 2;
+                eir_len += 2;
+                for (i = 0; uuid16_list[i] != 0; i++) {
+                        *ptr++ = (uuid16_list[i] & 0x00ff);
+                        *ptr++ = (uuid16_list[i] & 0xff00) >> 8;
+                }
+                /* EIR Data length */
+                *length = (i * sizeof(u16)) + 1;
+        }
+}
+static int update_eir(struct hci_dev *hdev)
+{
+        struct hci_cp_write_eir cp;
+        if (!(hdev->features[6] & LMP_EXT_INQ))
+                return 0;
+        if (hdev->ssp_mode == 0)
+                return 0;
+        if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
+                return 0;
+        memset(&cp, 0, sizeof(cp));
+        create_eir(hdev, cp.data);
+        if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
+                return 0;
+        memcpy(hdev->eir, cp.data, sizeof(cp.data));
+        return hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
+}
 static u8 get_service_classes(struct hci_dev *hdev)
 {
        struct list_head *p;
@@ -590,7 +739,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC);
        if (!uuid) {
@@ -607,10 +756,14 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (err < 0)
                goto failed;
+        err = update_eir(hdev);
+        if (err < 0)
+                goto failed;
        err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0);
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -635,7 +788,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
                err = hci_uuids_clear(hdev);
@@ -663,10 +816,14 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (err < 0)
                goto unlock;
+        err = update_eir(hdev);
+        if (err < 0)
+                goto unlock;
        err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0);
 unlock:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -690,7 +847,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        hdev->major_class = cp->major;
        hdev->minor_class = cp->minor;
@@ -700,7 +857,7 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
        if (err == 0)
                err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0);
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -722,7 +879,7 @@ static int set_service_cache(struct sock *sk, u16 index,  unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        BT_DBG("hci%u enable %d", index, cp->enable);
@@ -732,13 +889,15 @@ static int set_service_cache(struct sock *sk, u16 index,  unsigned char *data,
        } else {
                clear_bit(HCI_SERVICE_CACHE, &hdev->flags);
                err = update_class(hdev);
+                if (err == 0)
+                        err = update_eir(hdev);
        }
        if (err == 0)
                err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL,
                                                                        0);
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -772,7 +931,7 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
        BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys,
                                                                key_count);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        hci_link_keys_clear(hdev);
@@ -786,11 +945,11 @@ static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
        for (i = 0; i < key_count; i++) {
                struct mgmt_key_info *key = &cp->keys[i];
-                hci_add_link_key(hdev, 0, &key->bdaddr, key->val, key->type,
+                hci_add_link_key(hdev, NULL, 0, &key->bdaddr, key->val, key->type,
                                                                key->pin_len);
        }
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return 0;
@@ -812,7 +971,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        err = hci_remove_link_key(hdev, &cp->bdaddr);
        if (err < 0) {
@@ -835,7 +994,7 @@ static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
        }
 unlock:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -861,7 +1020,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (!test_bit(HCI_UP, &hdev->flags)) {
                err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN);
@@ -874,6 +1033,9 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
        }
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
+        if (!conn)
+                conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->bdaddr);
        if (!conn) {
                err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENOTCONN);
                goto failed;
@@ -893,7 +1055,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
                mgmt_pending_remove(cmd);
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -914,7 +1076,7 @@ static int get_connections(struct sock *sk, u16 index)
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        count = 0;
        list_for_each(p, &hdev->conn_hash.list) {
@@ -945,7 +1107,7 @@ static int get_connections(struct sock *sk, u16 index)
 unlock:
        kfree(rp);
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
 }
@@ -970,7 +1132,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (!test_bit(HCI_UP, &hdev->flags)) {
                err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN);
@@ -992,7 +1154,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
                mgmt_pending_remove(cmd);
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -1019,7 +1181,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
                return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
                                                                        ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (!test_bit(HCI_UP, &hdev->flags)) {
                err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
@@ -1040,7 +1202,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
                mgmt_pending_remove(cmd);
 failed:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -1063,14 +1225,14 @@ static int set_io_capability(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        hdev->io_capability = cp->io_capability;
        BT_DBG("%s IO capability set to 0x%02x", hdev->name,
                                                        hdev->io_capability);
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0);
@@ -1156,7 +1318,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
        if (!hdev)
                return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (cp->io_cap == 0x03) {
                sec_level = BT_SECURITY_MEDIUM;
@@ -1198,7 +1360,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
        err = 0;
 unlock:
-        hci_dev_unlock_bh(hdev);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
        return err;
@@ -1230,7 +1392,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
        if (!hdev)
                return cmd_status(sk, index, mgmt_op, ENODEV);
-        hci_dev_lock_bh(hdev);
+        hci_dev_lock(hdev);
        if (!test_bit(HCI_UP, &hdev->flags)) {
                err = cmd_status(sk, index, mgmt_op, ENETDOWN);
@@ -1248,6 +1410,231 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
                mgmt_pending_remove(cmd);
 failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
+                                                                u16 len)
+{
+        struct mgmt_cp_set_local_name *mgmt_cp = (void *) data;
+        struct hci_cp_write_local_name hci_cp;
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("");
+        if (len != sizeof(*mgmt_cp))
+                return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV);
+        hci_dev_lock(hdev);
+        cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        memcpy(hci_cp.name, mgmt_cp->name, sizeof(hci_cp.name));
+        err = hci_send_cmd(hdev, HCI_OP_WRITE_LOCAL_NAME, sizeof(hci_cp),
+                                                                &hci_cp);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int read_local_oob_data(struct sock *sk, u16 index)
+{
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("hci%u", index);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                        ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                ENETDOWN);
+                goto unlock;
+        }
+        if (!(hdev->features[6] & LMP_SIMPLE_PAIR)) {
+                err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                EOPNOTSUPP);
+                goto unlock;
+        }
+        if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index)) {
+                err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, EBUSY);
+                goto unlock;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, index, NULL, 0);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto unlock;
+        }
+        err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+unlock:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_add_remote_oob_data *cp = (void *) data;
+        int err;
+        BT_DBG("hci%u ", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+                                                                        EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+                                                                        ENODEV);
+        hci_dev_lock(hdev);
+        err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
+                                                                cp->randomizer);
+        if (err < 0)
+                err = cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, -err);
+        else
+                err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
+                                                                        0);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int remove_remote_oob_data(struct sock *sk, u16 index,
+                                                unsigned char *data, u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_remove_remote_oob_data *cp = (void *) data;
+        int err;
+        BT_DBG("hci%u ", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                        EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                        ENODEV);
+        hci_dev_lock(hdev);
+        err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
+        if (err < 0)
+                err = cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                        -err);
+        else
+                err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                NULL, 0);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int start_discovery(struct sock *sk, u16 index)
+{
+        u8 lap[3] = { 0x33, 0x8b, 0x9e };
+        struct hci_cp_inquiry cp;
+        struct pending_cmd *cmd;
+        struct hci_dev *hdev;
+        int err;
+        BT_DBG("hci%u", index);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_START_DISCOVERY, ENODEV);
+        hci_dev_lock_bh(hdev);
+        cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, index, NULL, 0);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        memset(&cp, 0, sizeof(cp));
+        memcpy(&cp.lap, lap, 3);
+        cp.length  = 0x08;
+        cp.num_rsp = 0x00;
+        err = hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock_bh(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int stop_discovery(struct sock *sk, u16 index)
+{
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("hci%u", index);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_STOP_DISCOVERY, ENODEV);
+        hci_dev_lock_bh(hdev);
+        cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, index, NULL, 0);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        err = hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
        hci_dev_unlock_bh(hdev);
        hci_dev_put(hdev);
@@ -1266,7 +1653,7 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
        if (msglen < sizeof(*hdr))
                return -EINVAL;
-        buf = kmalloc(msglen, GFP_ATOMIC);
+        buf = kmalloc(msglen, GFP_KERNEL);
        if (!buf)
                return -ENOMEM;
@@ -1349,6 +1736,25 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
        case MGMT_OP_USER_CONFIRM_NEG_REPLY:
                err = user_confirm_reply(sk, index, buf + sizeof(*hdr), len, 0);
                break;
+        case MGMT_OP_SET_LOCAL_NAME:
+                err = set_local_name(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_READ_LOCAL_OOB_DATA:
+                err = read_local_oob_data(sk, index);
+                break;
+        case MGMT_OP_ADD_REMOTE_OOB_DATA:
+                err = add_remote_oob_data(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_REMOVE_REMOTE_OOB_DATA:
+                err = remove_remote_oob_data(sk, index, buf + sizeof(*hdr),
+                                                                        len);
+                break;
+        case MGMT_OP_START_DISCOVERY:
+                err = start_discovery(sk, index);
+                break;
+        case MGMT_OP_STOP_DISCOVERY:
+                err = stop_discovery(sk, index);
+                break;
        default:
                BT_DBG("Unknown op %u", opcode);
                err = cmd_status(sk, index, opcode, 0x01);
@@ -1382,7 +1788,7 @@ struct cmd_lookup {
 static void mode_rsp(struct pending_cmd *cmd, void *data)
 {
-        struct mgmt_mode *cp = cmd->cmd;
+        struct mgmt_mode *cp = cmd->param;
        struct cmd_lookup *match = data;
        if (cp->val != match->val)
@@ -1455,17 +1861,17 @@ int mgmt_connectable(u16 index, u8 connectable)
        return ret;
 }
-int mgmt_new_key(u16 index, struct link_key *key, u8 old_key_type)
+int mgmt_new_key(u16 index, struct link_key *key, u8 persistent)
 {
        struct mgmt_ev_new_key ev;
        memset(&ev, 0, sizeof(ev));
+        ev.store_hint = persistent;
        bacpy(&ev.key.bdaddr, &key->bdaddr);
        ev.key.type = key->type;
        memcpy(ev.key.val, key->val, 16);
        ev.key.pin_len = key->pin_len;
-        ev.old_key_type = old_key_type;
        return mgmt_event(MGMT_EV_NEW_KEY, index, &ev, sizeof(ev), NULL);
 }
@@ -1481,7 +1887,7 @@ int mgmt_connected(u16 index, bdaddr_t *bdaddr)
 static void disconnect_rsp(struct pending_cmd *cmd, void *data)
 {
-        struct mgmt_cp_disconnect *cp = cmd->cmd;
+        struct mgmt_cp_disconnect *cp = cmd->param;
        struct sock **sk = data;
        struct mgmt_rp_disconnect rp;
@@ -1539,11 +1945,12 @@ int mgmt_connect_failed(u16 index, bdaddr_t *bdaddr, u8 status)
        return mgmt_event(MGMT_EV_CONNECT_FAILED, index, &ev, sizeof(ev), NULL);
 }
-int mgmt_pin_code_request(u16 index, bdaddr_t *bdaddr)
+int mgmt_pin_code_request(u16 index, bdaddr_t *bdaddr, u8 secure)
 {
        struct mgmt_ev_pin_code_request ev;
        bacpy(&ev.bdaddr, bdaddr);
+        ev.secure = secure;
        return mgmt_event(MGMT_EV_PIN_CODE_REQUEST, index, &ev, sizeof(ev),
                                                                        NULL);
@@ -1591,13 +1998,15 @@ int mgmt_pin_code_neg_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status)
        return err;
 }
-int mgmt_user_confirm_request(u16 index, bdaddr_t *bdaddr, __le32 value)
+int mgmt_user_confirm_request(u16 index, bdaddr_t *bdaddr, __le32 value,
+                                                        u8 confirm_hint)
 {
        struct mgmt_ev_user_confirm_request ev;
        BT_DBG("hci%u", index);
        bacpy(&ev.bdaddr, bdaddr);
+        ev.confirm_hint = confirm_hint;
        put_unaligned_le32(value, &ev.value);
        return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, index, &ev, sizeof(ev),
@@ -1645,3 +2054,110 @@ int mgmt_auth_failed(u16 index, bdaddr_t *bdaddr, u8 status)
        return mgmt_event(MGMT_EV_AUTH_FAILED, index, &ev, sizeof(ev), NULL);
 }
+int mgmt_set_local_name_complete(u16 index, u8 *name, u8 status)
+{
+        struct pending_cmd *cmd;
+        struct hci_dev *hdev;
+        struct mgmt_cp_set_local_name ev;
+        int err;
+        memset(&ev, 0, sizeof(ev));
+        memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
+        cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, index);
+        if (!cmd)
+                goto send_event;
+        if (status) {
+                err = cmd_status(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, EIO);
+                goto failed;
+        }
+        hdev = hci_dev_get(index);
+        if (hdev) {
+                hci_dev_lock_bh(hdev);
+                update_eir(hdev);
+                hci_dev_unlock_bh(hdev);
+                hci_dev_put(hdev);
+        }
+        err = cmd_complete(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, &ev,
+                                                                sizeof(ev));
+        if (err < 0)
+                goto failed;
+send_event:
+        err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, index, &ev, sizeof(ev),
+                                                        cmd ? cmd->sk : NULL);
+failed:
+        if (cmd)
+                mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
+                                                                u8 status)
+{
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("hci%u status %u", index, status);
+        cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index);
+        if (!cmd)
+                return -ENOENT;
+        if (status) {
+                err = cmd_status(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                        EIO);
+        } else {
+                struct mgmt_rp_read_local_oob_data rp;
+                memcpy(rp.hash, hash, sizeof(rp.hash));
+                memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer));
+                err = cmd_complete(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                        &rp, sizeof(rp));
+        }
+        mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_device_found(u16 index, bdaddr_t *bdaddr, u8 *dev_class, s8 rssi,
+                                                                u8 *eir)
+{
+        struct mgmt_ev_device_found ev;
+        memset(&ev, 0, sizeof(ev));
+        bacpy(&ev.bdaddr, bdaddr);
+        memcpy(ev.dev_class, dev_class, sizeof(ev.dev_class));
+        ev.rssi = rssi;
+        if (eir)
+                memcpy(ev.eir, eir, sizeof(ev.eir));
+        return mgmt_event(MGMT_EV_DEVICE_FOUND, index, &ev, sizeof(ev), NULL);
+}
+int mgmt_remote_name(u16 index, bdaddr_t *bdaddr, u8 *name)
+{
+        struct mgmt_ev_remote_name ev;
+        memset(&ev, 0, sizeof(ev));
+        bacpy(&ev.bdaddr, bdaddr);
+        memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
+        return mgmt_event(MGMT_EV_REMOTE_NAME, index, &ev, sizeof(ev), NULL);
+}
+int mgmt_discovering(u16 index, u8 discovering)
+{
+        return mgmt_event(MGMT_EV_DISCOVERING, index, &discovering,
+                                                sizeof(discovering), NULL);
+}
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index c9973932456f..5759bb7054f7 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -232,6 +232,8 @@ static int rfcomm_l2sock_create(struct socket **sock)
 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
 {
        struct sock *sk = d->session->sock->sk;
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
        __u8 auth_type;
        switch (d->sec_level) {
@@ -246,8 +248,7 @@ static inline int rfcomm_check_security(struct rfcomm_dlc *d)
                break;
        }
-        return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
+        return hci_conn_security(conn->hcon, d->sec_level, auth_type);
-                                                                auth_type);
 }
 static void rfcomm_session_timeout(unsigned long arg)
@@ -710,10 +711,10 @@ static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
        /* Set L2CAP options */
        sk = sock->sk;
        lock_sock(sk);
-        l2cap_pi(sk)->imtu = l2cap_mtu;
+        l2cap_pi(sk)->chan->imtu = l2cap_mtu;
-        l2cap_pi(sk)->sec_level = sec_level;
+        l2cap_pi(sk)->chan->sec_level = sec_level;
        if (l2cap_ertm)
-                l2cap_pi(sk)->mode = L2CAP_MODE_ERTM;
+                l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
        release_sock(sk);
        s = rfcomm_session_add(sock, BT_BOUND);
@@ -1241,6 +1242,7 @@ static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
 {
        struct sock *sk = d->session->sock->sk;
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
        BT_DBG("dlc %p", d);
@@ -1254,7 +1256,7 @@ void rfcomm_dlc_accept(struct rfcomm_dlc *d)
        rfcomm_dlc_unlock(d);
        if (d->role_switch)
-                hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
+                hci_conn_switch_role(conn->hcon, 0x00);
        rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
 }
@@ -1890,7 +1892,8 @@ static inline void rfcomm_accept_connection(struct rfcomm_session *s)
                /* We should adjust MTU on incoming sessions.
                 * L2CAP MTU minus UIH header and FCS. */
-                s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
+                s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
+                                l2cap_pi(nsock->sk)->chan->imtu) - 5;
                rfcomm_schedule();
        } else
@@ -1909,7 +1912,7 @@ static inline void rfcomm_check_connection(struct rfcomm_session *s)
                /* We can adjust MTU on outgoing sessions.
                 * L2CAP MTU minus UIH header and FCS. */
-                s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
+                s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
                rfcomm_send_sabm(s, 0);
                break;
@@ -1992,7 +1995,7 @@ static int rfcomm_add_listener(bdaddr_t *ba)
        /* Set L2CAP options */
        sk = sock->sk;
        lock_sock(sk);
-        l2cap_pi(sk)->imtu = l2cap_mtu;
+        l2cap_pi(sk)->chan->imtu = l2cap_mtu;
        release_sock(sk);
        /* Start listening on the socket */
@@ -2093,7 +2096,7 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
                if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
                        continue;
-                if (!status)
+                if (!status && hci_conn_check_secure(conn, d->sec_level))
                        set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
                else
                        set_bit(RFCOMM_AUTH_REJECT, &d->flags);
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 66cc1f0c3df8..1b10727ce523 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -743,6 +743,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
        struct sock *sk = sock->sk;
        struct sock *l2cap_sk;
        struct rfcomm_conninfo cinfo;
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
        int len, err = 0;
        u32 opt;
@@ -787,8 +788,9 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
                l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
-                cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+                memset(&cinfo, 0, sizeof(cinfo));
-                memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+                cinfo.hci_handle = conn->hcon->handle;
+                memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
                len = min_t(unsigned int, len, sizeof(cinfo));
                if (copy_to_user(optval, (char *) &cinfo, len))
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 42fdffd1d76c..cb4fb7837e5c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -369,6 +369,15 @@ static void __sco_sock_close(struct sock *sk)
        case BT_CONNECTED:
        case BT_CONFIG:
+                if (sco_pi(sk)->conn) {
+                        sk->sk_state = BT_DISCONN;
+                        sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
+                        hci_conn_put(sco_pi(sk)->conn->hcon);
+                        sco_pi(sk)->conn->hcon = NULL;
+                } else
+                        sco_chan_del(sk, ECONNRESET);
+                break;
        case BT_CONNECT:
        case BT_DISCONN:
                sco_chan_del(sk, ECONNRESET);
@@ -819,7 +828,9 @@ static void sco_chan_del(struct sock *sk, int err)
                conn->sk = NULL;
                sco_pi(sk)->conn = NULL;
                sco_conn_unlock(conn);
-                hci_conn_put(conn->hcon);
+                if (conn->hcon)
+                        hci_conn_put(conn->hcon);
        }
        sk->sk_state = BT_CLOSED;
diff --git a/net/bridge/br.c b/net/bridge/br.c
index 84bbb82599b2..f20c4fd915a8 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -104,3 +104,4 @@ module_init(br_init)
 module_exit(br_deinit)
 MODULE_LICENSE("GPL");
 MODULE_VERSION(BR_VERSION);
+MODULE_ALIAS_RTNL_LINK("bridge");
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 21e5901186ea..32b8f9f7f79e 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -49,7 +49,9 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
        skb_pull(skb, ETH_HLEN);
        rcu_read_lock();
-        if (is_multicast_ether_addr(dest)) {
+        if (is_broadcast_ether_addr(dest))
+                br_flood_deliver(br, skb);
+        else if (is_multicast_ether_addr(dest)) {
                if (unlikely(netpoll_tx_running(dev))) {
                        br_flood_deliver(br, skb);
                        goto out;
@@ -74,13 +76,23 @@ out:
        return NETDEV_TX_OK;
 }
+static int br_dev_init(struct net_device *dev)
+{
+        struct net_bridge *br = netdev_priv(dev);
+        br->stats = alloc_percpu(struct br_cpu_netstats);
+        if (!br->stats)
+                return -ENOMEM;
+        return 0;
+}
 static int br_dev_open(struct net_device *dev)
 {
        struct net_bridge *br = netdev_priv(dev);
        netif_carrier_off(dev);
+        netdev_update_features(dev);
-        br_features_recompute(br);
        netif_start_queue(dev);
        br_stp_enable_bridge(br);
        br_multicast_open(br);
@@ -177,48 +189,11 @@ static void br_getinfo(struct net_device *dev, struct ethtool_drvinfo *info)
        strcpy(info->bus_info, "N/A");
 }
-static int br_set_sg(struct net_device *dev, u32 data)
+static u32 br_fix_features(struct net_device *dev, u32 features)
 {
        struct net_bridge *br = netdev_priv(dev);
-        if (data)
+        return br_features_recompute(br, features);
-                br->feature_mask |= NETIF_F_SG;
-        else
-                br->feature_mask &= ~NETIF_F_SG;
-        br_features_recompute(br);
-        return 0;
-}
-static int br_set_tso(struct net_device *dev, u32 data)
-{
-        struct net_bridge *br = netdev_priv(dev);
-        if (data)
-                br->feature_mask |= NETIF_F_TSO;
-        else
-                br->feature_mask &= ~NETIF_F_TSO;
-        br_features_recompute(br);
-        return 0;
-}
-static int br_set_tx_csum(struct net_device *dev, u32 data)
-{
-        struct net_bridge *br = netdev_priv(dev);
-        if (data)
-                br->feature_mask |= NETIF_F_NO_CSUM;
-        else
-                br->feature_mask &= ~NETIF_F_ALL_CSUM;
-        br_features_recompute(br);
-        return 0;
-}
-static int br_set_flags(struct net_device *netdev, u32 data)
-{
-        return ethtool_op_set_flags(netdev, data, ETH_FLAG_TXVLAN);
 }
 #ifdef CONFIG_NET_POLL_CONTROLLER
@@ -270,6 +245,7 @@ int br_netpoll_enable(struct net_bridge_port *p)
                goto out;
        np->dev = p->dev;
+        strlcpy(np->dev_name, p->dev->name, IFNAMSIZ);
        err = __netpoll_setup(np);
        if (err) {
@@ -319,21 +295,12 @@ static int br_del_slave(struct net_device *dev, struct net_device *slave_dev)
 static const struct ethtool_ops br_ethtool_ops = {
        .get_drvinfo    = br_getinfo,
        .get_link       = ethtool_op_get_link,
-        .get_tx_csum    = ethtool_op_get_tx_csum,
-        .set_tx_csum    = br_set_tx_csum,
-        .get_sg         = ethtool_op_get_sg,
-        .set_sg         = br_set_sg,
-        .get_tso        = ethtool_op_get_tso,
-        .set_tso        = br_set_tso,
-        .get_ufo        = ethtool_op_get_ufo,
-        .set_ufo        = ethtool_op_set_ufo,
-        .get_flags      = ethtool_op_get_flags,
-        .set_flags      = br_set_flags,
 };
 static const struct net_device_ops br_netdev_ops = {
        .ndo_open                = br_dev_open,
        .ndo_stop                = br_dev_stop,
+        .ndo_init                = br_dev_init,
        .ndo_start_xmit          = br_dev_xmit,
        .ndo_get_stats64         = br_get_stats64,
        .ndo_set_mac_address     = br_set_mac_address,
@@ -347,6 +314,7 @@ static const struct net_device_ops br_netdev_ops = {
 #endif
        .ndo_add_slave           = br_add_slave,
        .ndo_del_slave           = br_del_slave,
+        .ndo_fix_features        = br_fix_features,
 };
 static void br_dev_free(struct net_device *dev)
@@ -357,18 +325,49 @@ static void br_dev_free(struct net_device *dev)
        free_netdev(dev);
 }
+static struct device_type br_type = {
+        .name   = "bridge",
+};
 void br_dev_setup(struct net_device *dev)
 {
+        struct net_bridge *br = netdev_priv(dev);
        random_ether_addr(dev->dev_addr);
        ether_setup(dev);
        dev->netdev_ops = &br_netdev_ops;
        dev->destructor = br_dev_free;
        SET_ETHTOOL_OPS(dev, &br_ethtool_ops);
+        SET_NETDEV_DEVTYPE(dev, &br_type);
        dev->tx_queue_len = 0;
        dev->priv_flags = IFF_EBRIDGE;
        dev->features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_HIGHDMA |
                        NETIF_F_GSO_MASK | NETIF_F_NO_CSUM | NETIF_F_LLTX |
-                        NETIF_F_NETNS_LOCAL | NETIF_F_GSO | NETIF_F_HW_VLAN_TX;
+                        NETIF_F_NETNS_LOCAL | NETIF_F_HW_VLAN_TX;
+        dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_HIGHDMA |
+                           NETIF_F_GSO_MASK | NETIF_F_NO_CSUM |
+                           NETIF_F_HW_VLAN_TX;
+        br->dev = dev;
+        spin_lock_init(&br->lock);
+        INIT_LIST_HEAD(&br->port_list);
+        spin_lock_init(&br->hash_lock);
+        br->bridge_id.prio[0] = 0x80;
+        br->bridge_id.prio[1] = 0x00;
+        memcpy(br->group_addr, br_group_address, ETH_ALEN);
+        br->stp_enabled = BR_NO_STP;
+        br->designated_root = br->bridge_id;
+        br->bridge_max_age = br->max_age = 20 * HZ;
+        br->bridge_hello_time = br->hello_time = 2 * HZ;
+        br->bridge_forward_delay = br->forward_delay = 15 * HZ;
+        br->ageing_time = 300 * HZ;
+        br_netfilter_rtable_init(br);
+        br_stp_timer_init(br);
+        br_multicast_init(br);
 }
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index cc4d3c5ab1c6..e0dfbc151dd7 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -28,6 +28,7 @@
 static struct kmem_cache *br_fdb_cache __read_mostly;
 static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
                      const unsigned char *addr);
+static void fdb_notify(const struct net_bridge_fdb_entry *, int);
 static u32 fdb_salt __read_mostly;
@@ -62,7 +63,7 @@ static inline int has_expired(const struct net_bridge *br,
                                  const struct net_bridge_fdb_entry *fdb)
 {
        return !fdb->is_static &&
-                time_before_eq(fdb->ageing_timer + hold_time(br), jiffies);
+                time_before_eq(fdb->updated + hold_time(br), jiffies);
 }
 static inline int br_mac_hash(const unsigned char *mac)
@@ -81,6 +82,7 @@ static void fdb_rcu_free(struct rcu_head *head)
 static inline void fdb_delete(struct net_bridge_fdb_entry *f)
 {
+        fdb_notify(f, RTM_DELNEIGH);
        hlist_del_rcu(&f->hlist);
        call_rcu(&f->rcu, fdb_rcu_free);
 }
@@ -140,7 +142,7 @@ void br_fdb_cleanup(unsigned long _data)
                        unsigned long this_timer;
                        if (f->is_static)
                                continue;
-                        this_timer = f->ageing_timer + delay;
+                        this_timer = f->updated + delay;
                        if (time_before_eq(this_timer, jiffies))
                                fdb_delete(f);
                        else if (time_before(this_timer, next_timer))
@@ -293,7 +295,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
                        fe->is_local = f->is_local;
                        if (!f->is_static)
-                                fe->ageing_timer_value = jiffies_to_clock_t(jiffies - f->ageing_timer);
+                                fe->ageing_timer_value = jiffies_to_clock_t(jiffies - f->updated);
                        ++fe;
                        ++num;
                }
@@ -305,8 +307,21 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
        return num;
 }
-static inline struct net_bridge_fdb_entry *fdb_find(struct hlist_head *head,
+static struct net_bridge_fdb_entry *fdb_find(struct hlist_head *head,
-                                                    const unsigned char *addr)
+                                             const unsigned char *addr)
+{
+        struct hlist_node *h;
+        struct net_bridge_fdb_entry *fdb;
+        hlist_for_each_entry(fdb, h, head, hlist) {
+                if (!compare_ether_addr(fdb->addr.addr, addr))
+                        return fdb;
+        }
+        return NULL;
+}
+static struct net_bridge_fdb_entry *fdb_find_rcu(struct hlist_head *head,
+                                                 const unsigned char *addr)
 {
        struct hlist_node *h;
        struct net_bridge_fdb_entry *fdb;
@@ -320,8 +335,7 @@ static inline struct net_bridge_fdb_entry *fdb_find(struct hlist_head *head,
 static struct net_bridge_fdb_entry *fdb_create(struct hlist_head *head,
                                               struct net_bridge_port *source,
-                                               const unsigned char *addr,
+                                               const unsigned char *addr)
-                                               int is_local)
 {
        struct net_bridge_fdb_entry *fdb;
@@ -329,11 +343,11 @@ static struct net_bridge_fdb_entry *fdb_create(struct hlist_head *head,
        if (fdb) {
                memcpy(fdb->addr.addr, addr, ETH_ALEN);
                fdb->dst = source;
-                fdb->is_local = is_local;
+                fdb->is_local = 0;
-                fdb->is_static = is_local;
+                fdb->is_static = 0;
-                fdb->ageing_timer = jiffies;
+                fdb->updated = fdb->used = jiffies;
                hlist_add_head_rcu(&fdb->hlist, head);
+                fdb_notify(fdb, RTM_NEWNEIGH);
        }
        return fdb;
 }
@@ -360,12 +374,15 @@ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
                fdb_delete(fdb);
        }
-        if (!fdb_create(head, source, addr, 1))
+        fdb = fdb_create(head, source, addr);
+        if (!fdb)
                return -ENOMEM;
+        fdb->is_local = fdb->is_static = 1;
        return 0;
 }
+/* Add entry for local address of interface */
 int br_fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
                  const unsigned char *addr)
 {
@@ -392,7 +409,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
              source->state == BR_STATE_FORWARDING))
                return;
-        fdb = fdb_find(head, addr);
+        fdb = fdb_find_rcu(head, addr);
        if (likely(fdb)) {
                /* attempt to update an entry for a local interface */
                if (unlikely(fdb->is_local)) {
@@ -403,15 +420,277 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
                } else {
                        /* fastpath: update of existing entry */
                        fdb->dst = source;
-                        fdb->ageing_timer = jiffies;
+                        fdb->updated = jiffies;
                }
        } else {
                spin_lock(&br->hash_lock);
-                if (!fdb_find(head, addr))
+                if (likely(!fdb_find(head, addr)))
-                        fdb_create(head, source, addr, 0);
+                        fdb_create(head, source, addr);
                /* else  we lose race and someone else inserts
                 * it first, don't bother updating
                 */
                spin_unlock(&br->hash_lock);
        }
 }
+static int fdb_to_nud(const struct net_bridge_fdb_entry *fdb)
+{
+        if (fdb->is_local)
+                return NUD_PERMANENT;
+        else if (fdb->is_static)
+                return NUD_NOARP;
+        else if (has_expired(fdb->dst->br, fdb))
+                return NUD_STALE;
+        else
+                return NUD_REACHABLE;
+}
+static int fdb_fill_info(struct sk_buff *skb,
+                         const struct net_bridge_fdb_entry *fdb,
+                         u32 pid, u32 seq, int type, unsigned int flags)
+{
+        unsigned long now = jiffies;
+        struct nda_cacheinfo ci;
+        struct nlmsghdr *nlh;
+        struct ndmsg *ndm;
+        nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndm), flags);
+        if (nlh == NULL)
+                return -EMSGSIZE;
+        ndm = nlmsg_data(nlh);
+        ndm->ndm_family  = AF_BRIDGE;
+        ndm->ndm_pad1    = 0;
+        ndm->ndm_pad2    = 0;
+        ndm->ndm_flags   = 0;
+        ndm->ndm_type    = 0;
+        ndm->ndm_ifindex = fdb->dst->dev->ifindex;
+        ndm->ndm_state   = fdb_to_nud(fdb);
+        NLA_PUT(skb, NDA_LLADDR, ETH_ALEN, &fdb->addr);
+        ci.ndm_used      = jiffies_to_clock_t(now - fdb->used);
+        ci.ndm_confirmed = 0;
+        ci.ndm_updated   = jiffies_to_clock_t(now - fdb->updated);
+        ci.ndm_refcnt    = 0;
+        NLA_PUT(skb, NDA_CACHEINFO, sizeof(ci), &ci);
+        return nlmsg_end(skb, nlh);
+nla_put_failure:
+        nlmsg_cancel(skb, nlh);
+        return -EMSGSIZE;
+}
+static inline size_t fdb_nlmsg_size(void)
+{
+        return NLMSG_ALIGN(sizeof(struct ndmsg))
+                + nla_total_size(ETH_ALEN) /* NDA_LLADDR */
+                + nla_total_size(sizeof(struct nda_cacheinfo));
+}
+static void fdb_notify(const struct net_bridge_fdb_entry *fdb, int type)
+{
+        struct net *net = dev_net(fdb->dst->dev);
+        struct sk_buff *skb;
+        int err = -ENOBUFS;
+        skb = nlmsg_new(fdb_nlmsg_size(), GFP_ATOMIC);
+        if (skb == NULL)
+                goto errout;
+        err = fdb_fill_info(skb, fdb, 0, 0, type, 0);
+        if (err < 0) {
+                /* -EMSGSIZE implies BUG in fdb_nlmsg_size() */
+                WARN_ON(err == -EMSGSIZE);
+                kfree_skb(skb);
+                goto errout;
+        }
+        rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
+        return;
+errout:
+        if (err < 0)
+                rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
+}
+/* Dump information about entries, in response to GETNEIGH */
+int br_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
+{
+        struct net *net = sock_net(skb->sk);
+        struct net_device *dev;
+        int idx = 0;
+        rcu_read_lock();
+        for_each_netdev_rcu(net, dev) {
+                struct net_bridge *br = netdev_priv(dev);
+                int i;
+                if (!(dev->priv_flags & IFF_EBRIDGE))
+                        continue;
+                for (i = 0; i < BR_HASH_SIZE; i++) {
+                        struct hlist_node *h;
+                        struct net_bridge_fdb_entry *f;
+                        hlist_for_each_entry_rcu(f, h, &br->hash[i], hlist) {
+                                if (idx < cb->args[0])
+                                        goto skip;
+                                if (fdb_fill_info(skb, f,
+                                                  NETLINK_CB(cb->skb).pid,
+                                                  cb->nlh->nlmsg_seq,
+                                                  RTM_NEWNEIGH,
+                                                  NLM_F_MULTI) < 0)
+                                        break;
+skip:
+                                ++idx;
+                        }
+                }
+        }
+        rcu_read_unlock();
+        cb->args[0] = idx;
+        return skb->len;
+}
+/* Create new static fdb entry */
+static int fdb_add_entry(struct net_bridge_port *source, const __u8 *addr,
+                         __u16 state)
+{
+        struct net_bridge *br = source->br;
+        struct hlist_head *head = &br->hash[br_mac_hash(addr)];
+        struct net_bridge_fdb_entry *fdb;
+        fdb = fdb_find(head, addr);
+        if (fdb)
+                return -EEXIST;
+        fdb = fdb_create(head, source, addr);
+        if (!fdb)
+                return -ENOMEM;
+        if (state & NUD_PERMANENT)
+                fdb->is_local = fdb->is_static = 1;
+        else if (state & NUD_NOARP)
+                fdb->is_static = 1;
+        return 0;
+}
+/* Add new permanent fdb entry with RTM_NEWNEIGH */
+int br_fdb_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
+{
+        struct net *net = sock_net(skb->sk);
+        struct ndmsg *ndm;
+        struct nlattr *tb[NDA_MAX+1];
+        struct net_device *dev;
+        struct net_bridge_port *p;
+        const __u8 *addr;
+        int err;
+        ASSERT_RTNL();
+        err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL);
+        if (err < 0)
+                return err;
+        ndm = nlmsg_data(nlh);
+        if (ndm->ndm_ifindex == 0) {
+                pr_info("bridge: RTM_NEWNEIGH with invalid ifindex\n");
+                return -EINVAL;
+        }
+        dev = __dev_get_by_index(net, ndm->ndm_ifindex);
+        if (dev == NULL) {
+                pr_info("bridge: RTM_NEWNEIGH with unknown ifindex\n");
+                return -ENODEV;
+        }
+        if (!tb[NDA_LLADDR] || nla_len(tb[NDA_LLADDR]) != ETH_ALEN) {
+                pr_info("bridge: RTM_NEWNEIGH with invalid address\n");
+                return -EINVAL;
+        }
+        addr = nla_data(tb[NDA_LLADDR]);
+        if (!is_valid_ether_addr(addr)) {
+                pr_info("bridge: RTM_NEWNEIGH with invalid ether address\n");
+                return -EINVAL;
+        }
+        p = br_port_get_rtnl(dev);
+        if (p == NULL) {
+                pr_info("bridge: RTM_NEWNEIGH %s not a bridge port\n",
+                        dev->name);
+                return -EINVAL;
+        }
+        spin_lock_bh(&p->br->hash_lock);
+        err = fdb_add_entry(p, addr, ndm->ndm_state);
+        spin_unlock_bh(&p->br->hash_lock);
+        return err;
+}
+static int fdb_delete_by_addr(struct net_bridge_port *p, const u8 *addr)
+{
+        struct net_bridge *br = p->br;
+        struct hlist_head *head = &br->hash[br_mac_hash(addr)];
+        struct net_bridge_fdb_entry *fdb;
+        fdb = fdb_find(head, addr);
+        if (!fdb)
+                return -ENOENT;
+        fdb_delete(fdb);
+        return 0;
+}
+/* Remove neighbor entry with RTM_DELNEIGH */
+int br_fdb_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
+{
+        struct net *net = sock_net(skb->sk);
+        struct ndmsg *ndm;
+        struct net_bridge_port *p;
+        struct nlattr *llattr;
+        const __u8 *addr;
+        struct net_device *dev;
+        int err;
+        ASSERT_RTNL();
+        if (nlmsg_len(nlh) < sizeof(*ndm))
+                return -EINVAL;
+        ndm = nlmsg_data(nlh);
+        if (ndm->ndm_ifindex == 0) {
+                pr_info("bridge: RTM_DELNEIGH with invalid ifindex\n");
+                return -EINVAL;
+        }
+        dev = __dev_get_by_index(net, ndm->ndm_ifindex);
+        if (dev == NULL) {
+                pr_info("bridge: RTM_DELNEIGH with unknown ifindex\n");
+                return -ENODEV;
+        }
+        llattr = nlmsg_find_attr(nlh, sizeof(*ndm), NDA_LLADDR);
+        if (llattr == NULL || nla_len(llattr) != ETH_ALEN) {
+                pr_info("bridge: RTM_DELNEIGH with invalid address\n");
+                return -EINVAL;
+        }
+        addr = nla_data(llattr);
+        p = br_port_get_rtnl(dev);
+        if (p == NULL) {
+                pr_info("bridge: RTM_DELNEIGH %s not a bridge port\n",
+                        dev->name);
+                return -EINVAL;
+        }
+        spin_lock_bh(&p->br->hash_lock);
+        err = fdb_delete_by_addr(p, addr);
+        spin_unlock_bh(&p->br->hash_lock);
+        return err;
+}
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 718b60366dfe..1bacca4cb676 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -36,8 +36,8 @@ static int port_cost(struct net_device *dev)
        if (dev->ethtool_ops && dev->ethtool_ops->get_settings) {
                struct ethtool_cmd ecmd = { .cmd = ETHTOOL_GSET, };
-                if (!dev->ethtool_ops->get_settings(dev, &ecmd)) {
+                if (!dev_ethtool_get_settings(dev, &ecmd)) {
-                        switch(ecmd.speed) {
+                        switch (ethtool_cmd_speed(&ecmd)) {
                        case SPEED_10000:
                                return 2;
                        case SPEED_1000:
@@ -147,6 +147,7 @@ static void del_nbp(struct net_bridge_port *p)
        dev->priv_flags &= ~IFF_BRIDGE_PORT;
        netdev_rx_handler_unregister(dev);
+        synchronize_net();
        netdev_set_master(dev, NULL);
@@ -175,56 +176,6 @@ static void del_br(struct net_bridge *br, struct list_head *head)
        unregister_netdevice_queue(br->dev, head);
 }
-static struct net_device *new_bridge_dev(struct net *net, const char *name)
-{
-        struct net_bridge *br;
-        struct net_device *dev;
-        dev = alloc_netdev(sizeof(struct net_bridge), name,
-                           br_dev_setup);
-        if (!dev)
-                return NULL;
-        dev_net_set(dev, net);
-        br = netdev_priv(dev);
-        br->dev = dev;
-        br->stats = alloc_percpu(struct br_cpu_netstats);
-        if (!br->stats) {
-                free_netdev(dev);
-                return NULL;
-        }
-        spin_lock_init(&br->lock);
-        INIT_LIST_HEAD(&br->port_list);
-        spin_lock_init(&br->hash_lock);
-        br->bridge_id.prio[0] = 0x80;
-        br->bridge_id.prio[1] = 0x00;
-        memcpy(br->group_addr, br_group_address, ETH_ALEN);
-        br->feature_mask = dev->features;
-        br->stp_enabled = BR_NO_STP;
-        br->designated_root = br->bridge_id;
-        br->root_path_cost = 0;
-        br->root_port = 0;
-        br->bridge_max_age = br->max_age = 20 * HZ;
-        br->bridge_hello_time = br->hello_time = 2 * HZ;
-        br->bridge_forward_delay = br->forward_delay = 15 * HZ;
-        br->topology_change = 0;
-        br->topology_change_detected = 0;
-        br->ageing_time = 300 * HZ;
-        br_netfilter_rtable_init(br);
-        br_stp_timer_init(br);
-        br_multicast_init(br);
-        return dev;
-}
 /* find an available port number */
 static int find_portno(struct net_bridge *br)
 {
@@ -277,42 +228,19 @@ static struct net_bridge_port *new_nbp(struct net_bridge *br,
        return p;
 }
-static struct device_type br_type = {
-        .name   = "bridge",
-};
 int br_add_bridge(struct net *net, const char *name)
 {
        struct net_device *dev;
-        int ret;
-        dev = new_bridge_dev(net, name);
+        dev = alloc_netdev(sizeof(struct net_bridge), name,
+                           br_dev_setup);
        if (!dev)
                return -ENOMEM;
-        rtnl_lock();
+        dev_net_set(dev, net);
-        if (strchr(dev->name, '%')) {
-                ret = dev_alloc_name(dev, dev->name);
-                if (ret < 0)
-                        goto out_free;
-        }
-        SET_NETDEV_DEVTYPE(dev, &br_type);
-        ret = register_netdevice(dev);
-        if (ret)
-                goto out_free;
-        ret = br_sysfs_addbr(dev);
-        if (ret)
-                unregister_netdevice(dev);
- out:
-        rtnl_unlock();
-        return ret;
-out_free:
+        return register_netdev(dev);
-        free_netdev(dev);
-        goto out;
 }
 int br_del_bridge(struct net *net, const char *name)
@@ -364,15 +292,15 @@ int br_min_mtu(const struct net_bridge *br)
 /*
 * Recomputes features using slave's features
 */
-void br_features_recompute(struct net_bridge *br)
+u32 br_features_recompute(struct net_bridge *br, u32 features)
 {
        struct net_bridge_port *p;
-        u32 features, mask;
+        u32 mask;
-        features = mask = br->feature_mask;
        if (list_empty(&br->port_list))
-                goto done;
+                return features;
+        mask = features;
        features &= ~NETIF_F_ONE_FOR_ALL;
        list_for_each_entry(p, &br->port_list, list) {
@@ -380,8 +308,7 @@ void br_features_recompute(struct net_bridge *br)
                                                     p->dev->features, mask);
        }
-done:
+        return features;
-        br->dev->features = netdev_fix_features(br->dev, features);
 }
 /* called with RTNL */
@@ -412,6 +339,8 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
        if (IS_ERR(p))
                return PTR_ERR(p);
+        call_netdevice_notifiers(NETDEV_JOIN, dev);
        err = dev_set_promiscuity(dev, 1);
        if (err)
                goto put_back;
@@ -446,9 +375,10 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
        list_add_rcu(&p->list, &br->port_list);
+        netdev_update_features(br->dev);
        spin_lock_bh(&br->lock);
        changed_addr = br_stp_recalculate_bridge_id(br);
-        br_features_recompute(br);
        if ((dev->flags & IFF_UP) && netif_carrier_ok(dev) &&
            (br->dev->flags & IFF_UP))
@@ -496,9 +426,10 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
        spin_lock_bh(&br->lock);
        br_stp_recalculate_bridge_id(br);
-        br_features_recompute(br);
        spin_unlock_bh(&br->lock);
+        netdev_update_features(br->dev);
        return 0;
 }
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 0c7badad62af..f06ee39c73fd 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -60,7 +60,7 @@ int br_handle_frame_finish(struct sk_buff *skb)
        br = p->br;
        br_fdb_update(br, p, eth_hdr(skb)->h_source);
-        if (is_multicast_ether_addr(dest) &&
+        if (!is_broadcast_ether_addr(dest) && is_multicast_ether_addr(dest) &&
            br_multicast_rcv(br, p, skb))
                goto drop;
@@ -77,7 +77,9 @@ int br_handle_frame_finish(struct sk_buff *skb)
        dst = NULL;
-        if (is_multicast_ether_addr(dest)) {
+        if (is_broadcast_ether_addr(dest))
+                skb2 = skb;
+        else if (is_multicast_ether_addr(dest)) {
                mdst = br_mdb_get(br, skb);
                if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) {
                        if ((mdst && mdst->mglist) ||
@@ -98,9 +100,10 @@ int br_handle_frame_finish(struct sk_buff *skb)
        }
        if (skb) {
-                if (dst)
+                if (dst) {
+                        dst->used = jiffies;
                        br_forward(dst->dst, skb, skb2);
-                else
+                } else
                        br_flood_forward(br, skb, skb2);
        }
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 3d9fca0e3370..7222fe1d5460 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -181,40 +181,19 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                spin_lock_bh(&br->lock);
+                return br_set_forward_delay(br, args[1]);
-                br->bridge_forward_delay = clock_t_to_jiffies(args[1]);
-                if (br_is_root_bridge(br))
-                        br->forward_delay = br->bridge_forward_delay;
-                spin_unlock_bh(&br->lock);
-                return 0;
        case BRCTL_SET_BRIDGE_HELLO_TIME:
-        {
-                unsigned long t = clock_t_to_jiffies(args[1]);
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                if (t < HZ)
+                return br_set_hello_time(br, args[1]);
-                        return -EINVAL;
-                spin_lock_bh(&br->lock);
-                br->bridge_hello_time = t;
-                if (br_is_root_bridge(br))
-                        br->hello_time = br->bridge_hello_time;
-                spin_unlock_bh(&br->lock);
-                return 0;
-        }
        case BRCTL_SET_BRIDGE_MAX_AGE:
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                spin_lock_bh(&br->lock);
+                return br_set_max_age(br, args[1]);
-                br->bridge_max_age = clock_t_to_jiffies(args[1]);
-                if (br_is_root_bridge(br))
-                        br->max_age = br->bridge_max_age;
-                spin_unlock_bh(&br->lock);
-                return 0;
        case BRCTL_SET_AGEING_TIME:
                if (!capable(CAP_NET_ADMIN))
@@ -275,19 +254,16 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
        case BRCTL_SET_PORT_PRIORITY:
        {
                struct net_bridge_port *p;
-                int ret = 0;
+                int ret;
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                if (args[2] >= (1<<(16-BR_PORT_BITS)))
-                        return -ERANGE;
                spin_lock_bh(&br->lock);
                if ((p = br_get_port(br, args[1])) == NULL)
                        ret = -EINVAL;
                else
-                        br_stp_set_port_priority(p, args[2]);
+                        ret = br_stp_set_port_priority(p, args[2]);
                spin_unlock_bh(&br->lock);
                return ret;
        }
@@ -295,15 +271,17 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
        case BRCTL_SET_PATH_COST:
        {
                struct net_bridge_port *p;
-                int ret = 0;
+                int ret;
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
+                spin_lock_bh(&br->lock);
                if ((p = br_get_port(br, args[1])) == NULL)
                        ret = -EINVAL;
                else
-                        br_stp_set_path_cost(p, args[2]);
+                        ret = br_stp_set_path_cost(p, args[2]);
+                spin_unlock_bh(&br->lock);
                return ret;
        }
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 59660c909a7c..2d85ca7111d3 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -413,7 +413,7 @@ out:
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
-                                                    struct in6_addr *group)
+                                                    const struct in6_addr *group)
 {
        struct sk_buff *skb;
        struct ipv6hdr *ip6h;
@@ -1115,7 +1115,7 @@ static int br_ip4_multicast_query(struct net_bridge *br,
                                  struct net_bridge_port *port,
                                  struct sk_buff *skb)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        struct igmphdr *ih = igmp_hdr(skb);
        struct net_bridge_mdb_entry *mp;
        struct igmpv3_query *ih3;
@@ -1190,7 +1190,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                                  struct net_bridge_port *port,
                                  struct sk_buff *skb)
 {
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        struct mld_msg *mld = (struct mld_msg *) icmp6_hdr(skb);
        struct net_bridge_mdb_entry *mp;
        struct mld2_query *mld2q;
@@ -1198,7 +1198,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
        struct net_bridge_port_group __rcu **pp;
        unsigned long max_delay;
        unsigned long now = jiffies;
-        struct in6_addr *group = NULL;
+        const struct in6_addr *group = NULL;
        int err = 0;
        spin_lock(&br->multicast_lock);
@@ -1356,7 +1356,7 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
                                 struct sk_buff *skb)
 {
        struct sk_buff *skb2 = skb;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct igmphdr *ih;
        unsigned len;
        unsigned offset;
@@ -1379,8 +1379,11 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
        if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
                return -EINVAL;
-        if (iph->protocol != IPPROTO_IGMP)
+        if (iph->protocol != IPPROTO_IGMP) {
+                if ((iph->daddr & IGMP_LOCAL_GROUP_MASK) != IGMP_LOCAL_GROUP)
+                        BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
                return 0;
+        }
        len = ntohs(iph->tot_len);
        if (skb->len < len || len < ip_hdrlen(skb))
@@ -1424,7 +1427,7 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
        switch (ih->type) {
        case IGMP_HOST_MEMBERSHIP_REPORT:
        case IGMPV2_HOST_MEMBERSHIP_REPORT:
-                BR_INPUT_SKB_CB(skb2)->mrouters_only = 1;
+                BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
                err = br_ip4_multicast_add_group(br, port, ih->group);
                break;
        case IGMPV3_HOST_MEMBERSHIP_REPORT:
@@ -1452,7 +1455,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
                                 struct sk_buff *skb)
 {
        struct sk_buff *skb2;
-        struct ipv6hdr *ip6h;
+        const struct ipv6hdr *ip6h;
        struct icmp6hdr *icmp6h;
        u8 nexthdr;
        unsigned len;
@@ -1543,7 +1546,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
                        goto out;
                }
                mld = (struct mld_msg *)skb_transport_header(skb2);
-                BR_INPUT_SKB_CB(skb2)->mrouters_only = 1;
+                BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
                err = br_ip6_multicast_add_group(br, port, &mld->mld_mca);
                break;
            }
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 74ef4d4846a4..56149ec36d7f 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -104,10 +104,16 @@ static void fake_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
+static u32 *fake_cow_metrics(struct dst_entry *dst, unsigned long old)
+{
+        return NULL;
+}
 static struct dst_ops fake_dst_ops = {
        .family =               AF_INET,
        .protocol =             cpu_to_be16(ETH_P_IP),
        .update_pmtu =          fake_update_pmtu,
+        .cow_metrics =          fake_cow_metrics,
 };
 /*
@@ -117,6 +123,10 @@ static struct dst_ops fake_dst_ops = {
 * ipt_REJECT needs it.  Future netfilter modules might
 * require us to fill additional fields.
 */
+static const u32 br_dst_default_metrics[RTAX_MAX] = {
+        [RTAX_MTU - 1] = 1500,
+};
 void br_netfilter_rtable_init(struct net_bridge *br)
 {
        struct rtable *rt = &br->fake_rtable;
@@ -124,7 +134,7 @@ void br_netfilter_rtable_init(struct net_bridge *br)
        atomic_set(&rt->dst.__refcnt, 1);
        rt->dst.dev = br->dev;
        rt->dst.path = &rt->dst;
-        dst_metric_set(&rt->dst, RTAX_MTU, 1500);
+        dst_init_metrics(&rt->dst, br_dst_default_metrics, true);
        rt->dst.flags   = DST_NOXFRM;
        rt->dst.ops = &fake_dst_ops;
 }
@@ -219,7 +229,7 @@ static inline void nf_bridge_update_protocol(struct sk_buff *skb)
 static int br_parse_ip_options(struct sk_buff *skb)
 {
        struct ip_options *opt;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct net_device *dev = skb->dev;
        u32 len;
@@ -554,7 +564,7 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
                                           const struct net_device *out,
                                           int (*okfn)(struct sk_buff *))
 {
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        u32 pkt_len;
        if (skb->len < sizeof(struct ipv6hdr))
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index f8bf4c7f842c..ffb0dc4cc0e8 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -12,9 +12,11 @@
 #include <linux/kernel.h>
 #include <linux/slab.h>
+#include <linux/etherdevice.h>
 #include <net/rtnetlink.h>
 #include <net/net_namespace.h>
 #include <net/sock.h>
 #include "br_private.h"
 static inline size_t br_nlmsg_size(void)
@@ -118,8 +120,9 @@ static int br_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
        int idx;
        idx = 0;
-        for_each_netdev(net, dev) {
+        rcu_read_lock();
-                struct net_bridge_port *port = br_port_get_rtnl(dev);
+        for_each_netdev_rcu(net, dev) {
+                struct net_bridge_port *port = br_port_get_rcu(dev);
                /* not a bridge port */
                if (!port || idx < cb->args[0])
@@ -133,7 +136,7 @@ static int br_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
 skip:
                ++idx;
        }
+        rcu_read_unlock();
        cb->args[0] = idx;
        return skb->len;
@@ -188,20 +191,61 @@ static int br_rtm_setlink(struct sk_buff *skb,  struct nlmsghdr *nlh, void *arg)
        return 0;
 }
+static int br_validate(struct nlattr *tb[], struct nlattr *data[])
+{
+        if (tb[IFLA_ADDRESS]) {
+                if (nla_len(tb[IFLA_ADDRESS]) != ETH_ALEN)
+                        return -EINVAL;
+                if (!is_valid_ether_addr(nla_data(tb[IFLA_ADDRESS])))
+                        return -EADDRNOTAVAIL;
+        }
+        return 0;
+}
+static struct rtnl_link_ops br_link_ops __read_mostly = {
+        .kind           = "bridge",
+        .priv_size      = sizeof(struct net_bridge),
+        .setup          = br_dev_setup,
+        .validate       = br_validate,
+};
 int __init br_netlink_init(void)
 {
-        if (__rtnl_register(PF_BRIDGE, RTM_GETLINK, NULL, br_dump_ifinfo))
+        int err;
-                return -ENOBUFS;
-        /* Only the first call to __rtnl_register can fail */
+        err = rtnl_link_register(&br_link_ops);
-        __rtnl_register(PF_BRIDGE, RTM_SETLINK, br_rtm_setlink, NULL);
+        if (err < 0)
+                goto err1;
+        err = __rtnl_register(PF_BRIDGE, RTM_GETLINK, NULL, br_dump_ifinfo);
+        if (err)
+                goto err2;
+        err = __rtnl_register(PF_BRIDGE, RTM_SETLINK, br_rtm_setlink, NULL);
+        if (err)
+                goto err3;
+        err = __rtnl_register(PF_BRIDGE, RTM_NEWNEIGH, br_fdb_add, NULL);
+        if (err)
+                goto err3;
+        err = __rtnl_register(PF_BRIDGE, RTM_DELNEIGH, br_fdb_delete, NULL);
+        if (err)
+                goto err3;
+        err = __rtnl_register(PF_BRIDGE, RTM_GETNEIGH, NULL, br_fdb_dump);
+        if (err)
+                goto err3;
        return 0;
+err3:
+        rtnl_unregister_all(PF_BRIDGE);
+err2:
+        rtnl_link_unregister(&br_link_ops);
+err1:
+        return err;
 }
 void __exit br_netlink_fini(void)
 {
+        rtnl_link_unregister(&br_link_ops);
        rtnl_unregister_all(PF_BRIDGE);
 }
diff --git a/net/bridge/br_notify.c b/net/bridge/br_notify.c
index 7d337c9b6082..6545ee9591d1 100644
--- a/net/bridge/br_notify.c
+++ b/net/bridge/br_notify.c
@@ -36,6 +36,12 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
        struct net_bridge *br;
        int err;
+        /* register of bridge completed, add sysfs entries */
+        if ((dev->priv_flags & IFF_EBRIDGE) && event == NETDEV_REGISTER) {
+                br_sysfs_addbr(dev);
+                return NOTIFY_DONE;
+        }
        /* not a port of a bridge */
        p = br_port_get_rtnl(dev);
        if (!p)
@@ -60,10 +66,7 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
                break;
        case NETDEV_FEAT_CHANGE:
-                spin_lock_bh(&br->lock);
+                netdev_update_features(br->dev);
-                if (netif_running(br->dev))
-                        br_features_recompute(br);
-                spin_unlock_bh(&br->lock);
                break;
        case NETDEV_DOWN:
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 387013d33745..54578f274d85 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -64,7 +64,8 @@ struct net_bridge_fdb_entry
        struct net_bridge_port          *dst;
        struct rcu_head                 rcu;
-        unsigned long                   ageing_timer;
+        unsigned long                   updated;
+        unsigned long                   used;
        mac_addr                        addr;
        unsigned char                   is_local;
        unsigned char                   is_static;
@@ -182,7 +183,6 @@ struct net_bridge
        struct br_cpu_netstats __percpu *stats;
        spinlock_t                      hash_lock;
        struct hlist_head               hash[BR_HASH_SIZE];
-        u32                             feature_mask;
 #ifdef CONFIG_BRIDGE_NETFILTER
        struct rtable                   fake_rtable;
        bool                            nf_call_iptables;
@@ -353,6 +353,9 @@ extern int br_fdb_insert(struct net_bridge *br,
 extern void br_fdb_update(struct net_bridge *br,
                          struct net_bridge_port *source,
                          const unsigned char *addr);
+extern int br_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb);
+extern int br_fdb_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg);
+extern int br_fdb_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg);
 /* br_forward.c */
 extern void br_deliver(const struct net_bridge_port *to,
@@ -375,7 +378,7 @@ extern int br_add_if(struct net_bridge *br,
 extern int br_del_if(struct net_bridge *br,
              struct net_device *dev);
 extern int br_min_mtu(const struct net_bridge *br);
-extern void br_features_recompute(struct net_bridge *br);
+extern u32 br_features_recompute(struct net_bridge *br, u32 features);
 /* br_input.c */
 extern int br_handle_frame_finish(struct sk_buff *skb);
@@ -491,6 +494,11 @@ extern struct net_bridge_port *br_get_port(struct net_bridge *br,
 extern void br_init_port(struct net_bridge_port *p);
 extern void br_become_designated_port(struct net_bridge_port *p);
+extern int br_set_forward_delay(struct net_bridge *br, unsigned long x);
+extern int br_set_hello_time(struct net_bridge *br, unsigned long x);
+extern int br_set_max_age(struct net_bridge *br, unsigned long x);
 /* br_stp_if.c */
 extern void br_stp_enable_bridge(struct net_bridge *br);
 extern void br_stp_disable_bridge(struct net_bridge *br);
@@ -501,10 +509,10 @@ extern bool br_stp_recalculate_bridge_id(struct net_bridge *br);
 extern void br_stp_change_bridge_id(struct net_bridge *br, const unsigned char *a);
 extern void br_stp_set_bridge_priority(struct net_bridge *br,
                                       u16 newprio);
-extern void br_stp_set_port_priority(struct net_bridge_port *p,
+extern int br_stp_set_port_priority(struct net_bridge_port *p,
-                                     u8 newprio);
+                                    unsigned long newprio);
-extern void br_stp_set_path_cost(struct net_bridge_port *p,
+extern int br_stp_set_path_cost(struct net_bridge_port *p,
-                                 u32 path_cost);
+                                unsigned long path_cost);
 extern ssize_t br_show_bridge_id(char *buf, const struct bridge_id *id);
 /* br_stp_bpdu.c */
diff --git a/net/bridge/br_private_stp.h b/net/bridge/br_private_stp.h
index 8b650f7fbfa0..642ef47a867e 100644
--- a/net/bridge/br_private_stp.h
+++ b/net/bridge/br_private_stp.h
@@ -16,6 +16,19 @@
 #define BPDU_TYPE_CONFIG 0
 #define BPDU_TYPE_TCN 0x80
+/* IEEE 802.1D-1998 timer values */
+#define BR_MIN_HELLO_TIME       (1*HZ)
+#define BR_MAX_HELLO_TIME       (10*HZ)
+#define BR_MIN_FORWARD_DELAY    (2*HZ)
+#define BR_MAX_FORWARD_DELAY    (30*HZ)
+#define BR_MIN_MAX_AGE          (6*HZ)
+#define BR_MAX_MAX_AGE          (40*HZ)
+#define BR_MIN_PATH_COST        1
+#define BR_MAX_PATH_COST        65535
 struct br_config_bpdu
 {
        unsigned        topology_change:1;
diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
index 7370d14f634d..bb4383e84de9 100644
--- a/net/bridge/br_stp.c
+++ b/net/bridge/br_stp.c
@@ -484,3 +484,51 @@ void br_received_tcn_bpdu(struct net_bridge_port *p)
                br_topology_change_acknowledge(p);
        }
 }
+/* Change bridge STP parameter */
+int br_set_hello_time(struct net_bridge *br, unsigned long val)
+{
+        unsigned long t = clock_t_to_jiffies(val);
+        if (t < BR_MIN_HELLO_TIME || t > BR_MAX_HELLO_TIME)
+                return -ERANGE;
+        spin_lock_bh(&br->lock);
+        br->bridge_hello_time = t;
+        if (br_is_root_bridge(br))
+                br->hello_time = br->bridge_hello_time;
+        spin_unlock_bh(&br->lock);
+        return 0;
+}
+int br_set_max_age(struct net_bridge *br, unsigned long val)
+{
+        unsigned long t = clock_t_to_jiffies(val);
+        if (t < BR_MIN_MAX_AGE || t > BR_MAX_MAX_AGE)
+                return -ERANGE;
+        spin_lock_bh(&br->lock);
+        br->bridge_max_age = t;
+        if (br_is_root_bridge(br))
+                br->max_age = br->bridge_max_age;
+        spin_unlock_bh(&br->lock);
+        return 0;
+}
+int br_set_forward_delay(struct net_bridge *br, unsigned long val)
+{
+        unsigned long t = clock_t_to_jiffies(val);
+        if (br->stp_enabled != BR_NO_STP &&
+            (t < BR_MIN_FORWARD_DELAY || t > BR_MAX_FORWARD_DELAY))
+                return -ERANGE;
+        spin_lock_bh(&br->lock);
+        br->bridge_forward_delay = t;
+        if (br_is_root_bridge(br))
+                br->forward_delay = br->bridge_forward_delay;
+        spin_unlock_bh(&br->lock);
+        return 0;
+}
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 9b61d09de9b9..6f615b8192f4 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -20,7 +20,7 @@
 /* Port id is composed of priority and port number.
- * NB: least significant bits of priority are dropped to
+ * NB: some bits of priority are dropped to
 *     make room for more ports.
 */
 static inline port_id br_make_port_id(__u8 priority, __u16 port_no)
@@ -29,6 +29,8 @@ static inline port_id br_make_port_id(__u8 priority, __u16 port_no)
                | (port_no & ((1<<BR_PORT_BITS)-1));
 }
+#define BR_MAX_PORT_PRIORITY ((u16)~0 >> BR_PORT_BITS)
 /* called under bridge lock */
 void br_init_port(struct net_bridge_port *p)
 {
@@ -255,10 +257,14 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
 }
 /* called under bridge lock */
-void br_stp_set_port_priority(struct net_bridge_port *p, u8 newprio)
+int br_stp_set_port_priority(struct net_bridge_port *p, unsigned long newprio)
 {
-        port_id new_port_id = br_make_port_id(newprio, p->port_no);
+        port_id new_port_id;
+        if (newprio > BR_MAX_PORT_PRIORITY)
+                return -ERANGE;
+        new_port_id = br_make_port_id(newprio, p->port_no);
        if (br_is_designated_port(p))
                p->designated_port = new_port_id;
@@ -269,14 +275,21 @@ void br_stp_set_port_priority(struct net_bridge_port *p, u8 newprio)
                br_become_designated_port(p);
                br_port_state_selection(p->br);
        }
+        return 0;
 }
 /* called under bridge lock */
-void br_stp_set_path_cost(struct net_bridge_port *p, u32 path_cost)
+int br_stp_set_path_cost(struct net_bridge_port *p, unsigned long path_cost)
 {
+        if (path_cost < BR_MIN_PATH_COST ||
+            path_cost > BR_MAX_PATH_COST)
+                return -ERANGE;
        p->path_cost = path_cost;
        br_configuration_update(p->br);
        br_port_state_selection(p->br);
+        return 0;
 }
 ssize_t br_show_bridge_id(char *buf, const struct bridge_id *id)
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index 5c1e5559ebba..68b893ea8c3a 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -43,9 +43,7 @@ static ssize_t store_bridge_parm(struct device *d,
        if (endp == buf)
                return -EINVAL;
-        spin_lock_bh(&br->lock);
        err = (*set)(br, val);
-        spin_unlock_bh(&br->lock);
        return err ? err : len;
 }
@@ -57,20 +55,11 @@ static ssize_t show_forward_delay(struct device *d,
        return sprintf(buf, "%lu\n", jiffies_to_clock_t(br->forward_delay));
 }
-static int set_forward_delay(struct net_bridge *br, unsigned long val)
-{
-        unsigned long delay = clock_t_to_jiffies(val);
-        br->forward_delay = delay;
-        if (br_is_root_bridge(br))
-                br->bridge_forward_delay = delay;
-        return 0;
-}
 static ssize_t store_forward_delay(struct device *d,
                                   struct device_attribute *attr,
                                   const char *buf, size_t len)
 {
-        return store_bridge_parm(d, buf, len, set_forward_delay);
+        return store_bridge_parm(d, buf, len, br_set_forward_delay);
 }
 static DEVICE_ATTR(forward_delay, S_IRUGO | S_IWUSR,
                   show_forward_delay, store_forward_delay);
@@ -82,24 +71,11 @@ static ssize_t show_hello_time(struct device *d, struct device_attribute *attr,
                       jiffies_to_clock_t(to_bridge(d)->hello_time));
 }
-static int set_hello_time(struct net_bridge *br, unsigned long val)
-{
-        unsigned long t = clock_t_to_jiffies(val);
-        if (t < HZ)
-                return -EINVAL;
-        br->hello_time = t;
-        if (br_is_root_bridge(br))
-                br->bridge_hello_time = t;
-        return 0;
-}
 static ssize_t store_hello_time(struct device *d,
                                struct device_attribute *attr, const char *buf,
                                size_t len)
 {
-        return store_bridge_parm(d, buf, len, set_hello_time);
+        return store_bridge_parm(d, buf, len, br_set_hello_time);
 }
 static DEVICE_ATTR(hello_time, S_IRUGO | S_IWUSR, show_hello_time,
                   store_hello_time);
@@ -111,19 +87,10 @@ static ssize_t show_max_age(struct device *d, struct device_attribute *attr,
                       jiffies_to_clock_t(to_bridge(d)->max_age));
 }
-static int set_max_age(struct net_bridge *br, unsigned long val)
-{
-        unsigned long t = clock_t_to_jiffies(val);
-        br->max_age = t;
-        if (br_is_root_bridge(br))
-                br->bridge_max_age = t;
-        return 0;
-}
 static ssize_t store_max_age(struct device *d, struct device_attribute *attr,
                             const char *buf, size_t len)
 {
-        return store_bridge_parm(d, buf, len, set_max_age);
+        return store_bridge_parm(d, buf, len, br_set_max_age);
 }
 static DEVICE_ATTR(max_age, S_IRUGO | S_IWUSR, show_max_age, store_max_age);
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index fd5799c9bc8d..6229b62749e8 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -23,7 +23,7 @@
 struct brport_attribute {
        struct attribute        attr;
        ssize_t (*show)(struct net_bridge_port *, char *);
-        ssize_t (*store)(struct net_bridge_port *, unsigned long);
+        int (*store)(struct net_bridge_port *, unsigned long);
 };
 #define BRPORT_ATTR(_name,_mode,_show,_store)                   \
@@ -38,27 +38,17 @@ static ssize_t show_path_cost(struct net_bridge_port *p, char *buf)
 {
        return sprintf(buf, "%d\n", p->path_cost);
 }
-static ssize_t store_path_cost(struct net_bridge_port *p, unsigned long v)
-{
-        br_stp_set_path_cost(p, v);
-        return 0;
-}
 static BRPORT_ATTR(path_cost, S_IRUGO | S_IWUSR,
-                   show_path_cost, store_path_cost);
+                   show_path_cost, br_stp_set_path_cost);
 static ssize_t show_priority(struct net_bridge_port *p, char *buf)
 {
        return sprintf(buf, "%d\n", p->priority);
 }
-static ssize_t store_priority(struct net_bridge_port *p, unsigned long v)
-{
-        if (v >= (1<<(16-BR_PORT_BITS)))
-                return -ERANGE;
-        br_stp_set_port_priority(p, v);
-        return 0;
-}
 static BRPORT_ATTR(priority, S_IRUGO | S_IWUSR,
-                         show_priority, store_priority);
+                         show_priority, br_stp_set_port_priority);
 static ssize_t show_designated_root(struct net_bridge_port *p, char *buf)
 {
@@ -136,7 +126,7 @@ static ssize_t show_hold_timer(struct net_bridge_port *p,
 }
 static BRPORT_ATTR(hold_timer, S_IRUGO, show_hold_timer, NULL);
-static ssize_t store_flush(struct net_bridge_port *p, unsigned long v)
+static int store_flush(struct net_bridge_port *p, unsigned long v)
 {
        br_fdb_delete_by_port(p->br, p, 0); // Don't delete local entry
        return 0;
@@ -148,7 +138,7 @@ static ssize_t show_hairpin_mode(struct net_bridge_port *p, char *buf)
        int hairpin_mode = (p->flags & BR_HAIRPIN_MODE) ? 1 : 0;
        return sprintf(buf, "%d\n", hairpin_mode);
 }
-static ssize_t store_hairpin_mode(struct net_bridge_port *p, unsigned long v)
+static int store_hairpin_mode(struct net_bridge_port *p, unsigned long v)
 {
        if (v)
                p->flags |= BR_HAIRPIN_MODE;
@@ -165,7 +155,7 @@ static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf)
        return sprintf(buf, "%d\n", p->multicast_router);
 }
-static ssize_t store_multicast_router(struct net_bridge_port *p,
+static int store_multicast_router(struct net_bridge_port *p,
                                      unsigned long v)
 {
        return br_multicast_set_port_router(p, v);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 1a92b369c820..2b5ca1a0054d 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1883,14 +1883,13 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
        struct xt_target *wt;
        void *dst = NULL;
        int off, pad = 0;
-        unsigned int size_kern, entry_offset, match_size = mwt->match_size;
+        unsigned int size_kern, match_size = mwt->match_size;
        strlcpy(name, mwt->u.name, sizeof(name));
        if (state->buf_kern_start)
                dst = state->buf_kern_start + state->buf_kern_offset;
-        entry_offset = (unsigned char *) mwt - base;
        switch (compat_mwt) {
        case EBT_COMPAT_MATCH:
                match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
@@ -1933,6 +1932,9 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
                size_kern = wt->targetsize;
                module_put(wt->me);
                break;
+        default:
+                return -EINVAL;
        }
        state->buf_kern_offset += match_size + off;
diff --git a/net/caif/Makefile b/net/caif/Makefile
index 9d38e406e4a4..ebcd4e7e6f47 100644
--- a/net/caif/Makefile
+++ b/net/caif/Makefile
@@ -5,7 +5,7 @@ caif-y := caif_dev.o \
        cffrml.o cfveil.o cfdbgl.o\
        cfserl.o cfdgml.o  \
        cfrfml.o cfvidl.o cfutill.o \
-        cfsrvl.o cfpkt_skbuff.o caif_config_util.o
+        cfsrvl.o cfpkt_skbuff.o
 obj-$(CONFIG_CAIF) += caif.o
 obj-$(CONFIG_CAIF_NETDEV) += chnl_net.o
diff --git a/net/caif/caif_config_util.c b/net/caif/caif_config_util.c
deleted file mode 100644
index d522d8c1703e..000000000000
--- a/net/caif/caif_config_util.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) ST-Ericsson AB 2010
- * Author:      Sjur Brendeland sjur.brandeland@stericsson.com
- * License terms: GNU General Public License (GPL) version 2
- */
-#include <linux/module.h>
-#include <linux/spinlock.h>
-#include <net/caif/cfctrl.h>
-#include <net/caif/cfcnfg.h>
-#include <net/caif/caif_dev.h>
-int connect_req_to_link_param(struct cfcnfg *cnfg,
-                                struct caif_connect_request *s,
-                                struct cfctrl_link_param *l)
-{
-        struct dev_info *dev_info;
-        enum cfcnfg_phy_preference pref;
-        int res;
-        memset(l, 0, sizeof(*l));
-        /* In caif protocol low value is high priority */
-        l->priority = CAIF_PRIO_MAX - s->priority + 1;
-        if (s->ifindex != 0){
-                res = cfcnfg_get_id_from_ifi(cnfg, s->ifindex);
-                if (res < 0)
-                        return res;
-                l->phyid = res;
-        }
-        else {
-                switch (s->link_selector) {
-                case CAIF_LINK_HIGH_BANDW:
-                        pref = CFPHYPREF_HIGH_BW;
-                        break;
-                case CAIF_LINK_LOW_LATENCY:
-                        pref = CFPHYPREF_LOW_LAT;
-                        break;
-                default:
-                        return -EINVAL;
-                }
-                dev_info = cfcnfg_get_phyid(cnfg, pref);
-                if (dev_info == NULL)
-                        return -ENODEV;
-                l->phyid = dev_info->id;
-        }
-        switch (s->protocol) {
-        case CAIFPROTO_AT:
-                l->linktype = CFCTRL_SRV_VEI;
-                if (s->sockaddr.u.at.type == CAIF_ATTYPE_PLAIN)
-                        l->chtype = 0x02;
-                else
-                        l->chtype = s->sockaddr.u.at.type;
-                l->endpoint = 0x00;
-                break;
-        case CAIFPROTO_DATAGRAM:
-                l->linktype = CFCTRL_SRV_DATAGRAM;
-                l->chtype = 0x00;
-                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
-                break;
-        case CAIFPROTO_DATAGRAM_LOOP:
-                l->linktype = CFCTRL_SRV_DATAGRAM;
-                l->chtype = 0x03;
-                l->endpoint = 0x00;
-                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
-                break;
-        case CAIFPROTO_RFM:
-                l->linktype = CFCTRL_SRV_RFM;
-                l->u.datagram.connid = s->sockaddr.u.rfm.connection_id;
-                strncpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
-                        sizeof(l->u.rfm.volume)-1);
-                l->u.rfm.volume[sizeof(l->u.rfm.volume)-1] = 0;
-                break;
-        case CAIFPROTO_UTIL:
-                l->linktype = CFCTRL_SRV_UTIL;
-                l->endpoint = 0x00;
-                l->chtype = 0x00;
-                strncpy(l->u.utility.name, s->sockaddr.u.util.service,
-                        sizeof(l->u.utility.name)-1);
-                l->u.utility.name[sizeof(l->u.utility.name)-1] = 0;
-                caif_assert(sizeof(l->u.utility.name) > 10);
-                l->u.utility.paramlen = s->param.size;
-                if (l->u.utility.paramlen > sizeof(l->u.utility.params))
-                        l->u.utility.paramlen = sizeof(l->u.utility.params);
-                memcpy(l->u.utility.params, s->param.data,
-                       l->u.utility.paramlen);
-                break;
-        case CAIFPROTO_DEBUG:
-                l->linktype = CFCTRL_SRV_DBG;
-                l->endpoint = s->sockaddr.u.dbg.service;
-                l->chtype = s->sockaddr.u.dbg.type;
-                break;
-        default:
-                return -EINVAL;
-        }
-        return 0;
-}
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index a42a408306e4..682c0fedf360 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -12,49 +12,51 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ":%s(): " fmt, __func__
 #include <linux/version.h>
-#include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/if_arp.h>
 #include <linux/net.h>
 #include <linux/netdevice.h>
-#include <linux/skbuff.h>
+#include <linux/mutex.h>
-#include <linux/sched.h>
-#include <linux/wait.h>
 #include <net/netns/generic.h>
 #include <net/net_namespace.h>
 #include <net/pkt_sched.h>
 #include <net/caif/caif_device.h>
-#include <net/caif/caif_dev.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cfcnfg.h>
 MODULE_LICENSE("GPL");
-#define TIMEOUT (HZ*5)
 /* Used for local tracking of the CAIF net devices */
 struct caif_device_entry {
        struct cflayer layer;
        struct list_head list;
-        atomic_t in_use;
-        atomic_t state;
-        u16 phyid;
        struct net_device *netdev;
-        wait_queue_head_t event;
+        int __percpu *pcpu_refcnt;
 };
 struct caif_device_entry_list {
        struct list_head list;
        /* Protects simulanous deletes in list */
-        spinlock_t lock;
+        struct mutex lock;
 };
 struct caif_net {
+        struct cfcnfg *cfg;
        struct caif_device_entry_list caifdevs;
 };
 static int caif_net_id;
-static struct cfcnfg *cfg;
+struct cfcnfg *get_cfcnfg(struct net *net)
+{
+        struct caif_net *caifn;
+        BUG_ON(!net);
+        caifn = net_generic(net, caif_net_id);
+        BUG_ON(!caifn);
+        return caifn->cfg;
+}
+EXPORT_SYMBOL(get_cfcnfg);
 static struct caif_device_entry_list *caif_device_list(struct net *net)
 {
@@ -65,19 +67,39 @@ static struct caif_device_entry_list *caif_device_list(struct net *net)
        return &caifn->caifdevs;
 }
+static void caifd_put(struct caif_device_entry *e)
+{
+        irqsafe_cpu_dec(*e->pcpu_refcnt);
+}
+static void caifd_hold(struct caif_device_entry *e)
+{
+        irqsafe_cpu_inc(*e->pcpu_refcnt);
+}
+static int caifd_refcnt_read(struct caif_device_entry *e)
+{
+        int i, refcnt = 0;
+        for_each_possible_cpu(i)
+                refcnt += *per_cpu_ptr(e->pcpu_refcnt, i);
+        return refcnt;
+}
 /* Allocate new CAIF device. */
 static struct caif_device_entry *caif_device_alloc(struct net_device *dev)
 {
        struct caif_device_entry_list *caifdevs;
        struct caif_device_entry *caifd;
        caifdevs = caif_device_list(dev_net(dev));
        BUG_ON(!caifdevs);
        caifd = kzalloc(sizeof(*caifd), GFP_ATOMIC);
        if (!caifd)
                return NULL;
+        caifd->pcpu_refcnt = alloc_percpu(int);
        caifd->netdev = dev;
-        list_add(&caifd->list, &caifdevs->list);
+        dev_hold(dev);
-        init_waitqueue_head(&caifd->event);
        return caifd;
 }
@@ -87,98 +109,65 @@ static struct caif_device_entry *caif_get(struct net_device *dev)
            caif_device_list(dev_net(dev));
        struct caif_device_entry *caifd;
        BUG_ON(!caifdevs);
-        list_for_each_entry(caifd, &caifdevs->list, list) {
+        list_for_each_entry_rcu(caifd, &caifdevs->list, list) {
                if (caifd->netdev == dev)
                        return caifd;
        }
        return NULL;
 }
-static void caif_device_destroy(struct net_device *dev)
-{
-        struct caif_device_entry_list *caifdevs =
-            caif_device_list(dev_net(dev));
-        struct caif_device_entry *caifd;
-        ASSERT_RTNL();
-        if (dev->type != ARPHRD_CAIF)
-                return;
-        spin_lock_bh(&caifdevs->lock);
-        caifd = caif_get(dev);
-        if (caifd == NULL) {
-                spin_unlock_bh(&caifdevs->lock);
-                return;
-        }
-        list_del(&caifd->list);
-        spin_unlock_bh(&caifdevs->lock);
-        kfree(caifd);
-}
 static int transmit(struct cflayer *layer, struct cfpkt *pkt)
 {
+        int err;
        struct caif_device_entry *caifd =
            container_of(layer, struct caif_device_entry, layer);
-        struct sk_buff *skb, *skb2;
+        struct sk_buff *skb;
-        int ret = -EINVAL;
        skb = cfpkt_tonative(pkt);
        skb->dev = caifd->netdev;
-        /*
-         * Don't allow SKB to be destroyed upon error, but signal resend
-         * notification to clients. We can't rely on the return value as
-         * congestion (NET_XMIT_CN) sometimes drops the packet, sometimes don't.
-         */
-        if (netif_queue_stopped(caifd->netdev))
-                return -EAGAIN;
-        skb2 = skb_get(skb);
-        ret = dev_queue_xmit(skb2);
-        if (!ret)
-                kfree_skb(skb);
-        else
-                return -EAGAIN;
-        return 0;
+        err = dev_queue_xmit(skb);
-}
+        if (err > 0)
+                err = -EIO;
-static int modemcmd(struct cflayer *layr, enum caif_modemcmd ctrl)
+        return err;
-{
-        struct caif_device_entry *caifd;
-        struct caif_dev_common *caifdev;
-        caifd = container_of(layr, struct caif_device_entry, layer);
-        caifdev = netdev_priv(caifd->netdev);
-        if (ctrl == _CAIF_MODEMCMD_PHYIF_USEFULL) {
-                atomic_set(&caifd->in_use, 1);
-                wake_up_interruptible(&caifd->event);
-        } else if (ctrl == _CAIF_MODEMCMD_PHYIF_USELESS) {
-                atomic_set(&caifd->in_use, 0);
-                wake_up_interruptible(&caifd->event);
-        }
-        return 0;
 }
 /*
- * Stuff received packets to associated sockets.
+ * Stuff received packets into the CAIF stack.
 * On error, returns non-zero and releases the skb.
 */
 static int receive(struct sk_buff *skb, struct net_device *dev,
                   struct packet_type *pkttype, struct net_device *orig_dev)
 {
-        struct net *net;
        struct cfpkt *pkt;
        struct caif_device_entry *caifd;
-        net = dev_net(dev);
+        int err;
        pkt = cfpkt_fromnative(CAIF_DIR_IN, skb);
+        rcu_read_lock();
        caifd = caif_get(dev);
-        if (!caifd || !caifd->layer.up || !caifd->layer.up->receive)
-                return NET_RX_DROP;
-        if (caifd->layer.up->receive(caifd->layer.up, pkt))
+        if (!caifd || !caifd->layer.up || !caifd->layer.up->receive ||
+                        !netif_oper_up(caifd->netdev)) {
+                rcu_read_unlock();
+                kfree_skb(skb);
                return NET_RX_DROP;
+        }
+        /* Hold reference to netdevice while using CAIF stack */
+        caifd_hold(caifd);
+        rcu_read_unlock();
+        err = caifd->layer.up->receive(caifd->layer.up, pkt);
+        /* For -EILSEQ the packet is not freed so so it now */
+        if (err == -EILSEQ)
+                cfpkt_destroy(pkt);
+        /* Release reference to stack upwards */
+        caifd_put(caifd);
        return 0;
 }
@@ -189,15 +178,25 @@ static struct packet_type caif_packet_type __read_mostly = {
 static void dev_flowctrl(struct net_device *dev, int on)
 {
-        struct caif_device_entry *caifd = caif_get(dev);
+        struct caif_device_entry *caifd;
-        if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd)
+        rcu_read_lock();
+        caifd = caif_get(dev);
+        if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd) {
+                rcu_read_unlock();
                return;
+        }
+        caifd_hold(caifd);
+        rcu_read_unlock();
        caifd->layer.up->ctrlcmd(caifd->layer.up,
                                 on ?
                                 _CAIF_CTRLCMD_PHYIF_FLOW_ON_IND :
                                 _CAIF_CTRLCMD_PHYIF_FLOW_OFF_IND,
                                 caifd->layer.id);
+        caifd_put(caifd);
 }
 /* notify Caif of device events */
@@ -208,37 +207,28 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what,
        struct caif_device_entry *caifd = NULL;
        struct caif_dev_common *caifdev;
        enum cfcnfg_phy_preference pref;
-        int res = -EINVAL;
        enum cfcnfg_phy_type phy_type;
+        struct cfcnfg *cfg;
+        struct caif_device_entry_list *caifdevs =
+            caif_device_list(dev_net(dev));
        if (dev->type != ARPHRD_CAIF)
                return 0;
+        cfg = get_cfcnfg(dev_net(dev));
+        if (cfg == NULL)
+                return 0;
        switch (what) {
        case NETDEV_REGISTER:
-                netdev_info(dev, "register\n");
                caifd = caif_device_alloc(dev);
-                if (caifd == NULL)
+                if (!caifd)
-                        break;
+                        return 0;
                caifdev = netdev_priv(dev);
                caifdev->flowctrl = dev_flowctrl;
-                atomic_set(&caifd->state, what);
-                res = 0;
-                break;
-        case NETDEV_UP:
-                netdev_info(dev, "up\n");
-                caifd = caif_get(dev);
-                if (caifd == NULL)
-                        break;
-                caifdev = netdev_priv(dev);
-                if (atomic_read(&caifd->state) == NETDEV_UP) {
-                        netdev_info(dev, "already up\n");
-                        break;
-                }
-                atomic_set(&caifd->state, what);
                caifd->layer.transmit = transmit;
-                caifd->layer.modemcmd = modemcmd;
                if (caifdev->use_frag)
                        phy_type = CFPHYTYPE_FRAG;
@@ -256,62 +246,94 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what,
                        pref = CFPHYPREF_HIGH_BW;
                        break;
                }
-                dev_hold(dev);
+                strncpy(caifd->layer.name, dev->name,
-                cfcnfg_add_phy_layer(get_caif_conf(),
+                        sizeof(caifd->layer.name) - 1);
+                caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
+                mutex_lock(&caifdevs->lock);
+                list_add_rcu(&caifd->list, &caifdevs->list);
+                cfcnfg_add_phy_layer(cfg,
                                     phy_type,
                                     dev,
                                     &caifd->layer,
-                                     &caifd->phyid,
                                     pref,
                                     caifdev->use_fcs,
                                     caifdev->use_stx);
-                strncpy(caifd->layer.name, dev->name,
+                mutex_unlock(&caifdevs->lock);
-                        sizeof(caifd->layer.name) - 1);
-                caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
                break;
-        case NETDEV_GOING_DOWN:
+        case NETDEV_UP:
+                rcu_read_lock();
                caifd = caif_get(dev);
-                if (caifd == NULL)
+                if (caifd == NULL) {
+                        rcu_read_unlock();
                        break;
-                netdev_info(dev, "going down\n");
+                }
-                if (atomic_read(&caifd->state) == NETDEV_GOING_DOWN ||
+                cfcnfg_set_phy_state(cfg, &caifd->layer, true);
-                        atomic_read(&caifd->state) == NETDEV_DOWN)
+                rcu_read_unlock();
-                        break;
-                atomic_set(&caifd->state, what);
-                if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd)
-                        return -EINVAL;
-                caifd->layer.up->ctrlcmd(caifd->layer.up,
-                                         _CAIF_CTRLCMD_PHYIF_DOWN_IND,
-                                         caifd->layer.id);
-                might_sleep();
-                res = wait_event_interruptible_timeout(caifd->event,
-                                        atomic_read(&caifd->in_use) == 0,
-                                        TIMEOUT);
                break;
        case NETDEV_DOWN:
+                rcu_read_lock();
                caifd = caif_get(dev);
-                if (caifd == NULL)
+                if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd) {
-                        break;
+                        rcu_read_unlock();
-                netdev_info(dev, "down\n");
+                        return -EINVAL;
-                if (atomic_read(&caifd->in_use))
+                }
-                        netdev_warn(dev,
-                                    "Unregistering an active CAIF device\n");
+                cfcnfg_set_phy_state(cfg, &caifd->layer, false);
-                cfcnfg_del_phy_layer(get_caif_conf(), &caifd->layer);
+                caifd_hold(caifd);
-                dev_put(dev);
+                rcu_read_unlock();
-                atomic_set(&caifd->state, what);
+                caifd->layer.up->ctrlcmd(caifd->layer.up,
+                                         _CAIF_CTRLCMD_PHYIF_DOWN_IND,
+                                         caifd->layer.id);
+                caifd_put(caifd);
                break;
        case NETDEV_UNREGISTER:
+                mutex_lock(&caifdevs->lock);
                caifd = caif_get(dev);
-                if (caifd == NULL)
+                if (caifd == NULL) {
+                        mutex_unlock(&caifdevs->lock);
+                        break;
+                }
+                list_del_rcu(&caifd->list);
+                /*
+                 * NETDEV_UNREGISTER is called repeatedly until all reference
+                 * counts for the net-device are released. If references to
+                 * caifd is taken, simply ignore NETDEV_UNREGISTER and wait for
+                 * the next call to NETDEV_UNREGISTER.
+                 *
+                 * If any packets are in flight down the CAIF Stack,
+                 * cfcnfg_del_phy_layer will return nonzero.
+                 * If no packets are in flight, the CAIF Stack associated
+                 * with the net-device un-registering is freed.
+                 */
+                if (caifd_refcnt_read(caifd) != 0 ||
+                        cfcnfg_del_phy_layer(cfg, &caifd->layer) != 0) {
+                        pr_info("Wait for device inuse\n");
+                        /* Enrole device if CAIF Stack is still in use */
+                        list_add_rcu(&caifd->list, &caifdevs->list);
+                        mutex_unlock(&caifdevs->lock);
                        break;
-                netdev_info(dev, "unregister\n");
+                }
-                atomic_set(&caifd->state, what);
-                caif_device_destroy(dev);
+                synchronize_rcu();
+                dev_put(caifd->netdev);
+                free_percpu(caifd->pcpu_refcnt);
+                kfree(caifd);
+                mutex_unlock(&caifdevs->lock);
                break;
        }
        return 0;
@@ -322,61 +344,60 @@ static struct notifier_block caif_device_notifier = {
        .priority = 0,
 };
-struct cfcnfg *get_caif_conf(void)
-{
-        return cfg;
-}
-EXPORT_SYMBOL(get_caif_conf);
-int caif_connect_client(struct caif_connect_request *conn_req,
-                        struct cflayer *client_layer, int *ifindex,
-                        int *headroom, int *tailroom)
-{
-        struct cfctrl_link_param param;
-        int ret;
-        ret = connect_req_to_link_param(get_caif_conf(), conn_req, &param);
-        if (ret)
-                return ret;
-        /* Hook up the adaptation layer. */
-        return cfcnfg_add_adaptation_layer(get_caif_conf(), &param,
-                                        client_layer, ifindex,
-                                        headroom, tailroom);
-}
-EXPORT_SYMBOL(caif_connect_client);
-int caif_disconnect_client(struct cflayer *adap_layer)
-{
-       return cfcnfg_disconn_adapt_layer(get_caif_conf(), adap_layer);
-}
-EXPORT_SYMBOL(caif_disconnect_client);
-void caif_release_client(struct cflayer *adap_layer)
-{
-       cfcnfg_release_adap_layer(adap_layer);
-}
-EXPORT_SYMBOL(caif_release_client);
 /* Per-namespace Caif devices handling */
 static int caif_init_net(struct net *net)
 {
        struct caif_net *caifn = net_generic(net, caif_net_id);
+        BUG_ON(!caifn);
        INIT_LIST_HEAD(&caifn->caifdevs.list);
-        spin_lock_init(&caifn->caifdevs.lock);
+        mutex_init(&caifn->caifdevs.lock);
+        caifn->cfg = cfcnfg_create();
+        if (!caifn->cfg) {
+                pr_warn("can't create cfcnfg\n");
+                return -ENOMEM;
+        }
        return 0;
 }
 static void caif_exit_net(struct net *net)
 {
-        struct net_device *dev;
+        struct caif_device_entry *caifd, *tmp;
-        int res;
+        struct caif_device_entry_list *caifdevs =
+            caif_device_list(net);
+        struct cfcnfg *cfg;
        rtnl_lock();
-        for_each_netdev(net, dev) {
+        mutex_lock(&caifdevs->lock);
-                if (dev->type != ARPHRD_CAIF)
-                        continue;
+        cfg = get_cfcnfg(net);
-                res = dev_close(dev);
+        if (cfg == NULL) {
-                caif_device_destroy(dev);
+                mutex_unlock(&caifdevs->lock);
+                return;
        }
+        list_for_each_entry_safe(caifd, tmp, &caifdevs->list, list) {
+                int i = 0;
+                list_del_rcu(&caifd->list);
+                cfcnfg_set_phy_state(cfg, &caifd->layer, false);
+                while (i < 10 &&
+                        (caifd_refcnt_read(caifd) != 0 ||
+                        cfcnfg_del_phy_layer(cfg, &caifd->layer) != 0)) {
+                        pr_info("Wait for device inuse\n");
+                        msleep(250);
+                        i++;
+                }
+                synchronize_rcu();
+                dev_put(caifd->netdev);
+                free_percpu(caifd->pcpu_refcnt);
+                kfree(caifd);
+        }
+        cfcnfg_remove(cfg);
+        mutex_unlock(&caifdevs->lock);
        rtnl_unlock();
 }
@@ -391,32 +412,23 @@ static struct pernet_operations caif_net_ops = {
 static int __init caif_device_init(void)
 {
        int result;
-        cfg = cfcnfg_create();
-        if (!cfg) {
-                pr_warn("can't create cfcnfg\n");
-                goto err_cfcnfg_create_failed;
-        }
        result = register_pernet_device(&caif_net_ops);
-        if (result) {
+        if (result)
-                kfree(cfg);
-                cfg = NULL;
                return result;
-        }
-        dev_add_pack(&caif_packet_type);
        register_netdevice_notifier(&caif_device_notifier);
+        dev_add_pack(&caif_packet_type);
        return result;
-err_cfcnfg_create_failed:
-        return -ENODEV;
 }
 static void __exit caif_device_exit(void)
 {
-        dev_remove_pack(&caif_packet_type);
        unregister_pernet_device(&caif_net_ops);
        unregister_netdevice_notifier(&caif_device_notifier);
-        cfcnfg_remove(cfg);
+        dev_remove_pack(&caif_packet_type);
 }
 module_init(caif_device_init);
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 37a4034dfc29..a98628086452 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -19,7 +19,7 @@
 #include <linux/uaccess.h>
 #include <linux/debugfs.h>
 #include <linux/caif/caif_socket.h>
-#include <asm/atomic.h>
+#include <linux/atomic.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <net/caif/caif_layer.h>
@@ -48,6 +48,7 @@ static struct dentry *debugfsdir;
 #ifdef CONFIG_DEBUG_FS
 struct debug_fs_counter {
        atomic_t caif_nr_socks;
+        atomic_t caif_sock_create;
        atomic_t num_connect_req;
        atomic_t num_connect_resp;
        atomic_t num_connect_fail_resp;
@@ -59,11 +60,11 @@ struct debug_fs_counter {
        atomic_t num_rx_flow_on;
 };
 static struct debug_fs_counter cnt;
-#define dbfs_atomic_inc(v) atomic_inc(v)
+#define dbfs_atomic_inc(v) atomic_inc_return(v)
-#define dbfs_atomic_dec(v) atomic_dec(v)
+#define dbfs_atomic_dec(v) atomic_dec_return(v)
 #else
-#define dbfs_atomic_inc(v)
+#define dbfs_atomic_inc(v) 0
-#define dbfs_atomic_dec(v)
+#define dbfs_atomic_dec(v) 0
 #endif
 struct caifsock {
@@ -155,9 +156,10 @@ static int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
        if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
                (unsigned)sk->sk_rcvbuf && rx_flow_is_on(cf_sk)) {
-                pr_debug("sending flow OFF (queue len = %d %d)\n",
+                if (net_ratelimit())
-                        atomic_read(&cf_sk->sk.sk_rmem_alloc),
+                        pr_debug("sending flow OFF (queue len = %d %d)\n",
-                        sk_rcvbuf_lowwater(cf_sk));
+                                        atomic_read(&cf_sk->sk.sk_rmem_alloc),
+                                        sk_rcvbuf_lowwater(cf_sk));
                set_rx_flow_off(cf_sk);
                dbfs_atomic_inc(&cnt.num_rx_flow_off);
                caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
@@ -168,7 +170,8 @@ static int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
                return err;
        if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
                set_rx_flow_off(cf_sk);
-                pr_debug("sending flow OFF due to rmem_schedule\n");
+                if (net_ratelimit())
+                        pr_debug("sending flow OFF due to rmem_schedule\n");
                dbfs_atomic_inc(&cnt.num_rx_flow_off);
                caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
        }
@@ -202,13 +205,25 @@ static int caif_sktrecv_cb(struct cflayer *layr, struct cfpkt *pkt)
        skb = cfpkt_tonative(pkt);
        if (unlikely(cf_sk->sk.sk_state != CAIF_CONNECTED)) {
-                cfpkt_destroy(pkt);
+                kfree_skb(skb);
                return 0;
        }
        caif_queue_rcv_skb(&cf_sk->sk, skb);
        return 0;
 }
+static void cfsk_hold(struct cflayer *layr)
+{
+        struct caifsock *cf_sk = container_of(layr, struct caifsock, layer);
+        sock_hold(&cf_sk->sk);
+}
+static void cfsk_put(struct cflayer *layr)
+{
+        struct caifsock *cf_sk = container_of(layr, struct caifsock, layer);
+        sock_put(&cf_sk->sk);
+}
 /* Packet Control Callback function called from CAIF */
 static void caif_ctrl_cb(struct cflayer *layr,
                                enum caif_ctrlcmd flow,
@@ -232,6 +247,8 @@ static void caif_ctrl_cb(struct cflayer *layr,
        case CAIF_CTRLCMD_INIT_RSP:
                /* We're now connected */
+                caif_client_register_refcnt(&cf_sk->layer,
+                                                cfsk_hold, cfsk_put);
                dbfs_atomic_inc(&cnt.num_connect_resp);
                cf_sk->sk.sk_state = CAIF_CONNECTED;
                set_tx_flow_on(cf_sk);
@@ -242,7 +259,6 @@ static void caif_ctrl_cb(struct cflayer *layr,
                /* We're now disconnected */
                cf_sk->sk.sk_state = CAIF_DISCONNECTED;
                cf_sk->sk.sk_state_change(&cf_sk->sk);
-                cfcnfg_release_adap_layer(&cf_sk->layer);
                break;
        case CAIF_CTRLCMD_INIT_FAIL_RSP:
@@ -519,43 +535,14 @@ static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
                        int noblock, long timeo)
 {
        struct cfpkt *pkt;
-        int ret, loopcnt = 0;
        pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
-        memset(cfpkt_info(pkt), 0, sizeof(struct caif_payload_info));
+        memset(skb->cb, 0, sizeof(struct caif_payload_info));
-        do {
-                ret = -ETIMEDOUT;
+        if (cf_sk->layer.dn == NULL)
+                return -EINVAL;
-                /* Slight paranoia, probably not needed. */
+        return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
-                if (unlikely(loopcnt++ > 1000)) {
-                        pr_warn("transmit retries failed, error = %d\n", ret);
-                        break;
-                }
-                if (cf_sk->layer.dn != NULL)
-                        ret = cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
-                if (likely(ret >= 0))
-                        break;
-                /* if transmit return -EAGAIN, then retry */
-                if (noblock && ret == -EAGAIN)
-                        break;
-                timeo = caif_wait_for_flow_on(cf_sk, 0, timeo, &ret);
-                if (signal_pending(current)) {
-                        ret = sock_intr_errno(timeo);
-                        break;
-                }
-                if (ret)
-                        break;
-                if (cf_sk->sk.sk_state != CAIF_CONNECTED ||
-                        sock_flag(&cf_sk->sk, SOCK_DEAD) ||
-                        (cf_sk->sk.sk_shutdown & RCV_SHUTDOWN)) {
-                        ret = -EPIPE;
-                        cf_sk->sk.sk_err = EPIPE;
-                        break;
-                }
-        } while (ret == -EAGAIN);
-        return ret;
 }
 /* Copied from af_unix:unix_dgram_sendmsg, and adapted to CAIF */
@@ -620,7 +607,9 @@ static int caif_seqpkt_sendmsg(struct kiocb *kiocb, struct socket *sock,
                goto err;
        ret = transmit_skb(skb, cf_sk, noblock, timeo);
        if (ret < 0)
-                goto err;
+                /* skb is already freed */
+                return ret;
        return len;
 err:
        kfree_skb(skb);
@@ -826,7 +815,8 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
                                sk->sk_state == CAIF_DISCONNECTED);
                if (sk->sk_shutdown & SHUTDOWN_MASK) {
                        /* Allow re-connect after SHUTDOWN_IND */
-                        caif_disconnect_client(&cf_sk->layer);
+                        caif_disconnect_client(sock_net(sk), &cf_sk->layer);
+                        caif_free_client(&cf_sk->layer);
                        break;
                }
                /* No reconnect on a seqpacket socket */
@@ -852,7 +842,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
        sock->state = SS_CONNECTING;
        sk->sk_state = CAIF_CONNECTING;
-        /* Check priority value coming from socket */
+        /* Check priority value comming from socket */
        /* if priority value is out of range it will be ajusted */
        if (cf_sk->sk.sk_priority > CAIF_PRIO_MAX)
                cf_sk->conn_req.priority = CAIF_PRIO_MAX;
@@ -866,8 +856,10 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
        dbfs_atomic_inc(&cnt.num_connect_req);
        cf_sk->layer.receive = caif_sktrecv_cb;
-        err = caif_connect_client(&cf_sk->conn_req,
+        err = caif_connect_client(sock_net(sk), &cf_sk->conn_req,
                                &cf_sk->layer, &ifindex, &headroom, &tailroom);
        if (err < 0) {
                cf_sk->sk.sk_socket->state = SS_UNCONNECTED;
                cf_sk->sk.sk_state = CAIF_DISCONNECTED;
@@ -935,7 +927,6 @@ static int caif_release(struct socket *sock)
 {
        struct sock *sk = sock->sk;
        struct caifsock *cf_sk = container_of(sk, struct caifsock, sk);
-        int res = 0;
        if (!sk)
                return 0;
@@ -947,13 +938,14 @@ static int caif_release(struct socket *sock)
         * caif_queue_rcv_skb checks SOCK_DEAD holding the queue lock,
         * this ensures no packets when sock is dead.
         */
-        spin_lock(&sk->sk_receive_queue.lock);
+        spin_lock_bh(&sk->sk_receive_queue.lock);
        sock_set_flag(sk, SOCK_DEAD);
-        spin_unlock(&sk->sk_receive_queue.lock);
+        spin_unlock_bh(&sk->sk_receive_queue.lock);
        sock->sk = NULL;
        dbfs_atomic_inc(&cnt.num_disconnect);
+        WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir));
        if (cf_sk->debugfs_socket_dir != NULL)
                debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
@@ -961,19 +953,15 @@ static int caif_release(struct socket *sock)
        sk->sk_state = CAIF_DISCONNECTED;
        sk->sk_shutdown = SHUTDOWN_MASK;
-        if (cf_sk->sk.sk_socket->state == SS_CONNECTED ||
+        caif_disconnect_client(sock_net(sk), &cf_sk->layer);
-                cf_sk->sk.sk_socket->state == SS_CONNECTING)
-                res = caif_disconnect_client(&cf_sk->layer);
        cf_sk->sk.sk_socket->state = SS_DISCONNECTING;
        wake_up_interruptible_poll(sk_sleep(sk), POLLERR|POLLHUP);
        sock_orphan(sk);
-        cf_sk->layer.dn = NULL;
        sk_stream_kill_queues(&cf_sk->sk);
        release_sock(sk);
        sock_put(sk);
-        return res;
+        return 0;
 }
 /* Copied from af_unix.c:unix_poll(), added CAIF tx_flow handling */
@@ -1060,16 +1048,18 @@ static void caif_sock_destructor(struct sock *sk)
        caif_assert(sk_unhashed(sk));
        caif_assert(!sk->sk_socket);
        if (!sock_flag(sk, SOCK_DEAD)) {
-                pr_info("Attempt to release alive CAIF socket: %p\n", sk);
+                pr_debug("Attempt to release alive CAIF socket: %p\n", sk);
                return;
        }
        sk_stream_kill_queues(&cf_sk->sk);
        dbfs_atomic_dec(&cnt.caif_nr_socks);
+        caif_free_client(&cf_sk->layer);
 }
 static int caif_create(struct net *net, struct socket *sock, int protocol,
                        int kern)
 {
+        int num;
        struct sock *sk = NULL;
        struct caifsock *cf_sk = NULL;
        static struct proto prot = {.name = "PF_CAIF",
@@ -1127,19 +1117,21 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
        set_rx_flow_on(cf_sk);
        /* Set default options on configuration */
-        cf_sk->sk.sk_priority= CAIF_PRIO_NORMAL;
+        cf_sk->sk.sk_priority = CAIF_PRIO_NORMAL;
        cf_sk->conn_req.link_selector = CAIF_LINK_LOW_LATENCY;
        cf_sk->conn_req.protocol = protocol;
        /* Increase the number of sockets created. */
        dbfs_atomic_inc(&cnt.caif_nr_socks);
+        num = dbfs_atomic_inc(&cnt.caif_sock_create);
 #ifdef CONFIG_DEBUG_FS
        if (!IS_ERR(debugfsdir)) {
                /* Fill in some information concerning the misc socket. */
-                snprintf(cf_sk->name, sizeof(cf_sk->name), "cfsk%d",
+                snprintf(cf_sk->name, sizeof(cf_sk->name), "cfsk%d", num);
-                                atomic_read(&cnt.caif_nr_socks));
                cf_sk->debugfs_socket_dir =
                        debugfs_create_dir(cf_sk->name, debugfsdir);
                debugfs_create_u32("sk_state", S_IRUSR | S_IWUSR,
                                cf_sk->debugfs_socket_dir,
                                (u32 *) &cf_sk->sk.sk_state);
@@ -1183,6 +1175,9 @@ static int __init caif_sktinit_module(void)
                debugfs_create_u32("num_sockets", S_IRUSR | S_IWUSR,
                                debugfsdir,
                                (u32 *) &cnt.caif_nr_socks);
+                debugfs_create_u32("num_create", S_IRUSR | S_IWUSR,
+                                debugfsdir,
+                                (u32 *) &cnt.caif_sock_create);
                debugfs_create_u32("num_connect_req", S_IRUSR | S_IWUSR,
                                debugfsdir,
                                (u32 *) &cnt.num_connect_req);
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index f1f98d967d8a..52fe33bee029 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -10,6 +10,7 @@
 #include <linux/stddef.h>
 #include <linux/slab.h>
 #include <linux/netdevice.h>
+#include <linux/module.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cfcnfg.h>
@@ -18,11 +19,7 @@
 #include <net/caif/cffrml.h>
 #include <net/caif/cfserl.h>
 #include <net/caif/cfsrvl.h>
+#include <net/caif/caif_dev.h>
-#include <linux/module.h>
-#include <asm/atomic.h>
-#define MAX_PHY_LAYERS 7
 #define container_obj(layr) container_of(layr, struct cfcnfg, layer)
@@ -30,6 +27,9 @@
 * to manage physical interfaces
 */
 struct cfcnfg_phyinfo {
+        struct list_head node;
+        bool up;
        /* Pointer to the layer below the MUX (framing layer) */
        struct cflayer *frm_layer;
        /* Pointer to the lowest actual physical layer */
@@ -39,9 +39,6 @@ struct cfcnfg_phyinfo {
        /* Preference of the physical in interface */
        enum cfcnfg_phy_preference pref;
-        /* Reference count, number of channels using the device */
-        int phy_ref_count;
        /* Information about the physical device */
        struct dev_info dev_info;
@@ -59,8 +56,8 @@ struct cfcnfg {
        struct cflayer layer;
        struct cflayer *ctrl;
        struct cflayer *mux;
-        u8 last_phyid;
+        struct list_head phys;
-        struct cfcnfg_phyinfo phy_layers[MAX_PHY_LAYERS];
+        struct mutex lock;
 };
 static void cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id,
@@ -76,6 +73,9 @@ struct cfcnfg *cfcnfg_create(void)
 {
        struct cfcnfg *this;
        struct cfctrl_rsp *resp;
+        might_sleep();
        /* Initiate this layer */
        this = kzalloc(sizeof(struct cfcnfg), GFP_ATOMIC);
        if (!this) {
@@ -99,27 +99,33 @@ struct cfcnfg *cfcnfg_create(void)
        resp->radioset_rsp = cfctrl_resp_func;
        resp->linksetup_rsp = cfcnfg_linkup_rsp;
        resp->reject_rsp = cfcnfg_reject_rsp;
+        INIT_LIST_HEAD(&this->phys);
-        this->last_phyid = 1;
        cfmuxl_set_uplayer(this->mux, this->ctrl, 0);
        layer_set_dn(this->ctrl, this->mux);
        layer_set_up(this->ctrl, this);
+        mutex_init(&this->lock);
        return this;
 out_of_mem:
        pr_warn("Out of memory\n");
+        synchronize_rcu();
        kfree(this->mux);
        kfree(this->ctrl);
        kfree(this);
        return NULL;
 }
-EXPORT_SYMBOL(cfcnfg_create);
 void cfcnfg_remove(struct cfcnfg *cfg)
 {
+        might_sleep();
        if (cfg) {
+                synchronize_rcu();
                kfree(cfg->mux);
-                kfree(cfg->ctrl);
+                cfctrl_remove(cfg->ctrl);
                kfree(cfg);
        }
 }
@@ -128,132 +134,83 @@ static void cfctrl_resp_func(void)
 {
 }
+static struct cfcnfg_phyinfo *cfcnfg_get_phyinfo_rcu(struct cfcnfg *cnfg,
+                                                        u8 phyid)
+{
+        struct cfcnfg_phyinfo *phy;
+        list_for_each_entry_rcu(phy, &cnfg->phys, node)
+                if (phy->id == phyid)
+                        return phy;
+        return NULL;
+}
 static void cfctrl_enum_resp(void)
 {
 }
-struct dev_info *cfcnfg_get_phyid(struct cfcnfg *cnfg,
+static struct dev_info *cfcnfg_get_phyid(struct cfcnfg *cnfg,
                                  enum cfcnfg_phy_preference phy_pref)
 {
-        u16 i;
        /* Try to match with specified preference */
-        for (i = 1; i < MAX_PHY_LAYERS; i++) {
+        struct cfcnfg_phyinfo *phy;
-                if (cnfg->phy_layers[i].id == i &&
-                     cnfg->phy_layers[i].pref == phy_pref &&
+        list_for_each_entry_rcu(phy, &cnfg->phys, node) {
-                     cnfg->phy_layers[i].frm_layer != NULL) {
+                if (phy->up && phy->pref == phy_pref &&
-                        caif_assert(cnfg->phy_layers != NULL);
+                                phy->frm_layer != NULL)
-                        caif_assert(cnfg->phy_layers[i].id == i);
-                        return &cnfg->phy_layers[i].dev_info;
+                        return &phy->dev_info;
-                }
        }
        /* Otherwise just return something */
-        for (i = 1; i < MAX_PHY_LAYERS; i++) {
+        list_for_each_entry_rcu(phy, &cnfg->phys, node)
-                if (cnfg->phy_layers[i].id == i) {
+                if (phy->up)
-                        caif_assert(cnfg->phy_layers != NULL);
+                        return &phy->dev_info;
-                        caif_assert(cnfg->phy_layers[i].id == i);
-                        return &cnfg->phy_layers[i].dev_info;
-                }
-        }
        return NULL;
 }
-static struct cfcnfg_phyinfo *cfcnfg_get_phyinfo(struct cfcnfg *cnfg,
+static int cfcnfg_get_id_from_ifi(struct cfcnfg *cnfg, int ifi)
-                                                        u8 phyid)
 {
-        int i;
+        struct cfcnfg_phyinfo *phy;
-        /* Try to match with specified preference */
-        for (i = 0; i < MAX_PHY_LAYERS; i++)
-                if (cnfg->phy_layers[i].frm_layer != NULL &&
-                    cnfg->phy_layers[i].id == phyid)
-                        return &cnfg->phy_layers[i];
-        return NULL;
-}
+        list_for_each_entry_rcu(phy, &cnfg->phys, node)
-int cfcnfg_get_id_from_ifi(struct cfcnfg *cnfg, int ifi)
+                if (phy->ifindex == ifi && phy->up)
-{
+                        return phy->id;
-        int i;
-        for (i = 0; i < MAX_PHY_LAYERS; i++)
-                if (cnfg->phy_layers[i].frm_layer != NULL &&
-                                cnfg->phy_layers[i].ifindex == ifi)
-                        return i;
        return -ENODEV;
 }
-int cfcnfg_disconn_adapt_layer(struct cfcnfg *cnfg, struct cflayer *adap_layer)
+int caif_disconnect_client(struct net *net, struct cflayer *adap_layer)
 {
-        u8 channel_id = 0;
+        u8 channel_id;
-        int ret = 0;
+        struct cfcnfg *cfg = get_cfcnfg(net);
-        struct cflayer *servl = NULL;
-        struct cfcnfg_phyinfo *phyinfo = NULL;
-        u8 phyid = 0;
        caif_assert(adap_layer != NULL);
+        cfctrl_cancel_req(cfg->ctrl, adap_layer);
        channel_id = adap_layer->id;
-        if (adap_layer->dn == NULL || channel_id == 0) {
+        if (channel_id != 0) {
-                pr_err("adap_layer->dn == NULL or adap_layer->id is 0\n");
+                struct cflayer *servl;
-                ret = -ENOTCONN;
+                servl = cfmuxl_remove_uplayer(cfg->mux, channel_id);
-                goto end;
+                if (servl != NULL)
-        }
+                        layer_set_up(servl, NULL);
-        servl = cfmuxl_remove_uplayer(cnfg->mux, channel_id);
+        } else
-        if (servl == NULL) {
+                pr_debug("nothing to disconnect\n");
-                pr_err("PROTOCOL ERROR - Error removing service_layer Channel_Id(%d)",
+        cfctrl_linkdown_req(cfg->ctrl, channel_id, adap_layer);
-                       channel_id);
-                ret = -EINVAL;
+        /* Do RCU sync before initiating cleanup */
-                goto end;
+        synchronize_rcu();
-        }
-        layer_set_up(servl, NULL);
-        ret = cfctrl_linkdown_req(cnfg->ctrl, channel_id, adap_layer);
-        if (ret)
-                goto end;
-        caif_assert(channel_id == servl->id);
-        if (adap_layer->dn != NULL) {
-                phyid = cfsrvl_getphyid(adap_layer->dn);
-                phyinfo = cfcnfg_get_phyinfo(cnfg, phyid);
-                if (phyinfo == NULL) {
-                        pr_warn("No interface to send disconnect to\n");
-                        ret = -ENODEV;
-                        goto end;
-                }
-                if (phyinfo->id != phyid ||
-                        phyinfo->phy_layer->id != phyid ||
-                        phyinfo->frm_layer->id != phyid) {
-                        pr_err("Inconsistency in phy registration\n");
-                        ret = -EINVAL;
-                        goto end;
-                }
-        }
-        if (phyinfo != NULL && --phyinfo->phy_ref_count == 0 &&
-                phyinfo->phy_layer != NULL &&
-                phyinfo->phy_layer->modemcmd != NULL) {
-                phyinfo->phy_layer->modemcmd(phyinfo->phy_layer,
-                                             _CAIF_MODEMCMD_PHYIF_USELESS);
-        }
-end:
-        cfsrvl_put(servl);
-        cfctrl_cancel_req(cnfg->ctrl, adap_layer);
        if (adap_layer->ctrlcmd != NULL)
                adap_layer->ctrlcmd(adap_layer, CAIF_CTRLCMD_DEINIT_RSP, 0);
-        return ret;
+        return 0;
-}
-EXPORT_SYMBOL(cfcnfg_disconn_adapt_layer);
-void cfcnfg_release_adap_layer(struct cflayer *adap_layer)
-{
-        if (adap_layer->dn)
-                cfsrvl_put(adap_layer->dn);
 }
-EXPORT_SYMBOL(cfcnfg_release_adap_layer);
+EXPORT_SYMBOL(caif_disconnect_client);
 static void cfcnfg_linkdestroy_rsp(struct cflayer *layer, u8 channel_id)
 {
 }
-int protohead[CFCTRL_SRV_MASK] = {
+static const int protohead[CFCTRL_SRV_MASK] = {
        [CFCTRL_SRV_VEI] = 4,
        [CFCTRL_SRV_DATAGRAM] = 7,
        [CFCTRL_SRV_UTIL] = 4,
@@ -261,49 +218,157 @@ int protohead[CFCTRL_SRV_MASK] = {
        [CFCTRL_SRV_DBG] = 3,
 };
-int cfcnfg_add_adaptation_layer(struct cfcnfg *cnfg,
-                                struct cfctrl_link_param *param,
+static int caif_connect_req_to_link_param(struct cfcnfg *cnfg,
-                                struct cflayer *adap_layer,
+                                   struct caif_connect_request *s,
-                                int *ifindex,
+                                   struct cfctrl_link_param *l)
+{
+        struct dev_info *dev_info;
+        enum cfcnfg_phy_preference pref;
+        int res;
+        memset(l, 0, sizeof(*l));
+        /* In caif protocol low value is high priority */
+        l->priority = CAIF_PRIO_MAX - s->priority + 1;
+        if (s->ifindex != 0) {
+                res = cfcnfg_get_id_from_ifi(cnfg, s->ifindex);
+                if (res < 0)
+                        return res;
+                l->phyid = res;
+        } else {
+                switch (s->link_selector) {
+                case CAIF_LINK_HIGH_BANDW:
+                        pref = CFPHYPREF_HIGH_BW;
+                        break;
+                case CAIF_LINK_LOW_LATENCY:
+                        pref = CFPHYPREF_LOW_LAT;
+                        break;
+                default:
+                        return -EINVAL;
+                }
+                dev_info = cfcnfg_get_phyid(cnfg, pref);
+                if (dev_info == NULL)
+                        return -ENODEV;
+                l->phyid = dev_info->id;
+        }
+        switch (s->protocol) {
+        case CAIFPROTO_AT:
+                l->linktype = CFCTRL_SRV_VEI;
+                l->endpoint = (s->sockaddr.u.at.type >> 2) & 0x3;
+                l->chtype = s->sockaddr.u.at.type & 0x3;
+                break;
+        case CAIFPROTO_DATAGRAM:
+                l->linktype = CFCTRL_SRV_DATAGRAM;
+                l->chtype = 0x00;
+                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
+                break;
+        case CAIFPROTO_DATAGRAM_LOOP:
+                l->linktype = CFCTRL_SRV_DATAGRAM;
+                l->chtype = 0x03;
+                l->endpoint = 0x00;
+                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
+                break;
+        case CAIFPROTO_RFM:
+                l->linktype = CFCTRL_SRV_RFM;
+                l->u.datagram.connid = s->sockaddr.u.rfm.connection_id;
+                strncpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
+                        sizeof(l->u.rfm.volume)-1);
+                l->u.rfm.volume[sizeof(l->u.rfm.volume)-1] = 0;
+                break;
+        case CAIFPROTO_UTIL:
+                l->linktype = CFCTRL_SRV_UTIL;
+                l->endpoint = 0x00;
+                l->chtype = 0x00;
+                strncpy(l->u.utility.name, s->sockaddr.u.util.service,
+                        sizeof(l->u.utility.name)-1);
+                l->u.utility.name[sizeof(l->u.utility.name)-1] = 0;
+                caif_assert(sizeof(l->u.utility.name) > 10);
+                l->u.utility.paramlen = s->param.size;
+                if (l->u.utility.paramlen > sizeof(l->u.utility.params))
+                        l->u.utility.paramlen = sizeof(l->u.utility.params);
+                memcpy(l->u.utility.params, s->param.data,
+                       l->u.utility.paramlen);
+                break;
+        case CAIFPROTO_DEBUG:
+                l->linktype = CFCTRL_SRV_DBG;
+                l->endpoint = s->sockaddr.u.dbg.service;
+                l->chtype = s->sockaddr.u.dbg.type;
+                break;
+        default:
+                return -EINVAL;
+        }
+        return 0;
+}
+int caif_connect_client(struct net *net, struct caif_connect_request *conn_req,
+                        struct cflayer *adap_layer, int *ifindex,
                                int *proto_head,
                                int *proto_tail)
 {
        struct cflayer *frml;
+        struct cfcnfg_phyinfo *phy;
+        int err;
+        struct cfctrl_link_param param;
+        struct cfcnfg *cfg = get_cfcnfg(net);
+        caif_assert(cfg != NULL);
+        rcu_read_lock();
+        err = caif_connect_req_to_link_param(cfg, conn_req, &param);
+        if (err)
+                goto unlock;
+        phy = cfcnfg_get_phyinfo_rcu(cfg, param.phyid);
+        if (!phy) {
+                err = -ENODEV;
+                goto unlock;
+        }
+        err = -EINVAL;
        if (adap_layer == NULL) {
                pr_err("adap_layer is zero\n");
-                return -EINVAL;
+                goto unlock;
        }
        if (adap_layer->receive == NULL) {
                pr_err("adap_layer->receive is NULL\n");
-                return -EINVAL;
+                goto unlock;
        }
        if (adap_layer->ctrlcmd == NULL) {
                pr_err("adap_layer->ctrlcmd == NULL\n");
-                return -EINVAL;
+                goto unlock;
        }
-        frml = cnfg->phy_layers[param->phyid].frm_layer;
+        err = -ENODEV;
+        frml = phy->frm_layer;
        if (frml == NULL) {
                pr_err("Specified PHY type does not exist!\n");
-                return -ENODEV;
+                goto unlock;
        }
-        caif_assert(param->phyid == cnfg->phy_layers[param->phyid].id);
+        caif_assert(param.phyid == phy->id);
-        caif_assert(cnfg->phy_layers[param->phyid].frm_layer->id ==
+        caif_assert(phy->frm_layer->id ==
-                     param->phyid);
+                     param.phyid);
-        caif_assert(cnfg->phy_layers[param->phyid].phy_layer->id ==
+        caif_assert(phy->phy_layer->id ==
-                     param->phyid);
+                     param.phyid);
-        *ifindex = cnfg->phy_layers[param->phyid].ifindex;
+        *ifindex = phy->ifindex;
+        *proto_tail = 2;
        *proto_head =
-                protohead[param->linktype]+
-                (cnfg->phy_layers[param->phyid].use_stx ? 1 : 0);
-        *proto_tail = 2;
+        protohead[param.linktype] + (phy->use_stx ? 1 : 0);
+        rcu_read_unlock();
        /* FIXME: ENUMERATE INITIALLY WHEN ACTIVATING PHYSICAL INTERFACE */
-        cfctrl_enum_req(cnfg->ctrl, param->phyid);
+        cfctrl_enum_req(cfg->ctrl, param.phyid);
-        return cfctrl_linkup_request(cnfg->ctrl, param, adap_layer);
+        return cfctrl_linkup_request(cfg->ctrl, &param, adap_layer);
+unlock:
+        rcu_read_unlock();
+        return err;
 }
-EXPORT_SYMBOL(cfcnfg_add_adaptation_layer);
+EXPORT_SYMBOL(caif_connect_client);
 static void cfcnfg_reject_rsp(struct cflayer *layer, u8 channel_id,
                             struct cflayer *adapt_layer)
@@ -315,32 +380,45 @@ static void cfcnfg_reject_rsp(struct cflayer *layer, u8 channel_id,
 static void
 cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id, enum cfctrl_srv serv,
-                 u8 phyid, struct cflayer *adapt_layer)
+                  u8 phyid, struct cflayer *adapt_layer)
 {
        struct cfcnfg *cnfg = container_obj(layer);
        struct cflayer *servicel = NULL;
        struct cfcnfg_phyinfo *phyinfo;
        struct net_device *netdev;
+        if (channel_id == 0) {
+                pr_warn("received channel_id zero\n");
+                if (adapt_layer != NULL && adapt_layer->ctrlcmd != NULL)
+                        adapt_layer->ctrlcmd(adapt_layer,
+                                                CAIF_CTRLCMD_INIT_FAIL_RSP, 0);
+                return;
+        }
+        rcu_read_lock();
        if (adapt_layer == NULL) {
-                pr_debug("link setup response but no client exist, send linkdown back\n");
+                pr_debug("link setup response but no client exist,"
+                                "send linkdown back\n");
                cfctrl_linkdown_req(cnfg->ctrl, channel_id, NULL);
-                return;
+                goto unlock;
        }
        caif_assert(cnfg != NULL);
        caif_assert(phyid != 0);
-        phyinfo = &cnfg->phy_layers[phyid];
+        phyinfo = cfcnfg_get_phyinfo_rcu(cnfg, phyid);
+        if (phyinfo == NULL) {
+                pr_err("ERROR: Link Layer Device dissapeared"
+                                "while connecting\n");
+                goto unlock;
+        }
+        caif_assert(phyinfo != NULL);
        caif_assert(phyinfo->id == phyid);
        caif_assert(phyinfo->phy_layer != NULL);
        caif_assert(phyinfo->phy_layer->id == phyid);
-        phyinfo->phy_ref_count++;
-        if (phyinfo->phy_ref_count == 1 &&
-            phyinfo->phy_layer->modemcmd != NULL) {
-                phyinfo->phy_layer->modemcmd(phyinfo->phy_layer,
-                                             _CAIF_MODEMCMD_PHYIF_USEFULL);
-        }
        adapt_layer->id = channel_id;
        switch (serv) {
@@ -348,7 +426,8 @@ cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id, enum cfctrl_srv serv,
                servicel = cfvei_create(channel_id, &phyinfo->dev_info);
                break;
        case CFCTRL_SRV_DATAGRAM:
-                servicel = cfdgml_create(channel_id, &phyinfo->dev_info);
+                servicel = cfdgml_create(channel_id,
+                                        &phyinfo->dev_info);
                break;
        case CFCTRL_SRV_RFM:
                netdev = phyinfo->dev_info.dev;
@@ -365,94 +444,92 @@ cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id, enum cfctrl_srv serv,
                servicel = cfdbgl_create(channel_id, &phyinfo->dev_info);
                break;
        default:
-                pr_err("Protocol error. Link setup response - unknown channel type\n");
+                pr_err("Protocol error. Link setup response "
-                return;
+                                "- unknown channel type\n");
+                goto unlock;
        }
        if (!servicel) {
                pr_warn("Out of memory\n");
-                return;
+                goto unlock;
        }
        layer_set_dn(servicel, cnfg->mux);
        cfmuxl_set_uplayer(cnfg->mux, servicel, channel_id);
        layer_set_up(servicel, adapt_layer);
        layer_set_dn(adapt_layer, servicel);
-        cfsrvl_get(servicel);
+        rcu_read_unlock();
        servicel->ctrlcmd(servicel, CAIF_CTRLCMD_INIT_RSP, 0);
+        return;
+unlock:
+        rcu_read_unlock();
 }
 void
 cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
                     struct net_device *dev, struct cflayer *phy_layer,
-                     u16 *phyid, enum cfcnfg_phy_preference pref,
+                     enum cfcnfg_phy_preference pref,
                     bool fcs, bool stx)
 {
        struct cflayer *frml;
        struct cflayer *phy_driver = NULL;
+        struct cfcnfg_phyinfo *phyinfo;
        int i;
+        u8 phyid;
+        mutex_lock(&cnfg->lock);
-        if (cnfg->phy_layers[cnfg->last_phyid].frm_layer == NULL) {
+        /* CAIF protocol allow maximum 6 link-layers */
-                *phyid = cnfg->last_phyid;
+        for (i = 0; i < 7; i++) {
+                phyid = (dev->ifindex + i) & 0x7;
-                /* range: * 1..(MAX_PHY_LAYERS-1) */
+                if (phyid == 0)
-                cnfg->last_phyid =
+                        continue;
-                    (cnfg->last_phyid % (MAX_PHY_LAYERS - 1)) + 1;
+                if (cfcnfg_get_phyinfo_rcu(cnfg, phyid) == NULL)
-        } else {
+                        goto got_phyid;
-                *phyid = 0;
-                for (i = 1; i < MAX_PHY_LAYERS; i++) {
-                        if (cnfg->phy_layers[i].frm_layer == NULL) {
-                                *phyid = i;
-                                break;
-                        }
-                }
-        }
-        if (*phyid == 0) {
-                pr_err("No Available PHY ID\n");
-                return;
        }
+        pr_warn("Too many CAIF Link Layers (max 6)\n");
+        goto out;
+got_phyid:
+        phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
        switch (phy_type) {
        case CFPHYTYPE_FRAG:
                phy_driver =
-                    cfserl_create(CFPHYTYPE_FRAG, *phyid, stx);
+                    cfserl_create(CFPHYTYPE_FRAG, phyid, stx);
                if (!phy_driver) {
                        pr_warn("Out of memory\n");
-                        return;
+                        goto out;
                }
                break;
        case CFPHYTYPE_CAIF:
                phy_driver = NULL;
                break;
        default:
-                pr_err("%d\n", phy_type);
+                goto out;
-                return;
-                break;
        }
+        phy_layer->id = phyid;
+        phyinfo->pref = pref;
+        phyinfo->id = phyid;
+        phyinfo->dev_info.id = phyid;
+        phyinfo->dev_info.dev = dev;
+        phyinfo->phy_layer = phy_layer;
+        phyinfo->ifindex = dev->ifindex;
+        phyinfo->use_stx = stx;
+        phyinfo->use_fcs = fcs;
+        frml = cffrml_create(phyid, fcs);
-        phy_layer->id = *phyid;
-        cnfg->phy_layers[*phyid].pref = pref;
-        cnfg->phy_layers[*phyid].id = *phyid;
-        cnfg->phy_layers[*phyid].dev_info.id = *phyid;
-        cnfg->phy_layers[*phyid].dev_info.dev = dev;
-        cnfg->phy_layers[*phyid].phy_layer = phy_layer;
-        cnfg->phy_layers[*phyid].phy_ref_count = 0;
-        cnfg->phy_layers[*phyid].ifindex = dev->ifindex;
-        cnfg->phy_layers[*phyid].use_stx = stx;
-        cnfg->phy_layers[*phyid].use_fcs = fcs;
-        phy_layer->type = phy_type;
-        frml = cffrml_create(*phyid, fcs);
        if (!frml) {
                pr_warn("Out of memory\n");
-                return;
+                kfree(phyinfo);
+                goto out;
        }
-        cnfg->phy_layers[*phyid].frm_layer = frml;
+        phyinfo->frm_layer = frml;
-        cfmuxl_set_dnlayer(cnfg->mux, frml, *phyid);
        layer_set_up(frml, cnfg->mux);
        if (phy_driver != NULL) {
-                phy_driver->id = *phyid;
+                phy_driver->id = phyid;
                layer_set_dn(frml, phy_driver);
                layer_set_up(phy_driver, frml);
                layer_set_dn(phy_driver, phy_layer);
@@ -461,33 +538,95 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
                layer_set_dn(frml, phy_layer);
                layer_set_up(phy_layer, frml);
        }
+        list_add_rcu(&phyinfo->node, &cnfg->phys);
+out:
+        mutex_unlock(&cnfg->lock);
 }
 EXPORT_SYMBOL(cfcnfg_add_phy_layer);
+int cfcnfg_set_phy_state(struct cfcnfg *cnfg, struct cflayer *phy_layer,
+                bool up)
+{
+        struct cfcnfg_phyinfo *phyinfo;
+        rcu_read_lock();
+        phyinfo = cfcnfg_get_phyinfo_rcu(cnfg, phy_layer->id);
+        if (phyinfo == NULL) {
+                rcu_read_unlock();
+                return -ENODEV;
+        }
+        if (phyinfo->up == up) {
+                rcu_read_unlock();
+                return 0;
+        }
+        phyinfo->up = up;
+        if (up) {
+                cffrml_hold(phyinfo->frm_layer);
+                cfmuxl_set_dnlayer(cnfg->mux, phyinfo->frm_layer,
+                                        phy_layer->id);
+        } else {
+                cfmuxl_remove_dnlayer(cnfg->mux, phy_layer->id);
+                cffrml_put(phyinfo->frm_layer);
+        }
+        rcu_read_unlock();
+        return 0;
+}
+EXPORT_SYMBOL(cfcnfg_set_phy_state);
 int cfcnfg_del_phy_layer(struct cfcnfg *cnfg, struct cflayer *phy_layer)
 {
        struct cflayer *frml, *frml_dn;
        u16 phyid;
+        struct cfcnfg_phyinfo *phyinfo;
+        might_sleep();
+        mutex_lock(&cnfg->lock);
        phyid = phy_layer->id;
-        caif_assert(phyid == cnfg->phy_layers[phyid].id);
+        phyinfo = cfcnfg_get_phyinfo_rcu(cnfg, phyid);
-        caif_assert(phy_layer == cnfg->phy_layers[phyid].phy_layer);
+        if (phyinfo == NULL) {
+                mutex_unlock(&cnfg->lock);
+                return 0;
+        }
+        caif_assert(phyid == phyinfo->id);
+        caif_assert(phy_layer == phyinfo->phy_layer);
        caif_assert(phy_layer->id == phyid);
-        caif_assert(cnfg->phy_layers[phyid].frm_layer->id == phyid);
+        caif_assert(phyinfo->frm_layer->id == phyid);
+        list_del_rcu(&phyinfo->node);
+        synchronize_rcu();
-        memset(&cnfg->phy_layers[phy_layer->id], 0,
+        /* Fail if reference count is not zero */
-               sizeof(struct cfcnfg_phyinfo));
+        if (cffrml_refcnt_read(phyinfo->frm_layer) != 0) {
-        frml = cfmuxl_remove_dnlayer(cnfg->mux, phy_layer->id);
+                pr_info("Wait for device inuse\n");
+                list_add_rcu(&phyinfo->node, &cnfg->phys);
+                mutex_unlock(&cnfg->lock);
+                return -EAGAIN;
+        }
+        frml = phyinfo->frm_layer;
        frml_dn = frml->dn;
        cffrml_set_uplayer(frml, NULL);
        cffrml_set_dnlayer(frml, NULL);
-        kfree(frml);
        if (phy_layer != frml_dn) {
                layer_set_up(frml_dn, NULL);
                layer_set_dn(frml_dn, NULL);
-                kfree(frml_dn);
        }
        layer_set_up(phy_layer, NULL);
+        if (phyinfo->phy_layer != frml_dn)
+                kfree(frml_dn);
+        cffrml_free(frml);
+        kfree(phyinfo);
+        mutex_unlock(&cnfg->lock);
        return 0;
 }
 EXPORT_SYMBOL(cfcnfg_del_phy_layer);
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index 3cd8f978e309..e22671bed669 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -17,7 +17,6 @@
 #define UTILITY_NAME_LENGTH 16
 #define CFPKT_CTRL_PKT_LEN 20
 #ifdef CAIF_NO_LOOP
 static int handle_loop(struct cfctrl *ctrl,
                              int cmd, struct cfpkt *pkt){
@@ -51,14 +50,31 @@ struct cflayer *cfctrl_create(void)
        this->serv.layer.receive = cfctrl_recv;
        sprintf(this->serv.layer.name, "ctrl");
        this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
+#ifndef CAIF_NO_LOOP
        spin_lock_init(&this->loop_linkid_lock);
+        this->loop_linkid = 1;
+#endif
        spin_lock_init(&this->info_list_lock);
        INIT_LIST_HEAD(&this->list);
-        this->loop_linkid = 1;
        return &this->serv.layer;
 }
-static bool param_eq(struct cfctrl_link_param *p1, struct cfctrl_link_param *p2)
+void cfctrl_remove(struct cflayer *layer)
+{
+        struct cfctrl_request_info *p, *tmp;
+        struct cfctrl *ctrl = container_obj(layer);
+        spin_lock_bh(&ctrl->info_list_lock);
+        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
+                list_del(&p->list);
+                kfree(p);
+        }
+        spin_unlock_bh(&ctrl->info_list_lock);
+        kfree(layer);
+}
+static bool param_eq(const struct cfctrl_link_param *p1,
+                        const struct cfctrl_link_param *p2)
 {
        bool eq =
            p1->linktype == p2->linktype &&
@@ -100,8 +116,8 @@ static bool param_eq(struct cfctrl_link_param *p1, struct cfctrl_link_param *p2)
        return false;
 }
-bool cfctrl_req_eq(struct cfctrl_request_info *r1,
+static bool cfctrl_req_eq(const struct cfctrl_request_info *r1,
-                   struct cfctrl_request_info *r2)
+                          const struct cfctrl_request_info *r2)
 {
        if (r1->cmd != r2->cmd)
                return false;
@@ -112,23 +128,22 @@ bool cfctrl_req_eq(struct cfctrl_request_info *r1,
 }
 /* Insert request at the end */
-void cfctrl_insert_req(struct cfctrl *ctrl,
+static void cfctrl_insert_req(struct cfctrl *ctrl,
                              struct cfctrl_request_info *req)
 {
-        spin_lock(&ctrl->info_list_lock);
+        spin_lock_bh(&ctrl->info_list_lock);
        atomic_inc(&ctrl->req_seq_no);
        req->sequence_no = atomic_read(&ctrl->req_seq_no);
        list_add_tail(&req->list, &ctrl->list);
-        spin_unlock(&ctrl->info_list_lock);
+        spin_unlock_bh(&ctrl->info_list_lock);
 }
 /* Compare and remove request */
-struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
+static struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
-                                              struct cfctrl_request_info *req)
+                                                struct cfctrl_request_info *req)
 {
        struct cfctrl_request_info *p, *tmp, *first;
-        spin_lock(&ctrl->info_list_lock);
        first = list_first_entry(&ctrl->list, struct cfctrl_request_info, list);
        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
@@ -144,7 +159,6 @@ struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
        }
        p = NULL;
 out:
-        spin_unlock(&ctrl->info_list_lock);
        return p;
 }
@@ -154,16 +168,6 @@ struct cfctrl_rsp *cfctrl_get_respfuncs(struct cflayer *layer)
        return &this->res;
 }
-void cfctrl_set_dnlayer(struct cflayer *this, struct cflayer *dn)
-{
-        this->dn = dn;
-}
-void cfctrl_set_uplayer(struct cflayer *this, struct cflayer *up)
-{
-        this->up = up;
-}
 static void init_info(struct caif_payload_info *info, struct cfctrl *cfctrl)
 {
        info->hdr_len = 0;
@@ -174,24 +178,23 @@ static void init_info(struct caif_payload_info *info, struct cfctrl *cfctrl)
 void cfctrl_enum_req(struct cflayer *layer, u8 physlinkid)
 {
        struct cfctrl *cfctrl = container_obj(layer);
-        int ret;
        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
+        struct cflayer *dn = cfctrl->serv.layer.dn;
        if (!pkt) {
                pr_warn("Out of memory\n");
                return;
        }
+        if (!dn) {
+                pr_debug("not able to send enum request\n");
+                return;
+        }
        caif_assert(offsetof(struct cfctrl, serv.layer) == 0);
        init_info(cfpkt_info(pkt), cfctrl);
        cfpkt_info(pkt)->dev_info->id = physlinkid;
        cfctrl->serv.dev_info.id = physlinkid;
        cfpkt_addbdy(pkt, CFCTRL_CMD_ENUM);
        cfpkt_addbdy(pkt, physlinkid);
-        ret =
+        dn->transmit(dn, pkt);
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0) {
-                pr_err("Could not transmit enum message\n");
-                cfpkt_destroy(pkt);
-        }
 }
 int cfctrl_linkup_request(struct cflayer *layer,
@@ -205,14 +208,29 @@ int cfctrl_linkup_request(struct cflayer *layer,
        struct cfctrl_request_info *req;
        int ret;
        char utility_name[16];
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
+        struct cfpkt *pkt;
+        struct cflayer *dn = cfctrl->serv.layer.dn;
+        if (!dn) {
+                pr_debug("not able to send linkup request\n");
+                return -ENODEV;
+        }
+        if (cfctrl_cancel_req(layer, user_layer) > 0) {
+                /* Slight Paranoia, check if already connecting */
+                pr_err("Duplicate connect request for same client\n");
+                WARN_ON(1);
+                return -EALREADY;
+        }
+        pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
        if (!pkt) {
                pr_warn("Out of memory\n");
                return -ENOMEM;
        }
        cfpkt_addbdy(pkt, CFCTRL_CMD_LINK_SETUP);
-        cfpkt_addbdy(pkt, (param->chtype << 4) + param->linktype);
+        cfpkt_addbdy(pkt, (param->chtype << 4) | param->linktype);
-        cfpkt_addbdy(pkt, (param->priority << 3) + param->phyid);
+        cfpkt_addbdy(pkt, (param->priority << 3) | param->phyid);
        cfpkt_addbdy(pkt, param->endpoint & 0x03);
        switch (param->linktype) {
@@ -273,11 +291,15 @@ int cfctrl_linkup_request(struct cflayer *layer,
         */
        cfpkt_info(pkt)->dev_info->id = param->phyid;
        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
+            dn->transmit(dn, pkt);
        if (ret < 0) {
-                pr_err("Could not transmit linksetup request\n");
+                int count;
-                cfpkt_destroy(pkt);
-                return -ENODEV;
+                count = cfctrl_cancel_req(&cfctrl->serv.layer,
+                                                user_layer);
+                if (count != 1)
+                        pr_err("Could not remove request (%d)", count);
+                        return -ENODEV;
        }
        return 0;
 }
@@ -288,89 +310,46 @@ int cfctrl_linkdown_req(struct cflayer *layer, u8 channelid,
        int ret;
        struct cfctrl *cfctrl = container_obj(layer);
        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
-        if (!pkt) {
+        struct cflayer *dn = cfctrl->serv.layer.dn;
-                pr_warn("Out of memory\n");
-                return -ENOMEM;
-        }
-        cfpkt_addbdy(pkt, CFCTRL_CMD_LINK_DESTROY);
-        cfpkt_addbdy(pkt, channelid);
-        init_info(cfpkt_info(pkt), cfctrl);
-        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0) {
-                pr_err("Could not transmit link-down request\n");
-                cfpkt_destroy(pkt);
-        }
-        return ret;
-}
-void cfctrl_sleep_req(struct cflayer *layer)
-{
-        int ret;
-        struct cfctrl *cfctrl = container_obj(layer);
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
        if (!pkt) {
                pr_warn("Out of memory\n");
-                return;
+                return -ENOMEM;
        }
-        cfpkt_addbdy(pkt, CFCTRL_CMD_SLEEP);
-        init_info(cfpkt_info(pkt), cfctrl);
-        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0)
-                cfpkt_destroy(pkt);
-}
-void cfctrl_wake_req(struct cflayer *layer)
+        if (!dn) {
-{
+                pr_debug("not able to send link-down request\n");
-        int ret;
+                return -ENODEV;
-        struct cfctrl *cfctrl = container_obj(layer);
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
-        if (!pkt) {
-                pr_warn("Out of memory\n");
-                return;
        }
-        cfpkt_addbdy(pkt, CFCTRL_CMD_WAKE);
-        init_info(cfpkt_info(pkt), cfctrl);
-        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0)
-                cfpkt_destroy(pkt);
-}
-void cfctrl_getstartreason_req(struct cflayer *layer)
+        cfpkt_addbdy(pkt, CFCTRL_CMD_LINK_DESTROY);
-{
+        cfpkt_addbdy(pkt, channelid);
-        int ret;
-        struct cfctrl *cfctrl = container_obj(layer);
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
-        if (!pkt) {
-                pr_warn("Out of memory\n");
-                return;
-        }
-        cfpkt_addbdy(pkt, CFCTRL_CMD_START_REASON);
        init_info(cfpkt_info(pkt), cfctrl);
        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
+            dn->transmit(dn, pkt);
-        if (ret < 0)
+#ifndef CAIF_NO_LOOP
-                cfpkt_destroy(pkt);
+        cfctrl->loop_linkused[channelid] = 0;
+#endif
+        return ret;
 }
+int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
-void cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
 {
        struct cfctrl_request_info *p, *tmp;
        struct cfctrl *ctrl = container_obj(layr);
-        spin_lock(&ctrl->info_list_lock);
+        int found = 0;
+        spin_lock_bh(&ctrl->info_list_lock);
        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
                if (p->client_layer == adap_layer) {
-                        pr_debug("cancel req :%d\n", p->sequence_no);
                        list_del(&p->list);
                        kfree(p);
+                        found++;
                }
        }
-        spin_unlock(&ctrl->info_list_lock);
+        spin_unlock_bh(&ctrl->info_list_lock);
+        return found;
 }
 static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
@@ -389,7 +368,8 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
        cfpkt_extr_head(pkt, &cmdrsp, 1);
        cmd = cmdrsp & CFCTRL_CMD_MASK;
        if (cmd != CFCTRL_CMD_LINK_ERR
-            && CFCTRL_RSP_BIT != (CFCTRL_RSP_BIT & cmdrsp)) {
+            && CFCTRL_RSP_BIT != (CFCTRL_RSP_BIT & cmdrsp)
+                && CFCTRL_ERR_BIT != (CFCTRL_ERR_BIT & cmdrsp)) {
                if (handle_loop(cfctrl, cmd, pkt) != 0)
                        cmdrsp |= CFCTRL_ERR_BIT;
        }
@@ -515,18 +495,20 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
                                cfpkt_extr_head(pkt, &param, len);
                                break;
                        default:
-                                pr_warn("Request setup - invalid link type (%d)\n",
+                                pr_warn("Request setup, invalid type (%d)\n",
                                        serv);
                                goto error;
                        }
                        rsp.cmd = cmd;
                        rsp.param = linkparam;
+                        spin_lock_bh(&cfctrl->info_list_lock);
                        req = cfctrl_remove_req(cfctrl, &rsp);
                        if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
                                cfpkt_erroneous(pkt)) {
-                                pr_err("Invalid O/E bit or parse error on CAIF control channel\n");
+                                pr_err("Invalid O/E bit or parse error "
+                                                "on CAIF control channel\n");
                                cfctrl->res.reject_rsp(cfctrl->serv.layer.up,
                                                       0,
                                                       req ? req->client_layer
@@ -541,6 +523,8 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
                        if (req != NULL)
                                kfree(req);
+                        spin_unlock_bh(&cfctrl->info_list_lock);
                }
                break;
        case CFCTRL_CMD_LINK_DESTROY:
@@ -584,12 +568,28 @@ static void cfctrl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
        switch (ctrl) {
        case _CAIF_CTRLCMD_PHYIF_FLOW_OFF_IND:
        case CAIF_CTRLCMD_FLOW_OFF_IND:
-                spin_lock(&this->info_list_lock);
+                spin_lock_bh(&this->info_list_lock);
-                if (!list_empty(&this->list)) {
+                if (!list_empty(&this->list))
                        pr_debug("Received flow off in control layer\n");
+                spin_unlock_bh(&this->info_list_lock);
+                break;
+        case _CAIF_CTRLCMD_PHYIF_DOWN_IND: {
+                struct cfctrl_request_info *p, *tmp;
+                /* Find all connect request and report failure */
+                spin_lock_bh(&this->info_list_lock);
+                list_for_each_entry_safe(p, tmp, &this->list, list) {
+                        if (p->param.phyid == phyid) {
+                                list_del(&p->list);
+                                p->client_layer->ctrlcmd(p->client_layer,
+                                                CAIF_CTRLCMD_INIT_FAIL_RSP,
+                                                phyid);
+                                kfree(p);
+                        }
                }
-                spin_unlock(&this->info_list_lock);
+                spin_unlock_bh(&this->info_list_lock);
                break;
+        }
        default:
                break;
        }
@@ -599,27 +599,33 @@ static void cfctrl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
 static int handle_loop(struct cfctrl *ctrl, int cmd, struct cfpkt *pkt)
 {
        static int last_linkid;
+        static int dec;
        u8 linkid, linktype, tmp;
        switch (cmd) {
        case CFCTRL_CMD_LINK_SETUP:
-                spin_lock(&ctrl->loop_linkid_lock);
+                spin_lock_bh(&ctrl->loop_linkid_lock);
-                for (linkid = last_linkid + 1; linkid < 255; linkid++)
+                if (!dec) {
-                        if (!ctrl->loop_linkused[linkid])
+                        for (linkid = last_linkid + 1; linkid < 254; linkid++)
-                                goto found;
+                                if (!ctrl->loop_linkused[linkid])
-                for (linkid = last_linkid - 1; linkid > 0; linkid--)
+                                        goto found;
+                }
+                dec = 1;
+                for (linkid = last_linkid - 1; linkid > 1; linkid--)
                        if (!ctrl->loop_linkused[linkid])
                                goto found;
-                spin_unlock(&ctrl->loop_linkid_lock);
+                spin_unlock_bh(&ctrl->loop_linkid_lock);
-                pr_err("Out of link-ids\n");
+                return -1;
-                return -EINVAL;
 found:
+                if (linkid < 10)
+                        dec = 0;
                if (!ctrl->loop_linkused[linkid])
                        ctrl->loop_linkused[linkid] = 1;
                last_linkid = linkid;
                cfpkt_add_trail(pkt, &linkid, 1);
-                spin_unlock(&ctrl->loop_linkid_lock);
+                spin_unlock_bh(&ctrl->loop_linkid_lock);
                cfpkt_peek_head(pkt, &linktype, 1);
                if (linktype ==  CFCTRL_SRV_UTIL) {
                        tmp = 0x01;
@@ -629,10 +635,10 @@ found:
                break;
        case CFCTRL_CMD_LINK_DESTROY:
-                spin_lock(&ctrl->loop_linkid_lock);
+                spin_lock_bh(&ctrl->loop_linkid_lock);
                cfpkt_peek_head(pkt, &linkid, 1);
                ctrl->loop_linkused[linkid] = 0;
-                spin_unlock(&ctrl->loop_linkid_lock);
+                spin_unlock_bh(&ctrl->loop_linkid_lock);
                break;
        default:
                break;
diff --git a/net/caif/cfdgml.c b/net/caif/cfdgml.c
index 054fdb5aeb88..0382dec84fdc 100644
--- a/net/caif/cfdgml.c
+++ b/net/caif/cfdgml.c
@@ -108,10 +108,5 @@ static int cfdgml_transmit(struct cflayer *layr, struct cfpkt *pkt)
         */
        info->hdr_len = 4;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0) {
-                u32 tmp32;
-                cfpkt_extr_head(pkt, &tmp32, 4);
-        }
-        return ret;
 }
diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
index a445043931ae..04204b202718 100644
--- a/net/caif/cffrml.c
+++ b/net/caif/cffrml.c
@@ -12,6 +12,7 @@
 #include <linux/spinlock.h>
 #include <linux/slab.h>
 #include <linux/crc-ccitt.h>
+#include <linux/netdevice.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cffrml.h>
@@ -21,6 +22,7 @@
 struct cffrml {
        struct cflayer layer;
        bool dofcs;             /* !< FCS active */
+        int __percpu            *pcpu_refcnt;
 };
 static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt);
@@ -37,6 +39,12 @@ struct cflayer *cffrml_create(u16 phyid, bool use_fcs)
                pr_warn("Out of memory\n");
                return NULL;
        }
+        this->pcpu_refcnt = alloc_percpu(int);
+        if (this->pcpu_refcnt == NULL) {
+                kfree(this);
+                return NULL;
+        }
        caif_assert(offsetof(struct cffrml, layer) == 0);
        memset(this, 0, sizeof(struct cflayer));
@@ -49,6 +57,13 @@ struct cflayer *cffrml_create(u16 phyid, bool use_fcs)
        return (struct cflayer *) this;
 }
+void cffrml_free(struct cflayer *layer)
+{
+        struct cffrml *this = container_obj(layer);
+        free_percpu(this->pcpu_refcnt);
+        kfree(layer);
+}
 void cffrml_set_uplayer(struct cflayer *this, struct cflayer *up)
 {
        this->up = up;
@@ -112,6 +127,13 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
                cfpkt_destroy(pkt);
                return -EPROTO;
        }
+        if (layr->up == NULL) {
+                pr_err("Layr up is missing!\n");
+                cfpkt_destroy(pkt);
+                return -EINVAL;
+        }
        return layr->up->receive(layr->up, pkt);
 }
@@ -120,7 +142,6 @@ static int cffrml_transmit(struct cflayer *layr, struct cfpkt *pkt)
        int tmp;
        u16 chks;
        u16 len;
-        int ret;
        struct cffrml *this = container_obj(layr);
        if (this->dofcs) {
                chks = cfpkt_iterate(pkt, cffrml_checksum, 0xffff);
@@ -135,19 +156,44 @@ static int cffrml_transmit(struct cflayer *layr, struct cfpkt *pkt)
        cfpkt_info(pkt)->hdr_len += 2;
        if (cfpkt_erroneous(pkt)) {
                pr_err("Packet is erroneous!\n");
+                cfpkt_destroy(pkt);
                return -EPROTO;
        }
-        ret = layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0) {
+        if (layr->dn == NULL) {
-                /* Remove header on faulty packet. */
+                cfpkt_destroy(pkt);
-                cfpkt_extr_head(pkt, &tmp, 2);
+                return -ENODEV;
        }
-        return ret;
+        return layr->dn->transmit(layr->dn, pkt);
 }
 static void cffrml_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
                                        int phyid)
 {
-        if (layr->up->ctrlcmd)
+        if (layr->up && layr->up->ctrlcmd)
                layr->up->ctrlcmd(layr->up, ctrl, layr->id);
 }
+void cffrml_put(struct cflayer *layr)
+{
+        struct cffrml *this = container_obj(layr);
+        if (layr != NULL && this->pcpu_refcnt != NULL)
+                irqsafe_cpu_dec(*this->pcpu_refcnt);
+}
+void cffrml_hold(struct cflayer *layr)
+{
+        struct cffrml *this = container_obj(layr);
+        if (layr != NULL && this->pcpu_refcnt != NULL)
+                irqsafe_cpu_inc(*this->pcpu_refcnt);
+}
+int cffrml_refcnt_read(struct cflayer *layr)
+{
+        int i, refcnt = 0;
+        struct cffrml *this = container_obj(layr);
+        for_each_possible_cpu(i)
+                refcnt += *per_cpu_ptr(this->pcpu_refcnt, i);
+        return refcnt;
+}
diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c
index 24f1ffa74b06..c23979e79dfa 100644
--- a/net/caif/cfmuxl.c
+++ b/net/caif/cfmuxl.c
@@ -9,6 +9,7 @@
 #include <linux/stddef.h>
 #include <linux/spinlock.h>
 #include <linux/slab.h>
+#include <linux/rculist.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cfmuxl.h>
 #include <net/caif/cfsrvl.h>
@@ -61,111 +62,88 @@ struct cflayer *cfmuxl_create(void)
        return &this->layer;
 }
-int cfmuxl_set_uplayer(struct cflayer *layr, struct cflayer *up, u8 linkid)
+int cfmuxl_set_dnlayer(struct cflayer *layr, struct cflayer *dn, u8 phyid)
 {
-        struct cfmuxl *muxl = container_obj(layr);
+        struct cfmuxl *muxl = (struct cfmuxl *) layr;
-        spin_lock(&muxl->receive_lock);
-        cfsrvl_get(up);
+        spin_lock_bh(&muxl->transmit_lock);
-        list_add(&up->node, &muxl->srvl_list);
+        list_add_rcu(&dn->node, &muxl->frml_list);
-        spin_unlock(&muxl->receive_lock);
+        spin_unlock_bh(&muxl->transmit_lock);
        return 0;
 }
-bool cfmuxl_is_phy_inuse(struct cflayer *layr, u8 phyid)
+static struct cflayer *get_from_id(struct list_head *list, u16 id)
 {
-        struct list_head *node;
+        struct cflayer *lyr;
-        struct cflayer *layer;
+        list_for_each_entry_rcu(lyr, list, node) {
-        struct cfmuxl *muxl = container_obj(layr);
+                if (lyr->id == id)
-        bool match = false;
+                        return lyr;
-        spin_lock(&muxl->receive_lock);
-        list_for_each(node, &muxl->srvl_list) {
-                layer = list_entry(node, struct cflayer, node);
-                if (cfsrvl_phyid_match(layer, phyid)) {
-                        match = true;
-                        break;
-                }
        }
-        spin_unlock(&muxl->receive_lock);
-        return match;
+        return NULL;
 }
-u8 cfmuxl_get_phyid(struct cflayer *layr, u8 channel_id)
+int cfmuxl_set_uplayer(struct cflayer *layr, struct cflayer *up, u8 linkid)
 {
-        struct cflayer *up;
-        int phyid;
        struct cfmuxl *muxl = container_obj(layr);
-        spin_lock(&muxl->receive_lock);
+        struct cflayer *old;
-        up = get_up(muxl, channel_id);
-        if (up != NULL)
-                phyid = cfsrvl_getphyid(up);
-        else
-                phyid = 0;
-        spin_unlock(&muxl->receive_lock);
-        return phyid;
-}
-int cfmuxl_set_dnlayer(struct cflayer *layr, struct cflayer *dn, u8 phyid)
+        spin_lock_bh(&muxl->receive_lock);
-{
-        struct cfmuxl *muxl = (struct cfmuxl *) layr;
-        spin_lock(&muxl->transmit_lock);
-        list_add(&dn->node, &muxl->frml_list);
-        spin_unlock(&muxl->transmit_lock);
-        return 0;
-}
-static struct cflayer *get_from_id(struct list_head *list, u16 id)
+        /* Two entries with same id is wrong, so remove old layer from mux */
-{
+        old = get_from_id(&muxl->srvl_list, linkid);
-        struct list_head *node;
+        if (old != NULL)
-        struct cflayer *layer;
+                list_del_rcu(&old->node);
-        list_for_each(node, list) {
-                layer = list_entry(node, struct cflayer, node);
+        list_add_rcu(&up->node, &muxl->srvl_list);
-                if (layer->id == id)
+        spin_unlock_bh(&muxl->receive_lock);
-                        return layer;
-        }
+        return 0;
-        return NULL;
 }
 struct cflayer *cfmuxl_remove_dnlayer(struct cflayer *layr, u8 phyid)
 {
        struct cfmuxl *muxl = container_obj(layr);
        struct cflayer *dn;
-        spin_lock(&muxl->transmit_lock);
+        int idx = phyid % DN_CACHE_SIZE;
-        memset(muxl->dn_cache, 0, sizeof(muxl->dn_cache));
+        spin_lock_bh(&muxl->transmit_lock);
+        rcu_assign_pointer(muxl->dn_cache[idx], NULL);
        dn = get_from_id(&muxl->frml_list, phyid);
-        if (dn == NULL) {
+        if (dn == NULL)
-                spin_unlock(&muxl->transmit_lock);
+                goto out;
-                return NULL;
-        }
+        list_del_rcu(&dn->node);
-        list_del(&dn->node);
        caif_assert(dn != NULL);
-        spin_unlock(&muxl->transmit_lock);
+out:
+        spin_unlock_bh(&muxl->transmit_lock);
        return dn;
 }
-/* Invariant: lock is taken */
 static struct cflayer *get_up(struct cfmuxl *muxl, u16 id)
 {
        struct cflayer *up;
        int idx = id % UP_CACHE_SIZE;
-        up = muxl->up_cache[idx];
+        up = rcu_dereference(muxl->up_cache[idx]);
        if (up == NULL || up->id != id) {
+                spin_lock_bh(&muxl->receive_lock);
                up = get_from_id(&muxl->srvl_list, id);
-                muxl->up_cache[idx] = up;
+                rcu_assign_pointer(muxl->up_cache[idx], up);
+                spin_unlock_bh(&muxl->receive_lock);
        }
        return up;
 }
-/* Invariant: lock is taken */
 static struct cflayer *get_dn(struct cfmuxl *muxl, struct dev_info *dev_info)
 {
        struct cflayer *dn;
        int idx = dev_info->id % DN_CACHE_SIZE;
-        dn = muxl->dn_cache[idx];
+        dn = rcu_dereference(muxl->dn_cache[idx]);
        if (dn == NULL || dn->id != dev_info->id) {
+                spin_lock_bh(&muxl->transmit_lock);
                dn = get_from_id(&muxl->frml_list, dev_info->id);
-                muxl->dn_cache[idx] = dn;
+                rcu_assign_pointer(muxl->dn_cache[idx], dn);
+                spin_unlock_bh(&muxl->transmit_lock);
        }
        return dn;
 }
@@ -174,15 +152,22 @@ struct cflayer *cfmuxl_remove_uplayer(struct cflayer *layr, u8 id)
 {
        struct cflayer *up;
        struct cfmuxl *muxl = container_obj(layr);
-        spin_lock(&muxl->receive_lock);
+        int idx = id % UP_CACHE_SIZE;
-        up = get_up(muxl, id);
+        if (id == 0) {
+                pr_warn("Trying to remove control layer\n");
+                return NULL;
+        }
+        spin_lock_bh(&muxl->receive_lock);
+        up = get_from_id(&muxl->srvl_list, id);
        if (up == NULL)
                goto out;
-        memset(muxl->up_cache, 0, sizeof(muxl->up_cache));
-        list_del(&up->node);
+        rcu_assign_pointer(muxl->up_cache[idx], NULL);
-        cfsrvl_put(up);
+        list_del_rcu(&up->node);
 out:
-        spin_unlock(&muxl->receive_lock);
+        spin_unlock_bh(&muxl->receive_lock);
        return up;
 }
@@ -197,58 +182,92 @@ static int cfmuxl_receive(struct cflayer *layr, struct cfpkt *pkt)
                cfpkt_destroy(pkt);
                return -EPROTO;
        }
+        rcu_read_lock();
-        spin_lock(&muxl->receive_lock);
        up = get_up(muxl, id);
-        spin_unlock(&muxl->receive_lock);
        if (up == NULL) {
-                pr_info("Received data on unknown link ID = %d (0x%x) up == NULL",
+                pr_debug("Received data on unknown link ID = %d (0x%x)"
-                        id, id);
+                        " up == NULL", id, id);
                cfpkt_destroy(pkt);
                /*
                 * Don't return ERROR, since modem misbehaves and sends out
                 * flow on before linksetup response.
                 */
+                rcu_read_unlock();
                return /* CFGLU_EPROT; */ 0;
        }
+        /* We can't hold rcu_lock during receive, so take a ref count instead */
        cfsrvl_get(up);
+        rcu_read_unlock();
        ret = up->receive(up, pkt);
        cfsrvl_put(up);
        return ret;
 }
 static int cfmuxl_transmit(struct cflayer *layr, struct cfpkt *pkt)
 {
-        int ret;
        struct cfmuxl *muxl = container_obj(layr);
+        int err;
        u8 linkid;
        struct cflayer *dn;
        struct caif_payload_info *info = cfpkt_info(pkt);
-        dn = get_dn(muxl, cfpkt_info(pkt)->dev_info);
+        BUG_ON(!info);
+        rcu_read_lock();
+        dn = get_dn(muxl, info->dev_info);
        if (dn == NULL) {
-                pr_warn("Send data on unknown phy ID = %d (0x%x)\n",
+                pr_debug("Send data on unknown phy ID = %d (0x%x)\n",
                        info->dev_info->id, info->dev_info->id);
+                rcu_read_unlock();
+                cfpkt_destroy(pkt);
                return -ENOTCONN;
        }
        info->hdr_len += 1;
        linkid = info->channel_id;
        cfpkt_add_head(pkt, &linkid, 1);
-        ret = dn->transmit(dn, pkt);
-        /* Remove MUX protocol header upon error. */
+        /* We can't hold rcu_lock during receive, so take a ref count instead */
-        if (ret < 0)
+        cffrml_hold(dn);
-                cfpkt_extr_head(pkt, &linkid, 1);
-        return ret;
+        rcu_read_unlock();
+        err = dn->transmit(dn, pkt);
+        cffrml_put(dn);
+        return err;
 }
 static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
                                int phyid)
 {
        struct cfmuxl *muxl = container_obj(layr);
-        struct list_head *node, *next;
        struct cflayer *layer;
-        list_for_each_safe(node, next, &muxl->srvl_list) {
+        int idx;
-                layer = list_entry(node, struct cflayer, node);
-                if (cfsrvl_phyid_match(layer, phyid))
+        rcu_read_lock();
+        list_for_each_entry_rcu(layer, &muxl->srvl_list, node) {
+                if (cfsrvl_phyid_match(layer, phyid) && layer->ctrlcmd) {
+                        if ((ctrl == _CAIF_CTRLCMD_PHYIF_DOWN_IND ||
+                                ctrl == CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND) &&
+                                        layer->id != 0) {
+                                idx = layer->id % UP_CACHE_SIZE;
+                                spin_lock_bh(&muxl->receive_lock);
+                                rcu_assign_pointer(muxl->up_cache[idx], NULL);
+                                list_del_rcu(&layer->node);
+                                spin_unlock_bh(&muxl->receive_lock);
+                        }
+                        /* NOTE: ctrlcmd is not allowed to block */
                        layer->ctrlcmd(layer, ctrl, phyid);
+                }
        }
+        rcu_read_unlock();
 }
diff --git a/net/caif/cfpkt_skbuff.c b/net/caif/cfpkt_skbuff.c
index d7e865e2ff65..75d4bfae1a78 100644
--- a/net/caif/cfpkt_skbuff.c
+++ b/net/caif/cfpkt_skbuff.c
@@ -42,22 +42,22 @@ struct cfpkt_priv_data {
        bool erronous;
 };
-inline struct cfpkt_priv_data *cfpkt_priv(struct cfpkt *pkt)
+static inline struct cfpkt_priv_data *cfpkt_priv(struct cfpkt *pkt)
 {
        return (struct cfpkt_priv_data *) pkt->skb.cb;
 }
-inline bool is_erronous(struct cfpkt *pkt)
+static inline bool is_erronous(struct cfpkt *pkt)
 {
        return cfpkt_priv(pkt)->erronous;
 }
-inline struct sk_buff *pkt_to_skb(struct cfpkt *pkt)
+static inline struct sk_buff *pkt_to_skb(struct cfpkt *pkt)
 {
        return &pkt->skb;
 }
-inline struct cfpkt *skb_to_pkt(struct sk_buff *skb)
+static inline struct cfpkt *skb_to_pkt(struct sk_buff *skb)
 {
        return (struct cfpkt *) skb;
 }
@@ -97,21 +97,20 @@ inline struct cfpkt *cfpkt_create(u16 len)
 {
        return cfpkt_create_pfx(len + PKT_POSTFIX, PKT_PREFIX);
 }
-EXPORT_SYMBOL(cfpkt_create);
 void cfpkt_destroy(struct cfpkt *pkt)
 {
        struct sk_buff *skb = pkt_to_skb(pkt);
        kfree_skb(skb);
 }
-EXPORT_SYMBOL(cfpkt_destroy);
 inline bool cfpkt_more(struct cfpkt *pkt)
 {
        struct sk_buff *skb = pkt_to_skb(pkt);
        return skb->len > 0;
 }
-EXPORT_SYMBOL(cfpkt_more);
 int cfpkt_peek_head(struct cfpkt *pkt, void *data, u16 len)
 {
@@ -123,7 +122,6 @@ int cfpkt_peek_head(struct cfpkt *pkt, void *data, u16 len)
        return !cfpkt_extr_head(pkt, data, len) &&
            !cfpkt_add_head(pkt, data, len);
 }
-EXPORT_SYMBOL(cfpkt_peek_head);
 int cfpkt_extr_head(struct cfpkt *pkt, void *data, u16 len)
 {
@@ -148,7 +146,6 @@ int cfpkt_extr_head(struct cfpkt *pkt, void *data, u16 len)
        memcpy(data, from, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_extr_head);
 int cfpkt_extr_trail(struct cfpkt *pkt, void *dta, u16 len)
 {
@@ -171,13 +168,13 @@ int cfpkt_extr_trail(struct cfpkt *pkt, void *dta, u16 len)
        memcpy(data, from, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_extr_trail);
 int cfpkt_pad_trail(struct cfpkt *pkt, u16 len)
 {
        return cfpkt_add_body(pkt, NULL, len);
 }
-EXPORT_SYMBOL(cfpkt_pad_trail);
 int cfpkt_add_body(struct cfpkt *pkt, const void *data, u16 len)
 {
@@ -226,13 +223,11 @@ int cfpkt_add_body(struct cfpkt *pkt, const void *data, u16 len)
                memcpy(to, data, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_add_body);
 inline int cfpkt_addbdy(struct cfpkt *pkt, u8 data)
 {
        return cfpkt_add_body(pkt, &data, 1);
 }
-EXPORT_SYMBOL(cfpkt_addbdy);
 int cfpkt_add_head(struct cfpkt *pkt, const void *data2, u16 len)
 {
@@ -259,20 +254,20 @@ int cfpkt_add_head(struct cfpkt *pkt, const void *data2, u16 len)
        memcpy(to, data, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_add_head);
 inline int cfpkt_add_trail(struct cfpkt *pkt, const void *data, u16 len)
 {
        return cfpkt_add_body(pkt, data, len);
 }
-EXPORT_SYMBOL(cfpkt_add_trail);
 inline u16 cfpkt_getlen(struct cfpkt *pkt)
 {
        struct sk_buff *skb = pkt_to_skb(pkt);
        return skb->len;
 }
-EXPORT_SYMBOL(cfpkt_getlen);
 inline u16 cfpkt_iterate(struct cfpkt *pkt,
                            u16 (*iter_func)(u16, void *, u16),
@@ -290,7 +285,7 @@ inline u16 cfpkt_iterate(struct cfpkt *pkt,
        }
        return iter_func(data, pkt->skb.data, cfpkt_getlen(pkt));
 }
-EXPORT_SYMBOL(cfpkt_iterate);
 int cfpkt_setlen(struct cfpkt *pkt, u16 len)
 {
@@ -315,18 +310,6 @@ int cfpkt_setlen(struct cfpkt *pkt, u16 len)
        return cfpkt_getlen(pkt);
 }
-EXPORT_SYMBOL(cfpkt_setlen);
-struct cfpkt *cfpkt_create_uplink(const unsigned char *data, unsigned int len)
-{
-        struct cfpkt *pkt = cfpkt_create_pfx(len + PKT_POSTFIX, PKT_PREFIX);
-        if (!pkt)
-                return NULL;
-        if (unlikely(data != NULL))
-                cfpkt_add_body(pkt, data, len);
-        return pkt;
-}
-EXPORT_SYMBOL(cfpkt_create_uplink);
 struct cfpkt *cfpkt_append(struct cfpkt *dstpkt,
                             struct cfpkt *addpkt,
@@ -368,7 +351,6 @@ struct cfpkt *cfpkt_append(struct cfpkt *dstpkt,
        dst->len += addlen;
        return skb_to_pkt(dst);
 }
-EXPORT_SYMBOL(cfpkt_append);
 struct cfpkt *cfpkt_split(struct cfpkt *pkt, u16 pos)
 {
@@ -406,174 +388,13 @@ struct cfpkt *cfpkt_split(struct cfpkt *pkt, u16 pos)
        skb2->len += len2nd;
        return skb_to_pkt(skb2);
 }
-EXPORT_SYMBOL(cfpkt_split);
-char *cfpkt_log_pkt(struct cfpkt *pkt, char *buf, int buflen)
-{
-        struct sk_buff *skb = pkt_to_skb(pkt);
-        char *p = buf;
-        int i;
-        /*
-         * Sanity check buffer length, it needs to be at least as large as
-         * the header info: ~=50+ bytes
-         */
-        if (buflen < 50)
-                return NULL;
-        snprintf(buf, buflen, "%s: pkt:%p len:%ld(%ld+%ld) {%ld,%ld} data: [",
-                is_erronous(pkt) ? "ERRONOUS-SKB" :
-                 (skb->data_len != 0 ? "COMPLEX-SKB" : "SKB"),
-                 skb,
-                 (long) skb->len,
-                 (long) (skb_tail_pointer(skb) - skb->data),
-                 (long) skb->data_len,
-                 (long) (skb->data - skb->head),
-                 (long) (skb_tail_pointer(skb) - skb->head));
-        p = buf + strlen(buf);
-        for (i = 0; i < skb_tail_pointer(skb) - skb->data && i < 300; i++) {
-                if (p > buf + buflen - 10) {
-                        sprintf(p, "...");
-                        p = buf + strlen(buf);
-                        break;
-                }
-                sprintf(p, "%02x,", skb->data[i]);
-                p = buf + strlen(buf);
-        }
-        sprintf(p, "]\n");
-        return buf;
-}
-EXPORT_SYMBOL(cfpkt_log_pkt);
-int cfpkt_raw_append(struct cfpkt *pkt, void **buf, unsigned int buflen)
-{
-        struct sk_buff *skb = pkt_to_skb(pkt);
-        struct sk_buff *lastskb;
-        caif_assert(buf != NULL);
-        if (unlikely(is_erronous(pkt)))
-                return -EPROTO;
-        /* Make sure SKB is writable */
-        if (unlikely(skb_cow_data(skb, 0, &lastskb) < 0)) {
-                PKT_ERROR(pkt, "skb_cow_data failed\n");
-                return -EPROTO;
-        }
-        if (unlikely(skb_linearize(skb) != 0)) {
-                PKT_ERROR(pkt, "linearize failed\n");
-                return -EPROTO;
-        }
-        if (unlikely(skb_tailroom(skb) < buflen)) {
-                PKT_ERROR(pkt, "buffer too short - failed\n");
-                return -EPROTO;
-        }
-        *buf = skb_put(skb, buflen);
-        return 1;
-}
-EXPORT_SYMBOL(cfpkt_raw_append);
-int cfpkt_raw_extract(struct cfpkt *pkt, void **buf, unsigned int buflen)
+bool cfpkt_erroneous(struct cfpkt *pkt)
-{
-        struct sk_buff *skb = pkt_to_skb(pkt);
-        caif_assert(buf != NULL);
-        if (unlikely(is_erronous(pkt)))
-                return -EPROTO;
-        if (unlikely(buflen > skb->len)) {
-                PKT_ERROR(pkt, "buflen too large - failed\n");
-                return -EPROTO;
-        }
-        if (unlikely(buflen > skb_headlen(skb))) {
-                if (unlikely(skb_linearize(skb) != 0)) {
-                        PKT_ERROR(pkt, "linearize failed\n");
-                        return -EPROTO;
-                }
-        }
-        *buf = skb->data;
-        skb_pull(skb, buflen);
-        return 1;
-}
-EXPORT_SYMBOL(cfpkt_raw_extract);
-inline bool cfpkt_erroneous(struct cfpkt *pkt)
 {
        return cfpkt_priv(pkt)->erronous;
 }
-EXPORT_SYMBOL(cfpkt_erroneous);
-struct cfpktq *cfpktq_create(void)
-{
-        struct cfpktq *q = kmalloc(sizeof(struct cfpktq), GFP_ATOMIC);
-        if (!q)
-                return NULL;
-        skb_queue_head_init(&q->head);
-        atomic_set(&q->count, 0);
-        spin_lock_init(&q->lock);
-        return q;
-}
-EXPORT_SYMBOL(cfpktq_create);
-void cfpkt_queue(struct cfpktq *pktq, struct cfpkt *pkt, unsigned short prio)
-{
-        atomic_inc(&pktq->count);
-        spin_lock(&pktq->lock);
-        skb_queue_tail(&pktq->head, pkt_to_skb(pkt));
-        spin_unlock(&pktq->lock);
-}
-EXPORT_SYMBOL(cfpkt_queue);
-struct cfpkt *cfpkt_qpeek(struct cfpktq *pktq)
-{
-        struct cfpkt *tmp;
-        spin_lock(&pktq->lock);
-        tmp = skb_to_pkt(skb_peek(&pktq->head));
-        spin_unlock(&pktq->lock);
-        return tmp;
-}
-EXPORT_SYMBOL(cfpkt_qpeek);
-struct cfpkt *cfpkt_dequeue(struct cfpktq *pktq)
-{
-        struct cfpkt *pkt;
-        spin_lock(&pktq->lock);
-        pkt = skb_to_pkt(skb_dequeue(&pktq->head));
-        if (pkt) {
-                atomic_dec(&pktq->count);
-                caif_assert(atomic_read(&pktq->count) >= 0);
-        }
-        spin_unlock(&pktq->lock);
-        return pkt;
-}
-EXPORT_SYMBOL(cfpkt_dequeue);
-int cfpkt_qcount(struct cfpktq *pktq)
-{
-        return atomic_read(&pktq->count);
-}
-EXPORT_SYMBOL(cfpkt_qcount);
-struct cfpkt *cfpkt_clone_release(struct cfpkt *pkt)
-{
-        struct cfpkt *clone;
-        clone  = skb_to_pkt(skb_clone(pkt_to_skb(pkt), GFP_ATOMIC));
-        /* Free original packet. */
-        cfpkt_destroy(pkt);
-        if (!clone)
-                return NULL;
-        return clone;
-}
-EXPORT_SYMBOL(cfpkt_clone_release);
 struct caif_payload_info *cfpkt_info(struct cfpkt *pkt)
 {
        return (struct caif_payload_info *)&pkt_to_skb(pkt)->cb;
 }
-EXPORT_SYMBOL(cfpkt_info);
diff --git a/net/caif/cfrfml.c b/net/caif/cfrfml.c
index e2fb5fa75795..0deabb440051 100644
--- a/net/caif/cfrfml.c
+++ b/net/caif/cfrfml.c
@@ -31,9 +31,9 @@ struct cfrfml {
        spinlock_t sync;
 };
-static void cfrfml_release(struct kref *kref)
+static void cfrfml_release(struct cflayer *layer)
 {
-        struct cfsrvl *srvl = container_of(kref, struct cfsrvl, ref);
+        struct cfsrvl *srvl = container_of(layer, struct cfsrvl, layer);
        struct cfrfml *rfml = container_obj(&srvl->layer);
        if (rfml->incomplete_frm)
diff --git a/net/caif/cfserl.c b/net/caif/cfserl.c
index 8303fe3ebf89..2715c84cfa87 100644
--- a/net/caif/cfserl.c
+++ b/net/caif/cfserl.c
@@ -179,15 +179,10 @@ static int cfserl_receive(struct cflayer *l, struct cfpkt *newpkt)
 static int cfserl_transmit(struct cflayer *layer, struct cfpkt *newpkt)
 {
        struct cfserl *layr = container_obj(layer);
-        int ret;
        u8 tmp8 = CFSERL_STX;
        if (layr->usestx)
                cfpkt_add_head(newpkt, &tmp8, 1);
-        ret = layer->dn->transmit(layer->dn, newpkt);
+        return layer->dn->transmit(layer->dn, newpkt);
-        if (ret < 0)
-                cfpkt_extr_head(newpkt, &tmp8, 1);
-        return ret;
 }
 static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
diff --git a/net/caif/cfsrvl.c b/net/caif/cfsrvl.c
index ab5e542526bf..535a1e72b366 100644
--- a/net/caif/cfsrvl.c
+++ b/net/caif/cfsrvl.c
@@ -10,6 +10,7 @@
 #include <linux/types.h>
 #include <linux/errno.h>
 #include <linux/slab.h>
+#include <linux/module.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfsrvl.h>
 #include <net/caif/cfpkt.h>
@@ -27,8 +28,8 @@ static void cfservl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
 {
        struct cfsrvl *service = container_obj(layr);
-        caif_assert(layr->up != NULL);
+        if (layr->up == NULL || layr->up->ctrlcmd == NULL)
-        caif_assert(layr->up->ctrlcmd != NULL);
+                return;
        switch (ctrl) {
        case CAIF_CTRLCMD_INIT_RSP:
@@ -151,14 +152,9 @@ static int cfservl_modemcmd(struct cflayer *layr, enum caif_modemcmd ctrl)
        return -EINVAL;
 }
-void cfservl_destroy(struct cflayer *layer)
+static void cfsrvl_release(struct cflayer *layer)
 {
-        kfree(layer);
+        struct cfsrvl *service = container_of(layer, struct cfsrvl, layer);
-}
-void cfsrvl_release(struct kref *kref)
-{
-        struct cfsrvl *service = container_of(kref, struct cfsrvl, ref);
        kfree(service);
 }
@@ -178,10 +174,8 @@ void cfsrvl_init(struct cfsrvl *service,
        service->dev_info = *dev_info;
        service->supports_flowctrl = supports_flowctrl;
        service->release = cfsrvl_release;
-        kref_init(&service->ref);
 }
 bool cfsrvl_ready(struct cfsrvl *service, int *err)
 {
        if (service->open && service->modem_flow_on && service->phy_flow_on)
@@ -194,6 +188,7 @@ bool cfsrvl_ready(struct cfsrvl *service, int *err)
        *err = -EAGAIN;
        return false;
 }
 u8 cfsrvl_getphyid(struct cflayer *layer)
 {
        struct cfsrvl *servl = container_obj(layer);
@@ -205,3 +200,26 @@ bool cfsrvl_phyid_match(struct cflayer *layer, int phyid)
        struct cfsrvl *servl = container_obj(layer);
        return servl->dev_info.id == phyid;
 }
+void caif_free_client(struct cflayer *adap_layer)
+{
+        struct cfsrvl *servl;
+        if (adap_layer == NULL || adap_layer->dn == NULL)
+                return;
+        servl = container_obj(adap_layer->dn);
+        servl->release(&servl->layer);
+}
+EXPORT_SYMBOL(caif_free_client);
+void caif_client_register_refcnt(struct cflayer *adapt_layer,
+                                        void (*hold)(struct cflayer *lyr),
+                                        void (*put)(struct cflayer *lyr))
+{
+        struct cfsrvl *service;
+        service = container_of(adapt_layer->dn, struct cfsrvl, layer);
+        WARN_ON(adapt_layer == NULL || adapt_layer->dn == NULL);
+        service->hold = hold;
+        service->put = put;
+}
+EXPORT_SYMBOL(caif_client_register_refcnt);
diff --git a/net/caif/cfutill.c b/net/caif/cfutill.c
index 315c0d601368..98e027db18ed 100644
--- a/net/caif/cfutill.c
+++ b/net/caif/cfutill.c
@@ -100,10 +100,5 @@ static int cfutill_transmit(struct cflayer *layr, struct cfpkt *pkt)
         */
        info->hdr_len = 1;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0) {
-                u32 tmp32;
-                cfpkt_extr_head(pkt, &tmp32, 4);
-        }
-        return ret;
 }
diff --git a/net/caif/cfveil.c b/net/caif/cfveil.c
index c3b1dec4acf6..3ec83fbc2887 100644
--- a/net/caif/cfveil.c
+++ b/net/caif/cfveil.c
@@ -82,13 +82,14 @@ static int cfvei_transmit(struct cflayer *layr, struct cfpkt *pkt)
        int ret;
        struct cfsrvl *service = container_obj(layr);
        if (!cfsrvl_ready(service, &ret))
-                return ret;
+                goto err;
        caif_assert(layr->dn != NULL);
        caif_assert(layr->dn->transmit != NULL);
        if (cfpkt_add_head(pkt, &tmp, 1) < 0) {
                pr_err("Packet is erroneous!\n");
-                return -EPROTO;
+                ret = -EPROTO;
+                goto err;
        }
        /* Add info-> for MUX-layer to route the packet out. */
@@ -96,8 +97,8 @@ static int cfvei_transmit(struct cflayer *layr, struct cfpkt *pkt)
        info->channel_id = service->layer.id;
        info->hdr_len = 1;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0)
+err:
-                cfpkt_extr_head(pkt, &tmp, 1);
+        cfpkt_destroy(pkt);
        return ret;
 }
diff --git a/net/caif/cfvidl.c b/net/caif/cfvidl.c
index bf6fef2a0eff..b2f5989ad455 100644
--- a/net/caif/cfvidl.c
+++ b/net/caif/cfvidl.c
@@ -60,8 +60,5 @@ static int cfvidl_transmit(struct cflayer *layr, struct cfpkt *pkt)
        info = cfpkt_info(pkt);
        info->channel_id = service->layer.id;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0)
-                cfpkt_extr_head(pkt, &videoheader, 4);
-        return ret;
 }
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index 6008d6dc18a0..adbb424403d4 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -20,7 +20,6 @@
 #include <linux/caif/if_caif.h>
 #include <net/rtnetlink.h>
 #include <net/caif/caif_layer.h>
-#include <net/caif/cfcnfg.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/caif_dev.h>
@@ -84,10 +83,11 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
        if (!priv)
                return -EINVAL;
+        skb = (struct sk_buff *) cfpkt_tonative(pkt);
        /* Get length of CAIF packet. */
-        pktlen = cfpkt_getlen(pkt);
+        pktlen = skb->len;
-        skb = (struct sk_buff *) cfpkt_tonative(pkt);
        /* Pass some minimum information and
         * send the packet to the net stack.
         */
@@ -139,20 +139,29 @@ static void close_work(struct work_struct *work)
        struct chnl_net *dev = NULL;
        struct list_head *list_node;
        struct list_head *_tmp;
-        /* May be called with or without RTNL lock held */
-        int islocked = rtnl_is_locked();
+        rtnl_lock();
-        if (!islocked)
-                rtnl_lock();
        list_for_each_safe(list_node, _tmp, &chnl_net_list) {
                dev = list_entry(list_node, struct chnl_net, list_field);
                if (dev->state == CAIF_SHUTDOWN)
                        dev_close(dev->netdev);
        }
-        if (!islocked)
+        rtnl_unlock();
-                rtnl_unlock();
 }
 static DECLARE_WORK(close_worker, close_work);
+static void chnl_hold(struct cflayer *lyr)
+{
+        struct chnl_net *priv = container_of(lyr, struct chnl_net, chnl);
+        dev_hold(priv->netdev);
+}
+static void chnl_put(struct cflayer *lyr)
+{
+        struct chnl_net *priv = container_of(lyr, struct chnl_net, chnl);
+        dev_put(priv->netdev);
+}
 static void chnl_flowctrl_cb(struct cflayer *layr, enum caif_ctrlcmd flow,
                                int phyid)
 {
@@ -190,6 +199,7 @@ static void chnl_flowctrl_cb(struct cflayer *layr, enum caif_ctrlcmd flow,
                netif_wake_queue(priv->netdev);
                break;
        case CAIF_CTRLCMD_INIT_RSP:
+                caif_client_register_refcnt(&priv->chnl, chnl_hold, chnl_put);
                priv->state = CAIF_CONNECTED;
                priv->flowenabled = true;
                netif_wake_queue(priv->netdev);
@@ -257,8 +267,9 @@ static int chnl_net_open(struct net_device *dev)
        if (priv->state != CAIF_CONNECTING) {
                priv->state = CAIF_CONNECTING;
-                result = caif_connect_client(&priv->conn_req, &priv->chnl,
+                result = caif_connect_client(dev_net(dev), &priv->conn_req,
-                                        &llifindex, &headroom, &tailroom);
+                                                &priv->chnl, &llifindex,
+                                                &headroom, &tailroom);
                if (result != 0) {
                                pr_debug("err: "
                                         "Unable to register and open device,"
@@ -314,7 +325,7 @@ static int chnl_net_open(struct net_device *dev)
        if (result == 0) {
                pr_debug("connect timeout\n");
-                caif_disconnect_client(&priv->chnl);
+                caif_disconnect_client(dev_net(dev), &priv->chnl);
                priv->state = CAIF_DISCONNECTED;
                pr_debug("state disconnected\n");
                result = -ETIMEDOUT;
@@ -330,7 +341,7 @@ static int chnl_net_open(struct net_device *dev)
        return 0;
 error:
-        caif_disconnect_client(&priv->chnl);
+        caif_disconnect_client(dev_net(dev), &priv->chnl);
        priv->state = CAIF_DISCONNECTED;
        pr_debug("state disconnected\n");
        return result;
@@ -344,7 +355,7 @@ static int chnl_net_stop(struct net_device *dev)
        ASSERT_RTNL();
        priv = netdev_priv(dev);
        priv->state = CAIF_DISCONNECTED;
-        caif_disconnect_client(&priv->chnl);
+        caif_disconnect_client(dev_net(dev), &priv->chnl);
        return 0;
 }
@@ -373,11 +384,18 @@ static const struct net_device_ops netdev_ops = {
        .ndo_start_xmit = chnl_net_start_xmit,
 };
+static void chnl_net_destructor(struct net_device *dev)
+{
+        struct chnl_net *priv = netdev_priv(dev);
+        caif_free_client(&priv->chnl);
+        free_netdev(dev);
+}
 static void ipcaif_net_setup(struct net_device *dev)
 {
        struct chnl_net *priv;
        dev->netdev_ops = &netdev_ops;
-        dev->destructor = free_netdev;
+        dev->destructor = chnl_net_destructor;
        dev->flags |= IFF_NOARP;
        dev->flags |= IFF_POINTOPOINT;
        dev->mtu = GPRS_PDP_MTU;
@@ -391,7 +409,7 @@ static void ipcaif_net_setup(struct net_device *dev)
        priv->conn_req.link_selector = CAIF_LINK_HIGH_BANDW;
        priv->conn_req.priority = CAIF_PRIO_LOW;
        /* Insert illegal value */
-        priv->conn_req.sockaddr.u.dgm.connection_id = -1;
+        priv->conn_req.sockaddr.u.dgm.connection_id = 0;
        priv->flowenabled = false;
        init_waitqueue_head(&priv->netmgmt_wq);
@@ -453,6 +471,10 @@ static int ipcaif_newlink(struct net *src_net, struct net_device *dev,
                pr_warn("device rtml registration failed\n");
        else
                list_add(&caifdev->list_field, &chnl_net_list);
+        /* Take ifindex as connection-id if null */
+        if (caifdev->conn_req.sockaddr.u.dgm.connection_id == 0)
+                caifdev->conn_req.sockaddr.u.dgm.connection_id = dev->ifindex;
        return ret;
 }
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 733d66f1b05a..094fc5332d42 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -84,8 +84,8 @@ static DEFINE_SPINLOCK(can_rcvlists_lock);
 static struct kmem_cache *rcv_cache __read_mostly;
 /* table of registered CAN protocols */
-static struct can_proto *proto_tab[CAN_NPROTO] __read_mostly;
+static const struct can_proto *proto_tab[CAN_NPROTO] __read_mostly;
-static DEFINE_SPINLOCK(proto_tab_lock);
+static DEFINE_MUTEX(proto_tab_lock);
 struct timer_list can_stattimer;   /* timer for statistics update */
 struct s_stats    can_stats;       /* packet statistics */
@@ -115,11 +115,29 @@ static void can_sock_destruct(struct sock *sk)
        skb_queue_purge(&sk->sk_receive_queue);
 }
+static const struct can_proto *can_get_proto(int protocol)
+{
+        const struct can_proto *cp;
+        rcu_read_lock();
+        cp = rcu_dereference(proto_tab[protocol]);
+        if (cp && !try_module_get(cp->prot->owner))
+                cp = NULL;
+        rcu_read_unlock();
+        return cp;
+}
+static inline void can_put_proto(const struct can_proto *cp)
+{
+        module_put(cp->prot->owner);
+}
 static int can_create(struct net *net, struct socket *sock, int protocol,
                      int kern)
 {
        struct sock *sk;
-        struct can_proto *cp;
+        const struct can_proto *cp;
        int err = 0;
        sock->state = SS_UNCONNECTED;
@@ -130,9 +148,12 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
        if (!net_eq(net, &init_net))
                return -EAFNOSUPPORT;
+        cp = can_get_proto(protocol);
 #ifdef CONFIG_MODULES
-        /* try to load protocol module kernel is modular */
+        if (!cp) {
-        if (!proto_tab[protocol]) {
+                /* try to load protocol module if kernel is modular */
                err = request_module("can-proto-%d", protocol);
                /*
@@ -143,22 +164,18 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
                if (err && printk_ratelimit())
                        printk(KERN_ERR "can: request_module "
                               "(can-proto-%d) failed.\n", protocol);
+                cp = can_get_proto(protocol);
        }
 #endif
-        spin_lock(&proto_tab_lock);
-        cp = proto_tab[protocol];
-        if (cp && !try_module_get(cp->prot->owner))
-                cp = NULL;
-        spin_unlock(&proto_tab_lock);
        /* check for available protocol and correct usage */
        if (!cp)
                return -EPROTONOSUPPORT;
        if (cp->type != sock->type) {
-                err = -EPROTONOSUPPORT;
+                err = -EPROTOTYPE;
                goto errout;
        }
@@ -183,7 +200,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
        }
 errout:
-        module_put(cp->prot->owner);
+        can_put_proto(cp);
        return err;
 }
@@ -679,7 +696,7 @@ drop:
 *  -EBUSY  protocol already in use
 *  -ENOBUF if proto_register() fails
 */
-int can_proto_register(struct can_proto *cp)
+int can_proto_register(const struct can_proto *cp)
 {
        int proto = cp->protocol;
        int err = 0;
@@ -694,15 +711,16 @@ int can_proto_register(struct can_proto *cp)
        if (err < 0)
                return err;
-        spin_lock(&proto_tab_lock);
+        mutex_lock(&proto_tab_lock);
        if (proto_tab[proto]) {
                printk(KERN_ERR "can: protocol %d already registered\n",
                       proto);
                err = -EBUSY;
        } else
-                proto_tab[proto] = cp;
+                rcu_assign_pointer(proto_tab[proto], cp);
-        spin_unlock(&proto_tab_lock);
+        mutex_unlock(&proto_tab_lock);
        if (err < 0)
                proto_unregister(cp->prot);
@@ -715,17 +733,16 @@ EXPORT_SYMBOL(can_proto_register);
 * can_proto_unregister - unregister CAN transport protocol
 * @cp: pointer to CAN protocol structure
 */
-void can_proto_unregister(struct can_proto *cp)
+void can_proto_unregister(const struct can_proto *cp)
 {
        int proto = cp->protocol;
-        spin_lock(&proto_tab_lock);
+        mutex_lock(&proto_tab_lock);
-        if (!proto_tab[proto]) {
+        BUG_ON(proto_tab[proto] != cp);
-                printk(KERN_ERR "BUG: can: protocol %d is not registered\n",
+        rcu_assign_pointer(proto_tab[proto], NULL);
-                       proto);
+        mutex_unlock(&proto_tab_lock);
-        }
-        proto_tab[proto] = NULL;
+        synchronize_rcu();
-        spin_unlock(&proto_tab_lock);
        proto_unregister(cp->prot);
 }
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 8a6a05e7c3c8..184a6572b67e 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -165,9 +165,9 @@ static int bcm_proc_show(struct seq_file *m, void *v)
        struct bcm_sock *bo = bcm_sk(sk);
        struct bcm_op *op;
-        seq_printf(m, ">>> socket %p", sk->sk_socket);
+        seq_printf(m, ">>> socket %pK", sk->sk_socket);
-        seq_printf(m, " / sk %p", sk);
+        seq_printf(m, " / sk %pK", sk);
-        seq_printf(m, " / bo %p", bo);
+        seq_printf(m, " / bo %pK", bo);
        seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
        seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
        seq_printf(m, " <<<\n");
@@ -1601,7 +1601,7 @@ static struct proto bcm_proto __read_mostly = {
        .init       = bcm_init,
 };
-static struct can_proto bcm_can_proto __read_mostly = {
+static const struct can_proto bcm_can_proto = {
        .type       = SOCK_DGRAM,
        .protocol   = CAN_BCM,
        .ops        = &bcm_ops,
diff --git a/net/can/proc.c b/net/can/proc.c
index f4265cc9c3fb..0016f7339699 100644
--- a/net/can/proc.c
+++ b/net/can/proc.c
@@ -204,12 +204,11 @@ static void can_print_rcvlist(struct seq_file *m, struct hlist_head *rx_list,
        hlist_for_each_entry_rcu(r, n, rx_list, list) {
                char *fmt = (r->can_id & CAN_EFF_FLAG)?
-                        "   %-5s  %08X  %08x  %08x  %08x  %8ld  %s\n" :
+                        "   %-5s  %08x  %08x  %pK  %pK  %8ld  %s\n" :
-                        "   %-5s     %03X    %08x  %08lx  %08lx  %8ld  %s\n";
+                        "   %-5s     %03x    %08x  %pK  %pK  %8ld  %s\n";
                seq_printf(m, fmt, DNAME(dev), r->can_id, r->mask,
-                                (unsigned long)r->func, (unsigned long)r->data,
+                                r->func, r->data, r->matches, r->ident);
-                                r->matches, r->ident);
        }
 }
diff --git a/net/can/raw.c b/net/can/raw.c
index 0eb39a7fdf64..dea99a6e596c 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -774,7 +774,7 @@ static struct proto raw_proto __read_mostly = {
        .init       = raw_init,
 };
-static struct can_proto raw_can_proto __read_mostly = {
+static const struct can_proto raw_can_proto = {
        .type       = SOCK_RAW,
        .protocol   = CAN_RAW,
        .ops        = &raw_ops,
diff --git a/net/compat.c b/net/compat.c
index 3649d5895361..c578d9382e19 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -722,11 +722,11 @@ EXPORT_SYMBOL(compat_mc_getsockopt);
 /* Argument list sizes for compat_sys_socketcall */
 #define AL(x) ((x) * sizeof(u32))
-static unsigned char nas[20] = {
+static unsigned char nas[21] = {
        AL(0), AL(3), AL(3), AL(3), AL(2), AL(3),
        AL(3), AL(3), AL(4), AL(4), AL(4), AL(6),
        AL(6), AL(2), AL(5), AL(5), AL(3), AL(3),
-        AL(4), AL(5)
+        AL(4), AL(5), AL(4)
 };
 #undef AL
@@ -735,6 +735,13 @@ asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, uns
        return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
+asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+                                    unsigned vlen, unsigned int flags)
+{
+        return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+                              flags | MSG_CMSG_COMPAT);
+}
 asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
        return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
@@ -780,7 +787,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
        u32 a[6];
        u32 a0, a1;
-        if (call < SYS_SOCKET || call > SYS_RECVMMSG)
+        if (call < SYS_SOCKET || call > SYS_SENDMMSG)
                return -EINVAL;
        if (copy_from_user(a, args, nas[call]))
                return -EFAULT;
@@ -839,6 +846,9 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
        case SYS_SENDMSG:
                ret = compat_sys_sendmsg(a0, compat_ptr(a1), a[2]);
                break;
+        case SYS_SENDMMSG:
+                ret = compat_sys_sendmmsg(a0, compat_ptr(a1), a[2], a[3]);
+                break;
        case SYS_RECVMSG:
                ret = compat_sys_recvmsg(a0, compat_ptr(a1), a[2]);
                break;
diff --git a/net/core/dev.c b/net/core/dev.c
index b624fe4d9bd7..9c58c1ec41a9 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -948,7 +948,7 @@ int dev_alloc_name(struct net_device *dev, const char *name)
 }
 EXPORT_SYMBOL(dev_alloc_name);
-static int dev_get_valid_name(struct net_device *dev, const char *name, bool fmt)
+static int dev_get_valid_name(struct net_device *dev, const char *name)
 {
        struct net *net;
@@ -958,7 +958,7 @@ static int dev_get_valid_name(struct net_device *dev, const char *name, bool fmt
        if (!dev_valid_name(name))
                return -EINVAL;
-        if (fmt && strchr(name, '%'))
+        if (strchr(name, '%'))
                return dev_alloc_name(dev, name);
        else if (__dev_get_by_name(net, name))
                return -EEXIST;
@@ -995,7 +995,7 @@ int dev_change_name(struct net_device *dev, const char *newname)
        memcpy(oldname, dev->name, IFNAMSIZ);
-        err = dev_get_valid_name(dev, newname, 1);
+        err = dev_get_valid_name(dev, newname);
        if (err < 0)
                return err;
@@ -1007,7 +1007,7 @@ rollback:
        }
        write_lock_bh(&dev_base_lock);
-        hlist_del(&dev->name_hlist);
+        hlist_del_rcu(&dev->name_hlist);
        write_unlock_bh(&dev_base_lock);
        synchronize_rcu();
@@ -1308,6 +1308,13 @@ void dev_disable_lro(struct net_device *dev)
 {
        u32 flags;
+        /*
+         * If we're trying to disable lro on a vlan device
+         * use the underlying physical device instead
+         */
+        if (is_vlan_dev(dev))
+                dev = vlan_dev_real_dev(dev);
        if (dev->ethtool_ops && dev->ethtool_ops->get_flags)
                flags = dev->ethtool_ops->get_flags(dev);
        else
@@ -1317,7 +1324,8 @@ void dev_disable_lro(struct net_device *dev)
                return;
        __ethtool_set_flags(dev, flags & ~ETH_FLAG_LRO);
-        WARN_ON(dev->features & NETIF_F_LRO);
+        if (unlikely(dev->features & NETIF_F_LRO))
+                netdev_WARN(dev, "failed to disable LRO!\n");
 }
 EXPORT_SYMBOL(dev_disable_lro);
@@ -2088,6 +2096,7 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
 {
        const struct net_device_ops *ops = dev->netdev_ops;
        int rc = NETDEV_TX_OK;
+        unsigned int skb_len;
        if (likely(!skb->next)) {
                u32 features;
@@ -2138,8 +2147,9 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
                        }
                }
+                skb_len = skb->len;
                rc = ops->ndo_start_xmit(skb, dev);
-                trace_net_dev_xmit(skb, rc);
+                trace_net_dev_xmit(skb, rc, dev, skb_len);
                if (rc == NETDEV_TX_OK)
                        txq_trans_update(txq);
                return rc;
@@ -2159,8 +2169,9 @@ gso:
                if (dev->priv_flags & IFF_XMIT_DST_RELEASE)
                        skb_dst_drop(nskb);
+                skb_len = nskb->len;
                rc = ops->ndo_start_xmit(nskb, dev);
-                trace_net_dev_xmit(nskb, rc);
+                trace_net_dev_xmit(nskb, rc, dev, skb_len);
                if (unlikely(rc != NETDEV_TX_OK)) {
                        if (rc & ~NETDEV_TX_MASK)
                                goto out_kfree_gso_skb;
@@ -2504,8 +2515,8 @@ static inline void ____napi_schedule(struct softnet_data *sd,
 __u32 __skb_get_rxhash(struct sk_buff *skb)
 {
        int nhoff, hash = 0, poff;
-        struct ipv6hdr *ip6;
+        const struct ipv6hdr *ip6;
-        struct iphdr *ip;
+        const struct iphdr *ip;
        u8 ip_proto;
        u32 addr1, addr2, ihl;
        union {
@@ -2520,7 +2531,7 @@ __u32 __skb_get_rxhash(struct sk_buff *skb)
                if (!pskb_may_pull(skb, sizeof(*ip) + nhoff))
                        goto done;
-                ip = (struct iphdr *) (skb->data + nhoff);
+                ip = (const struct iphdr *) (skb->data + nhoff);
                if (ip->frag_off & htons(IP_MF | IP_OFFSET))
                        ip_proto = 0;
                else
@@ -2533,7 +2544,7 @@ __u32 __skb_get_rxhash(struct sk_buff *skb)
                if (!pskb_may_pull(skb, sizeof(*ip6) + nhoff))
                        goto done;
-                ip6 = (struct ipv6hdr *) (skb->data + nhoff);
+                ip6 = (const struct ipv6hdr *) (skb->data + nhoff);
                ip_proto = ip6->nexthdr;
                addr1 = (__force u32) ip6->saddr.s6_addr32[3];
                addr2 = (__force u32) ip6->daddr.s6_addr32[3];
@@ -3078,25 +3089,6 @@ void netdev_rx_handler_unregister(struct net_device *dev)
 }
 EXPORT_SYMBOL_GPL(netdev_rx_handler_unregister);
-static void vlan_on_bond_hook(struct sk_buff *skb)
-{
-        /*
-         * Make sure ARP frames received on VLAN interfaces stacked on
-         * bonding interfaces still make their way to any base bonding
-         * device that may have registered for a specific ptype.
-         */
-        if (skb->dev->priv_flags & IFF_802_1Q_VLAN &&
-            vlan_dev_real_dev(skb->dev)->priv_flags & IFF_BONDING &&
-            skb->protocol == htons(ETH_P_ARP)) {
-                struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
-                if (!skb2)
-                        return;
-                skb2->dev = vlan_dev_real_dev(skb->dev);
-                netif_rx(skb2);
-        }
-}
 static int __netif_receive_skb(struct sk_buff *skb)
 {
        struct packet_type *ptype, *pt_prev;
@@ -3122,7 +3114,7 @@ static int __netif_receive_skb(struct sk_buff *skb)
        skb_reset_network_header(skb);
        skb_reset_transport_header(skb);
-        skb->mac_len = skb->network_header - skb->mac_header;
+        skb_reset_mac_len(skb);
        pt_prev = NULL;
@@ -3132,6 +3124,12 @@ another_round:
        __this_cpu_inc(softnet_data.processed);
+        if (skb->protocol == cpu_to_be16(ETH_P_8021Q)) {
+                skb = vlan_untag(skb);
+                if (unlikely(!skb))
+                        goto out;
+        }
 #ifdef CONFIG_NET_CLS_ACT
        if (skb->tc_verd & TC_NCLS) {
                skb->tc_verd = CLR_TC_NCLS(skb->tc_verd);
@@ -3179,15 +3177,13 @@ ncls:
                        ret = deliver_skb(skb, pt_prev, orig_dev);
                        pt_prev = NULL;
                }
-                if (vlan_hwaccel_do_receive(&skb)) {
+                if (vlan_do_receive(&skb)) {
                        ret = __netif_receive_skb(skb);
                        goto out;
                } else if (unlikely(!skb))
                        goto out;
        }
-        vlan_on_bond_hook(skb);
        /* deliver only exact match when indicated */
        null_or_dev = deliver_exact ? skb->dev : NULL;
@@ -4308,10 +4304,8 @@ int netdev_set_master(struct net_device *slave, struct net_device *master)
        slave->master = master;
-        if (old) {
+        if (old)
-                synchronize_net();
                dev_put(old);
-        }
        return 0;
 }
 EXPORT_SYMBOL(netdev_set_master);
@@ -4512,6 +4506,30 @@ void dev_set_rx_mode(struct net_device *dev)
 }
 /**
+ *      dev_ethtool_get_settings - call device's ethtool_ops::get_settings()
+ *      @dev: device
+ *      @cmd: memory area for ethtool_ops::get_settings() result
+ *
+ *      The cmd arg is initialized properly (cleared and
+ *      ethtool_cmd::cmd field set to ETHTOOL_GSET).
+ *
+ *      Return device's ethtool_ops::get_settings() result value or
+ *      -EOPNOTSUPP when device doesn't expose
+ *      ethtool_ops::get_settings() operation.
+ */
+int dev_ethtool_get_settings(struct net_device *dev,
+                             struct ethtool_cmd *cmd)
+{
+        if (!dev->ethtool_ops || !dev->ethtool_ops->get_settings)
+                return -EOPNOTSUPP;
+        memset(cmd, 0, sizeof(struct ethtool_cmd));
+        cmd->cmd = ETHTOOL_GSET;
+        return dev->ethtool_ops->get_settings(dev, cmd);
+}
+EXPORT_SYMBOL(dev_ethtool_get_settings);
+/**
 *      dev_get_flags - get flags reported to userspace
 *      @dev: device
 *
@@ -5116,7 +5134,7 @@ static void rollback_registered_many(struct list_head *head)
                        list_del(&dev->unreg_list);
                        continue;
                }
+                dev->dismantle = true;
                BUG_ON(dev->reg_state != NETREG_REGISTERED);
        }
@@ -5242,11 +5260,13 @@ u32 netdev_fix_features(struct net_device *dev, u32 features)
 }
 EXPORT_SYMBOL(netdev_fix_features);
-void netdev_update_features(struct net_device *dev)
+int __netdev_update_features(struct net_device *dev)
 {
        u32 features;
        int err = 0;
+        ASSERT_RTNL();
        features = netdev_get_wanted_features(dev);
        if (dev->netdev_ops->ndo_fix_features)
@@ -5256,24 +5276,60 @@ void netdev_update_features(struct net_device *dev)
        features = netdev_fix_features(dev, features);
        if (dev->features == features)
-                return;
+                return 0;
-        netdev_info(dev, "Features changed: 0x%08x -> 0x%08x\n",
+        netdev_dbg(dev, "Features changed: 0x%08x -> 0x%08x\n",
                dev->features, features);
        if (dev->netdev_ops->ndo_set_features)
                err = dev->netdev_ops->ndo_set_features(dev, features);
-        if (!err)
+        if (unlikely(err < 0)) {
-                dev->features = features;
-        else if (err < 0)
                netdev_err(dev,
                        "set_features() failed (%d); wanted 0x%08x, left 0x%08x\n",
                        err, features, dev->features);
+                return -1;
+        }
+        if (!err)
+                dev->features = features;
+        return 1;
+}
+/**
+ *      netdev_update_features - recalculate device features
+ *      @dev: the device to check
+ *
+ *      Recalculate dev->features set and send notifications if it
+ *      has changed. Should be called after driver or hardware dependent
+ *      conditions might have changed that influence the features.
+ */
+void netdev_update_features(struct net_device *dev)
+{
+        if (__netdev_update_features(dev))
+                netdev_features_change(dev);
 }
 EXPORT_SYMBOL(netdev_update_features);
 /**
+ *      netdev_change_features - recalculate device features
+ *      @dev: the device to check
+ *
+ *      Recalculate dev->features set and send notifications even
+ *      if they have not changed. Should be called instead of
+ *      netdev_update_features() if also dev->vlan_features might
+ *      have changed to allow the changes to be propagated to stacked
+ *      VLAN devices.
+ */
+void netdev_change_features(struct net_device *dev)
+{
+        __netdev_update_features(dev);
+        netdev_features_change(dev);
+}
+EXPORT_SYMBOL(netdev_change_features);
+/**
 *      netif_stacked_transfer_operstate -      transfer operstate
 *      @rootdev: the root or lower level device to transfer state from
 *      @dev: the device to transfer operstate to
@@ -5389,6 +5445,10 @@ int register_netdevice(struct net_device *dev)
        dev->iflink = -1;
+        ret = dev_get_valid_name(dev, dev->name);
+        if (ret < 0)
+                goto out;
        /* Init, if this function is available */
        if (dev->netdev_ops->ndo_init) {
                ret = dev->netdev_ops->ndo_init(dev);
@@ -5399,10 +5459,6 @@ int register_netdevice(struct net_device *dev)
                }
        }
-        ret = dev_get_valid_name(dev, dev->name, 0);
-        if (ret)
-                goto err_uninit;
        dev->ifindex = dev_new_index(net);
        if (dev->iflink == -1)
                dev->iflink = dev->ifindex;
@@ -5414,6 +5470,14 @@ int register_netdevice(struct net_device *dev)
        dev->features |= NETIF_F_SOFT_FEATURES;
        dev->wanted_features = dev->features & dev->hw_features;
+        /* Turn on no cache copy if HW is doing checksum */
+        dev->hw_features |= NETIF_F_NOCACHE_COPY;
+        if ((dev->features & NETIF_F_ALL_CSUM) &&
+            !(dev->features & NETIF_F_NO_CSUM)) {
+                dev->wanted_features |= NETIF_F_NOCACHE_COPY;
+                dev->features |= NETIF_F_NOCACHE_COPY;
+        }
        /* Enable GRO and NETIF_F_HIGHDMA for vlans by default,
         * vlan_dev_init() will do the dev->features check, so these features
         * are enabled only if supported by underlying device.
@@ -5430,7 +5494,7 @@ int register_netdevice(struct net_device *dev)
                goto err_uninit;
        dev->reg_state = NETREG_REGISTERED;
-        netdev_update_features(dev);
+        __netdev_update_features(dev);
        /*
         *      Default initial state at registry is that the
@@ -5527,19 +5591,7 @@ int register_netdev(struct net_device *dev)
        int err;
        rtnl_lock();
-        /*
-         * If the name is a format string the caller wants us to do a
-         * name allocation.
-         */
-        if (strchr(dev->name, '%')) {
-                err = dev_alloc_name(dev, dev->name);
-                if (err < 0)
-                        goto out;
-        }
        err = register_netdevice(dev);
-out:
        rtnl_unlock();
        return err;
 }
@@ -5912,7 +5964,10 @@ EXPORT_SYMBOL(free_netdev);
 void synchronize_net(void)
 {
        might_sleep();
-        synchronize_rcu();
+        if (rtnl_is_locked())
+                synchronize_rcu_expedited();
+        else
+                synchronize_rcu();
 }
 EXPORT_SYMBOL(synchronize_net);
@@ -6021,7 +6076,7 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
                /* We get here if we can't use the current device name */
                if (!pat)
                        goto out;
-                if (dev_get_valid_name(dev, pat, 1))
+                if (dev_get_valid_name(dev, pat) < 0)
                        goto out;
        }
@@ -6123,6 +6178,11 @@ static int dev_cpu_callback(struct notifier_block *nfb,
                oldsd->output_queue = NULL;
                oldsd->output_queue_tailp = &oldsd->output_queue;
        }
+        /* Append NAPI poll list from offline CPU. */
+        if (!list_empty(&oldsd->poll_list)) {
+                list_splice_init(&oldsd->poll_list, &sd->poll_list);
+                raise_softirq_irqoff(NET_RX_SOFTIRQ);
+        }
        raise_softirq_irqoff(NET_TX_SOFTIRQ);
        local_irq_enable();
@@ -6153,29 +6213,20 @@ static int dev_cpu_callback(struct notifier_block *nfb,
 */
 u32 netdev_increment_features(u32 all, u32 one, u32 mask)
 {
-        /* If device needs checksumming, downgrade to it. */
+        if (mask & NETIF_F_GEN_CSUM)
-        if (all & NETIF_F_NO_CSUM && !(one & NETIF_F_NO_CSUM))
+                mask |= NETIF_F_ALL_CSUM;
-                all ^= NETIF_F_NO_CSUM | (one & NETIF_F_ALL_CSUM);
+        mask |= NETIF_F_VLAN_CHALLENGED;
-        else if (mask & NETIF_F_ALL_CSUM) {
-                /* If one device supports v4/v6 checksumming, set for all. */
-                if (one & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM) &&
-                    !(all & NETIF_F_GEN_CSUM)) {
-                        all &= ~NETIF_F_ALL_CSUM;
-                        all |= one & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM);
-                }
-                /* If one device supports hw checksumming, set for all. */
+        all |= one & (NETIF_F_ONE_FOR_ALL|NETIF_F_ALL_CSUM) & mask;
-                if (one & NETIF_F_GEN_CSUM && !(all & NETIF_F_GEN_CSUM)) {
+        all &= one | ~NETIF_F_ALL_FOR_ALL;
-                        all &= ~NETIF_F_ALL_CSUM;
-                        all |= NETIF_F_HW_CSUM;
-                }
-        }
-        one |= NETIF_F_ALL_CSUM;
+        /* If device needs checksumming, downgrade to it. */
+        if (all & (NETIF_F_ALL_CSUM & ~NETIF_F_NO_CSUM))
+                all &= ~NETIF_F_NO_CSUM;
-        one |= all & NETIF_F_ONE_FOR_ALL;
+        /* If one device supports hw checksumming, set for all. */
-        all &= one | NETIF_F_LLTX | NETIF_F_GSO | NETIF_F_UFO;
+        if (all & NETIF_F_GEN_CSUM)
-        all |= one & mask & NETIF_F_ONE_FOR_ALL;
+                all &= ~(NETIF_F_ALL_CSUM & ~NETIF_F_GEN_CSUM);
        return all;
 }
@@ -6218,29 +6269,23 @@ err_name:
 /**
 *      netdev_drivername - network driver for the device
 *      @dev: network device
- *      @buffer: buffer for resulting name
- *      @len: size of buffer
 *
 *      Determine network driver for device.
 */
-char *netdev_drivername(const struct net_device *dev, char *buffer, int len)
+const char *netdev_drivername(const struct net_device *dev)
 {
        const struct device_driver *driver;
        const struct device *parent;
+        const char *empty = "";
-        if (len <= 0 || !buffer)
-                return buffer;
-        buffer[0] = 0;
        parent = dev->dev.parent;
        if (!parent)
-                return buffer;
+                return empty;
        driver = parent->driver;
        if (driver && driver->name)
-                strlcpy(buffer, driver->name, len);
+                return driver->name;
-        return buffer;
+        return empty;
 }
 static int __netdev_printk(const char *level, const struct net_device *dev,
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index 7b39f3ed2fda..e2e66939ed00 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -68,14 +68,6 @@ static int __hw_addr_add(struct netdev_hw_addr_list *list, unsigned char *addr,
        return __hw_addr_add_ex(list, addr, addr_len, addr_type, false);
 }
-static void ha_rcu_free(struct rcu_head *head)
-{
-        struct netdev_hw_addr *ha;
-        ha = container_of(head, struct netdev_hw_addr, rcu_head);
-        kfree(ha);
-}
 static int __hw_addr_del_ex(struct netdev_hw_addr_list *list,
                            unsigned char *addr, int addr_len,
                            unsigned char addr_type, bool global)
@@ -94,7 +86,7 @@ static int __hw_addr_del_ex(struct netdev_hw_addr_list *list,
                        if (--ha->refcount)
                                return 0;
                        list_del_rcu(&ha->list);
-                        call_rcu(&ha->rcu_head, ha_rcu_free);
+                        kfree_rcu(ha, rcu_head);
                        list->count--;
                        return 0;
                }
@@ -197,7 +189,7 @@ void __hw_addr_flush(struct netdev_hw_addr_list *list)
        list_for_each_entry_safe(ha, tmp, &list->list, list) {
                list_del_rcu(&ha->list);
-                call_rcu(&ha->rcu_head, ha_rcu_free);
+                kfree_rcu(ha, rcu_head);
        }
        list->count = 0;
 }
diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index 706502ff64aa..7f36b38e060f 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -207,14 +207,6 @@ static void trace_napi_poll_hit(void *ignore, struct napi_struct *napi)
        rcu_read_unlock();
 }
-static void free_dm_hw_stat(struct rcu_head *head)
-{
-        struct dm_hw_stat_delta *n;
-        n = container_of(head, struct dm_hw_stat_delta, rcu);
-        kfree(n);
-}
 static int set_all_monitor_traces(int state)
 {
        int rc = 0;
@@ -245,7 +237,7 @@ static int set_all_monitor_traces(int state)
                list_for_each_entry_safe(new_stat, temp, &hw_stats_list, list) {
                        if (new_stat->dev == NULL) {
                                list_del_rcu(&new_stat->list);
-                                call_rcu(&new_stat->rcu, free_dm_hw_stat);
+                                kfree_rcu(new_stat, rcu);
                        }
                }
                break;
@@ -314,7 +306,7 @@ static int dropmon_net_event(struct notifier_block *ev_block,
                                new_stat->dev = NULL;
                                if (trace_state == TRACE_OFF) {
                                        list_del_rcu(&new_stat->list);
-                                        call_rcu(&new_stat->rcu, free_dm_hw_stat);
+                                        kfree_rcu(new_stat, rcu);
                                        break;
                                }
                        }
diff --git a/net/core/dst.c b/net/core/dst.c
index 91104d35de7d..6135f3671692 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -19,6 +19,7 @@
 #include <linux/types.h>
 #include <net/net_namespace.h>
 #include <linux/sched.h>
+#include <linux/prefetch.h>
 #include <net/dst.h>
@@ -33,9 +34,6 @@
 * 3) This list is guarded by a mutex,
 *    so that the gc_task and dst_dev_event() can be synchronized.
 */
-#if RT_CACHE_DEBUG >= 2
-static atomic_t                  dst_total = ATOMIC_INIT(0);
-#endif
 /*
 * We want to keep lock & list close together
@@ -69,10 +67,6 @@ static void dst_gc_task(struct work_struct *work)
        unsigned long expires = ~0L;
        struct dst_entry *dst, *next, head;
        struct dst_entry *last = &head;
-#if RT_CACHE_DEBUG >= 2
-        ktime_t time_start = ktime_get();
-        struct timespec elapsed;
-#endif
        mutex_lock(&dst_gc_mutex);
        next = dst_busy_list;
@@ -146,15 +140,6 @@ loop:
        spin_unlock_bh(&dst_garbage.lock);
        mutex_unlock(&dst_gc_mutex);
-#if RT_CACHE_DEBUG >= 2
-        elapsed = ktime_to_timespec(ktime_sub(ktime_get(), time_start));
-        printk(KERN_DEBUG "dst_total: %d delayed: %d work_perf: %d"
-                " expires: %lu elapsed: %lu us\n",
-                atomic_read(&dst_total), delayed, work_performed,
-                expires,
-                elapsed.tv_sec * USEC_PER_SEC +
-                  elapsed.tv_nsec / NSEC_PER_USEC);
-#endif
 }
 int dst_discard(struct sk_buff *skb)
@@ -166,7 +151,8 @@ EXPORT_SYMBOL(dst_discard);
 const u32 dst_default_metrics[RTAX_MAX];
-void *dst_alloc(struct dst_ops *ops, int initial_ref)
+void *dst_alloc(struct dst_ops *ops, struct net_device *dev,
+                int initial_ref, int initial_obsolete, int flags)
 {
        struct dst_entry *dst;
@@ -174,19 +160,38 @@ void *dst_alloc(struct dst_ops *ops, int initial_ref)
                if (ops->gc(ops))
                        return NULL;
        }
-        dst = kmem_cache_zalloc(ops->kmem_cachep, GFP_ATOMIC);
+        dst = kmem_cache_alloc(ops->kmem_cachep, GFP_ATOMIC);
        if (!dst)
                return NULL;
-        atomic_set(&dst->__refcnt, initial_ref);
+        dst->child = NULL;
+        dst->dev = dev;
+        if (dev)
+                dev_hold(dev);
        dst->ops = ops;
-        dst->lastuse = jiffies;
-        dst->path = dst;
-        dst->input = dst->output = dst_discard;
        dst_init_metrics(dst, dst_default_metrics, true);
-#if RT_CACHE_DEBUG >= 2
+        dst->expires = 0UL;
-        atomic_inc(&dst_total);
+        dst->path = dst;
+        dst->neighbour = NULL;
+        dst->hh = NULL;
+#ifdef CONFIG_XFRM
+        dst->xfrm = NULL;
+#endif
+        dst->input = dst_discard;
+        dst->output = dst_discard;
+        dst->error = 0;
+        dst->obsolete = initial_obsolete;
+        dst->header_len = 0;
+        dst->trailer_len = 0;
+#ifdef CONFIG_IP_ROUTE_CLASSID
+        dst->tclassid = 0;
 #endif
-        dst_entries_add(ops, 1);
+        atomic_set(&dst->__refcnt, initial_ref);
+        dst->__use = 0;
+        dst->lastuse = jiffies;
+        dst->flags = flags;
+        dst->next = NULL;
+        if (!(flags & DST_NOCOUNT))
+                dst_entries_add(ops, 1);
        return dst;
 }
 EXPORT_SYMBOL(dst_alloc);
@@ -239,15 +244,13 @@ again:
                neigh_release(neigh);
        }
-        dst_entries_add(dst->ops, -1);
+        if (!(dst->flags & DST_NOCOUNT))
+                dst_entries_add(dst->ops, -1);
        if (dst->ops->destroy)
                dst->ops->destroy(dst);
        if (dst->dev)
                dev_put(dst->dev);
-#if RT_CACHE_DEBUG >= 2
-        atomic_dec(&dst_total);
-#endif
        kmem_cache_free(dst->ops->kmem_cachep, dst);
        dst = child;
@@ -314,7 +317,7 @@ void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old)
 {
        unsigned long prev, new;
-        new = (unsigned long) dst_default_metrics;
+        new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY;
        prev = cmpxchg(&dst->_metrics, old, new);
        if (prev == old)
                kfree(__DST_METRICS_PTR(old));
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 74ead9eca126..fd14116ad7f0 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -21,6 +21,8 @@
 #include <linux/uaccess.h>
 #include <linux/vmalloc.h>
 #include <linux/slab.h>
+#include <linux/rtnetlink.h>
+#include <linux/sched.h>
 /*
 * Some useful ethtool_ops methods that're device independent.
@@ -231,6 +233,29 @@ static int ethtool_set_feature_compat(struct net_device *dev,
        return 1;
 }
+static int ethtool_set_flags_compat(struct net_device *dev,
+        int (*legacy_set)(struct net_device *, u32),
+        struct ethtool_set_features_block *features, u32 mask)
+{
+        u32 value;
+        if (!legacy_set)
+                return 0;
+        if (!(features[0].valid & mask))
+                return 0;
+        value = dev->features & ~features[0].valid;
+        value |= features[0].requested;
+        features[0].valid &= ~mask;
+        if (legacy_set(dev, value & mask) < 0)
+                netdev_info(dev, "Legacy flags change failed\n");
+        return 1;
+}
 static int ethtool_set_features_compat(struct net_device *dev,
        struct ethtool_set_features_block *features)
 {
@@ -247,7 +272,7 @@ static int ethtool_set_features_compat(struct net_device *dev,
                features, NETIF_F_ALL_TSO);
        compat |= ethtool_set_feature_compat(dev, dev->ethtool_ops->set_rx_csum,
                features, NETIF_F_RXCSUM);
-        compat |= ethtool_set_feature_compat(dev, dev->ethtool_ops->set_flags,
+        compat |= ethtool_set_flags_compat(dev, dev->ethtool_ops->set_flags,
                features, flags_dup_features);
        return compat;
@@ -317,7 +342,7 @@ static int ethtool_set_features(struct net_device *dev, void __user *useraddr)
        dev->wanted_features &= ~features[0].valid;
        dev->wanted_features |= features[0].valid & features[0].requested;
-        netdev_update_features(dev);
+        __netdev_update_features(dev);
        if ((dev->wanted_features ^ dev->features) & features[0].valid)
                ret |= ETHTOOL_F_WISH;
@@ -330,7 +355,7 @@ static const char netdev_features_strings[ETHTOOL_DEV_FEATURE_WORDS * 32][ETH_GS
        /* NETIF_F_IP_CSUM */         "tx-checksum-ipv4",
        /* NETIF_F_NO_CSUM */         "tx-checksum-unneeded",
        /* NETIF_F_HW_CSUM */         "tx-checksum-ip-generic",
-        /* NETIF_F_IPV6_CSUM */       "tx_checksum-ipv6",
+        /* NETIF_F_IPV6_CSUM */       "tx-checksum-ipv6",
        /* NETIF_F_HIGHDMA */         "highdma",
        /* NETIF_F_FRAGLIST */        "tx-scatter-gather-fraglist",
        /* NETIF_F_HW_VLAN_TX */      "tx-vlan-hw-insert",
@@ -359,8 +384,8 @@ static const char netdev_features_strings[ETHTOOL_DEV_FEATURE_WORDS * 32][ETH_GS
        /* NETIF_F_NTUPLE */          "rx-ntuple-filter",
        /* NETIF_F_RXHASH */          "rx-hashing",
        /* NETIF_F_RXCSUM */          "rx-checksum",
-        "",
+        /* NETIF_F_NOCACHE_COPY */    "tx-nocache-copy",
-        "",
+        /* NETIF_F_LOOPBACK */        "loopback",
 };
 static int __ethtool_get_sset_count(struct net_device *dev, int sset)
@@ -499,7 +524,7 @@ static int ethtool_set_one_feature(struct net_device *dev,
                else
                        dev->wanted_features &= ~mask;
-                netdev_update_features(dev);
+                __netdev_update_features(dev);
                return 0;
        }
@@ -544,14 +569,14 @@ int __ethtool_set_flags(struct net_device *dev, u32 data)
        }
        /* allow changing only bits set in hw_features */
-        changed = (data ^ dev->wanted_features) & flags_dup_features;
+        changed = (data ^ dev->features) & flags_dup_features;
        if (changed & ~dev->hw_features)
                return (changed & dev->hw_features) ? -EINVAL : -EOPNOTSUPP;
        dev->wanted_features =
-                (dev->wanted_features & ~changed) | data;
+                (dev->wanted_features & ~changed) | (data & dev->hw_features);
-        netdev_update_features(dev);
+        __netdev_update_features(dev);
        return 0;
 }
@@ -908,6 +933,9 @@ static noinline_for_stack int ethtool_set_rx_ntuple(struct net_device *dev,
        struct ethtool_rx_ntuple_flow_spec_container *fsc = NULL;
        int ret;
+        if (!ops->set_rx_ntuple)
+                return -EOPNOTSUPP;
        if (!(dev->features & NETIF_F_NTUPLE))
                return -EINVAL;
@@ -1441,6 +1469,35 @@ static int ethtool_set_ringparam(struct net_device *dev, void __user *useraddr)
        return dev->ethtool_ops->set_ringparam(dev, &ringparam);
 }
+static noinline_for_stack int ethtool_get_channels(struct net_device *dev,
+                                                   void __user *useraddr)
+{
+        struct ethtool_channels channels = { .cmd = ETHTOOL_GCHANNELS };
+        if (!dev->ethtool_ops->get_channels)
+                return -EOPNOTSUPP;
+        dev->ethtool_ops->get_channels(dev, &channels);
+        if (copy_to_user(useraddr, &channels, sizeof(channels)))
+                return -EFAULT;
+        return 0;
+}
+static noinline_for_stack int ethtool_set_channels(struct net_device *dev,
+                                                   void __user *useraddr)
+{
+        struct ethtool_channels channels;
+        if (!dev->ethtool_ops->set_channels)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&channels, useraddr, sizeof(channels)))
+                return -EFAULT;
+        return dev->ethtool_ops->set_channels(dev, &channels);
+}
 static int ethtool_get_pauseparam(struct net_device *dev, void __user *useraddr)
 {
        struct ethtool_pauseparam pauseparam = { ETHTOOL_GPAUSEPARAM };
@@ -1618,14 +1675,60 @@ out:
 static int ethtool_phys_id(struct net_device *dev, void __user *useraddr)
 {
        struct ethtool_value id;
+        static bool busy;
+        int rc;
-        if (!dev->ethtool_ops->phys_id)
+        if (!dev->ethtool_ops->set_phys_id)
                return -EOPNOTSUPP;
+        if (busy)
+                return -EBUSY;
        if (copy_from_user(&id, useraddr, sizeof(id)))
                return -EFAULT;
-        return dev->ethtool_ops->phys_id(dev, id.data);
+        rc = dev->ethtool_ops->set_phys_id(dev, ETHTOOL_ID_ACTIVE);
+        if (rc < 0)
+                return rc;
+        /* Drop the RTNL lock while waiting, but prevent reentry or
+         * removal of the device.
+         */
+        busy = true;
+        dev_hold(dev);
+        rtnl_unlock();
+        if (rc == 0) {
+                /* Driver will handle this itself */
+                schedule_timeout_interruptible(
+                        id.data ? (id.data * HZ) : MAX_SCHEDULE_TIMEOUT);
+        } else {
+                /* Driver expects to be called at twice the frequency in rc */
+                int n = rc * 2, i, interval = HZ / n;
+                /* Count down seconds */
+                do {
+                        /* Count down iterations per second */
+                        i = n;
+                        do {
+                                rtnl_lock();
+                                rc = dev->ethtool_ops->set_phys_id(dev,
+                                    (i & 1) ? ETHTOOL_ID_OFF : ETHTOOL_ID_ON);
+                                rtnl_unlock();
+                                if (rc)
+                                        break;
+                                schedule_timeout_interruptible(interval);
+                        } while (!signal_pending(current) && --i != 0);
+                } while (!signal_pending(current) &&
+                         (id.data == 0 || --id.data != 0));
+        }
+        rtnl_lock();
+        dev_put(dev);
+        busy = false;
+        (void)dev->ethtool_ops->set_phys_id(dev, ETHTOOL_ID_INACTIVE);
+        return rc;
 }
 static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
@@ -1743,6 +1846,87 @@ static noinline_for_stack int ethtool_flash_device(struct net_device *dev,
        return dev->ethtool_ops->flash_device(dev, &efl);
 }
+static int ethtool_set_dump(struct net_device *dev,
+                        void __user *useraddr)
+{
+        struct ethtool_dump dump;
+        if (!dev->ethtool_ops->set_dump)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&dump, useraddr, sizeof(dump)))
+                return -EFAULT;
+        return dev->ethtool_ops->set_dump(dev, &dump);
+}
+static int ethtool_get_dump_flag(struct net_device *dev,
+                                void __user *useraddr)
+{
+        int ret;
+        struct ethtool_dump dump;
+        const struct ethtool_ops *ops = dev->ethtool_ops;
+        if (!dev->ethtool_ops->get_dump_flag)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&dump, useraddr, sizeof(dump)))
+                return -EFAULT;
+        ret = ops->get_dump_flag(dev, &dump);
+        if (ret)
+                return ret;
+        if (copy_to_user(useraddr, &dump, sizeof(dump)))
+                return -EFAULT;
+        return 0;
+}
+static int ethtool_get_dump_data(struct net_device *dev,
+                                void __user *useraddr)
+{
+        int ret;
+        __u32 len;
+        struct ethtool_dump dump, tmp;
+        const struct ethtool_ops *ops = dev->ethtool_ops;
+        void *data = NULL;
+        if (!dev->ethtool_ops->get_dump_data ||
+                !dev->ethtool_ops->get_dump_flag)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&dump, useraddr, sizeof(dump)))
+                return -EFAULT;
+        memset(&tmp, 0, sizeof(tmp));
+        tmp.cmd = ETHTOOL_GET_DUMP_FLAG;
+        ret = ops->get_dump_flag(dev, &tmp);
+        if (ret)
+                return ret;
+        len = (tmp.len > dump.len) ? dump.len : tmp.len;
+        if (!len)
+                return -EFAULT;
+        data = vzalloc(tmp.len);
+        if (!data)
+                return -ENOMEM;
+        ret = ops->get_dump_data(dev, &dump, data);
+        if (ret)
+                goto out;
+        if (copy_to_user(useraddr, &dump, sizeof(dump))) {
+                ret = -EFAULT;
+                goto out;
+        }
+        useraddr += offsetof(struct ethtool_dump, data);
+        if (copy_to_user(useraddr, data, len))
+                ret = -EFAULT;
+out:
+        vfree(data);
+        return ret;
+}
 /* The main entry point in this file.  Called from net/core/dev.c */
 int dev_ethtool(struct net *net, struct ifreq *ifr)
@@ -1953,6 +2137,21 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        case ETHTOOL_SGRO:
                rc = ethtool_set_one_feature(dev, useraddr, ethcmd);
                break;
+        case ETHTOOL_GCHANNELS:
+                rc = ethtool_get_channels(dev, useraddr);
+                break;
+        case ETHTOOL_SCHANNELS:
+                rc = ethtool_set_channels(dev, useraddr);
+                break;
+        case ETHTOOL_SET_DUMP:
+                rc = ethtool_set_dump(dev, useraddr);
+                break;
+        case ETHTOOL_GET_DUMP_FLAG:
+                rc = ethtool_get_dump_flag(dev, useraddr);
+                break;
+        case ETHTOOL_GET_DUMP_DATA:
+                rc = ethtool_get_dump_data(dev, useraddr);
+                break;
        default:
                rc = -EOPNOTSUPP;
        }
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 8248ebb5891d..008dc70b064b 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -590,7 +590,8 @@ static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
        int idx = 0;
        struct fib_rule *rule;
-        list_for_each_entry(rule, &ops->rules_list, list) {
+        rcu_read_lock();
+        list_for_each_entry_rcu(rule, &ops->rules_list, list) {
                if (idx < cb->args[1])
                        goto skip;
@@ -601,6 +602,7 @@ static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
 skip:
                idx++;
        }
+        rcu_read_unlock();
        cb->args[1] = idx;
        rules_ops_put(ops);
diff --git a/net/core/filter.c b/net/core/filter.c
index afb8afb066bb..36f975fa87cb 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -38,65 +38,7 @@
 #include <asm/unaligned.h>
 #include <linux/filter.h>
 #include <linux/reciprocal_div.h>
+#include <linux/ratelimit.h>
-enum {
-        BPF_S_RET_K = 1,
-        BPF_S_RET_A,
-        BPF_S_ALU_ADD_K,
-        BPF_S_ALU_ADD_X,
-        BPF_S_ALU_SUB_K,
-        BPF_S_ALU_SUB_X,
-        BPF_S_ALU_MUL_K,
-        BPF_S_ALU_MUL_X,
-        BPF_S_ALU_DIV_X,
-        BPF_S_ALU_AND_K,
-        BPF_S_ALU_AND_X,
-        BPF_S_ALU_OR_K,
-        BPF_S_ALU_OR_X,
-        BPF_S_ALU_LSH_K,
-        BPF_S_ALU_LSH_X,
-        BPF_S_ALU_RSH_K,
-        BPF_S_ALU_RSH_X,
-        BPF_S_ALU_NEG,
-        BPF_S_LD_W_ABS,
-        BPF_S_LD_H_ABS,
-        BPF_S_LD_B_ABS,
-        BPF_S_LD_W_LEN,
-        BPF_S_LD_W_IND,
-        BPF_S_LD_H_IND,
-        BPF_S_LD_B_IND,
-        BPF_S_LD_IMM,
-        BPF_S_LDX_W_LEN,
-        BPF_S_LDX_B_MSH,
-        BPF_S_LDX_IMM,
-        BPF_S_MISC_TAX,
-        BPF_S_MISC_TXA,
-        BPF_S_ALU_DIV_K,
-        BPF_S_LD_MEM,
-        BPF_S_LDX_MEM,
-        BPF_S_ST,
-        BPF_S_STX,
-        BPF_S_JMP_JA,
-        BPF_S_JMP_JEQ_K,
-        BPF_S_JMP_JEQ_X,
-        BPF_S_JMP_JGE_K,
-        BPF_S_JMP_JGE_X,
-        BPF_S_JMP_JGT_K,
-        BPF_S_JMP_JGT_X,
-        BPF_S_JMP_JSET_K,
-        BPF_S_JMP_JSET_X,
-        /* Ancillary data */
-        BPF_S_ANC_PROTOCOL,
-        BPF_S_ANC_PKTTYPE,
-        BPF_S_ANC_IFINDEX,
-        BPF_S_ANC_NLATTR,
-        BPF_S_ANC_NLATTR_NEST,
-        BPF_S_ANC_MARK,
-        BPF_S_ANC_QUEUE,
-        BPF_S_ANC_HATYPE,
-        BPF_S_ANC_RXHASH,
-        BPF_S_ANC_CPU,
-};
 /* No hurry in this branch */
 static void *__load_pointer(const struct sk_buff *skb, int k, unsigned int size)
@@ -145,7 +87,7 @@ int sk_filter(struct sock *sk, struct sk_buff *skb)
        rcu_read_lock();
        filter = rcu_dereference(sk->sk_filter);
        if (filter) {
-                unsigned int pkt_len = sk_run_filter(skb, filter->insns);
+                unsigned int pkt_len = SK_RUN_FILTER(filter, skb);
                err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
        }
@@ -409,7 +351,9 @@ load_b:
                        continue;
                }
                default:
-                        WARN_ON(1);
+                        WARN_RATELIMIT(1, "Unknown code:%u jt:%u tf:%u k:%u\n",
+                                       fentry->code, fentry->jt,
+                                       fentry->jf, fentry->k);
                        return 0;
                }
        }
@@ -638,6 +582,7 @@ void sk_filter_release_rcu(struct rcu_head *rcu)
 {
        struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
+        bpf_jit_free(fp);
        kfree(fp);
 }
 EXPORT_SYMBOL(sk_filter_release_rcu);
@@ -672,6 +617,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
        atomic_set(&fp->refcnt, 1);
        fp->len = fprog->len;
+        fp->bpf_func = sk_run_filter;
        err = sk_chk_filter(fp->insns, fp->len);
        if (err) {
@@ -679,6 +625,8 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
                return err;
        }
+        bpf_jit_compile(fp);
        old_fp = rcu_dereference_protected(sk->sk_filter,
                                           sock_owned_by_user(sk));
        rcu_assign_pointer(sk->sk_filter, fp);
diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
index 7c2373321b74..43b03dd71e85 100644
--- a/net/core/gen_estimator.c
+++ b/net/core/gen_estimator.c
@@ -249,13 +249,6 @@ int gen_new_estimator(struct gnet_stats_basic_packed *bstats,
 }
 EXPORT_SYMBOL(gen_new_estimator);
-static void __gen_kill_estimator(struct rcu_head *head)
-{
-        struct gen_estimator *e = container_of(head,
-                                        struct gen_estimator, e_rcu);
-        kfree(e);
-}
 /**
 * gen_kill_estimator - remove a rate estimator
 * @bstats: basic statistics
@@ -279,7 +272,7 @@ void gen_kill_estimator(struct gnet_stats_basic_packed *bstats,
                write_unlock(&est_lock);
                list_del_rcu(&e->list);
-                call_rcu(&e->e_rcu, __gen_kill_estimator);
+                kfree_rcu(e, e_rcu);
        }
        spin_unlock_bh(&est_tree_lock);
 }
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 5ceb257e860c..33d2a1fba131 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -28,6 +28,7 @@
 static const char fmt_hex[] = "%#x\n";
 static const char fmt_long_hex[] = "%#lx\n";
 static const char fmt_dec[] = "%d\n";
+static const char fmt_udec[] = "%u\n";
 static const char fmt_ulong[] = "%lu\n";
 static const char fmt_u64[] = "%llu\n";
@@ -145,13 +146,10 @@ static ssize_t show_speed(struct device *dev,
        if (!rtnl_trylock())
                return restart_syscall();
-        if (netif_running(netdev) &&
+        if (netif_running(netdev)) {
-            netdev->ethtool_ops &&
+                struct ethtool_cmd cmd;
-            netdev->ethtool_ops->get_settings) {
+                if (!dev_ethtool_get_settings(netdev, &cmd))
-                struct ethtool_cmd cmd = { ETHTOOL_GSET };
+                        ret = sprintf(buf, fmt_udec, ethtool_cmd_speed(&cmd));
-                if (!netdev->ethtool_ops->get_settings(netdev, &cmd))
-                        ret = sprintf(buf, fmt_dec, ethtool_cmd_speed(&cmd));
        }
        rtnl_unlock();
        return ret;
@@ -166,13 +164,11 @@ static ssize_t show_duplex(struct device *dev,
        if (!rtnl_trylock())
                return restart_syscall();
-        if (netif_running(netdev) &&
+        if (netif_running(netdev)) {
-            netdev->ethtool_ops &&
+                struct ethtool_cmd cmd;
-            netdev->ethtool_ops->get_settings) {
+                if (!dev_ethtool_get_settings(netdev, &cmd))
-                struct ethtool_cmd cmd = { ETHTOOL_GSET };
+                        ret = sprintf(buf, "%s\n",
+                                      cmd.duplex ? "full" : "half");
-                if (!netdev->ethtool_ops->get_settings(netdev, &cmd))
-                        ret = sprintf(buf, "%s\n", cmd.duplex ? "full" : "half");
        }
        rtnl_unlock();
        return ret;
@@ -565,13 +561,6 @@ static ssize_t show_rps_map(struct netdev_rx_queue *queue,
        return len;
 }
-static void rps_map_release(struct rcu_head *rcu)
-{
-        struct rps_map *map = container_of(rcu, struct rps_map, rcu);
-        kfree(map);
-}
 static ssize_t store_rps_map(struct netdev_rx_queue *queue,
                      struct rx_queue_attribute *attribute,
                      const char *buf, size_t len)
@@ -619,7 +608,7 @@ static ssize_t store_rps_map(struct netdev_rx_queue *queue,
        spin_unlock(&rps_map_lock);
        if (old_map)
-                call_rcu(&old_map->rcu, rps_map_release);
+                kfree_rcu(old_map, rcu);
        free_cpumask_var(mask);
        return len;
@@ -728,7 +717,7 @@ static void rx_queue_release(struct kobject *kobj)
        map = rcu_dereference_raw(queue->rps_map);
        if (map) {
                RCU_INIT_POINTER(queue->rps_map, NULL);
-                call_rcu(&map->rcu, rps_map_release);
+                kfree_rcu(map, rcu);
        }
        flow_table = rcu_dereference_raw(queue->rps_flow_table);
@@ -898,21 +887,6 @@ static ssize_t show_xps_map(struct netdev_queue *queue,
        return len;
 }
-static void xps_map_release(struct rcu_head *rcu)
-{
-        struct xps_map *map = container_of(rcu, struct xps_map, rcu);
-        kfree(map);
-}
-static void xps_dev_maps_release(struct rcu_head *rcu)
-{
-        struct xps_dev_maps *dev_maps =
-            container_of(rcu, struct xps_dev_maps, rcu);
-        kfree(dev_maps);
-}
 static DEFINE_MUTEX(xps_map_mutex);
 #define xmap_dereference(P)             \
        rcu_dereference_protected((P), lockdep_is_held(&xps_map_mutex))
@@ -968,7 +942,7 @@ static ssize_t store_xps_map(struct netdev_queue *queue,
                } else
                        pos = map_len = alloc_len = 0;
-                need_set = cpu_isset(cpu, *mask) && cpu_online(cpu);
+                need_set = cpumask_test_cpu(cpu, mask) && cpu_online(cpu);
 #ifdef CONFIG_NUMA
                if (need_set) {
                        if (numa_node == -2)
@@ -1009,7 +983,7 @@ static ssize_t store_xps_map(struct netdev_queue *queue,
                map = dev_maps ?
                        xmap_dereference(dev_maps->cpu_map[cpu]) : NULL;
                if (map && xmap_dereference(new_dev_maps->cpu_map[cpu]) != map)
-                        call_rcu(&map->rcu, xps_map_release);
+                        kfree_rcu(map, rcu);
                if (new_dev_maps->cpu_map[cpu])
                        nonempty = 1;
        }
@@ -1022,7 +996,7 @@ static ssize_t store_xps_map(struct netdev_queue *queue,
        }
        if (dev_maps)
-                call_rcu(&dev_maps->rcu, xps_dev_maps_release);
+                kfree_rcu(dev_maps, rcu);
        netdev_queue_numa_node_write(queue, (numa_node >= 0) ? numa_node :
                                            NUMA_NO_NODE);
@@ -1084,7 +1058,7 @@ static void netdev_queue_release(struct kobject *kobj)
                                else {
                                        RCU_INIT_POINTER(dev_maps->cpu_map[i],
                                            NULL);
-                                        call_rcu(&map->rcu, xps_map_release);
+                                        kfree_rcu(map, rcu);
                                        map = NULL;
                                }
                        }
@@ -1094,7 +1068,7 @@ static void netdev_queue_release(struct kobject *kobj)
                if (!nonempty) {
                        RCU_INIT_POINTER(dev->xps_maps, NULL);
-                        call_rcu(&dev_maps->rcu, xps_dev_maps_release);
+                        kfree_rcu(dev_maps, rcu);
                }
        }
@@ -1205,9 +1179,14 @@ static void remove_queue_kobjects(struct net_device *net)
 #endif
 }
-static const void *net_current_ns(void)
+static void *net_grab_current_ns(void)
 {
-        return current->nsproxy->net_ns;
+        struct net *ns = current->nsproxy->net_ns;
+#ifdef CONFIG_NET_NS
+        if (ns)
+                atomic_inc(&ns->passive);
+#endif
+        return ns;
 }
 static const void *net_initial_ns(void)
@@ -1222,22 +1201,13 @@ static const void *net_netlink_ns(struct sock *sk)
 struct kobj_ns_type_operations net_ns_type_operations = {
        .type = KOBJ_NS_TYPE_NET,
-        .current_ns = net_current_ns,
+        .grab_current_ns = net_grab_current_ns,
        .netlink_ns = net_netlink_ns,
        .initial_ns = net_initial_ns,
+        .drop_ns = net_drop_ns,
 };
 EXPORT_SYMBOL_GPL(net_ns_type_operations);
-static void net_kobj_ns_exit(struct net *net)
-{
-        kobj_ns_exit(KOBJ_NS_TYPE_NET, net);
-}
-static struct pernet_operations kobj_net_ops = {
-        .exit = net_kobj_ns_exit,
-};
 #ifdef CONFIG_HOTPLUG
 static int netdev_uevent(struct device *d, struct kobj_uevent_env *env)
 {
@@ -1365,6 +1335,5 @@ EXPORT_SYMBOL(netdev_class_remove_file);
 int netdev_kobject_init(void)
 {
        kobj_ns_type_register(&net_ns_type_operations);
-        register_pernet_subsys(&kobj_net_ops);
        return class_register(&net_class);
 }
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 3f860261c5ee..ea489db1bc23 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -8,6 +8,8 @@
 #include <linux/idr.h>
 #include <linux/rculist.h>
 #include <linux/nsproxy.h>
+#include <linux/proc_fs.h>
+#include <linux/file.h>
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
@@ -27,14 +29,6 @@ EXPORT_SYMBOL(init_net);
 #define INITIAL_NET_GEN_PTRS    13 /* +1 for len +2 for rcu_head */
-static void net_generic_release(struct rcu_head *rcu)
-{
-        struct net_generic *ng;
-        ng = container_of(rcu, struct net_generic, rcu);
-        kfree(ng);
-}
 static int net_assign_generic(struct net *net, int id, void *data)
 {
        struct net_generic *ng, *old_ng;
@@ -68,7 +62,7 @@ static int net_assign_generic(struct net *net, int id, void *data)
        memcpy(&ng->ptr, &old_ng->ptr, old_ng->len * sizeof(void*));
        rcu_assign_pointer(net->gen, ng);
-        call_rcu(&old_ng->rcu, net_generic_release);
+        kfree_rcu(old_ng, rcu);
 assign:
        ng->ptr[id - 1] = data;
        return 0;
@@ -134,6 +128,7 @@ static __net_init int setup_net(struct net *net)
        LIST_HEAD(net_exit_list);
        atomic_set(&net->count, 1);
+        atomic_set(&net->passive, 1);
 #ifdef NETNS_REFCNT_DEBUG
        atomic_set(&net->use_count, 0);
@@ -216,11 +211,21 @@ static void net_free(struct net *net)
        kmem_cache_free(net_cachep, net);
 }
-static struct net *net_create(void)
+void net_drop_ns(void *p)
+{
+        struct net *ns = p;
+        if (ns && atomic_dec_and_test(&ns->passive))
+                net_free(ns);
+}
+struct net *copy_net_ns(unsigned long flags, struct net *old_net)
 {
        struct net *net;
        int rv;
+        if (!(flags & CLONE_NEWNET))
+                return get_net(old_net);
        net = net_alloc();
        if (!net)
                return ERR_PTR(-ENOMEM);
@@ -233,19 +238,12 @@ static struct net *net_create(void)
        }
        mutex_unlock(&net_mutex);
        if (rv < 0) {
-                net_free(net);
+                net_drop_ns(net);
                return ERR_PTR(rv);
        }
        return net;
 }
-struct net *copy_net_ns(unsigned long flags, struct net *old_net)
-{
-        if (!(flags & CLONE_NEWNET))
-                return get_net(old_net);
-        return net_create();
-}
 static DEFINE_SPINLOCK(cleanup_list_lock);
 static LIST_HEAD(cleanup_list);  /* Must hold cleanup_list_lock to touch */
@@ -296,7 +294,7 @@ static void cleanup_net(struct work_struct *work)
        /* Finally it is safe to free my network namespace structure */
        list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) {
                list_del_init(&net->exit_list);
-                net_free(net);
+                net_drop_ns(net);
        }
 }
 static DECLARE_WORK(net_cleanup_work, cleanup_net);
@@ -314,6 +312,26 @@ void __put_net(struct net *net)
 }
 EXPORT_SYMBOL_GPL(__put_net);
+struct net *get_net_ns_by_fd(int fd)
+{
+        struct proc_inode *ei;
+        struct file *file;
+        struct net *net;
+        file = proc_ns_fget(fd);
+        if (IS_ERR(file))
+                return ERR_CAST(file);
+        ei = PROC_I(file->f_dentry->d_inode);
+        if (ei->ns_ops == &netns_operations)
+                net = get_net(ei->ns);
+        else
+                net = ERR_PTR(-EINVAL);
+        fput(file);
+        return net;
+}
 #else
 struct net *copy_net_ns(unsigned long flags, struct net *old_net)
 {
@@ -321,6 +339,11 @@ struct net *copy_net_ns(unsigned long flags, struct net *old_net)
                return ERR_PTR(-EINVAL);
        return old_net;
 }
+struct net *get_net_ns_by_fd(int fd)
+{
+        return ERR_PTR(-EINVAL);
+}
 #endif
 struct net *get_net_ns_by_pid(pid_t pid)
@@ -573,3 +596,39 @@ void unregister_pernet_device(struct pernet_operations *ops)
        mutex_unlock(&net_mutex);
 }
 EXPORT_SYMBOL_GPL(unregister_pernet_device);
+#ifdef CONFIG_NET_NS
+static void *netns_get(struct task_struct *task)
+{
+        struct net *net = NULL;
+        struct nsproxy *nsproxy;
+        rcu_read_lock();
+        nsproxy = task_nsproxy(task);
+        if (nsproxy)
+                net = get_net(nsproxy->net_ns);
+        rcu_read_unlock();
+        return net;
+}
+static void netns_put(void *ns)
+{
+        put_net(ns);
+}
+static int netns_install(struct nsproxy *nsproxy, void *ns)
+{
+        put_net(nsproxy->net_ns);
+        nsproxy->net_ns = get_net(ns);
+        return 0;
+}
+const struct proc_ns_operations netns_operations = {
+        .name           = "net",
+        .type           = CLONE_NEWNET,
+        .get            = netns_get,
+        .put            = netns_put,
+        .install        = netns_install,
+};
+#endif
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 06be2431753e..18d9cbda3a39 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -539,7 +539,7 @@ int __netpoll_rx(struct sk_buff *skb)
 {
        int proto, len, ulen;
        int hits = 0;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct udphdr *uh;
        struct netpoll_info *npinfo = skb->dev->npinfo;
        struct netpoll *np, *tmp;
@@ -698,32 +698,8 @@ int netpoll_parse_options(struct netpoll *np, char *opt)
        if (*cur != 0) {
                /* MAC address */
-                if ((delim = strchr(cur, ':')) == NULL)
+                if (!mac_pton(cur, np->remote_mac))
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[0] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[1] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[2] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[3] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[4] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                np->remote_mac[5] = simple_strtol(cur, NULL, 16);
        }
        netpoll_print_options(np);
@@ -816,6 +792,13 @@ int netpoll_setup(struct netpoll *np)
                return -ENODEV;
        }
+        if (ndev->master) {
+                printk(KERN_ERR "%s: %s is a slave device, aborting.\n",
+                       np->name, np->dev_name);
+                err = -EBUSY;
+                goto put;
+        }
        if (!netif_running(ndev)) {
                unsigned long atmost, atleast;
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index aeeece72b72f..f76079cd750c 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -156,6 +156,7 @@
 #include <linux/wait.h>
 #include <linux/etherdevice.h>
 #include <linux/kthread.h>
+#include <linux/prefetch.h>
 #include <net/net_namespace.h>
 #include <net/checksum.h>
 #include <net/ipv6.h>
@@ -449,7 +450,6 @@ static void pktgen_stop(struct pktgen_thread *t);
 static void pktgen_clear_counters(struct pktgen_dev *pkt_dev);
 static unsigned int scan_ip6(const char *s, char ip[16]);
-static unsigned int fmt_ip6(char *s, const char ip[16]);
 /* Module parameters, defaults. */
 static int pg_count_d __read_mostly = 1000;
@@ -556,21 +556,13 @@ static int pktgen_if_show(struct seq_file *seq, void *v)
                           pkt_dev->skb_priority);
        if (pkt_dev->flags & F_IPV6) {
-                char b1[128], b2[128], b3[128];
-                fmt_ip6(b1, pkt_dev->in6_saddr.s6_addr);
-                fmt_ip6(b2, pkt_dev->min_in6_saddr.s6_addr);
-                fmt_ip6(b3, pkt_dev->max_in6_saddr.s6_addr);
                seq_printf(seq,
-                           "     saddr: %s  min_saddr: %s  max_saddr: %s\n", b1,
+                           "     saddr: %pI6c  min_saddr: %pI6c  max_saddr: %pI6c\n"
-                           b2, b3);
+                           "     daddr: %pI6c  min_daddr: %pI6c  max_daddr: %pI6c\n",
+                           &pkt_dev->in6_saddr,
-                fmt_ip6(b1, pkt_dev->in6_daddr.s6_addr);
+                           &pkt_dev->min_in6_saddr, &pkt_dev->max_in6_saddr,
-                fmt_ip6(b2, pkt_dev->min_in6_daddr.s6_addr);
+                           &pkt_dev->in6_daddr,
-                fmt_ip6(b3, pkt_dev->max_in6_daddr.s6_addr);
+                           &pkt_dev->min_in6_daddr, &pkt_dev->max_in6_daddr);
-                seq_printf(seq,
-                           "     daddr: %s  min_daddr: %s  max_daddr: %s\n", b1,
-                           b2, b3);
        } else {
                seq_printf(seq,
                           "     dst_min: %s  dst_max: %s\n",
@@ -706,10 +698,9 @@ static int pktgen_if_show(struct seq_file *seq, void *v)
                   pkt_dev->cur_src_mac_offset);
        if (pkt_dev->flags & F_IPV6) {
-                char b1[128], b2[128];
+                seq_printf(seq, "     cur_saddr: %pI6c  cur_daddr: %pI6c\n",
-                fmt_ip6(b1, pkt_dev->cur_in6_daddr.s6_addr);
+                                &pkt_dev->cur_in6_saddr,
-                fmt_ip6(b2, pkt_dev->cur_in6_saddr.s6_addr);
+                                &pkt_dev->cur_in6_daddr);
-                seq_printf(seq, "     cur_saddr: %s  cur_daddr: %s\n", b2, b1);
        } else
                seq_printf(seq, "     cur_saddr: 0x%x  cur_daddr: 0x%x\n",
                           pkt_dev->cur_saddr, pkt_dev->cur_daddr);
@@ -1309,7 +1300,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->in6_daddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->in6_daddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->in6_daddr);
                ipv6_addr_copy(&pkt_dev->cur_in6_daddr, &pkt_dev->in6_daddr);
@@ -1332,7 +1323,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->min_in6_daddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->min_in6_daddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->min_in6_daddr);
                ipv6_addr_copy(&pkt_dev->cur_in6_daddr,
                               &pkt_dev->min_in6_daddr);
@@ -1355,7 +1346,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->max_in6_daddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->max_in6_daddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->max_in6_daddr);
                if (debug)
                        printk(KERN_DEBUG "pktgen: dst6_max set to: %s\n", buf);
@@ -1376,7 +1367,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->in6_saddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->in6_saddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->in6_saddr);
                ipv6_addr_copy(&pkt_dev->cur_in6_saddr, &pkt_dev->in6_saddr);
@@ -1430,11 +1421,6 @@ static ssize_t pktgen_if_write(struct file *file,
                return count;
        }
        if (!strcmp(name, "dst_mac")) {
-                char *v = valstr;
-                unsigned char old_dmac[ETH_ALEN];
-                unsigned char *m = pkt_dev->dst_mac;
-                memcpy(old_dmac, pkt_dev->dst_mac, ETH_ALEN);
                len = strn_len(&user_buffer[i], sizeof(valstr) - 1);
                if (len < 0)
                        return len;
@@ -1442,35 +1428,16 @@ static ssize_t pktgen_if_write(struct file *file,
                memset(valstr, 0, sizeof(valstr));
                if (copy_from_user(valstr, &user_buffer[i], len))
                        return -EFAULT;
-                i += len;
-                for (*m = 0; *v && m < pkt_dev->dst_mac + 6; v++) {
-                        int value;
-                        value = hex_to_bin(*v);
-                        if (value >= 0)
-                                *m = *m * 16 + value;
-                        if (*v == ':') {
-                                m++;
-                                *m = 0;
-                        }
-                }
+                if (!mac_pton(valstr, pkt_dev->dst_mac))
+                        return -EINVAL;
                /* Set up Dest MAC */
-                if (compare_ether_addr(old_dmac, pkt_dev->dst_mac))
+                memcpy(&pkt_dev->hh[0], pkt_dev->dst_mac, ETH_ALEN);
-                        memcpy(&(pkt_dev->hh[0]), pkt_dev->dst_mac, ETH_ALEN);
-                sprintf(pg_result, "OK: dstmac");
+                sprintf(pg_result, "OK: dstmac %pM", pkt_dev->dst_mac);
                return count;
        }
        if (!strcmp(name, "src_mac")) {
-                char *v = valstr;
-                unsigned char old_smac[ETH_ALEN];
-                unsigned char *m = pkt_dev->src_mac;
-                memcpy(old_smac, pkt_dev->src_mac, ETH_ALEN);
                len = strn_len(&user_buffer[i], sizeof(valstr) - 1);
                if (len < 0)
                        return len;
@@ -1478,26 +1445,13 @@ static ssize_t pktgen_if_write(struct file *file,
                memset(valstr, 0, sizeof(valstr));
                if (copy_from_user(valstr, &user_buffer[i], len))
                        return -EFAULT;
-                i += len;
-                for (*m = 0; *v && m < pkt_dev->src_mac + 6; v++) {
-                        int value;
-                        value = hex_to_bin(*v);
-                        if (value >= 0)
-                                *m = *m * 16 + value;
-                        if (*v == ':') {
-                                m++;
-                                *m = 0;
-                        }
-                }
+                if (!mac_pton(valstr, pkt_dev->src_mac))
+                        return -EINVAL;
                /* Set up Src MAC */
-                if (compare_ether_addr(old_smac, pkt_dev->src_mac))
+                memcpy(&pkt_dev->hh[6], pkt_dev->src_mac, ETH_ALEN);
-                        memcpy(&(pkt_dev->hh[6]), pkt_dev->src_mac, ETH_ALEN);
-                sprintf(pg_result, "OK: srcmac");
+                sprintf(pg_result, "OK: srcmac %pM", pkt_dev->src_mac);
                return count;
        }
@@ -2514,7 +2468,6 @@ static int pktgen_output_ipsec(struct sk_buff *skb, struct pktgen_dev *pkt_dev)
 {
        struct xfrm_state *x = pkt_dev->flows[pkt_dev->curfl].x;
        int err = 0;
-        struct iphdr *iph;
        if (!x)
                return 0;
@@ -2524,7 +2477,6 @@ static int pktgen_output_ipsec(struct sk_buff *skb, struct pktgen_dev *pkt_dev)
                return 0;
        spin_lock(&x->lock);
-        iph = ip_hdr(skb);
        err = x->outer_mode->output(x, skb);
        if (err)
@@ -2624,6 +2576,7 @@ static void pktgen_finalize_skb(struct pktgen_dev *pkt_dev, struct sk_buff *skb,
        } else {
                int frags = pkt_dev->nfrags;
                int i, len;
+                int frag_len;
                if (frags > MAX_SKB_FRAGS)
@@ -2635,6 +2588,8 @@ static void pktgen_finalize_skb(struct pktgen_dev *pkt_dev, struct sk_buff *skb,
                }
                i = 0;
+                frag_len = (datalen/frags) < PAGE_SIZE ?
+                           (datalen/frags) : PAGE_SIZE;
                while (datalen > 0) {
                        if (unlikely(!pkt_dev->page)) {
                                int node = numa_node_id();
@@ -2648,38 +2603,18 @@ static void pktgen_finalize_skb(struct pktgen_dev *pkt_dev, struct sk_buff *skb,
                        skb_shinfo(skb)->frags[i].page = pkt_dev->page;
                        get_page(pkt_dev->page);
                        skb_shinfo(skb)->frags[i].page_offset = 0;
-                        skb_shinfo(skb)->frags[i].size =
+                        /*last fragment, fill rest of data*/
-                            (datalen < PAGE_SIZE ? datalen : PAGE_SIZE);
+                        if (i == (frags - 1))
+                                skb_shinfo(skb)->frags[i].size =
+                                    (datalen < PAGE_SIZE ? datalen : PAGE_SIZE);
+                        else
+                                skb_shinfo(skb)->frags[i].size = frag_len;
                        datalen -= skb_shinfo(skb)->frags[i].size;
                        skb->len += skb_shinfo(skb)->frags[i].size;
                        skb->data_len += skb_shinfo(skb)->frags[i].size;
                        i++;
                        skb_shinfo(skb)->nr_frags = i;
                }
-                while (i < frags) {
-                        int rem;
-                        if (i == 0)
-                                break;
-                        rem = skb_shinfo(skb)->frags[i - 1].size / 2;
-                        if (rem == 0)
-                                break;
-                        skb_shinfo(skb)->frags[i - 1].size -= rem;
-                        skb_shinfo(skb)->frags[i] =
-                            skb_shinfo(skb)->frags[i - 1];
-                        get_page(skb_shinfo(skb)->frags[i].page);
-                        skb_shinfo(skb)->frags[i].page =
-                            skb_shinfo(skb)->frags[i - 1].page;
-                        skb_shinfo(skb)->frags[i].page_offset +=
-                            skb_shinfo(skb)->frags[i - 1].size;
-                        skb_shinfo(skb)->frags[i].size = rem;
-                        i++;
-                        skb_shinfo(skb)->nr_frags = i;
-                }
        }
        /* Stamp the time, and sequence number,
@@ -2917,79 +2852,6 @@ static unsigned int scan_ip6(const char *s, char ip[16])
        return len;
 }
-static char tohex(char hexdigit)
-{
-        return hexdigit > 9 ? hexdigit + 'a' - 10 : hexdigit + '0';
-}
-static int fmt_xlong(char *s, unsigned int i)
-{
-        char *bak = s;
-        *s = tohex((i >> 12) & 0xf);
-        if (s != bak || *s != '0')
-                ++s;
-        *s = tohex((i >> 8) & 0xf);
-        if (s != bak || *s != '0')
-                ++s;
-        *s = tohex((i >> 4) & 0xf);
-        if (s != bak || *s != '0')
-                ++s;
-        *s = tohex(i & 0xf);
-        return s - bak + 1;
-}
-static unsigned int fmt_ip6(char *s, const char ip[16])
-{
-        unsigned int len;
-        unsigned int i;
-        unsigned int temp;
-        unsigned int compressing;
-        int j;
-        len = 0;
-        compressing = 0;
-        for (j = 0; j < 16; j += 2) {
-#ifdef V4MAPPEDPREFIX
-                if (j == 12 && !memcmp(ip, V4mappedprefix, 12)) {
-                        inet_ntoa_r(*(struct in_addr *)(ip + 12), s);
-                        temp = strlen(s);
-                        return len + temp;
-                }
-#endif
-                temp = ((unsigned long)(unsigned char)ip[j] << 8) +
-                    (unsigned long)(unsigned char)ip[j + 1];
-                if (temp == 0) {
-                        if (!compressing) {
-                                compressing = 1;
-                                if (j == 0) {
-                                        *s++ = ':';
-                                        ++len;
-                                }
-                        }
-                } else {
-                        if (compressing) {
-                                compressing = 0;
-                                *s++ = ':';
-                                ++len;
-                        }
-                        i = fmt_xlong(s, temp);
-                        len += i;
-                        s += i;
-                        if (j < 14) {
-                                *s++ = ':';
-                                ++len;
-                        }
-                }
-        }
-        if (compressing) {
-                *s++ = ':';
-                ++len;
-        }
-        *s = 0;
-        return len;
-}
 static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
                                        struct pktgen_dev *pkt_dev)
 {
@@ -3682,13 +3544,12 @@ static int pktgen_add_device(struct pktgen_thread *t, const char *ifname)
                return -ENOMEM;
        strcpy(pkt_dev->odevname, ifname);
-        pkt_dev->flows = vmalloc_node(MAX_CFLOWS * sizeof(struct flow_state),
+        pkt_dev->flows = vzalloc_node(MAX_CFLOWS * sizeof(struct flow_state),
                                      node);
        if (pkt_dev->flows == NULL) {
                kfree(pkt_dev);
                return -ENOMEM;
        }
-        memset(pkt_dev->flows, 0, MAX_CFLOWS * sizeof(struct flow_state));
        pkt_dev->removal_mark = 0;
        pkt_dev->min_pkt_size = ETH_ZLEN;
@@ -3846,6 +3707,7 @@ static int __init pg_init(void)
 {
        int cpu;
        struct proc_dir_entry *pe;
+        int ret = 0;
        pr_info("%s", version);
@@ -3856,11 +3718,10 @@ static int __init pg_init(void)
        pe = proc_create(PGCTRL, 0600, pg_proc_dir, &pktgen_fops);
        if (pe == NULL) {
                pr_err("ERROR: cannot create %s procfs entry\n", PGCTRL);
-                proc_net_remove(&init_net, PG_PROC_DIR);
+                ret = -EINVAL;
-                return -EINVAL;
+                goto remove_dir;
        }
-        /* Register us to receive netdevice events */
        register_netdevice_notifier(&pktgen_notifier_block);
        for_each_online_cpu(cpu) {
@@ -3874,13 +3735,18 @@ static int __init pg_init(void)
        if (list_empty(&pktgen_threads)) {
                pr_err("ERROR: Initialization failed for all threads\n");
-                unregister_netdevice_notifier(&pktgen_notifier_block);
+                ret = -ENODEV;
-                remove_proc_entry(PGCTRL, pg_proc_dir);
+                goto unregister;
-                proc_net_remove(&init_net, PG_PROC_DIR);
-                return -ENODEV;
        }
        return 0;
+ unregister:
+        unregister_netdevice_notifier(&pktgen_notifier_block);
+        remove_proc_entry(PGCTRL, pg_proc_dir);
+ remove_dir:
+        proc_net_remove(&init_net, PG_PROC_DIR);
+        return ret;
 }
 static void __exit pg_cleanup(void)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index d7c4bb4b1820..abd936d8a716 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -850,6 +850,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
        struct nlattr *attr, *af_spec;
        struct rtnl_af_ops *af_ops;
+        ASSERT_RTNL();
        nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags);
        if (nlh == NULL)
                return -EMSGSIZE;
@@ -1007,10 +1008,11 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
        s_h = cb->args[0];
        s_idx = cb->args[1];
+        rcu_read_lock();
        for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
                idx = 0;
                head = &net->dev_index_head[h];
-                hlist_for_each_entry(dev, node, head, index_hlist) {
+                hlist_for_each_entry_rcu(dev, node, head, index_hlist) {
                        if (idx < s_idx)
                                goto cont;
                        if (rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
@@ -1023,6 +1025,7 @@ cont:
                }
        }
 out:
+        rcu_read_unlock();
        cb->args[1] = idx;
        cb->args[0] = h;
@@ -1043,6 +1046,7 @@ const struct nla_policy ifla_policy[IFLA_MAX+1] = {
        [IFLA_LINKMODE]         = { .type = NLA_U8 },
        [IFLA_LINKINFO]         = { .type = NLA_NESTED },
        [IFLA_NET_NS_PID]       = { .type = NLA_U32 },
+        [IFLA_NET_NS_FD]        = { .type = NLA_U32 },
        [IFLA_IFALIAS]          = { .type = NLA_STRING, .len = IFALIASZ-1 },
        [IFLA_VFINFO_LIST]      = {. type = NLA_NESTED },
        [IFLA_VF_PORTS]         = { .type = NLA_NESTED },
@@ -1091,6 +1095,8 @@ struct net *rtnl_link_get_net(struct net *src_net, struct nlattr *tb[])
         */
        if (tb[IFLA_NET_NS_PID])
                net = get_net_ns_by_pid(nla_get_u32(tb[IFLA_NET_NS_PID]));
+        else if (tb[IFLA_NET_NS_FD])
+                net = get_net_ns_by_fd(nla_get_u32(tb[IFLA_NET_NS_FD]));
        else
                net = get_net(src_net);
        return net;
@@ -1221,7 +1227,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
        int send_addr_notify = 0;
        int err;
-        if (tb[IFLA_NET_NS_PID]) {
+        if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) {
                struct net *net = rtnl_link_get_net(dev_net(dev), tb);
                if (IS_ERR(net)) {
                        err = PTR_ERR(net);
@@ -1499,6 +1505,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
        char ifname[IFNAMSIZ];
        struct nlattr *tb[IFLA_MAX+1];
        int err;
+        LIST_HEAD(list_kill);
        err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy);
        if (err < 0)
@@ -1522,7 +1529,9 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
        if (!ops)
                return -EOPNOTSUPP;
-        ops->dellink(dev, NULL);
+        ops->dellink(dev, &list_kill);
+        unregister_netdevice_many(&list_kill);
+        list_del(&list_kill);
        return 0;
 }
@@ -1570,12 +1579,6 @@ struct net_device *rtnl_create_link(struct net *src_net, struct net *net,
        dev->rtnl_link_state = RTNL_LINK_INITIALIZING;
        dev->real_num_tx_queues = real_num_queues;
-        if (strchr(dev->name, '%')) {
-                err = dev_alloc_name(dev, dev->name);
-                if (err < 0)
-                        goto err_free;
-        }
        if (tb[IFLA_MTU])
                dev->mtu = nla_get_u32(tb[IFLA_MTU]);
        if (tb[IFLA_ADDRESS])
@@ -1595,8 +1598,6 @@ struct net_device *rtnl_create_link(struct net *src_net, struct net *net,
        return dev;
-err_free:
-        free_netdev(dev);
 err:
        return ERR_PTR(err);
 }
@@ -1963,6 +1964,8 @@ static int rtnetlink_event(struct notifier_block *this, unsigned long event, voi
        case NETDEV_GOING_DOWN:
        case NETDEV_UNREGISTER:
        case NETDEV_UNREGISTER_BATCH:
+        case NETDEV_RELEASE:
+        case NETDEV_JOIN:
                break;
        default:
                rtmsg_ifinfo(RTM_NEWLINK, dev, 0);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 7ebeed0a877c..46cbd28f40f9 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -57,6 +57,7 @@
 #include <linux/init.h>
 #include <linux/scatterlist.h>
 #include <linux/errqueue.h>
+#include <linux/prefetch.h>
 #include <net/protocol.h>
 #include <net/dst.h>
@@ -2993,6 +2994,9 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
        skb->destructor = sock_rmem_free;
        atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+        /* before exiting rcu section, make sure dst is refcounted */
+        skb_dst_force(skb);
        skb_queue_tail(&sk->sk_error_queue, skb);
        if (!sock_flag(sk, SOCK_DEAD))
                sk->sk_data_ready(sk, skb->len);
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 385b6095fdc4..77a65f031488 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -17,6 +17,7 @@
 #include <net/ip.h>
 #include <net/sock.h>
+#include <net/net_ratelimit.h>
 #ifdef CONFIG_RPS
 static int rps_sock_flow_sysctl(ctl_table *table, int write,
@@ -122,6 +123,15 @@ static struct ctl_table net_core_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
+#ifdef CONFIG_BPF_JIT
+        {
+                .procname       = "bpf_jit_enable",
+                .data           = &bpf_jit_enable,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec
+        },
+#endif
        {
                .procname       = "netdev_tstamp_prequeue",
                .data           = &netdev_tstamp_prequeue,
diff --git a/net/core/utils.c b/net/core/utils.c
index 5fea0ab21902..386e263f6066 100644
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -27,6 +27,7 @@
 #include <linux/ratelimit.h>
 #include <net/sock.h>
+#include <net/net_ratelimit.h>
 #include <asm/byteorder.h>
 #include <asm/system.h>
@@ -296,3 +297,27 @@ void inet_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
                                csum_unfold(*sum)));
 }
 EXPORT_SYMBOL(inet_proto_csum_replace4);
+int mac_pton(const char *s, u8 *mac)
+{
+        int i;
+        /* XX:XX:XX:XX:XX:XX */
+        if (strlen(s) < 3 * ETH_ALEN - 1)
+                return 0;
+        /* Don't dirty result unless string is valid MAC. */
+        for (i = 0; i < ETH_ALEN; i++) {
+                if (!strchr("0123456789abcdefABCDEF", s[i * 3]))
+                        return 0;
+                if (!strchr("0123456789abcdefABCDEF", s[i * 3 + 1]))
+                        return 0;
+                if (i != ETH_ALEN - 1 && s[i * 3 + 2] != ':')
+                        return 0;
+        }
+        for (i = 0; i < ETH_ALEN; i++) {
+                mac[i] = (hex_to_bin(s[i * 3]) << 4) | hex_to_bin(s[i * 3 + 1]);
+        }
+        return 1;
+}
+EXPORT_SYMBOL(mac_pton);
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index ae451c6d83ba..8c36adfd1919 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -40,13 +40,15 @@
 int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
+        const struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
        struct inet_sock *inet = inet_sk(sk);
        struct dccp_sock *dp = dccp_sk(sk);
-        const struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
        __be16 orig_sport, orig_dport;
-        struct rtable *rt;
        __be32 daddr, nexthop;
+        struct flowi4 *fl4;
+        struct rtable *rt;
        int err;
+        struct ip_options_rcu *inet_opt;
        dp->dccps_role = DCCP_ROLE_CLIENT;
@@ -57,15 +59,19 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                return -EAFNOSUPPORT;
        nexthop = daddr = usin->sin_addr.s_addr;
-        if (inet->opt != NULL && inet->opt->srr) {
+        inet_opt = rcu_dereference_protected(inet->inet_opt,
+                                             sock_owned_by_user(sk));
+        if (inet_opt != NULL && inet_opt->opt.srr) {
                if (daddr == 0)
                        return -EINVAL;
-                nexthop = inet->opt->faddr;
+                nexthop = inet_opt->opt.faddr;
        }
        orig_sport = inet->inet_sport;
        orig_dport = usin->sin_port;
-        rt = ip_route_connect(nexthop, inet->inet_saddr,
+        fl4 = &inet->cork.fl.u.ip4;
+        rt = ip_route_connect(fl4, nexthop, inet->inet_saddr,
                              RT_CONN_FLAGS(sk), sk->sk_bound_dev_if,
                              IPPROTO_DCCP,
                              orig_sport, orig_dport, sk, true);
@@ -77,19 +83,19 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                return -ENETUNREACH;
        }
-        if (inet->opt == NULL || !inet->opt->srr)
+        if (inet_opt == NULL || !inet_opt->opt.srr)
-                daddr = rt->rt_dst;
+                daddr = fl4->daddr;
        if (inet->inet_saddr == 0)
-                inet->inet_saddr = rt->rt_src;
+                inet->inet_saddr = fl4->saddr;
        inet->inet_rcv_saddr = inet->inet_saddr;
        inet->inet_dport = usin->sin_port;
        inet->inet_daddr = daddr;
        inet_csk(sk)->icsk_ext_hdr_len = 0;
-        if (inet->opt != NULL)
+        if (inet_opt)
-                inet_csk(sk)->icsk_ext_hdr_len = inet->opt->optlen;
+                inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
        /*
         * Socket identity is still unknown (sport may be zero).
         * However we set state to DCCP_REQUESTING and not releasing socket
@@ -101,8 +107,7 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        if (err != 0)
                goto failure;
-        rt = ip_route_newports(rt, IPPROTO_DCCP,
+        rt = ip_route_newports(fl4, rt, orig_sport, orig_dport,
-                               orig_sport, orig_dport,
                               inet->inet_sport, inet->inet_dport, sk);
        if (IS_ERR(rt)) {
                rt = NULL;
@@ -391,32 +396,30 @@ struct sock *dccp_v4_request_recv_sock(struct sock *sk, struct sk_buff *skb,
        if (sk_acceptq_is_full(sk))
                goto exit_overflow;
-        if (dst == NULL && (dst = inet_csk_route_req(sk, req)) == NULL)
-                goto exit;
        newsk = dccp_create_openreq_child(sk, req, skb);
        if (newsk == NULL)
                goto exit_nonewsk;
-        sk_setup_caps(newsk, dst);
        newinet            = inet_sk(newsk);
        ireq               = inet_rsk(req);
        newinet->inet_daddr     = ireq->rmt_addr;
        newinet->inet_rcv_saddr = ireq->loc_addr;
        newinet->inet_saddr     = ireq->loc_addr;
-        newinet->opt       = ireq->opt;
+        newinet->inet_opt       = ireq->opt;
        ireq->opt          = NULL;
        newinet->mc_index  = inet_iif(skb);
        newinet->mc_ttl    = ip_hdr(skb)->ttl;
        newinet->inet_id   = jiffies;
+        if (dst == NULL && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL)
+                goto put_and_exit;
+        sk_setup_caps(newsk, dst);
        dccp_sync_mss(newsk, dst_mtu(dst));
-        if (__inet_inherit_port(sk, newsk) < 0) {
+        if (__inet_inherit_port(sk, newsk) < 0)
-                sock_put(newsk);
+                goto put_and_exit;
-                goto exit;
-        }
        __inet_hash_nolisten(newsk, NULL);
        return newsk;
@@ -428,6 +431,9 @@ exit_nonewsk:
 exit:
        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
        return NULL;
+put_and_exit:
+        sock_put(newsk);
+        goto exit;
 }
 EXPORT_SYMBOL_GPL(dccp_v4_request_recv_sock);
@@ -491,8 +497,9 @@ static int dccp_v4_send_response(struct sock *sk, struct request_sock *req,
        int err = -1;
        struct sk_buff *skb;
        struct dst_entry *dst;
+        struct flowi4 fl4;
-        dst = inet_csk_route_req(sk, req);
+        dst = inet_csk_route_req(sk, &fl4, req);
        if (dst == NULL)
                goto out;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index de1b7e37ad5b..8dc4348774a5 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -54,8 +54,8 @@ static void dccp_v6_hash(struct sock *sk)
 /* add pseudo-header to DCCP checksum stored in skb->csum */
 static inline __sum16 dccp_v6_csum_finish(struct sk_buff *skb,
-                                      struct in6_addr *saddr,
+                                      const struct in6_addr *saddr,
-                                      struct in6_addr *daddr)
+                                      const struct in6_addr *daddr)
 {
        return csum_ipv6_magic(saddr, daddr, skb->len, IPPROTO_DCCP, skb->csum);
 }
@@ -87,7 +87,7 @@ static inline __u32 dccp_v6_init_sequence(struct sk_buff *skb)
 static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                        u8 type, u8 code, int offset, __be32 info)
 {
-        struct ipv6hdr *hdr = (struct ipv6hdr *)skb->data;
+        const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
        const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
        struct dccp_sock *dp;
        struct ipv6_pinfo *np;
@@ -296,7 +296,7 @@ static void dccp_v6_reqsk_destructor(struct request_sock *req)
 static void dccp_v6_ctl_send_reset(struct sock *sk, struct sk_buff *rxskb)
 {
-        struct ipv6hdr *rxip6h;
+        const struct ipv6hdr *rxip6h;
        struct sk_buff *skb;
        struct flowi6 fl6;
        struct net *net = dev_net(skb_dst(rxskb)->dev);
@@ -573,7 +573,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
           First: no IPv4 options.
         */
-        newinet->opt = NULL;
+        newinet->inet_opt = NULL;
        /* Clone RX bits */
        newnp->rxopt.all = np->rxopt.all;
diff --git a/net/dccp/output.c b/net/dccp/output.c
index 136d41cbcd02..fab108e51e5a 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -43,7 +43,7 @@ static void dccp_skb_entail(struct sock *sk, struct sk_buff *skb)
 static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
 {
        if (likely(skb != NULL)) {
-                const struct inet_sock *inet = inet_sk(sk);
+                struct inet_sock *inet = inet_sk(sk);
                const struct inet_connection_sock *icsk = inet_csk(sk);
                struct dccp_sock *dp = dccp_sk(sk);
                struct dccp_skb_cb *dcb = DCCP_SKB_CB(skb);
@@ -136,7 +136,7 @@ static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
                DCCP_INC_STATS(DCCP_MIB_OUTSEGS);
-                err = icsk->icsk_af_ops->queue_xmit(skb);
+                err = icsk->icsk_af_ops->queue_xmit(skb, &inet->cork.fl);
                return net_xmit_eval(err);
        }
        return -ENOBUFS;
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
index 0dcaa903e00e..cf26ac74a188 100644
--- a/net/decnet/dn_dev.c
+++ b/net/decnet/dn_dev.c
@@ -332,14 +332,9 @@ static struct dn_ifaddr *dn_dev_alloc_ifa(void)
        return ifa;
 }
-static void dn_dev_free_ifa_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct dn_ifaddr, rcu));
-}
 static void dn_dev_free_ifa(struct dn_ifaddr *ifa)
 {
-        call_rcu(&ifa->rcu, dn_dev_free_ifa_rcu);
+        kfree_rcu(ifa, rcu);
 }
 static void dn_dev_del_ifa(struct dn_dev *dn_db, struct dn_ifaddr __rcu **ifap, int destroy)
@@ -752,7 +747,8 @@ static int dn_nl_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
        skip_naddr = cb->args[1];
        idx = 0;
-        for_each_netdev(&init_net, dev) {
+        rcu_read_lock();
+        for_each_netdev_rcu(&init_net, dev) {
                if (idx < skip_ndevs)
                        goto cont;
                else if (idx > skip_ndevs) {
@@ -761,11 +757,11 @@ static int dn_nl_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
                        skip_naddr = 0;
                }
-                if ((dn_db = rtnl_dereference(dev->dn_ptr)) == NULL)
+                if ((dn_db = rcu_dereference(dev->dn_ptr)) == NULL)
                        goto cont;
-                for (ifa = rtnl_dereference(dn_db->ifa_list), dn_idx = 0; ifa;
+                for (ifa = rcu_dereference(dn_db->ifa_list), dn_idx = 0; ifa;
-                     ifa = rtnl_dereference(ifa->ifa_next), dn_idx++) {
+                     ifa = rcu_dereference(ifa->ifa_next), dn_idx++) {
                        if (dn_idx < skip_naddr)
                                continue;
@@ -778,6 +774,7 @@ cont:
                idx++;
        }
 done:
+        rcu_read_unlock();
        cb->args[0] = idx;
        cb->args[1] = dn_idx;
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index 9f09d4fc2880..74544bc6fdec 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -1125,13 +1125,11 @@ make_route:
        if (dev_out->flags & IFF_LOOPBACK)
                flags |= RTCF_LOCAL;
-        rt = dst_alloc(&dn_dst_ops, 0);
+        rt = dst_alloc(&dn_dst_ops, dev_out, 1, 0, DST_HOST);
        if (rt == NULL)
                goto e_nobufs;
-        atomic_set(&rt->dst.__refcnt, 1);
+        memset(&rt->fld, 0, sizeof(rt->fld));
-        rt->dst.flags   = DST_HOST;
        rt->fld.saddr        = oldflp->saddr;
        rt->fld.daddr        = oldflp->daddr;
        rt->fld.flowidn_oif  = oldflp->flowidn_oif;
@@ -1146,8 +1144,6 @@ make_route:
        rt->rt_dst_map    = fld.daddr;
        rt->rt_src_map    = fld.saddr;
-        rt->dst.dev = dev_out;
-        dev_hold(dev_out);
        rt->dst.neighbour = neigh;
        neigh = NULL;
@@ -1399,10 +1395,11 @@ static int dn_route_input_slow(struct sk_buff *skb)
        }
 make_route:
-        rt = dst_alloc(&dn_dst_ops, 0);
+        rt = dst_alloc(&dn_dst_ops, out_dev, 0, 0, DST_HOST);
        if (rt == NULL)
                goto e_nobufs;
+        memset(&rt->fld, 0, sizeof(rt->fld));
        rt->rt_saddr      = fld.saddr;
        rt->rt_daddr      = fld.daddr;
        rt->rt_gateway    = fld.daddr;
@@ -1419,9 +1416,7 @@ make_route:
        rt->fld.flowidn_iif  = in_dev->ifindex;
        rt->fld.flowidn_mark = fld.flowidn_mark;
-        rt->dst.flags = DST_HOST;
        rt->dst.neighbour = neigh;
-        rt->dst.dev = out_dev;
        rt->dst.lastuse = jiffies;
        rt->dst.output = dn_rt_bug;
        switch(res.type) {
@@ -1440,8 +1435,6 @@ make_route:
                        rt->dst.input = dst_discard;
        }
        rt->rt_flags = flags;
-        if (rt->dst.dev)
-                dev_hold(rt->dst.dev);
        err = dn_rt_set_next_hop(rt, &res);
        if (err)
diff --git a/net/decnet/dn_table.c b/net/decnet/dn_table.c
index 99d8d3a40998..bd0a52dd1d40 100644
--- a/net/decnet/dn_table.c
+++ b/net/decnet/dn_table.c
@@ -123,11 +123,11 @@ static inline void dn_rebuild_zone(struct dn_zone *dz,
                                   struct dn_fib_node **old_ht,
                                   int old_divisor)
 {
-        int i;
        struct dn_fib_node *f, **fp, *next;
+        int i;
        for(i = 0; i < old_divisor; i++) {
-                for(f = old_ht[i]; f; f = f->fn_next) {
+                for(f = old_ht[i]; f; f = next) {
                        next = f->fn_next;
                        for(fp = dn_chain_p(f->fn_key, dz);
                                *fp && dn_key_leq((*fp)->fn_key, f->fn_key);
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index cfa7a5e1c5c9..fa000d26dc60 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -212,10 +212,12 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
        int err = key->type_data.x[0];
        seq_puts(m, key->description);
-        if (err)
+        if (key_is_instantiated(key)) {
-                seq_printf(m, ": %d", err);
+                if (err)
-        else
+                        seq_printf(m, ": %d", err);
-                seq_printf(m, ": %u", key->datalen);
+                else
+                        seq_printf(m, ": %u", key->datalen);
+        }
 }
 /*
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 64ca2a6fa0d4..0a47b6c37038 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -288,7 +288,6 @@ static const struct ethtool_ops dsa_slave_ethtool_ops = {
        .get_drvinfo            = dsa_slave_get_drvinfo,
        .nway_reset             = dsa_slave_nway_reset,
        .get_link               = dsa_slave_get_link,
-        .set_sg                 = ethtool_op_set_sg,
        .get_strings            = dsa_slave_get_strings,
        .get_ethtool_stats      = dsa_slave_get_ethtool_stats,
        .get_sset_count         = dsa_slave_get_sset_count,
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 116d3fd3d669..a1d9f3787dd5 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -935,7 +935,6 @@ static void aun_data_available(struct sock *sk, int slen)
        struct sk_buff *skb;
        unsigned char *data;
        struct aunhdr *ah;
-        struct iphdr *ip;
        size_t len;
        while ((skb = skb_recv_datagram(sk, 0, 1, &err)) == NULL) {
@@ -949,7 +948,6 @@ static void aun_data_available(struct sock *sk, int slen)
        data = skb_transport_header(skb) + sizeof(struct udphdr);
        ah = (struct aunhdr *)data;
        len = skb->len - sizeof(struct udphdr);
-        ip = ip_hdr(skb);
        switch (ah->code)
        {
@@ -962,12 +960,6 @@ static void aun_data_available(struct sock *sk, int slen)
        case 4:
                aun_tx_ack(ah->handle, ECTYPE_TRANSMIT_NOT_LISTENING);
                break;
-#if 0
-                /* This isn't quite right yet. */
-        case 5:
-                aun_send_response(ip->saddr, ah->handle, 6, ah->cb);
-                break;
-#endif
        default:
                printk(KERN_DEBUG "unknown AUN packet (type %d)\n", data[0]);
        }
diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
index ed0eab39f531..02548b292b53 100644
--- a/net/ieee802154/nl-phy.c
+++ b/net/ieee802154/nl-phy.c
@@ -44,7 +44,7 @@ static int ieee802154_nl_fill_phy(struct sk_buff *msg, u32 pid,
        pr_debug("%s\n", __func__);
        if (!buf)
-                goto out;
+                return -EMSGSIZE;
        hdr = genlmsg_put(msg, 0, seq, &nl802154_family, flags,
                IEEE802154_LIST_PHY);
@@ -65,6 +65,7 @@ static int ieee802154_nl_fill_phy(struct sk_buff *msg, u32 pid,
                                pages * sizeof(uint32_t), buf);
        mutex_unlock(&phy->pib_lock);
+        kfree(buf);
        return genlmsg_end(msg, hdr);
 nla_put_failure:
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index 0dc772d0d125..f2dc69cffb57 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -11,7 +11,7 @@ obj-y     := route.o inetpeer.o protocol.o \
             datagram.o raw.o udp.o udplite.o \
             arp.o icmp.o devinet.o af_inet.o  igmp.o \
             fib_frontend.o fib_semantics.o fib_trie.o \
-             inet_fragment.o
+             inet_fragment.o ping.o
 obj-$(CONFIG_SYSCTL) += sysctl_net_ipv4.o
 obj-$(CONFIG_PROC_FS) += proc.o
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 807d83c02ef6..ef1528af7abf 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -105,6 +105,7 @@
 #include <net/tcp.h>
 #include <net/udp.h>
 #include <net/udplite.h>
+#include <net/ping.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <net/raw.h>
@@ -153,7 +154,7 @@ void inet_sock_destruct(struct sock *sk)
        WARN_ON(sk->sk_wmem_queued);
        WARN_ON(sk->sk_forward_alloc);
-        kfree(inet->opt);
+        kfree(rcu_dereference_protected(inet->inet_opt, 1));
        dst_release(rcu_dereference_check(sk->sk_dst_cache, 1));
        sk_refcnt_debug_dec(sk);
 }
@@ -464,6 +465,11 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        if (addr_len < sizeof(struct sockaddr_in))
                goto out;
+        if (addr->sin_family != AF_INET) {
+                err = -EAFNOSUPPORT;
+                goto out;
+        }
        chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
        /* Not specified by any standard per-se, however it breaks too
@@ -672,6 +678,7 @@ int inet_accept(struct socket *sock, struct socket *newsock, int flags)
        lock_sock(sk2);
+        sock_rps_record_flow(sk2);
        WARN_ON(!((1 << sk2->sk_state) &
                  (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT | TCPF_CLOSE)));
@@ -1008,6 +1015,14 @@ static struct inet_protosw inetsw_array[] =
                .flags =      INET_PROTOSW_PERMANENT,
       },
+       {
+                .type =       SOCK_DGRAM,
+                .protocol =   IPPROTO_ICMP,
+                .prot =       &ping_prot,
+                .ops =        &inet_dgram_ops,
+                .no_check =   UDP_CSUM_DEFAULT,
+                .flags =      INET_PROTOSW_REUSE,
+       },
       {
               .type =       SOCK_RAW,
@@ -1103,14 +1118,19 @@ static int inet_sk_reselect_saddr(struct sock *sk)
        struct inet_sock *inet = inet_sk(sk);
        __be32 old_saddr = inet->inet_saddr;
        __be32 daddr = inet->inet_daddr;
+        struct flowi4 *fl4;
        struct rtable *rt;
        __be32 new_saddr;
+        struct ip_options_rcu *inet_opt;
-        if (inet->opt && inet->opt->srr)
+        inet_opt = rcu_dereference_protected(inet->inet_opt,
-                daddr = inet->opt->faddr;
+                                             sock_owned_by_user(sk));
+        if (inet_opt && inet_opt->opt.srr)
+                daddr = inet_opt->opt.faddr;
        /* Query new route. */
-        rt = ip_route_connect(daddr, 0, RT_CONN_FLAGS(sk),
+        fl4 = &inet->cork.fl.u.ip4;
+        rt = ip_route_connect(fl4, daddr, 0, RT_CONN_FLAGS(sk),
                              sk->sk_bound_dev_if, sk->sk_protocol,
                              inet->inet_sport, inet->inet_dport, sk, false);
        if (IS_ERR(rt))
@@ -1118,7 +1138,7 @@ static int inet_sk_reselect_saddr(struct sock *sk)
        sk_setup_caps(sk, &rt->dst);
-        new_saddr = rt->rt_src;
+        new_saddr = fl4->saddr;
        if (new_saddr == old_saddr)
                return 0;
@@ -1147,6 +1167,8 @@ int inet_sk_rebuild_header(struct sock *sk)
        struct inet_sock *inet = inet_sk(sk);
        struct rtable *rt = (struct rtable *)__sk_dst_check(sk, 0);
        __be32 daddr;
+        struct ip_options_rcu *inet_opt;
+        struct flowi4 *fl4;
        int err;
        /* Route is OK, nothing to do. */
@@ -1154,10 +1176,14 @@ int inet_sk_rebuild_header(struct sock *sk)
                return 0;
        /* Reroute. */
+        rcu_read_lock();
+        inet_opt = rcu_dereference(inet->inet_opt);
        daddr = inet->inet_daddr;
-        if (inet->opt && inet->opt->srr)
+        if (inet_opt && inet_opt->opt.srr)
-                daddr = inet->opt->faddr;
+                daddr = inet_opt->opt.faddr;
-        rt = ip_route_output_ports(sock_net(sk), sk, daddr, inet->inet_saddr,
+        rcu_read_unlock();
+        fl4 = &inet->cork.fl.u.ip4;
+        rt = ip_route_output_ports(sock_net(sk), fl4, sk, daddr, inet->inet_saddr,
                                   inet->inet_dport, inet->inet_sport,
                                   sk->sk_protocol, RT_CONN_FLAGS(sk),
                                   sk->sk_bound_dev_if);
@@ -1186,7 +1212,7 @@ EXPORT_SYMBOL(inet_sk_rebuild_header);
 static int inet_gso_send_check(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        const struct net_protocol *ops;
        int proto;
        int ihl;
@@ -1293,7 +1319,7 @@ static struct sk_buff **inet_gro_receive(struct sk_buff **head,
        const struct net_protocol *ops;
        struct sk_buff **pp = NULL;
        struct sk_buff *p;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        unsigned int hlen;
        unsigned int off;
        unsigned int id;
@@ -1516,6 +1542,7 @@ static const struct net_protocol udp_protocol = {
 static const struct net_protocol icmp_protocol = {
        .handler =      icmp_rcv,
+        .err_handler =  ping_err,
        .no_policy =    1,
        .netns_ok =     1,
 };
@@ -1631,6 +1658,10 @@ static int __init inet_init(void)
        if (rc)
                goto out_unregister_udp_proto;
+        rc = proto_register(&ping_prot, 1);
+        if (rc)
+                goto out_unregister_raw_proto;
        /*
         *      Tell SOCKET that we are alive...
         */
@@ -1686,6 +1717,8 @@ static int __init inet_init(void)
        /* Add UDP-Lite (RFC 3828) */
        udplite4_register();
+        ping_init();
        /*
         *      Set the ICMP layer up
         */
@@ -1716,6 +1749,8 @@ static int __init inet_init(void)
        rc = 0;
 out:
        return rc;
+out_unregister_raw_proto:
+        proto_unregister(&raw_prot);
 out_unregister_udp_proto:
        proto_unregister(&udp_prot);
 out_unregister_tcp_proto:
@@ -1740,11 +1775,15 @@ static int __init ipv4_proc_init(void)
                goto out_tcp;
        if (udp4_proc_init())
                goto out_udp;
+        if (ping_proc_init())
+                goto out_ping;
        if (ip_misc_proc_init())
                goto out_misc;
 out:
        return rc;
 out_misc:
+        ping_proc_exit();
+out_ping:
        udp4_proc_exit();
 out_udp:
        tcp4_proc_exit();
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index 4286fd3cc0e2..c1f4154552fc 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -73,7 +73,7 @@ static inline struct scatterlist *ah_req_sg(struct crypto_ahash *ahash,
 * into IP header for icv calculation. Options are already checked
 * for validity, so paranoia is not required. */
-static int ip_clear_mutable_options(struct iphdr *iph, __be32 *daddr)
+static int ip_clear_mutable_options(const struct iphdr *iph, __be32 *daddr)
 {
        unsigned char * optptr = (unsigned char*)(iph+1);
        int  l = iph->ihl*4 - sizeof(struct iphdr);
@@ -396,7 +396,7 @@ out:
 static void ah4_err(struct sk_buff *skb, u32 info)
 {
        struct net *net = dev_net(skb->dev);
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct ip_auth_hdr *ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
        struct xfrm_state *x;
@@ -404,7 +404,8 @@ static void ah4_err(struct sk_buff *skb, u32 info)
            icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
                return;
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              ah->spi, IPPROTO_AH, AF_INET);
        if (!x)
                return;
        printk(KERN_DEBUG "pmtu discovery on SA AH/%08x/%08x\n",
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index a0af7ea87870..2b3c23c287cd 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1857,6 +1857,11 @@ static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,
        return CIPSO_V4_HDR_LEN + ret_val;
 }
+static void opt_kfree_rcu(struct rcu_head *head)
+{
+        kfree(container_of(head, struct ip_options_rcu, rcu));
+}
 /**
 * cipso_v4_sock_setattr - Add a CIPSO option to a socket
 * @sk: the socket
@@ -1879,7 +1884,7 @@ int cipso_v4_sock_setattr(struct sock *sk,
        unsigned char *buf = NULL;
        u32 buf_len;
        u32 opt_len;
-        struct ip_options *opt = NULL;
+        struct ip_options_rcu *old, *opt = NULL;
        struct inet_sock *sk_inet;
        struct inet_connection_sock *sk_conn;
@@ -1915,22 +1920,25 @@ int cipso_v4_sock_setattr(struct sock *sk,
                ret_val = -ENOMEM;
                goto socket_setattr_failure;
        }
-        memcpy(opt->__data, buf, buf_len);
+        memcpy(opt->opt.__data, buf, buf_len);
-        opt->optlen = opt_len;
+        opt->opt.optlen = opt_len;
-        opt->cipso = sizeof(struct iphdr);
+        opt->opt.cipso = sizeof(struct iphdr);
        kfree(buf);
        buf = NULL;
        sk_inet = inet_sk(sk);
+        old = rcu_dereference_protected(sk_inet->inet_opt, sock_owned_by_user(sk));
        if (sk_inet->is_icsk) {
                sk_conn = inet_csk(sk);
-                if (sk_inet->opt)
+                if (old)
-                        sk_conn->icsk_ext_hdr_len -= sk_inet->opt->optlen;
+                        sk_conn->icsk_ext_hdr_len -= old->opt.optlen;
-                sk_conn->icsk_ext_hdr_len += opt->optlen;
+                sk_conn->icsk_ext_hdr_len += opt->opt.optlen;
                sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
        }
-        opt = xchg(&sk_inet->opt, opt);
+        rcu_assign_pointer(sk_inet->inet_opt, opt);
-        kfree(opt);
+        if (old)
+                call_rcu(&old->rcu, opt_kfree_rcu);
        return 0;
@@ -1960,7 +1968,7 @@ int cipso_v4_req_setattr(struct request_sock *req,
        unsigned char *buf = NULL;
        u32 buf_len;
        u32 opt_len;
-        struct ip_options *opt = NULL;
+        struct ip_options_rcu *opt = NULL;
        struct inet_request_sock *req_inet;
        /* We allocate the maximum CIPSO option size here so we are probably
@@ -1988,15 +1996,16 @@ int cipso_v4_req_setattr(struct request_sock *req,
                ret_val = -ENOMEM;
                goto req_setattr_failure;
        }
-        memcpy(opt->__data, buf, buf_len);
+        memcpy(opt->opt.__data, buf, buf_len);
-        opt->optlen = opt_len;
+        opt->opt.optlen = opt_len;
-        opt->cipso = sizeof(struct iphdr);
+        opt->opt.cipso = sizeof(struct iphdr);
        kfree(buf);
        buf = NULL;
        req_inet = inet_rsk(req);
        opt = xchg(&req_inet->opt, opt);
-        kfree(opt);
+        if (opt)
+                call_rcu(&opt->rcu, opt_kfree_rcu);
        return 0;
@@ -2016,34 +2025,34 @@ req_setattr_failure:
 * values on failure.
 *
 */
-static int cipso_v4_delopt(struct ip_options **opt_ptr)
+static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr)
 {
        int hdr_delta = 0;
-        struct ip_options *opt = *opt_ptr;
+        struct ip_options_rcu *opt = *opt_ptr;
-        if (opt->srr || opt->rr || opt->ts || opt->router_alert) {
+        if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) {
                u8 cipso_len;
                u8 cipso_off;
                unsigned char *cipso_ptr;
                int iter;
                int optlen_new;
-                cipso_off = opt->cipso - sizeof(struct iphdr);
+                cipso_off = opt->opt.cipso - sizeof(struct iphdr);
-                cipso_ptr = &opt->__data[cipso_off];
+                cipso_ptr = &opt->opt.__data[cipso_off];
                cipso_len = cipso_ptr[1];
-                if (opt->srr > opt->cipso)
+                if (opt->opt.srr > opt->opt.cipso)
-                        opt->srr -= cipso_len;
+                        opt->opt.srr -= cipso_len;
-                if (opt->rr > opt->cipso)
+                if (opt->opt.rr > opt->opt.cipso)
-                        opt->rr -= cipso_len;
+                        opt->opt.rr -= cipso_len;
-                if (opt->ts > opt->cipso)
+                if (opt->opt.ts > opt->opt.cipso)
-                        opt->ts -= cipso_len;
+                        opt->opt.ts -= cipso_len;
-                if (opt->router_alert > opt->cipso)
+                if (opt->opt.router_alert > opt->opt.cipso)
-                        opt->router_alert -= cipso_len;
+                        opt->opt.router_alert -= cipso_len;
-                opt->cipso = 0;
+                opt->opt.cipso = 0;
                memmove(cipso_ptr, cipso_ptr + cipso_len,
-                        opt->optlen - cipso_off - cipso_len);
+                        opt->opt.optlen - cipso_off - cipso_len);
                /* determining the new total option length is tricky because of
                 * the padding necessary, the only thing i can think to do at
@@ -2052,21 +2061,21 @@ static int cipso_v4_delopt(struct ip_options **opt_ptr)
                 * from there we can determine the new total option length */
                iter = 0;
                optlen_new = 0;
-                while (iter < opt->optlen)
+                while (iter < opt->opt.optlen)
-                        if (opt->__data[iter] != IPOPT_NOP) {
+                        if (opt->opt.__data[iter] != IPOPT_NOP) {
-                                iter += opt->__data[iter + 1];
+                                iter += opt->opt.__data[iter + 1];
                                optlen_new = iter;
                        } else
                                iter++;
-                hdr_delta = opt->optlen;
+                hdr_delta = opt->opt.optlen;
-                opt->optlen = (optlen_new + 3) & ~3;
+                opt->opt.optlen = (optlen_new + 3) & ~3;
-                hdr_delta -= opt->optlen;
+                hdr_delta -= opt->opt.optlen;
        } else {
                /* only the cipso option was present on the socket so we can
                 * remove the entire option struct */
                *opt_ptr = NULL;
-                hdr_delta = opt->optlen;
+                hdr_delta = opt->opt.optlen;
-                kfree(opt);
+                call_rcu(&opt->rcu, opt_kfree_rcu);
        }
        return hdr_delta;
@@ -2083,15 +2092,15 @@ static int cipso_v4_delopt(struct ip_options **opt_ptr)
 void cipso_v4_sock_delattr(struct sock *sk)
 {
        int hdr_delta;
-        struct ip_options *opt;
+        struct ip_options_rcu *opt;
        struct inet_sock *sk_inet;
        sk_inet = inet_sk(sk);
-        opt = sk_inet->opt;
+        opt = rcu_dereference_protected(sk_inet->inet_opt, 1);
-        if (opt == NULL || opt->cipso == 0)
+        if (opt == NULL || opt->opt.cipso == 0)
                return;
-        hdr_delta = cipso_v4_delopt(&sk_inet->opt);
+        hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt);
        if (sk_inet->is_icsk && hdr_delta > 0) {
                struct inet_connection_sock *sk_conn = inet_csk(sk);
                sk_conn->icsk_ext_hdr_len -= hdr_delta;
@@ -2109,12 +2118,12 @@ void cipso_v4_sock_delattr(struct sock *sk)
 */
 void cipso_v4_req_delattr(struct request_sock *req)
 {
-        struct ip_options *opt;
+        struct ip_options_rcu *opt;
        struct inet_request_sock *req_inet;
        req_inet = inet_rsk(req);
        opt = req_inet->opt;
-        if (opt == NULL || opt->cipso == 0)
+        if (opt == NULL || opt->opt.cipso == 0)
                return;
        cipso_v4_delopt(&req_inet->opt);
@@ -2184,14 +2193,18 @@ getattr_return:
 */
 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
 {
-        struct ip_options *opt;
+        struct ip_options_rcu *opt;
+        int res = -ENOMSG;
-        opt = inet_sk(sk)->opt;
+        rcu_read_lock();
-        if (opt == NULL || opt->cipso == 0)
+        opt = rcu_dereference(inet_sk(sk)->inet_opt);
-                return -ENOMSG;
+        if (opt && opt->opt.cipso)
+                res = cipso_v4_getattr(opt->opt.__data +
-        return cipso_v4_getattr(opt->__data + opt->cipso - sizeof(struct iphdr),
+                                                opt->opt.cipso -
-                                secattr);
+                                                sizeof(struct iphdr),
+                                       secattr);
+        rcu_read_unlock();
+        return res;
 }
 /**
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index 85bd24ca4f6d..424fafbc8cb0 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -24,6 +24,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct sockaddr_in *usin = (struct sockaddr_in *) uaddr;
+        struct flowi4 *fl4;
        struct rtable *rt;
        __be32 saddr;
        int oif;
@@ -38,6 +39,8 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        sk_dst_reset(sk);
+        lock_sock(sk);
        oif = sk->sk_bound_dev_if;
        saddr = inet->inet_saddr;
        if (ipv4_is_multicast(usin->sin_addr.s_addr)) {
@@ -46,7 +49,8 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                if (!saddr)
                        saddr = inet->mc_addr;
        }
-        rt = ip_route_connect(usin->sin_addr.s_addr, saddr,
+        fl4 = &inet->cork.fl.u.ip4;
+        rt = ip_route_connect(fl4, usin->sin_addr.s_addr, saddr,
                              RT_CONN_FLAGS(sk), oif,
                              sk->sk_protocol,
                              inet->inet_sport, usin->sin_port, sk, true);
@@ -54,26 +58,30 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                err = PTR_ERR(rt);
                if (err == -ENETUNREACH)
                        IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
-                return err;
+                goto out;
        }
        if ((rt->rt_flags & RTCF_BROADCAST) && !sock_flag(sk, SOCK_BROADCAST)) {
                ip_rt_put(rt);
-                return -EACCES;
+                err = -EACCES;
+                goto out;
        }
        if (!inet->inet_saddr)
-                inet->inet_saddr = rt->rt_src;  /* Update source address */
+                inet->inet_saddr = fl4->saddr;  /* Update source address */
        if (!inet->inet_rcv_saddr) {
-                inet->inet_rcv_saddr = rt->rt_src;
+                inet->inet_rcv_saddr = fl4->saddr;
                if (sk->sk_prot->rehash)
                        sk->sk_prot->rehash(sk);
        }
-        inet->inet_daddr = rt->rt_dst;
+        inet->inet_daddr = fl4->daddr;
        inet->inet_dport = usin->sin_port;
        sk->sk_state = TCP_ESTABLISHED;
        inet->inet_id = jiffies;
        sk_dst_set(sk, &rt->dst);
-        return 0;
+        err = 0;
+out:
+        release_sock(sk);
+        return err;
 }
 EXPORT_SYMBOL(ip4_datagram_connect);
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index cd9ca0811cfa..0d4a184af16f 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1369,7 +1369,7 @@ errout:
 static size_t inet_get_link_af_size(const struct net_device *dev)
 {
-        struct in_device *in_dev = __in_dev_get_rtnl(dev);
+        struct in_device *in_dev = rcu_dereference_rtnl(dev->ip_ptr);
        if (!in_dev)
                return 0;
@@ -1379,7 +1379,7 @@ static size_t inet_get_link_af_size(const struct net_device *dev)
 static int inet_fill_link_af(struct sk_buff *skb, const struct net_device *dev)
 {
-        struct in_device *in_dev = __in_dev_get_rtnl(dev);
+        struct in_device *in_dev = rcu_dereference_rtnl(dev->ip_ptr);
        struct nlattr *nla;
        int i;
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 03f994bcf7de..a5b413416da3 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -276,7 +276,7 @@ error:
 static int esp_input_done2(struct sk_buff *skb, int err)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct xfrm_state *x = xfrm_input_state(skb);
        struct esp_data *esp = x->data;
        struct crypto_aead *aead = esp->aead;
@@ -484,7 +484,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
 static void esp4_err(struct sk_buff *skb, u32 info)
 {
        struct net *net = dev_net(skb->dev);
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct ip_esp_hdr *esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
        struct xfrm_state *x;
@@ -492,7 +492,8 @@ static void esp4_err(struct sk_buff *skb, u32 info)
            icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
                return;
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, esph->spi, IPPROTO_ESP, AF_INET);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              esph->spi, IPPROTO_ESP, AF_INET);
        if (!x)
                return;
        NETDEBUG(KERN_DEBUG "pmtu discovery on SA ESP/%08x/%08x\n",
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 451088330bbb..22524716fe70 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -44,6 +44,7 @@
 #include <net/arp.h>
 #include <net/ip_fib.h>
 #include <net/rtnetlink.h>
+#include <net/xfrm.h>
 #ifndef CONFIG_IP_MULTIPLE_TABLES
@@ -188,9 +189,9 @@ EXPORT_SYMBOL(inet_dev_addr_type);
 * - check, that packet arrived from expected physical interface.
 * called with rcu_read_lock()
 */
-int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
+int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos,
-                        struct net_device *dev, __be32 *spec_dst,
+                        int oif, struct net_device *dev, __be32 *spec_dst,
-                        u32 *itag, u32 mark)
+                        u32 *itag)
 {
        struct in_device *in_dev;
        struct flowi4 fl4;
@@ -202,7 +203,6 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
        fl4.flowi4_oif = 0;
        fl4.flowi4_iif = oif;
-        fl4.flowi4_mark = mark;
        fl4.daddr = src;
        fl4.saddr = dst;
        fl4.flowi4_tos = tos;
@@ -212,10 +212,12 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
        in_dev = __in_dev_get_rcu(dev);
        if (in_dev) {
                no_addr = in_dev->ifa_list == NULL;
-                rpf = IN_DEV_RPFILTER(in_dev);
+                /* Ignore rp_filter for packets protected by IPsec. */
+                rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(in_dev);
                accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
-                if (mark && !IN_DEV_SRC_VMARK(in_dev))
+                fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0;
-                        fl4.flowi4_mark = 0;
        }
        if (in_dev == NULL)
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 641a5a2a9f9c..33e2c35b74b7 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -141,18 +141,8 @@ const struct fib_prop fib_props[RTN_MAX + 1] = {
        },
 };
 /* Release a nexthop info record */
-static void free_fib_info_rcu(struct rcu_head *head)
-{
-        struct fib_info *fi = container_of(head, struct fib_info, rcu);
-        if (fi->fib_metrics != (u32 *) dst_default_metrics)
-                kfree(fi->fib_metrics);
-        kfree(fi);
-}
 void free_fib_info(struct fib_info *fi)
 {
        if (fi->fib_dead == 0) {
@@ -166,7 +156,7 @@ void free_fib_info(struct fib_info *fi)
        } endfor_nexthops(fi);
        fib_info_cnt--;
        release_net(fi->fib_net);
-        call_rcu(&fi->rcu, free_fib_info_rcu);
+        kfree_rcu(fi, rcu);
 }
 void fib_release_info(struct fib_info *fi)
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 5fe9b8b41df3..58c25ea5a5c1 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -72,6 +72,7 @@
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/slab.h>
+#include <linux/prefetch.h>
 #include <net/net_namespace.h>
 #include <net/ip.h>
 #include <net/protocol.h>
@@ -126,7 +127,7 @@ struct tnode {
                struct work_struct work;
                struct tnode *tnode_free;
        };
-        struct rt_trie_node *child[0];
+        struct rt_trie_node __rcu *child[0];
 };
 #ifdef CONFIG_IP_FIB_TRIE_STATS
@@ -151,7 +152,7 @@ struct trie_stat {
 };
 struct trie {
-        struct rt_trie_node *trie;
+        struct rt_trie_node __rcu *trie;
 #ifdef CONFIG_IP_FIB_TRIE_STATS
        struct trie_use_stats stats;
 #endif
@@ -177,16 +178,29 @@ static const int sync_pages = 128;
 static struct kmem_cache *fn_alias_kmem __read_mostly;
 static struct kmem_cache *trie_leaf_kmem __read_mostly;
-static inline struct tnode *node_parent(struct rt_trie_node *node)
+/*
+ * caller must hold RTNL
+ */
+static inline struct tnode *node_parent(const struct rt_trie_node *node)
 {
-        return (struct tnode *)(node->parent & ~NODE_TYPE_MASK);
+        unsigned long parent;
+        parent = rcu_dereference_index_check(node->parent, lockdep_rtnl_is_held());
+        return (struct tnode *)(parent & ~NODE_TYPE_MASK);
 }
-static inline struct tnode *node_parent_rcu(struct rt_trie_node *node)
+/*
+ * caller must hold RCU read lock or RTNL
+ */
+static inline struct tnode *node_parent_rcu(const struct rt_trie_node *node)
 {
-        struct tnode *ret = node_parent(node);
+        unsigned long parent;
-        return rcu_dereference_rtnl(ret);
+        parent = rcu_dereference_index_check(node->parent, rcu_read_lock_held() ||
+                                                           lockdep_rtnl_is_held());
+        return (struct tnode *)(parent & ~NODE_TYPE_MASK);
 }
 /* Same as rcu_assign_pointer
@@ -198,18 +212,24 @@ static inline void node_set_parent(struct rt_trie_node *node, struct tnode *ptr)
        node->parent = (unsigned long)ptr | NODE_TYPE(node);
 }
-static inline struct rt_trie_node *tnode_get_child(struct tnode *tn, unsigned int i)
+/*
+ * caller must hold RTNL
+ */
+static inline struct rt_trie_node *tnode_get_child(const struct tnode *tn, unsigned int i)
 {
        BUG_ON(i >= 1U << tn->bits);
-        return tn->child[i];
+        return rtnl_dereference(tn->child[i]);
 }
-static inline struct rt_trie_node *tnode_get_child_rcu(struct tnode *tn, unsigned int i)
+/*
+ * caller must hold RCU read lock or RTNL
+ */
+static inline struct rt_trie_node *tnode_get_child_rcu(const struct tnode *tn, unsigned int i)
 {
-        struct rt_trie_node *ret = tnode_get_child(tn, i);
+        BUG_ON(i >= 1U << tn->bits);
-        return rcu_dereference_rtnl(ret);
+        return rcu_dereference_rtnl(tn->child[i]);
 }
 static inline int tnode_child_length(const struct tnode *tn)
@@ -350,14 +370,9 @@ static inline void free_leaf(struct leaf *l)
        call_rcu_bh(&l->rcu, __leaf_free_rcu);
 }
-static void __leaf_info_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct leaf_info, rcu));
-}
 static inline void free_leaf_info(struct leaf_info *leaf)
 {
-        call_rcu(&leaf->rcu, __leaf_info_free_rcu);
+        kfree_rcu(leaf, rcu);
 }
 static struct tnode *tnode_alloc(size_t size)
@@ -487,7 +502,7 @@ static inline void put_child(struct trie *t, struct tnode *tn, int i,
 static void tnode_put_child_reorg(struct tnode *tn, int i, struct rt_trie_node *n,
                                  int wasfull)
 {
-        struct rt_trie_node *chi = tn->child[i];
+        struct rt_trie_node *chi = rtnl_dereference(tn->child[i]);
        int isfull;
        BUG_ON(i >= 1<<tn->bits);
@@ -665,7 +680,7 @@ one_child:
                for (i = 0; i < tnode_child_length(tn); i++) {
                        struct rt_trie_node *n;
-                        n = tn->child[i];
+                        n = rtnl_dereference(tn->child[i]);
                        if (!n)
                                continue;
@@ -679,6 +694,20 @@ one_child:
        return (struct rt_trie_node *) tn;
 }
+static void tnode_clean_free(struct tnode *tn)
+{
+        int i;
+        struct tnode *tofree;
+        for (i = 0; i < tnode_child_length(tn); i++) {
+                tofree = (struct tnode *)rtnl_dereference(tn->child[i]);
+                if (tofree)
+                        tnode_free(tofree);
+        }
+        tnode_free(tn);
+}
 static struct tnode *inflate(struct trie *t, struct tnode *tn)
 {
        struct tnode *oldtnode = tn;
@@ -755,8 +784,8 @@ static struct tnode *inflate(struct trie *t, struct tnode *tn)
                inode = (struct tnode *) node;
                if (inode->bits == 1) {
-                        put_child(t, tn, 2*i, inode->child[0]);
+                        put_child(t, tn, 2*i, rtnl_dereference(inode->child[0]));
-                        put_child(t, tn, 2*i+1, inode->child[1]);
+                        put_child(t, tn, 2*i+1, rtnl_dereference(inode->child[1]));
                        tnode_free_safe(inode);
                        continue;
@@ -797,8 +826,8 @@ static struct tnode *inflate(struct trie *t, struct tnode *tn)
                size = tnode_child_length(left);
                for (j = 0; j < size; j++) {
-                        put_child(t, left, j, inode->child[j]);
+                        put_child(t, left, j, rtnl_dereference(inode->child[j]));
-                        put_child(t, right, j, inode->child[j + size]);
+                        put_child(t, right, j, rtnl_dereference(inode->child[j + size]));
                }
                put_child(t, tn, 2*i, resize(t, left));
                put_child(t, tn, 2*i+1, resize(t, right));
@@ -808,18 +837,8 @@ static struct tnode *inflate(struct trie *t, struct tnode *tn)
        tnode_free_safe(oldtnode);
        return tn;
 nomem:
-        {
+        tnode_clean_free(tn);
-                int size = tnode_child_length(tn);
+        return ERR_PTR(-ENOMEM);
-                int j;
-                for (j = 0; j < size; j++)
-                        if (tn->child[j])
-                                tnode_free((struct tnode *)tn->child[j]);
-                tnode_free(tn);
-                return ERR_PTR(-ENOMEM);
-        }
 }
 static struct tnode *halve(struct trie *t, struct tnode *tn)
@@ -890,18 +909,8 @@ static struct tnode *halve(struct trie *t, struct tnode *tn)
        tnode_free_safe(oldtnode);
        return tn;
 nomem:
-        {
+        tnode_clean_free(tn);
-                int size = tnode_child_length(tn);
+        return ERR_PTR(-ENOMEM);
-                int j;
-                for (j = 0; j < size; j++)
-                        if (tn->child[j])
-                                tnode_free((struct tnode *)tn->child[j]);
-                tnode_free(tn);
-                return ERR_PTR(-ENOMEM);
-        }
 }
 /* readside must use rcu_read_lock currently dump routines
@@ -1033,7 +1042,7 @@ static struct list_head *fib_insert_node(struct trie *t, u32 key, int plen)
        t_key cindex;
        pos = 0;
-        n = t->trie;
+        n = rtnl_dereference(t->trie);
        /* If we point to NULL, stop. Either the tree is empty and we should
         * just put a new leaf in if, or we have reached an empty child slot,
@@ -1319,6 +1328,9 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
                }
        }
+        if (!plen)
+                tb->tb_num_default++;
        list_add_tail_rcu(&new_fa->fa_list,
                          (fa ? &fa->fa_list : fa_head));
@@ -1684,6 +1696,9 @@ int fib_table_delete(struct fib_table *tb, struct fib_config *cfg)
        list_del_rcu(&fa->fa_list);
+        if (!plen)
+                tb->tb_num_default--;
        if (list_empty(fa_head)) {
                hlist_del_rcu(&li->hlist);
                free_leaf_info(li);
@@ -1756,7 +1771,7 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
                                continue;
                        if (IS_LEAF(c)) {
-                                prefetch(p->child[idx]);
+                                prefetch(rcu_dereference_rtnl(p->child[idx]));
                                return (struct leaf *) c;
                        }
@@ -1974,6 +1989,7 @@ struct fib_table *fib_trie_table(u32 id)
        tb->tb_id = id;
        tb->tb_default = -1;
+        tb->tb_num_default = 0;
        t = (struct trie *) tb->tb_data;
        memset(t, 0, sizeof(*t));
@@ -2269,7 +2285,7 @@ static void *fib_trie_seq_next(struct seq_file *seq, void *v, loff_t *pos)
        /* walk rest of this hash chain */
        h = tb->tb_id & (FIB_TABLE_HASHSZ - 1);
-        while ( (tb_node = rcu_dereference(tb->tb_hlist.next)) ) {
+        while ((tb_node = rcu_dereference(hlist_next_rcu(&tb->tb_hlist)))) {
                tb = hlist_entry(tb_node, struct fib_table, tb_hlist);
                n = fib_trie_get_first(iter, (struct trie *) tb->tb_data);
                if (n)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index e5f8a71d3a2a..5395e45dcce6 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -83,6 +83,7 @@
 #include <net/tcp.h>
 #include <net/udp.h>
 #include <net/raw.h>
+#include <net/ping.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <linux/errno.h>
@@ -108,8 +109,7 @@ struct icmp_bxm {
                __be32         times[3];
        } data;
        int head_len;
-        struct ip_options replyopts;
+        struct ip_options_data replyopts;
-        unsigned char  optbuf[40];
 };
 /* An array of errno for error messages from dest unreach. */
@@ -234,7 +234,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
 */
 static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
-                int type, int code)
+                                      struct flowi4 *fl4, int type, int code)
 {
        struct dst_entry *dst = &rt->dst;
        bool rc = true;
@@ -253,7 +253,7 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
        /* Limit if icmp type is enabled in ratemask. */
        if ((1 << type) & net->ipv4.sysctl_icmp_ratemask) {
                if (!rt->peer)
-                        rt_bind_peer(rt, 1);
+                        rt_bind_peer(rt, fl4->daddr, 1);
                rc = inet_peer_xrlim_allow(rt->peer,
                                           net->ipv4.sysctl_icmp_ratelimit);
        }
@@ -291,13 +291,14 @@ static int icmp_glue_bits(void *from, char *to, int offset, int len, int odd,
 }
 static void icmp_push_reply(struct icmp_bxm *icmp_param,
+                            struct flowi4 *fl4,
                            struct ipcm_cookie *ipc, struct rtable **rt)
 {
        struct sock *sk;
        struct sk_buff *skb;
        sk = icmp_sk(dev_net((*rt)->dst.dev));
-        if (ip_append_data(sk, icmp_glue_bits, icmp_param,
+        if (ip_append_data(sk, fl4, icmp_glue_bits, icmp_param,
                           icmp_param->data_len+icmp_param->head_len,
                           icmp_param->head_len,
                           ipc, rt, MSG_DONTWAIT) < 0) {
@@ -316,7 +317,7 @@ static void icmp_push_reply(struct icmp_bxm *icmp_param,
                                                 icmp_param->head_len, csum);
                icmph->checksum = csum_fold(csum);
                skb->ip_summed = CHECKSUM_NONE;
-                ip_push_pending_frames(sk);
+                ip_push_pending_frames(sk, fl4);
        }
 }
@@ -329,11 +330,12 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
        struct ipcm_cookie ipc;
        struct rtable *rt = skb_rtable(skb);
        struct net *net = dev_net(rt->dst.dev);
+        struct flowi4 fl4;
        struct sock *sk;
        struct inet_sock *inet;
        __be32 daddr;
-        if (ip_options_echo(&icmp_param->replyopts, skb))
+        if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb))
                return;
        sk = icmp_xmit_lock(net);
@@ -344,65 +346,60 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
        icmp_param->data.icmph.checksum = 0;
        inet->tos = ip_hdr(skb)->tos;
-        daddr = ipc.addr = rt->rt_src;
+        daddr = ipc.addr = ip_hdr(skb)->saddr;
        ipc.opt = NULL;
        ipc.tx_flags = 0;
-        if (icmp_param->replyopts.optlen) {
+        if (icmp_param->replyopts.opt.opt.optlen) {
-                ipc.opt = &icmp_param->replyopts;
+                ipc.opt = &icmp_param->replyopts.opt;
-                if (ipc.opt->srr)
+                if (ipc.opt->opt.srr)
-                        daddr = icmp_param->replyopts.faddr;
+                        daddr = icmp_param->replyopts.opt.opt.faddr;
        }
-        {
+        memset(&fl4, 0, sizeof(fl4));
-                struct flowi4 fl4 = {
+        fl4.daddr = daddr;
-                        .daddr = daddr,
+        fl4.saddr = rt->rt_spec_dst;
-                        .saddr = rt->rt_spec_dst,
+        fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);
-                        .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
+        fl4.flowi4_proto = IPPROTO_ICMP;
-                        .flowi4_proto = IPPROTO_ICMP,
+        security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
-                };
+        rt = ip_route_output_key(net, &fl4);
-                security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
+        if (IS_ERR(rt))
-                rt = ip_route_output_key(net, &fl4);
+                goto out_unlock;
-                if (IS_ERR(rt))
+        if (icmpv4_xrlim_allow(net, rt, &fl4, icmp_param->data.icmph.type,
-                        goto out_unlock;
-        }
-        if (icmpv4_xrlim_allow(net, rt, icmp_param->data.icmph.type,
                               icmp_param->data.icmph.code))
-                icmp_push_reply(icmp_param, &ipc, &rt);
+                icmp_push_reply(icmp_param, &fl4, &ipc, &rt);
        ip_rt_put(rt);
 out_unlock:
        icmp_xmit_unlock(sk);
 }
-static struct rtable *icmp_route_lookup(struct net *net, struct sk_buff *skb_in,
+static struct rtable *icmp_route_lookup(struct net *net,
-                                        struct iphdr *iph,
+                                        struct flowi4 *fl4,
+                                        struct sk_buff *skb_in,
+                                        const struct iphdr *iph,
                                        __be32 saddr, u8 tos,
                                        int type, int code,
                                        struct icmp_bxm *param)
 {
-        struct flowi4 fl4 = {
-                .daddr = (param->replyopts.srr ?
-                          param->replyopts.faddr : iph->saddr),
-                .saddr = saddr,
-                .flowi4_tos = RT_TOS(tos),
-                .flowi4_proto = IPPROTO_ICMP,
-                .fl4_icmp_type = type,
-                .fl4_icmp_code = code,
-        };
        struct rtable *rt, *rt2;
        int err;
-        security_skb_classify_flow(skb_in, flowi4_to_flowi(&fl4));
+        memset(fl4, 0, sizeof(*fl4));
-        rt = __ip_route_output_key(net, &fl4);
+        fl4->daddr = (param->replyopts.opt.opt.srr ?
+                      param->replyopts.opt.opt.faddr : iph->saddr);
+        fl4->saddr = saddr;
+        fl4->flowi4_tos = RT_TOS(tos);
+        fl4->flowi4_proto = IPPROTO_ICMP;
+        fl4->fl4_icmp_type = type;
+        fl4->fl4_icmp_code = code;
+        security_skb_classify_flow(skb_in, flowi4_to_flowi(fl4));
+        rt = __ip_route_output_key(net, fl4);
        if (IS_ERR(rt))
                return rt;
        /* No need to clone since we're just using its address. */
        rt2 = rt;
-        if (!fl4.saddr)
-                fl4.saddr = rt->rt_src;
        rt = (struct rtable *) xfrm_lookup(net, &rt->dst,
-                                           flowi4_to_flowi(&fl4), NULL, 0);
+                                           flowi4_to_flowi(fl4), NULL, 0);
        if (!IS_ERR(rt)) {
                if (rt != rt2)
                        return rt;
@@ -411,19 +408,19 @@ static struct rtable *icmp_route_lookup(struct net *net, struct sk_buff *skb_in,
        } else
                return rt;
-        err = xfrm_decode_session_reverse(skb_in, flowi4_to_flowi(&fl4), AF_INET);
+        err = xfrm_decode_session_reverse(skb_in, flowi4_to_flowi(fl4), AF_INET);
        if (err)
                goto relookup_failed;
-        if (inet_addr_type(net, fl4.saddr) == RTN_LOCAL) {
+        if (inet_addr_type(net, fl4->saddr) == RTN_LOCAL) {
-                rt2 = __ip_route_output_key(net, &fl4);
+                rt2 = __ip_route_output_key(net, fl4);
                if (IS_ERR(rt2))
                        err = PTR_ERR(rt2);
        } else {
                struct flowi4 fl4_2 = {};
                unsigned long orefdst;
-                fl4_2.daddr = fl4.saddr;
+                fl4_2.daddr = fl4->saddr;
                rt2 = ip_route_output_key(net, &fl4_2);
                if (IS_ERR(rt2)) {
                        err = PTR_ERR(rt2);
@@ -431,7 +428,7 @@ static struct rtable *icmp_route_lookup(struct net *net, struct sk_buff *skb_in,
                }
                /* Ugh! */
                orefdst = skb_in->_skb_refdst; /* save old refdst */
-                err = ip_route_input(skb_in, fl4.daddr, fl4.saddr,
+                err = ip_route_input(skb_in, fl4->daddr, fl4->saddr,
                                     RT_TOS(tos), rt2->dst.dev);
                dst_release(&rt2->dst);
@@ -443,7 +440,7 @@ static struct rtable *icmp_route_lookup(struct net *net, struct sk_buff *skb_in,
                goto relookup_failed;
        rt2 = (struct rtable *) xfrm_lookup(net, &rt2->dst,
-                                            flowi4_to_flowi(&fl4), NULL,
+                                            flowi4_to_flowi(fl4), NULL,
                                            XFRM_LOOKUP_ICMP);
        if (!IS_ERR(rt2)) {
                dst_release(&rt->dst);
@@ -482,6 +479,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
        struct icmp_bxm icmp_param;
        struct rtable *rt = skb_rtable(skb_in);
        struct ipcm_cookie ipc;
+        struct flowi4 fl4;
        __be32 saddr;
        u8  tos;
        struct net *net;
@@ -581,7 +579,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
                                           IPTOS_PREC_INTERNETCONTROL) :
                                          iph->tos;
-        if (ip_options_echo(&icmp_param.replyopts, skb_in))
+        if (ip_options_echo(&icmp_param.replyopts.opt.opt, skb_in))
                goto out_unlock;
@@ -597,15 +595,15 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
        icmp_param.offset = skb_network_offset(skb_in);
        inet_sk(sk)->tos = tos;
        ipc.addr = iph->saddr;
-        ipc.opt = &icmp_param.replyopts;
+        ipc.opt = &icmp_param.replyopts.opt;
        ipc.tx_flags = 0;
-        rt = icmp_route_lookup(net, skb_in, iph, saddr, tos,
+        rt = icmp_route_lookup(net, &fl4, skb_in, iph, saddr, tos,
                               type, code, &icmp_param);
        if (IS_ERR(rt))
                goto out_unlock;
-        if (!icmpv4_xrlim_allow(net, rt, type, code))
+        if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code))
                goto ende;
        /* RFC says return as much as we can without exceeding 576 bytes. */
@@ -613,7 +611,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
        room = dst_mtu(&rt->dst);
        if (room > 576)
                room = 576;
-        room -= sizeof(struct iphdr) + icmp_param.replyopts.optlen;
+        room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen;
        room -= sizeof(struct icmphdr);
        icmp_param.data_len = skb_in->len - icmp_param.offset;
@@ -621,7 +619,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
                icmp_param.data_len = room;
        icmp_param.head_len = sizeof(struct icmphdr);
-        icmp_push_reply(&icmp_param, &ipc, &rt);
+        icmp_push_reply(&icmp_param, &fl4, &ipc, &rt);
 ende:
        ip_rt_put(rt);
 out_unlock:
@@ -637,7 +635,7 @@ EXPORT_SYMBOL(icmp_send);
 static void icmp_unreach(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct icmphdr *icmph;
        int hash, protocol;
        const struct net_protocol *ipprot;
@@ -656,7 +654,7 @@ static void icmp_unreach(struct sk_buff *skb)
                goto out_err;
        icmph = icmp_hdr(skb);
-        iph   = (struct iphdr *)skb->data;
+        iph   = (const struct iphdr *)skb->data;
        if (iph->ihl < 5) /* Mangled header, drop. */
                goto out_err;
@@ -729,7 +727,7 @@ static void icmp_unreach(struct sk_buff *skb)
        if (!pskb_may_pull(skb, iph->ihl * 4 + 8))
                goto out;
-        iph = (struct iphdr *)skb->data;
+        iph = (const struct iphdr *)skb->data;
        protocol = iph->protocol;
        /*
@@ -758,7 +756,7 @@ out_err:
 static void icmp_redirect(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        if (skb->len < sizeof(struct iphdr))
                goto out_err;
@@ -769,7 +767,7 @@ static void icmp_redirect(struct sk_buff *skb)
        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
                goto out;
-        iph = (struct iphdr *)skb->data;
+        iph = (const struct iphdr *)skb->data;
        switch (icmp_hdr(skb)->code & 7) {
        case ICMP_REDIR_NET:
@@ -784,6 +782,15 @@ static void icmp_redirect(struct sk_buff *skb)
                               iph->saddr, skb->dev);
                break;
        }
+        /* Ping wants to see redirects.
+         * Let's pretend they are errors of sorts... */
+        if (iph->protocol == IPPROTO_ICMP &&
+            iph->ihl >= 5 &&
+            pskb_may_pull(skb, (iph->ihl<<2)+8)) {
+                ping_err(skb, icmp_hdr(skb)->un.gateway);
+        }
 out:
        return;
 out_err:
@@ -933,12 +940,12 @@ static void icmp_address_reply(struct sk_buff *skb)
                BUG_ON(mp == NULL);
                for (ifa = in_dev->ifa_list; ifa; ifa = ifa->ifa_next) {
                        if (*mp == ifa->ifa_mask &&
-                            inet_ifa_match(rt->rt_src, ifa))
+                            inet_ifa_match(ip_hdr(skb)->saddr, ifa))
                                break;
                }
                if (!ifa && net_ratelimit()) {
                        printk(KERN_INFO "Wrong address mask %pI4 from %s/%pI4\n",
-                               mp, dev->name, &rt->rt_src);
+                               mp, dev->name, &ip_hdr(skb)->saddr);
                }
        }
 }
@@ -1044,7 +1051,7 @@ error:
 */
 static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
        [ICMP_ECHOREPLY] = {
-                .handler = icmp_discard,
+                .handler = ping_rcv,
        },
        [1] = {
                .handler = icmp_discard,
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 1fd3d9ce8398..f1d27f6c9351 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -149,17 +149,11 @@ static void ip_mc_clear_src(struct ip_mc_list *pmc);
 static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
                         int sfcount, __be32 *psfsrc, int delta);
-static void ip_mc_list_reclaim(struct rcu_head *head)
-{
-        kfree(container_of(head, struct ip_mc_list, rcu));
-}
 static void ip_ma_put(struct ip_mc_list *im)
 {
        if (atomic_dec_and_test(&im->refcnt)) {
                in_dev_put(im->interface);
-                call_rcu(&im->rcu, ip_mc_list_reclaim);
+                kfree_rcu(im, rcu);
        }
 }
@@ -309,6 +303,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
        struct iphdr *pip;
        struct igmpv3_report *pig;
        struct net *net = dev_net(dev);
+        struct flowi4 fl4;
        while (1) {
                skb = alloc_skb(size + LL_ALLOCATED_SPACE(dev),
@@ -321,18 +316,13 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
        }
        igmp_skb_size(skb) = size;
-        rt = ip_route_output_ports(net, NULL, IGMPV3_ALL_MCR, 0,
+        rt = ip_route_output_ports(net, &fl4, NULL, IGMPV3_ALL_MCR, 0,
                                   0, 0,
                                   IPPROTO_IGMP, 0, dev->ifindex);
        if (IS_ERR(rt)) {
                kfree_skb(skb);
                return NULL;
        }
-        if (rt->rt_src == 0) {
-                kfree_skb(skb);
-                ip_rt_put(rt);
-                return NULL;
-        }
        skb_dst_set(skb, &rt->dst);
        skb->dev = dev;
@@ -348,8 +338,8 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
        pip->tos      = 0xc0;
        pip->frag_off = htons(IP_DF);
        pip->ttl      = 1;
-        pip->daddr    = rt->rt_dst;
+        pip->daddr    = fl4.daddr;
-        pip->saddr    = rt->rt_src;
+        pip->saddr    = fl4.saddr;
        pip->protocol = IPPROTO_IGMP;
        pip->tot_len  = 0;      /* filled in later */
        ip_select_ident(pip, &rt->dst, NULL);
@@ -655,6 +645,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
        struct net_device *dev = in_dev->dev;
        struct net *net = dev_net(dev);
        __be32  group = pmc ? pmc->multiaddr : 0;
+        struct flowi4 fl4;
        __be32  dst;
        if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
@@ -664,17 +655,12 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
        else
                dst = group;
-        rt = ip_route_output_ports(net, NULL, dst, 0,
+        rt = ip_route_output_ports(net, &fl4, NULL, dst, 0,
                                   0, 0,
                                   IPPROTO_IGMP, 0, dev->ifindex);
        if (IS_ERR(rt))
                return -1;
-        if (rt->rt_src == 0) {
-                ip_rt_put(rt);
-                return -1;
-        }
        skb = alloc_skb(IGMP_SIZE+LL_ALLOCATED_SPACE(dev), GFP_ATOMIC);
        if (skb == NULL) {
                ip_rt_put(rt);
@@ -695,7 +681,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
        iph->frag_off = htons(IP_DF);
        iph->ttl      = 1;
        iph->daddr    = dst;
-        iph->saddr    = rt->rt_src;
+        iph->saddr    = fl4.saddr;
        iph->protocol = IPPROTO_IGMP;
        ip_select_ident(iph, &rt->dst, NULL);
        ((u8*)&iph[1])[0] = IPOPT_RA;
@@ -1169,20 +1155,18 @@ static void igmp_group_dropped(struct ip_mc_list *im)
        if (!in_dev->dead) {
                if (IGMP_V1_SEEN(in_dev))
-                        goto done;
+                        return;
                if (IGMP_V2_SEEN(in_dev)) {
                        if (reporter)
                                igmp_send_report(in_dev, im, IGMP_HOST_LEAVE_MESSAGE);
-                        goto done;
+                        return;
                }
                /* IGMPv3 */
                igmpv3_add_delrec(in_dev, im);
                igmp_ifc_event(in_dev);
        }
-done:
 #endif
-        ip_mc_clear_src(im);
 }
 static void igmp_group_added(struct ip_mc_list *im)
@@ -1319,6 +1303,7 @@ void ip_mc_dec_group(struct in_device *in_dev, __be32 addr)
                                *ip = i->next_rcu;
                                in_dev->mc_count--;
                                igmp_group_dropped(i);
+                                ip_mc_clear_src(i);
                                if (!in_dev->dead)
                                        ip_rt_multicast_event(in_dev);
@@ -1428,7 +1413,8 @@ void ip_mc_destroy_dev(struct in_device *in_dev)
                in_dev->mc_list = i->next_rcu;
                in_dev->mc_count--;
-                igmp_group_dropped(i);
+                /* We've dropped the groups in ip_mc_down already */
+                ip_mc_clear_src(i);
                ip_ma_put(i);
        }
 }
@@ -1836,12 +1822,6 @@ done:
 }
 EXPORT_SYMBOL(ip_mc_join_group);
-static void ip_sf_socklist_reclaim(struct rcu_head *rp)
-{
-        kfree(container_of(rp, struct ip_sf_socklist, rcu));
-        /* sk_omem_alloc should have been decreased by the caller*/
-}
 static int ip_mc_leave_src(struct sock *sk, struct ip_mc_socklist *iml,
                           struct in_device *in_dev)
 {
@@ -1858,18 +1838,10 @@ static int ip_mc_leave_src(struct sock *sk, struct ip_mc_socklist *iml,
        rcu_assign_pointer(iml->sflist, NULL);
        /* decrease mem now to avoid the memleak warning */
        atomic_sub(IP_SFLSIZE(psf->sl_max), &sk->sk_omem_alloc);
-        call_rcu(&psf->rcu, ip_sf_socklist_reclaim);
+        kfree_rcu(psf, rcu);
        return err;
 }
-static void ip_mc_socklist_reclaim(struct rcu_head *rp)
-{
-        kfree(container_of(rp, struct ip_mc_socklist, rcu));
-        /* sk_omem_alloc should have been decreased by the caller*/
-}
 /*
 *      Ask a socket to leave a group.
 */
@@ -1909,7 +1881,7 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
                rtnl_unlock();
                /* decrease mem now to avoid the memleak warning */
                atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
-                call_rcu(&iml->rcu, ip_mc_socklist_reclaim);
+                kfree_rcu(iml, rcu);
                return 0;
        }
        if (!in_dev)
@@ -2026,7 +1998,7 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct
                                newpsl->sl_addr[i] = psl->sl_addr[i];
                        /* decrease mem now to avoid the memleak warning */
                        atomic_sub(IP_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
-                        call_rcu(&psl->rcu, ip_sf_socklist_reclaim);
+                        kfree_rcu(psl, rcu);
                }
                rcu_assign_pointer(pmc->sflist, newpsl);
                psl = newpsl;
@@ -2127,7 +2099,7 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex)
                        psl->sl_count, psl->sl_addr, 0);
                /* decrease mem now to avoid the memleak warning */
                atomic_sub(IP_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
-                call_rcu(&psl->rcu, ip_sf_socklist_reclaim);
+                kfree_rcu(psl, rcu);
        } else
                (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
                        0, NULL, 0);
@@ -2324,7 +2296,7 @@ void ip_mc_drop_socket(struct sock *sk)
                        ip_mc_dec_group(in_dev, iml->multi.imr_multiaddr.s_addr);
                /* decrease mem now to avoid the memleak warning */
                atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
-                call_rcu(&iml->rcu, ip_mc_socklist_reclaim);
+                kfree_rcu(iml, rcu);
        }
        rtnl_unlock();
 }
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 38f23e721b80..c14d88ad348d 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -33,7 +33,7 @@ EXPORT_SYMBOL(inet_csk_timer_bug_msg);
 * This struct holds the first and last local port number.
 */
 struct local_ports sysctl_local_ports __read_mostly = {
-        .lock = SEQLOCK_UNLOCKED,
+        .lock = __SEQLOCK_UNLOCKED(sysctl_local_ports.lock),
        .range = { 32768, 61000 },
 };
@@ -350,30 +350,24 @@ void inet_csk_reset_keepalive_timer(struct sock *sk, unsigned long len)
 EXPORT_SYMBOL(inet_csk_reset_keepalive_timer);
 struct dst_entry *inet_csk_route_req(struct sock *sk,
+                                     struct flowi4 *fl4,
                                     const struct request_sock *req)
 {
        struct rtable *rt;
        const struct inet_request_sock *ireq = inet_rsk(req);
-        struct ip_options *opt = inet_rsk(req)->opt;
+        struct ip_options_rcu *opt = inet_rsk(req)->opt;
-        struct flowi4 fl4 = {
-                .flowi4_oif = sk->sk_bound_dev_if,
-                .flowi4_mark = sk->sk_mark,
-                .daddr = ((opt && opt->srr) ?
-                          opt->faddr : ireq->rmt_addr),
-                .saddr = ireq->loc_addr,
-                .flowi4_tos = RT_CONN_FLAGS(sk),
-                .flowi4_proto = sk->sk_protocol,
-                .flowi4_flags = inet_sk_flowi_flags(sk),
-                .fl4_sport = inet_sk(sk)->inet_sport,
-                .fl4_dport = ireq->rmt_port,
-        };
        struct net *net = sock_net(sk);
-        security_req_classify_flow(req, flowi4_to_flowi(&fl4));
+        flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
-        rt = ip_route_output_flow(net, &fl4, sk);
+                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
+                           sk->sk_protocol, inet_sk_flowi_flags(sk),
+                           (opt && opt->opt.srr) ? opt->opt.faddr : ireq->rmt_addr,
+                           ireq->loc_addr, ireq->rmt_port, inet_sk(sk)->inet_sport);
+        security_req_classify_flow(req, flowi4_to_flowi(fl4));
+        rt = ip_route_output_flow(net, fl4, sk);
        if (IS_ERR(rt))
                goto no_route;
-        if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
+        if (opt && opt->opt.is_strictroute && fl4->daddr != rt->rt_gateway)
                goto route_err;
        return &rt->dst;
@@ -385,6 +379,39 @@ no_route:
 }
 EXPORT_SYMBOL_GPL(inet_csk_route_req);
+struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
+                                            struct sock *newsk,
+                                            const struct request_sock *req)
+{
+        const struct inet_request_sock *ireq = inet_rsk(req);
+        struct inet_sock *newinet = inet_sk(newsk);
+        struct ip_options_rcu *opt = ireq->opt;
+        struct net *net = sock_net(sk);
+        struct flowi4 *fl4;
+        struct rtable *rt;
+        fl4 = &newinet->cork.fl.u.ip4;
+        flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
+                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
+                           sk->sk_protocol, inet_sk_flowi_flags(sk),
+                           (opt && opt->opt.srr) ? opt->opt.faddr : ireq->rmt_addr,
+                           ireq->loc_addr, ireq->rmt_port, inet_sk(sk)->inet_sport);
+        security_req_classify_flow(req, flowi4_to_flowi(fl4));
+        rt = ip_route_output_flow(net, fl4, sk);
+        if (IS_ERR(rt))
+                goto no_route;
+        if (opt && opt->opt.is_strictroute && fl4->daddr != rt->rt_gateway)
+                goto route_err;
+        return &rt->dst;
+route_err:
+        ip_rt_put(rt);
+no_route:
+        IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
+        return NULL;
+}
+EXPORT_SYMBOL_GPL(inet_csk_route_child_sock);
 static inline u32 inet_synq_hash(const __be32 raddr, const __be16 rport,
                                 const u32 rnd, const u32 synq_hsize)
 {
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 2ada17129fce..3267d3898437 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -124,7 +124,7 @@ static int inet_csk_diag_fill(struct sock *sk,
 #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
        if (r->idiag_family == AF_INET6) {
-                struct ipv6_pinfo *np = inet6_sk(sk);
+                const struct ipv6_pinfo *np = inet6_sk(sk);
                ipv6_addr_copy((struct in6_addr *)r->id.idiag_src,
                               &np->rcv_saddr);
@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int len, int cc)
                        return 0;
                if (cc == len)
                        return 1;
-                if (op->yes < 4)
+                if (op->yes < 4 || op->yes & 3)
                        return 0;
                len -= op->yes;
                bc  += op->yes;
@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int len, int cc)
 static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
 {
-        const unsigned char *bc = bytecode;
+        const void *bc = bytecode;
        int  len = bytecode_len;
        while (len > 0) {
-                struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
+                const struct inet_diag_bc_op *op = bc;
 //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
                switch (op->code) {
@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
                case INET_DIAG_BC_S_LE:
                case INET_DIAG_BC_D_GE:
                case INET_DIAG_BC_D_LE:
-                        if (op->yes < 4 || op->yes > len + 4)
-                                return -EINVAL;
                case INET_DIAG_BC_JMP:
-                        if (op->no < 4 || op->no > len + 4)
+                        if (op->no < 4 || op->no > len + 4 || op->no & 3)
                                return -EINVAL;
                        if (op->no < len &&
                            !valid_cc(bytecode, bytecode_len, len - op->no))
                                return -EINVAL;
                        break;
                case INET_DIAG_BC_NOP:
-                        if (op->yes < 4 || op->yes > len + 4)
-                                return -EINVAL;
                        break;
                default:
                        return -EINVAL;
                }
+                if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
+                        return -EINVAL;
                bc  += op->yes;
                len -= op->yes;
        }
diff --git a/net/ipv4/inet_lro.c b/net/ipv4/inet_lro.c
index 47038cb6c138..85a0f75dae64 100644
--- a/net/ipv4/inet_lro.c
+++ b/net/ipv4/inet_lro.c
@@ -51,8 +51,8 @@ MODULE_DESCRIPTION("Large Receive Offload (ipv4 / tcp)");
 * Basic tcp checks whether packet is suitable for LRO
 */
-static int lro_tcp_ip_check(struct iphdr *iph, struct tcphdr *tcph,
+static int lro_tcp_ip_check(const struct iphdr *iph, const struct tcphdr *tcph,
-                            int len, struct net_lro_desc *lro_desc)
+                            int len, const struct net_lro_desc *lro_desc)
 {
        /* check ip header: don't aggregate padded frames */
        if (ntohs(iph->tot_len) != len)
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index 9df4e635fb5f..ce616d92cc54 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -154,11 +154,9 @@ void __init inet_initpeers(void)
 /* Called with or without local BH being disabled. */
 static void unlink_from_unused(struct inet_peer *p)
 {
-        if (!list_empty(&p->unused)) {
+        spin_lock_bh(&unused_peers.lock);
-                spin_lock_bh(&unused_peers.lock);
+        list_del_init(&p->unused);
-                list_del_init(&p->unused);
+        spin_unlock_bh(&unused_peers.lock);
-                spin_unlock_bh(&unused_peers.lock);
-        }
 }
 static int addr_compare(const struct inetpeer_addr *a,
@@ -205,6 +203,20 @@ static int addr_compare(const struct inetpeer_addr *a,
        u;                                                      \
 })
+static bool atomic_add_unless_return(atomic_t *ptr, int a, int u, int *newv)
+{
+        int cur, old = atomic_read(ptr);
+        while (old != u) {
+                *newv = old + a;
+                cur = atomic_cmpxchg(ptr, old, *newv);
+                if (cur == old)
+                        return true;
+                old = cur;
+        }
+        return false;
+}
 /*
 * Called with rcu_read_lock()
 * Because we hold no lock against a writer, its quite possible we fall
@@ -213,7 +225,8 @@ static int addr_compare(const struct inetpeer_addr *a,
 * We exit from this function if number of links exceeds PEER_MAXDEPTH
 */
 static struct inet_peer *lookup_rcu(const struct inetpeer_addr *daddr,
-                                    struct inet_peer_base *base)
+                                    struct inet_peer_base *base,
+                                    int *newrefcnt)
 {
        struct inet_peer *u = rcu_dereference(base->root);
        int count = 0;
@@ -226,7 +239,7 @@ static struct inet_peer *lookup_rcu(const struct inetpeer_addr *daddr,
                         * distinction between an unused entry (refcnt=0) and
                         * a freed one.
                         */
-                        if (unlikely(!atomic_add_unless(&u->refcnt, 1, -1)))
+                        if (!atomic_add_unless_return(&u->refcnt, 1, -1, newrefcnt))
                                u = NULL;
                        return u;
                }
@@ -465,22 +478,23 @@ struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
        struct inet_peer_base *base = family_to_base(daddr->family);
        struct inet_peer *p;
        unsigned int sequence;
-        int invalidated;
+        int invalidated, newrefcnt = 0;
        /* Look up for the address quickly, lockless.
         * Because of a concurrent writer, we might not find an existing entry.
         */
        rcu_read_lock();
        sequence = read_seqbegin(&base->lock);
-        p = lookup_rcu(daddr, base);
+        p = lookup_rcu(daddr, base, &newrefcnt);
        invalidated = read_seqretry(&base->lock, sequence);
        rcu_read_unlock();
        if (p) {
-                /* The existing node has been found.
+found:          /* The existing node has been found.
                 * Remove the entry from unused list if it was there.
                 */
-                unlink_from_unused(p);
+                if (newrefcnt == 1)
+                        unlink_from_unused(p);
                return p;
        }
@@ -494,11 +508,9 @@ struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
        write_seqlock_bh(&base->lock);
        p = lookup(daddr, stack, base);
        if (p != peer_avl_empty) {
-                atomic_inc(&p->refcnt);
+                newrefcnt = atomic_inc_return(&p->refcnt);
                write_sequnlock_bh(&base->lock);
-                /* Remove the entry from unused list if it was there. */
+                goto found;
-                unlink_from_unused(p);
-                return p;
        }
        p = create ? kmem_cache_alloc(peer_cachep, GFP_ATOMIC) : NULL;
        if (p) {
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 99461f09320f..3b34d1c86270 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -84,7 +84,7 @@ int ip_forward(struct sk_buff *skb)
        rt = skb_rtable(skb);
-        if (opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
+        if (opt->is_strictroute && ip_hdr(skb)->daddr != rt->rt_gateway)
                goto sr_failed;
        if (unlikely(skb->len > dst_mtu(&rt->dst) && !skb_is_gso(skb) &&
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index b1d282f11be7..0ad6035f6366 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -77,22 +77,40 @@ struct ipq {
        struct inet_peer *peer;
 };
-#define IPFRAG_ECN_CLEAR  0x01 /* one frag had INET_ECN_NOT_ECT */
+/* RFC 3168 support :
-#define IPFRAG_ECN_SET_CE 0x04 /* one frag had INET_ECN_CE */
+ * We want to check ECN values of all fragments, do detect invalid combinations.
+ * In ipq->ecn, we store the OR value of each ip4_frag_ecn() fragment value.
+ */
+#define IPFRAG_ECN_NOT_ECT      0x01 /* one frag had ECN_NOT_ECT */
+#define IPFRAG_ECN_ECT_1        0x02 /* one frag had ECN_ECT_1 */
+#define IPFRAG_ECN_ECT_0        0x04 /* one frag had ECN_ECT_0 */
+#define IPFRAG_ECN_CE           0x08 /* one frag had ECN_CE */
 static inline u8 ip4_frag_ecn(u8 tos)
 {
-        tos = (tos & INET_ECN_MASK) + 1;
+        return 1 << (tos & INET_ECN_MASK);
-        /*
-         * After the last operation we have (in binary):
-         * INET_ECN_NOT_ECT => 001
-         * INET_ECN_ECT_1   => 010
-         * INET_ECN_ECT_0   => 011
-         * INET_ECN_CE      => 100
-         */
-        return (tos & 2) ? 0 : tos;
 }
+/* Given the OR values of all fragments, apply RFC 3168 5.3 requirements
+ * Value : 0xff if frame should be dropped.
+ *         0 or INET_ECN_CE value, to be ORed in to final iph->tos field
+ */
+static const u8 ip4_frag_ecn_table[16] = {
+        /* at least one fragment had CE, and others ECT_0 or ECT_1 */
+        [IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0]                      = INET_ECN_CE,
+        [IPFRAG_ECN_CE | IPFRAG_ECN_ECT_1]                      = INET_ECN_CE,
+        [IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0 | IPFRAG_ECN_ECT_1]   = INET_ECN_CE,
+        /* invalid combinations : drop frame */
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_ECT_0] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_ECT_1] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_ECT_0 | IPFRAG_ECN_ECT_1] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE | IPFRAG_ECN_ECT_1] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0 | IPFRAG_ECN_ECT_1] = 0xff,
+};
 static struct inet_frags ip4_frags;
 int ip_frag_nqueues(struct net *net)
@@ -524,9 +542,15 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
        int len;
        int ihlen;
        int err;
+        u8 ecn;
        ipq_kill(qp);
+        ecn = ip4_frag_ecn_table[qp->ecn];
+        if (unlikely(ecn == 0xff)) {
+                err = -EINVAL;
+                goto out_fail;
+        }
        /* Make the one we just received the head. */
        if (prev) {
                head = prev->next;
@@ -605,17 +629,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
        iph = ip_hdr(head);
        iph->frag_off = 0;
        iph->tot_len = htons(len);
-        /* RFC3168 5.3 Fragmentation support
+        iph->tos |= ecn;
-         * If one fragment had INET_ECN_NOT_ECT,
-         *      reassembled frame also has INET_ECN_NOT_ECT
-         * Elif one fragment had INET_ECN_CE
-         *      reassembled frame also has INET_ECN_CE
-         */
-        if (qp->ecn & IPFRAG_ECN_CLEAR)
-                iph->tos &= ~INET_ECN_MASK;
-        else if (qp->ecn & IPFRAG_ECN_SET_CE)
-                iph->tos |= INET_ECN_CE;
        IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS);
        qp->q.fragments = NULL;
        qp->q.fragments_tail = NULL;
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index da5941f18c3c..8871067560db 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -413,11 +413,6 @@ static struct ip_tunnel *ipgre_tunnel_locate(struct net *net,
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        nt = netdev_priv(dev);
        nt->parms = *parms;
        dev->rtnl_link_ops = &ipgre_link_ops;
@@ -462,7 +457,7 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
   by themself???
 */
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        __be16       *p = (__be16*)(skb->data+(iph->ihl<<2));
        int grehlen = (iph->ihl<<2) + 4;
        const int type = icmp_hdr(skb)->type;
@@ -534,7 +529,7 @@ out:
        rcu_read_unlock();
 }
-static inline void ipgre_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
+static inline void ipgre_ecn_decapsulate(const struct iphdr *iph, struct sk_buff *skb)
 {
        if (INET_ECN_is_ce(iph->tos)) {
                if (skb->protocol == htons(ETH_P_IP)) {
@@ -546,19 +541,19 @@ static inline void ipgre_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
 }
 static inline u8
-ipgre_ecn_encapsulate(u8 tos, struct iphdr *old_iph, struct sk_buff *skb)
+ipgre_ecn_encapsulate(u8 tos, const struct iphdr *old_iph, struct sk_buff *skb)
 {
        u8 inner = 0;
        if (skb->protocol == htons(ETH_P_IP))
                inner = old_iph->tos;
        else if (skb->protocol == htons(ETH_P_IPV6))
-                inner = ipv6_get_dsfield((struct ipv6hdr *)old_iph);
+                inner = ipv6_get_dsfield((const struct ipv6hdr *)old_iph);
        return INET_ECN_encapsulate(tos, inner);
 }
 static int ipgre_rcv(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        u8     *h;
        __be16    flags;
        __sum16   csum = 0;
@@ -697,8 +692,9 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
        struct pcpu_tstats *tstats;
-        struct iphdr  *old_iph = ip_hdr(skb);
+        const struct iphdr  *old_iph = ip_hdr(skb);
-        struct iphdr  *tiph;
+        const struct iphdr  *tiph;
+        struct flowi4 fl4;
        u8     tos;
        __be16 df;
        struct rtable *rt;                      /* Route to the other host */
@@ -714,7 +710,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
        if (dev->header_ops && dev->type == ARPHRD_IPGRE) {
                gre_hlen = 0;
-                tiph = (struct iphdr *)skb->data;
+                tiph = (const struct iphdr *)skb->data;
        } else {
                gre_hlen = tunnel->hlen;
                tiph = &tunnel->parms.iph;
@@ -735,14 +731,14 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                }
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                else if (skb->protocol == htons(ETH_P_IPV6)) {
-                        struct in6_addr *addr6;
+                        const struct in6_addr *addr6;
                        int addr_type;
                        struct neighbour *neigh = skb_dst(skb)->neighbour;
                        if (neigh == NULL)
                                goto tx_error;
-                        addr6 = (struct in6_addr *)&neigh->primary_key;
+                        addr6 = (const struct in6_addr *)&neigh->primary_key;
                        addr_type = ipv6_addr_type(addr6);
                        if (addr_type == IPV6_ADDR_ANY) {
@@ -766,10 +762,10 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                if (skb->protocol == htons(ETH_P_IP))
                        tos = old_iph->tos;
                else if (skb->protocol == htons(ETH_P_IPV6))
-                        tos = ipv6_get_dsfield((struct ipv6hdr *)old_iph);
+                        tos = ipv6_get_dsfield((const struct ipv6hdr *)old_iph);
        }
-        rt = ip_route_output_gre(dev_net(dev), dst, tiph->saddr,
+        rt = ip_route_output_gre(dev_net(dev), &fl4, dst, tiph->saddr,
                                 tunnel->parms.o_key, RT_TOS(tos),
                                 tunnel->parms.link);
        if (IS_ERR(rt)) {
@@ -873,15 +869,15 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_GRE;
        iph->tos                =       ipgre_ecn_encapsulate(tos, old_iph, skb);
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       fl4.daddr;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       fl4.saddr;
        if ((iph->ttl = tiph->ttl) == 0) {
                if (skb->protocol == htons(ETH_P_IP))
                        iph->ttl = old_iph->ttl;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                else if (skb->protocol == htons(ETH_P_IPV6))
-                        iph->ttl = ((struct ipv6hdr *)old_iph)->hop_limit;
+                        iph->ttl = ((const struct ipv6hdr *)old_iph)->hop_limit;
 #endif
                else
                        iph->ttl = ip4_dst_hoplimit(&rt->dst);
@@ -927,7 +923,7 @@ static int ipgre_tunnel_bind_dev(struct net_device *dev)
 {
        struct net_device *tdev = NULL;
        struct ip_tunnel *tunnel;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        int hlen = LL_MAX_HEADER;
        int mtu = ETH_DATA_LEN;
        int addend = sizeof(struct iphdr) + 4;
@@ -938,12 +934,14 @@ static int ipgre_tunnel_bind_dev(struct net_device *dev)
        /* Guess output device to choose reasonable mtu and needed_headroom */
        if (iph->daddr) {
-                struct rtable *rt = ip_route_output_gre(dev_net(dev),
+                struct flowi4 fl4;
-                                                        iph->daddr, iph->saddr,
+                struct rtable *rt;
-                                                        tunnel->parms.o_key,
-                                                        RT_TOS(iph->tos),
+                rt = ip_route_output_gre(dev_net(dev), &fl4,
-                                                        tunnel->parms.link);
+                                         iph->daddr, iph->saddr,
+                                         tunnel->parms.o_key,
+                                         RT_TOS(iph->tos),
+                                         tunnel->parms.link);
                if (!IS_ERR(rt)) {
                        tdev = rt->dst.dev;
                        ip_rt_put(rt);
@@ -1180,7 +1178,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
 static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr)
 {
-        struct iphdr *iph = (struct iphdr *) skb_mac_header(skb);
+        const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb);
        memcpy(haddr, &iph->saddr, 4);
        return 4;
 }
@@ -1196,13 +1194,15 @@ static int ipgre_open(struct net_device *dev)
        struct ip_tunnel *t = netdev_priv(dev);
        if (ipv4_is_multicast(t->parms.iph.daddr)) {
-                struct rtable *rt = ip_route_output_gre(dev_net(dev),
+                struct flowi4 fl4;
-                                                        t->parms.iph.daddr,
+                struct rtable *rt;
-                                                        t->parms.iph.saddr,
-                                                        t->parms.o_key,
+                rt = ip_route_output_gre(dev_net(dev), &fl4,
-                                                        RT_TOS(t->parms.iph.tos),
+                                         t->parms.iph.daddr,
-                                                        t->parms.link);
+                                         t->parms.iph.saddr,
+                                         t->parms.o_key,
+                                         RT_TOS(t->parms.iph.tos),
+                                         t->parms.link);
                if (IS_ERR(rt))
                        return -EADDRNOTAVAIL;
                dev = rt->dst.dev;
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index d7b2b0987a3b..c8f48efc5fd3 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -268,7 +268,7 @@ int ip_local_deliver(struct sk_buff *skb)
 static inline int ip_rcv_options(struct sk_buff *skb)
 {
        struct ip_options *opt;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct net_device *dev = skb->dev;
        /* It looks as overkill, because not all
@@ -374,7 +374,7 @@ drop:
 */
 int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        u32 len;
        /* When the interface is in promisc. mode, drop all the crap
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 2391b24e8251..ec93335901dd 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -14,6 +14,7 @@
 #include <linux/slab.h>
 #include <linux/types.h>
 #include <asm/uaccess.h>
+#include <asm/unaligned.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/icmp.h>
@@ -36,8 +37,8 @@
 * saddr is address of outgoing interface.
 */
-void ip_options_build(struct sk_buff * skb, struct ip_options * opt,
+void ip_options_build(struct sk_buff *skb, struct ip_options *opt,
-                            __be32 daddr, struct rtable *rt, int is_frag)
+                      __be32 daddr, struct rtable *rt, int is_frag)
 {
        unsigned char *iph = skb_network_header(skb);
@@ -50,9 +51,9 @@ void ip_options_build(struct sk_buff * skb, struct ip_options * opt,
        if (!is_frag) {
                if (opt->rr_needaddr)
-                        ip_rt_get_source(iph+opt->rr+iph[opt->rr+2]-5, rt);
+                        ip_rt_get_source(iph+opt->rr+iph[opt->rr+2]-5, skb, rt);
                if (opt->ts_needaddr)
-                        ip_rt_get_source(iph+opt->ts+iph[opt->ts+2]-9, rt);
+                        ip_rt_get_source(iph+opt->ts+iph[opt->ts+2]-9, skb, rt);
                if (opt->ts_needtime) {
                        struct timespec tv;
                        __be32 midtime;
@@ -83,9 +84,9 @@ void ip_options_build(struct sk_buff * skb, struct ip_options * opt,
 * NOTE: dopt cannot point to skb.
 */
-int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
+int ip_options_echo(struct ip_options *dopt, struct sk_buff *skb)
 {
-        struct ip_options *sopt;
+        const struct ip_options *sopt;
        unsigned char *sptr, *dptr;
        int soffset, doffset;
        int     optlen;
@@ -95,10 +96,8 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
        sopt = &(IPCB(skb)->opt);
-        if (sopt->optlen == 0) {
+        if (sopt->optlen == 0)
-                dopt->optlen = 0;
                return 0;
-        }
        sptr = skb_network_header(skb);
        dptr = dopt->__data;
@@ -157,7 +156,7 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
                dopt->optlen += optlen;
        }
        if (sopt->srr) {
-                unsigned char * start = sptr+sopt->srr;
+                unsigned char *start = sptr+sopt->srr;
                __be32 faddr;
                optlen  = start[1];
@@ -352,7 +351,7 @@ int ip_options_compile(struct net *net,
                                goto error;
                        }
                        if (optptr[2] <= optlen) {
-                                __be32 *timeptr = NULL;
+                                unsigned char *timeptr = NULL;
                                if (optptr[2]+3 > optptr[1]) {
                                        pp_ptr = optptr + 2;
                                        goto error;
@@ -361,7 +360,7 @@ int ip_options_compile(struct net *net,
                                      case IPOPT_TS_TSONLY:
                                        opt->ts = optptr - iph;
                                        if (skb)
-                                                timeptr = (__be32*)&optptr[optptr[2]-1];
+                                                timeptr = &optptr[optptr[2]-1];
                                        opt->ts_needtime = 1;
                                        optptr[2] += 4;
                                        break;
@@ -373,7 +372,7 @@ int ip_options_compile(struct net *net,
                                        opt->ts = optptr - iph;
                                        if (rt)  {
                                                memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
-                                                timeptr = (__be32*)&optptr[optptr[2]+3];
+                                                timeptr = &optptr[optptr[2]+3];
                                        }
                                        opt->ts_needaddr = 1;
                                        opt->ts_needtime = 1;
@@ -391,7 +390,7 @@ int ip_options_compile(struct net *net,
                                                if (inet_addr_type(net, addr) == RTN_UNICAST)
                                                        break;
                                                if (skb)
-                                                        timeptr = (__be32*)&optptr[optptr[2]+3];
+                                                        timeptr = &optptr[optptr[2]+3];
                                        }
                                        opt->ts_needtime = 1;
                                        optptr[2] += 8;
@@ -405,10 +404,10 @@ int ip_options_compile(struct net *net,
                                }
                                if (timeptr) {
                                        struct timespec tv;
-                                        __be32  midtime;
+                                        u32  midtime;
                                        getnstimeofday(&tv);
-                                        midtime = htonl((tv.tv_sec % 86400) * MSEC_PER_SEC + tv.tv_nsec / NSEC_PER_MSEC);
+                                        midtime = (tv.tv_sec % 86400) * MSEC_PER_SEC + tv.tv_nsec / NSEC_PER_MSEC;
-                                        memcpy(timeptr, &midtime, sizeof(__be32));
+                                        put_unaligned_be32(midtime, timeptr);
                                        opt->is_changed = 1;
                                }
                        } else {
@@ -499,19 +498,19 @@ void ip_options_undo(struct ip_options * opt)
        }
 }
-static struct ip_options *ip_options_get_alloc(const int optlen)
+static struct ip_options_rcu *ip_options_get_alloc(const int optlen)
 {
-        return kzalloc(sizeof(struct ip_options) + ((optlen + 3) & ~3),
+        return kzalloc(sizeof(struct ip_options_rcu) + ((optlen + 3) & ~3),
                       GFP_KERNEL);
 }
-static int ip_options_get_finish(struct net *net, struct ip_options **optp,
+static int ip_options_get_finish(struct net *net, struct ip_options_rcu **optp,
-                                 struct ip_options *opt, int optlen)
+                                 struct ip_options_rcu *opt, int optlen)
 {
        while (optlen & 3)
-                opt->__data[optlen++] = IPOPT_END;
+                opt->opt.__data[optlen++] = IPOPT_END;
-        opt->optlen = optlen;
+        opt->opt.optlen = optlen;
-        if (optlen && ip_options_compile(net, opt, NULL)) {
+        if (optlen && ip_options_compile(net, &opt->opt, NULL)) {
                kfree(opt);
                return -EINVAL;
        }
@@ -520,29 +519,29 @@ static int ip_options_get_finish(struct net *net, struct ip_options **optp,
        return 0;
 }
-int ip_options_get_from_user(struct net *net, struct ip_options **optp,
+int ip_options_get_from_user(struct net *net, struct ip_options_rcu **optp,
                             unsigned char __user *data, int optlen)
 {
-        struct ip_options *opt = ip_options_get_alloc(optlen);
+        struct ip_options_rcu *opt = ip_options_get_alloc(optlen);
        if (!opt)
                return -ENOMEM;
-        if (optlen && copy_from_user(opt->__data, data, optlen)) {
+        if (optlen && copy_from_user(opt->opt.__data, data, optlen)) {
                kfree(opt);
                return -EFAULT;
        }
        return ip_options_get_finish(net, optp, opt, optlen);
 }
-int ip_options_get(struct net *net, struct ip_options **optp,
+int ip_options_get(struct net *net, struct ip_options_rcu **optp,
                   unsigned char *data, int optlen)
 {
-        struct ip_options *opt = ip_options_get_alloc(optlen);
+        struct ip_options_rcu *opt = ip_options_get_alloc(optlen);
        if (!opt)
                return -ENOMEM;
        if (optlen)
-                memcpy(opt->__data, data, optlen);
+                memcpy(opt->opt.__data, data, optlen);
        return ip_options_get_finish(net, optp, opt, optlen);
 }
@@ -555,7 +554,7 @@ void ip_forward_options(struct sk_buff *skb)
        if (opt->rr_needaddr) {
                optptr = (unsigned char *)raw + opt->rr;
-                ip_rt_get_source(&optptr[optptr[2]-5], rt);
+                ip_rt_get_source(&optptr[optptr[2]-5], skb, rt);
                opt->is_changed = 1;
        }
        if (opt->srr_is_hit) {
@@ -569,19 +568,18 @@ void ip_forward_options(struct sk_buff *skb)
                     ) {
                        if (srrptr + 3 > srrspace)
                                break;
-                        if (memcmp(&rt->rt_dst, &optptr[srrptr-1], 4) == 0)
+                        if (memcmp(&ip_hdr(skb)->daddr, &optptr[srrptr-1], 4) == 0)
                                break;
                }
                if (srrptr + 3 <= srrspace) {
                        opt->is_changed = 1;
-                        ip_rt_get_source(&optptr[srrptr-1], rt);
+                        ip_rt_get_source(&optptr[srrptr-1], skb, rt);
-                        ip_hdr(skb)->daddr = rt->rt_dst;
                        optptr[2] = srrptr+4;
                } else if (net_ratelimit())
                        printk(KERN_CRIT "ip_forward(): Argh! Destination lost!\n");
                if (opt->ts_needaddr) {
                        optptr = raw + opt->ts;
-                        ip_rt_get_source(&optptr[optptr[2]-9], rt);
+                        ip_rt_get_source(&optptr[optptr[2]-9], skb, rt);
                        opt->is_changed = 1;
                }
        }
@@ -603,7 +601,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
        unsigned long orefdst;
        int err;
-        if (!opt->srr || !rt)
+        if (!rt)
                return 0;
        if (skb->pkt_type != PACKET_HOST)
@@ -637,7 +635,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
                if (rt2->rt_type != RTN_LOCAL)
                        break;
                /* Superfast 8) loopback forward */
-                memcpy(&iph->daddr, &optptr[srrptr-1], 4);
+                iph->daddr = nexthop;
                opt->is_changed = 1;
        }
        if (srrptr <= srrspace) {
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 459c011b1d4a..84f26e8e6c60 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -140,14 +140,14 @@ static inline int ip_select_ttl(struct inet_sock *inet, struct dst_entry *dst)
 *
 */
 int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
-                          __be32 saddr, __be32 daddr, struct ip_options *opt)
+                          __be32 saddr, __be32 daddr, struct ip_options_rcu *opt)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct rtable *rt = skb_rtable(skb);
        struct iphdr *iph;
        /* Build the IP header. */
-        skb_push(skb, sizeof(struct iphdr) + (opt ? opt->optlen : 0));
+        skb_push(skb, sizeof(struct iphdr) + (opt ? opt->opt.optlen : 0));
        skb_reset_network_header(skb);
        iph = ip_hdr(skb);
        iph->version  = 4;
@@ -158,14 +158,14 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
        else
                iph->frag_off = 0;
        iph->ttl      = ip_select_ttl(inet, &rt->dst);
-        iph->daddr    = rt->rt_dst;
+        iph->daddr    = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
-        iph->saddr    = rt->rt_src;
+        iph->saddr    = saddr;
        iph->protocol = sk->sk_protocol;
        ip_select_ident(iph, &rt->dst, sk);
-        if (opt && opt->optlen) {
+        if (opt && opt->opt.optlen) {
-                iph->ihl += opt->optlen>>2;
+                iph->ihl += opt->opt.optlen>>2;
-                ip_options_build(skb, opt, daddr, rt, 0);
+                ip_options_build(skb, &opt->opt, daddr, rt, 0);
        }
        skb->priority = sk->sk_priority;
@@ -312,11 +312,12 @@ int ip_output(struct sk_buff *skb)
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
-int ip_queue_xmit(struct sk_buff *skb)
+int ip_queue_xmit(struct sk_buff *skb, struct flowi *fl)
 {
        struct sock *sk = skb->sk;
        struct inet_sock *inet = inet_sk(sk);
-        struct ip_options *opt = inet->opt;
+        struct ip_options_rcu *inet_opt;
+        struct flowi4 *fl4;
        struct rtable *rt;
        struct iphdr *iph;
        int res;
@@ -325,6 +326,8 @@ int ip_queue_xmit(struct sk_buff *skb)
         * f.e. by something like SCTP.
         */
        rcu_read_lock();
+        inet_opt = rcu_dereference(inet->inet_opt);
+        fl4 = &fl->u.ip4;
        rt = skb_rtable(skb);
        if (rt != NULL)
                goto packet_routed;
@@ -336,14 +339,14 @@ int ip_queue_xmit(struct sk_buff *skb)
                /* Use correct destination address if we have options. */
                daddr = inet->inet_daddr;
-                if(opt && opt->srr)
+                if (inet_opt && inet_opt->opt.srr)
-                        daddr = opt->faddr;
+                        daddr = inet_opt->opt.faddr;
                /* If this fails, retransmit mechanism of transport layer will
                 * keep trying until route appears or the connection times
                 * itself out.
                 */
-                rt = ip_route_output_ports(sock_net(sk), sk,
+                rt = ip_route_output_ports(sock_net(sk), fl4, sk,
                                           daddr, inet->inet_saddr,
                                           inet->inet_dport,
                                           inet->inet_sport,
@@ -357,11 +360,11 @@ int ip_queue_xmit(struct sk_buff *skb)
        skb_dst_set_noref(skb, &rt->dst);
 packet_routed:
-        if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
+        if (inet_opt && inet_opt->opt.is_strictroute && fl4->daddr != rt->rt_gateway)
                goto no_route;
        /* OK, we know where to send it, allocate and build IP header. */
-        skb_push(skb, sizeof(struct iphdr) + (opt ? opt->optlen : 0));
+        skb_push(skb, sizeof(struct iphdr) + (inet_opt ? inet_opt->opt.optlen : 0));
        skb_reset_network_header(skb);
        iph = ip_hdr(skb);
        *((__be16 *)iph) = htons((4 << 12) | (5 << 8) | (inet->tos & 0xff));
@@ -371,13 +374,13 @@ packet_routed:
                iph->frag_off = 0;
        iph->ttl      = ip_select_ttl(inet, &rt->dst);
        iph->protocol = sk->sk_protocol;
-        iph->saddr    = rt->rt_src;
+        iph->saddr    = fl4->saddr;
-        iph->daddr    = rt->rt_dst;
+        iph->daddr    = fl4->daddr;
        /* Transport layer set skb->h.foo itself. */
-        if (opt && opt->optlen) {
+        if (inet_opt && inet_opt->opt.optlen) {
-                iph->ihl += opt->optlen >> 2;
+                iph->ihl += inet_opt->opt.optlen >> 2;
-                ip_options_build(skb, opt, inet->inet_daddr, rt, 0);
+                ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
        }
        ip_select_ident_more(iph, &rt->dst, sk,
@@ -773,7 +776,9 @@ static inline int ip_ufo_append_data(struct sock *sk,
                                       (length - transhdrlen));
 }
-static int __ip_append_data(struct sock *sk, struct sk_buff_head *queue,
+static int __ip_append_data(struct sock *sk,
+                            struct flowi4 *fl4,
+                            struct sk_buff_head *queue,
                            struct inet_cork *cork,
                            int getfrag(void *from, char *to, int offset,
                                        int len, int odd, struct sk_buff *skb),
@@ -794,9 +799,9 @@ static int __ip_append_data(struct sock *sk, struct sk_buff_head *queue,
        int csummode = CHECKSUM_NONE;
        struct rtable *rt = (struct rtable *)cork->dst;
-        exthdrlen = transhdrlen ? rt->dst.header_len : 0;
+        skb = skb_peek_tail(queue);
-        length += exthdrlen;
-        transhdrlen += exthdrlen;
+        exthdrlen = !skb ? rt->dst.header_len : 0;
        mtu = cork->fragsize;
        hh_len = LL_RESERVED_SPACE(rt->dst.dev);
@@ -805,7 +810,7 @@ static int __ip_append_data(struct sock *sk, struct sk_buff_head *queue,
        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;
        if (cork->length + length > 0xFFFF - fragheaderlen) {
-                ip_local_error(sk, EMSGSIZE, rt->rt_dst, inet->inet_dport,
+                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
                               mtu-exthdrlen);
                return -EMSGSIZE;
        }
@@ -820,12 +825,10 @@ static int __ip_append_data(struct sock *sk, struct sk_buff_head *queue,
            !exthdrlen)
                csummode = CHECKSUM_PARTIAL;
-        skb = skb_peek_tail(queue);
        cork->length += length;
        if (((length > mtu) || (skb && skb_is_gso(skb))) &&
            (sk->sk_protocol == IPPROTO_UDP) &&
-            (rt->dst.dev->features & NETIF_F_UFO)) {
+            (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
                err = ip_ufo_append_data(sk, queue, getfrag, from, length,
                                         hh_len, fragheaderlen, transhdrlen,
                                         mtu, flags);
@@ -878,17 +881,16 @@ alloc_new_skb:
                        else
                                alloclen = fraglen;
+                        alloclen += exthdrlen;
                        /* The last fragment gets additional space at tail.
                         * Note, with MSG_MORE we overallocate on fragments,
                         * because we have no idea what fragment will be
                         * the last.
                         */
-                        if (datalen == length + fraggap) {
+                        if (datalen == length + fraggap)
                                alloclen += rt->dst.trailer_len;
-                                /* make sure mtu is not reached */
-                                if (datalen > mtu - fragheaderlen - rt->dst.trailer_len)
-                                        datalen -= ALIGN(rt->dst.trailer_len, 8);
-                        }
                        if (transhdrlen) {
                                skb = sock_alloc_send_skb(sk,
                                                alloclen + hh_len + 15,
@@ -921,11 +923,11 @@ alloc_new_skb:
                        /*
                         *      Find where to start putting bytes.
                         */
-                        data = skb_put(skb, fraglen);
+                        data = skb_put(skb, fraglen + exthdrlen);
                        skb_set_network_header(skb, exthdrlen);
                        skb->transport_header = (skb->network_header +
                                                 fragheaderlen);
-                        data += fragheaderlen;
+                        data += fragheaderlen + exthdrlen;
                        if (fraggap) {
                                skb->csum = skb_copy_and_csum_bits(
@@ -1033,7 +1035,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
                         struct ipcm_cookie *ipc, struct rtable **rtp)
 {
        struct inet_sock *inet = inet_sk(sk);
-        struct ip_options *opt;
+        struct ip_options_rcu *opt;
        struct rtable *rt;
        /*
@@ -1047,7 +1049,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
                        if (unlikely(cork->opt == NULL))
                                return -ENOBUFS;
                }
-                memcpy(cork->opt, opt, sizeof(struct ip_options) + opt->optlen);
+                memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);
                cork->flags |= IPCORK_OPT;
                cork->addr = ipc->addr;
        }
@@ -1059,7 +1061,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
         */
        *rtp = NULL;
        cork->fragsize = inet->pmtudisc == IP_PMTUDISC_PROBE ?
-                         rt->dst.dev->mtu : dst_mtu(rt->dst.path);
+                         rt->dst.dev->mtu : dst_mtu(&rt->dst);
        cork->dst = &rt->dst;
        cork->length = 0;
        cork->tx_flags = ipc->tx_flags;
@@ -1080,7 +1082,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
 *
 *      LATER: length must be adjusted by pad at tail, when it is required.
 */
-int ip_append_data(struct sock *sk,
+int ip_append_data(struct sock *sk, struct flowi4 *fl4,
                   int getfrag(void *from, char *to, int offset, int len,
                               int odd, struct sk_buff *skb),
                   void *from, int length, int transhdrlen,
@@ -1094,24 +1096,25 @@ int ip_append_data(struct sock *sk,
                return 0;
        if (skb_queue_empty(&sk->sk_write_queue)) {
-                err = ip_setup_cork(sk, &inet->cork, ipc, rtp);
+                err = ip_setup_cork(sk, &inet->cork.base, ipc, rtp);
                if (err)
                        return err;
        } else {
                transhdrlen = 0;
        }
-        return __ip_append_data(sk, &sk->sk_write_queue, &inet->cork, getfrag,
+        return __ip_append_data(sk, fl4, &sk->sk_write_queue, &inet->cork.base, getfrag,
                                from, length, transhdrlen, flags);
 }
-ssize_t ip_append_page(struct sock *sk, struct page *page,
+ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
                       int offset, size_t size, int flags)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct sk_buff *skb;
        struct rtable *rt;
        struct ip_options *opt = NULL;
+        struct inet_cork *cork;
        int hh_len;
        int mtu;
        int len;
@@ -1127,28 +1130,29 @@ ssize_t	ip_append_page(struct sock *sk, struct page *page,
        if (skb_queue_empty(&sk->sk_write_queue))
                return -EINVAL;
-        rt = (struct rtable *)inet->cork.dst;
+        cork = &inet->cork.base;
-        if (inet->cork.flags & IPCORK_OPT)
+        rt = (struct rtable *)cork->dst;
-                opt = inet->cork.opt;
+        if (cork->flags & IPCORK_OPT)
+                opt = cork->opt;
        if (!(rt->dst.dev->features&NETIF_F_SG))
                return -EOPNOTSUPP;
        hh_len = LL_RESERVED_SPACE(rt->dst.dev);
-        mtu = inet->cork.fragsize;
+        mtu = cork->fragsize;
        fragheaderlen = sizeof(struct iphdr) + (opt ? opt->optlen : 0);
        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;
-        if (inet->cork.length + size > 0xFFFF - fragheaderlen) {
+        if (cork->length + size > 0xFFFF - fragheaderlen) {
-                ip_local_error(sk, EMSGSIZE, rt->rt_dst, inet->inet_dport, mtu);
+                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport, mtu);
                return -EMSGSIZE;
        }
        if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
                return -EINVAL;
-        inet->cork.length += size;
+        cork->length += size;
        if ((size + skb->len > mtu) &&
            (sk->sk_protocol == IPPROTO_UDP) &&
            (rt->dst.dev->features & NETIF_F_UFO)) {
@@ -1243,7 +1247,7 @@ ssize_t	ip_append_page(struct sock *sk, struct page *page,
        return 0;
 error:
-        inet->cork.length -= size;
+        cork->length -= size;
        IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTDISCARDS);
        return err;
 }
@@ -1262,6 +1266,7 @@ static void ip_cork_release(struct inet_cork *cork)
 *      and push them out.
 */
 struct sk_buff *__ip_make_skb(struct sock *sk,
+                              struct flowi4 *fl4,
                              struct sk_buff_head *queue,
                              struct inet_cork *cork)
 {
@@ -1319,17 +1324,18 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
        iph = (struct iphdr *)skb->data;
        iph->version = 4;
        iph->ihl = 5;
-        if (opt) {
-                iph->ihl += opt->optlen>>2;
-                ip_options_build(skb, opt, cork->addr, rt, 0);
-        }
        iph->tos = inet->tos;
        iph->frag_off = df;
        ip_select_ident(iph, &rt->dst, sk);
        iph->ttl = ttl;
        iph->protocol = sk->sk_protocol;
-        iph->saddr = rt->rt_src;
+        iph->saddr = fl4->saddr;
-        iph->daddr = rt->rt_dst;
+        iph->daddr = fl4->daddr;
+        if (opt) {
+                iph->ihl += opt->optlen>>2;
+                ip_options_build(skb, opt, cork->addr, rt, 0);
+        }
        skb->priority = sk->sk_priority;
        skb->mark = sk->sk_mark;
@@ -1365,11 +1371,11 @@ int ip_send_skb(struct sk_buff *skb)
        return err;
 }
-int ip_push_pending_frames(struct sock *sk)
+int ip_push_pending_frames(struct sock *sk, struct flowi4 *fl4)
 {
        struct sk_buff *skb;
-        skb = ip_finish_skb(sk);
+        skb = ip_finish_skb(sk, fl4);
        if (!skb)
                return 0;
@@ -1394,17 +1400,18 @@ static void __ip_flush_pending_frames(struct sock *sk,
 void ip_flush_pending_frames(struct sock *sk)
 {
-        __ip_flush_pending_frames(sk, &sk->sk_write_queue, &inet_sk(sk)->cork);
+        __ip_flush_pending_frames(sk, &sk->sk_write_queue, &inet_sk(sk)->cork.base);
 }
 struct sk_buff *ip_make_skb(struct sock *sk,
+                            struct flowi4 *fl4,
                            int getfrag(void *from, char *to, int offset,
                                        int len, int odd, struct sk_buff *skb),
                            void *from, int length, int transhdrlen,
                            struct ipcm_cookie *ipc, struct rtable **rtp,
                            unsigned int flags)
 {
-        struct inet_cork cork = {};
+        struct inet_cork cork;
        struct sk_buff_head queue;
        int err;
@@ -1413,18 +1420,21 @@ struct sk_buff *ip_make_skb(struct sock *sk,
        __skb_queue_head_init(&queue);
+        cork.flags = 0;
+        cork.addr = 0;
+        cork.opt = NULL;
        err = ip_setup_cork(sk, &cork, ipc, rtp);
        if (err)
                return ERR_PTR(err);
-        err = __ip_append_data(sk, &queue, &cork, getfrag,
+        err = __ip_append_data(sk, fl4, &queue, &cork, getfrag,
                               from, length, transhdrlen, flags);
        if (err) {
                __ip_flush_pending_frames(sk, &queue, &cork);
                return ERR_PTR(err);
        }
-        return __ip_make_skb(sk, &queue, &cork);
+        return __ip_make_skb(sk, fl4, &queue, &cork);
 }
 /*
@@ -1447,48 +1457,39 @@ static int ip_reply_glue_bits(void *dptr, char *to, int offset,
 *      Should run single threaded per socket because it uses the sock
 *      structure to pass arguments.
 */
-void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *arg,
+void ip_send_reply(struct sock *sk, struct sk_buff *skb, __be32 daddr,
-                   unsigned int len)
+                   struct ip_reply_arg *arg, unsigned int len)
 {
        struct inet_sock *inet = inet_sk(sk);
-        struct {
+        struct ip_options_data replyopts;
-                struct ip_options       opt;
-                char                    data[40];
-        } replyopts;
        struct ipcm_cookie ipc;
-        __be32 daddr;
+        struct flowi4 fl4;
        struct rtable *rt = skb_rtable(skb);
-        if (ip_options_echo(&replyopts.opt, skb))
+        if (ip_options_echo(&replyopts.opt.opt, skb))
                return;
-        daddr = ipc.addr = rt->rt_src;
+        ipc.addr = daddr;
        ipc.opt = NULL;
        ipc.tx_flags = 0;
-        if (replyopts.opt.optlen) {
+        if (replyopts.opt.opt.optlen) {
                ipc.opt = &replyopts.opt;
-                if (ipc.opt->srr)
+                if (replyopts.opt.opt.srr)
-                        daddr = replyopts.opt.faddr;
+                        daddr = replyopts.opt.opt.faddr;
        }
-        {
+        flowi4_init_output(&fl4, arg->bound_dev_if, 0,
-                struct flowi4 fl4 = {
+                           RT_TOS(ip_hdr(skb)->tos),
-                        .flowi4_oif = arg->bound_dev_if,
+                           RT_SCOPE_UNIVERSE, sk->sk_protocol,
-                        .daddr = daddr,
+                           ip_reply_arg_flowi_flags(arg),
-                        .saddr = rt->rt_spec_dst,
+                           daddr, rt->rt_spec_dst,
-                        .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
+                           tcp_hdr(skb)->source, tcp_hdr(skb)->dest);
-                        .fl4_sport = tcp_hdr(skb)->dest,
+        security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
-                        .fl4_dport = tcp_hdr(skb)->source,
+        rt = ip_route_output_key(sock_net(sk), &fl4);
-                        .flowi4_proto = sk->sk_protocol,
+        if (IS_ERR(rt))
-                        .flowi4_flags = ip_reply_arg_flowi_flags(arg),
+                return;
-                };
-                security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
-                rt = ip_route_output_key(sock_net(sk), &fl4);
-                if (IS_ERR(rt))
-                        return;
-        }
        /* And let IP do all the hard work.
@@ -1501,7 +1502,7 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar
        sk->sk_priority = skb->priority;
        sk->sk_protocol = ip_hdr(skb)->protocol;
        sk->sk_bound_dev_if = arg->bound_dev_if;
-        ip_append_data(sk, ip_reply_glue_bits, arg->iov->iov_base, len, 0,
+        ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, len, 0,
                       &ipc, &rt, MSG_DONTWAIT);
        if ((skb = skb_peek(&sk->sk_write_queue)) != NULL) {
                if (arg->csumoffset >= 0)
@@ -1509,7 +1510,7 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar
                          arg->csumoffset) = csum_fold(csum_add(skb->csum,
                                                                arg->csum));
                skb->ip_summed = CHECKSUM_NONE;
-                ip_push_pending_frames(sk);
+                ip_push_pending_frames(sk, &fl4);
        }
        bh_unlock_sock(sk);
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 3948c86e59ca..ab0c9efd1efa 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -131,7 +131,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
 {
        struct sockaddr_in sin;
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        __be16 *ports = (__be16 *)skb_transport_header(skb);
        if (skb_transport_offset(skb) + 4 > skb->len)
@@ -451,6 +451,11 @@ out:
 }
+static void opt_kfree_rcu(struct rcu_head *head)
+{
+        kfree(container_of(head, struct ip_options_rcu, rcu));
+}
 /*
 *      Socket option code for IP. This is the end of the line after any
 *      TCP,UDP etc options on an IP socket.
@@ -497,13 +502,16 @@ static int do_ip_setsockopt(struct sock *sk, int level,
        switch (optname) {
        case IP_OPTIONS:
        {
-                struct ip_options *opt = NULL;
+                struct ip_options_rcu *old, *opt = NULL;
                if (optlen > 40)
                        goto e_inval;
                err = ip_options_get_from_user(sock_net(sk), &opt,
                                               optval, optlen);
                if (err)
                        break;
+                old = rcu_dereference_protected(inet->inet_opt,
+                                                sock_owned_by_user(sk));
                if (inet->is_icsk) {
                        struct inet_connection_sock *icsk = inet_csk(sk);
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -512,17 +520,18 @@ static int do_ip_setsockopt(struct sock *sk, int level,
                               (TCPF_LISTEN | TCPF_CLOSE)) &&
                             inet->inet_daddr != LOOPBACK4_IPV6)) {
 #endif
-                                if (inet->opt)
+                                if (old)
-                                        icsk->icsk_ext_hdr_len -= inet->opt->optlen;
+                                        icsk->icsk_ext_hdr_len -= old->opt.optlen;
                                if (opt)
-                                        icsk->icsk_ext_hdr_len += opt->optlen;
+                                        icsk->icsk_ext_hdr_len += opt->opt.optlen;
                                icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                        }
 #endif
                }
-                opt = xchg(&inet->opt, opt);
+                rcu_assign_pointer(inet->inet_opt, opt);
-                kfree(opt);
+                if (old)
+                        call_rcu(&old->rcu, opt_kfree_rcu);
                break;
        }
        case IP_PKTINFO:
@@ -1081,12 +1090,16 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
        case IP_OPTIONS:
        {
                unsigned char optbuf[sizeof(struct ip_options)+40];
-                struct ip_options * opt = (struct ip_options *)optbuf;
+                struct ip_options *opt = (struct ip_options *)optbuf;
+                struct ip_options_rcu *inet_opt;
+                inet_opt = rcu_dereference_protected(inet->inet_opt,
+                                                     sock_owned_by_user(sk));
                opt->optlen = 0;
-                if (inet->opt)
+                if (inet_opt)
-                        memcpy(optbuf, inet->opt,
+                        memcpy(optbuf, &inet_opt->opt,
-                               sizeof(struct ip_options)+
+                               sizeof(struct ip_options) +
-                               inet->opt->optlen);
+                               inet_opt->opt.optlen);
                release_sock(sk);
                if (opt->optlen == 0)
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 629067571f02..c857f6f49b03 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -27,7 +27,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
 {
        struct net *net = dev_net(skb->dev);
        __be32 spi;
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct ip_comp_hdr *ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2));
        struct xfrm_state *x;
@@ -36,7 +36,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
                return;
        spi = htonl(ntohs(ipch->cpi));
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr,
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
                              spi, IPPROTO_COMP, AF_INET);
        if (!x)
                return;
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index cbff2ecccf3d..ab7e5542c1cf 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -87,8 +87,8 @@
 #endif
 /* Define the friendly delay before and after opening net devices */
-#define CONF_PRE_OPEN           500     /* Before opening: 1/2 second */
+#define CONF_POST_OPEN          10      /* After opening: 10 msecs */
-#define CONF_POST_OPEN          1       /* After opening: 1 second */
+#define CONF_CARRIER_TIMEOUT    120000  /* Wait for carrier timeout */
 /* Define the timeout for waiting for a DHCP/BOOTP/RARP reply */
 #define CONF_OPEN_RETRIES       2       /* (Re)open devices twice */
@@ -188,14 +188,14 @@ struct ic_device {
 static struct ic_device *ic_first_dev __initdata = NULL;/* List of open device */
 static struct net_device *ic_dev __initdata = NULL;     /* Selected device */
-static bool __init ic_device_match(struct net_device *dev)
+static bool __init ic_is_init_dev(struct net_device *dev)
 {
-        if (user_dev_name[0] ? !strcmp(dev->name, user_dev_name) :
+        if (dev->flags & IFF_LOOPBACK)
+                return false;
+        return user_dev_name[0] ? !strcmp(dev->name, user_dev_name) :
            (!(dev->flags & IFF_LOOPBACK) &&
             (dev->flags & (IFF_POINTOPOINT|IFF_BROADCAST)) &&
-             strncmp(dev->name, "dummy", 5)))
+             strncmp(dev->name, "dummy", 5));
-                return true;
-        return false;
 }
 static int __init ic_open_devs(void)
@@ -203,6 +203,7 @@ static int __init ic_open_devs(void)
        struct ic_device *d, **last;
        struct net_device *dev;
        unsigned short oflags;
+        unsigned long start;
        last = &ic_first_dev;
        rtnl_lock();
@@ -216,9 +217,7 @@ static int __init ic_open_devs(void)
        }
        for_each_netdev(&init_net, dev) {
-                if (dev->flags & IFF_LOOPBACK)
+                if (ic_is_init_dev(dev)) {
-                        continue;
-                if (ic_device_match(dev)) {
                        int able = 0;
                        if (dev->mtu >= 364)
                                able |= IC_BOOTP;
@@ -252,6 +251,17 @@ static int __init ic_open_devs(void)
                                dev->name, able, d->xid));
                }
        }
+        /* wait for a carrier on at least one device */
+        start = jiffies;
+        while (jiffies - start < msecs_to_jiffies(CONF_CARRIER_TIMEOUT)) {
+                for_each_netdev(&init_net, dev)
+                        if (ic_is_init_dev(dev) && netif_carrier_ok(dev))
+                                goto have_carrier;
+                msleep(1);
+        }
+have_carrier:
        rtnl_unlock();
        *last = NULL;
@@ -1324,14 +1334,13 @@ static int __init wait_for_devices(void)
 {
        int i;
-        msleep(CONF_PRE_OPEN);
        for (i = 0; i < DEVICE_WAIT_MAX; i++) {
                struct net_device *dev;
                int found = 0;
                rtnl_lock();
                for_each_netdev(&init_net, dev) {
-                        if (ic_device_match(dev)) {
+                        if (ic_is_init_dev(dev)) {
                                found = 1;
                                break;
                        }
@@ -1378,7 +1387,7 @@ static int __init ip_auto_config(void)
                return err;
        /* Give drivers a chance to settle */
-        ssleep(CONF_POST_OPEN);
+        msleep(CONF_POST_OPEN);
        /*
         * If the config information is insufficient (e.g., our IP address or
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index bfc17c5914e7..378b20b7ca6e 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -276,11 +276,6 @@ static struct ip_tunnel * ipip_tunnel_locate(struct net *net,
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        nt = netdev_priv(dev);
        nt->parms = *parms;
@@ -319,7 +314,7 @@ static int ipip_err(struct sk_buff *skb, u32 info)
   8 bytes of packet payload. It means, that precise relaying of
   ICMP in the real Internet is absolutely infeasible.
 */
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
        struct ip_tunnel *t;
@@ -433,15 +428,16 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
        struct pcpu_tstats *tstats;
-        struct iphdr  *tiph = &tunnel->parms.iph;
+        const struct iphdr  *tiph = &tunnel->parms.iph;
        u8     tos = tunnel->parms.iph.tos;
        __be16 df = tiph->frag_off;
        struct rtable *rt;                      /* Route to the other host */
        struct net_device *tdev;                /* Device to other host */
-        struct iphdr  *old_iph = ip_hdr(skb);
+        const struct iphdr  *old_iph = ip_hdr(skb);
        struct iphdr  *iph;                     /* Our new IP header */
        unsigned int max_headroom;              /* The extra header space needed */
        __be32 dst = tiph->daddr;
+        struct flowi4 fl4;
        int    mtu;
        if (skb->protocol != htons(ETH_P_IP))
@@ -460,7 +456,7 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                        goto tx_error_icmp;
        }
-        rt = ip_route_output_ports(dev_net(dev), NULL,
+        rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
                                   dst, tiph->saddr,
                                   0, 0,
                                   IPPROTO_IPIP, RT_TOS(tos),
@@ -549,8 +545,8 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_IPIP;
        iph->tos                =       INET_ECN_encapsulate(tos, old_iph->tos);
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       fl4.daddr;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       fl4.saddr;
        if ((iph->ttl = tiph->ttl) == 0)
                iph->ttl        =       old_iph->ttl;
@@ -572,19 +568,21 @@ static void ipip_tunnel_bind_dev(struct net_device *dev)
 {
        struct net_device *tdev = NULL;
        struct ip_tunnel *tunnel;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        tunnel = netdev_priv(dev);
        iph = &tunnel->parms.iph;
        if (iph->daddr) {
-                struct rtable *rt = ip_route_output_ports(dev_net(dev), NULL,
+                struct rtable *rt;
-                                                          iph->daddr, iph->saddr,
+                struct flowi4 fl4;
-                                                          0, 0,
-                                                          IPPROTO_IPIP,
+                rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
-                                                          RT_TOS(iph->tos),
+                                           iph->daddr, iph->saddr,
-                                                          tunnel->parms.link);
+                                           0, 0,
+                                           IPPROTO_IPIP,
+                                           RT_TOS(iph->tos),
+                                           tunnel->parms.link);
                if (!IS_ERR(rt)) {
                        tdev = rt->dst.dev;
                        ip_rt_put(rt);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 1f62eaeb6de4..30a7763c400e 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1549,7 +1549,7 @@ static struct notifier_block ip_mr_notifier = {
 static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
 {
        struct iphdr *iph;
-        struct iphdr *old_iph = ip_hdr(skb);
+        const struct iphdr *old_iph = ip_hdr(skb);
        skb_push(skb, sizeof(struct iphdr));
        skb->transport_header = skb->network_header;
@@ -1595,6 +1595,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
        struct vif_device *vif = &mrt->vif_table[vifi];
        struct net_device *dev;
        struct rtable *rt;
+        struct flowi4 fl4;
        int    encap = 0;
        if (vif->dev == NULL)
@@ -1612,7 +1613,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
 #endif
        if (vif->flags & VIFF_TUNNEL) {
-                rt = ip_route_output_ports(net, NULL,
+                rt = ip_route_output_ports(net, &fl4, NULL,
                                           vif->remote, vif->local,
                                           0, 0,
                                           IPPROTO_IPIP,
@@ -1621,7 +1622,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
                        goto out_free;
                encap = sizeof(struct iphdr);
        } else {
-                rt = ip_route_output_ports(net, NULL, iph->daddr, 0,
+                rt = ip_route_output_ports(net, &fl4, NULL, iph->daddr, 0,
                                           0, 0,
                                           IPPROTO_IPIP,
                                           RT_TOS(iph->tos), vif->link);
@@ -1788,12 +1789,14 @@ dont_forward:
        return 0;
 }
-static struct mr_table *ipmr_rt_fib_lookup(struct net *net, struct rtable *rt)
+static struct mr_table *ipmr_rt_fib_lookup(struct net *net, struct sk_buff *skb)
 {
+        struct rtable *rt = skb_rtable(skb);
+        struct iphdr *iph = ip_hdr(skb);
        struct flowi4 fl4 = {
-                .daddr = rt->rt_key_dst,
+                .daddr = iph->daddr,
-                .saddr = rt->rt_key_src,
+                .saddr = iph->saddr,
-                .flowi4_tos = rt->rt_tos,
+                .flowi4_tos = iph->tos,
                .flowi4_oif = rt->rt_oif,
                .flowi4_iif = rt->rt_iif,
                .flowi4_mark = rt->rt_mark,
@@ -1825,7 +1828,7 @@ int ip_mr_input(struct sk_buff *skb)
        if (IPCB(skb)->flags & IPSKB_FORWARDED)
                goto dont_forward;
-        mrt = ipmr_rt_fib_lookup(net, skb_rtable(skb));
+        mrt = ipmr_rt_fib_lookup(net, skb);
        if (IS_ERR(mrt)) {
                kfree_skb(skb);
                return PTR_ERR(mrt);
@@ -1957,7 +1960,7 @@ int pim_rcv_v1(struct sk_buff *skb)
        pim = igmp_hdr(skb);
-        mrt = ipmr_rt_fib_lookup(net, skb_rtable(skb));
+        mrt = ipmr_rt_fib_lookup(net, skb);
        if (IS_ERR(mrt))
                goto drop;
        if (!mrt->mroute_do_pim ||
@@ -1989,7 +1992,7 @@ static int pim_rcv(struct sk_buff *skb)
             csum_fold(skb_checksum(skb, 0, skb->len, 0))))
                goto drop;
-        mrt = ipmr_rt_fib_lookup(net, skb_rtable(skb));
+        mrt = ipmr_rt_fib_lookup(net, skb);
        if (IS_ERR(mrt))
                goto drop;
        if (__pim_rcv(mrt, skb, sizeof(*pim))) {
@@ -2038,20 +2041,20 @@ rtattr_failure:
        return -EMSGSIZE;
 }
-int ipmr_get_route(struct net *net,
+int ipmr_get_route(struct net *net, struct sk_buff *skb,
-                   struct sk_buff *skb, struct rtmsg *rtm, int nowait)
+                   __be32 saddr, __be32 daddr,
+                   struct rtmsg *rtm, int nowait)
 {
-        int err;
-        struct mr_table *mrt;
        struct mfc_cache *cache;
-        struct rtable *rt = skb_rtable(skb);
+        struct mr_table *mrt;
+        int err;
        mrt = ipmr_get_table(net, RT_TABLE_DEFAULT);
        if (mrt == NULL)
                return -ENOENT;
        rcu_read_lock();
-        cache = ipmr_cache_find(mrt, rt->rt_src, rt->rt_dst);
+        cache = ipmr_cache_find(mrt, saddr, daddr);
        if (cache == NULL) {
                struct sk_buff *skb2;
@@ -2084,8 +2087,8 @@ int ipmr_get_route(struct net *net,
                skb_reset_network_header(skb2);
                iph = ip_hdr(skb2);
                iph->ihl = sizeof(struct iphdr) >> 2;
-                iph->saddr = rt->rt_src;
+                iph->saddr = saddr;
-                iph->daddr = rt->rt_dst;
+                iph->daddr = daddr;
                iph->version = 0;
                err = ipmr_cache_unresolved(mrt, vif, skb2);
                read_unlock(&mrt_lock);
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 4614babdc45f..2e97e3ec1eb7 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -17,51 +17,35 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
        const struct iphdr *iph = ip_hdr(skb);
        struct rtable *rt;
        struct flowi4 fl4 = {};
-        unsigned long orefdst;
+        __be32 saddr = iph->saddr;
+        __u8 flags = 0;
        unsigned int hh_len;
-        unsigned int type;
-        type = inet_addr_type(net, iph->saddr);
+        if (!skb->sk && addr_type != RTN_LOCAL) {
-        if (skb->sk && inet_sk(skb->sk)->transparent)
+                if (addr_type == RTN_UNSPEC)
-                type = RTN_LOCAL;
+                        addr_type = inet_addr_type(net, saddr);
-        if (addr_type == RTN_UNSPEC)
+                if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
-                addr_type = type;
+                        flags |= FLOWI_FLAG_ANYSRC;
+                else
+                        saddr = 0;
+        }
        /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
         * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
         */
-        if (addr_type == RTN_LOCAL) {
+        fl4.daddr = iph->daddr;
-                fl4.daddr = iph->daddr;
+        fl4.saddr = saddr;
-                if (type == RTN_LOCAL)
+        fl4.flowi4_tos = RT_TOS(iph->tos);
-                        fl4.saddr = iph->saddr;
+        fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
-                fl4.flowi4_tos = RT_TOS(iph->tos);
+        fl4.flowi4_mark = skb->mark;
-                fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+        fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : flags;
-                fl4.flowi4_mark = skb->mark;
+        rt = ip_route_output_key(net, &fl4);
-                fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+        if (IS_ERR(rt))
-                rt = ip_route_output_key(net, &fl4);
+                return -1;
-                if (IS_ERR(rt))
-                        return -1;
-                /* Drop old route. */
-                skb_dst_drop(skb);
-                skb_dst_set(skb, &rt->dst);
-        } else {
-                /* non-local src, find valid iif to satisfy
-                 * rp-filter when calling ip_route_input. */
-                fl4.daddr = iph->saddr;
-                rt = ip_route_output_key(net, &fl4);
-                if (IS_ERR(rt))
-                        return -1;
-                orefdst = skb->_skb_refdst;
+        /* Drop old route. */
-                if (ip_route_input(skb, iph->daddr, iph->saddr,
+        skb_dst_drop(skb);
-                                   RT_TOS(iph->tos), rt->dst.dev) != 0) {
+        skb_dst_set(skb, &rt->dst);
-                        dst_release(&rt->dst);
-                        return -1;
-                }
-                dst_release(&rt->dst);
-                refdst_drop(orefdst);
-        }
        if (skb_dst(skb)->error)
                return -1;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 89bc7e66d598..fd7a3f68917f 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -260,6 +260,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
        void *table_base;
        const struct xt_table_info *private;
        struct xt_action_param acpar;
+        unsigned int addend;
        if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
                return NF_DROP;
@@ -267,7 +268,8 @@ unsigned int arpt_do_table(struct sk_buff *skb,
        indev = in ? in->name : nulldevname;
        outdev = out ? out->name : nulldevname;
-        xt_info_rdlock_bh();
+        local_bh_disable();
+        addend = xt_write_recseq_begin();
        private = table->private;
        table_base = private->entries[smp_processor_id()];
@@ -338,7 +340,8 @@ unsigned int arpt_do_table(struct sk_buff *skb,
                        /* Verdict */
                        break;
        } while (!acpar.hotdrop);
-        xt_info_rdunlock_bh();
+        xt_write_recseq_end(addend);
+        local_bh_enable();
        if (acpar.hotdrop)
                return NF_DROP;
@@ -712,7 +715,7 @@ static void get_counters(const struct xt_table_info *t,
        unsigned int i;
        for_each_possible_cpu(cpu) {
-                seqlock_t *lock = &per_cpu(xt_info_locks, cpu).lock;
+                seqcount_t *s = &per_cpu(xt_recseq, cpu);
                i = 0;
                xt_entry_foreach(iter, t->entries[cpu], t->size) {
@@ -720,10 +723,10 @@ static void get_counters(const struct xt_table_info *t,
                        unsigned int start;
                        do {
-                                start = read_seqbegin(lock);
+                                start = read_seqcount_begin(s);
                                bcnt = iter->counters.bcnt;
                                pcnt = iter->counters.pcnt;
-                        } while (read_seqretry(lock, start));
+                        } while (read_seqcount_retry(s, start));
                        ADD_COUNTER(counters[i], bcnt, pcnt);
                        ++i;
@@ -1115,6 +1118,7 @@ static int do_add_counters(struct net *net, const void __user *user,
        int ret = 0;
        void *loc_cpu_entry;
        struct arpt_entry *iter;
+        unsigned int addend;
 #ifdef CONFIG_COMPAT
        struct compat_xt_counters_info compat_tmp;
@@ -1171,12 +1175,12 @@ static int do_add_counters(struct net *net, const void __user *user,
        /* Choose the copy that is on our node */
        curcpu = smp_processor_id();
        loc_cpu_entry = private->entries[curcpu];
-        xt_info_wrlock(curcpu);
+        addend = xt_write_recseq_begin();
        xt_entry_foreach(iter, loc_cpu_entry, private->size) {
                ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
                ++i;
        }
-        xt_info_wrunlock(curcpu);
+        xt_write_recseq_end(addend);
 unlock_up_free:
        local_bh_enable();
        xt_table_unlock(t);
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index d2c1311cb28d..5c9b9d963918 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -203,7 +203,8 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
        else
                pmsg->outdev_name[0] = '\0';
-        if (entry->indev && entry->skb->dev) {
+        if (entry->indev && entry->skb->dev &&
+            entry->skb->mac_header != entry->skb->network_header) {
                pmsg->hw_type = entry->skb->dev->type;
                pmsg->hw_addrlen = dev_parse_header(entry->skb,
                                                    pmsg->hw_addr);
@@ -402,7 +403,8 @@ ipq_dev_drop(int ifindex)
 static inline void
 __ipq_rcv_skb(struct sk_buff *skb)
 {
-        int status, type, pid, flags, nlmsglen, skblen;
+        int status, type, pid, flags;
+        unsigned int nlmsglen, skblen;
        struct nlmsghdr *nlh;
        skblen = skb->len;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 704915028009..24e556e83a3b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -68,15 +68,6 @@ void *ipt_alloc_initial_table(const struct xt_table *info)
 }
 EXPORT_SYMBOL_GPL(ipt_alloc_initial_table);
-/*
-   We keep a set of rules for each CPU, so we can avoid write-locking
-   them in the softirq when updating the counters and therefore
-   only need to read-lock in the softirq; doing a write_lock_bh() in user
-   context stops packets coming through and allows user context to read
-   the counters or update the rules.
-   Hence the start of any table is given by get_table() below.  */
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -311,6 +302,7 @@ ipt_do_table(struct sk_buff *skb,
        unsigned int *stackptr, origptr, cpu;
        const struct xt_table_info *private;
        struct xt_action_param acpar;
+        unsigned int addend;
        /* Initialization */
        ip = ip_hdr(skb);
@@ -331,7 +323,8 @@ ipt_do_table(struct sk_buff *skb,
        acpar.hooknum = hook;
        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
-        xt_info_rdlock_bh();
+        local_bh_disable();
+        addend = xt_write_recseq_begin();
        private = table->private;
        cpu        = smp_processor_id();
        table_base = private->entries[cpu];
@@ -430,7 +423,9 @@ ipt_do_table(struct sk_buff *skb,
        pr_debug("Exiting %s; resetting sp from %u to %u\n",
                 __func__, *stackptr, origptr);
        *stackptr = origptr;
-        xt_info_rdunlock_bh();
+        xt_write_recseq_end(addend);
+        local_bh_enable();
 #ifdef DEBUG_ALLOW_ALL
        return NF_ACCEPT;
 #else
@@ -571,7 +566,7 @@ check_entry(const struct ipt_entry *e, const char *name)
        const struct xt_entry_target *t;
        if (!ip_checkentry(&e->ip)) {
-                duprintf("ip check failed %p %s.\n", e, par->match->name);
+                duprintf("ip check failed %p %s.\n", e, name);
                return -EINVAL;
        }
@@ -886,7 +881,7 @@ get_counters(const struct xt_table_info *t,
        unsigned int i;
        for_each_possible_cpu(cpu) {
-                seqlock_t *lock = &per_cpu(xt_info_locks, cpu).lock;
+                seqcount_t *s = &per_cpu(xt_recseq, cpu);
                i = 0;
                xt_entry_foreach(iter, t->entries[cpu], t->size) {
@@ -894,10 +889,10 @@ get_counters(const struct xt_table_info *t,
                        unsigned int start;
                        do {
-                                start = read_seqbegin(lock);
+                                start = read_seqcount_begin(s);
                                bcnt = iter->counters.bcnt;
                                pcnt = iter->counters.pcnt;
-                        } while (read_seqretry(lock, start));
+                        } while (read_seqcount_retry(s, start));
                        ADD_COUNTER(counters[i], bcnt, pcnt);
                        ++i; /* macro does multi eval of i */
@@ -1312,6 +1307,7 @@ do_add_counters(struct net *net, const void __user *user,
        int ret = 0;
        void *loc_cpu_entry;
        struct ipt_entry *iter;
+        unsigned int addend;
 #ifdef CONFIG_COMPAT
        struct compat_xt_counters_info compat_tmp;
@@ -1368,12 +1364,12 @@ do_add_counters(struct net *net, const void __user *user,
        /* Choose the copy that is on our node */
        curcpu = smp_processor_id();
        loc_cpu_entry = private->entries[curcpu];
-        xt_info_wrlock(curcpu);
+        addend = xt_write_recseq_begin();
        xt_entry_foreach(iter, loc_cpu_entry, private->size) {
                ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
                ++i;
        }
-        xt_info_wrunlock(curcpu);
+        xt_write_recseq_end(addend);
 unlock_up_free:
        local_bh_enable();
        xt_table_unlock(t);
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index d609ac3cb9a4..5c9e97c79017 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -307,7 +307,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
         * error messages (RELATED) and information requests (see below) */
        if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
            (ctinfo == IP_CT_RELATED ||
-             ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
+             ctinfo == IP_CT_RELATED_REPLY))
                return XT_CONTINUE;
        /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
@@ -321,12 +321,12 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
                        ct->mark = hash;
                        break;
                case IP_CT_RELATED:
-                case IP_CT_RELATED+IP_CT_IS_REPLY:
+                case IP_CT_RELATED_REPLY:
                        /* FIXME: we don't handle expectations at the
                         * moment.  they can arrive on a different node than
                         * the master connection (e.g. FTP passive mode) */
                case IP_CT_ESTABLISHED:
-                case IP_CT_ESTABLISHED+IP_CT_IS_REPLY:
+                case IP_CT_ESTABLISHED_REPLY:
                        break;
                default:
                        break;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index d2ed9dc74ebc..9931152a78b5 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -60,7 +60,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
        nat = nfct_nat(ct);
        NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-                            ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
+                            ctinfo == IP_CT_RELATED_REPLY));
        /* Source address is 0.0.0.0 - locally generated packet that is
         * probably not supposed to be masqueraded.
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 1ff79e557f96..51f13f8ec724 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -40,7 +40,6 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        struct iphdr *niph;
        const struct tcphdr *oth;
        struct tcphdr _otcph, *tcph;
-        unsigned int addr_type;
        /* IP header checks: fragment. */
        if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
@@ -55,6 +54,9 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        if (oth->rst)
                return;
+        if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
+                return;
        /* Check checksum */
        if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
                return;
@@ -101,19 +103,11 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        nskb->csum_start = (unsigned char *)tcph - nskb->head;
        nskb->csum_offset = offsetof(struct tcphdr, check);
-        addr_type = RTN_UNSPEC;
-        if (hook != NF_INET_FORWARD
-#ifdef CONFIG_BRIDGE_NETFILTER
-            || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
-#endif
-           )
-                addr_type = RTN_LOCAL;
        /* ip_route_me_harder expects skb->dst to be set */
        skb_dst_set_noref(nskb, skb_dst(oldskb));
        nskb->protocol = htons(ETH_P_IP);
-        if (ip_route_me_harder(nskb, addr_type))
+        if (ip_route_me_harder(nskb, RTN_UNSPEC))
                goto free_nskb;
        niph->ttl       = ip4_dst_hoplimit(skb_dst(nskb));
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index af6e9c778345..2b57e52c746c 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -25,7 +25,8 @@ MODULE_LICENSE("GPL");
 static inline bool match_ip(const struct sk_buff *skb,
                            const struct ipt_ecn_info *einfo)
 {
-        return (ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect;
+        return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
+               !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
 }
 static inline bool match_tcp(const struct sk_buff *skb,
@@ -76,8 +77,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
                        return false;
        if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
-                if (ip_hdr(skb)->protocol != IPPROTO_TCP)
-                        return false;
                if (!match_tcp(skb, info, &par->hotdrop))
                        return false;
        }
@@ -97,7 +96,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
                return -EINVAL;
        if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
-            ip->proto != IPPROTO_TCP) {
+            (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
                pr_info("cannot match TCP bits in rule for non-tcp packets\n");
                return -EINVAL;
        }
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 5a03c02af999..de9da21113a1 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -101,7 +101,7 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
        /* This is where we call the helper: as the packet goes out. */
        ct = nf_ct_get(skb, &ctinfo);
-        if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)
+        if (!ct || ctinfo == IP_CT_RELATED_REPLY)
                goto out;
        help = nfct_help(ct);
@@ -121,7 +121,9 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
                return ret;
        }
-        if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)) {
+        /* adjust seqs for loopback traffic only in outgoing direction */
+        if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
+            !nf_is_loopback_packet(skb)) {
                typeof(nf_nat_seq_adjust_hook) seq_adjust;
                seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 7404bde95994..ab5b27a2916f 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -160,7 +160,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
        /* Update skb to refer to this connection */
        skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
        skb->nfctinfo = *ctinfo;
-        return -NF_ACCEPT;
+        return NF_ACCEPT;
 }
 /* Small and modified version of icmp_rcv */
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 9c71b2755ce3..3346de5d94d0 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -433,7 +433,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
        /* Must be RELATED */
        NF_CT_ASSERT(skb->nfctinfo == IP_CT_RELATED ||
-                     skb->nfctinfo == IP_CT_RELATED+IP_CT_IS_REPLY);
+                     skb->nfctinfo == IP_CT_RELATED_REPLY);
        /* Redirects on non-null nats must be dropped, else they'll
           start talking to each other without our translation, and be
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 31427fb57aa8..ebc5f8894f99 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -153,14 +153,14 @@ void nf_nat_set_seq_adjust(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
 }
 EXPORT_SYMBOL_GPL(nf_nat_set_seq_adjust);
-static void nf_nat_csum(struct sk_buff *skb, struct iphdr *iph, void *data,
+static void nf_nat_csum(struct sk_buff *skb, const struct iphdr *iph, void *data,
                        int datalen, __sum16 *check, int oldlen)
 {
        struct rtable *rt = skb_rtable(skb);
        if (skb->ip_summed != CHECKSUM_PARTIAL) {
                if (!(rt->rt_flags & RTCF_LOCAL) &&
-                    skb->dev->features & NETIF_F_V4_CSUM) {
+                    (!skb->dev || skb->dev->features & NETIF_F_V4_CSUM)) {
                        skb->ip_summed = CHECKSUM_PARTIAL;
                        skb->csum_start = skb_headroom(skb) +
                                          skb_network_offset(skb) +
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 21c30426480b..733c9abc1cbd 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -53,7 +53,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
        /* Connection must be valid and new. */
        NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-                            ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
+                            ctinfo == IP_CT_RELATED_REPLY));
        NF_CT_ASSERT(par->out != NULL);
        return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 7317bdf1d457..483b76d042da 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -116,7 +116,7 @@ nf_nat_fn(unsigned int hooknum,
        switch (ctinfo) {
        case IP_CT_RELATED:
-        case IP_CT_RELATED+IP_CT_IS_REPLY:
+        case IP_CT_RELATED_REPLY:
                if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
                        if (!nf_nat_icmp_reply_translation(ct, ctinfo,
                                                           hooknum, skb))
@@ -144,7 +144,7 @@ nf_nat_fn(unsigned int hooknum,
        default:
                /* ESTABLISHED */
                NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
-                             ctinfo == (IP_CT_ESTABLISHED+IP_CT_IS_REPLY));
+                             ctinfo == IP_CT_ESTABLISHED_REPLY);
        }
        return nf_nat_packet(ct, ctinfo, hooknum, skb);
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
new file mode 100644
index 000000000000..39b403f854c6
--- /dev/null
+++ b/net/ipv4/ping.c
@@ -0,0 +1,931 @@
+/*
+ * INET         An implementation of the TCP/IP protocol suite for the LINUX
+ *              operating system.  INET is implemented using the  BSD Socket
+ *              interface as the means of communication with the user level.
+ *
+ *              "Ping" sockets
+ *
+ *              This program is free software; you can redistribute it and/or
+ *              modify it under the terms of the GNU General Public License
+ *              as published by the Free Software Foundation; either version
+ *              2 of the License, or (at your option) any later version.
+ *
+ * Based on ipv4/udp.c code.
+ *
+ * Authors:     Vasiliy Kulikov / Openwall (for Linux 2.6),
+ *              Pavel Kankovsky (for Linux 2.4.32)
+ *
+ * Pavel gave all rights to bugs to Vasiliy,
+ * none of the bugs are Pavel's now.
+ *
+ */
+#include <asm/system.h>
+#include <linux/uaccess.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <linux/socket.h>
+#include <linux/sockios.h>
+#include <linux/in.h>
+#include <linux/errno.h>
+#include <linux/timer.h>
+#include <linux/mm.h>
+#include <linux/inet.h>
+#include <linux/netdevice.h>
+#include <net/snmp.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/icmp.h>
+#include <net/protocol.h>
+#include <linux/skbuff.h>
+#include <linux/proc_fs.h>
+#include <net/sock.h>
+#include <net/ping.h>
+#include <net/udp.h>
+#include <net/route.h>
+#include <net/inet_common.h>
+#include <net/checksum.h>
+static struct ping_table ping_table;
+static u16 ping_port_rover;
+static inline int ping_hashfn(struct net *net, unsigned num, unsigned mask)
+{
+        int res = (num + net_hash_mix(net)) & mask;
+        pr_debug("hash(%d) = %d\n", num, res);
+        return res;
+}
+static inline struct hlist_nulls_head *ping_hashslot(struct ping_table *table,
+                                             struct net *net, unsigned num)
+{
+        return &table->hash[ping_hashfn(net, num, PING_HTABLE_MASK)];
+}
+static int ping_v4_get_port(struct sock *sk, unsigned short ident)
+{
+        struct hlist_nulls_node *node;
+        struct hlist_nulls_head *hlist;
+        struct inet_sock *isk, *isk2;
+        struct sock *sk2 = NULL;
+        isk = inet_sk(sk);
+        write_lock_bh(&ping_table.lock);
+        if (ident == 0) {
+                u32 i;
+                u16 result = ping_port_rover + 1;
+                for (i = 0; i < (1L << 16); i++, result++) {
+                        if (!result)
+                                result++; /* avoid zero */
+                        hlist = ping_hashslot(&ping_table, sock_net(sk),
+                                            result);
+                        ping_portaddr_for_each_entry(sk2, node, hlist) {
+                                isk2 = inet_sk(sk2);
+                                if (isk2->inet_num == result)
+                                        goto next_port;
+                        }
+                        /* found */
+                        ping_port_rover = ident = result;
+                        break;
+next_port:
+                        ;
+                }
+                if (i >= (1L << 16))
+                        goto fail;
+        } else {
+                hlist = ping_hashslot(&ping_table, sock_net(sk), ident);
+                ping_portaddr_for_each_entry(sk2, node, hlist) {
+                        isk2 = inet_sk(sk2);
+                        if ((isk2->inet_num == ident) &&
+                            (sk2 != sk) &&
+                            (!sk2->sk_reuse || !sk->sk_reuse))
+                                goto fail;
+                }
+        }
+        pr_debug("found port/ident = %d\n", ident);
+        isk->inet_num = ident;
+        if (sk_unhashed(sk)) {
+                pr_debug("was not hashed\n");
+                sock_hold(sk);
+                hlist_nulls_add_head(&sk->sk_nulls_node, hlist);
+                sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+        }
+        write_unlock_bh(&ping_table.lock);
+        return 0;
+fail:
+        write_unlock_bh(&ping_table.lock);
+        return 1;
+}
+static void ping_v4_hash(struct sock *sk)
+{
+        pr_debug("ping_v4_hash(sk->port=%u)\n", inet_sk(sk)->inet_num);
+        BUG(); /* "Please do not press this button again." */
+}
+static void ping_v4_unhash(struct sock *sk)
+{
+        struct inet_sock *isk = inet_sk(sk);
+        pr_debug("ping_v4_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
+        if (sk_hashed(sk)) {
+                write_lock_bh(&ping_table.lock);
+                hlist_nulls_del(&sk->sk_nulls_node);
+                sock_put(sk);
+                isk->inet_num = isk->inet_sport = 0;
+                sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+                write_unlock_bh(&ping_table.lock);
+        }
+}
+static struct sock *ping_v4_lookup(struct net *net, u32 saddr, u32 daddr,
+                                   u16 ident, int dif)
+{
+        struct hlist_nulls_head *hslot = ping_hashslot(&ping_table, net, ident);
+        struct sock *sk = NULL;
+        struct inet_sock *isk;
+        struct hlist_nulls_node *hnode;
+        pr_debug("try to find: num = %d, daddr = %ld, dif = %d\n",
+                         (int)ident, (unsigned long)daddr, dif);
+        read_lock_bh(&ping_table.lock);
+        ping_portaddr_for_each_entry(sk, hnode, hslot) {
+                isk = inet_sk(sk);
+                pr_debug("found: %p: num = %d, daddr = %ld, dif = %d\n", sk,
+                         (int)isk->inet_num, (unsigned long)isk->inet_rcv_saddr,
+                         sk->sk_bound_dev_if);
+                pr_debug("iterate\n");
+                if (isk->inet_num != ident)
+                        continue;
+                if (isk->inet_rcv_saddr && isk->inet_rcv_saddr != daddr)
+                        continue;
+                if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif)
+                        continue;
+                sock_hold(sk);
+                goto exit;
+        }
+        sk = NULL;
+exit:
+        read_unlock_bh(&ping_table.lock);
+        return sk;
+}
+static void inet_get_ping_group_range_net(struct net *net, gid_t *low,
+                                          gid_t *high)
+{
+        gid_t *data = net->ipv4.sysctl_ping_group_range;
+        unsigned seq;
+        do {
+                seq = read_seqbegin(&sysctl_local_ports.lock);
+                *low = data[0];
+                *high = data[1];
+        } while (read_seqretry(&sysctl_local_ports.lock, seq));
+}
+static int ping_init_sock(struct sock *sk)
+{
+        struct net *net = sock_net(sk);
+        gid_t group = current_egid();
+        gid_t range[2];
+        struct group_info *group_info = get_current_groups();
+        int i, j, count = group_info->ngroups;
+        inet_get_ping_group_range_net(net, range, range+1);
+        if (range[0] <= group && group <= range[1])
+                return 0;
+        for (i = 0; i < group_info->nblocks; i++) {
+                int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
+                for (j = 0; j < cp_count; j++) {
+                        group = group_info->blocks[i][j];
+                        if (range[0] <= group && group <= range[1])
+                                return 0;
+                }
+                count -= cp_count;
+        }
+        return -EACCES;
+}
+static void ping_close(struct sock *sk, long timeout)
+{
+        pr_debug("ping_close(sk=%p,sk->num=%u)\n",
+                inet_sk(sk), inet_sk(sk)->inet_num);
+        pr_debug("isk->refcnt = %d\n", sk->sk_refcnt.counter);
+        sk_common_release(sk);
+}
+/*
+ * We need our own bind because there are no privileged id's == local ports.
+ * Moreover, we don't allow binding to multi- and broadcast addresses.
+ */
+static int ping_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+{
+        struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;
+        struct inet_sock *isk = inet_sk(sk);
+        unsigned short snum;
+        int chk_addr_ret;
+        int err;
+        if (addr_len < sizeof(struct sockaddr_in))
+                return -EINVAL;
+        pr_debug("ping_v4_bind(sk=%p,sa_addr=%08x,sa_port=%d)\n",
+                sk, addr->sin_addr.s_addr, ntohs(addr->sin_port));
+        chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
+        if (addr->sin_addr.s_addr == INADDR_ANY)
+                chk_addr_ret = RTN_LOCAL;
+        if ((sysctl_ip_nonlocal_bind == 0 &&
+            isk->freebind == 0 && isk->transparent == 0 &&
+             chk_addr_ret != RTN_LOCAL) ||
+            chk_addr_ret == RTN_MULTICAST ||
+            chk_addr_ret == RTN_BROADCAST)
+                return -EADDRNOTAVAIL;
+        lock_sock(sk);
+        err = -EINVAL;
+        if (isk->inet_num != 0)
+                goto out;
+        err = -EADDRINUSE;
+        isk->inet_rcv_saddr = isk->inet_saddr = addr->sin_addr.s_addr;
+        snum = ntohs(addr->sin_port);
+        if (ping_v4_get_port(sk, snum) != 0) {
+                isk->inet_saddr = isk->inet_rcv_saddr = 0;
+                goto out;
+        }
+        pr_debug("after bind(): num = %d, daddr = %ld, dif = %d\n",
+                (int)isk->inet_num,
+                (unsigned long) isk->inet_rcv_saddr,
+                (int)sk->sk_bound_dev_if);
+        err = 0;
+        if (isk->inet_rcv_saddr)
+                sk->sk_userlocks |= SOCK_BINDADDR_LOCK;
+        if (snum)
+                sk->sk_userlocks |= SOCK_BINDPORT_LOCK;
+        isk->inet_sport = htons(isk->inet_num);
+        isk->inet_daddr = 0;
+        isk->inet_dport = 0;
+        sk_dst_reset(sk);
+out:
+        release_sock(sk);
+        pr_debug("ping_v4_bind -> %d\n", err);
+        return err;
+}
+/*
+ * Is this a supported type of ICMP message?
+ */
+static inline int ping_supported(int type, int code)
+{
+        if (type == ICMP_ECHO && code == 0)
+                return 1;
+        return 0;
+}
+/*
+ * This routine is called by the ICMP module when it gets some
+ * sort of error condition.
+ */
+static int ping_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
+void ping_err(struct sk_buff *skb, u32 info)
+{
+        struct iphdr *iph = (struct iphdr *)skb->data;
+        struct icmphdr *icmph = (struct icmphdr *)(skb->data+(iph->ihl<<2));
+        struct inet_sock *inet_sock;
+        int type = icmph->type;
+        int code = icmph->code;
+        struct net *net = dev_net(skb->dev);
+        struct sock *sk;
+        int harderr;
+        int err;
+        /* We assume the packet has already been checked by icmp_unreach */
+        if (!ping_supported(icmph->type, icmph->code))
+                return;
+        pr_debug("ping_err(type=%04x,code=%04x,id=%04x,seq=%04x)\n", type,
+                code, ntohs(icmph->un.echo.id), ntohs(icmph->un.echo.sequence));
+        sk = ping_v4_lookup(net, iph->daddr, iph->saddr,
+                            ntohs(icmph->un.echo.id), skb->dev->ifindex);
+        if (sk == NULL) {
+                ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
+                pr_debug("no socket, dropping\n");
+                return; /* No socket for error */
+        }
+        pr_debug("err on socket %p\n", sk);
+        err = 0;
+        harderr = 0;
+        inet_sock = inet_sk(sk);
+        switch (type) {
+        default:
+        case ICMP_TIME_EXCEEDED:
+                err = EHOSTUNREACH;
+                break;
+        case ICMP_SOURCE_QUENCH:
+                /* This is not a real error but ping wants to see it.
+                 * Report it with some fake errno. */
+                err = EREMOTEIO;
+                break;
+        case ICMP_PARAMETERPROB:
+                err = EPROTO;
+                harderr = 1;
+                break;
+        case ICMP_DEST_UNREACH:
+                if (code == ICMP_FRAG_NEEDED) { /* Path MTU discovery */
+                        if (inet_sock->pmtudisc != IP_PMTUDISC_DONT) {
+                                err = EMSGSIZE;
+                                harderr = 1;
+                                break;
+                        }
+                        goto out;
+                }
+                err = EHOSTUNREACH;
+                if (code <= NR_ICMP_UNREACH) {
+                        harderr = icmp_err_convert[code].fatal;
+                        err = icmp_err_convert[code].errno;
+                }
+                break;
+        case ICMP_REDIRECT:
+                /* See ICMP_SOURCE_QUENCH */
+                err = EREMOTEIO;
+                break;
+        }
+        /*
+         *      RFC1122: OK.  Passes ICMP errors back to application, as per
+         *      4.1.3.3.
+         */
+        if (!inet_sock->recverr) {
+                if (!harderr || sk->sk_state != TCP_ESTABLISHED)
+                        goto out;
+        } else {
+                ip_icmp_error(sk, skb, err, 0 /* no remote port */,
+                         info, (u8 *)icmph);
+        }
+        sk->sk_err = err;
+        sk->sk_error_report(sk);
+out:
+        sock_put(sk);
+}
+/*
+ *      Copy and checksum an ICMP Echo packet from user space into a buffer.
+ */
+struct pingfakehdr {
+        struct icmphdr icmph;
+        struct iovec *iov;
+        u32 wcheck;
+};
+static int ping_getfrag(void *from, char * to,
+                        int offset, int fraglen, int odd, struct sk_buff *skb)
+{
+        struct pingfakehdr *pfh = (struct pingfakehdr *)from;
+        if (offset == 0) {
+                if (fraglen < sizeof(struct icmphdr))
+                        BUG();
+                if (csum_partial_copy_fromiovecend(to + sizeof(struct icmphdr),
+                            pfh->iov, 0, fraglen - sizeof(struct icmphdr),
+                            &pfh->wcheck))
+                        return -EFAULT;
+                return 0;
+        }
+        if (offset < sizeof(struct icmphdr))
+                BUG();
+        if (csum_partial_copy_fromiovecend
+                        (to, pfh->iov, offset - sizeof(struct icmphdr),
+                         fraglen, &pfh->wcheck))
+                return -EFAULT;
+        return 0;
+}
+static int ping_push_pending_frames(struct sock *sk, struct pingfakehdr *pfh,
+                                    struct flowi4 *fl4)
+{
+        struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
+        pfh->wcheck = csum_partial((char *)&pfh->icmph,
+                sizeof(struct icmphdr), pfh->wcheck);
+        pfh->icmph.checksum = csum_fold(pfh->wcheck);
+        memcpy(icmp_hdr(skb), &pfh->icmph, sizeof(struct icmphdr));
+        skb->ip_summed = CHECKSUM_NONE;
+        return ip_push_pending_frames(sk, fl4);
+}
+static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+                        size_t len)
+{
+        struct net *net = sock_net(sk);
+        struct flowi4 fl4;
+        struct inet_sock *inet = inet_sk(sk);
+        struct ipcm_cookie ipc;
+        struct icmphdr user_icmph;
+        struct pingfakehdr pfh;
+        struct rtable *rt = NULL;
+        struct ip_options_data opt_copy;
+        int free = 0;
+        u32 saddr, daddr, faddr;
+        u8  tos;
+        int err;
+        pr_debug("ping_sendmsg(sk=%p,sk->num=%u)\n", inet, inet->inet_num);
+        if (len > 0xFFFF)
+                return -EMSGSIZE;
+        /*
+         *      Check the flags.
+         */
+        /* Mirror BSD error message compatibility */
+        if (msg->msg_flags & MSG_OOB)
+                return -EOPNOTSUPP;
+        /*
+         *      Fetch the ICMP header provided by the userland.
+         *      iovec is modified!
+         */
+        if (memcpy_fromiovec((u8 *)&user_icmph, msg->msg_iov,
+                             sizeof(struct icmphdr)))
+                return -EFAULT;
+        if (!ping_supported(user_icmph.type, user_icmph.code))
+                return -EINVAL;
+        /*
+         *      Get and verify the address.
+         */
+        if (msg->msg_name) {
+                struct sockaddr_in *usin = (struct sockaddr_in *)msg->msg_name;
+                if (msg->msg_namelen < sizeof(*usin))
+                        return -EINVAL;
+                if (usin->sin_family != AF_INET)
+                        return -EINVAL;
+                daddr = usin->sin_addr.s_addr;
+                /* no remote port */
+        } else {
+                if (sk->sk_state != TCP_ESTABLISHED)
+                        return -EDESTADDRREQ;
+                daddr = inet->inet_daddr;
+                /* no remote port */
+        }
+        ipc.addr = inet->inet_saddr;
+        ipc.opt = NULL;
+        ipc.oif = sk->sk_bound_dev_if;
+        ipc.tx_flags = 0;
+        err = sock_tx_timestamp(sk, &ipc.tx_flags);
+        if (err)
+                return err;
+        if (msg->msg_controllen) {
+                err = ip_cmsg_send(sock_net(sk), msg, &ipc);
+                if (err)
+                        return err;
+                if (ipc.opt)
+                        free = 1;
+        }
+        if (!ipc.opt) {
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
+                if (inet_opt) {
+                        memcpy(&opt_copy, inet_opt,
+                               sizeof(*inet_opt) + inet_opt->opt.optlen);
+                        ipc.opt = &opt_copy.opt;
+                }
+                rcu_read_unlock();
+        }
+        saddr = ipc.addr;
+        ipc.addr = faddr = daddr;
+        if (ipc.opt && ipc.opt->opt.srr) {
+                if (!daddr)
+                        return -EINVAL;
+                faddr = ipc.opt->opt.faddr;
+        }
+        tos = RT_TOS(inet->tos);
+        if (sock_flag(sk, SOCK_LOCALROUTE) ||
+            (msg->msg_flags & MSG_DONTROUTE) ||
+            (ipc.opt && ipc.opt->opt.is_strictroute)) {
+                tos |= RTO_ONLINK;
+        }
+        if (ipv4_is_multicast(daddr)) {
+                if (!ipc.oif)
+                        ipc.oif = inet->mc_index;
+                if (!saddr)
+                        saddr = inet->mc_addr;
+        }
+        flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+                           RT_SCOPE_UNIVERSE, sk->sk_protocol,
+                           inet_sk_flowi_flags(sk), faddr, saddr, 0, 0);
+        security_sk_classify_flow(sk, flowi4_to_flowi(&fl4));
+        rt = ip_route_output_flow(net, &fl4, sk);
+        if (IS_ERR(rt)) {
+                err = PTR_ERR(rt);
+                rt = NULL;
+                if (err == -ENETUNREACH)
+                        IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
+                goto out;
+        }
+        err = -EACCES;
+        if ((rt->rt_flags & RTCF_BROADCAST) &&
+            !sock_flag(sk, SOCK_BROADCAST))
+                goto out;
+        if (msg->msg_flags & MSG_CONFIRM)
+                goto do_confirm;
+back_from_confirm:
+        if (!ipc.addr)
+                ipc.addr = fl4.daddr;
+        lock_sock(sk);
+        pfh.icmph.type = user_icmph.type; /* already checked */
+        pfh.icmph.code = user_icmph.code; /* ditto */
+        pfh.icmph.checksum = 0;
+        pfh.icmph.un.echo.id = inet->inet_sport;
+        pfh.icmph.un.echo.sequence = user_icmph.un.echo.sequence;
+        pfh.iov = msg->msg_iov;
+        pfh.wcheck = 0;
+        err = ip_append_data(sk, &fl4, ping_getfrag, &pfh, len,
+                        0, &ipc, &rt, msg->msg_flags);
+        if (err)
+                ip_flush_pending_frames(sk);
+        else
+                err = ping_push_pending_frames(sk, &pfh, &fl4);
+        release_sock(sk);
+out:
+        ip_rt_put(rt);
+        if (free)
+                kfree(ipc.opt);
+        if (!err) {
+                icmp_out_count(sock_net(sk), user_icmph.type);
+                return len;
+        }
+        return err;
+do_confirm:
+        dst_confirm(&rt->dst);
+        if (!(msg->msg_flags & MSG_PROBE) || len)
+                goto back_from_confirm;
+        err = 0;
+        goto out;
+}
+static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+                        size_t len, int noblock, int flags, int *addr_len)
+{
+        struct inet_sock *isk = inet_sk(sk);
+        struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
+        struct sk_buff *skb;
+        int copied, err;
+        pr_debug("ping_recvmsg(sk=%p,sk->num=%u)\n", isk, isk->inet_num);
+        if (flags & MSG_OOB)
+                goto out;
+        if (addr_len)
+                *addr_len = sizeof(*sin);
+        if (flags & MSG_ERRQUEUE)
+                return ip_recv_error(sk, msg, len);
+        skb = skb_recv_datagram(sk, flags, noblock, &err);
+        if (!skb)
+                goto out;
+        copied = skb->len;
+        if (copied > len) {
+                msg->msg_flags |= MSG_TRUNC;
+                copied = len;
+        }
+        /* Don't bother checking the checksum */
+        err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+        if (err)
+                goto done;
+        sock_recv_timestamp(msg, sk, skb);
+        /* Copy the address. */
+        if (sin) {
+                sin->sin_family = AF_INET;
+                sin->sin_port = 0 /* skb->h.uh->source */;
+                sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+                memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+        }
+        if (isk->cmsg_flags)
+                ip_cmsg_recv(msg, skb);
+        err = copied;
+done:
+        skb_free_datagram(sk, skb);
+out:
+        pr_debug("ping_recvmsg -> %d\n", err);
+        return err;
+}
+static int ping_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+{
+        pr_debug("ping_queue_rcv_skb(sk=%p,sk->num=%d,skb=%p)\n",
+                inet_sk(sk), inet_sk(sk)->inet_num, skb);
+        if (sock_queue_rcv_skb(sk, skb) < 0) {
+                ICMP_INC_STATS_BH(sock_net(sk), ICMP_MIB_INERRORS);
+                kfree_skb(skb);
+                pr_debug("ping_queue_rcv_skb -> failed\n");
+                return -1;
+        }
+        return 0;
+}
+/*
+ *      All we need to do is get the socket.
+ */
+void ping_rcv(struct sk_buff *skb)
+{
+        struct sock *sk;
+        struct net *net = dev_net(skb->dev);
+        struct iphdr *iph = ip_hdr(skb);
+        struct icmphdr *icmph = icmp_hdr(skb);
+        u32 saddr = iph->saddr;
+        u32 daddr = iph->daddr;
+        /* We assume the packet has already been checked by icmp_rcv */
+        pr_debug("ping_rcv(skb=%p,id=%04x,seq=%04x)\n",
+                skb, ntohs(icmph->un.echo.id), ntohs(icmph->un.echo.sequence));
+        /* Push ICMP header back */
+        skb_push(skb, skb->data - (u8 *)icmph);
+        sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id),
+                            skb->dev->ifindex);
+        if (sk != NULL) {
+                pr_debug("rcv on socket %p\n", sk);
+                ping_queue_rcv_skb(sk, skb_get(skb));
+                sock_put(sk);
+                return;
+        }
+        pr_debug("no socket, dropping\n");
+        /* We're called from icmp_rcv(). kfree_skb() is done there. */
+}
+struct proto ping_prot = {
+        .name =         "PING",
+        .owner =        THIS_MODULE,
+        .init =         ping_init_sock,
+        .close =        ping_close,
+        .connect =      ip4_datagram_connect,
+        .disconnect =   udp_disconnect,
+        .setsockopt =   ip_setsockopt,
+        .getsockopt =   ip_getsockopt,
+        .sendmsg =      ping_sendmsg,
+        .recvmsg =      ping_recvmsg,
+        .bind =         ping_bind,
+        .backlog_rcv =  ping_queue_rcv_skb,
+        .hash =         ping_v4_hash,
+        .unhash =       ping_v4_unhash,
+        .get_port =     ping_v4_get_port,
+        .obj_size =     sizeof(struct inet_sock),
+};
+EXPORT_SYMBOL(ping_prot);
+#ifdef CONFIG_PROC_FS
+static struct sock *ping_get_first(struct seq_file *seq, int start)
+{
+        struct sock *sk;
+        struct ping_iter_state *state = seq->private;
+        struct net *net = seq_file_net(seq);
+        for (state->bucket = start; state->bucket < PING_HTABLE_SIZE;
+             ++state->bucket) {
+                struct hlist_nulls_node *node;
+                struct hlist_nulls_head *hslot;
+                hslot = &ping_table.hash[state->bucket];
+                if (hlist_nulls_empty(hslot))
+                        continue;
+                sk_nulls_for_each(sk, node, hslot) {
+                        if (net_eq(sock_net(sk), net))
+                                goto found;
+                }
+        }
+        sk = NULL;
+found:
+        return sk;
+}
+static struct sock *ping_get_next(struct seq_file *seq, struct sock *sk)
+{
+        struct ping_iter_state *state = seq->private;
+        struct net *net = seq_file_net(seq);
+        do {
+                sk = sk_nulls_next(sk);
+        } while (sk && (!net_eq(sock_net(sk), net)));
+        if (!sk)
+                return ping_get_first(seq, state->bucket + 1);
+        return sk;
+}
+static struct sock *ping_get_idx(struct seq_file *seq, loff_t pos)
+{
+        struct sock *sk = ping_get_first(seq, 0);
+        if (sk)
+                while (pos && (sk = ping_get_next(seq, sk)) != NULL)
+                        --pos;
+        return pos ? NULL : sk;
+}
+static void *ping_seq_start(struct seq_file *seq, loff_t *pos)
+{
+        struct ping_iter_state *state = seq->private;
+        state->bucket = 0;
+        read_lock_bh(&ping_table.lock);
+        return *pos ? ping_get_idx(seq, *pos-1) : SEQ_START_TOKEN;
+}
+static void *ping_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+{
+        struct sock *sk;
+        if (v == SEQ_START_TOKEN)
+                sk = ping_get_idx(seq, 0);
+        else
+                sk = ping_get_next(seq, v);
+        ++*pos;
+        return sk;
+}
+static void ping_seq_stop(struct seq_file *seq, void *v)
+{
+        read_unlock_bh(&ping_table.lock);
+}
+static void ping_format_sock(struct sock *sp, struct seq_file *f,
+                int bucket, int *len)
+{
+        struct inet_sock *inet = inet_sk(sp);
+        __be32 dest = inet->inet_daddr;
+        __be32 src = inet->inet_rcv_saddr;
+        __u16 destp = ntohs(inet->inet_dport);
+        __u16 srcp = ntohs(inet->inet_sport);
+        seq_printf(f, "%5d: %08X:%04X %08X:%04X"
+                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d%n",
+                bucket, src, srcp, dest, destp, sp->sk_state,
+                sk_wmem_alloc_get(sp),
+                sk_rmem_alloc_get(sp),
+                0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
+                atomic_read(&sp->sk_refcnt), sp,
+                atomic_read(&sp->sk_drops), len);
+}
+static int ping_seq_show(struct seq_file *seq, void *v)
+{
+        if (v == SEQ_START_TOKEN)
+                seq_printf(seq, "%-127s\n",
+                           "  sl  local_address rem_address   st tx_queue "
+                           "rx_queue tr tm->when retrnsmt   uid  timeout "
+                           "inode ref pointer drops");
+        else {
+                struct ping_iter_state *state = seq->private;
+                int len;
+                ping_format_sock(v, seq, state->bucket, &len);
+                seq_printf(seq, "%*s\n", 127 - len, "");
+        }
+        return 0;
+}
+static const struct seq_operations ping_seq_ops = {
+        .show           = ping_seq_show,
+        .start          = ping_seq_start,
+        .next           = ping_seq_next,
+        .stop           = ping_seq_stop,
+};
+static int ping_seq_open(struct inode *inode, struct file *file)
+{
+        return seq_open_net(inode, file, &ping_seq_ops,
+                           sizeof(struct ping_iter_state));
+}
+static const struct file_operations ping_seq_fops = {
+        .open           = ping_seq_open,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = seq_release_net,
+};
+static int ping_proc_register(struct net *net)
+{
+        struct proc_dir_entry *p;
+        int rc = 0;
+        p = proc_net_fops_create(net, "icmp", S_IRUGO, &ping_seq_fops);
+        if (!p)
+                rc = -ENOMEM;
+        return rc;
+}
+static void ping_proc_unregister(struct net *net)
+{
+        proc_net_remove(net, "icmp");
+}
+static int __net_init ping_proc_init_net(struct net *net)
+{
+        return ping_proc_register(net);
+}
+static void __net_exit ping_proc_exit_net(struct net *net)
+{
+        ping_proc_unregister(net);
+}
+static struct pernet_operations ping_net_ops = {
+        .init = ping_proc_init_net,
+        .exit = ping_proc_exit_net,
+};
+int __init ping_proc_init(void)
+{
+        return register_pernet_subsys(&ping_net_ops);
+}
+void ping_proc_exit(void)
+{
+        unregister_pernet_subsys(&ping_net_ops);
+}
+#endif
+void __init ping_init(void)
+{
+        int i;
+        for (i = 0; i < PING_HTABLE_SIZE; i++)
+                INIT_HLIST_NULLS_HEAD(&ping_table.hash[i], i);
+        rwlock_init(&ping_table.lock);
+}
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index bceaec42c37d..c9893d43242e 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -154,7 +154,7 @@ static __inline__ int icmp_filter(struct sock *sk, struct sk_buff *skb)
 * RFC 1122: SHOULD pass TOS value up to the transport layer.
 * -> It does. And not only TOS, but all IP header.
 */
-static int raw_v4_input(struct sk_buff *skb, struct iphdr *iph, int hash)
+static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash)
 {
        struct sock *sk;
        struct hlist_head *head;
@@ -247,7 +247,7 @@ static void raw_err(struct sock *sk, struct sk_buff *skb, u32 info)
        }
        if (inet->recverr) {
-                struct iphdr *iph = (struct iphdr *)skb->data;
+                const struct iphdr *iph = (const struct iphdr *)skb->data;
                u8 *payload = skb->data + (iph->ihl << 2);
                if (inet->hdrincl)
@@ -265,7 +265,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info)
 {
        int hash;
        struct sock *raw_sk;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct net *net;
        hash = protocol & (RAW_HTABLE_SIZE - 1);
@@ -273,7 +273,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info)
        read_lock(&raw_v4_hashinfo.lock);
        raw_sk = sk_head(&raw_v4_hashinfo.ht[hash]);
        if (raw_sk != NULL) {
-                iph = (struct iphdr *)skb->data;
+                iph = (const struct iphdr *)skb->data;
                net = dev_net(skb->dev);
                while ((raw_sk = __raw_v4_lookup(net, raw_sk, protocol,
@@ -281,7 +281,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info)
                                                skb->dev->ifindex)) != NULL) {
                        raw_err(raw_sk, skb, info);
                        raw_sk = sk_next(raw_sk);
-                        iph = (struct iphdr *)skb->data;
+                        iph = (const struct iphdr *)skb->data;
                }
        }
        read_unlock(&raw_v4_hashinfo.lock);
@@ -314,9 +314,10 @@ int raw_rcv(struct sock *sk, struct sk_buff *skb)
        return 0;
 }
-static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
+static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
-                        struct rtable **rtp,
+                           void *from, size_t length,
-                        unsigned int flags)
+                           struct rtable **rtp,
+                           unsigned int flags)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct net *net = sock_net(sk);
@@ -327,7 +328,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
        struct rtable *rt = *rtp;
        if (length > rt->dst.dev->mtu) {
-                ip_local_error(sk, EMSGSIZE, rt->rt_dst, inet->inet_dport,
+                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
                               rt->dst.dev->mtu);
                return -EMSGSIZE;
        }
@@ -372,7 +373,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
        if (iphlen >= sizeof(*iph)) {
                if (!iph->saddr)
-                        iph->saddr = rt->rt_src;
+                        iph->saddr = fl4->saddr;
                iph->check   = 0;
                iph->tot_len = htons(length);
                if (!iph->id)
@@ -455,11 +456,13 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        struct inet_sock *inet = inet_sk(sk);
        struct ipcm_cookie ipc;
        struct rtable *rt = NULL;
+        struct flowi4 fl4;
        int free = 0;
        __be32 daddr;
        __be32 saddr;
        u8  tos;
        int err;
+        struct ip_options_data opt_copy;
        err = -EMSGSIZE;
        if (len > 0xFFFF)
@@ -520,8 +523,18 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        saddr = ipc.addr;
        ipc.addr = daddr;
-        if (!ipc.opt)
+        if (!ipc.opt) {
-                ipc.opt = inet->opt;
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
+                if (inet_opt) {
+                        memcpy(&opt_copy, inet_opt,
+                               sizeof(*inet_opt) + inet_opt->opt.optlen);
+                        ipc.opt = &opt_copy.opt;
+                }
+                rcu_read_unlock();
+        }
        if (ipc.opt) {
                err = -EINVAL;
@@ -530,10 +543,10 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                 */
                if (inet->hdrincl)
                        goto done;
-                if (ipc.opt->srr) {
+                if (ipc.opt->opt.srr) {
                        if (!daddr)
                                goto done;
-                        daddr = ipc.opt->faddr;
+                        daddr = ipc.opt->opt.faddr;
                }
        }
        tos = RT_CONN_FLAGS(sk);
@@ -547,31 +560,23 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                        saddr = inet->mc_addr;
        }
-        {
+        flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
-                struct flowi4 fl4 = {
+                           RT_SCOPE_UNIVERSE,
-                        .flowi4_oif = ipc.oif,
+                           inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-                        .flowi4_mark = sk->sk_mark,
+                           FLOWI_FLAG_CAN_SLEEP, daddr, saddr, 0, 0);
-                        .daddr = daddr,
-                        .saddr = saddr,
-                        .flowi4_tos = tos,
-                        .flowi4_proto = (inet->hdrincl ?
-                                         IPPROTO_RAW :
-                                         sk->sk_protocol),
-                        .flowi4_flags = FLOWI_FLAG_CAN_SLEEP,
-                };
-                if (!inet->hdrincl) {
-                        err = raw_probe_proto_opt(&fl4, msg);
-                        if (err)
-                                goto done;
-                }
-                security_sk_classify_flow(sk, flowi4_to_flowi(&fl4));
+        if (!inet->hdrincl) {
-                rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
+                err = raw_probe_proto_opt(&fl4, msg);
-                if (IS_ERR(rt)) {
+                if (err)
-                        err = PTR_ERR(rt);
-                        rt = NULL;
                        goto done;
-                }
+        }
+        security_sk_classify_flow(sk, flowi4_to_flowi(&fl4));
+        rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
+        if (IS_ERR(rt)) {
+                err = PTR_ERR(rt);
+                rt = NULL;
+                goto done;
        }
        err = -EACCES;
@@ -583,19 +588,20 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 back_from_confirm:
        if (inet->hdrincl)
-                err = raw_send_hdrinc(sk, msg->msg_iov, len,
+                err = raw_send_hdrinc(sk, &fl4, msg->msg_iov, len,
-                                        &rt, msg->msg_flags);
+                                      &rt, msg->msg_flags);
         else {
                if (!ipc.addr)
-                        ipc.addr = rt->rt_dst;
+                        ipc.addr = fl4.daddr;
                lock_sock(sk);
-                err = ip_append_data(sk, ip_generic_getfrag, msg->msg_iov, len, 0,
+                err = ip_append_data(sk, &fl4, ip_generic_getfrag,
-                                        &ipc, &rt, msg->msg_flags);
+                                     msg->msg_iov, len, 0,
+                                     &ipc, &rt, msg->msg_flags);
                if (err)
                        ip_flush_pending_frames(sk);
                else if (!(msg->msg_flags & MSG_MORE)) {
-                        err = ip_push_pending_frames(sk);
+                        err = ip_push_pending_frames(sk, &fl4);
                        if (err == -ENOBUFS && !inet->recverr)
                                err = 0;
                }
@@ -973,7 +979,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
              srcp  = inet->inet_num;
        seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
-                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
+                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
                i, src, srcp, dest, destp, sp->sk_state,
                sk_wmem_alloc_get(sp),
                sk_rmem_alloc_get(sp),
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 99e6e4bb1c72..aa13ef105110 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -156,7 +156,7 @@ static u32 *ipv4_cow_metrics(struct dst_entry *dst, unsigned long old)
        u32 *p = NULL;
        if (!rt->peer)
-                rt_bind_peer(rt, 1);
+                rt_bind_peer(rt, rt->rt_dst, 1);
        peer = rt->peer;
        if (peer) {
@@ -424,7 +424,7 @@ static int rt_cache_seq_show(struct seq_file *seq, void *v)
                        dst_metric(&r->dst, RTAX_WINDOW),
                        (int)((dst_metric(&r->dst, RTAX_RTT) >> 3) +
                              dst_metric(&r->dst, RTAX_RTTVAR)),
-                        r->rt_tos,
+                        r->rt_key_tos,
                        r->dst.hh ? atomic_read(&r->dst.hh->hh_refcnt) : -1,
                        r->dst.hh ? (r->dst.hh->hh_output ==
                                       dev_queue_xmit) : 0,
@@ -724,7 +724,7 @@ static inline int compare_keys(struct rtable *rt1, struct rtable *rt2)
        return (((__force u32)rt1->rt_key_dst ^ (__force u32)rt2->rt_key_dst) |
                ((__force u32)rt1->rt_key_src ^ (__force u32)rt2->rt_key_src) |
                (rt1->rt_mark ^ rt2->rt_mark) |
-                (rt1->rt_tos ^ rt2->rt_tos) |
+                (rt1->rt_key_tos ^ rt2->rt_key_tos) |
                (rt1->rt_oif ^ rt2->rt_oif) |
                (rt1->rt_iif ^ rt2->rt_iif)) == 0;
 }
@@ -968,10 +968,6 @@ static int rt_garbage_collect(struct dst_ops *ops)
                        break;
                expire >>= 1;
-#if RT_CACHE_DEBUG >= 2
-                printk(KERN_DEBUG "expire>> %u %d %d %d\n", expire,
-                                dst_entries_get_fast(&ipv4_dst_ops), goal, i);
-#endif
                if (dst_entries_get_fast(&ipv4_dst_ops) < ip_rt_max_size)
                        goto out;
@@ -992,10 +988,6 @@ work_done:
            dst_entries_get_fast(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh ||
            dst_entries_get_slow(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh)
                expire = ip_rt_gc_timeout;
-#if RT_CACHE_DEBUG >= 2
-        printk(KERN_DEBUG "expire++ %u %d %d %d\n", expire,
-                        dst_entries_get_fast(&ipv4_dst_ops), goal, rover);
-#endif
 out:    return 0;
 }
@@ -1179,16 +1171,6 @@ restart:
        rt->dst.rt_next = rt_hash_table[hash].chain;
-#if RT_CACHE_DEBUG >= 2
-        if (rt->dst.rt_next) {
-                struct rtable *trt;
-                printk(KERN_DEBUG "rt_cache @%02x: %pI4",
-                       hash, &rt->rt_dst);
-                for (trt = rt->dst.rt_next; trt; trt = trt->dst.rt_next)
-                        printk(" . %pI4", &trt->rt_dst);
-                printk("\n");
-        }
-#endif
        /*
         * Since lookup is lockfree, we must make sure
         * previous writes to rt are committed to memory
@@ -1211,11 +1193,11 @@ static u32 rt_peer_genid(void)
        return atomic_read(&__rt_peer_genid);
 }
-void rt_bind_peer(struct rtable *rt, int create)
+void rt_bind_peer(struct rtable *rt, __be32 daddr, int create)
 {
        struct inet_peer *peer;
-        peer = inet_getpeer_v4(rt->rt_dst, create);
+        peer = inet_getpeer_v4(daddr, create);
        if (peer && cmpxchg(&rt->peer, NULL, peer) != NULL)
                inet_putpeer(peer);
@@ -1249,7 +1231,7 @@ void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more)
        if (rt) {
                if (rt->peer == NULL)
-                        rt_bind_peer(rt, 1);
+                        rt_bind_peer(rt, rt->rt_dst, 1);
                /* If peer is attached to destination, it is never detached,
                   so that we need not to grab a lock to dereference it.
@@ -1334,6 +1316,23 @@ reject_redirect:
        ;
 }
+static bool peer_pmtu_expired(struct inet_peer *peer)
+{
+        unsigned long orig = ACCESS_ONCE(peer->pmtu_expires);
+        return orig &&
+               time_after_eq(jiffies, orig) &&
+               cmpxchg(&peer->pmtu_expires, orig, 0) == orig;
+}
+static bool peer_pmtu_cleaned(struct inet_peer *peer)
+{
+        unsigned long orig = ACCESS_ONCE(peer->pmtu_expires);
+        return orig &&
+               cmpxchg(&peer->pmtu_expires, orig, 0) == orig;
+}
 static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst)
 {
        struct rtable *rt = (struct rtable *)dst;
@@ -1347,20 +1346,10 @@ static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst)
                        unsigned hash = rt_hash(rt->rt_key_dst, rt->rt_key_src,
                                                rt->rt_oif,
                                                rt_genid(dev_net(dst->dev)));
-#if RT_CACHE_DEBUG >= 1
-                        printk(KERN_DEBUG "ipv4_negative_advice: redirect to %pI4/%02x dropped\n",
-                                &rt->rt_dst, rt->rt_tos);
-#endif
                        rt_del(hash, rt);
                        ret = NULL;
-                } else if (rt->peer &&
+                } else if (rt->peer && peer_pmtu_expired(rt->peer)) {
-                           rt->peer->pmtu_expires &&
+                        dst_metric_set(dst, RTAX_MTU, rt->peer->pmtu_orig);
-                           time_after_eq(jiffies, rt->peer->pmtu_expires)) {
-                        unsigned long orig = rt->peer->pmtu_expires;
-                        if (cmpxchg(&rt->peer->pmtu_expires, orig, 0) == orig)
-                                dst_metric_set(dst, RTAX_MTU,
-                                               rt->peer->pmtu_orig);
                }
        }
        return ret;
@@ -1399,7 +1388,7 @@ void ip_rt_send_redirect(struct sk_buff *skb)
        rcu_read_unlock();
        if (!rt->peer)
-                rt_bind_peer(rt, 1);
+                rt_bind_peer(rt, rt->rt_dst, 1);
        peer = rt->peer;
        if (!peer) {
                icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, rt->rt_gateway);
@@ -1435,7 +1424,7 @@ void ip_rt_send_redirect(struct sk_buff *skb)
                    peer->rate_tokens == ip_rt_redirect_number &&
                    net_ratelimit())
                        printk(KERN_WARNING "host %pI4/if%d ignores redirects for %pI4 to %pI4.\n",
-                                &rt->rt_src, rt->rt_iif,
+                               &ip_hdr(skb)->saddr, rt->rt_iif,
                                &rt->rt_dst, &rt->rt_gateway);
 #endif
        }
@@ -1467,7 +1456,7 @@ static int ip_error(struct sk_buff *skb)
        }
        if (!rt->peer)
-                rt_bind_peer(rt, 1);
+                rt_bind_peer(rt, rt->rt_dst, 1);
        peer = rt->peer;
        send = true;
@@ -1507,7 +1496,7 @@ static inline unsigned short guess_mtu(unsigned short old_mtu)
        return 68;
 }
-unsigned short ip_rt_frag_needed(struct net *net, struct iphdr *iph,
+unsigned short ip_rt_frag_needed(struct net *net, const struct iphdr *iph,
                                 unsigned short new_mtu,
                                 struct net_device *dev)
 {
@@ -1553,8 +1542,10 @@ unsigned short ip_rt_frag_needed(struct net *net, struct iphdr *iph,
 static void check_peer_pmtu(struct dst_entry *dst, struct inet_peer *peer)
 {
-        unsigned long expires = peer->pmtu_expires;
+        unsigned long expires = ACCESS_ONCE(peer->pmtu_expires);
+        if (!expires)
+                return;
        if (time_before(jiffies, expires)) {
                u32 orig_dst_mtu = dst_mtu(dst);
                if (peer->pmtu_learned < orig_dst_mtu) {
@@ -1574,13 +1565,14 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
        dst_confirm(dst);
        if (!rt->peer)
-                rt_bind_peer(rt, 1);
+                rt_bind_peer(rt, rt->rt_dst, 1);
        peer = rt->peer;
        if (peer) {
+                unsigned long pmtu_expires = ACCESS_ONCE(peer->pmtu_expires);
                if (mtu < ip_rt_min_pmtu)
                        mtu = ip_rt_min_pmtu;
-                if (!peer->pmtu_expires || mtu < peer->pmtu_learned) {
+                if (!pmtu_expires || mtu < peer->pmtu_learned) {
-                        unsigned long pmtu_expires;
                        pmtu_expires = jiffies + ip_rt_mtu_expires;
                        if (!pmtu_expires)
@@ -1631,16 +1623,17 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie)
                struct inet_peer *peer;
                if (!rt->peer)
-                        rt_bind_peer(rt, 0);
+                        rt_bind_peer(rt, rt->rt_dst, 0);
                peer = rt->peer;
-                if (peer && peer->pmtu_expires)
+                if (peer) {
                        check_peer_pmtu(dst, peer);
-                if (peer && peer->redirect_learned.a4 &&
+                        if (peer->redirect_learned.a4 &&
-                    peer->redirect_learned.a4 != rt->rt_gateway) {
+                            peer->redirect_learned.a4 != rt->rt_gateway) {
-                        if (check_peer_redir(dst, peer))
+                                if (check_peer_redir(dst, peer))
-                                return NULL;
+                                        return NULL;
+                        }
                }
                rt->rt_peer_genid = rt_peer_genid();
@@ -1671,14 +1664,8 @@ static void ipv4_link_failure(struct sk_buff *skb)
        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
        rt = skb_rtable(skb);
-        if (rt &&
+        if (rt && rt->peer && peer_pmtu_cleaned(rt->peer))
-            rt->peer &&
+                dst_metric_set(&rt->dst, RTAX_MTU, rt->peer->pmtu_orig);
-            rt->peer->pmtu_expires) {
-                unsigned long orig = rt->peer->pmtu_expires;
-                if (cmpxchg(&rt->peer->pmtu_expires, orig, 0) == orig)
-                        dst_metric_set(&rt->dst, RTAX_MTU, rt->peer->pmtu_orig);
-        }
 }
 static int ip_rt_bug(struct sk_buff *skb)
@@ -1687,6 +1674,7 @@ static int ip_rt_bug(struct sk_buff *skb)
                &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
                skb->dev ? skb->dev->name : "?");
        kfree_skb(skb);
+        WARN_ON(1);
        return 0;
 }
@@ -1699,22 +1687,26 @@ static int ip_rt_bug(struct sk_buff *skb)
   in IP options!
 */
-void ip_rt_get_source(u8 *addr, struct rtable *rt)
+void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
 {
        __be32 src;
-        struct fib_result res;
        if (rt_is_output_route(rt))
-                src = rt->rt_src;
+                src = ip_hdr(skb)->saddr;
        else {
-                struct flowi4 fl4 = {
+                struct fib_result res;
-                        .daddr = rt->rt_key_dst,
+                struct flowi4 fl4;
-                        .saddr = rt->rt_key_src,
+                struct iphdr *iph;
-                        .flowi4_tos = rt->rt_tos,
-                        .flowi4_oif = rt->rt_oif,
+                iph = ip_hdr(skb);
-                        .flowi4_iif = rt->rt_iif,
-                        .flowi4_mark = rt->rt_mark,
+                memset(&fl4, 0, sizeof(fl4));
-                };
+                fl4.daddr = iph->daddr;
+                fl4.saddr = iph->saddr;
+                fl4.flowi4_tos = iph->tos;
+                fl4.flowi4_oif = rt->dst.dev->ifindex;
+                fl4.flowi4_iif = skb->dev->ifindex;
+                fl4.flowi4_mark = skb->mark;
                rcu_read_lock();
                if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res) == 0)
@@ -1767,7 +1759,7 @@ static unsigned int ipv4_default_mtu(const struct dst_entry *dst)
        return mtu;
 }
-static void rt_init_metrics(struct rtable *rt, const struct flowi4 *oldflp4,
+static void rt_init_metrics(struct rtable *rt, const struct flowi4 *fl4,
                            struct fib_info *fi)
 {
        struct inet_peer *peer;
@@ -1776,7 +1768,7 @@ static void rt_init_metrics(struct rtable *rt, const struct flowi4 *oldflp4,
        /* If a peer entry exists for this destination, we must hook
         * it up in order to get at cached metrics.
         */
-        if (oldflp4 && (oldflp4->flowi4_flags & FLOWI_FLAG_PRECOW_METRICS))
+        if (fl4 && (fl4->flowi4_flags & FLOWI_FLAG_PRECOW_METRICS))
                create = 1;
        rt->peer = peer = inet_getpeer_v4(rt->rt_dst, create);
@@ -1787,8 +1779,7 @@ static void rt_init_metrics(struct rtable *rt, const struct flowi4 *oldflp4,
                               sizeof(u32) * RTAX_MAX);
                dst_init_metrics(&rt->dst, peer->metrics, false);
-                if (peer->pmtu_expires)
+                check_peer_pmtu(&rt->dst, peer);
-                        check_peer_pmtu(&rt->dst, peer);
                if (peer->redirect_learned.a4 &&
                    peer->redirect_learned.a4 != rt->rt_gateway) {
                        rt->rt_gateway = peer->redirect_learned.a4;
@@ -1803,7 +1794,7 @@ static void rt_init_metrics(struct rtable *rt, const struct flowi4 *oldflp4,
        }
 }
-static void rt_set_nexthop(struct rtable *rt, const struct flowi4 *oldflp4,
+static void rt_set_nexthop(struct rtable *rt, const struct flowi4 *fl4,
                           const struct fib_result *res,
                           struct fib_info *fi, u16 type, u32 itag)
 {
@@ -1813,7 +1804,7 @@ static void rt_set_nexthop(struct rtable *rt, const struct flowi4 *oldflp4,
                if (FIB_RES_GW(*res) &&
                    FIB_RES_NH(*res).nh_scope == RT_SCOPE_LINK)
                        rt->rt_gateway = FIB_RES_GW(*res);
-                rt_init_metrics(rt, oldflp4, fi);
+                rt_init_metrics(rt, fl4, fi);
 #ifdef CONFIG_IP_ROUTE_CLASSID
                dst->tclassid = FIB_RES_NH(*res).nh_tclassid;
 #endif
@@ -1830,20 +1821,15 @@ static void rt_set_nexthop(struct rtable *rt, const struct flowi4 *oldflp4,
 #endif
        set_class_tag(rt, itag);
 #endif
-        rt->rt_type = type;
 }
-static struct rtable *rt_dst_alloc(bool nopolicy, bool noxfrm)
+static struct rtable *rt_dst_alloc(struct net_device *dev,
+                                   bool nopolicy, bool noxfrm)
 {
-        struct rtable *rt = dst_alloc(&ipv4_dst_ops, 1);
+        return dst_alloc(&ipv4_dst_ops, dev, 1, -1,
-        if (rt) {
+                         DST_HOST |
-                rt->dst.obsolete = -1;
+                         (nopolicy ? DST_NOPOLICY : 0) |
+                         (noxfrm ? DST_NOXFRM : 0));
-                rt->dst.flags = DST_HOST |
-                        (nopolicy ? DST_NOPOLICY : 0) |
-                        (noxfrm ? DST_NOXFRM : 0);
-        }
-        return rt;
 }
 /* called in rcu_read_lock() section */
@@ -1871,36 +1857,38 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                        goto e_inval;
                spec_dst = inet_select_addr(dev, 0, RT_SCOPE_LINK);
        } else {
-                err = fib_validate_source(saddr, 0, tos, 0, dev, &spec_dst,
+                err = fib_validate_source(skb, saddr, 0, tos, 0, dev, &spec_dst,
-                                          &itag, 0);
+                                          &itag);
                if (err < 0)
                        goto e_err;
        }
-        rth = rt_dst_alloc(IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
+        rth = rt_dst_alloc(init_net.loopback_dev,
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
        if (!rth)
                goto e_nobufs;
+#ifdef CONFIG_IP_ROUTE_CLASSID
+        rth->dst.tclassid = itag;
+#endif
        rth->dst.output = ip_rt_bug;
        rth->rt_key_dst = daddr;
-        rth->rt_dst     = daddr;
-        rth->rt_tos     = tos;
-        rth->rt_mark    = skb->mark;
        rth->rt_key_src = saddr;
+        rth->rt_genid   = rt_genid(dev_net(dev));
+        rth->rt_flags   = RTCF_MULTICAST;
+        rth->rt_type    = RTN_MULTICAST;
+        rth->rt_key_tos = tos;
+        rth->rt_dst     = daddr;
        rth->rt_src     = saddr;
-#ifdef CONFIG_IP_ROUTE_CLASSID
-        rth->dst.tclassid = itag;
-#endif
        rth->rt_route_iif = dev->ifindex;
        rth->rt_iif     = dev->ifindex;
-        rth->dst.dev    = init_net.loopback_dev;
-        dev_hold(rth->dst.dev);
        rth->rt_oif     = 0;
+        rth->rt_mark    = skb->mark;
        rth->rt_gateway = daddr;
        rth->rt_spec_dst= spec_dst;
-        rth->rt_genid   = rt_genid(dev_net(dev));
+        rth->rt_peer_genid = 0;
-        rth->rt_flags   = RTCF_MULTICAST;
+        rth->peer = NULL;
-        rth->rt_type    = RTN_MULTICAST;
+        rth->fi = NULL;
        if (our) {
                rth->dst.input= ip_local_deliver;
                rth->rt_flags |= RTCF_LOCAL;
@@ -1914,9 +1902,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
        hash = rt_hash(daddr, saddr, dev->ifindex, rt_genid(dev_net(dev)));
        rth = rt_intern_hash(hash, rth, skb, dev->ifindex);
-        err = 0;
+        return IS_ERR(rth) ? PTR_ERR(rth) : 0;
-        if (IS_ERR(rth))
-                err = PTR_ERR(rth);
 e_nobufs:
        return -ENOBUFS;
@@ -1981,8 +1967,8 @@ static int __mkroute_input(struct sk_buff *skb,
        }
-        err = fib_validate_source(saddr, daddr, tos, FIB_RES_OIF(*res),
+        err = fib_validate_source(skb, saddr, daddr, tos, FIB_RES_OIF(*res),
-                                  in_dev->dev, &spec_dst, &itag, skb->mark);
+                                  in_dev->dev, &spec_dst, &itag);
        if (err < 0) {
                ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr,
                                         saddr);
@@ -2013,7 +1999,8 @@ static int __mkroute_input(struct sk_buff *skb,
                }
        }
-        rth = rt_dst_alloc(IN_DEV_CONF_GET(in_dev, NOPOLICY),
+        rth = rt_dst_alloc(out_dev->dev,
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY),
                           IN_DEV_CONF_GET(out_dev, NOXFRM));
        if (!rth) {
                err = -ENOBUFS;
@@ -2021,27 +2008,28 @@ static int __mkroute_input(struct sk_buff *skb,
        }
        rth->rt_key_dst = daddr;
-        rth->rt_dst     = daddr;
-        rth->rt_tos     = tos;
-        rth->rt_mark    = skb->mark;
        rth->rt_key_src = saddr;
+        rth->rt_genid = rt_genid(dev_net(rth->dst.dev));
+        rth->rt_flags = flags;
+        rth->rt_type = res->type;
+        rth->rt_key_tos = tos;
+        rth->rt_dst     = daddr;
        rth->rt_src     = saddr;
-        rth->rt_gateway = daddr;
        rth->rt_route_iif = in_dev->dev->ifindex;
        rth->rt_iif     = in_dev->dev->ifindex;
-        rth->dst.dev    = (out_dev)->dev;
-        dev_hold(rth->dst.dev);
        rth->rt_oif     = 0;
+        rth->rt_mark    = skb->mark;
+        rth->rt_gateway = daddr;
        rth->rt_spec_dst= spec_dst;
+        rth->rt_peer_genid = 0;
+        rth->peer = NULL;
+        rth->fi = NULL;
        rth->dst.input = ip_forward;
        rth->dst.output = ip_output;
-        rth->rt_genid = rt_genid(dev_net(rth->dst.dev));
        rt_set_nexthop(rth, NULL, res, res->fi, res->type, itag);
-        rth->rt_flags = flags;
        *result = rth;
        err = 0;
 cleanup:
@@ -2150,9 +2138,9 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                goto brd_input;
        if (res.type == RTN_LOCAL) {
-                err = fib_validate_source(saddr, daddr, tos,
+                err = fib_validate_source(skb, saddr, daddr, tos,
                                          net->loopback_dev->ifindex,
-                                          dev, &spec_dst, &itag, skb->mark);
+                                          dev, &spec_dst, &itag);
                if (err < 0)
                        goto martian_source_keep_err;
                if (err)
@@ -2176,8 +2164,8 @@ brd_input:
        if (ipv4_is_zeronet(saddr))
                spec_dst = inet_select_addr(dev, 0, RT_SCOPE_LINK);
        else {
-                err = fib_validate_source(saddr, 0, tos, 0, dev, &spec_dst,
+                err = fib_validate_source(skb, saddr, 0, tos, 0, dev, &spec_dst,
-                                          &itag, skb->mark);
+                                          &itag);
                if (err < 0)
                        goto martian_source_keep_err;
                if (err)
@@ -2188,36 +2176,42 @@ brd_input:
        RT_CACHE_STAT_INC(in_brd);
 local_input:
-        rth = rt_dst_alloc(IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
+        rth = rt_dst_alloc(net->loopback_dev,
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
        if (!rth)
                goto e_nobufs;
+        rth->dst.input= ip_local_deliver;
        rth->dst.output= ip_rt_bug;
-        rth->rt_genid = rt_genid(net);
+#ifdef CONFIG_IP_ROUTE_CLASSID
+        rth->dst.tclassid = itag;
+#endif
        rth->rt_key_dst = daddr;
-        rth->rt_dst     = daddr;
-        rth->rt_tos     = tos;
-        rth->rt_mark    = skb->mark;
        rth->rt_key_src = saddr;
+        rth->rt_genid = rt_genid(net);
+        rth->rt_flags   = flags|RTCF_LOCAL;
+        rth->rt_type    = res.type;
+        rth->rt_key_tos = tos;
+        rth->rt_dst     = daddr;
        rth->rt_src     = saddr;
 #ifdef CONFIG_IP_ROUTE_CLASSID
        rth->dst.tclassid = itag;
 #endif
        rth->rt_route_iif = dev->ifindex;
        rth->rt_iif     = dev->ifindex;
-        rth->dst.dev    = net->loopback_dev;
+        rth->rt_oif     = 0;
-        dev_hold(rth->dst.dev);
+        rth->rt_mark    = skb->mark;
        rth->rt_gateway = daddr;
        rth->rt_spec_dst= spec_dst;
-        rth->dst.input= ip_local_deliver;
+        rth->rt_peer_genid = 0;
-        rth->rt_flags   = flags|RTCF_LOCAL;
+        rth->peer = NULL;
+        rth->fi = NULL;
        if (res.type == RTN_UNREACHABLE) {
                rth->dst.input= ip_error;
                rth->dst.error= -err;
                rth->rt_flags   &= ~RTCF_LOCAL;
        }
-        rth->rt_type    = res.type;
        hash = rt_hash(daddr, saddr, fl4.flowi4_iif, rt_genid(net));
        rth = rt_intern_hash(hash, rth, skb, fl4.flowi4_iif);
        err = 0;
@@ -2288,7 +2282,7 @@ int ip_route_input_common(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                     ((__force u32)rth->rt_key_src ^ (__force u32)saddr) |
                     (rth->rt_iif ^ iif) |
                     rth->rt_oif |
-                     (rth->rt_tos ^ tos)) == 0 &&
+                     (rth->rt_key_tos ^ tos)) == 0 &&
                    rth->rt_mark == skb->mark &&
                    net_eq(dev_net(rth->dst.dev), net) &&
                    !rt_is_expired(rth)) {
@@ -2349,12 +2343,12 @@ EXPORT_SYMBOL(ip_route_input_common);
 /* called with rcu_read_lock() */
 static struct rtable *__mkroute_output(const struct fib_result *res,
                                       const struct flowi4 *fl4,
-                                       const struct flowi4 *oldflp4,
+                                       __be32 orig_daddr, __be32 orig_saddr,
-                                       struct net_device *dev_out,
+                                       int orig_oif, struct net_device *dev_out,
                                       unsigned int flags)
 {
        struct fib_info *fi = res->fi;
-        u32 tos = RT_FL_TOS(oldflp4);
+        u32 tos = RT_FL_TOS(fl4);
        struct in_device *in_dev;
        u16 type = res->type;
        struct rtable *rth;
@@ -2381,8 +2375,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
                fi = NULL;
        } else if (type == RTN_MULTICAST) {
                flags |= RTCF_MULTICAST | RTCF_LOCAL;
-                if (!ip_check_mc_rcu(in_dev, oldflp4->daddr, oldflp4->saddr,
+                if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
-                                     oldflp4->flowi4_proto))
+                                     fl4->flowi4_proto))
                        flags &= ~RTCF_LOCAL;
                /* If multicast route do not exist use
                 * default one, but do not gateway in this case.
@@ -2392,29 +2386,31 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
                        fi = NULL;
        }
-        rth = rt_dst_alloc(IN_DEV_CONF_GET(in_dev, NOPOLICY),
+        rth = rt_dst_alloc(dev_out,
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY),
                           IN_DEV_CONF_GET(in_dev, NOXFRM));
        if (!rth)
                return ERR_PTR(-ENOBUFS);
-        rth->rt_key_dst = oldflp4->daddr;
+        rth->dst.output = ip_output;
-        rth->rt_tos     = tos;
-        rth->rt_key_src = oldflp4->saddr;
+        rth->rt_key_dst = orig_daddr;
-        rth->rt_oif     = oldflp4->flowi4_oif;
+        rth->rt_key_src = orig_saddr;
-        rth->rt_mark    = oldflp4->flowi4_mark;
+        rth->rt_genid = rt_genid(dev_net(dev_out));
+        rth->rt_flags   = flags;
+        rth->rt_type    = type;
+        rth->rt_key_tos = tos;
        rth->rt_dst     = fl4->daddr;
        rth->rt_src     = fl4->saddr;
        rth->rt_route_iif = 0;
-        rth->rt_iif     = oldflp4->flowi4_oif ? : dev_out->ifindex;
+        rth->rt_iif     = orig_oif ? : dev_out->ifindex;
-        /* get references to the devices that are to be hold by the routing
+        rth->rt_oif     = orig_oif;
-           cache entry */
+        rth->rt_mark    = fl4->flowi4_mark;
-        rth->dst.dev    = dev_out;
-        dev_hold(dev_out);
        rth->rt_gateway = fl4->daddr;
        rth->rt_spec_dst= fl4->saddr;
+        rth->rt_peer_genid = 0;
-        rth->dst.output=ip_output;
+        rth->peer = NULL;
-        rth->rt_genid = rt_genid(dev_net(dev_out));
+        rth->fi = NULL;
        RT_CACHE_STAT_INC(out_slow_tot);
@@ -2432,7 +2428,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
 #ifdef CONFIG_IP_MROUTE
                if (type == RTN_MULTICAST) {
                        if (IN_DEV_MFORWARD(in_dev) &&
-                            !ipv4_is_local_multicast(oldflp4->daddr)) {
+                            !ipv4_is_local_multicast(fl4->daddr)) {
                                rth->dst.input = ip_mr_input;
                                rth->dst.output = ip_mc_output;
                        }
@@ -2440,9 +2436,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
 #endif
        }
-        rt_set_nexthop(rth, oldflp4, res, fi, type, 0);
+        rt_set_nexthop(rth, fl4, res, fi, type, 0);
-        rth->rt_flags = flags;
        return rth;
 }
@@ -2451,36 +2446,37 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
 * called with rcu_read_lock();
 */
-static struct rtable *ip_route_output_slow(struct net *net,
+static struct rtable *ip_route_output_slow(struct net *net, struct flowi4 *fl4)
-                                           const struct flowi4 *oldflp4)
 {
-        u32 tos = RT_FL_TOS(oldflp4);
-        struct flowi4 fl4;
-        struct fib_result res;
-        unsigned int flags = 0;
        struct net_device *dev_out = NULL;
+        u32 tos = RT_FL_TOS(fl4);
+        unsigned int flags = 0;
+        struct fib_result res;
        struct rtable *rth;
+        __be32 orig_daddr;
+        __be32 orig_saddr;
+        int orig_oif;
        res.fi          = NULL;
 #ifdef CONFIG_IP_MULTIPLE_TABLES
        res.r           = NULL;
 #endif
-        fl4.flowi4_oif = oldflp4->flowi4_oif;
+        orig_daddr = fl4->daddr;
-        fl4.flowi4_iif = net->loopback_dev->ifindex;
+        orig_saddr = fl4->saddr;
-        fl4.flowi4_mark = oldflp4->flowi4_mark;
+        orig_oif = fl4->flowi4_oif;
-        fl4.daddr = oldflp4->daddr;
-        fl4.saddr = oldflp4->saddr;
+        fl4->flowi4_iif = net->loopback_dev->ifindex;
-        fl4.flowi4_tos = tos & IPTOS_RT_MASK;
+        fl4->flowi4_tos = tos & IPTOS_RT_MASK;
-        fl4.flowi4_scope = ((tos & RTO_ONLINK) ?
+        fl4->flowi4_scope = ((tos & RTO_ONLINK) ?
-                        RT_SCOPE_LINK : RT_SCOPE_UNIVERSE);
+                         RT_SCOPE_LINK : RT_SCOPE_UNIVERSE);
        rcu_read_lock();
-        if (oldflp4->saddr) {
+        if (fl4->saddr) {
                rth = ERR_PTR(-EINVAL);
-                if (ipv4_is_multicast(oldflp4->saddr) ||
+                if (ipv4_is_multicast(fl4->saddr) ||
-                    ipv4_is_lbcast(oldflp4->saddr) ||
+                    ipv4_is_lbcast(fl4->saddr) ||
-                    ipv4_is_zeronet(oldflp4->saddr))
+                    ipv4_is_zeronet(fl4->saddr))
                        goto out;
                /* I removed check for oif == dev_out->oif here.
@@ -2491,11 +2487,11 @@ static struct rtable *ip_route_output_slow(struct net *net,
                      of another iface. --ANK
                 */
-                if (oldflp4->flowi4_oif == 0 &&
+                if (fl4->flowi4_oif == 0 &&
-                    (ipv4_is_multicast(oldflp4->daddr) ||
+                    (ipv4_is_multicast(fl4->daddr) ||
-                     ipv4_is_lbcast(oldflp4->daddr))) {
+                     ipv4_is_lbcast(fl4->daddr))) {
                        /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
-                        dev_out = __ip_dev_find(net, oldflp4->saddr, false);
+                        dev_out = __ip_dev_find(net, fl4->saddr, false);
                        if (dev_out == NULL)
                                goto out;
@@ -2514,20 +2510,20 @@ static struct rtable *ip_route_output_slow(struct net *net,
                           Luckily, this hack is good workaround.
                         */
-                        fl4.flowi4_oif = dev_out->ifindex;
+                        fl4->flowi4_oif = dev_out->ifindex;
                        goto make_route;
                }
-                if (!(oldflp4->flowi4_flags & FLOWI_FLAG_ANYSRC)) {
+                if (!(fl4->flowi4_flags & FLOWI_FLAG_ANYSRC)) {
                        /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
-                        if (!__ip_dev_find(net, oldflp4->saddr, false))
+                        if (!__ip_dev_find(net, fl4->saddr, false))
                                goto out;
                }
        }
-        if (oldflp4->flowi4_oif) {
+        if (fl4->flowi4_oif) {
-                dev_out = dev_get_by_index_rcu(net, oldflp4->flowi4_oif);
+                dev_out = dev_get_by_index_rcu(net, fl4->flowi4_oif);
                rth = ERR_PTR(-ENODEV);
                if (dev_out == NULL)
                        goto out;
@@ -2537,37 +2533,37 @@ static struct rtable *ip_route_output_slow(struct net *net,
                        rth = ERR_PTR(-ENETUNREACH);
                        goto out;
                }
-                if (ipv4_is_local_multicast(oldflp4->daddr) ||
+                if (ipv4_is_local_multicast(fl4->daddr) ||
-                    ipv4_is_lbcast(oldflp4->daddr)) {
+                    ipv4_is_lbcast(fl4->daddr)) {
-                        if (!fl4.saddr)
+                        if (!fl4->saddr)
-                                fl4.saddr = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
-                                                             RT_SCOPE_LINK);
+                                                              RT_SCOPE_LINK);
                        goto make_route;
                }
-                if (!fl4.saddr) {
+                if (fl4->saddr) {
-                        if (ipv4_is_multicast(oldflp4->daddr))
+                        if (ipv4_is_multicast(fl4->daddr))
-                                fl4.saddr = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
-                                                             fl4.flowi4_scope);
+                                                              fl4->flowi4_scope);
-                        else if (!oldflp4->daddr)
+                        else if (!fl4->daddr)
-                                fl4.saddr = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
-                                                             RT_SCOPE_HOST);
+                                                              RT_SCOPE_HOST);
                }
        }
-        if (!fl4.daddr) {
+        if (!fl4->daddr) {
-                fl4.daddr = fl4.saddr;
+                fl4->daddr = fl4->saddr;
-                if (!fl4.daddr)
+                if (!fl4->daddr)
-                        fl4.daddr = fl4.saddr = htonl(INADDR_LOOPBACK);
+                        fl4->daddr = fl4->saddr = htonl(INADDR_LOOPBACK);
                dev_out = net->loopback_dev;
-                fl4.flowi4_oif = net->loopback_dev->ifindex;
+                fl4->flowi4_oif = net->loopback_dev->ifindex;
                res.type = RTN_LOCAL;
                flags |= RTCF_LOCAL;
                goto make_route;
        }
-        if (fib_lookup(net, &fl4, &res)) {
+        if (fib_lookup(net, fl4, &res)) {
                res.fi = NULL;
-                if (oldflp4->flowi4_oif) {
+                if (fl4->flowi4_oif) {
                        /* Apparently, routing tables are wrong. Assume,
                           that the destination is on link.
@@ -2586,9 +2582,9 @@ static struct rtable *ip_route_output_slow(struct net *net,
                           likely IPv6, but we do not.
                         */
-                        if (fl4.saddr == 0)
+                        if (fl4->saddr == 0)
-                                fl4.saddr = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
-                                                             RT_SCOPE_LINK);
+                                                              RT_SCOPE_LINK);
                        res.type = RTN_UNICAST;
                        goto make_route;
                }
@@ -2597,42 +2593,45 @@ static struct rtable *ip_route_output_slow(struct net *net,
        }
        if (res.type == RTN_LOCAL) {
-                if (!fl4.saddr) {
+                if (!fl4->saddr) {
                        if (res.fi->fib_prefsrc)
-                                fl4.saddr = res.fi->fib_prefsrc;
+                                fl4->saddr = res.fi->fib_prefsrc;
                        else
-                                fl4.saddr = fl4.daddr;
+                                fl4->saddr = fl4->daddr;
                }
                dev_out = net->loopback_dev;
-                fl4.flowi4_oif = dev_out->ifindex;
+                fl4->flowi4_oif = dev_out->ifindex;
                res.fi = NULL;
                flags |= RTCF_LOCAL;
                goto make_route;
        }
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-        if (res.fi->fib_nhs > 1 && fl4.flowi4_oif == 0)
+        if (res.fi->fib_nhs > 1 && fl4->flowi4_oif == 0)
                fib_select_multipath(&res);
        else
 #endif
-        if (!res.prefixlen && res.type == RTN_UNICAST && !fl4.flowi4_oif)
+        if (!res.prefixlen &&
+            res.table->tb_num_default > 1 &&
+            res.type == RTN_UNICAST && !fl4->flowi4_oif)
                fib_select_default(&res);
-        if (!fl4.saddr)
+        if (!fl4->saddr)
-                fl4.saddr = FIB_RES_PREFSRC(net, res);
+                fl4->saddr = FIB_RES_PREFSRC(net, res);
        dev_out = FIB_RES_DEV(res);
-        fl4.flowi4_oif = dev_out->ifindex;
+        fl4->flowi4_oif = dev_out->ifindex;
 make_route:
-        rth = __mkroute_output(&res, &fl4, oldflp4, dev_out, flags);
+        rth = __mkroute_output(&res, fl4, orig_daddr, orig_saddr, orig_oif,
+                               dev_out, flags);
        if (!IS_ERR(rth)) {
                unsigned int hash;
-                hash = rt_hash(oldflp4->daddr, oldflp4->saddr, oldflp4->flowi4_oif,
+                hash = rt_hash(orig_daddr, orig_saddr, orig_oif,
                               rt_genid(dev_net(dev_out)));
-                rth = rt_intern_hash(hash, rth, NULL, oldflp4->flowi4_oif);
+                rth = rt_intern_hash(hash, rth, NULL, orig_oif);
        }
 out:
@@ -2640,7 +2639,7 @@ out:
        return rth;
 }
-struct rtable *__ip_route_output_key(struct net *net, const struct flowi4 *flp4)
+struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *flp4)
 {
        struct rtable *rth;
        unsigned int hash;
@@ -2658,13 +2657,17 @@ struct rtable *__ip_route_output_key(struct net *net, const struct flowi4 *flp4)
                    rt_is_output_route(rth) &&
                    rth->rt_oif == flp4->flowi4_oif &&
                    rth->rt_mark == flp4->flowi4_mark &&
-                    !((rth->rt_tos ^ flp4->flowi4_tos) &
+                    !((rth->rt_key_tos ^ flp4->flowi4_tos) &
                            (IPTOS_RT_MASK | RTO_ONLINK)) &&
                    net_eq(dev_net(rth->dst.dev), net) &&
                    !rt_is_expired(rth)) {
                        dst_use(&rth->dst, jiffies);
                        RT_CACHE_STAT_INC(out_hit);
                        rcu_read_unlock_bh();
+                        if (!flp4->saddr)
+                                flp4->saddr = rth->rt_src;
+                        if (!flp4->daddr)
+                                flp4->daddr = rth->rt_dst;
                        return rth;
                }
                RT_CACHE_STAT_INC(out_hlist_search);
@@ -2709,7 +2712,7 @@ static struct dst_ops ipv4_dst_blackhole_ops = {
 struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_orig)
 {
-        struct rtable *rt = dst_alloc(&ipv4_dst_blackhole_ops, 1);
+        struct rtable *rt = dst_alloc(&ipv4_dst_blackhole_ops, NULL, 1, 0, 0);
        struct rtable *ort = (struct rtable *) dst_orig;
        if (rt) {
@@ -2726,7 +2729,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
                rt->rt_key_dst = ort->rt_key_dst;
                rt->rt_key_src = ort->rt_key_src;
-                rt->rt_tos = ort->rt_tos;
+                rt->rt_key_tos = ort->rt_key_tos;
                rt->rt_route_iif = ort->rt_route_iif;
                rt->rt_iif = ort->rt_iif;
                rt->rt_oif = ort->rt_oif;
@@ -2762,15 +2765,10 @@ struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4,
        if (IS_ERR(rt))
                return rt;
-        if (flp4->flowi4_proto) {
+        if (flp4->flowi4_proto)
-                if (!flp4->saddr)
-                        flp4->saddr = rt->rt_src;
-                if (!flp4->daddr)
-                        flp4->daddr = rt->rt_dst;
                rt = (struct rtable *) xfrm_lookup(net, &rt->dst,
                                                   flowi4_to_flowi(flp4),
                                                   sk, 0);
-        }
        return rt;
 }
@@ -2783,7 +2781,8 @@ static int rt_fill_info(struct net *net,
        struct rtable *rt = skb_rtable(skb);
        struct rtmsg *r;
        struct nlmsghdr *nlh;
-        long expires;
+        long expires = 0;
+        const struct inet_peer *peer = rt->peer;
        u32 id = 0, ts = 0, tsage = 0, error;
        nlh = nlmsg_put(skb, pid, seq, event, sizeof(*r), flags);
@@ -2794,7 +2793,7 @@ static int rt_fill_info(struct net *net,
        r->rtm_family    = AF_INET;
        r->rtm_dst_len  = 32;
        r->rtm_src_len  = 0;
-        r->rtm_tos      = rt->rt_tos;
+        r->rtm_tos      = rt->rt_key_tos;
        r->rtm_table    = RT_TABLE_MAIN;
        NLA_PUT_U32(skb, RTA_TABLE, RT_TABLE_MAIN);
        r->rtm_type     = rt->rt_type;
@@ -2831,15 +2830,16 @@ static int rt_fill_info(struct net *net,
                NLA_PUT_BE32(skb, RTA_MARK, rt->rt_mark);
        error = rt->dst.error;
-        expires = (rt->peer && rt->peer->pmtu_expires) ?
+        if (peer) {
-                rt->peer->pmtu_expires - jiffies : 0;
-        if (rt->peer) {
                inet_peer_refcheck(rt->peer);
-                id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
+                id = atomic_read(&peer->ip_id_count) & 0xffff;
-                if (rt->peer->tcp_ts_stamp) {
+                if (peer->tcp_ts_stamp) {
-                        ts = rt->peer->tcp_ts;
+                        ts = peer->tcp_ts;
-                        tsage = get_seconds() - rt->peer->tcp_ts_stamp;
+                        tsage = get_seconds() - peer->tcp_ts_stamp;
                }
+                expires = ACCESS_ONCE(peer->pmtu_expires);
+                if (expires)
+                        expires -= jiffies;
        }
        if (rt_is_input_route(rt)) {
@@ -2848,7 +2848,9 @@ static int rt_fill_info(struct net *net,
                if (ipv4_is_multicast(dst) && !ipv4_is_local_multicast(dst) &&
                    IPV4_DEVCONF_ALL(net, MC_FORWARDING)) {
-                        int err = ipmr_get_route(net, skb, r, nowait);
+                        int err = ipmr_get_route(net, skb,
+                                                 rt->rt_src, rt->rt_dst,
+                                                 r, nowait);
                        if (err <= 0) {
                                if (!nowait) {
                                        if (err == 0)
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 8b44c6d2a79b..26461492a847 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -321,10 +321,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
         * the ACK carries the same options again (see RFC1122 4.2.3.8)
         */
        if (opt && opt->optlen) {
-                int opt_size = sizeof(struct ip_options) + opt->optlen;
+                int opt_size = sizeof(struct ip_options_rcu) + opt->optlen;
                ireq->opt = kmalloc(opt_size, GFP_ATOMIC);
-                if (ireq->opt != NULL && ip_options_echo(ireq->opt, skb)) {
+                if (ireq->opt != NULL && ip_options_echo(&ireq->opt->opt, skb)) {
                        kfree(ireq->opt);
                        ireq->opt = NULL;
                }
@@ -345,17 +345,13 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
         * no easy way to do this.
         */
        {
-                struct flowi4 fl4 = {
+                struct flowi4 fl4;
-                        .flowi4_mark = sk->sk_mark,
-                        .daddr = ((opt && opt->srr) ?
+                flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
-                                  opt->faddr : ireq->rmt_addr),
+                                   RT_SCOPE_UNIVERSE, IPPROTO_TCP,
-                        .saddr = ireq->loc_addr,
+                                   inet_sk_flowi_flags(sk),
-                        .flowi4_tos = RT_CONN_FLAGS(sk),
+                                   (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
-                        .flowi4_proto = IPPROTO_TCP,
+                                   ireq->loc_addr, th->source, th->dest);
-                        .flowi4_flags = inet_sk_flowi_flags(sk),
-                        .fl4_sport = th->dest,
-                        .fl4_dport = th->source,
-                };
                security_req_classify_flow(req, flowi4_to_flowi(&fl4));
                rt = ip_route_output_key(sock_net(sk), &fl4);
                if (IS_ERR(rt)) {
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 321e6e84dbcc..57d0752e239a 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -13,6 +13,7 @@
 #include <linux/seqlock.h>
 #include <linux/init.h>
 #include <linux/slab.h>
+#include <linux/nsproxy.h>
 #include <net/snmp.h>
 #include <net/icmp.h>
 #include <net/ip.h>
@@ -21,6 +22,7 @@
 #include <net/udp.h>
 #include <net/cipso_ipv4.h>
 #include <net/inet_frag.h>
+#include <net/ping.h>
 static int zero;
 static int tcp_retr1_max = 255;
@@ -30,6 +32,8 @@ static int tcp_adv_win_scale_min = -31;
 static int tcp_adv_win_scale_max = 31;
 static int ip_ttl_min = 1;
 static int ip_ttl_max = 255;
+static int ip_ping_group_range_min[] = { 0, 0 };
+static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
 /* Update system visible IP port range */
 static void set_local_port_range(int range[2])
@@ -68,6 +72,53 @@ static int ipv4_local_port_range(ctl_table *table, int write,
        return ret;
 }
+void inet_get_ping_group_range_table(struct ctl_table *table, gid_t *low, gid_t *high)
+{
+        gid_t *data = table->data;
+        unsigned seq;
+        do {
+                seq = read_seqbegin(&sysctl_local_ports.lock);
+                *low = data[0];
+                *high = data[1];
+        } while (read_seqretry(&sysctl_local_ports.lock, seq));
+}
+/* Update system visible IP port range */
+static void set_ping_group_range(struct ctl_table *table, int range[2])
+{
+        gid_t *data = table->data;
+        write_seqlock(&sysctl_local_ports.lock);
+        data[0] = range[0];
+        data[1] = range[1];
+        write_sequnlock(&sysctl_local_ports.lock);
+}
+/* Validate changes from /proc interface. */
+static int ipv4_ping_group_range(ctl_table *table, int write,
+                                 void __user *buffer,
+                                 size_t *lenp, loff_t *ppos)
+{
+        int ret;
+        gid_t range[2];
+        ctl_table tmp = {
+                .data = &range,
+                .maxlen = sizeof(range),
+                .mode = table->mode,
+                .extra1 = &ip_ping_group_range_min,
+                .extra2 = &ip_ping_group_range_max,
+        };
+        inet_get_ping_group_range_table(table, range, range + 1);
+        ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
+        if (write && ret == 0)
+                set_ping_group_range(table, range);
+        return ret;
+}
 static int proc_tcp_congestion_control(ctl_table *ctl, int write,
                                       void __user *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -677,6 +728,13 @@ static struct ctl_table ipv4_net_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
+        {
+                .procname       = "ping_group_range",
+                .data           = &init_net.ipv4.sysctl_ping_group_range,
+                .maxlen         = sizeof(init_net.ipv4.sysctl_ping_group_range),
+                .mode           = 0644,
+                .proc_handler   = ipv4_ping_group_range,
+        },
        { }
 };
@@ -711,8 +769,18 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
                        &net->ipv4.sysctl_icmp_ratemask;
                table[6].data =
                        &net->ipv4.sysctl_rt_cache_rebuild_count;
+                table[7].data =
+                        &net->ipv4.sysctl_ping_group_range;
        }
+        /*
+         * Sane defaults - nobody may create ping sockets.
+         * Boot scripts should set this to distro-specific group.
+         */
+        net->ipv4.sysctl_ping_group_range[0] = 1;
+        net->ipv4.sysctl_ping_group_range[1] = 0;
        net->ipv4.sysctl_rt_cache_rebuild_count = 4;
        net->ipv4.ipv4_hdr = register_net_sysctl_table(net,
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b22d45010545..46febcacb729 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -999,7 +999,8 @@ new_segment:
                                /* We have some space in skb head. Superb! */
                                if (copy > skb_tailroom(skb))
                                        copy = skb_tailroom(skb);
-                                if ((err = skb_add_data(skb, from, copy)) != 0)
+                                err = skb_add_data_nocache(sk, skb, from, copy);
+                                if (err)
                                        goto do_fault;
                        } else {
                                int merge = 0;
@@ -1042,8 +1043,8 @@ new_segment:
                                /* Time to copy data. We are close to
                                 * the end! */
-                                err = skb_copy_to_page(sk, from, skb, page,
+                                err = skb_copy_to_page_nocache(sk, from, skb,
-                                                       off, copy);
+                                                               page, off, copy);
                                if (err) {
                                        /* If this page was new, give it to the
                                         * socket so it does not get leaked.
@@ -3219,7 +3220,7 @@ __setup("thash_entries=", set_thash_entries);
 void __init tcp_init(void)
 {
        struct sk_buff *skb = NULL;
-        unsigned long nr_pages, limit;
+        unsigned long limit;
        int i, max_share, cnt;
        unsigned long jiffy = jiffies;
@@ -3276,13 +3277,7 @@ void __init tcp_init(void)
        sysctl_tcp_max_orphans = cnt / 2;
        sysctl_max_syn_backlog = max(128, cnt / 256);
-        /* Set the pressure threshold to be a fraction of global memory that
+        limit = nr_free_buffer_pages() / 8;
-         * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
-         * memory, with a floor of 128 pages.
-         */
-        nr_pages = totalram_pages - totalhigh_pages;
-        limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
-        limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
        limit = max(limit, 128UL);
        sysctl_tcp_mem[0] = limit / 4 * 3;
        sysctl_tcp_mem[1] = limit;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index f7e6c2c2d2bb..708dc203b034 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -146,13 +146,15 @@ EXPORT_SYMBOL_GPL(tcp_twsk_unique);
 /* This will initiate an outgoing connection. */
 int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
+        struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
        struct inet_sock *inet = inet_sk(sk);
        struct tcp_sock *tp = tcp_sk(sk);
-        struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
        __be16 orig_sport, orig_dport;
-        struct rtable *rt;
        __be32 daddr, nexthop;
+        struct flowi4 *fl4;
+        struct rtable *rt;
        int err;
+        struct ip_options_rcu *inet_opt;
        if (addr_len < sizeof(struct sockaddr_in))
                return -EINVAL;
@@ -161,15 +163,18 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                return -EAFNOSUPPORT;
        nexthop = daddr = usin->sin_addr.s_addr;
-        if (inet->opt && inet->opt->srr) {
+        inet_opt = rcu_dereference_protected(inet->inet_opt,
+                                             sock_owned_by_user(sk));
+        if (inet_opt && inet_opt->opt.srr) {
                if (!daddr)
                        return -EINVAL;
-                nexthop = inet->opt->faddr;
+                nexthop = inet_opt->opt.faddr;
        }
        orig_sport = inet->inet_sport;
        orig_dport = usin->sin_port;
-        rt = ip_route_connect(nexthop, inet->inet_saddr,
+        fl4 = &inet->cork.fl.u.ip4;
+        rt = ip_route_connect(fl4, nexthop, inet->inet_saddr,
                              RT_CONN_FLAGS(sk), sk->sk_bound_dev_if,
                              IPPROTO_TCP,
                              orig_sport, orig_dport, sk, true);
@@ -185,11 +190,11 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                return -ENETUNREACH;
        }
-        if (!inet->opt || !inet->opt->srr)
+        if (!inet_opt || !inet_opt->opt.srr)
-                daddr = rt->rt_dst;
+                daddr = fl4->daddr;
        if (!inet->inet_saddr)
-                inet->inet_saddr = rt->rt_src;
+                inet->inet_saddr = fl4->saddr;
        inet->inet_rcv_saddr = inet->inet_saddr;
        if (tp->rx_opt.ts_recent_stamp && inet->inet_daddr != daddr) {
@@ -200,8 +205,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        }
        if (tcp_death_row.sysctl_tw_recycle &&
-            !tp->rx_opt.ts_recent_stamp && rt->rt_dst == daddr) {
+            !tp->rx_opt.ts_recent_stamp && fl4->daddr == daddr) {
-                struct inet_peer *peer = rt_get_peer(rt);
+                struct inet_peer *peer = rt_get_peer(rt, fl4->daddr);
                /*
                 * VJ's idea. We save last timestamp seen from
                 * the destination in peer table, when entering state
@@ -221,8 +226,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        inet->inet_daddr = daddr;
        inet_csk(sk)->icsk_ext_hdr_len = 0;
-        if (inet->opt)
+        if (inet_opt)
-                inet_csk(sk)->icsk_ext_hdr_len = inet->opt->optlen;
+                inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
        tp->rx_opt.mss_clamp = TCP_MSS_DEFAULT;
@@ -236,8 +241,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        if (err)
                goto failure;
-        rt = ip_route_newports(rt, IPPROTO_TCP,
+        rt = ip_route_newports(fl4, rt, orig_sport, orig_dport,
-                               orig_sport, orig_dport,
                               inet->inet_sport, inet->inet_dport, sk);
        if (IS_ERR(rt)) {
                err = PTR_ERR(rt);
@@ -279,7 +283,7 @@ EXPORT_SYMBOL(tcp_v4_connect);
 /*
 * This routine does path mtu discovery as defined in RFC1191.
 */
-static void do_pmtu_discovery(struct sock *sk, struct iphdr *iph, u32 mtu)
+static void do_pmtu_discovery(struct sock *sk, const struct iphdr *iph, u32 mtu)
 {
        struct dst_entry *dst;
        struct inet_sock *inet = inet_sk(sk);
@@ -341,7 +345,7 @@ static void do_pmtu_discovery(struct sock *sk, struct iphdr *iph, u32 mtu)
 void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 {
-        struct iphdr *iph = (struct iphdr *)icmp_skb->data;
+        const struct iphdr *iph = (const struct iphdr *)icmp_skb->data;
        struct tcphdr *th = (struct tcphdr *)(icmp_skb->data + (iph->ihl << 2));
        struct inet_connection_sock *icsk;
        struct tcp_sock *tp;
@@ -647,7 +651,7 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
        arg.flags = (sk && inet_sk(sk)->transparent) ? IP_REPLY_ARG_NOSRCCHECK : 0;
        net = dev_net(skb_dst(skb)->dev);
-        ip_send_reply(net->ipv4.tcp_sock, skb,
+        ip_send_reply(net->ipv4.tcp_sock, skb, ip_hdr(skb)->saddr,
                      &arg, arg.iov[0].iov_len);
        TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
@@ -722,7 +726,7 @@ static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
        if (oif)
                arg.bound_dev_if = oif;
-        ip_send_reply(net->ipv4.tcp_sock, skb,
+        ip_send_reply(net->ipv4.tcp_sock, skb, ip_hdr(skb)->saddr,
                      &arg, arg.iov[0].iov_len);
        TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
@@ -765,11 +769,12 @@ static int tcp_v4_send_synack(struct sock *sk, struct dst_entry *dst,
                              struct request_values *rvp)
 {
        const struct inet_request_sock *ireq = inet_rsk(req);
+        struct flowi4 fl4;
        int err = -1;
        struct sk_buff * skb;
        /* First, grab a route. */
-        if (!dst && (dst = inet_csk_route_req(sk, req)) == NULL)
+        if (!dst && (dst = inet_csk_route_req(sk, &fl4, req)) == NULL)
                return -1;
        skb = tcp_make_synack(sk, dst, req, rvp);
@@ -820,17 +825,18 @@ static void syn_flood_warning(const struct sk_buff *skb)
 /*
 * Save and compile IPv4 options into the request_sock if needed.
 */
-static struct ip_options *tcp_v4_save_options(struct sock *sk,
+static struct ip_options_rcu *tcp_v4_save_options(struct sock *sk,
-                                              struct sk_buff *skb)
+                                                  struct sk_buff *skb)
 {
-        struct ip_options *opt = &(IPCB(skb)->opt);
+        const struct ip_options *opt = &(IPCB(skb)->opt);
-        struct ip_options *dopt = NULL;
+        struct ip_options_rcu *dopt = NULL;
        if (opt && opt->optlen) {
-                int opt_size = optlength(opt);
+                int opt_size = sizeof(*dopt) + opt->optlen;
                dopt = kmalloc(opt_size, GFP_ATOMIC);
                if (dopt) {
-                        if (ip_options_echo(dopt, skb)) {
+                        if (ip_options_echo(&dopt->opt, skb)) {
                                kfree(dopt);
                                dopt = NULL;
                        }
@@ -1333,6 +1339,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
                req->cookie_ts = tmp_opt.tstamp_ok;
        } else if (!isn) {
                struct inet_peer *peer = NULL;
+                struct flowi4 fl4;
                /* VJ's idea. We save last timestamp seen
                 * from the destination in peer table, when entering
@@ -1345,9 +1352,9 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
                 */
                if (tmp_opt.saw_tstamp &&
                    tcp_death_row.sysctl_tw_recycle &&
-                    (dst = inet_csk_route_req(sk, req)) != NULL &&
+                    (dst = inet_csk_route_req(sk, &fl4, req)) != NULL &&
-                    (peer = rt_get_peer((struct rtable *)dst)) != NULL &&
+                    fl4.daddr == saddr &&
-                    peer->daddr.addr.a4 == saddr) {
+                    (peer = rt_get_peer((struct rtable *)dst, fl4.daddr)) != NULL) {
                        inet_peer_refcheck(peer);
                        if ((u32)get_seconds() - peer->tcp_ts_stamp < TCP_PAWS_MSL &&
                            (s32)(peer->tcp_ts - req->ts_recent) >
@@ -1411,19 +1418,16 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 #ifdef CONFIG_TCP_MD5SIG
        struct tcp_md5sig_key *key;
 #endif
+        struct ip_options_rcu *inet_opt;
        if (sk_acceptq_is_full(sk))
                goto exit_overflow;
-        if (!dst && (dst = inet_csk_route_req(sk, req)) == NULL)
-                goto exit;
        newsk = tcp_create_openreq_child(sk, req, skb);
        if (!newsk)
                goto exit_nonewsk;
        newsk->sk_gso_type = SKB_GSO_TCPV4;
-        sk_setup_caps(newsk, dst);
        newtp                 = tcp_sk(newsk);
        newinet               = inet_sk(newsk);
@@ -1431,15 +1435,21 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
        newinet->inet_daddr   = ireq->rmt_addr;
        newinet->inet_rcv_saddr = ireq->loc_addr;
        newinet->inet_saddr           = ireq->loc_addr;
-        newinet->opt          = ireq->opt;
+        inet_opt              = ireq->opt;
+        rcu_assign_pointer(newinet->inet_opt, inet_opt);
        ireq->opt             = NULL;
        newinet->mc_index     = inet_iif(skb);
        newinet->mc_ttl       = ip_hdr(skb)->ttl;
        inet_csk(newsk)->icsk_ext_hdr_len = 0;
-        if (newinet->opt)
+        if (inet_opt)
-                inet_csk(newsk)->icsk_ext_hdr_len = newinet->opt->optlen;
+                inet_csk(newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
        newinet->inet_id = newtp->write_seq ^ jiffies;
+        if (!dst && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL)
+                goto put_and_exit;
+        sk_setup_caps(newsk, dst);
        tcp_mtup_init(newsk);
        tcp_sync_mss(newsk, dst_mtu(dst));
        newtp->advmss = dst_metric_advmss(dst);
@@ -1467,10 +1477,8 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
        }
 #endif
-        if (__inet_inherit_port(sk, newsk) < 0) {
+        if (__inet_inherit_port(sk, newsk) < 0)
-                sock_put(newsk);
+                goto put_and_exit;
-                goto exit;
-        }
        __inet_hash_nolisten(newsk, NULL);
        return newsk;
@@ -1482,6 +1490,9 @@ exit_nonewsk:
 exit:
        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
        return NULL;
+put_and_exit:
+        sock_put(newsk);
+        goto exit;
 }
 EXPORT_SYMBOL(tcp_v4_syn_recv_sock);
@@ -1578,6 +1589,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
                        goto discard;
                if (nsk != sk) {
+                        sock_rps_save_rxhash(nsk, skb->rxhash);
                        if (tcp_child_process(sk, nsk, skb)) {
                                rsk = nsk;
                                goto reset;
@@ -1764,12 +1776,13 @@ struct inet_peer *tcp_v4_get_peer(struct sock *sk, bool *release_it)
        struct inet_sock *inet = inet_sk(sk);
        struct inet_peer *peer;
-        if (!rt || rt->rt_dst != inet->inet_daddr) {
+        if (!rt ||
+            inet->cork.fl.u.ip4.daddr != inet->inet_daddr) {
                peer = inet_getpeer_v4(inet->inet_daddr, 1);
                *release_it = true;
        } else {
                if (!rt->peer)
-                        rt_bind_peer(rt, 1);
+                        rt_bind_peer(rt, inet->inet_daddr, 1);
                peer = rt->peer;
                *release_it = false;
        }
@@ -2359,7 +2372,7 @@ static void get_openreq4(struct sock *sk, struct request_sock *req,
        int ttd = req->expires - jiffies;
        seq_printf(f, "%4d: %08X:%04X %08X:%04X"
-                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %p%n",
+                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %pK%n",
                i,
                ireq->loc_addr,
                ntohs(inet_sk(sk)->inet_sport),
@@ -2414,7 +2427,7 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len)
                rx_queue = max_t(int, tp->rcv_nxt - tp->copied_seq, 0);
        seq_printf(f, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX "
-                        "%08X %5d %8d %lu %d %p %lu %lu %u %u %d%n",
+                        "%08X %5d %8d %lu %d %pK %lu %lu %u %u %d%n",
                i, src, srcp, dest, destp, sk->sk_state,
                tp->write_seq - tp->snd_una,
                rx_queue,
@@ -2449,7 +2462,7 @@ static void get_timewait4_sock(struct inet_timewait_sock *tw,
        srcp  = ntohs(tw->tw_sport);
        seq_printf(f, "%4d: %08X:%04X %08X:%04X"
-                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
+                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
                i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
                3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
                atomic_read(&tw->tw_refcnt), tw, len);
@@ -2527,7 +2540,7 @@ void tcp4_proc_exit(void)
 struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 {
-        struct iphdr *iph = skb_gro_network_header(skb);
+        const struct iphdr *iph = skb_gro_network_header(skb);
        switch (skb->ip_summed) {
        case CHECKSUM_COMPLETE:
@@ -2548,7 +2561,7 @@ struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 int tcp4_gro_complete(struct sk_buff *skb)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        struct tcphdr *th = tcp_hdr(skb);
        th->check = ~tcp_v4_check(skb->len - skb_transport_offset(skb),
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 17388c7f49c4..882e0b0964d0 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -899,7 +899,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
                TCP_ADD_STATS(sock_net(sk), TCP_MIB_OUTSEGS,
                              tcp_skb_pcount(skb));
-        err = icsk->icsk_af_ops->queue_xmit(skb);
+        err = icsk->icsk_af_ops->queue_xmit(skb, &inet->cork.fl);
        if (likely(err <= 0))
                return err;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index f87a8eb76f3b..198f75b7bdd3 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -578,7 +578,7 @@ found:
 void __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable)
 {
        struct inet_sock *inet;
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct udphdr *uh = (struct udphdr *)(skb->data+(iph->ihl<<2));
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
@@ -706,12 +706,11 @@ static void udp4_hwcsum(struct sk_buff *skb, __be32 src, __be32 dst)
        }
 }
-static int udp_send_skb(struct sk_buff *skb, __be32 daddr, __be32 dport)
+static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)
 {
        struct sock *sk = skb->sk;
        struct inet_sock *inet = inet_sk(sk);
        struct udphdr *uh;
-        struct rtable *rt = (struct rtable *)skb_dst(skb);
        int err = 0;
        int is_udplite = IS_UDPLITE(sk);
        int offset = skb_transport_offset(skb);
@@ -723,7 +722,7 @@ static int udp_send_skb(struct sk_buff *skb, __be32 daddr, __be32 dport)
         */
        uh = udp_hdr(skb);
        uh->source = inet->inet_sport;
-        uh->dest = dport;
+        uh->dest = fl4->fl4_dport;
        uh->len = htons(len);
        uh->check = 0;
@@ -737,14 +736,14 @@ static int udp_send_skb(struct sk_buff *skb, __be32 daddr, __be32 dport)
        } else if (skb->ip_summed == CHECKSUM_PARTIAL) { /* UDP hardware csum */
-                udp4_hwcsum(skb, rt->rt_src, daddr);
+                udp4_hwcsum(skb, fl4->saddr, fl4->daddr);
                goto send;
        } else
                csum = udp_csum(skb);
        /* add protocol-dependent pseudo-header */
-        uh->check = csum_tcpudp_magic(rt->rt_src, daddr, len,
+        uh->check = csum_tcpudp_magic(fl4->saddr, fl4->daddr, len,
                                      sk->sk_protocol, csum);
        if (uh->check == 0)
                uh->check = CSUM_MANGLED_0;
@@ -774,11 +773,11 @@ static int udp_push_pending_frames(struct sock *sk)
        struct sk_buff *skb;
        int err = 0;
-        skb = ip_finish_skb(sk);
+        skb = ip_finish_skb(sk, fl4);
        if (!skb)
                goto out;
-        err = udp_send_skb(skb, fl4->daddr, fl4->fl4_dport);
+        err = udp_send_skb(skb, fl4);
 out:
        up->len = 0;
@@ -791,6 +790,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 {
        struct inet_sock *inet = inet_sk(sk);
        struct udp_sock *up = udp_sk(sk);
+        struct flowi4 fl4_stack;
        struct flowi4 *fl4;
        int ulen = len;
        struct ipcm_cookie ipc;
@@ -804,6 +804,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
        int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
        struct sk_buff *skb;
+        struct ip_options_data opt_copy;
        if (len > 0xFFFF)
                return -EMSGSIZE;
@@ -820,6 +821,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        getfrag = is_udplite ? udplite_getfrag : ip_generic_getfrag;
+        fl4 = &inet->cork.fl.u.ip4;
        if (up->pending) {
                /*
                 * There are pending frames.
@@ -877,22 +879,32 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                        free = 1;
                connected = 0;
        }
-        if (!ipc.opt)
+        if (!ipc.opt) {
-                ipc.opt = inet->opt;
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
+                if (inet_opt) {
+                        memcpy(&opt_copy, inet_opt,
+                               sizeof(*inet_opt) + inet_opt->opt.optlen);
+                        ipc.opt = &opt_copy.opt;
+                }
+                rcu_read_unlock();
+        }
        saddr = ipc.addr;
        ipc.addr = faddr = daddr;
-        if (ipc.opt && ipc.opt->srr) {
+        if (ipc.opt && ipc.opt->opt.srr) {
                if (!daddr)
                        return -EINVAL;
-                faddr = ipc.opt->faddr;
+                faddr = ipc.opt->opt.faddr;
                connected = 0;
        }
        tos = RT_TOS(inet->tos);
        if (sock_flag(sk, SOCK_LOCALROUTE) ||
            (msg->msg_flags & MSG_DONTROUTE) ||
-            (ipc.opt && ipc.opt->is_strictroute)) {
+            (ipc.opt && ipc.opt->opt.is_strictroute)) {
                tos |= RTO_ONLINK;
                connected = 0;
        }
@@ -909,22 +921,16 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                rt = (struct rtable *)sk_dst_check(sk, 0);
        if (rt == NULL) {
-                struct flowi4 fl4 = {
-                        .flowi4_oif = ipc.oif,
-                        .flowi4_mark = sk->sk_mark,
-                        .daddr = faddr,
-                        .saddr = saddr,
-                        .flowi4_tos = tos,
-                        .flowi4_proto = sk->sk_protocol,
-                        .flowi4_flags = (inet_sk_flowi_flags(sk) |
-                                         FLOWI_FLAG_CAN_SLEEP),
-                        .fl4_sport = inet->inet_sport,
-                        .fl4_dport = dport,
-                };
                struct net *net = sock_net(sk);
-                security_sk_classify_flow(sk, flowi4_to_flowi(&fl4));
+                fl4 = &fl4_stack;
-                rt = ip_route_output_flow(net, &fl4, sk);
+                flowi4_init_output(fl4, ipc.oif, sk->sk_mark, tos,
+                                   RT_SCOPE_UNIVERSE, sk->sk_protocol,
+                                   inet_sk_flowi_flags(sk)|FLOWI_FLAG_CAN_SLEEP,
+                                   faddr, saddr, dport, inet->inet_sport);
+                security_sk_classify_flow(sk, flowi4_to_flowi(fl4));
+                rt = ip_route_output_flow(net, fl4, sk);
                if (IS_ERR(rt)) {
                        err = PTR_ERR(rt);
                        rt = NULL;
@@ -945,18 +951,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                goto do_confirm;
 back_from_confirm:
-        saddr = rt->rt_src;
+        saddr = fl4->saddr;
        if (!ipc.addr)
-                daddr = ipc.addr = rt->rt_dst;
+                daddr = ipc.addr = fl4->daddr;
        /* Lockless fast path for the non-corking case. */
        if (!corkreq) {
-                skb = ip_make_skb(sk, getfrag, msg->msg_iov, ulen,
+                skb = ip_make_skb(sk, fl4, getfrag, msg->msg_iov, ulen,
                                  sizeof(struct udphdr), &ipc, &rt,
                                  msg->msg_flags);
                err = PTR_ERR(skb);
                if (skb && !IS_ERR(skb))
-                        err = udp_send_skb(skb, daddr, dport);
+                        err = udp_send_skb(skb, fl4);
                goto out;
        }
@@ -982,9 +988,9 @@ back_from_confirm:
 do_append_data:
        up->len += ulen;
-        err = ip_append_data(sk, getfrag, msg->msg_iov, ulen,
+        err = ip_append_data(sk, fl4, getfrag, msg->msg_iov, ulen,
-                        sizeof(struct udphdr), &ipc, &rt,
+                             sizeof(struct udphdr), &ipc, &rt,
-                        corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags);
+                             corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags);
        if (err)
                udp_flush_pending_frames(sk);
        else if (!corkreq)
@@ -1024,6 +1030,7 @@ EXPORT_SYMBOL(udp_sendmsg);
 int udp_sendpage(struct sock *sk, struct page *page, int offset,
                 size_t size, int flags)
 {
+        struct inet_sock *inet = inet_sk(sk);
        struct udp_sock *up = udp_sk(sk);
        int ret;
@@ -1048,7 +1055,8 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset,
                return -EINVAL;
        }
-        ret = ip_append_page(sk, page, offset, size, flags);
+        ret = ip_append_page(sk, &inet->cork.fl.u.ip4,
+                             page, offset, size, flags);
        if (ret == -EOPNOTSUPP) {
                release_sock(sk);
                return sock_no_sendpage(sk->sk_socket, page, offset,
@@ -1241,6 +1249,9 @@ csum_copy_err:
        if (noblock)
                return -EAGAIN;
+        /* starting over for a new packet */
+        msg->msg_flags &= ~MSG_TRUNC;
        goto try_again;
 }
@@ -2082,7 +2093,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
        __u16 srcp        = ntohs(inet->inet_sport);
        seq_printf(f, "%5d: %08X:%04X %08X:%04X"
-                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d%n",
+                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d%n",
                bucket, src, srcp, dest, destp, sp->sk_state,
                sk_wmem_alloc_get(sp),
                sk_rmem_alloc_get(sp),
@@ -2198,16 +2209,10 @@ void __init udp_table_init(struct udp_table *table, const char *name)
 void __init udp_init(void)
 {
-        unsigned long nr_pages, limit;
+        unsigned long limit;
        udp_table_init(&udp_table, "UDP");
-        /* Set the pressure threshold up by the same strategy of TCP. It is a
+        limit = nr_free_buffer_pages() / 8;
-         * fraction of global memory that is up to 1/2 at 256 MB, decreasing
-         * toward zero with the amount of memory, with a floor of 128 pages.
-         */
-        nr_pages = totalram_pages - totalhigh_pages;
-        limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
-        limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
        limit = max(limit, 128UL);
        sysctl_udp_mem[0] = limit / 4 * 3;
        sysctl_udp_mem[1] = limit;
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 2d51840e53a1..327a617d594c 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -32,7 +32,12 @@ static int xfrm4_tunnel_check_size(struct sk_buff *skb)
        dst = skb_dst(skb);
        mtu = dst_mtu(dst);
        if (skb->len > mtu) {
-                icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
+                if (skb->sk)
+                        ip_local_error(skb->sk, EMSGSIZE, ip_hdr(skb)->daddr,
+                                       inet_sk(skb->sk)->inet_dport, mtu);
+                else
+                        icmp_send(skb, ICMP_DEST_UNREACH,
+                                  ICMP_FRAG_NEEDED, htonl(mtu));
                ret = -EMSGSIZE;
        }
 out:
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index d20a05e970d8..981e43eaf704 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -18,38 +18,46 @@
 static struct xfrm_policy_afinfo xfrm4_policy_afinfo;
-static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos,
+static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4,
-                                          const xfrm_address_t *saddr,
+                                            int tos,
-                                          const xfrm_address_t *daddr)
+                                            const xfrm_address_t *saddr,
+                                            const xfrm_address_t *daddr)
 {
-        struct flowi4 fl4 = {
-                .daddr = daddr->a4,
-                .flowi4_tos = tos,
-        };
        struct rtable *rt;
+        memset(fl4, 0, sizeof(*fl4));
+        fl4->daddr = daddr->a4;
+        fl4->flowi4_tos = tos;
        if (saddr)
-                fl4.saddr = saddr->a4;
+                fl4->saddr = saddr->a4;
-        rt = __ip_route_output_key(net, &fl4);
+        rt = __ip_route_output_key(net, fl4);
        if (!IS_ERR(rt))
                return &rt->dst;
        return ERR_CAST(rt);
 }
+static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos,
+                                          const xfrm_address_t *saddr,
+                                          const xfrm_address_t *daddr)
+{
+        struct flowi4 fl4;
+        return __xfrm4_dst_lookup(net, &fl4, tos, saddr, daddr);
+}
 static int xfrm4_get_saddr(struct net *net,
                           xfrm_address_t *saddr, xfrm_address_t *daddr)
 {
        struct dst_entry *dst;
-        struct rtable *rt;
+        struct flowi4 fl4;
-        dst = xfrm4_dst_lookup(net, 0, NULL, daddr);
+        dst = __xfrm4_dst_lookup(net, &fl4, 0, NULL, daddr);
        if (IS_ERR(dst))
                return -EHOSTUNREACH;
-        rt = (struct rtable *)dst;
+        saddr->a4 = fl4.saddr;
-        saddr->a4 = rt->rt_src;
        dst_release(dst);
        return 0;
 }
@@ -73,7 +81,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
        rt->rt_key_dst = fl4->daddr;
        rt->rt_key_src = fl4->saddr;
-        rt->rt_tos = fl4->flowi4_tos;
+        rt->rt_key_tos = fl4->flowi4_tos;
        rt->rt_route_iif = fl4->flowi4_iif;
        rt->rt_iif = fl4->flowi4_iif;
        rt->rt_oif = fl4->flowi4_oif;
@@ -102,7 +110,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
 static void
 _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
        struct flowi4 *fl4 = &fl->u.ip4;
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 805d63ef4340..d9ac0a0058b5 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -55,7 +55,7 @@ xfrm4_init_temprop(struct xfrm_state *x, const struct xfrm_tmpl *tmpl,
 int xfrm4_extract_header(struct sk_buff *skb)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        XFRM_MODE_SKB_CB(skb)->ihl = sizeof(*iph);
        XFRM_MODE_SKB_CB(skb)->id = iph->id;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index a7bda0757053..498b927f68be 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -289,19 +289,19 @@ static int snmp6_alloc_dev(struct inet6_dev *idev)
                          sizeof(struct ipstats_mib),
                          __alignof__(struct ipstats_mib)) < 0)
                goto err_ip;
-        if (snmp_mib_init((void __percpu **)idev->stats.icmpv6,
+        idev->stats.icmpv6dev = kzalloc(sizeof(struct icmpv6_mib_device),
-                          sizeof(struct icmpv6_mib),
+                                        GFP_KERNEL);
-                          __alignof__(struct icmpv6_mib)) < 0)
+        if (!idev->stats.icmpv6dev)
                goto err_icmp;
-        if (snmp_mib_init((void __percpu **)idev->stats.icmpv6msg,
+        idev->stats.icmpv6msgdev = kzalloc(sizeof(struct icmpv6msg_mib_device),
-                          sizeof(struct icmpv6msg_mib),
+                                           GFP_KERNEL);
-                          __alignof__(struct icmpv6msg_mib)) < 0)
+        if (!idev->stats.icmpv6msgdev)
                goto err_icmpmsg;
        return 0;
 err_icmpmsg:
-        snmp_mib_free((void __percpu **)idev->stats.icmpv6);
+        kfree(idev->stats.icmpv6dev);
 err_icmp:
        snmp_mib_free((void __percpu **)idev->stats.ipv6);
 err_ip:
@@ -310,19 +310,13 @@ err_ip:
 static void snmp6_free_dev(struct inet6_dev *idev)
 {
-        snmp_mib_free((void __percpu **)idev->stats.icmpv6msg);
+        kfree(idev->stats.icmpv6msgdev);
-        snmp_mib_free((void __percpu **)idev->stats.icmpv6);
+        kfree(idev->stats.icmpv6dev);
        snmp_mib_free((void __percpu **)idev->stats.ipv6);
 }
 /* Nobody refers to this device, we may destroy it. */
-static void in6_dev_finish_destroy_rcu(struct rcu_head *head)
-{
-        struct inet6_dev *idev = container_of(head, struct inet6_dev, rcu);
-        kfree(idev);
-}
 void in6_dev_finish_destroy(struct inet6_dev *idev)
 {
        struct net_device *dev = idev->dev;
@@ -339,7 +333,7 @@ void in6_dev_finish_destroy(struct inet6_dev *idev)
                return;
        }
        snmp6_free_dev(idev);
-        call_rcu(&idev->rcu, in6_dev_finish_destroy_rcu);
+        kfree_rcu(idev, rcu);
 }
 EXPORT_SYMBOL(in6_dev_finish_destroy);
@@ -535,12 +529,6 @@ static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int old)
 }
 #endif
-static void inet6_ifa_finish_destroy_rcu(struct rcu_head *head)
-{
-        struct inet6_ifaddr *ifp = container_of(head, struct inet6_ifaddr, rcu);
-        kfree(ifp);
-}
 /* Nobody refers to this ifaddr, destroy it */
 void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp)
 {
@@ -561,7 +549,7 @@ void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp)
        }
        dst_release(&ifp->rt->dst);
-        call_rcu(&ifp->rcu, inet6_ifa_finish_destroy_rcu);
+        kfree_rcu(ifp, rcu);
 }
 static void
@@ -825,6 +813,8 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
                dst_release(&rt->dst);
        }
+        /* clean up prefsrc entries */
+        rt6_remove_prefsrc(ifp);
 out:
        in6_ifa_put(ifp);
 }
@@ -1281,7 +1271,7 @@ static int ipv6_count_addresses(struct inet6_dev *idev)
        return cnt;
 }
-int ipv6_chk_addr(struct net *net, struct in6_addr *addr,
+int ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
                  struct net_device *dev, int strict)
 {
        struct inet6_ifaddr *ifp;
@@ -1324,7 +1314,7 @@ static bool ipv6_chk_same_addr(struct net *net, const struct in6_addr *addr,
        return false;
 }
-int ipv6_chk_prefix(struct in6_addr *addr, struct net_device *dev)
+int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev)
 {
        struct inet6_dev *idev;
        struct inet6_ifaddr *ifa;
@@ -1455,7 +1445,7 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp)
 /* Join to solicited addr multicast group. */
-void addrconf_join_solict(struct net_device *dev, struct in6_addr *addr)
+void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr)
 {
        struct in6_addr maddr;
@@ -1466,7 +1456,7 @@ void addrconf_join_solict(struct net_device *dev, struct in6_addr *addr)
        ipv6_dev_mc_inc(dev, &maddr);
 }
-void addrconf_leave_solict(struct inet6_dev *idev, struct in6_addr *addr)
+void addrconf_leave_solict(struct inet6_dev *idev, const struct in6_addr *addr)
 {
        struct in6_addr maddr;
@@ -2111,7 +2101,7 @@ err_exit:
 /*
 *      Manual configuration of address on an interface
 */
-static int inet6_addr_add(struct net *net, int ifindex, struct in6_addr *pfx,
+static int inet6_addr_add(struct net *net, int ifindex, const struct in6_addr *pfx,
                          unsigned int plen, __u8 ifa_flags, __u32 prefered_lft,
                          __u32 valid_lft)
 {
@@ -2185,7 +2175,7 @@ static int inet6_addr_add(struct net *net, int ifindex, struct in6_addr *pfx,
        return PTR_ERR(ifp);
 }
-static int inet6_addr_del(struct net *net, int ifindex, struct in6_addr *pfx,
+static int inet6_addr_del(struct net *net, int ifindex, const struct in6_addr *pfx,
                          unsigned int plen)
 {
        struct inet6_ifaddr *ifp;
@@ -2348,7 +2338,7 @@ static void init_loopback(struct net_device *dev)
        add_addr(idev, &in6addr_loopback, 128, IFA_HOST);
 }
-static void addrconf_add_linklocal(struct inet6_dev *idev, struct in6_addr *addr)
+static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr *addr)
 {
        struct inet6_ifaddr * ifp;
        u32 addr_flags = IFA_F_PERMANENT;
@@ -3119,7 +3109,7 @@ void if6_proc_exit(void)
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
 /* Check if address is a home address configured on any interface. */
-int ipv6_chk_home_addr(struct net *net, struct in6_addr *addr)
+int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr)
 {
        int ret = 0;
        struct inet6_ifaddr *ifp = NULL;
@@ -3836,7 +3826,7 @@ static inline size_t inet6_if_nlmsg_size(void)
               + nla_total_size(inet6_ifla6_size()); /* IFLA_PROTINFO */
 }
-static inline void __snmp6_fill_stats(u64 *stats, void __percpu **mib,
+static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_t *mib,
                                      int items, int bytes)
 {
        int i;
@@ -3846,7 +3836,7 @@ static inline void __snmp6_fill_stats(u64 *stats, void __percpu **mib,
        /* Use put_unaligned() because stats may not be aligned for u64. */
        put_unaligned(items, &stats[0]);
        for (i = 1; i < items; i++)
-                put_unaligned(snmp_fold_field(mib, i), &stats[i]);
+                put_unaligned(atomic_long_read(&mib[i]), &stats[i]);
        memset(&stats[items], 0, pad);
 }
@@ -3875,7 +3865,7 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype,
                                     IPSTATS_MIB_MAX, bytes, offsetof(struct ipstats_mib, syncp));
                break;
        case IFLA_INET6_ICMP6STATS:
-                __snmp6_fill_stats(stats, (void __percpu **)idev->stats.icmpv6, ICMP6_MIB_MAX, bytes);
+                __snmp6_fill_statsdev(stats, idev->stats.icmpv6dev->mibs, ICMP6_MIB_MAX, bytes);
                break;
        }
 }
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index afcc7099f96d..3b5669a2582d 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -272,6 +272,10 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        if (addr_len < SIN6_LEN_RFC2133)
                return -EINVAL;
+        if (addr->sin6_family != AF_INET6)
+                return -EAFNOSUPPORT;
        addr_type = ipv6_addr_type(&addr->sin6_addr);
        if ((addr_type & IPV6_ADDR_MULTICAST) && sock->type == SOCK_STREAM)
                return -EINVAL;
@@ -740,7 +744,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto)
 static int ipv6_gso_send_check(struct sk_buff *skb)
 {
-        struct ipv6hdr *ipv6h;
+        const struct ipv6hdr *ipv6h;
        const struct inet6_protocol *ops;
        int err = -EINVAL;
diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c
index 0e5e943446f0..674255f5e6b7 100644
--- a/net/ipv6/anycast.c
+++ b/net/ipv6/anycast.c
@@ -44,7 +44,7 @@
 #include <net/checksum.h>
-static int ipv6_dev_ac_dec(struct net_device *dev, struct in6_addr *addr);
+static int ipv6_dev_ac_dec(struct net_device *dev, const struct in6_addr *addr);
 /* Big ac list lock for all the sockets */
 static DEFINE_RWLOCK(ipv6_sk_ac_lock);
@@ -54,7 +54,7 @@ static DEFINE_RWLOCK(ipv6_sk_ac_lock);
 *      socket join an anycast group
 */
-int ipv6_sock_ac_join(struct sock *sk, int ifindex, struct in6_addr *addr)
+int ipv6_sock_ac_join(struct sock *sk, int ifindex, const struct in6_addr *addr)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct net_device *dev = NULL;
@@ -145,7 +145,7 @@ error:
 /*
 *      socket leave an anycast group
 */
-int ipv6_sock_ac_drop(struct sock *sk, int ifindex, struct in6_addr *addr)
+int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct net_device *dev;
@@ -252,7 +252,7 @@ static void aca_put(struct ifacaddr6 *ac)
 /*
 *      device anycast group inc (add if not found)
 */
-int ipv6_dev_ac_inc(struct net_device *dev, struct in6_addr *addr)
+int ipv6_dev_ac_inc(struct net_device *dev, const struct in6_addr *addr)
 {
        struct ifacaddr6 *aca;
        struct inet6_dev *idev;
@@ -324,7 +324,7 @@ out:
 /*
 *      device anycast group decrement
 */
-int __ipv6_dev_ac_dec(struct inet6_dev *idev, struct in6_addr *addr)
+int __ipv6_dev_ac_dec(struct inet6_dev *idev, const struct in6_addr *addr)
 {
        struct ifacaddr6 *aca, *prev_aca;
@@ -358,7 +358,7 @@ int __ipv6_dev_ac_dec(struct inet6_dev *idev, struct in6_addr *addr)
 }
 /* called with rcu_read_lock() */
-static int ipv6_dev_ac_dec(struct net_device *dev, struct in6_addr *addr)
+static int ipv6_dev_ac_dec(struct net_device *dev, const struct in6_addr *addr)
 {
        struct inet6_dev *idev = __in6_dev_get(dev);
@@ -371,7 +371,7 @@ static int ipv6_dev_ac_dec(struct net_device *dev, struct in6_addr *addr)
 *      check if the interface has this anycast address
 *      called with rcu_read_lock()
 */
-static int ipv6_chk_acast_dev(struct net_device *dev, struct in6_addr *addr)
+static int ipv6_chk_acast_dev(struct net_device *dev, const struct in6_addr *addr)
 {
        struct inet6_dev *idev;
        struct ifacaddr6 *aca;
@@ -392,7 +392,7 @@ static int ipv6_chk_acast_dev(struct net_device *dev, struct in6_addr *addr)
 *      check if given interface (or any, if dev==0) has this anycast address
 */
 int ipv6_chk_acast_addr(struct net *net, struct net_device *dev,
-                        struct in6_addr *addr)
+                        const struct in6_addr *addr)
 {
        int found = 0;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 59dccfbb5b11..1ac7938dd9ec 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -430,7 +430,7 @@ static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                     u8 type, u8 code, int offset, __be32 info)
 {
        struct net *net = dev_net(skb->dev);
-        struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
        struct ip_esp_hdr *esph = (struct ip_esp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
@@ -438,7 +438,8 @@ static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
            type != ICMPV6_PKT_TOOBIG)
                return;
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, esph->spi, IPPROTO_ESP, AF_INET6);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              esph->spi, IPPROTO_ESP, AF_INET6);
        if (!x)
                return;
        printk(KERN_DEBUG "pmtu discovery on SA ESP/%08x/%pI6\n",
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 83cb4f9add81..11900417b1cc 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -372,7 +372,7 @@ void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
        struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct sock *sk;
        struct ipv6_pinfo *np;
-        struct in6_addr *saddr = NULL;
+        const struct in6_addr *saddr = NULL;
        struct dst_entry *dst;
        struct icmp6hdr tmp_hdr;
        struct flowi6 fl6;
@@ -521,7 +521,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
        struct sock *sk;
        struct inet6_dev *idev;
        struct ipv6_pinfo *np;
-        struct in6_addr *saddr = NULL;
+        const struct in6_addr *saddr = NULL;
        struct icmp6hdr *icmph = icmp6_hdr(skb);
        struct icmp6hdr tmp_hdr;
        struct flowi6 fl6;
@@ -645,8 +645,8 @@ static int icmpv6_rcv(struct sk_buff *skb)
 {
        struct net_device *dev = skb->dev;
        struct inet6_dev *idev = __in6_dev_get(dev);
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
-        struct ipv6hdr *orig_hdr;
+        const struct ipv6hdr *orig_hdr;
        struct icmp6hdr *hdr;
        u8 type;
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index f2c5b0fc0f21..8a58e8cf6646 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -203,7 +203,7 @@ struct dst_entry *__inet6_csk_dst_check(struct sock *sk, u32 cookie)
        return dst;
 }
-int inet6_csk_xmit(struct sk_buff *skb)
+int inet6_csk_xmit(struct sk_buff *skb, struct flowi *fl_unused)
 {
        struct sock *sk = skb->sk;
        struct inet_sock *inet = inet_sk(sk);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 7548905e79e1..4076a0b14b20 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -134,9 +134,9 @@ static __inline__ u32 fib6_new_sernum(void)
 # define BITOP_BE32_SWIZZLE     0
 #endif
-static __inline__ __be32 addr_bit_set(void *token, int fn_bit)
+static __inline__ __be32 addr_bit_set(const void *token, int fn_bit)
 {
-        __be32 *addr = token;
+        const __be32 *addr = token;
        /*
         * Here,
         *      1 << ((~fn_bit ^ BITOP_BE32_SWIZZLE) & 0x1f)
@@ -394,10 +394,11 @@ static int inet6_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
        arg.net = net;
        w->args = &arg;
+        rcu_read_lock();
        for (h = s_h; h < FIB6_TABLE_HASHSZ; h++, s_e = 0) {
                e = 0;
                head = &net->ipv6.fib_table_hash[h];
-                hlist_for_each_entry(tb, node, head, tb6_hlist) {
+                hlist_for_each_entry_rcu(tb, node, head, tb6_hlist) {
                        if (e < s_e)
                                goto next;
                        res = fib6_dump_table(tb, skb, cb);
@@ -408,6 +409,7 @@ next:
                }
        }
 out:
+        rcu_read_unlock();
        cb->args[1] = e;
        cb->args[0] = h;
@@ -822,7 +824,7 @@ st_failure:
 struct lookup_args {
        int             offset;         /* key offset on rt6_info       */
-        struct in6_addr *addr;          /* search key                   */
+        const struct in6_addr   *addr;          /* search key                   */
 };
 static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
@@ -881,8 +883,8 @@ static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
        return NULL;
 }
-struct fib6_node * fib6_lookup(struct fib6_node *root, struct in6_addr *daddr,
+struct fib6_node * fib6_lookup(struct fib6_node *root, const struct in6_addr *daddr,
-                               struct in6_addr *saddr)
+                               const struct in6_addr *saddr)
 {
        struct fib6_node *fn;
        struct lookup_args args[] = {
@@ -916,7 +918,7 @@ struct fib6_node * fib6_lookup(struct fib6_node *root, struct in6_addr *daddr,
 static struct fib6_node * fib6_locate_1(struct fib6_node *root,
-                                        struct in6_addr *addr,
+                                        const struct in6_addr *addr,
                                        int plen, int offset)
 {
        struct fib6_node *fn;
@@ -946,8 +948,8 @@ static struct fib6_node * fib6_locate_1(struct fib6_node *root,
 }
 struct fib6_node * fib6_locate(struct fib6_node *root,
-                               struct in6_addr *daddr, int dst_len,
+                               const struct in6_addr *daddr, int dst_len,
-                               struct in6_addr *saddr, int src_len)
+                               const struct in6_addr *saddr, int src_len)
 {
        struct fib6_node *fn;
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index a83e9209cecc..027c7ff6f1e5 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -57,7 +57,7 @@ inline int ip6_rcv_finish( struct sk_buff *skb)
 int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
 {
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        u32             pkt_len;
        struct inet6_dev *idev;
        struct net *net = dev_net(skb->dev);
@@ -186,7 +186,7 @@ resubmit:
                int ret;
                if (ipprot->flags & INET6_PROTO_FINAL) {
-                        struct ipv6hdr *hdr;
+                        const struct ipv6hdr *hdr;
                        /* Free reference early: we don't need it any more,
                           and it may hold ip_conntrack module loaded
@@ -242,7 +242,7 @@ int ip6_input(struct sk_buff *skb)
 int ip6_mc_input(struct sk_buff *skb)
 {
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        int deliver;
        IP6_UPD_PO_STATS_BH(dev_net(skb_dst(skb)->dev),
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 46cf7bea6769..9d4b165837d6 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -869,9 +869,9 @@ fail:
        return err;
 }
-static inline int ip6_rt_check(struct rt6key *rt_key,
+static inline int ip6_rt_check(const struct rt6key *rt_key,
-                               struct in6_addr *fl_addr,
+                               const struct in6_addr *fl_addr,
-                               struct in6_addr *addr_cache)
+                               const struct in6_addr *addr_cache)
 {
        return (rt_key->plen != 128 || !ipv6_addr_equal(fl_addr, &rt_key->addr)) &&
                (addr_cache == NULL || !ipv6_addr_equal(fl_addr, addr_cache));
@@ -879,7 +879,7 @@ static inline int ip6_rt_check(struct rt6key *rt_key,
 static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
                                          struct dst_entry *dst,
-                                          struct flowi6 *fl6)
+                                          const struct flowi6 *fl6)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct rt6_info *rt = (struct rt6_info *)dst;
@@ -930,10 +930,10 @@ static int ip6_dst_lookup_tail(struct sock *sk,
                goto out_err_release;
        if (ipv6_addr_any(&fl6->saddr)) {
-                err = ipv6_dev_get_saddr(net, ip6_dst_idev(*dst)->dev,
+                struct rt6_info *rt = (struct rt6_info *) *dst;
-                                         &fl6->daddr,
+                err = ip6_route_get_saddr(net, rt, &fl6->daddr,
-                                         sk ? inet6_sk(sk)->srcprefs : 0,
+                                          sk ? inet6_sk(sk)->srcprefs : 0,
-                                         &fl6->saddr);
+                                          &fl6->saddr);
                if (err)
                        goto out_err_release;
        }
@@ -1150,6 +1150,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
 {
        struct inet_sock *inet = inet_sk(sk);
        struct ipv6_pinfo *np = inet6_sk(sk);
+        struct inet_cork *cork;
        struct sk_buff *skb;
        unsigned int maxfraglen, fragheaderlen;
        int exthdrlen;
@@ -1163,6 +1164,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        if (flags&MSG_PROBE)
                return 0;
+        cork = &inet->cork.base;
        if (skb_queue_empty(&sk->sk_write_queue)) {
                /*
                 * setup for corking
@@ -1202,7 +1204,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                        /* need source address above miyazawa*/
                }
                dst_hold(&rt->dst);
-                inet->cork.dst = &rt->dst;
+                cork->dst = &rt->dst;
                inet->cork.fl.u.ip6 = *fl6;
                np->cork.hop_limit = hlimit;
                np->cork.tclass = tclass;
@@ -1212,10 +1214,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                        if (np->frag_size)
                                mtu = np->frag_size;
                }
-                inet->cork.fragsize = mtu;
+                cork->fragsize = mtu;
                if (dst_allfrag(rt->dst.path))
-                        inet->cork.flags |= IPCORK_ALLFRAG;
+                        cork->flags |= IPCORK_ALLFRAG;
-                inet->cork.length = 0;
+                cork->length = 0;
                sk->sk_sndmsg_page = NULL;
                sk->sk_sndmsg_off = 0;
                exthdrlen = rt->dst.header_len + (opt ? opt->opt_flen : 0) -
@@ -1223,12 +1225,12 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                length += exthdrlen;
                transhdrlen += exthdrlen;
        } else {
-                rt = (struct rt6_info *)inet->cork.dst;
+                rt = (struct rt6_info *)cork->dst;
                fl6 = &inet->cork.fl.u.ip6;
                opt = np->cork.opt;
                transhdrlen = 0;
                exthdrlen = 0;
-                mtu = inet->cork.fragsize;
+                mtu = cork->fragsize;
        }
        hh_len = LL_RESERVED_SPACE(rt->dst.dev);
@@ -1238,7 +1240,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr);
        if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
-                if (inet->cork.length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
+                if (cork->length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
                        ipv6_local_error(sk, EMSGSIZE, fl6, mtu-exthdrlen);
                        return -EMSGSIZE;
                }
@@ -1267,7 +1269,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
         * --yoshfuji
         */
-        inet->cork.length += length;
+        cork->length += length;
        if (length > mtu) {
                int proto = sk->sk_protocol;
                if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
@@ -1292,7 +1294,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        while (length > 0) {
                /* Check if the remaining data fits into current packet. */
-                copy = (inet->cork.length <= mtu && !(inet->cork.flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - skb->len;
+                copy = (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - skb->len;
                if (copy < length)
                        copy = maxfraglen - skb->len;
@@ -1317,7 +1319,7 @@ alloc_new_skb:
                         * we know we need more fragment(s).
                         */
                        datalen = length + fraggap;
-                        if (datalen > (inet->cork.length <= mtu && !(inet->cork.flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
+                        if (datalen > (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
                                datalen = maxfraglen - fragheaderlen;
                        fraglen = datalen + fragheaderlen;
@@ -1481,7 +1483,7 @@ alloc_new_skb:
        }
        return 0;
 error:
-        inet->cork.length -= length;
+        cork->length -= length;
        IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
        return err;
 }
@@ -1497,10 +1499,10 @@ static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
                np->cork.opt = NULL;
        }
-        if (inet->cork.dst) {
+        if (inet->cork.base.dst) {
-                dst_release(inet->cork.dst);
+                dst_release(inet->cork.base.dst);
-                inet->cork.dst = NULL;
+                inet->cork.base.dst = NULL;
-                inet->cork.flags &= ~IPCORK_ALLFRAG;
+                inet->cork.base.flags &= ~IPCORK_ALLFRAG;
        }
        memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
 }
@@ -1515,7 +1517,7 @@ int ip6_push_pending_frames(struct sock *sk)
        struct net *net = sock_net(sk);
        struct ipv6hdr *hdr;
        struct ipv6_txoptions *opt = np->cork.opt;
-        struct rt6_info *rt = (struct rt6_info *)inet->cork.dst;
+        struct rt6_info *rt = (struct rt6_info *)inet->cork.base.dst;
        struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
        unsigned char proto = fl6->flowi6_proto;
        int err = 0;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index c1b1bd312df2..36c2842a86b2 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -162,7 +162,7 @@ static inline void ip6_tnl_dst_store(struct ip6_tnl *t, struct dst_entry *dst)
        for (t = rcu_dereference(start); t; t = rcu_dereference(t->next))
 static struct ip6_tnl *
-ip6_tnl_lookup(struct net *net, struct in6_addr *remote, struct in6_addr *local)
+ip6_tnl_lookup(struct net *net, const struct in6_addr *remote, const struct in6_addr *local)
 {
        unsigned int h0 = HASH(remote);
        unsigned int h1 = HASH(local);
@@ -194,10 +194,10 @@ ip6_tnl_lookup(struct net *net, struct in6_addr *remote, struct in6_addr *local)
 **/
 static struct ip6_tnl __rcu **
-ip6_tnl_bucket(struct ip6_tnl_net *ip6n, struct ip6_tnl_parm *p)
+ip6_tnl_bucket(struct ip6_tnl_net *ip6n, const struct ip6_tnl_parm *p)
 {
-        struct in6_addr *remote = &p->raddr;
+        const struct in6_addr *remote = &p->raddr;
-        struct in6_addr *local = &p->laddr;
+        const struct in6_addr *local = &p->laddr;
        unsigned h = 0;
        int prio = 0;
@@ -280,11 +280,6 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct ip6_tnl_parm *p)
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        t = netdev_priv(dev);
        t->parms = *p;
        err = ip6_tnl_dev_init(dev);
@@ -321,8 +316,8 @@ failed:
 static struct ip6_tnl *ip6_tnl_locate(struct net *net,
                struct ip6_tnl_parm *p, int create)
 {
-        struct in6_addr *remote = &p->raddr;
+        const struct in6_addr *remote = &p->raddr;
-        struct in6_addr *local = &p->laddr;
+        const struct in6_addr *local = &p->laddr;
        struct ip6_tnl __rcu **tp;
        struct ip6_tnl *t;
        struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
@@ -374,7 +369,7 @@ ip6_tnl_dev_uninit(struct net_device *dev)
 static __u16
 parse_tlv_tnl_enc_lim(struct sk_buff *skb, __u8 * raw)
 {
-        struct ipv6hdr *ipv6h = (struct ipv6hdr *) raw;
+        const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
        __u8 nexthdr = ipv6h->nexthdr;
        __u16 off = sizeof (*ipv6h);
@@ -435,7 +430,7 @@ static int
 ip6_tnl_err(struct sk_buff *skb, __u8 ipproto, struct inet6_skb_parm *opt,
            u8 *type, u8 *code, int *msg, __u32 *info, int offset)
 {
-        struct ipv6hdr *ipv6h = (struct ipv6hdr *) skb->data;
+        const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) skb->data;
        struct ip6_tnl *t;
        int rel_msg = 0;
        u8 rel_type = ICMPV6_DEST_UNREACH;
@@ -535,8 +530,9 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        __u32 rel_info = ntohl(info);
        int err;
        struct sk_buff *skb2;
-        struct iphdr *eiph;
+        const struct iphdr *eiph;
        struct rtable *rt;
+        struct flowi4 fl4;
        err = ip6_tnl_err(skb, IPPROTO_IPIP, opt, &rel_type, &rel_code,
                          &rel_msg, &rel_info, offset);
@@ -577,7 +573,7 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        eiph = ip_hdr(skb2);
        /* Try to guess incoming interface */
-        rt = ip_route_output_ports(dev_net(skb->dev), NULL,
+        rt = ip_route_output_ports(dev_net(skb->dev), &fl4, NULL,
                                   eiph->saddr, 0,
                                   0, 0,
                                   IPPROTO_IPIP, RT_TOS(eiph->tos), 0);
@@ -590,7 +586,7 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        if (rt->rt_flags & RTCF_LOCAL) {
                ip_rt_put(rt);
                rt = NULL;
-                rt = ip_route_output_ports(dev_net(skb->dev), NULL,
+                rt = ip_route_output_ports(dev_net(skb->dev), &fl4, NULL,
                                           eiph->daddr, eiph->saddr,
                                           0, 0,
                                           IPPROTO_IPIP,
@@ -669,8 +665,8 @@ ip6ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        return 0;
 }
-static void ip4ip6_dscp_ecn_decapsulate(struct ip6_tnl *t,
+static void ip4ip6_dscp_ecn_decapsulate(const struct ip6_tnl *t,
-                                        struct ipv6hdr *ipv6h,
+                                        const struct ipv6hdr *ipv6h,
                                        struct sk_buff *skb)
 {
        __u8 dsfield = ipv6_get_dsfield(ipv6h) & ~INET_ECN_MASK;
@@ -682,8 +678,8 @@ static void ip4ip6_dscp_ecn_decapsulate(struct ip6_tnl *t,
                IP_ECN_set_ce(ip_hdr(skb));
 }
-static void ip6ip6_dscp_ecn_decapsulate(struct ip6_tnl *t,
+static void ip6ip6_dscp_ecn_decapsulate(const struct ip6_tnl *t,
-                                        struct ipv6hdr *ipv6h,
+                                        const struct ipv6hdr *ipv6h,
                                        struct sk_buff *skb)
 {
        if (t->parms.flags & IP6_TNL_F_RCV_DSCP_COPY)
@@ -726,12 +722,12 @@ static inline int ip6_tnl_rcv_ctl(struct ip6_tnl *t)
 static int ip6_tnl_rcv(struct sk_buff *skb, __u16 protocol,
                       __u8 ipproto,
-                       void (*dscp_ecn_decapsulate)(struct ip6_tnl *t,
+                       void (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
-                                                    struct ipv6hdr *ipv6h,
+                                                    const struct ipv6hdr *ipv6h,
                                                    struct sk_buff *skb))
 {
        struct ip6_tnl *t;
-        struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
        rcu_read_lock();
@@ -828,7 +824,7 @@ static void init_tel_txopt(struct ipv6_tel_txoption *opt, __u8 encap_limit)
 **/
 static inline int
-ip6_tnl_addr_conflict(struct ip6_tnl *t, struct ipv6hdr *hdr)
+ip6_tnl_addr_conflict(const struct ip6_tnl *t, const struct ipv6hdr *hdr)
 {
        return ipv6_addr_equal(&t->parms.raddr, &hdr->saddr);
 }
@@ -1005,7 +1001,7 @@ static inline int
 ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct ip6_tnl *t = netdev_priv(dev);
-        struct iphdr  *iph = ip_hdr(skb);
+        const struct iphdr  *iph = ip_hdr(skb);
        int encap_limit = -1;
        struct flowi6 fl6;
        __u8 dsfield;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 29e48593bf22..82a809901f8e 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -989,8 +989,8 @@ static int mif6_add(struct net *net, struct mr6_table *mrt,
 }
 static struct mfc6_cache *ip6mr_cache_find(struct mr6_table *mrt,
-                                           struct in6_addr *origin,
+                                           const struct in6_addr *origin,
-                                           struct in6_addr *mcastgrp)
+                                           const struct in6_addr *mcastgrp)
 {
        int line = MFC6_HASH(mcastgrp, origin);
        struct mfc6_cache *c;
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 85cccd6ed0b7..bba658d9a03c 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -55,7 +55,7 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 {
        struct net *net = dev_net(skb->dev);
        __be32 spi;
-        struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
        struct ip_comp_hdr *ipcomph =
                (struct ip_comp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
@@ -64,7 +64,8 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                return;
        spi = htonl(ntohs(ipcomph->cpi));
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, AF_INET6);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              spi, IPPROTO_COMP, AF_INET6);
        if (!x)
                return;
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 76b893771e6e..3e6ebcdb4779 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -92,16 +92,16 @@ static void mld_gq_timer_expire(unsigned long data);
 static void mld_ifc_timer_expire(unsigned long data);
 static void mld_ifc_event(struct inet6_dev *idev);
 static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
-static void mld_del_delrec(struct inet6_dev *idev, struct in6_addr *addr);
+static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr);
 static void mld_clear_delrec(struct inet6_dev *idev);
 static int sf_setstate(struct ifmcaddr6 *pmc);
 static void sf_markstate(struct ifmcaddr6 *pmc);
 static void ip6_mc_clear_src(struct ifmcaddr6 *pmc);
-static int ip6_mc_del_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_del_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta);
-static int ip6_mc_add_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_add_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta);
 static int ip6_mc_leave_src(struct sock *sk, struct ipv6_mc_socklist *iml,
                            struct inet6_dev *idev);
@@ -201,10 +201,6 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, const struct in6_addr *addr)
        return 0;
 }
-static void ipv6_mc_socklist_reclaim(struct rcu_head *head)
-{
-        kfree(container_of(head, struct ipv6_mc_socklist, rcu));
-}
 /*
 *      socket leave on multicast group
 */
@@ -239,7 +235,7 @@ int ipv6_sock_mc_drop(struct sock *sk, int ifindex, const struct in6_addr *addr)
                                (void) ip6_mc_leave_src(sk, mc_lst, NULL);
                        rcu_read_unlock();
                        atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc);
-                        call_rcu(&mc_lst->rcu, ipv6_mc_socklist_reclaim);
+                        kfree_rcu(mc_lst, rcu);
                        return 0;
                }
        }
@@ -250,7 +246,7 @@ int ipv6_sock_mc_drop(struct sock *sk, int ifindex, const struct in6_addr *addr)
 /* called with rcu_read_lock() */
 static struct inet6_dev *ip6_mc_find_dev_rcu(struct net *net,
-                                             struct in6_addr *group,
+                                             const struct in6_addr *group,
                                             int ifindex)
 {
        struct net_device *dev = NULL;
@@ -307,7 +303,7 @@ void ipv6_sock_mc_close(struct sock *sk)
                rcu_read_unlock();
                atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc);
-                call_rcu(&mc_lst->rcu, ipv6_mc_socklist_reclaim);
+                kfree_rcu(mc_lst, rcu);
                spin_lock(&ipv6_sk_mc_lock);
        }
@@ -451,7 +447,7 @@ done:
 int ip6_mc_msfilter(struct sock *sk, struct group_filter *gsf)
 {
-        struct in6_addr *group;
+        const struct in6_addr *group;
        struct ipv6_mc_socklist *pmc;
        struct inet6_dev *idev;
        struct ipv6_pinfo *inet6 = inet6_sk(sk);
@@ -542,7 +538,7 @@ int ip6_mc_msfget(struct sock *sk, struct group_filter *gsf,
        struct group_filter __user *optval, int __user *optlen)
 {
        int err, i, count, copycount;
-        struct in6_addr *group;
+        const struct in6_addr *group;
        struct ipv6_mc_socklist *pmc;
        struct inet6_dev *idev;
        struct ipv6_pinfo *inet6 = inet6_sk(sk);
@@ -752,7 +748,7 @@ static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
        spin_unlock_bh(&idev->mc_lock);
 }
-static void mld_del_delrec(struct inet6_dev *idev, struct in6_addr *pmca)
+static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
 {
        struct ifmcaddr6 *pmc, *pmc_prev;
        struct ip6_sf_list *psf, *psf_next;
@@ -1052,7 +1048,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime)
 /* mark EXCLUDE-mode sources */
 static int mld_xmarksources(struct ifmcaddr6 *pmc, int nsrcs,
-        struct in6_addr *srcs)
+        const struct in6_addr *srcs)
 {
        struct ip6_sf_list *psf;
        int i, scount;
@@ -1080,7 +1076,7 @@ static int mld_xmarksources(struct ifmcaddr6 *pmc, int nsrcs,
 }
 static int mld_marksources(struct ifmcaddr6 *pmc, int nsrcs,
-        struct in6_addr *srcs)
+        const struct in6_addr *srcs)
 {
        struct ip6_sf_list *psf;
        int i, scount;
@@ -1115,7 +1111,7 @@ int igmp6_event_query(struct sk_buff *skb)
 {
        struct mld2_query *mlh2 = NULL;
        struct ifmcaddr6 *ma;
-        struct in6_addr *group;
+        const struct in6_addr *group;
        unsigned long max_delay;
        struct inet6_dev *idev;
        struct mld_msg *mld;
@@ -1821,7 +1817,7 @@ err_out:
 }
 static int ip6_mc_del1_src(struct ifmcaddr6 *pmc, int sfmode,
-        struct in6_addr *psfsrc)
+        const struct in6_addr *psfsrc)
 {
        struct ip6_sf_list *psf, *psf_prev;
        int rv = 0;
@@ -1857,8 +1853,8 @@ static int ip6_mc_del1_src(struct ifmcaddr6 *pmc, int sfmode,
        return rv;
 }
-static int ip6_mc_del_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_del_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta)
 {
        struct ifmcaddr6 *pmc;
@@ -1918,7 +1914,7 @@ static int ip6_mc_del_src(struct inet6_dev *idev, struct in6_addr *pmca,
 * Add multicast single-source filter to the interface list
 */
 static int ip6_mc_add1_src(struct ifmcaddr6 *pmc, int sfmode,
-        struct in6_addr *psfsrc, int delta)
+        const struct in6_addr *psfsrc, int delta)
 {
        struct ip6_sf_list *psf, *psf_prev;
@@ -2021,8 +2017,8 @@ static int sf_setstate(struct ifmcaddr6 *pmc)
 /*
 * Add multicast source filter list to the interface list
 */
-static int ip6_mc_add_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_add_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta)
 {
        struct ifmcaddr6 *pmc;
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 9b210482fb05..43242e6e6103 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -126,7 +126,7 @@ static struct mip6_report_rate_limiter mip6_report_rl = {
 static int mip6_destopt_input(struct xfrm_state *x, struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct ipv6_destopt_hdr *destopt = (struct ipv6_destopt_hdr *)skb->data;
        int err = destopt->nexthdr;
@@ -181,8 +181,8 @@ static int mip6_destopt_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 static inline int mip6_report_rl_allow(struct timeval *stamp,
-                                       struct in6_addr *dst,
+                                       const struct in6_addr *dst,
-                                       struct in6_addr *src, int iif)
+                                       const struct in6_addr *src, int iif)
 {
        int allow = 0;
@@ -349,7 +349,7 @@ static const struct xfrm_type mip6_destopt_type =
 static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data;
        int err = rt2->rt_hdr.nexthdr;
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 92f952d093db..7596f071d308 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -324,7 +324,7 @@ static inline u8 *ndisc_opt_addr_data(struct nd_opt_hdr *p,
        return lladdr + prepad;
 }
-int ndisc_mc_map(struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
+int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
 {
        switch (dev->type) {
        case ARPHRD_ETHER:
@@ -611,6 +611,29 @@ static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
                     inc_opt ? ND_OPT_TARGET_LL_ADDR : 0);
 }
+static void ndisc_send_unsol_na(struct net_device *dev)
+{
+        struct inet6_dev *idev;
+        struct inet6_ifaddr *ifa;
+        struct in6_addr mcaddr;
+        idev = in6_dev_get(dev);
+        if (!idev)
+                return;
+        read_lock_bh(&idev->lock);
+        list_for_each_entry(ifa, &idev->addr_list, if_list) {
+                addrconf_addr_solict_mult(&ifa->addr, &mcaddr);
+                ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr,
+                              /*router=*/ !!idev->cnf.forwarding,
+                              /*solicited=*/ false, /*override=*/ true,
+                              /*inc_opt=*/ true);
+        }
+        read_unlock_bh(&idev->lock);
+        in6_dev_put(idev);
+}
 void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
                   const struct in6_addr *solicit,
                   const struct in6_addr *daddr, const struct in6_addr *saddr)
@@ -725,8 +748,8 @@ static int pndisc_is_router(const void *pkey,
 static void ndisc_recv_ns(struct sk_buff *skb)
 {
        struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
-        struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
+        const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
-        struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
+        const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
        u8 *lladdr = NULL;
        u32 ndoptlen = skb->tail - (skb->transport_header +
                                    offsetof(struct nd_msg, opt));
@@ -901,8 +924,8 @@ out:
 static void ndisc_recv_na(struct sk_buff *skb)
 {
        struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
-        struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
+        const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
-        struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
+        const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
        u8 *lladdr = NULL;
        u32 ndoptlen = skb->tail - (skb->transport_header +
                                    offsetof(struct nd_msg, opt));
@@ -945,9 +968,10 @@ static void ndisc_recv_na(struct sk_buff *skb)
        }
        ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
        if (ifp) {
-                if (ifp->flags & IFA_F_TENTATIVE) {
+                if (skb->pkt_type != PACKET_LOOPBACK
-                        addrconf_dad_failure(ifp);
+                    && (ifp->flags & IFA_F_TENTATIVE)) {
-                        return;
+                                addrconf_dad_failure(ifp);
+                                return;
                }
                /* What should we make now? The advertisement
                   is invalid, but ndisc specs say nothing
@@ -1014,7 +1038,7 @@ static void ndisc_recv_rs(struct sk_buff *skb)
        unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
        struct neighbour *neigh;
        struct inet6_dev *idev;
-        struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
+        const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
        struct ndisc_options ndopts;
        u8 *lladdr = NULL;
@@ -1411,8 +1435,8 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
 {
        struct inet6_dev *in6_dev;
        struct icmp6hdr *icmph;
-        struct in6_addr *dest;
+        const struct in6_addr *dest;
-        struct in6_addr *target;        /* new first hop to destination */
+        const struct in6_addr *target;  /* new first hop to destination */
        struct neighbour *neigh;
        int on_link = 0;
        struct ndisc_options ndopts;
@@ -1445,7 +1469,7 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
        }
        icmph = icmp6_hdr(skb);
-        target = (struct in6_addr *) (icmph + 1);
+        target = (const struct in6_addr *) (icmph + 1);
        dest = target + 1;
        if (ipv6_addr_is_multicast(dest)) {
@@ -1722,6 +1746,9 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
                neigh_ifdown(&nd_tbl, dev);
                fib6_run_gc(~0UL, net);
                break;
+        case NETDEV_NOTIFY_PEERS:
+                ndisc_send_unsol_na(dev);
+                break;
        default:
                break;
        }
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 28bc1f644b7b..30fcee465448 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -13,7 +13,7 @@
 int ip6_route_me_harder(struct sk_buff *skb)
 {
        struct net *net = dev_net(skb_dst(skb)->dev);
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct dst_entry *dst;
        struct flowi6 fl6 = {
                .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
@@ -67,7 +67,7 @@ static void nf_ip6_saveroute(const struct sk_buff *skb,
        struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
        if (entry->hook == NF_INET_LOCAL_OUT) {
-                struct ipv6hdr *iph = ipv6_hdr(skb);
+                const struct ipv6hdr *iph = ipv6_hdr(skb);
                rt_info->daddr = iph->daddr;
                rt_info->saddr = iph->saddr;
@@ -81,7 +81,7 @@ static int nf_ip6_reroute(struct sk_buff *skb,
        struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
        if (entry->hook == NF_INET_LOCAL_OUT) {
-                struct ipv6hdr *iph = ipv6_hdr(skb);
+                const struct ipv6hdr *iph = ipv6_hdr(skb);
                if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
                    !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
                    skb->mark != rt_info->mark)
@@ -108,7 +108,7 @@ static int nf_ip6_route(struct net *net, struct dst_entry **dst,
 __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
                             unsigned int dataoff, u_int8_t protocol)
 {
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        __sum16 csum = 0;
        switch (skb->ip_summed) {
@@ -142,7 +142,7 @@ static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
                                       unsigned int dataoff, unsigned int len,
                                       u_int8_t protocol)
 {
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        __wsum hsum;
        __sum16 csum = 0;
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 413ab0754e1f..249394863284 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -204,7 +204,8 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
        else
                pmsg->outdev_name[0] = '\0';
-        if (entry->indev && entry->skb->dev) {
+        if (entry->indev && entry->skb->dev &&
+            entry->skb->mac_header != entry->skb->network_header) {
                pmsg->hw_type = entry->skb->dev->type;
                pmsg->hw_addrlen = dev_parse_header(entry->skb, pmsg->hw_addr);
        }
@@ -403,7 +404,8 @@ ipq_dev_drop(int ifindex)
 static inline void
 __ipq_rcv_skb(struct sk_buff *skb)
 {
-        int status, type, pid, flags, nlmsglen, skblen;
+        int status, type, pid, flags;
+        unsigned int nlmsglen, skblen;
        struct nlmsghdr *nlh;
        skblen = skb->len;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 5a1c6f27ffaf..94874b0bdcdc 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -340,6 +340,7 @@ ip6t_do_table(struct sk_buff *skb,
        unsigned int *stackptr, origptr, cpu;
        const struct xt_table_info *private;
        struct xt_action_param acpar;
+        unsigned int addend;
        /* Initialization */
        indev = in ? in->name : nulldevname;
@@ -358,7 +359,8 @@ ip6t_do_table(struct sk_buff *skb,
        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
-        xt_info_rdlock_bh();
+        local_bh_disable();
+        addend = xt_write_recseq_begin();
        private = table->private;
        cpu        = smp_processor_id();
        table_base = private->entries[cpu];
@@ -442,7 +444,9 @@ ip6t_do_table(struct sk_buff *skb,
        } while (!acpar.hotdrop);
        *stackptr = origptr;
-        xt_info_rdunlock_bh();
+        xt_write_recseq_end(addend);
+        local_bh_enable();
 #ifdef DEBUG_ALLOW_ALL
        return NF_ACCEPT;
@@ -899,7 +903,7 @@ get_counters(const struct xt_table_info *t,
        unsigned int i;
        for_each_possible_cpu(cpu) {
-                seqlock_t *lock = &per_cpu(xt_info_locks, cpu).lock;
+                seqcount_t *s = &per_cpu(xt_recseq, cpu);
                i = 0;
                xt_entry_foreach(iter, t->entries[cpu], t->size) {
@@ -907,10 +911,10 @@ get_counters(const struct xt_table_info *t,
                        unsigned int start;
                        do {
-                                start = read_seqbegin(lock);
+                                start = read_seqcount_begin(s);
                                bcnt = iter->counters.bcnt;
                                pcnt = iter->counters.pcnt;
-                        } while (read_seqretry(lock, start));
+                        } while (read_seqcount_retry(s, start));
                        ADD_COUNTER(counters[i], bcnt, pcnt);
                        ++i;
@@ -1325,6 +1329,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
        int ret = 0;
        const void *loc_cpu_entry;
        struct ip6t_entry *iter;
+        unsigned int addend;
 #ifdef CONFIG_COMPAT
        struct compat_xt_counters_info compat_tmp;
@@ -1381,13 +1386,13 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
        i = 0;
        /* Choose the copy that is on our node */
        curcpu = smp_processor_id();
-        xt_info_wrlock(curcpu);
+        addend = xt_write_recseq_begin();
        loc_cpu_entry = private->entries[curcpu];
        xt_entry_foreach(iter, loc_cpu_entry, private->size) {
                ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
                ++i;
        }
-        xt_info_wrunlock(curcpu);
+        xt_write_recseq_end(addend);
 unlock_up_free:
        local_bh_enable();
@@ -1578,7 +1583,6 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
                            struct xt_table_info *newinfo, unsigned char *base)
 {
        struct xt_entry_target *t;
-        struct xt_target *target;
        struct ip6t_entry *de;
        unsigned int origsize;
        int ret, h;
@@ -1600,7 +1604,6 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
        }
        de->target_offset = e->target_offset - (origsize - *size);
        t = compat_ip6t_get_target(e);
-        target = t->u.kernel.target;
        xt_compat_target_from_user(t, dstptr, size);
        de->next_offset = e->next_offset - (origsize - *size);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 679a0a3b7b3c..00d19173db7e 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -64,7 +64,8 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
            (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
             memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
             skb->mark != mark ||
-             ipv6_hdr(skb)->hop_limit != hop_limit))
+             ipv6_hdr(skb)->hop_limit != hop_limit ||
+             flowlabel != *((u_int32_t *)ipv6_hdr(skb))))
                return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
        return ret;
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index c8af58b22562..4111050a9fc5 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -160,7 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
        /* This is where we call the helper: as the packet goes out. */
        ct = nf_ct_get(skb, &ctinfo);
-        if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)
+        if (!ct || ctinfo == IP_CT_RELATED_REPLY)
                goto out;
        help = nfct_help(ct);
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 1df3c8b6bf47..7c05e7eacbc6 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -177,7 +177,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
        /* Update skb to refer to this connection */
        skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
        skb->nfctinfo = *ctinfo;
-        return -NF_ACCEPT;
+        return NF_ACCEPT;
 }
 static int
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index 24b3558b8e67..18ff5df7ec02 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -141,7 +141,11 @@ static const struct snmp_mib snmp6_udplite6_list[] = {
        SNMP_MIB_SENTINEL
 };
-static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **mib)
+/* can be called either with percpu mib (pcpumib != NULL),
+ * or shared one (smib != NULL)
+ */
+static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **pcpumib,
+                                     atomic_long_t *smib)
 {
        char name[32];
        int i;
@@ -158,14 +162,14 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **mib)
                snprintf(name, sizeof(name), "Icmp6%s%s",
                        i & 0x100 ? "Out" : "In", p);
                seq_printf(seq, "%-32s\t%lu\n", name,
-                        snmp_fold_field(mib, i));
+                        pcpumib ? snmp_fold_field(pcpumib, i) : atomic_long_read(smib + i));
        }
        /* print by number (nonzero only) - ICMPMsgStat format */
        for (i = 0; i < ICMP6MSG_MIB_MAX; i++) {
                unsigned long val;
-                val = snmp_fold_field(mib, i);
+                val = pcpumib ? snmp_fold_field(pcpumib, i) : atomic_long_read(smib + i);
                if (!val)
                        continue;
                snprintf(name, sizeof(name), "Icmp6%sType%u",
@@ -174,14 +178,22 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **mib)
        }
 }
-static void snmp6_seq_show_item(struct seq_file *seq, void __percpu **mib,
+/* can be called either with percpu mib (pcpumib != NULL),
+ * or shared one (smib != NULL)
+ */
+static void snmp6_seq_show_item(struct seq_file *seq, void __percpu **pcpumib,
+                                atomic_long_t *smib,
                                const struct snmp_mib *itemlist)
 {
        int i;
+        unsigned long val;
-        for (i = 0; itemlist[i].name; i++)
+        for (i = 0; itemlist[i].name; i++) {
-                seq_printf(seq, "%-32s\t%lu\n", itemlist[i].name,
+                val = pcpumib ?
-                           snmp_fold_field(mib, itemlist[i].entry));
+                        snmp_fold_field(pcpumib, itemlist[i].entry) :
+                        atomic_long_read(smib + itemlist[i].entry);
+                seq_printf(seq, "%-32s\t%lu\n", itemlist[i].name, val);
+        }
 }
 static void snmp6_seq_show_item64(struct seq_file *seq, void __percpu **mib,
@@ -201,13 +213,13 @@ static int snmp6_seq_show(struct seq_file *seq, void *v)
        snmp6_seq_show_item64(seq, (void __percpu **)net->mib.ipv6_statistics,
                            snmp6_ipstats_list, offsetof(struct ipstats_mib, syncp));
        snmp6_seq_show_item(seq, (void __percpu **)net->mib.icmpv6_statistics,
-                            snmp6_icmp6_list);
+                            NULL, snmp6_icmp6_list);
        snmp6_seq_show_icmpv6msg(seq,
-                            (void __percpu **)net->mib.icmpv6msg_statistics);
+                            (void __percpu **)net->mib.icmpv6msg_statistics, NULL);
        snmp6_seq_show_item(seq, (void __percpu **)net->mib.udp_stats_in6,
-                            snmp6_udp6_list);
+                            NULL, snmp6_udp6_list);
        snmp6_seq_show_item(seq, (void __percpu **)net->mib.udplite_stats_in6,
-                            snmp6_udplite6_list);
+                            NULL, snmp6_udplite6_list);
        return 0;
 }
@@ -229,11 +241,11 @@ static int snmp6_dev_seq_show(struct seq_file *seq, void *v)
        struct inet6_dev *idev = (struct inet6_dev *)seq->private;
        seq_printf(seq, "%-32s\t%u\n", "ifIndex", idev->dev->ifindex);
-        snmp6_seq_show_item(seq, (void __percpu **)idev->stats.ipv6,
+        snmp6_seq_show_item(seq, (void __percpu **)idev->stats.ipv6, NULL,
                            snmp6_ipstats_list);
-        snmp6_seq_show_item(seq, (void __percpu **)idev->stats.icmpv6,
+        snmp6_seq_show_item(seq, NULL, idev->stats.icmpv6dev->mibs,
                            snmp6_icmp6_list);
-        snmp6_seq_show_icmpv6msg(seq, (void __percpu **)idev->stats.icmpv6msg);
+        snmp6_seq_show_icmpv6msg(seq, NULL, idev->stats.icmpv6msgdev->mibs);
        return 0;
 }
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 4a1c3b46c56b..cc7313b8f7ea 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -67,8 +67,8 @@ static struct raw_hashinfo raw_v6_hashinfo = {
 };
 static struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
-                unsigned short num, struct in6_addr *loc_addr,
+                unsigned short num, const struct in6_addr *loc_addr,
-                struct in6_addr *rmt_addr, int dif)
+                const struct in6_addr *rmt_addr, int dif)
 {
        struct hlist_node *node;
        int is_multicast = ipv6_addr_is_multicast(loc_addr);
@@ -154,8 +154,8 @@ EXPORT_SYMBOL(rawv6_mh_filter_unregister);
 */
 static int ipv6_raw_deliver(struct sk_buff *skb, int nexthdr)
 {
-        struct in6_addr *saddr;
+        const struct in6_addr *saddr;
-        struct in6_addr *daddr;
+        const struct in6_addr *daddr;
        struct sock *sk;
        int delivered = 0;
        __u8 hash;
@@ -348,7 +348,7 @@ void raw6_icmp_error(struct sk_buff *skb, int nexthdr,
 {
        struct sock *sk;
        int hash;
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
        struct net *net;
        hash = nexthdr & (RAW_HTABLE_SIZE - 1);
@@ -357,7 +357,7 @@ void raw6_icmp_error(struct sk_buff *skb, int nexthdr,
        sk = sk_head(&raw_v6_hashinfo.ht[hash]);
        if (sk != NULL) {
                /* Note: ipv6_hdr(skb) != skb->data */
-                struct ipv6hdr *ip6h = (struct ipv6hdr *)skb->data;
+                const struct ipv6hdr *ip6h = (const struct ipv6hdr *)skb->data;
                saddr = &ip6h->saddr;
                daddr = &ip6h->daddr;
                net = dev_net(skb->dev);
@@ -542,8 +542,8 @@ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
                goto out;
        offset = rp->offset;
-        total_len = inet_sk(sk)->cork.length - (skb_network_header(skb) -
+        total_len = inet_sk(sk)->cork.base.length - (skb_network_header(skb) -
-                                                skb->data);
+                                                     skb->data);
        if (offset >= total_len - 1) {
                err = -EINVAL;
                ip6_flush_pending_frames(sk);
@@ -1231,7 +1231,7 @@ struct proto rawv6_prot = {
 static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
 {
        struct ipv6_pinfo *np = inet6_sk(sp);
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        dest  = &np->daddr;
@@ -1240,7 +1240,7 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
        srcp  = inet_sk(sp)->inet_num;
        seq_printf(seq,
                   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
+                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
                   i,
                   src->s6_addr32[0], src->s6_addr32[1],
                   src->s6_addr32[2], src->s6_addr32[3], srcp,
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 07beeb06f752..7b954e2539d0 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -224,7 +224,7 @@ out:
 }
 static __inline__ struct frag_queue *
-fq_find(struct net *net, __be32 id, struct in6_addr *src, struct in6_addr *dst)
+fq_find(struct net *net, __be32 id, const struct in6_addr *src, const struct in6_addr *dst)
 {
        struct inet_frag_queue *q;
        struct ip6_create_arg arg;
@@ -535,7 +535,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 {
        struct frag_hdr *fhdr;
        struct frag_queue *fq;
-        struct ipv6hdr *hdr = ipv6_hdr(skb);
+        const struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct net *net = dev_net(skb_dst(skb)->dev);
        IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index fd0eec6f88c6..0ef1f086feb8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -89,12 +89,12 @@ static void		ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu);
 #ifdef CONFIG_IPV6_ROUTE_INFO
 static struct rt6_info *rt6_add_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex,
+                                           const struct in6_addr *gwaddr, int ifindex,
                                           unsigned pref);
 static struct rt6_info *rt6_get_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex);
+                                           const struct in6_addr *gwaddr, int ifindex);
 #endif
 static u32 *ipv6_cow_metrics(struct dst_entry *dst, unsigned long old)
@@ -227,9 +227,15 @@ static struct rt6_info ip6_blk_hole_entry_template = {
 #endif
 /* allocate dst with ip6_dst_ops */
-static inline struct rt6_info *ip6_dst_alloc(struct dst_ops *ops)
+static inline struct rt6_info *ip6_dst_alloc(struct dst_ops *ops,
+                                             struct net_device *dev,
+                                             int flags)
 {
-        return (struct rt6_info *)dst_alloc(ops, 0);
+        struct rt6_info *rt = dst_alloc(ops, dev, 0, 0, flags);
+        memset(&rt->rt6i_table, 0, sizeof(*rt) - sizeof(struct dst_entry));
+        return rt;
 }
 static void ip6_dst_destroy(struct dst_entry *dst)
@@ -290,7 +296,7 @@ static __inline__ int rt6_check_expired(const struct rt6_info *rt)
                time_after(jiffies, rt->rt6i_expires);
 }
-static inline int rt6_need_strict(struct in6_addr *daddr)
+static inline int rt6_need_strict(const struct in6_addr *daddr)
 {
        return ipv6_addr_type(daddr) &
                (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL | IPV6_ADDR_LOOPBACK);
@@ -302,7 +308,7 @@ static inline int rt6_need_strict(struct in6_addr *daddr)
 static inline struct rt6_info *rt6_device_match(struct net *net,
                                                    struct rt6_info *rt,
-                                                    struct in6_addr *saddr,
+                                                    const struct in6_addr *saddr,
                                                    int oif,
                                                    int flags)
 {
@@ -514,7 +520,7 @@ static struct rt6_info *rt6_select(struct fib6_node *fn, int oif, int strict)
 #ifdef CONFIG_IPV6_ROUTE_INFO
 int rt6_route_rcv(struct net_device *dev, u8 *opt, int len,
-                  struct in6_addr *gwaddr)
+                  const struct in6_addr *gwaddr)
 {
        struct net *net = dev_net(dev);
        struct route_info *rinfo = (struct route_info *) opt;
@@ -677,8 +683,8 @@ int ip6_ins_rt(struct rt6_info *rt)
        return __ip6_ins_rt(rt, &info);
 }
-static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, struct in6_addr *daddr,
+static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, const struct in6_addr *daddr,
-                                      struct in6_addr *saddr)
+                                      const struct in6_addr *saddr)
 {
        struct rt6_info *rt;
@@ -746,7 +752,7 @@ static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, struct in6_addr *dad
        return rt;
 }
-static struct rt6_info *rt6_alloc_clone(struct rt6_info *ort, struct in6_addr *daddr)
+static struct rt6_info *rt6_alloc_clone(struct rt6_info *ort, const struct in6_addr *daddr)
 {
        struct rt6_info *rt = ip6_rt_copy(ort);
        if (rt) {
@@ -837,7 +843,7 @@ static struct rt6_info *ip6_pol_route_input(struct net *net, struct fib6_table *
 void ip6_route_input(struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct net *net = dev_net(skb->dev);
        int flags = RT6_LOOKUP_F_HAS_SADDR;
        struct flowi6 fl6 = {
@@ -881,11 +887,13 @@ EXPORT_SYMBOL(ip6_route_output);
 struct dst_entry *ip6_blackhole_route(struct net *net, struct dst_entry *dst_orig)
 {
-        struct rt6_info *rt = dst_alloc(&ip6_dst_blackhole_ops, 1);
+        struct rt6_info *rt, *ort = (struct rt6_info *) dst_orig;
-        struct rt6_info *ort = (struct rt6_info *) dst_orig;
        struct dst_entry *new = NULL;
+        rt = dst_alloc(&ip6_dst_blackhole_ops, ort->dst.dev, 1, 0, 0);
        if (rt) {
+                memset(&rt->rt6i_table, 0, sizeof(*rt) - sizeof(struct dst_entry));
                new = &rt->dst;
                new->__use = 1;
@@ -893,9 +901,6 @@ struct dst_entry *ip6_blackhole_route(struct net *net, struct dst_entry *dst_ori
                new->output = dst_discard;
                dst_copy_metrics(new, &ort->dst);
-                new->dev = ort->dst.dev;
-                if (new->dev)
-                        dev_hold(new->dev);
                rt->rt6i_idev = ort->rt6i_idev;
                if (rt->rt6i_idev)
                        in6_dev_hold(rt->rt6i_idev);
@@ -1038,13 +1043,12 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
        if (unlikely(idev == NULL))
                return NULL;
-        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, dev, 0);
        if (unlikely(rt == NULL)) {
                in6_dev_put(idev);
                goto out;
        }
-        dev_hold(dev);
        if (neigh)
                neigh_hold(neigh);
        else {
@@ -1053,21 +1057,12 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
                        neigh = NULL;
        }
-        rt->rt6i_dev      = dev;
        rt->rt6i_idev     = idev;
        rt->rt6i_nexthop  = neigh;
        atomic_set(&rt->dst.__refcnt, 1);
        dst_metric_set(&rt->dst, RTAX_HOPLIMIT, 255);
        rt->dst.output  = ip6_output;
-#if 0   /* there's no chance to use these for ndisc */
-        rt->dst.flags   = ipv6_addr_type(addr) & IPV6_ADDR_UNICAST
-                                ? DST_HOST
-                                : 0;
-        ipv6_addr_copy(&rt->rt6i_dst.addr, addr);
-        rt->rt6i_dst.plen = 128;
-#endif
        spin_lock_bh(&icmp6_dst_lock);
        rt->dst.next = icmp6_dst_gc_list;
        icmp6_dst_gc_list = &rt->dst;
@@ -1212,7 +1207,7 @@ int ip6_route_add(struct fib6_config *cfg)
                goto out;
        }
-        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL, DST_NOCOUNT);
        if (rt == NULL) {
                err = -ENOMEM;
@@ -1242,7 +1237,7 @@ int ip6_route_add(struct fib6_config *cfg)
        ipv6_addr_prefix(&rt->rt6i_dst.addr, &cfg->fc_dst, cfg->fc_dst_len);
        rt->rt6i_dst.plen = cfg->fc_dst_len;
        if (rt->rt6i_dst.plen == 128)
-               rt->dst.flags = DST_HOST;
+               rt->dst.flags |= DST_HOST;
 #ifdef CONFIG_IPV6_SUBTREES
        ipv6_addr_prefix(&rt->rt6i_src.addr, &cfg->fc_src, cfg->fc_src_len);
@@ -1279,7 +1274,7 @@ int ip6_route_add(struct fib6_config *cfg)
        }
        if (cfg->fc_flags & RTF_GATEWAY) {
-                struct in6_addr *gw_addr;
+                const struct in6_addr *gw_addr;
                int gwa_type;
                gw_addr = &cfg->fc_gateway;
@@ -1332,6 +1327,16 @@ int ip6_route_add(struct fib6_config *cfg)
        if (dev == NULL)
                goto out;
+        if (!ipv6_addr_any(&cfg->fc_prefsrc)) {
+                if (!ipv6_chk_addr(net, &cfg->fc_prefsrc, dev, 0)) {
+                        err = -EINVAL;
+                        goto out;
+                }
+                ipv6_addr_copy(&rt->rt6i_prefsrc.addr, &cfg->fc_prefsrc);
+                rt->rt6i_prefsrc.plen = 128;
+        } else
+                rt->rt6i_prefsrc.plen = 0;
        if (cfg->fc_flags & (RTF_GATEWAY | RTF_NONEXTHOP)) {
                rt->rt6i_nexthop = __neigh_lookup_errno(&nd_tbl, &rt->rt6i_gateway, dev);
                if (IS_ERR(rt->rt6i_nexthop)) {
@@ -1509,9 +1514,9 @@ out:
        return rt;
 };
-static struct rt6_info *ip6_route_redirect(struct in6_addr *dest,
+static struct rt6_info *ip6_route_redirect(const struct in6_addr *dest,
-                                           struct in6_addr *src,
+                                           const struct in6_addr *src,
-                                           struct in6_addr *gateway,
+                                           const struct in6_addr *gateway,
                                           struct net_device *dev)
 {
        int flags = RT6_LOOKUP_F_HAS_SADDR;
@@ -1533,8 +1538,8 @@ static struct rt6_info *ip6_route_redirect(struct in6_addr *dest,
                                                   flags, __ip6_route_redirect);
 }
-void rt6_redirect(struct in6_addr *dest, struct in6_addr *src,
+void rt6_redirect(const struct in6_addr *dest, const struct in6_addr *src,
-                  struct in6_addr *saddr,
+                  const struct in6_addr *saddr,
                  struct neighbour *neigh, u8 *lladdr, int on_link)
 {
        struct rt6_info *rt, *nrt = NULL;
@@ -1608,7 +1613,7 @@ out:
 *      i.e. Path MTU discovery
 */
-static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr,
+static void rt6_do_pmtu_disc(const struct in6_addr *daddr, const struct in6_addr *saddr,
                             struct net *net, u32 pmtu, int ifindex)
 {
        struct rt6_info *rt, *nrt;
@@ -1693,7 +1698,7 @@ out:
        dst_release(&rt->dst);
 }
-void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
+void rt6_pmtu_discovery(const struct in6_addr *daddr, const struct in6_addr *saddr,
                        struct net_device *dev, u32 pmtu)
 {
        struct net *net = dev_net(dev);
@@ -1721,7 +1726,8 @@ void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
 static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
 {
        struct net *net = dev_net(ort->rt6i_dev);
-        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops,
+                                            ort->dst.dev, 0);
        if (rt) {
                rt->dst.input = ort->dst.input;
@@ -1729,9 +1735,6 @@ static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
                dst_copy_metrics(&rt->dst, &ort->dst);
                rt->dst.error = ort->dst.error;
-                rt->dst.dev = ort->dst.dev;
-                if (rt->dst.dev)
-                        dev_hold(rt->dst.dev);
                rt->rt6i_idev = ort->rt6i_idev;
                if (rt->rt6i_idev)
                        in6_dev_hold(rt->rt6i_idev);
@@ -1746,6 +1749,7 @@ static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
 #ifdef CONFIG_IPV6_SUBTREES
                memcpy(&rt->rt6i_src, &ort->rt6i_src, sizeof(struct rt6key));
 #endif
+                memcpy(&rt->rt6i_prefsrc, &ort->rt6i_prefsrc, sizeof(struct rt6key));
                rt->rt6i_table = ort->rt6i_table;
        }
        return rt;
@@ -1753,8 +1757,8 @@ static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
 #ifdef CONFIG_IPV6_ROUTE_INFO
 static struct rt6_info *rt6_get_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex)
+                                           const struct in6_addr *gwaddr, int ifindex)
 {
        struct fib6_node *fn;
        struct rt6_info *rt = NULL;
@@ -1785,8 +1789,8 @@ out:
 }
 static struct rt6_info *rt6_add_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex,
+                                           const struct in6_addr *gwaddr, int ifindex,
                                           unsigned pref)
 {
        struct fib6_config cfg = {
@@ -1814,7 +1818,7 @@ static struct rt6_info *rt6_add_route_info(struct net *net,
 }
 #endif
-struct rt6_info *rt6_get_dflt_router(struct in6_addr *addr, struct net_device *dev)
+struct rt6_info *rt6_get_dflt_router(const struct in6_addr *addr, struct net_device *dev)
 {
        struct rt6_info *rt;
        struct fib6_table *table;
@@ -1836,7 +1840,7 @@ struct rt6_info *rt6_get_dflt_router(struct in6_addr *addr, struct net_device *d
        return rt;
 }
-struct rt6_info *rt6_add_dflt_router(struct in6_addr *gwaddr,
+struct rt6_info *rt6_add_dflt_router(const struct in6_addr *gwaddr,
                                     struct net_device *dev,
                                     unsigned int pref)
 {
@@ -2001,7 +2005,8 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
                                    int anycast)
 {
        struct net *net = dev_net(idev->dev);
-        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops,
+                                            net->loopback_dev, 0);
        struct neighbour *neigh;
        if (rt == NULL) {
@@ -2011,13 +2016,11 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
                return ERR_PTR(-ENOMEM);
        }
-        dev_hold(net->loopback_dev);
        in6_dev_hold(idev);
-        rt->dst.flags = DST_HOST;
+        rt->dst.flags |= DST_HOST;
        rt->dst.input = ip6_input;
        rt->dst.output = ip6_output;
-        rt->rt6i_dev = net->loopback_dev;
        rt->rt6i_idev = idev;
        rt->dst.obsolete = -1;
@@ -2043,6 +2046,55 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
        return rt;
 }
+int ip6_route_get_saddr(struct net *net,
+                        struct rt6_info *rt,
+                        const struct in6_addr *daddr,
+                        unsigned int prefs,
+                        struct in6_addr *saddr)
+{
+        struct inet6_dev *idev = ip6_dst_idev((struct dst_entry*)rt);
+        int err = 0;
+        if (rt->rt6i_prefsrc.plen)
+                ipv6_addr_copy(saddr, &rt->rt6i_prefsrc.addr);
+        else
+                err = ipv6_dev_get_saddr(net, idev ? idev->dev : NULL,
+                                         daddr, prefs, saddr);
+        return err;
+}
+/* remove deleted ip from prefsrc entries */
+struct arg_dev_net_ip {
+        struct net_device *dev;
+        struct net *net;
+        struct in6_addr *addr;
+};
+static int fib6_remove_prefsrc(struct rt6_info *rt, void *arg)
+{
+        struct net_device *dev = ((struct arg_dev_net_ip *)arg)->dev;
+        struct net *net = ((struct arg_dev_net_ip *)arg)->net;
+        struct in6_addr *addr = ((struct arg_dev_net_ip *)arg)->addr;
+        if (((void *)rt->rt6i_dev == dev || dev == NULL) &&
+            rt != net->ipv6.ip6_null_entry &&
+            ipv6_addr_equal(addr, &rt->rt6i_prefsrc.addr)) {
+                /* remove prefsrc entry */
+                rt->rt6i_prefsrc.plen = 0;
+        }
+        return 0;
+}
+void rt6_remove_prefsrc(struct inet6_ifaddr *ifp)
+{
+        struct net *net = dev_net(ifp->idev->dev);
+        struct arg_dev_net_ip adni = {
+                .dev = ifp->idev->dev,
+                .net = net,
+                .addr = &ifp->addr,
+        };
+        fib6_clean_all(net, fib6_remove_prefsrc, 0, &adni);
+}
 struct arg_dev_net {
        struct net_device *dev;
        struct net *net;
@@ -2189,6 +2241,9 @@ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
                nla_memcpy(&cfg->fc_src, tb[RTA_SRC], plen);
        }
+        if (tb[RTA_PREFSRC])
+                nla_memcpy(&cfg->fc_prefsrc, tb[RTA_PREFSRC], 16);
        if (tb[RTA_OIF])
                cfg->fc_ifindex = nla_get_u32(tb[RTA_OIF]);
@@ -2331,13 +2386,17 @@ static int rt6_fill_node(struct net *net,
 #endif
                        NLA_PUT_U32(skb, RTA_IIF, iif);
        } else if (dst) {
-                struct inet6_dev *idev = ip6_dst_idev(&rt->dst);
                struct in6_addr saddr_buf;
-                if (ipv6_dev_get_saddr(net, idev ? idev->dev : NULL,
+                if (ip6_route_get_saddr(net, rt, dst, 0, &saddr_buf) == 0)
-                                       dst, 0, &saddr_buf) == 0)
                        NLA_PUT(skb, RTA_PREFSRC, 16, &saddr_buf);
        }
+        if (rt->rt6i_prefsrc.plen) {
+                struct in6_addr saddr_buf;
+                ipv6_addr_copy(&saddr_buf, &rt->rt6i_prefsrc.addr);
+                NLA_PUT(skb, RTA_PREFSRC, 16, &saddr_buf);
+        }
        if (rtnetlink_put_metrics(skb, dst_metrics_ptr(&rt->dst)) < 0)
                goto nla_put_failure;
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 43b33373adb2..1cca5761aea9 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -250,11 +250,6 @@ static struct ip_tunnel *ipip6_tunnel_locate(struct net *net,
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        nt = netdev_priv(dev);
        nt->parms = *parms;
@@ -401,11 +396,6 @@ out:
        return err;
 }
-static void prl_entry_destroy_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct ip_tunnel_prl_entry, rcu_head));
-}
 static void prl_list_destroy_rcu(struct rcu_head *head)
 {
        struct ip_tunnel_prl_entry *p, *n;
@@ -433,7 +423,7 @@ ipip6_tunnel_del_prl(struct ip_tunnel *t, struct ip_tunnel_prl *a)
                     p = &x->next) {
                        if (x->addr == a->addr) {
                                *p = x->next;
-                                call_rcu(&x->rcu_head, prl_entry_destroy_rcu);
+                                kfree_rcu(x, rcu_head);
                                t->prl_count--;
                                goto out;
                        }
@@ -452,7 +442,7 @@ out:
 }
 static int
-isatap_chksrc(struct sk_buff *skb, struct iphdr *iph, struct ip_tunnel *t)
+isatap_chksrc(struct sk_buff *skb, const struct iphdr *iph, struct ip_tunnel *t)
 {
        struct ip_tunnel_prl_entry *p;
        int ok = 1;
@@ -465,7 +455,8 @@ isatap_chksrc(struct sk_buff *skb, struct iphdr *iph, struct ip_tunnel *t)
                else
                        skb->ndisc_nodetype = NDISC_NODETYPE_NODEFAULT;
        } else {
-                struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;
+                const struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;
                if (ipv6_addr_is_isatap(addr6) &&
                    (addr6->s6_addr32[3] == iph->saddr) &&
                    ipv6_chk_prefix(addr6, t->dev))
@@ -499,7 +490,7 @@ static int ipip6_err(struct sk_buff *skb, u32 info)
   8 bytes of packet payload. It means, that precise relaying of
   ICMP in the real Internet is absolutely infeasible.
 */
-        struct iphdr *iph = (struct iphdr*)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
        struct ip_tunnel *t;
@@ -557,7 +548,7 @@ out:
        return err;
 }
-static inline void ipip6_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
+static inline void ipip6_ecn_decapsulate(const struct iphdr *iph, struct sk_buff *skb)
 {
        if (INET_ECN_is_ce(iph->tos))
                IP6_ECN_set_ce(ipv6_hdr(skb));
@@ -565,7 +556,7 @@ static inline void ipip6_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
 static int ipip6_rcv(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct ip_tunnel *tunnel;
        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
@@ -621,7 +612,7 @@ out:
 * comes from 6rd / 6to4 (RFC 3056) addr space.
 */
 static inline
-__be32 try_6rd(struct in6_addr *v6dst, struct ip_tunnel *tunnel)
+__be32 try_6rd(const struct in6_addr *v6dst, struct ip_tunnel *tunnel)
 {
        __be32 dst = 0;
@@ -664,8 +655,8 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
        struct pcpu_tstats *tstats;
-        struct iphdr  *tiph = &tunnel->parms.iph;
+        const struct iphdr  *tiph = &tunnel->parms.iph;
-        struct ipv6hdr *iph6 = ipv6_hdr(skb);
+        const struct ipv6hdr *iph6 = ipv6_hdr(skb);
        u8     tos = tunnel->parms.iph.tos;
        __be16 df = tiph->frag_off;
        struct rtable *rt;                      /* Route to the other host */
@@ -673,8 +664,9 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
        struct iphdr  *iph;                     /* Our new IP header */
        unsigned int max_headroom;              /* The extra header space needed */
        __be32 dst = tiph->daddr;
+        struct flowi4 fl4;
        int    mtu;
-        struct in6_addr *addr6;
+        const struct in6_addr *addr6;
        int addr_type;
        if (skb->protocol != htons(ETH_P_IPV6))
@@ -693,7 +685,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        goto tx_error;
                }
-                addr6 = (struct in6_addr*)&neigh->primary_key;
+                addr6 = (const struct in6_addr*)&neigh->primary_key;
                addr_type = ipv6_addr_type(addr6);
                if ((addr_type & IPV6_ADDR_UNICAST) &&
@@ -718,7 +710,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        goto tx_error;
                }
-                addr6 = (struct in6_addr*)&neigh->primary_key;
+                addr6 = (const struct in6_addr*)&neigh->primary_key;
                addr_type = ipv6_addr_type(addr6);
                if (addr_type == IPV6_ADDR_ANY) {
@@ -732,7 +724,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                dst = addr6->s6_addr32[3];
        }
-        rt = ip_route_output_ports(dev_net(dev), NULL,
+        rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
                                   dst, tiph->saddr,
                                   0, 0,
                                   IPPROTO_IPV6, RT_TOS(tos),
@@ -826,8 +818,8 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_IPV6;
        iph->tos                =       INET_ECN_encapsulate(tos, ipv6_get_dsfield(iph6));
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       fl4.daddr;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       fl4.saddr;
        if ((iph->ttl = tiph->ttl) == 0)
                iph->ttl        =       iph6->hop_limit;
@@ -849,13 +841,14 @@ static void ipip6_tunnel_bind_dev(struct net_device *dev)
 {
        struct net_device *tdev = NULL;
        struct ip_tunnel *tunnel;
-        struct iphdr *iph;
+        const struct iphdr *iph;
+        struct flowi4 fl4;
        tunnel = netdev_priv(dev);
        iph = &tunnel->parms.iph;
        if (iph->daddr) {
-                struct rtable *rt = ip_route_output_ports(dev_net(dev), NULL,
+                struct rtable *rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
                                                          iph->daddr, iph->saddr,
                                                          0, 0,
                                                          IPPROTO_IPV6,
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index 352c26081f5d..8b9644a8b697 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -66,7 +66,7 @@ static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb,
 static DEFINE_PER_CPU(__u32 [16 + 5 + SHA_WORKSPACE_WORDS],
                      ipv6_cookie_scratch);
-static u32 cookie_hash(struct in6_addr *saddr, struct in6_addr *daddr,
+static u32 cookie_hash(const struct in6_addr *saddr, const struct in6_addr *daddr,
                       __be16 sport, __be16 dport, u32 count, int c)
 {
        __u32 *tmp = __get_cpu_var(ipv6_cookie_scratch);
@@ -86,7 +86,8 @@ static u32 cookie_hash(struct in6_addr *saddr, struct in6_addr *daddr,
        return tmp[17];
 }
-static __u32 secure_tcp_syn_cookie(struct in6_addr *saddr, struct in6_addr *daddr,
+static __u32 secure_tcp_syn_cookie(const struct in6_addr *saddr,
+                                   const struct in6_addr *daddr,
                                   __be16 sport, __be16 dport, __u32 sseq,
                                   __u32 count, __u32 data)
 {
@@ -96,8 +97,8 @@ static __u32 secure_tcp_syn_cookie(struct in6_addr *saddr, struct in6_addr *dadd
                & COOKIEMASK));
 }
-static __u32 check_tcp_syn_cookie(__u32 cookie, struct in6_addr *saddr,
+static __u32 check_tcp_syn_cookie(__u32 cookie, const struct in6_addr *saddr,
-                                  struct in6_addr *daddr, __be16 sport,
+                                  const struct in6_addr *daddr, __be16 sport,
                                  __be16 dport, __u32 sseq, __u32 count,
                                  __u32 maxdiff)
 {
@@ -116,7 +117,7 @@ static __u32 check_tcp_syn_cookie(__u32 cookie, struct in6_addr *saddr,
 __u32 cookie_v6_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        const struct tcphdr *th = tcp_hdr(skb);
        int mssind;
        const __u16 mss = *mssp;
@@ -138,7 +139,7 @@ __u32 cookie_v6_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 static inline int cookie_check(struct sk_buff *skb, __u32 cookie)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        const struct tcphdr *th = tcp_hdr(skb);
        __u32 seq = ntohl(th->seq) - 1;
        __u32 mssind = check_tcp_syn_cookie(cookie, &iph->saddr, &iph->daddr,
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 4f49e5dd41bb..87551ca568cd 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -76,8 +76,8 @@ static void	tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
 static int      tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);
 static void     __tcp_v6_send_check(struct sk_buff *skb,
-                                    struct in6_addr *saddr,
+                                    const struct in6_addr *saddr,
-                                    struct in6_addr *daddr);
+                                    const struct in6_addr *daddr);
 static const struct inet_connection_sock_af_ops ipv6_mapped;
 static const struct inet_connection_sock_af_ops ipv6_specific;
@@ -86,7 +86,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_specific;
 static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
 #else
 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
-                                                   struct in6_addr *addr)
+                                                   const struct in6_addr *addr)
 {
        return NULL;
 }
@@ -106,8 +106,8 @@ static void tcp_v6_hash(struct sock *sk)
 }
 static __inline__ __sum16 tcp_v6_check(int len,
-                                   struct in6_addr *saddr,
+                                   const struct in6_addr *saddr,
-                                   struct in6_addr *daddr,
+                                   const struct in6_addr *daddr,
                                   __wsum base)
 {
        return csum_ipv6_magic(saddr, daddr, len, IPPROTO_TCP, base);
@@ -331,7 +331,7 @@ failure:
 static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                u8 type, u8 code, int offset, __be32 info)
 {
-        struct ipv6hdr *hdr = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *hdr = (const struct ipv6hdr*)skb->data;
        const struct tcphdr *th = (struct tcphdr *)(skb->data+offset);
        struct ipv6_pinfo *np;
        struct sock *sk;
@@ -551,7 +551,7 @@ static void tcp_v6_reqsk_destructor(struct request_sock *req)
 #ifdef CONFIG_TCP_MD5SIG
 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
-                                                   struct in6_addr *addr)
+                                                   const struct in6_addr *addr)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        int i;
@@ -580,7 +580,7 @@ static struct tcp_md5sig_key *tcp_v6_reqsk_md5_lookup(struct sock *sk,
        return tcp_v6_md5_do_lookup(sk, &inet6_rsk(req)->rmt_addr);
 }
-static int tcp_v6_md5_do_add(struct sock *sk, struct in6_addr *peer,
+static int tcp_v6_md5_do_add(struct sock *sk, const struct in6_addr *peer,
                             char *newkey, u8 newkeylen)
 {
        /* Add key to the list */
@@ -645,7 +645,7 @@ static int tcp_v6_md5_add_func(struct sock *sk, struct sock *addr_sk,
                                 newkey, newkeylen);
 }
-static int tcp_v6_md5_do_del(struct sock *sk, struct in6_addr *peer)
+static int tcp_v6_md5_do_del(struct sock *sk, const struct in6_addr *peer)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        int i;
@@ -753,8 +753,8 @@ static int tcp_v6_parse_md5_keys (struct sock *sk, char __user *optval,
 }
 static int tcp_v6_md5_hash_pseudoheader(struct tcp_md5sig_pool *hp,
-                                        struct in6_addr *daddr,
+                                        const struct in6_addr *daddr,
-                                        struct in6_addr *saddr, int nbytes)
+                                        const struct in6_addr *saddr, int nbytes)
 {
        struct tcp6_pseudohdr *bp;
        struct scatterlist sg;
@@ -771,7 +771,7 @@ static int tcp_v6_md5_hash_pseudoheader(struct tcp_md5sig_pool *hp,
 }
 static int tcp_v6_md5_hash_hdr(char *md5_hash, struct tcp_md5sig_key *key,
-                               struct in6_addr *daddr, struct in6_addr *saddr,
+                               const struct in6_addr *daddr, struct in6_addr *saddr,
                               struct tcphdr *th)
 {
        struct tcp_md5sig_pool *hp;
@@ -807,7 +807,7 @@ static int tcp_v6_md5_hash_skb(char *md5_hash, struct tcp_md5sig_key *key,
                               struct sock *sk, struct request_sock *req,
                               struct sk_buff *skb)
 {
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
        struct tcp_md5sig_pool *hp;
        struct hash_desc *desc;
        struct tcphdr *th = tcp_hdr(skb);
@@ -819,7 +819,7 @@ static int tcp_v6_md5_hash_skb(char *md5_hash, struct tcp_md5sig_key *key,
                saddr = &inet6_rsk(req)->loc_addr;
                daddr = &inet6_rsk(req)->rmt_addr;
        } else {
-                struct ipv6hdr *ip6h = ipv6_hdr(skb);
+                const struct ipv6hdr *ip6h = ipv6_hdr(skb);
                saddr = &ip6h->saddr;
                daddr = &ip6h->daddr;
        }
@@ -857,7 +857,7 @@ static int tcp_v6_inbound_md5_hash (struct sock *sk, struct sk_buff *skb)
 {
        __u8 *hash_location = NULL;
        struct tcp_md5sig_key *hash_expected;
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        struct tcphdr *th = tcp_hdr(skb);
        int genhash;
        u8 newhash[16];
@@ -915,7 +915,7 @@ static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
 #endif
 static void __tcp_v6_send_check(struct sk_buff *skb,
-                                struct in6_addr *saddr, struct in6_addr *daddr)
+                                const struct in6_addr *saddr, const struct in6_addr *daddr)
 {
        struct tcphdr *th = tcp_hdr(skb);
@@ -939,7 +939,7 @@ static void tcp_v6_send_check(struct sock *sk, struct sk_buff *skb)
 static int tcp_v6_gso_send_check(struct sk_buff *skb)
 {
-        struct ipv6hdr *ipv6h;
+        const struct ipv6hdr *ipv6h;
        struct tcphdr *th;
        if (!pskb_may_pull(skb, sizeof(*th)))
@@ -957,7 +957,7 @@ static int tcp_v6_gso_send_check(struct sk_buff *skb)
 static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
                                         struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = skb_gro_network_header(skb);
+        const struct ipv6hdr *iph = skb_gro_network_header(skb);
        switch (skb->ip_summed) {
        case CHECKSUM_COMPLETE:
@@ -978,7 +978,7 @@ static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
 static int tcp6_gro_complete(struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct tcphdr *th = tcp_hdr(skb);
        th->check = ~tcp_v6_check(skb->len - skb_transport_offset(skb),
@@ -1469,7 +1469,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
           First: no IPv4 options.
         */
-        newinet->opt = NULL;
+        newinet->inet_opt = NULL;
        newnp->ipv6_fl_list = NULL;
        /* Clone RX bits */
@@ -1644,6 +1644,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
                 * the new socket..
                 */
                if(nsk != sk) {
+                        sock_rps_save_rxhash(nsk, skb->rxhash);
                        if (tcp_child_process(sk, nsk, skb))
                                goto reset;
                        if (opt_skb)
@@ -1702,7 +1703,7 @@ ipv6_pktoptions:
 static int tcp_v6_rcv(struct sk_buff *skb)
 {
        struct tcphdr *th;
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        struct sock *sk;
        int ret;
        struct net *net = dev_net(skb->dev);
@@ -2028,15 +2029,15 @@ static void get_openreq6(struct seq_file *seq,
                         struct sock *sk, struct request_sock *req, int i, int uid)
 {
        int ttd = req->expires - jiffies;
-        struct in6_addr *src = &inet6_rsk(req)->loc_addr;
+        const struct in6_addr *src = &inet6_rsk(req)->loc_addr;
-        struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
+        const struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
        if (ttd < 0)
                ttd = 0;
        seq_printf(seq,
                   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
+                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
                   i,
                   src->s6_addr32[0], src->s6_addr32[1],
                   src->s6_addr32[2], src->s6_addr32[3],
@@ -2057,7 +2058,7 @@ static void get_openreq6(struct seq_file *seq,
 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
 {
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        int timer_active;
        unsigned long timer_expires;
@@ -2087,7 +2088,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
        seq_printf(seq,
                   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %lu %lu %u %u %d\n",
+                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %lu %lu %u %u %d\n",
                   i,
                   src->s6_addr32[0], src->s6_addr32[1],
                   src->s6_addr32[2], src->s6_addr32[3], srcp,
@@ -2114,7 +2115,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
 static void get_timewait6_sock(struct seq_file *seq,
                               struct inet_timewait_sock *tw, int i)
 {
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        struct inet6_timewait_sock *tw6 = inet6_twsk((struct sock *)tw);
        int ttd = tw->tw_ttd - jiffies;
@@ -2129,7 +2130,7 @@ static void get_timewait6_sock(struct seq_file *seq,
        seq_printf(seq,
                   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
+                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
                   i,
                   src->s6_addr32[0], src->s6_addr32[1],
                   src->s6_addr32[2], src->s6_addr32[3], srcp,
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 9e305d74b3d4..328985c40883 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -311,7 +311,7 @@ static struct sock *__udp6_lib_lookup_skb(struct sk_buff *skb,
                                          struct udp_table *udptable)
 {
        struct sock *sk;
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        if (unlikely(sk = skb_steal_sock(skb)))
                return sk;
@@ -453,8 +453,11 @@ csum_copy_err:
        }
        unlock_sock_fast(sk, slow);
-        if (flags & MSG_DONTWAIT)
+        if (noblock)
                return -EAGAIN;
+        /* starting over for a new packet */
+        msg->msg_flags &= ~MSG_TRUNC;
        goto try_again;
 }
@@ -463,9 +466,9 @@ void __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                    struct udp_table *udptable)
 {
        struct ipv6_pinfo *np;
-        struct ipv6hdr *hdr = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
-        struct in6_addr *saddr = &hdr->saddr;
+        const struct in6_addr *saddr = &hdr->saddr;
-        struct in6_addr *daddr = &hdr->daddr;
+        const struct in6_addr *daddr = &hdr->daddr;
        struct udphdr *uh = (struct udphdr*)(skb->data+offset);
        struct sock *sk;
        int err;
@@ -553,8 +556,8 @@ drop_no_sk_drops_inc:
 }
 static struct sock *udp_v6_mcast_next(struct net *net, struct sock *sk,
-                                      __be16 loc_port, struct in6_addr *loc_addr,
+                                      __be16 loc_port, const struct in6_addr *loc_addr,
-                                      __be16 rmt_port, struct in6_addr *rmt_addr,
+                                      __be16 rmt_port, const struct in6_addr *rmt_addr,
                                      int dif)
 {
        struct hlist_nulls_node *node;
@@ -633,7 +636,7 @@ drop:
 * so we don't need to lock the hashes.
 */
 static int __udp6_lib_mcast_deliver(struct net *net, struct sk_buff *skb,
-                struct in6_addr *saddr, struct in6_addr *daddr,
+                const struct in6_addr *saddr, const struct in6_addr *daddr,
                struct udp_table *udptable)
 {
        struct sock *sk, *stack[256 / sizeof(struct sock *)];
@@ -716,7 +719,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
        struct net *net = dev_net(skb->dev);
        struct sock *sk;
        struct udphdr *uh;
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
        u32 ulen = 0;
        if (!pskb_may_pull(skb, sizeof(struct udphdr)))
@@ -1278,7 +1281,7 @@ int compat_udpv6_getsockopt(struct sock *sk, int level, int optname,
 static int udp6_ufo_send_check(struct sk_buff *skb)
 {
-        struct ipv6hdr *ipv6h;
+        const struct ipv6hdr *ipv6h;
        struct udphdr *uh;
        if (!pskb_may_pull(skb, sizeof(*uh)))
@@ -1328,7 +1331,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
        /* Do software UFO. Complete and fill in the UDP checksum as HW cannot
         * do checksum of UDP packets sent as multiple IP fragments.
         */
-        offset = skb->csum_start - skb_headroom(skb);
+        offset = skb_checksum_start_offset(skb);
        csum = skb_checksum(skb, offset, skb->len- offset, 0);
        offset += skb->csum_offset;
        *(__sum16 *)(skb->data + offset) = csum_fold(csum);
@@ -1382,7 +1385,7 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket
 {
        struct inet_sock *inet = inet_sk(sp);
        struct ipv6_pinfo *np = inet6_sk(sp);
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        dest  = &np->daddr;
@@ -1391,7 +1394,7 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket
        srcp  = ntohs(inet->inet_sport);
        seq_printf(seq,
                   "%5d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
+                   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
                   bucket,
                   src->s6_addr32[0], src->s6_addr32[1],
                   src->s6_addr32[2], src->s6_addr32[3], srcp,
diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
index bbd48b101bae..3437d7d4eed6 100644
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -41,10 +41,8 @@ static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
 {
        struct ipv6hdr *top_iph;
        struct ip_beet_phdr *ph;
-        struct iphdr *iphv4;
        int optlen, hdr_len;
-        iphv4 = ip_hdr(skb);
        hdr_len = 0;
        optlen = XFRM_MODE_SKB_CB(skb)->optlen;
        if (unlikely(optlen))
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index 645cb968d450..4d6edff0498f 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -20,7 +20,7 @@
 static inline void ipip6_ecn_decapsulate(struct sk_buff *skb)
 {
-        struct ipv6hdr *outer_iph = ipv6_hdr(skb);
+        const struct ipv6hdr *outer_iph = ipv6_hdr(skb);
        struct ipv6hdr *inner_iph = ipipv6_hdr(skb);
        if (INET_ECN_is_ce(ipv6_get_dsfield(outer_iph)))
@@ -55,8 +55,8 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
                dsfield &= ~INET_ECN_MASK;
        ipv6_change_dsfield(top_iph, 0, dsfield);
        top_iph->hop_limit = ip6_dst_hoplimit(dst->child);
-        ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
+        ipv6_addr_copy(&top_iph->saddr, (const struct in6_addr *)&x->props.saddr);
-        ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
+        ipv6_addr_copy(&top_iph->daddr, (const struct in6_addr *)&x->id.daddr);
        return 0;
 }
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 05e34c8ec913..d879f7efbd10 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -124,7 +124,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
        u16 offset = skb_network_header_len(skb);
-        struct ipv6hdr *hdr = ipv6_hdr(skb);
+        const struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct ipv6_opt_hdr *exthdr;
        const unsigned char *nh = skb_network_header(skb);
        u8 nexthdr = nh[IP6CB(skb)->nhoff];
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 2969cad408de..4fe1db12d2a3 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -68,7 +68,7 @@ static DEFINE_SPINLOCK(xfrm6_tunnel_spi_lock);
 static struct kmem_cache *xfrm6_tunnel_spi_kmem __read_mostly;
-static inline unsigned xfrm6_tunnel_spi_hash_byaddr(xfrm_address_t *addr)
+static inline unsigned xfrm6_tunnel_spi_hash_byaddr(const xfrm_address_t *addr)
 {
        unsigned h;
@@ -85,7 +85,7 @@ static inline unsigned xfrm6_tunnel_spi_hash_byspi(u32 spi)
        return spi % XFRM6_TUNNEL_SPI_BYSPI_HSIZE;
 }
-static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(struct net *net, xfrm_address_t *saddr)
+static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr)
 {
        struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
        struct xfrm6_tunnel_spi *x6spi;
@@ -101,7 +101,7 @@ static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(struct net *net, xfrm_
        return NULL;
 }
-__be32 xfrm6_tunnel_spi_lookup(struct net *net, xfrm_address_t *saddr)
+__be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr)
 {
        struct xfrm6_tunnel_spi *x6spi;
        u32 spi;
@@ -237,11 +237,11 @@ static int xfrm6_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
 static int xfrm6_tunnel_rcv(struct sk_buff *skb)
 {
        struct net *net = dev_net(skb->dev);
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        __be32 spi;
-        spi = xfrm6_tunnel_spi_lookup(net, (xfrm_address_t *)&iph->saddr);
+        spi = xfrm6_tunnel_spi_lookup(net, (const xfrm_address_t *)&iph->saddr);
-        return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi) > 0 ? : 0;
+        return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi);
 }
 static int xfrm6_tunnel_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/irda/ircomm/ircomm_core.c b/net/irda/ircomm/ircomm_core.c
index e97082017f4f..52079f19bbbe 100644
--- a/net/irda/ircomm/ircomm_core.c
+++ b/net/irda/ircomm/ircomm_core.c
@@ -244,14 +244,8 @@ EXPORT_SYMBOL(ircomm_connect_request);
 void ircomm_connect_indication(struct ircomm_cb *self, struct sk_buff *skb,
                               struct ircomm_info *info)
 {
-        int clen = 0;
        IRDA_DEBUG(2, "%s()\n", __func__ );
-        /* Check if the packet contains data on the control channel */
-        if (skb->len > 0)
-                clen = skb->data[0];
        /*
         * If there are any data hiding in the control channel, we must
         * deliver it first. The side effect is that the control channel
diff --git a/net/irda/ircomm/ircomm_lmp.c b/net/irda/ircomm/ircomm_lmp.c
index 08fb54dc8c41..3b8095c771d4 100644
--- a/net/irda/ircomm/ircomm_lmp.c
+++ b/net/irda/ircomm/ircomm_lmp.c
@@ -75,7 +75,6 @@ static int ircomm_lmp_connect_response(struct ircomm_cb *self,
                                       struct sk_buff *userdata)
 {
        struct sk_buff *tx_skb;
-        int ret;
        IRDA_DEBUG(0, "%s()\n", __func__ );
@@ -100,9 +99,7 @@ static int ircomm_lmp_connect_response(struct ircomm_cb *self,
                tx_skb = userdata;
        }
-        ret = irlmp_connect_response(self->lsap, tx_skb);
+        return irlmp_connect_response(self->lsap, tx_skb);
-        return 0;
 }
 static int ircomm_lmp_disconnect_request(struct ircomm_cb *self,
diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
index a39cca8331df..b3cc8b3989a9 100644
--- a/net/irda/ircomm/ircomm_tty.c
+++ b/net/irda/ircomm/ircomm_tty.c
@@ -38,6 +38,7 @@
 #include <linux/seq_file.h>
 #include <linux/termios.h>
 #include <linux/tty.h>
+#include <linux/tty_flip.h>
 #include <linux/interrupt.h>
 #include <linux/device.h>               /* for MODULE_ALIAS_CHARDEV_MAJOR */
@@ -1132,7 +1133,6 @@ static int ircomm_tty_data_indication(void *instance, void *sap,
                                      struct sk_buff *skb)
 {
        struct ircomm_tty_cb *self = (struct ircomm_tty_cb *) instance;
-        struct tty_ldisc *ld;
        IRDA_DEBUG(2, "%s()\n", __func__ );
@@ -1161,15 +1161,11 @@ static int ircomm_tty_data_indication(void *instance, void *sap,
        }
        /*
-         * Just give it over to the line discipline. There is no need to
+         * Use flip buffer functions since the code may be called from interrupt
-         * involve the flip buffers, since we are not running in an interrupt
+         * context
-         * handler
         */
+        tty_insert_flip_string(self->tty, skb->data, skb->len);
-        ld = tty_ldisc_ref(self->tty);
+        tty_flip_buffer_push(self->tty);
-        if (ld)
-                ld->ops->receive_buf(self->tty, skb->data, NULL, skb->len);
-        tty_ldisc_deref(ld);
        /* No need to kfree_skb - see ircomm_ttp_data_indication() */
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index 36477538cea8..f876eed7d4aa 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -87,6 +87,8 @@ static inline void iriap_start_watchdog_timer(struct iriap_cb *self,
                         iriap_watchdog_timer_expired);
 }
+static struct lock_class_key irias_objects_key;
 /*
 * Function iriap_init (void)
 *
@@ -114,6 +116,9 @@ int __init iriap_init(void)
                return -ENOMEM;
        }
+        lockdep_set_class_and_name(&irias_objects->hb_spinlock, &irias_objects_key,
+                                   "irias_objects");
        /*
         *  Register some default services for IrLMP
         */
diff --git a/net/irda/irlan/irlan_filter.c b/net/irda/irlan/irlan_filter.c
index 9ff7823abec7..7977be7caf0f 100644
--- a/net/irda/irlan/irlan_filter.c
+++ b/net/irda/irlan/irlan_filter.c
@@ -143,12 +143,8 @@ void irlan_filter_request(struct irlan_cb *self, struct sk_buff *skb)
 */
 void irlan_check_command_param(struct irlan_cb *self, char *param, char *value)
 {
-        __u8 *bytes;
        IRDA_DEBUG(4, "%s()\n", __func__ );
-        bytes = value;
        IRDA_ASSERT(self != NULL, return;);
        IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
diff --git a/net/irda/irlan/irlan_provider.c b/net/irda/irlan/irlan_provider.c
index 5cf5e6c872bb..b8af74ab8b68 100644
--- a/net/irda/irlan/irlan_provider.c
+++ b/net/irda/irlan/irlan_provider.c
@@ -128,7 +128,6 @@ static void irlan_provider_connect_indication(void *instance, void *sap,
 {
        struct irlan_cb *self;
        struct tsap_cb *tsap;
-        __u32 saddr, daddr;
        IRDA_DEBUG(0, "%s()\n", __func__ );
@@ -141,8 +140,6 @@ static void irlan_provider_connect_indication(void *instance, void *sap,
        IRDA_ASSERT(tsap == self->provider.tsap_ctrl,return;);
        IRDA_ASSERT(self->provider.state == IRLAN_IDLE, return;);
-        daddr = irttp_get_daddr(tsap);
-        saddr = irttp_get_saddr(tsap);
        self->provider.max_sdu_size = max_sdu_size;
        self->provider.max_header_size = max_header_size;
diff --git a/net/irda/irlap_event.c b/net/irda/irlap_event.c
index bb47021c9a55..ccd214f9d196 100644
--- a/net/irda/irlap_event.c
+++ b/net/irda/irlap_event.c
@@ -2227,8 +2227,6 @@ static int irlap_state_nrm_s(struct irlap_cb *self, IRLAP_EVENT event,
 static int irlap_state_sclose(struct irlap_cb *self, IRLAP_EVENT event,
                              struct sk_buff *skb, struct irlap_info *info)
 {
-        int ret = 0;
        IRDA_DEBUG(1, "%s()\n", __func__);
        IRDA_ASSERT(self != NULL, return -ENODEV;);
@@ -2289,7 +2287,6 @@ static int irlap_state_sclose(struct irlap_cb *self, IRLAP_EVENT event,
                IRDA_DEBUG(1, "%s(), Unknown event %d, (%s)\n", __func__,
                           event, irlap_event[event]);
-                ret = -EINVAL;
                break;
        }
diff --git a/net/irda/irproc.c b/net/irda/irproc.c
index 318766e5dbdf..b9ac598e2116 100644
--- a/net/irda/irproc.c
+++ b/net/irda/irproc.c
@@ -65,15 +65,14 @@ static const struct irda_entry irda_dirs[] = {
 void __init irda_proc_register(void)
 {
        int i;
-        struct proc_dir_entry *d;
        proc_irda = proc_mkdir("irda", init_net.proc_net);
        if (proc_irda == NULL)
                return;
        for (i = 0; i < ARRAY_SIZE(irda_dirs); i++)
-                d = proc_create(irda_dirs[i].name, 0, proc_irda,
+                (void) proc_create(irda_dirs[i].name, 0, proc_irda,
-                                irda_dirs[i].fops);
+                                   irda_dirs[i].fops);
 }
 /*
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 986b2a5e8769..e2013e434d03 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -190,7 +190,6 @@ static int afiucv_pm_freeze(struct device *dev)
 */
 static int afiucv_pm_restore_thaw(struct device *dev)
 {
-        struct iucv_sock *iucv;
        struct sock *sk;
        struct hlist_node *node;
@@ -199,7 +198,6 @@ static int afiucv_pm_restore_thaw(struct device *dev)
 #endif
        read_lock(&iucv_sk_list.lock);
        sk_for_each(sk, node, &iucv_sk_list.head) {
-                iucv = iucv_sk(sk);
                switch (sk->sk_state) {
                case IUCV_CONNECTED:
                        sk->sk_err = EPIPE;
@@ -381,7 +379,6 @@ static void iucv_sock_close(struct sock *sk)
 {
        unsigned char user_data[16];
        struct iucv_sock *iucv = iucv_sk(sk);
-        int err;
        unsigned long timeo;
        iucv_sock_clear_timer(sk);
@@ -394,8 +391,6 @@ static void iucv_sock_close(struct sock *sk)
        case IUCV_CONNECTED:
        case IUCV_DISCONN:
-                err = 0;
                sk->sk_state = IUCV_CLOSING;
                sk->sk_state_change(sk);
@@ -404,7 +399,7 @@ static void iucv_sock_close(struct sock *sk)
                                timeo = sk->sk_lingertime;
                        else
                                timeo = IUCV_DISCONN_TIMEOUT;
-                        err = iucv_sock_wait(sk,
+                        iucv_sock_wait(sk,
                                        iucv_sock_in_state(sk, IUCV_CLOSED, 0),
                                        timeo);
                }
@@ -417,7 +412,7 @@ static void iucv_sock_close(struct sock *sk)
                        low_nmcpy(user_data, iucv->src_name);
                        high_nmcpy(user_data, iucv->dst_name);
                        ASCEBC(user_data, sizeof(user_data));
-                        err = iucv_path_sever(iucv->path, user_data);
+                        iucv_path_sever(iucv->path, user_data);
                        iucv_path_free(iucv->path);
                        iucv->path = NULL;
                }
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index 8f156bd86be7..7f9124914b13 100644
--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -54,7 +54,7 @@
 #include <asm/atomic.h>
 #include <asm/ebcdic.h>
 #include <asm/io.h>
-#include <asm/s390_ext.h>
+#include <asm/irq.h>
 #include <asm/smp.h>
 /*
@@ -128,8 +128,8 @@ struct iucv_irq_list {
 };
 static struct iucv_irq_data *iucv_irq_data[NR_CPUS];
-static cpumask_t iucv_buffer_cpumask = CPU_MASK_NONE;
+static cpumask_t iucv_buffer_cpumask = { CPU_BITS_NONE };
-static cpumask_t iucv_irq_cpumask = CPU_MASK_NONE;
+static cpumask_t iucv_irq_cpumask = { CPU_BITS_NONE };
 /*
 * Queue of interrupt buffers lock for delivery via the tasklet
@@ -406,7 +406,7 @@ static void iucv_allow_cpu(void *data)
        parm->set_mask.ipmask = 0xf8;
        iucv_call_b2f0(IUCV_SETCONTROLMASK, parm);
        /* Set indication that iucv interrupts are allowed for this cpu. */
-        cpu_set(cpu, iucv_irq_cpumask);
+        cpumask_set_cpu(cpu, &iucv_irq_cpumask);
 }
 /**
@@ -426,7 +426,7 @@ static void iucv_block_cpu(void *data)
        iucv_call_b2f0(IUCV_SETMASK, parm);
        /* Clear indication that iucv interrupts are allowed for this cpu. */
-        cpu_clear(cpu, iucv_irq_cpumask);
+        cpumask_clear_cpu(cpu, &iucv_irq_cpumask);
 }
 /**
@@ -451,7 +451,7 @@ static void iucv_block_cpu_almost(void *data)
        iucv_call_b2f0(IUCV_SETCONTROLMASK, parm);
        /* Clear indication that iucv interrupts are allowed for this cpu. */
-        cpu_clear(cpu, iucv_irq_cpumask);
+        cpumask_clear_cpu(cpu, &iucv_irq_cpumask);
 }
 /**
@@ -466,7 +466,7 @@ static void iucv_declare_cpu(void *data)
        union iucv_param *parm;
        int rc;
-        if (cpu_isset(cpu, iucv_buffer_cpumask))
+        if (cpumask_test_cpu(cpu, &iucv_buffer_cpumask))
                return;
        /* Declare interrupt buffer. */
@@ -499,9 +499,9 @@ static void iucv_declare_cpu(void *data)
        }
        /* Set indication that an iucv buffer exists for this cpu. */
-        cpu_set(cpu, iucv_buffer_cpumask);
+        cpumask_set_cpu(cpu, &iucv_buffer_cpumask);
-        if (iucv_nonsmp_handler == 0 || cpus_empty(iucv_irq_cpumask))
+        if (iucv_nonsmp_handler == 0 || cpumask_empty(&iucv_irq_cpumask))
                /* Enable iucv interrupts on this cpu. */
                iucv_allow_cpu(NULL);
        else
@@ -520,7 +520,7 @@ static void iucv_retrieve_cpu(void *data)
        int cpu = smp_processor_id();
        union iucv_param *parm;
-        if (!cpu_isset(cpu, iucv_buffer_cpumask))
+        if (!cpumask_test_cpu(cpu, &iucv_buffer_cpumask))
                return;
        /* Block iucv interrupts. */
@@ -531,7 +531,7 @@ static void iucv_retrieve_cpu(void *data)
        iucv_call_b2f0(IUCV_RETRIEVE_BUFFER, parm);
        /* Clear indication that an iucv buffer exists for this cpu. */
-        cpu_clear(cpu, iucv_buffer_cpumask);
+        cpumask_clear_cpu(cpu, &iucv_buffer_cpumask);
 }
 /**
@@ -546,8 +546,8 @@ static void iucv_setmask_mp(void)
        get_online_cpus();
        for_each_online_cpu(cpu)
                /* Enable all cpus with a declared buffer. */
-                if (cpu_isset(cpu, iucv_buffer_cpumask) &&
+                if (cpumask_test_cpu(cpu, &iucv_buffer_cpumask) &&
-                    !cpu_isset(cpu, iucv_irq_cpumask))
+                    !cpumask_test_cpu(cpu, &iucv_irq_cpumask))
                        smp_call_function_single(cpu, iucv_allow_cpu,
                                                 NULL, 1);
        put_online_cpus();
@@ -564,9 +564,9 @@ static void iucv_setmask_up(void)
        int cpu;
        /* Disable all cpu but the first in cpu_irq_cpumask. */
-        cpumask = iucv_irq_cpumask;
+        cpumask_copy(&cpumask, &iucv_irq_cpumask);
-        cpu_clear(first_cpu(iucv_irq_cpumask), cpumask);
+        cpumask_clear_cpu(cpumask_first(&iucv_irq_cpumask), &cpumask);
-        for_each_cpu_mask_nr(cpu, cpumask)
+        for_each_cpu(cpu, &cpumask)
                smp_call_function_single(cpu, iucv_block_cpu, NULL, 1);
 }
@@ -593,7 +593,7 @@ static int iucv_enable(void)
        rc = -EIO;
        for_each_online_cpu(cpu)
                smp_call_function_single(cpu, iucv_declare_cpu, NULL, 1);
-        if (cpus_empty(iucv_buffer_cpumask))
+        if (cpumask_empty(&iucv_buffer_cpumask))
                /* No cpu could declare an iucv buffer. */
                goto out;
        put_online_cpus();
@@ -675,15 +675,16 @@ static int __cpuinit iucv_cpu_notify(struct notifier_block *self,
        case CPU_DOWN_PREPARE_FROZEN:
                if (!iucv_path_table)
                        break;
-                cpumask = iucv_buffer_cpumask;
+                cpumask_copy(&cpumask, &iucv_buffer_cpumask);
-                cpu_clear(cpu, cpumask);
+                cpumask_clear_cpu(cpu, &cpumask);
-                if (cpus_empty(cpumask))
+                if (cpumask_empty(&cpumask))
                        /* Can't offline last IUCV enabled cpu. */
                        return notifier_from_errno(-EINVAL);
                smp_call_function_single(cpu, iucv_retrieve_cpu, NULL, 1);
-                if (cpus_empty(iucv_irq_cpumask))
+                if (cpumask_empty(&iucv_irq_cpumask))
-                        smp_call_function_single(first_cpu(iucv_buffer_cpumask),
+                        smp_call_function_single(
-                                                 iucv_allow_cpu, NULL, 1);
+                                cpumask_first(&iucv_buffer_cpumask),
+                                iucv_allow_cpu, NULL, 1);
                break;
        }
        return NOTIFY_OK;
@@ -828,14 +829,14 @@ EXPORT_SYMBOL(iucv_unregister);
 static int iucv_reboot_event(struct notifier_block *this,
                             unsigned long event, void *ptr)
 {
-        int i, rc;
+        int i;
        get_online_cpus();
        on_each_cpu(iucv_block_cpu, NULL, 1);
        preempt_disable();
        for (i = 0; i < iucv_max_pathid; i++) {
                if (iucv_path_table[i])
-                        rc = iucv_sever_pathid(i, NULL);
+                        iucv_sever_pathid(i, NULL);
        }
        preempt_enable();
        put_online_cpus();
@@ -866,7 +867,7 @@ int iucv_path_accept(struct iucv_path *path, struct iucv_handler *handler,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -915,7 +916,7 @@ int iucv_path_connect(struct iucv_path *path, struct iucv_handler *handler,
        spin_lock_bh(&iucv_table_lock);
        iucv_cleanup_queue();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -975,7 +976,7 @@ int iucv_path_quiesce(struct iucv_path *path, u8 userdata[16])
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1007,7 +1008,7 @@ int iucv_path_resume(struct iucv_path *path, u8 userdata[16])
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1036,7 +1037,7 @@ int iucv_path_sever(struct iucv_path *path, u8 userdata[16])
        int rc;
        preempt_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1070,7 +1071,7 @@ int iucv_message_purge(struct iucv_path *path, struct iucv_message *msg,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1162,7 +1163,7 @@ int __iucv_message_receive(struct iucv_path *path, struct iucv_message *msg,
        if (msg->flags & IUCV_IPRMDATA)
                return iucv_message_receive_iprmdata(path, msg, flags,
                                                     buffer, size, residual);
-        if (cpus_empty(iucv_buffer_cpumask)) {
+         if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1235,7 +1236,7 @@ int iucv_message_reject(struct iucv_path *path, struct iucv_message *msg)
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1274,7 +1275,7 @@ int iucv_message_reply(struct iucv_path *path, struct iucv_message *msg,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1324,7 +1325,7 @@ int __iucv_message_send(struct iucv_path *path, struct iucv_message *msg,
        union iucv_param *parm;
        int rc;
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1411,7 +1412,7 @@ int iucv_message_send2way(struct iucv_path *path, struct iucv_message *msg,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1888,7 +1889,7 @@ static int iucv_pm_freeze(struct device *dev)
        printk(KERN_WARNING "iucv_pm_freeze\n");
 #endif
        if (iucv_pm_state != IUCV_PM_FREEZING) {
-                for_each_cpu_mask_nr(cpu, iucv_irq_cpumask)
+                for_each_cpu(cpu, &iucv_irq_cpumask)
                        smp_call_function_single(cpu, iucv_block_cpu_almost,
                                                 NULL, 1);
                cancel_work_sync(&iucv_work);
@@ -1928,7 +1929,7 @@ static int iucv_pm_thaw(struct device *dev)
                if (rc)
                        goto out;
        }
-        if (cpus_empty(iucv_irq_cpumask)) {
+        if (cpumask_empty(&iucv_irq_cpumask)) {
                if (iucv_nonsmp_handler)
                        /* enable interrupts on one cpu */
                        iucv_allow_cpu(NULL);
@@ -1961,7 +1962,7 @@ static int iucv_pm_restore(struct device *dev)
                pr_warning("Suspending Linux did not completely close all IUCV "
                        "connections\n");
        iucv_pm_state = IUCV_PM_RESTORING;
-        if (cpus_empty(iucv_irq_cpumask)) {
+        if (cpumask_empty(&iucv_irq_cpumask)) {
                rc = iucv_query_maxconn();
                rc = iucv_enable();
                if (rc)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 7db86ffcf070..8f92cf8116ea 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -712,7 +712,7 @@ static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port
                sin6->sin6_family = AF_INET6;
                sin6->sin6_port = port;
                sin6->sin6_flowinfo = 0;
-                ipv6_addr_copy(&sin6->sin6_addr, (struct in6_addr *)xaddr->a6);
+                ipv6_addr_copy(&sin6->sin6_addr, (const struct in6_addr *)xaddr->a6);
                sin6->sin6_scope_id = 0;
                return 128;
            }
@@ -3656,7 +3656,7 @@ static int pfkey_seq_show(struct seq_file *f, void *v)
        if (v == SEQ_START_TOKEN)
                seq_printf(f ,"sk       RefCnt Rmem   Wmem   User   Inode\n");
        else
-                seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
+                seq_printf(f, "%pK %-6d %-6u %-6u %-6u %-6lu\n",
                               s,
                               atomic_read(&s->sk_refcnt),
                               sk_rmem_alloc_get(s),
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index c64ce0a0bb03..ed8a2335442f 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -954,7 +954,7 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
 }
 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
-                          size_t data_len)
+                          struct flowi *fl, size_t data_len)
 {
        struct l2tp_tunnel *tunnel = session->tunnel;
        unsigned int len = skb->len;
@@ -987,7 +987,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
        /* Queue the packet to IP for output */
        skb->local_df = 1;
-        error = ip_queue_xmit(skb);
+        error = ip_queue_xmit(skb, fl);
        /* Update stats */
        if (error >= 0) {
@@ -1028,6 +1028,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
        int data_len = skb->len;
        struct l2tp_tunnel *tunnel = session->tunnel;
        struct sock *sk = tunnel->sock;
+        struct flowi *fl;
        struct udphdr *uh;
        struct inet_sock *inet;
        __wsum csum;
@@ -1060,14 +1061,21 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
                              IPSKB_REROUTED);
        nf_reset(skb);
+        bh_lock_sock(sk);
+        if (sock_owned_by_user(sk)) {
+                dev_kfree_skb(skb);
+                goto out_unlock;
+        }
        /* Get routing info from the tunnel socket */
        skb_dst_drop(skb);
        skb_dst_set(skb, dst_clone(__sk_dst_get(sk)));
+        inet = inet_sk(sk);
+        fl = &inet->cork.fl;
        switch (tunnel->encap) {
        case L2TP_ENCAPTYPE_UDP:
                /* Setup UDP header */
-                inet = inet_sk(sk);
                __skb_push(skb, sizeof(*uh));
                skb_reset_transport_header(skb);
                uh = udp_hdr(skb);
@@ -1105,7 +1113,9 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
        l2tp_skb_set_owner_w(skb, sk);
-        l2tp_xmit_core(session, skb, data_len);
+        l2tp_xmit_core(session, skb, fl, data_len);
+out_unlock:
+        bh_unlock_sock(sk);
 abort:
        return 0;
@@ -1425,16 +1435,15 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        /* Add tunnel to our list */
        INIT_LIST_HEAD(&tunnel->list);
-        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
-        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
-        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
-        synchronize_rcu();
        atomic_inc(&l2tp_tunnel_count);
        /* Bump the reference count. The tunnel context is deleted
-         * only when this drops to zero.
+         * only when this drops to zero. Must be done before list insertion
         */
        l2tp_tunnel_inc_refcount(tunnel);
+        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
+        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
        err = 0;
 err:
@@ -1626,7 +1635,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
                        hlist_add_head_rcu(&session->global_hlist,
                                           l2tp_session_id_hash_2(pn, session_id));
                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
-                        synchronize_rcu();
                }
                /* Ignore management session in session count value */
diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
index b8dbae82fab8..76130134bfa6 100644
--- a/net/l2tp/l2tp_debugfs.c
+++ b/net/l2tp/l2tp_debugfs.c
@@ -258,7 +258,7 @@ static int l2tp_dfs_seq_open(struct inode *inode, struct file *file)
         */
        pd->net = get_net_ns_by_pid(current->pid);
        if (IS_ERR(pd->net)) {
-                rc = -PTR_ERR(pd->net);
+                rc = PTR_ERR(pd->net);
                goto err_free_pd;
        }
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 5c04f3e42704..b6466e71f5e1 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -296,12 +296,12 @@ out_in_use:
 static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
-        int rc;
-        struct inet_sock *inet = inet_sk(sk);
        struct sockaddr_l2tpip *lsa = (struct sockaddr_l2tpip *) uaddr;
+        struct inet_sock *inet = inet_sk(sk);
+        struct flowi4 *fl4;
        struct rtable *rt;
        __be32 saddr;
-        int oif;
+        int oif, rc;
        rc = -EINVAL;
        if (addr_len < sizeof(*lsa))
@@ -311,6 +311,8 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        if (lsa->l2tp_family != AF_INET)
                goto out;
+        lock_sock(sk);
        sk_dst_reset(sk);
        oif = sk->sk_bound_dev_if;
@@ -320,7 +322,8 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        if (ipv4_is_multicast(lsa->l2tp_addr.s_addr))
                goto out;
-        rt = ip_route_connect(lsa->l2tp_addr.s_addr, saddr,
+        fl4 = &inet->cork.fl.u.ip4;
+        rt = ip_route_connect(fl4, lsa->l2tp_addr.s_addr, saddr,
                              RT_CONN_FLAGS(sk), oif,
                              IPPROTO_L2TP,
                              0, 0, sk, true);
@@ -340,10 +343,10 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        l2tp_ip_sk(sk)->peer_conn_id = lsa->l2tp_conn_id;
        if (!inet->inet_saddr)
-                inet->inet_saddr = rt->rt_src;
+                inet->inet_saddr = fl4->saddr;
        if (!inet->inet_rcv_saddr)
-                inet->inet_rcv_saddr = rt->rt_src;
+                inet->inet_rcv_saddr = fl4->saddr;
-        inet->inet_daddr = rt->rt_dst;
+        inet->inet_daddr = fl4->daddr;
        sk->sk_state = TCP_ESTABLISHED;
        inet->inet_id = jiffies;
@@ -356,6 +359,7 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        rc = 0;
 out:
+        release_sock(sk);
        return rc;
 }
@@ -416,23 +420,28 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
        int rc;
        struct l2tp_ip_sock *lsa = l2tp_ip_sk(sk);
        struct inet_sock *inet = inet_sk(sk);
-        struct ip_options *opt = inet->opt;
        struct rtable *rt = NULL;
+        struct flowi4 *fl4;
        int connected = 0;
        __be32 daddr;
+        lock_sock(sk);
+        rc = -ENOTCONN;
        if (sock_flag(sk, SOCK_DEAD))
-                return -ENOTCONN;
+                goto out;
        /* Get and verify the address. */
        if (msg->msg_name) {
                struct sockaddr_l2tpip *lip = (struct sockaddr_l2tpip *) msg->msg_name;
+                rc = -EINVAL;
                if (msg->msg_namelen < sizeof(*lip))
-                        return -EINVAL;
+                        goto out;
                if (lip->l2tp_family != AF_INET) {
+                        rc = -EAFNOSUPPORT;
                        if (lip->l2tp_family != AF_UNSPEC)
-                                return -EAFNOSUPPORT;
+                                goto out;
                }
                daddr = lip->l2tp_addr.s_addr;
@@ -467,19 +476,27 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
                goto error;
        }
+        fl4 = &inet->cork.fl.u.ip4;
        if (connected)
                rt = (struct rtable *) __sk_dst_check(sk, 0);
        if (rt == NULL) {
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
                /* Use correct destination address if we have options. */
-                if (opt && opt->srr)
+                if (inet_opt && inet_opt->opt.srr)
-                        daddr = opt->faddr;
+                        daddr = inet_opt->opt.faddr;
+                rcu_read_unlock();
                /* If this fails, retransmit mechanism of transport layer will
                 * keep trying until route appears or the connection times
                 * itself out.
                 */
-                rt = ip_route_output_ports(sock_net(sk), sk,
+                rt = ip_route_output_ports(sock_net(sk), fl4, sk,
                                           daddr, inet->inet_saddr,
                                           inet->inet_dport, inet->inet_sport,
                                           sk->sk_protocol, RT_CONN_FLAGS(sk),
@@ -491,7 +508,7 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
        skb_dst_set(skb, dst_clone(&rt->dst));
        /* Queue the packet to IP for output */
-        rc = ip_queue_xmit(skb);
+        rc = ip_queue_xmit(skb, &inet->cork.fl);
 error:
        /* Update stats */
@@ -503,12 +520,15 @@ error:
                lsa->tx_errors++;
        }
+out:
+        release_sock(sk);
        return rc;
 no_route:
        IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
        kfree_skb(skb);
-        return -EHOSTUNREACH;
+        rc = -EHOSTUNREACH;
+        goto out;
 }
 static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 4c1e540732d7..93a41a09458b 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -795,11 +795,12 @@ int l2tp_nl_register_ops(enum l2tp_pwtype pw_type, const struct l2tp_nl_cmd_ops
                goto out;
        l2tp_nl_cmd_ops[pw_type] = ops;
+        ret = 0;
 out:
        genl_unlock();
 err:
-        return 0;
+        return ret;
 }
 EXPORT_SYMBOL_GPL(l2tp_nl_register_ops);
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index 513f85cc2ae1..f5fdfcbf552a 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -2,7 +2,6 @@ config MAC80211
        tristate "Generic IEEE 802.11 Networking Stack (mac80211)"
        depends on CFG80211
        select CRYPTO
-        select CRYPTO_ECB
        select CRYPTO_ARC4
        select CRYPTO_AES
        select CRC32
diff --git a/net/mac80211/aes_ccm.c b/net/mac80211/aes_ccm.c
index 4bd6ef0be380..b9b595c08112 100644
--- a/net/mac80211/aes_ccm.c
+++ b/net/mac80211/aes_ccm.c
@@ -54,13 +54,12 @@ void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch,
                               u8 *cdata, u8 *mic)
 {
        int i, j, last_len, num_blocks;
-        u8 *pos, *cpos, *b, *s_0, *e, *b_0, *aad;
+        u8 *pos, *cpos, *b, *s_0, *e, *b_0;
        b = scratch;
        s_0 = scratch + AES_BLOCK_LEN;
        e = scratch + 2 * AES_BLOCK_LEN;
        b_0 = scratch + 3 * AES_BLOCK_LEN;
-        aad = scratch + 4 * AES_BLOCK_LEN;
        num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN);
        last_len = data_len % AES_BLOCK_LEN;
@@ -94,13 +93,12 @@ int ieee80211_aes_ccm_decrypt(struct crypto_cipher *tfm, u8 *scratch,
                              u8 *cdata, size_t data_len, u8 *mic, u8 *data)
 {
        int i, j, last_len, num_blocks;
-        u8 *pos, *cpos, *b, *s_0, *a, *b_0, *aad;
+        u8 *pos, *cpos, *b, *s_0, *a, *b_0;
        b = scratch;
        s_0 = scratch + AES_BLOCK_LEN;
        a = scratch + 2 * AES_BLOCK_LEN;
        b_0 = scratch + 3 * AES_BLOCK_LEN;
-        aad = scratch + 4 * AES_BLOCK_LEN;
        num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN);
        last_len = data_len % AES_BLOCK_LEN;
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 0c9d0c07eae6..9c0d76cdca92 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -63,7 +63,8 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
        lockdep_assert_held(&sta->ampdu_mlme.mtx);
-        tid_rx = sta->ampdu_mlme.tid_rx[tid];
+        tid_rx = rcu_dereference_protected(sta->ampdu_mlme.tid_rx[tid],
+                                        lockdep_is_held(&sta->ampdu_mlme.mtx));
        if (!tid_rx)
                return;
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 63d852cb4ca2..c8be8eff70da 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -136,12 +136,12 @@ void ieee80211_send_bar(struct ieee80211_sub_if_data *sdata, u8 *ra, u16 tid, u1
        ieee80211_tx_skb(sdata, skb);
 }
-static void kfree_tid_tx(struct rcu_head *rcu_head)
+void ieee80211_assign_tid_tx(struct sta_info *sta, int tid,
+                             struct tid_ampdu_tx *tid_tx)
 {
-        struct tid_ampdu_tx *tid_tx =
+        lockdep_assert_held(&sta->ampdu_mlme.mtx);
-            container_of(rcu_head, struct tid_ampdu_tx, rcu_head);
+        lockdep_assert_held(&sta->lock);
+        rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], tid_tx);
-        kfree(tid_tx);
 }
 int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
@@ -149,21 +149,24 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
                                    bool tx)
 {
        struct ieee80211_local *local = sta->local;
-        struct tid_ampdu_tx *tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        struct tid_ampdu_tx *tid_tx;
        int ret;
        lockdep_assert_held(&sta->ampdu_mlme.mtx);
-        if (!tid_tx)
-                return -ENOENT;
        spin_lock_bh(&sta->lock);
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+        if (!tid_tx) {
+                spin_unlock_bh(&sta->lock);
+                return -ENOENT;
+        }
        if (test_bit(HT_AGG_STATE_WANT_START, &tid_tx->state)) {
                /* not even started yet! */
-                rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], NULL);
+                ieee80211_assign_tid_tx(sta, tid, NULL);
                spin_unlock_bh(&sta->lock);
-                call_rcu(&tid_tx->rcu_head, kfree_tid_tx);
+                kfree_rcu(tid_tx, rcu_head);
                return 0;
        }
@@ -283,13 +286,13 @@ ieee80211_wake_queue_agg(struct ieee80211_local *local, int tid)
 void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
 {
-        struct tid_ampdu_tx *tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        struct tid_ampdu_tx *tid_tx;
        struct ieee80211_local *local = sta->local;
        struct ieee80211_sub_if_data *sdata = sta->sdata;
        u16 start_seq_num;
        int ret;
-        lockdep_assert_held(&sta->ampdu_mlme.mtx);
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        /*
         * While we're asking the driver about the aggregation,
@@ -318,11 +321,11 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
                                        " tid %d\n", tid);
 #endif
                spin_lock_bh(&sta->lock);
-                rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], NULL);
+                ieee80211_assign_tid_tx(sta, tid, NULL);
                spin_unlock_bh(&sta->lock);
                ieee80211_wake_queue_agg(local, tid);
-                call_rcu(&tid_tx->rcu_head, kfree_tid_tx);
+                kfree_rcu(tid_tx, rcu_head);
                return;
        }
@@ -396,9 +399,9 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
                goto err_unlock_sta;
        }
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        /* check if the TID is not in aggregation flow already */
-        if (tid_tx) {
+        if (tid_tx || sta->ampdu_mlme.tid_start_tx[tid]) {
 #ifdef CONFIG_MAC80211_HT_DEBUG
                printk(KERN_DEBUG "BA request denied - session is not "
                                 "idle on tid %u\n", tid);
@@ -433,8 +436,11 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
        sta->ampdu_mlme.dialog_token_allocator++;
        tid_tx->dialog_token = sta->ampdu_mlme.dialog_token_allocator;
-        /* finally, assign it to the array */
+        /*
-        rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], tid_tx);
+         * Finally, assign it to the start array; the work item will
+         * collect it and move it to the normal array.
+         */
+        sta->ampdu_mlme.tid_start_tx[tid] = tid_tx;
        ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
@@ -480,16 +486,19 @@ ieee80211_agg_splice_finish(struct ieee80211_local *local, u16 tid)
 static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
                                         struct sta_info *sta, u16 tid)
 {
+        struct tid_ampdu_tx *tid_tx;
        lockdep_assert_held(&sta->ampdu_mlme.mtx);
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
 #ifdef CONFIG_MAC80211_HT_DEBUG
        printk(KERN_DEBUG "Aggregation is on for tid %d\n", tid);
 #endif
        drv_ampdu_action(local, sta->sdata,
                         IEEE80211_AMPDU_TX_OPERATIONAL,
-                         &sta->sta, tid, NULL,
+                         &sta->sta, tid, NULL, tid_tx->buf_size);
-                         sta->ampdu_mlme.tid_tx[tid]->buf_size);
        /*
         * synchronize with TX path, while splicing the TX path
@@ -497,13 +506,13 @@ static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
         */
        spin_lock_bh(&sta->lock);
-        ieee80211_agg_splice_packets(local, sta->ampdu_mlme.tid_tx[tid], tid);
+        ieee80211_agg_splice_packets(local, tid_tx, tid);
        /*
         * Now mark as operational. This will be visible
         * in the TX path, and lets it go lock-free in
         * the common case.
         */
-        set_bit(HT_AGG_STATE_OPERATIONAL, &sta->ampdu_mlme.tid_tx[tid]->state);
+        set_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state);
        ieee80211_agg_splice_finish(local, tid);
        spin_unlock_bh(&sta->lock);
@@ -537,7 +546,7 @@ void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid)
        }
        mutex_lock(&sta->ampdu_mlme.mtx);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (WARN_ON(!tid_tx)) {
 #ifdef CONFIG_MAC80211_HT_DEBUG
@@ -615,7 +624,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
                return -EINVAL;
        spin_lock_bh(&sta->lock);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (!tid_tx) {
                ret = -ENOENT;
@@ -671,7 +680,7 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
        mutex_lock(&sta->ampdu_mlme.mtx);
        spin_lock_bh(&sta->lock);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (!tid_tx || !test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
 #ifdef CONFIG_MAC80211_HT_DEBUG
@@ -697,11 +706,11 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
        ieee80211_agg_splice_packets(local, tid_tx, tid);
        /* future packets must not find the tid_tx struct any more */
-        rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], NULL);
+        ieee80211_assign_tid_tx(sta, tid, NULL);
        ieee80211_agg_splice_finish(local, tid);
-        call_rcu(&tid_tx->rcu_head, kfree_tid_tx);
+        kfree_rcu(tid_tx, rcu_head);
 unlock_sta:
        spin_unlock_bh(&sta->lock);
@@ -752,7 +761,7 @@ void ieee80211_process_addba_resp(struct ieee80211_local *local,
        mutex_lock(&sta->ampdu_mlme.mtx);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (!tid_tx)
                goto out;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 44049733c4ea..be70c70d3f5b 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -136,7 +136,10 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
        mutex_lock(&sdata->local->sta_mtx);
        if (mac_addr) {
-                sta = sta_info_get_bss(sdata, mac_addr);
+                if (ieee80211_vif_is_mesh(&sdata->vif))
+                        sta = sta_info_get(sdata, mac_addr);
+                else
+                        sta = sta_info_get_bss(sdata, mac_addr);
                if (!sta) {
                        ieee80211_key_free(sdata->local, key);
                        err = -ENOENT;
@@ -157,13 +160,14 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
 static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
                             u8 key_idx, bool pairwise, const u8 *mac_addr)
 {
-        struct ieee80211_sub_if_data *sdata;
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_local *local = sdata->local;
        struct sta_info *sta;
+        struct ieee80211_key *key = NULL;
        int ret;
-        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        mutex_lock(&local->sta_mtx);
+        mutex_lock(&local->key_mtx);
-        mutex_lock(&sdata->local->sta_mtx);
        if (mac_addr) {
                ret = -ENOENT;
@@ -172,33 +176,24 @@ static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
                if (!sta)
                        goto out_unlock;
-                if (pairwise) {
+                if (pairwise)
-                        if (sta->ptk) {
+                        key = key_mtx_dereference(local, sta->ptk);
-                                ieee80211_key_free(sdata->local, sta->ptk);
+                else
-                                ret = 0;
+                        key = key_mtx_dereference(local, sta->gtk[key_idx]);
-                        }
+        } else
-                } else {
+                key = key_mtx_dereference(local, sdata->keys[key_idx]);
-                        if (sta->gtk[key_idx]) {
-                                ieee80211_key_free(sdata->local,
-                                                   sta->gtk[key_idx]);
-                                ret = 0;
-                        }
-                }
-                goto out_unlock;
-        }
-        if (!sdata->keys[key_idx]) {
+        if (!key) {
                ret = -ENOENT;
                goto out_unlock;
        }
-        ieee80211_key_free(sdata->local, sdata->keys[key_idx]);
+        __ieee80211_key_free(key);
-        WARN_ON(sdata->keys[key_idx]);
        ret = 0;
 out_unlock:
-        mutex_unlock(&sdata->local->sta_mtx);
+        mutex_unlock(&local->key_mtx);
+        mutex_unlock(&local->sta_mtx);
        return ret;
 }
@@ -228,11 +223,11 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
                        goto out;
                if (pairwise)
-                        key = sta->ptk;
+                        key = rcu_dereference(sta->ptk);
                else if (key_idx < NUM_DEFAULT_KEYS)
-                        key = sta->gtk[key_idx];
+                        key = rcu_dereference(sta->gtk[key_idx]);
        } else
-                key = sdata->keys[key_idx];
+                key = rcu_dereference(sdata->keys[key_idx]);
        if (!key)
                goto out;
@@ -330,6 +325,7 @@ static void rate_idx_to_bitrate(struct rate_info *rate, struct sta_info *sta, in
 static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
 {
        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        struct timespec uptime;
        sinfo->generation = sdata->local->sta_generation;
@@ -342,7 +338,12 @@ static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
                        STATION_INFO_TX_FAILED |
                        STATION_INFO_TX_BITRATE |
                        STATION_INFO_RX_BITRATE |
-                        STATION_INFO_RX_DROP_MISC;
+                        STATION_INFO_RX_DROP_MISC |
+                        STATION_INFO_BSS_PARAM |
+                        STATION_INFO_CONNECTED_TIME;
+        do_posix_clock_monotonic_gettime(&uptime);
+        sinfo->connected_time = uptime.tv_sec - sta->last_connected;
        sinfo->inactive_time = jiffies_to_msecs(jiffies - sta->last_rx);
        sinfo->rx_bytes = sta->rx_bytes;
@@ -389,6 +390,16 @@ static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
                sinfo->plink_state = sta->plink_state;
 #endif
        }
+        sinfo->bss_param.flags = 0;
+        if (sdata->vif.bss_conf.use_cts_prot)
+                sinfo->bss_param.flags |= BSS_PARAM_FLAGS_CTS_PROT;
+        if (sdata->vif.bss_conf.use_short_preamble)
+                sinfo->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_PREAMBLE;
+        if (sdata->vif.bss_conf.use_short_slot)
+                sinfo->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_SLOT_TIME;
+        sinfo->bss_param.dtim_period = sdata->local->hw.conf.ps_dtim_period;
+        sinfo->bss_param.beacon_interval = sdata->vif.bss_conf.beacon_int;
 }
@@ -452,7 +463,7 @@ static int ieee80211_config_beacon(struct ieee80211_sub_if_data *sdata,
        int size;
        int err = -EINVAL;
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        /* head must not be zero-length */
        if (params->head && !params->head_len)
@@ -547,8 +558,7 @@ static int ieee80211_add_beacon(struct wiphy *wiphy, struct net_device *dev,
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        if (old)
                return -EALREADY;
@@ -563,8 +573,7 @@ static int ieee80211_set_beacon(struct wiphy *wiphy, struct net_device *dev,
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        if (!old)
                return -ENOENT;
@@ -578,8 +587,7 @@ static int ieee80211_del_beacon(struct wiphy *wiphy, struct net_device *dev)
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        if (!old)
                return -ENOENT;
@@ -675,6 +683,12 @@ static void sta_apply_parameters(struct ieee80211_local *local,
                if (set & BIT(NL80211_STA_FLAG_MFP))
                        sta->flags |= WLAN_STA_MFP;
        }
+        if (mask & BIT(NL80211_STA_FLAG_AUTHENTICATED)) {
+                sta->flags &= ~WLAN_STA_AUTH;
+                if (set & BIT(NL80211_STA_FLAG_AUTHENTICATED))
+                        sta->flags |= WLAN_STA_AUTH;
+        }
        spin_unlock_irqrestore(&sta->flaglock, flags);
        /*
@@ -712,15 +726,29 @@ static void sta_apply_parameters(struct ieee80211_local *local,
                                                  params->ht_capa,
                                                  &sta->sta.ht_cap);
-        if (ieee80211_vif_is_mesh(&sdata->vif) && params->plink_action) {
+        if (ieee80211_vif_is_mesh(&sdata->vif)) {
-                switch (params->plink_action) {
+#ifdef CONFIG_MAC80211_MESH
-                case PLINK_ACTION_OPEN:
+                if (sdata->u.mesh.security & IEEE80211_MESH_SEC_SECURED)
-                        mesh_plink_open(sta);
+                        switch (params->plink_state) {
-                        break;
+                        case NL80211_PLINK_LISTEN:
-                case PLINK_ACTION_BLOCK:
+                        case NL80211_PLINK_ESTAB:
-                        mesh_plink_block(sta);
+                        case NL80211_PLINK_BLOCKED:
-                        break;
+                                sta->plink_state = params->plink_state;
-                }
+                                break;
+                        default:
+                                /*  nothing  */
+                                break;
+                        }
+                else
+                        switch (params->plink_action) {
+                        case PLINK_ACTION_OPEN:
+                                mesh_plink_open(sta);
+                                break;
+                        case PLINK_ACTION_BLOCK:
+                                mesh_plink_block(sta);
+                                break;
+                        }
+#endif
        }
 }
@@ -921,8 +949,10 @@ static int ieee80211_change_mpath(struct wiphy *wiphy,
 static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
                            struct mpath_info *pinfo)
 {
-        if (mpath->next_hop)
+        struct sta_info *next_hop_sta = rcu_dereference(mpath->next_hop);
-                memcpy(next_hop, mpath->next_hop->sta.addr, ETH_ALEN);
+        if (next_hop_sta)
+                memcpy(next_hop, next_hop_sta->sta.addr, ETH_ALEN);
        else
                memset(next_hop, 0, ETH_ALEN);
@@ -1023,26 +1053,30 @@ static int copy_mesh_setup(struct ieee80211_if_mesh *ifmsh,
        u8 *new_ie;
        const u8 *old_ie;
-        /* first allocate the new vendor information element */
+        /* allocate information elements */
        new_ie = NULL;
-        old_ie = ifmsh->vendor_ie;
+        old_ie = ifmsh->ie;
-        ifmsh->vendor_ie_len = setup->vendor_ie_len;
+        if (setup->ie_len) {
-        if (setup->vendor_ie_len) {
+                new_ie = kmemdup(setup->ie, setup->ie_len,
-                new_ie = kmemdup(setup->vendor_ie, setup->vendor_ie_len,
                                GFP_KERNEL);
                if (!new_ie)
                        return -ENOMEM;
        }
+        ifmsh->ie_len = setup->ie_len;
+        ifmsh->ie = new_ie;
+        kfree(old_ie);
        /* now copy the rest of the setup parameters */
        ifmsh->mesh_id_len = setup->mesh_id_len;
        memcpy(ifmsh->mesh_id, setup->mesh_id, ifmsh->mesh_id_len);
        ifmsh->mesh_pp_id = setup->path_sel_proto;
        ifmsh->mesh_pm_id = setup->path_metric;
-        ifmsh->vendor_ie = new_ie;
+        ifmsh->security = IEEE80211_MESH_SEC_NONE;
+        if (setup->is_authenticated)
-        kfree(old_ie);
+                ifmsh->security |= IEEE80211_MESH_SEC_AUTHED;
+        if (setup->is_secure)
+                ifmsh->security |= IEEE80211_MESH_SEC_SECURED;
        return 0;
 }
@@ -1275,9 +1309,10 @@ static int ieee80211_set_channel(struct wiphy *wiphy,
 }
 #ifdef CONFIG_PM
-static int ieee80211_suspend(struct wiphy *wiphy)
+static int ieee80211_suspend(struct wiphy *wiphy,
+                             struct cfg80211_wowlan *wowlan)
 {
-        return __ieee80211_suspend(wiphy_priv(wiphy));
+        return __ieee80211_suspend(wiphy_priv(wiphy), wowlan);
 }
 static int ieee80211_resume(struct wiphy *wiphy)
@@ -1320,6 +1355,30 @@ static int ieee80211_scan(struct wiphy *wiphy,
        return ieee80211_request_scan(sdata, req);
 }
+static int
+ieee80211_sched_scan_start(struct wiphy *wiphy,
+                           struct net_device *dev,
+                           struct cfg80211_sched_scan_request *req)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        if (!sdata->local->ops->sched_scan_start)
+                return -EOPNOTSUPP;
+        return ieee80211_request_sched_scan_start(sdata, req);
+}
+static int
+ieee80211_sched_scan_stop(struct wiphy *wiphy, struct net_device *dev)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        if (!sdata->local->ops->sched_scan_stop)
+                return -EOPNOTSUPP;
+        return ieee80211_request_sched_scan_stop(sdata);
+}
 static int ieee80211_auth(struct wiphy *wiphy, struct net_device *dev,
                          struct cfg80211_auth_request *req)
 {
@@ -1611,16 +1670,13 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
 {
        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
        struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
-        int i;
+        int i, ret;
-        /*
-         * This _could_ be supported by providing a hook for
-         * drivers for this function, but at this point it
-         * doesn't seem worth bothering.
-         */
-        if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
-                return -EOPNOTSUPP;
+        if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
+                ret = drv_set_bitrate_mask(local, sdata, mask);
+                if (ret)
+                        return ret;
+        }
        for (i = 0; i < IEEE80211_NUM_BANDS; i++)
                sdata->rc_rateidx_mask[i] = mask->control[i].legacy;
@@ -2064,6 +2120,8 @@ struct cfg80211_ops mac80211_config_ops = {
        .suspend = ieee80211_suspend,
        .resume = ieee80211_resume,
        .scan = ieee80211_scan,
+        .sched_scan_start = ieee80211_sched_scan_start,
+        .sched_scan_stop = ieee80211_sched_scan_stop,
        .auth = ieee80211_auth,
        .assoc = ieee80211_assoc,
        .deauth = ieee80211_deauth,
diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
index 51f0d780dafa..186e02f7cc32 100644
--- a/net/mac80211/debugfs.c
+++ b/net/mac80211/debugfs.c
@@ -37,7 +37,7 @@ int mac80211_format_buffer(char __user *userbuf, size_t count,
        return simple_read_from_buffer(userbuf, count, ppos, buf, res);
 }
-#define DEBUGFS_READONLY_FILE(name, fmt, value...)                      \
+#define DEBUGFS_READONLY_FILE_FN(name, fmt, value...)                   \
 static ssize_t name## _read(struct file *file, char __user *userbuf,    \
                            size_t count, loff_t *ppos)                 \
 {                                                                       \
@@ -45,14 +45,19 @@ static ssize_t name## _read(struct file *file, char __user *userbuf,	\
                                                                        \
        return mac80211_format_buffer(userbuf, count, ppos,             \
                                      fmt "\n", ##value);               \
-}                                                                       \
+}
-                                                                        \
+#define DEBUGFS_READONLY_FILE_OPS(name)                 \
 static const struct file_operations name## _ops = {                     \
        .read = name## _read,                                           \
        .open = mac80211_open_file_generic,                             \
        .llseek = generic_file_llseek,                                  \
 };
+#define DEBUGFS_READONLY_FILE(name, fmt, value...)              \
+        DEBUGFS_READONLY_FILE_FN(name, fmt, value)              \
+        DEBUGFS_READONLY_FILE_OPS(name)
 #define DEBUGFS_ADD(name)                                               \
        debugfs_create_file(#name, 0400, phyd, local, &name## _ops);
@@ -130,7 +135,7 @@ static ssize_t reset_write(struct file *file, const char __user *user_buf,
        struct ieee80211_local *local = file->private_data;
        rtnl_lock();
-        __ieee80211_suspend(&local->hw);
+        __ieee80211_suspend(&local->hw, NULL);
        __ieee80211_resume(&local->hw);
        rtnl_unlock();
@@ -291,11 +296,70 @@ static ssize_t channel_type_read(struct file *file, char __user *user_buf,
        return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
 }
-static const struct file_operations channel_type_ops = {
+static ssize_t hwflags_read(struct file *file, char __user *user_buf,
-        .read = channel_type_read,
+                            size_t count, loff_t *ppos)
-        .open = mac80211_open_file_generic,
+{
-        .llseek = default_llseek,
+        struct ieee80211_local *local = file->private_data;
-};
+        int mxln = 500;
+        ssize_t rv;
+        char *buf = kzalloc(mxln, GFP_KERNEL);
+        int sf = 0; /* how many written so far */
+        sf += snprintf(buf, mxln - sf, "0x%x\n", local->hw.flags);
+        if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
+                sf += snprintf(buf + sf, mxln - sf, "HAS_RATE_CONTROL\n");
+        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
+                sf += snprintf(buf + sf, mxln - sf, "RX_INCLUDES_FCS\n");
+        if (local->hw.flags & IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING)
+                sf += snprintf(buf + sf, mxln - sf,
+                               "HOST_BCAST_PS_BUFFERING\n");
+        if (local->hw.flags & IEEE80211_HW_2GHZ_SHORT_SLOT_INCAPABLE)
+                sf += snprintf(buf + sf, mxln - sf,
+                               "2GHZ_SHORT_SLOT_INCAPABLE\n");
+        if (local->hw.flags & IEEE80211_HW_2GHZ_SHORT_PREAMBLE_INCAPABLE)
+                sf += snprintf(buf + sf, mxln - sf,
+                               "2GHZ_SHORT_PREAMBLE_INCAPABLE\n");
+        if (local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC)
+                sf += snprintf(buf + sf, mxln - sf, "SIGNAL_UNSPEC\n");
+        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
+                sf += snprintf(buf + sf, mxln - sf, "SIGNAL_DBM\n");
+        if (local->hw.flags & IEEE80211_HW_NEED_DTIM_PERIOD)
+                sf += snprintf(buf + sf, mxln - sf, "NEED_DTIM_PERIOD\n");
+        if (local->hw.flags & IEEE80211_HW_SPECTRUM_MGMT)
+                sf += snprintf(buf + sf, mxln - sf, "SPECTRUM_MGMT\n");
+        if (local->hw.flags & IEEE80211_HW_AMPDU_AGGREGATION)
+                sf += snprintf(buf + sf, mxln - sf, "AMPDU_AGGREGATION\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_PS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_PS\n");
+        if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)
+                sf += snprintf(buf + sf, mxln - sf, "PS_NULLFUNC_STACK\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_PS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_DYNAMIC_PS\n");
+        if (local->hw.flags & IEEE80211_HW_MFP_CAPABLE)
+                sf += snprintf(buf + sf, mxln - sf, "MFP_CAPABLE\n");
+        if (local->hw.flags & IEEE80211_HW_BEACON_FILTER)
+                sf += snprintf(buf + sf, mxln - sf, "BEACON_FILTER\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_STATIC_SMPS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_STATIC_SMPS\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_SMPS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_DYNAMIC_SMPS\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_UAPSD)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_UAPSD\n");
+        if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
+                sf += snprintf(buf + sf, mxln - sf, "REPORTS_TX_ACK_STATUS\n");
+        if (local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
+                sf += snprintf(buf + sf, mxln - sf, "CONNECTION_MONITOR\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_CQM_RSSI)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_CQM_RSSI\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_PER_STA_GTK)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_PER_STA_GTK\n");
+        if (local->hw.flags & IEEE80211_HW_AP_LINK_PS)
+                sf += snprintf(buf + sf, mxln - sf, "AP_LINK_PS\n");
+        rv = simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
+        kfree(buf);
+        return rv;
+}
 static ssize_t queues_read(struct file *file, char __user *user_buf,
                           size_t count, loff_t *ppos)
@@ -315,11 +379,9 @@ static ssize_t queues_read(struct file *file, char __user *user_buf,
        return simple_read_from_buffer(user_buf, count, ppos, buf, res);
 }
-static const struct file_operations queues_ops = {
+DEBUGFS_READONLY_FILE_OPS(hwflags);
-        .read = queues_read,
+DEBUGFS_READONLY_FILE_OPS(channel_type);
-        .open = mac80211_open_file_generic,
+DEBUGFS_READONLY_FILE_OPS(queues);
-        .llseek = default_llseek,
-};
 /* statistics stuff */
@@ -395,6 +457,7 @@ void debugfs_hw_add(struct ieee80211_local *local)
        DEBUGFS_ADD(uapsd_queues);
        DEBUGFS_ADD(uapsd_max_sp_len);
        DEBUGFS_ADD(channel_type);
+        DEBUGFS_ADD(hwflags);
        DEBUGFS_ADD(user_power);
        DEBUGFS_ADD(power);
diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c
index f7ef3477c24a..33c58b85c911 100644
--- a/net/mac80211/debugfs_key.c
+++ b/net/mac80211/debugfs_key.c
@@ -241,16 +241,12 @@ void ieee80211_debugfs_key_add(struct ieee80211_key *key)
        if (!key->debugfs.dir)
                return;
-        rcu_read_lock();
+        sta = key->sta;
-        sta = rcu_dereference(key->sta);
+        if (sta) {
-        if (sta)
                sprintf(buf, "../../stations/%pM", sta->sta.addr);
-        rcu_read_unlock();
-        /* using sta as a boolean is fine outside RCU lock */
-        if (sta)
                key->debugfs.stalink =
                        debugfs_create_symlink("station", key->debugfs.dir, buf);
+        }
        DEBUGFS_ADD(keylen);
        DEBUGFS_ADD(flags);
@@ -286,7 +282,8 @@ void ieee80211_debugfs_key_update_default(struct ieee80211_sub_if_data *sdata)
        lockdep_assert_held(&sdata->local->key_mtx);
        if (sdata->default_unicast_key) {
-                key = sdata->default_unicast_key;
+                key = key_mtx_dereference(sdata->local,
+                                          sdata->default_unicast_key);
                sprintf(buf, "../keys/%d", key->debugfs.cnt);
                sdata->debugfs.default_unicast_key =
                        debugfs_create_symlink("default_unicast_key",
@@ -297,7 +294,8 @@ void ieee80211_debugfs_key_update_default(struct ieee80211_sub_if_data *sdata)
        }
        if (sdata->default_multicast_key) {
-                key = sdata->default_multicast_key;
+                key = key_mtx_dereference(sdata->local,
+                                          sdata->default_multicast_key);
                sprintf(buf, "../keys/%d", key->debugfs.cnt);
                sdata->debugfs.default_multicast_key =
                        debugfs_create_symlink("default_multicast_key",
@@ -316,9 +314,8 @@ void ieee80211_debugfs_key_add_mgmt_default(struct ieee80211_sub_if_data *sdata)
        if (!sdata->debugfs.dir)
                return;
-        /* this is running under the key lock */
+        key = key_mtx_dereference(sdata->local,
+                                  sdata->default_mgmt_key);
-        key = sdata->default_mgmt_key;
        if (key) {
                sprintf(buf, "../keys/%d", key->debugfs.cnt);
                sdata->debugfs.default_mgmt_key =
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index c04a1396cf8d..a01d2137fddc 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -92,6 +92,31 @@ static ssize_t sta_inactive_ms_read(struct file *file, char __user *userbuf,
 }
 STA_OPS(inactive_ms);
+static ssize_t sta_connected_time_read(struct file *file, char __user *userbuf,
+                                        size_t count, loff_t *ppos)
+{
+        struct sta_info *sta = file->private_data;
+        struct timespec uptime;
+        struct tm result;
+        long connected_time_secs;
+        char buf[100];
+        int res;
+        do_posix_clock_monotonic_gettime(&uptime);
+        connected_time_secs = uptime.tv_sec - sta->last_connected;
+        time_to_tm(connected_time_secs, 0, &result);
+        result.tm_year -= 70;
+        result.tm_mday -= 1;
+        res = scnprintf(buf, sizeof(buf),
+                "years  - %ld\nmonths - %d\ndays   - %d\nclock  - %d:%d:%d\n\n",
+                        result.tm_year, result.tm_mon, result.tm_mday,
+                        result.tm_hour, result.tm_min, result.tm_sec);
+        return simple_read_from_buffer(userbuf, count, ppos, buf, res);
+}
+STA_OPS(connected_time);
 static ssize_t sta_last_seq_ctrl_read(struct file *file, char __user *userbuf,
                                      size_t count, loff_t *ppos)
 {
@@ -324,6 +349,7 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta)
        DEBUGFS_ADD(flags);
        DEBUGFS_ADD(num_ps_buf_frames);
        DEBUGFS_ADD(inactive_ms);
+        DEBUGFS_ADD(connected_time);
        DEBUGFS_ADD(last_seq_ctrl);
        DEBUGFS_ADD(agg_status);
        DEBUGFS_ADD(dev);
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 9c0d62bb0ea3..eebf7a67daf7 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -41,6 +41,33 @@ static inline void drv_stop(struct ieee80211_local *local)
        local->started = false;
 }
+#ifdef CONFIG_PM
+static inline int drv_suspend(struct ieee80211_local *local,
+                              struct cfg80211_wowlan *wowlan)
+{
+        int ret;
+        might_sleep();
+        trace_drv_suspend(local);
+        ret = local->ops->suspend(&local->hw, wowlan);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline int drv_resume(struct ieee80211_local *local)
+{
+        int ret;
+        might_sleep();
+        trace_drv_resume(local);
+        ret = local->ops->resume(&local->hw);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+#endif
 static inline int drv_add_interface(struct ieee80211_local *local,
                                    struct ieee80211_vif *vif)
 {
@@ -185,12 +212,39 @@ static inline int drv_hw_scan(struct ieee80211_local *local,
        might_sleep();
-        trace_drv_hw_scan(local, sdata, req);
+        trace_drv_hw_scan(local, sdata);
        ret = local->ops->hw_scan(&local->hw, &sdata->vif, req);
        trace_drv_return_int(local, ret);
        return ret;
 }
+static inline int
+drv_sched_scan_start(struct ieee80211_local *local,
+                     struct ieee80211_sub_if_data *sdata,
+                     struct cfg80211_sched_scan_request *req,
+                     struct ieee80211_sched_scan_ies *ies)
+{
+        int ret;
+        might_sleep();
+        trace_drv_sched_scan_start(local, sdata);
+        ret = local->ops->sched_scan_start(&local->hw, &sdata->vif,
+                                              req, ies);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline void drv_sched_scan_stop(struct ieee80211_local *local,
+                                       struct ieee80211_sub_if_data *sdata)
+{
+        might_sleep();
+        trace_drv_sched_scan_stop(local, sdata);
+        local->ops->sched_scan_stop(&local->hw, &sdata->vif);
+        trace_drv_return_void(local);
+}
 static inline void drv_sw_scan_start(struct ieee80211_local *local)
 {
        might_sleep();
@@ -552,4 +606,35 @@ static inline void drv_get_ringparam(struct ieee80211_local *local,
        trace_drv_return_void(local);
 }
+static inline bool drv_tx_frames_pending(struct ieee80211_local *local)
+{
+        bool ret = false;
+        might_sleep();
+        trace_drv_tx_frames_pending(local);
+        if (local->ops->tx_frames_pending)
+                ret = local->ops->tx_frames_pending(&local->hw);
+        trace_drv_return_bool(local, ret);
+        return ret;
+}
+static inline int drv_set_bitrate_mask(struct ieee80211_local *local,
+                                       struct ieee80211_sub_if_data *sdata,
+                                       const struct cfg80211_bitrate_mask *mask)
+{
+        int ret = -EOPNOTSUPP;
+        might_sleep();
+        trace_drv_set_bitrate_mask(local, sdata, mask);
+        if (local->ops->set_bitrate_mask)
+                ret = local->ops->set_bitrate_mask(&local->hw,
+                                                   &sdata->vif, mask);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
 #endif /* __MAC80211_DRIVER_OPS */
diff --git a/net/mac80211/driver-trace.h b/net/mac80211/driver-trace.h
index 45aab80738e2..ed9edcbd9aa5 100644
--- a/net/mac80211/driver-trace.h
+++ b/net/mac80211/driver-trace.h
@@ -55,6 +55,70 @@ DECLARE_EVENT_CLASS(local_only_evt,
        TP_printk(LOCAL_PR_FMT, LOCAL_PR_ARG)
 );
+DECLARE_EVENT_CLASS(local_sdata_addr_evt,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                __array(char, addr, 6)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                memcpy(__entry->addr, sdata->vif.addr, 6);
+        ),
+        TP_printk(
+                LOCAL_PR_FMT  VIF_PR_FMT " addr:%pM",
+                LOCAL_PR_ARG, VIF_PR_ARG, __entry->addr
+        )
+);
+DECLARE_EVENT_CLASS(local_u32_evt,
+        TP_PROTO(struct ieee80211_local *local, u32 value),
+        TP_ARGS(local, value),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(u32, value)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->value = value;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT " value:%d",
+                LOCAL_PR_ARG, __entry->value
+        )
+);
+DECLARE_EVENT_CLASS(local_sdata_evt,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT VIF_PR_FMT,
+                LOCAL_PR_ARG, VIF_PR_ARG
+        )
+);
 DEFINE_EVENT(local_only_evt, drv_return_void,
        TP_PROTO(struct ieee80211_local *local),
        TP_ARGS(local)
@@ -74,6 +138,21 @@ TRACE_EVENT(drv_return_int,
        TP_printk(LOCAL_PR_FMT " - %d", LOCAL_PR_ARG, __entry->ret)
 );
+TRACE_EVENT(drv_return_bool,
+        TP_PROTO(struct ieee80211_local *local, bool ret),
+        TP_ARGS(local, ret),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(bool, ret)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->ret = ret;
+        ),
+        TP_printk(LOCAL_PR_FMT " - %s", LOCAL_PR_ARG, (__entry->ret) ?
+                  "true" : "false")
+);
 TRACE_EVENT(drv_return_u64,
        TP_PROTO(struct ieee80211_local *local, u64 ret),
        TP_ARGS(local, ret),
@@ -93,33 +172,25 @@ DEFINE_EVENT(local_only_evt, drv_start,
        TP_ARGS(local)
 );
+DEFINE_EVENT(local_only_evt, drv_suspend,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+DEFINE_EVENT(local_only_evt, drv_resume,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
 DEFINE_EVENT(local_only_evt, drv_stop,
        TP_PROTO(struct ieee80211_local *local),
        TP_ARGS(local)
 );
-TRACE_EVENT(drv_add_interface,
+DEFINE_EVENT(local_sdata_addr_evt, drv_add_interface,
        TP_PROTO(struct ieee80211_local *local,
                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata)
-        TP_ARGS(local, sdata),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                VIF_ENTRY
-                __array(char, addr, 6)
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                VIF_ASSIGN;
-                memcpy(__entry->addr, sdata->vif.addr, 6);
-        ),
-        TP_printk(
-                LOCAL_PR_FMT  VIF_PR_FMT " addr:%pM",
-                LOCAL_PR_ARG, VIF_PR_ARG, __entry->addr
-        )
 );
 TRACE_EVENT(drv_change_interface,
@@ -150,27 +221,10 @@ TRACE_EVENT(drv_change_interface,
        )
 );
-TRACE_EVENT(drv_remove_interface,
+DEFINE_EVENT(local_sdata_addr_evt, drv_remove_interface,
-        TP_PROTO(struct ieee80211_local *local, struct ieee80211_sub_if_data *sdata),
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
-        TP_ARGS(local, sdata),
+        TP_ARGS(local, sdata)
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                VIF_ENTRY
-                __array(char, addr, 6)
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                VIF_ASSIGN;
-                memcpy(__entry->addr, sdata->vif.addr, 6);
-        ),
-        TP_printk(
-                LOCAL_PR_FMT  VIF_PR_FMT " addr:%pM",
-                LOCAL_PR_ARG, VIF_PR_ARG, __entry->addr
-        )
 );
 TRACE_EVENT(drv_config,
@@ -400,27 +454,22 @@ TRACE_EVENT(drv_update_tkip_key,
        )
 );
-TRACE_EVENT(drv_hw_scan,
+DEFINE_EVENT(local_sdata_evt, drv_hw_scan,
        TP_PROTO(struct ieee80211_local *local,
-                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_sub_if_data *sdata),
-                 struct cfg80211_scan_request *req),
+        TP_ARGS(local, sdata)
+);
-        TP_ARGS(local, sdata, req),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                VIF_ENTRY
-        ),
-        TP_fast_assign(
+DEFINE_EVENT(local_sdata_evt, drv_sched_scan_start,
-                LOCAL_ASSIGN;
+        TP_PROTO(struct ieee80211_local *local,
-                VIF_ASSIGN;
+                 struct ieee80211_sub_if_data *sdata),
-        ),
+        TP_ARGS(local, sdata)
+);
-        TP_printk(
+DEFINE_EVENT(local_sdata_evt, drv_sched_scan_stop,
-                LOCAL_PR_FMT VIF_PR_FMT,
+        TP_PROTO(struct ieee80211_local *local,
-                LOCAL_PR_ARG,VIF_PR_ARG
+                 struct ieee80211_sub_if_data *sdata),
-        )
+        TP_ARGS(local, sdata)
 );
 DEFINE_EVENT(local_only_evt, drv_sw_scan_start,
@@ -489,46 +538,14 @@ TRACE_EVENT(drv_get_tkip_seq,
        )
 );
-TRACE_EVENT(drv_set_frag_threshold,
+DEFINE_EVENT(local_u32_evt, drv_set_frag_threshold,
        TP_PROTO(struct ieee80211_local *local, u32 value),
+        TP_ARGS(local, value)
-        TP_ARGS(local, value),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                __field(u32, value)
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                __entry->value = value;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT " value:%d",
-                LOCAL_PR_ARG, __entry->value
-        )
 );
-TRACE_EVENT(drv_set_rts_threshold,
+DEFINE_EVENT(local_u32_evt, drv_set_rts_threshold,
        TP_PROTO(struct ieee80211_local *local, u32 value),
+        TP_ARGS(local, value)
-        TP_ARGS(local, value),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                __field(u32, value)
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                __entry->value = value;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT " value:%d",
-                LOCAL_PR_ARG, __entry->value
-        )
 );
 TRACE_EVENT(drv_set_coverage_class,
@@ -964,11 +981,43 @@ TRACE_EVENT(drv_get_ringparam,
        )
 );
+DEFINE_EVENT(local_only_evt, drv_tx_frames_pending,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
 DEFINE_EVENT(local_only_evt, drv_offchannel_tx_cancel_wait,
        TP_PROTO(struct ieee80211_local *local),
        TP_ARGS(local)
 );
+TRACE_EVENT(drv_set_bitrate_mask,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 const struct cfg80211_bitrate_mask *mask),
+        TP_ARGS(local, sdata, mask),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                __field(u32, legacy_2g)
+                __field(u32, legacy_5g)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                __entry->legacy_2g = mask->control[IEEE80211_BAND_2GHZ].legacy;
+                __entry->legacy_5g = mask->control[IEEE80211_BAND_5GHZ].legacy;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT  VIF_PR_FMT " 2G Mask:0x%x 5G Mask:0x%x",
+                LOCAL_PR_ARG, VIF_PR_ARG, __entry->legacy_2g, __entry->legacy_5g
+        )
+);
 /*
 * Tracing for API calls that drivers call.
 */
@@ -1147,6 +1196,42 @@ TRACE_EVENT(api_scan_completed,
        )
 );
+TRACE_EVENT(api_sched_scan_results,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT, LOCAL_PR_ARG
+        )
+);
+TRACE_EVENT(api_sched_scan_stopped,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT, LOCAL_PR_ARG
+        )
+);
 TRACE_EVENT(api_sta_block_awake,
        TP_PROTO(struct ieee80211_local *local,
                 struct ieee80211_sta *sta, bool block),
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index b9e4b9bd2179..591add22bcc0 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -140,14 +140,29 @@ void ieee80211_ba_session_work(struct work_struct *work)
                                sta, tid, WLAN_BACK_RECIPIENT,
                                WLAN_REASON_QSTA_TIMEOUT, true);
-                tid_tx = sta->ampdu_mlme.tid_tx[tid];
+                tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
-                if (!tid_tx)
+                if (tid_tx) {
-                        continue;
+                        /*
+                         * Assign it over to the normal tid_tx array
+                         * where it "goes live".
+                         */
+                        spin_lock_bh(&sta->lock);
+                        sta->ampdu_mlme.tid_start_tx[tid] = NULL;
+                        /* could there be a race? */
+                        if (sta->ampdu_mlme.tid_tx[tid])
+                                kfree(tid_tx);
+                        else
+                                ieee80211_assign_tid_tx(sta, tid, tid_tx);
+                        spin_unlock_bh(&sta->lock);
-                if (test_bit(HT_AGG_STATE_WANT_START, &tid_tx->state))
                        ieee80211_tx_ba_session_handle_start(sta, tid);
-                else if (test_and_clear_bit(HT_AGG_STATE_WANT_STOP,
+                        continue;
-                                            &tid_tx->state))
+                }
+                tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+                if (tid_tx && test_and_clear_bit(HT_AGG_STATE_WANT_STOP,
+                                                 &tid_tx->state))
                        ___ieee80211_stop_tx_ba_session(sta, tid,
                                                        WLAN_BACK_INITIATOR,
                                                        true);
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 3e81af1fce58..56c24cabf26d 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -40,7 +40,7 @@ static void ieee80211_rx_mgmt_auth_ibss(struct ieee80211_sub_if_data *sdata,
                                        struct ieee80211_mgmt *mgmt,
                                        size_t len)
 {
-        u16 auth_alg, auth_transaction, status_code;
+        u16 auth_alg, auth_transaction;
        lockdep_assert_held(&sdata->u.ibss.mtx);
@@ -49,7 +49,6 @@ static void ieee80211_rx_mgmt_auth_ibss(struct ieee80211_sub_if_data *sdata,
        auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
        auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
-        status_code = le16_to_cpu(mgmt->u.auth.status_code);
        /*
         * IEEE 802.11 standard does not require authentication in IBSS
@@ -527,8 +526,6 @@ static void ieee80211_sta_merge_ibss(struct ieee80211_sub_if_data *sdata)
 static void ieee80211_sta_create_ibss(struct ieee80211_sub_if_data *sdata)
 {
        struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
-        struct ieee80211_local *local = sdata->local;
-        struct ieee80211_supported_band *sband;
        u8 bssid[ETH_ALEN];
        u16 capability;
        int i;
@@ -551,8 +548,6 @@ static void ieee80211_sta_create_ibss(struct ieee80211_sub_if_data *sdata)
        printk(KERN_DEBUG "%s: Creating new IBSS network, BSSID %pM\n",
               sdata->name, bssid);
-        sband = local->hw.wiphy->bands[ifibss->channel->band];
        capability = WLAN_CAPABILITY_IBSS;
        if (ifibss->privacy)
@@ -661,19 +656,22 @@ static void ieee80211_sta_find_ibss(struct ieee80211_sub_if_data *sdata)
 static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
                                        struct sk_buff *req)
 {
-        struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(req);
        struct ieee80211_mgmt *mgmt = (void *)req->data;
        struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
        struct ieee80211_local *local = sdata->local;
        int tx_last_beacon, len = req->len;
        struct sk_buff *skb;
        struct ieee80211_mgmt *resp;
+        struct sk_buff *presp;
        u8 *pos, *end;
        lockdep_assert_held(&ifibss->mtx);
+        presp = rcu_dereference_protected(ifibss->presp,
+                                          lockdep_is_held(&ifibss->mtx));
        if (ifibss->state != IEEE80211_IBSS_MLME_JOINED ||
-            len < 24 + 2 || !ifibss->presp)
+            len < 24 + 2 || !presp)
                return;
        tx_last_beacon = drv_tx_last_beacon(local);
@@ -685,7 +683,7 @@ static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
               mgmt->bssid, tx_last_beacon);
 #endif /* CONFIG_MAC80211_IBSS_DEBUG */
-        if (!tx_last_beacon && !(rx_status->rx_flags & IEEE80211_RX_RA_MATCH))
+        if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da))
                return;
        if (memcmp(mgmt->bssid, ifibss->bssid, ETH_ALEN) != 0 &&
@@ -711,7 +709,7 @@ static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
        }
        /* Reply with ProbeResp */
-        skb = skb_copy(ifibss->presp, GFP_KERNEL);
+        skb = skb_copy(presp, GFP_KERNEL);
        if (!skb)
                return;
@@ -967,6 +965,10 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
        mutex_lock(&sdata->u.ibss.mtx);
+        sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
+        memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
+        sdata->u.ibss.ssid_len = 0;
        active_ibss = ieee80211_sta_active_ibss(sdata);
        if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
@@ -991,7 +993,8 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
        /* remove beacon */
        kfree(sdata->u.ibss.ie);
-        skb = sdata->u.ibss.presp;
+        skb = rcu_dereference_protected(sdata->u.ibss.presp,
+                                        lockdep_is_held(&sdata->u.ibss.mtx));
        rcu_assign_pointer(sdata->u.ibss.presp, NULL);
        sdata->vif.bss_conf.ibss_joined = false;
        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED |
@@ -1000,8 +1003,6 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
        kfree_skb(skb);
        skb_queue_purge(&sdata->skb_queue);
-        memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
-        sdata->u.ibss.ssid_len = 0;
        del_timer_sync(&sdata->u.ibss.timer);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index c18396c248d7..090b0ec1e056 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -214,7 +214,7 @@ struct beacon_data {
 };
 struct ieee80211_if_ap {
-        struct beacon_data *beacon;
+        struct beacon_data __rcu *beacon;
        struct list_head vlans;
@@ -237,7 +237,7 @@ struct ieee80211_if_vlan {
        struct list_head list;
        /* used for all tx if the VLAN is configured to 4-addr mode */
-        struct sta_info *sta;
+        struct sta_info __rcu *sta;
 };
 struct mesh_stats {
@@ -442,7 +442,8 @@ struct ieee80211_if_ibss {
        unsigned long ibss_join_req;
        /* probe response/beacon for IBSS */
-        struct sk_buff *presp, *skb;
+        struct sk_buff __rcu *presp;
+        struct sk_buff *skb;
        enum {
                IEEE80211_IBSS_MLME_SEARCH,
@@ -488,8 +489,13 @@ struct ieee80211_if_mesh {
        struct mesh_config mshcfg;
        u32 mesh_seqnum;
        bool accepting_plinks;
-        const u8 *vendor_ie;
+        const u8 *ie;
-        u8 vendor_ie_len;
+        u8 ie_len;
+        enum {
+                IEEE80211_MESH_SEC_NONE = 0x0,
+                IEEE80211_MESH_SEC_AUTHED = 0x1,
+                IEEE80211_MESH_SEC_SECURED = 0x2,
+        } security;
 };
 #ifdef CONFIG_MAC80211_MESH
@@ -562,9 +568,10 @@ struct ieee80211_sub_if_data {
        struct ieee80211_fragment_entry fragments[IEEE80211_FRAGMENT_MAX];
        unsigned int fragment_next;
-        struct ieee80211_key *keys[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
+        struct ieee80211_key __rcu *keys[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
-        struct ieee80211_key *default_unicast_key, *default_multicast_key;
+        struct ieee80211_key __rcu *default_unicast_key;
-        struct ieee80211_key *default_mgmt_key;
+        struct ieee80211_key __rcu *default_multicast_key;
+        struct ieee80211_key __rcu *default_mgmt_key;
        u16 sequence_number;
        __be16 control_port_protocol;
@@ -763,6 +770,9 @@ struct ieee80211_local {
        /* device is started */
        bool started;
+        /* wowlan is enabled -- don't reconfig on resume */
+        bool wowlan;
        int tx_headroom; /* required headroom for hardware/radiotap */
        /* Tasklet and skb queue to process calls from IRQ mode. All frames
@@ -794,7 +804,7 @@ struct ieee80211_local {
        spinlock_t sta_lock;
        unsigned long num_sta;
        struct list_head sta_list, sta_pending_list;
-        struct sta_info *sta_hash[STA_HASH_SIZE];
+        struct sta_info __rcu *sta_hash[STA_HASH_SIZE];
        struct timer_list sta_cleanup;
        struct work_struct sta_finish_work;
        int sta_generation;
@@ -809,8 +819,8 @@ struct ieee80211_local {
        struct rate_control_ref *rate_ctrl;
-        struct crypto_blkcipher *wep_tx_tfm;
+        struct crypto_cipher *wep_tx_tfm;
-        struct crypto_blkcipher *wep_rx_tfm;
+        struct crypto_cipher *wep_rx_tfm;
        u32 wep_iv;
        /* see iface.c */
@@ -836,6 +846,10 @@ struct ieee80211_local {
        int scan_channel_idx;
        int scan_ies_len;
+        bool sched_scanning;
+        struct ieee80211_sched_scan_ies sched_scan_ies;
+        struct work_struct sched_scan_stopped_work;
        unsigned long leave_oper_channel_time;
        enum mac80211_scan_state next_scan_state;
        struct delayed_work scan_work;
@@ -1143,6 +1157,12 @@ ieee80211_rx_bss_get(struct ieee80211_local *local, u8 *bssid, int freq,
 void ieee80211_rx_bss_put(struct ieee80211_local *local,
                          struct ieee80211_bss *bss);
+/* scheduled scan handling */
+int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
+                                       struct cfg80211_sched_scan_request *req);
+int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata);
+void ieee80211_sched_scan_stopped_work(struct work_struct *work);
 /* off-channel helpers */
 bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local);
 void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
@@ -1246,7 +1266,8 @@ int ieee80211_reconfig(struct ieee80211_local *local);
 void ieee80211_stop_device(struct ieee80211_local *local);
 #ifdef CONFIG_PM
-int __ieee80211_suspend(struct ieee80211_hw *hw);
+int __ieee80211_suspend(struct ieee80211_hw *hw,
+                        struct cfg80211_wowlan *wowlan);
 static inline int __ieee80211_resume(struct ieee80211_hw *hw)
 {
@@ -1259,7 +1280,8 @@ static inline int __ieee80211_resume(struct ieee80211_hw *hw)
        return ieee80211_reconfig(hw_to_local(hw));
 }
 #else
-static inline int __ieee80211_suspend(struct ieee80211_hw *hw)
+static inline int __ieee80211_suspend(struct ieee80211_hw *hw,
+                                      struct cfg80211_wowlan *wowlan)
 {
        return 0;
 }
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 4054399be907..dee30aea9ab3 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -384,11 +384,11 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        int i;
        enum nl80211_channel_type orig_ct;
+        clear_bit(SDATA_STATE_RUNNING, &sdata->state);
        if (local->scan_sdata == sdata)
                ieee80211_scan_cancel(local);
-        clear_bit(SDATA_STATE_RUNNING, &sdata->state);
        /*
         * Stop TX on this interface first.
         */
@@ -449,7 +449,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        /* APs need special treatment */
        if (sdata->vif.type == NL80211_IFTYPE_AP) {
                struct ieee80211_sub_if_data *vlan, *tmpsdata;
-                struct beacon_data *old_beacon = sdata->u.ap.beacon;
+                struct beacon_data *old_beacon =
+                        rtnl_dereference(sdata->u.ap.beacon);
                /* sdata_running will return false, so this will disable */
                ieee80211_bss_info_change_notify(sdata,
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index af3c56482c80..f825e2f0a57e 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -186,7 +186,7 @@ static void __ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata,
        assert_key_lock(sdata->local);
        if (idx >= 0 && idx < NUM_DEFAULT_KEYS)
-                key = sdata->keys[idx];
+                key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
        if (uni)
                rcu_assign_pointer(sdata->default_unicast_key, key);
@@ -213,7 +213,7 @@ __ieee80211_set_default_mgmt_key(struct ieee80211_sub_if_data *sdata, int idx)
        if (idx >= NUM_DEFAULT_KEYS &&
            idx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
-                key = sdata->keys[idx];
+                key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
        rcu_assign_pointer(sdata->default_mgmt_key, key);
@@ -257,9 +257,15 @@ static void __ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
                else
                        idx = new->conf.keyidx;
-                defunikey = old && sdata->default_unicast_key == old;
+                defunikey = old &&
-                defmultikey = old && sdata->default_multicast_key == old;
+                        old == key_mtx_dereference(sdata->local,
-                defmgmtkey = old && sdata->default_mgmt_key == old;
+                                                sdata->default_unicast_key);
+                defmultikey = old &&
+                        old == key_mtx_dereference(sdata->local,
+                                                sdata->default_multicast_key);
+                defmgmtkey = old &&
+                        old == key_mtx_dereference(sdata->local,
+                                                sdata->default_mgmt_key);
                if (defunikey && !new)
                        __ieee80211_set_default_key(sdata, -1, true, false);
@@ -440,11 +446,11 @@ int ieee80211_key_link(struct ieee80211_key *key,
        mutex_lock(&sdata->local->key_mtx);
        if (sta && pairwise)
-                old_key = sta->ptk;
+                old_key = key_mtx_dereference(sdata->local, sta->ptk);
        else if (sta)
-                old_key = sta->gtk[idx];
+                old_key = key_mtx_dereference(sdata->local, sta->gtk[idx]);
        else
-                old_key = sdata->keys[idx];
+                old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
        __ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
        __ieee80211_key_destroy(old_key);
@@ -458,8 +464,11 @@ int ieee80211_key_link(struct ieee80211_key *key,
        return ret;
 }
-static void __ieee80211_key_free(struct ieee80211_key *key)
+void __ieee80211_key_free(struct ieee80211_key *key)
 {
+        if (!key)
+                return;
        /*
         * Replace key with nothingness if it was ever used.
         */
@@ -473,9 +482,6 @@ static void __ieee80211_key_free(struct ieee80211_key *key)
 void ieee80211_key_free(struct ieee80211_local *local,
                        struct ieee80211_key *key)
 {
-        if (!key)
-                return;
        mutex_lock(&local->key_mtx);
        __ieee80211_key_free(key);
        mutex_unlock(&local->key_mtx);
diff --git a/net/mac80211/key.h b/net/mac80211/key.h
index 4ddbe27eb570..d801d5351336 100644
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -135,6 +135,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
 int __must_check ieee80211_key_link(struct ieee80211_key *key,
                                    struct ieee80211_sub_if_data *sdata,
                                    struct sta_info *sta);
+void __ieee80211_key_free(struct ieee80211_key *key);
 void ieee80211_key_free(struct ieee80211_local *local,
                        struct ieee80211_key *key);
 void ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata, int idx,
@@ -145,4 +146,7 @@ void ieee80211_free_keys(struct ieee80211_sub_if_data *sdata);
 void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata);
 void ieee80211_disable_keys(struct ieee80211_sub_if_data *sdata);
+#define key_mtx_dereference(local, ref) \
+        rcu_dereference_protected(ref, lockdep_is_held(&((local)->key_mtx)))
 #endif /* IEEE80211_KEY_H */
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 562d2984c482..866f269183cf 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -33,12 +33,6 @@
 #include "cfg.h"
 #include "debugfs.h"
-static bool ieee80211_disable_40mhz_24ghz;
-module_param(ieee80211_disable_40mhz_24ghz, bool, 0644);
-MODULE_PARM_DESC(ieee80211_disable_40mhz_24ghz,
-                 "Disable 40MHz support in the 2.4GHz band");
 static struct lock_class_key ieee80211_rx_skb_queue_class;
 void ieee80211_configure_filter(struct ieee80211_local *local)
@@ -364,7 +358,8 @@ static void ieee80211_restart_work(struct work_struct *work)
        flush_workqueue(local->workqueue);
        mutex_lock(&local->mtx);
-        WARN(test_bit(SCAN_HW_SCANNING, &local->scanning),
+        WARN(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
+             local->sched_scanning,
                "%s called with hardware scan in progress\n", __func__);
        mutex_unlock(&local->mtx);
@@ -545,7 +540,9 @@ ieee80211_default_mgmt_stypes[NUM_NL80211_IFTYPES] = {
        },
        [NL80211_IFTYPE_MESH_POINT] = {
                .tx = 0xffff,
-                .rx = BIT(IEEE80211_STYPE_ACTION >> 4),
+                .rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
+                        BIT(IEEE80211_STYPE_AUTH >> 4) |
+                        BIT(IEEE80211_STYPE_DEAUTH >> 4),
        },
 };
@@ -584,8 +581,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
        wiphy->flags |= WIPHY_FLAG_NETNS_OK |
                        WIPHY_FLAG_4ADDR_AP |
-                        WIPHY_FLAG_4ADDR_STATION |
+                        WIPHY_FLAG_4ADDR_STATION;
-                        WIPHY_FLAG_SUPPORTS_SEPARATE_DEFAULT_KEYS;
        if (!ops->set_key)
                wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
@@ -656,6 +652,9 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
        setup_timer(&local->dynamic_ps_timer,
                    ieee80211_dynamic_ps_timer, (unsigned long) local);
+        INIT_WORK(&local->sched_scan_stopped_work,
+                  ieee80211_sched_scan_stopped_work);
        sta_info_init(local);
        for (i = 0; i < IEEE80211_MAX_QUEUES; i++) {
@@ -686,7 +685,7 @@ EXPORT_SYMBOL(ieee80211_alloc_hw);
 int ieee80211_register_hw(struct ieee80211_hw *hw)
 {
        struct ieee80211_local *local = hw_to_local(hw);
-        int result;
+        int result, i;
        enum ieee80211_band band;
        int channels, max_bitrates;
        bool supp_ht;
@@ -701,6 +700,13 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                WLAN_CIPHER_SUITE_AES_CMAC
        };
+        if ((hw->wiphy->wowlan.flags || hw->wiphy->wowlan.n_patterns)
+#ifdef CONFIG_PM
+            && (!local->ops->suspend || !local->ops->resume)
+#endif
+            )
+                return -EINVAL;
        if (hw->max_report_rates == 0)
                hw->max_report_rates = hw->max_rates;
@@ -726,18 +732,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                }
                channels += sband->n_channels;
-                /*
-                 * Since ieee80211_disable_40mhz_24ghz is global, we can
-                 * modify the sband's ht data even if the driver uses a
-                 * global structure for that.
-                 */
-                if (ieee80211_disable_40mhz_24ghz &&
-                    band == IEEE80211_BAND_2GHZ &&
-                    sband->ht_cap.ht_supported) {
-                        sband->ht_cap.cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
-                        sband->ht_cap.cap &= ~IEEE80211_HT_CAP_SGI_40;
-                }
                if (max_bitrates < sband->n_bitrates)
                        max_bitrates = sband->n_bitrates;
                supp_ht = supp_ht || sband->ht_cap.ht_supported;
@@ -749,17 +743,44 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                return -ENOMEM;
        /* if low-level driver supports AP, we also support VLAN */
-        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_AP))
+        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_AP)) {
-                local->hw.wiphy->interface_modes |= BIT(NL80211_IFTYPE_AP_VLAN);
+                hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_AP_VLAN);
+                hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_AP_VLAN);
+        }
        /* mac80211 always supports monitor */
-        local->hw.wiphy->interface_modes |= BIT(NL80211_IFTYPE_MONITOR);
+        hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_MONITOR);
+        hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_MONITOR);
+        /*
+         * mac80211 doesn't support more than 1 channel, and also not more
+         * than one IBSS interface
+         */
+        for (i = 0; i < hw->wiphy->n_iface_combinations; i++) {
+                const struct ieee80211_iface_combination *c;
+                int j;
+                c = &hw->wiphy->iface_combinations[i];
+                if (c->num_different_channels > 1)
+                        return -EINVAL;
+                for (j = 0; j < c->n_limits; j++)
+                        if ((c->limits[j].types & BIT(NL80211_IFTYPE_ADHOC)) &&
+                            c->limits[j].max > 1)
+                                return -EINVAL;
+        }
 #ifndef CONFIG_MAC80211_MESH
        /* mesh depends on Kconfig, but drivers should set it if they want */
        local->hw.wiphy->interface_modes &= ~BIT(NL80211_IFTYPE_MESH_POINT);
 #endif
+        /* if the underlying driver supports mesh, mac80211 will (at least)
+         * provide routing of mesh authentication frames to userspace */
+        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_MESH_POINT))
+                local->hw.wiphy->flags |= WIPHY_FLAG_MESH_AUTH;
        /* mac80211 supports control port protocol changing */
        local->hw.wiphy->flags |= WIPHY_FLAG_CONTROL_PORT_PROTOCOL;
@@ -838,6 +859,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        if (!local->ops->remain_on_channel)
                local->hw.wiphy->max_remain_on_channel_duration = 5000;
+        if (local->ops->sched_scan_start)
+                local->hw.wiphy->flags |= WIPHY_FLAG_SUPPORTS_SCHED_SCAN;
        result = wiphy_register(local->hw.wiphy);
        if (result < 0)
                goto fail_wiphy_register;
@@ -861,8 +885,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
         * and we need some headroom for passing the frame to monitor
         * interfaces, but never both at the same time.
         */
+#ifndef __CHECKER__
        BUILD_BUG_ON(IEEE80211_TX_STATUS_HEADROOM !=
                        sizeof(struct ieee80211_tx_status_rtap_hdr));
+#endif
        local->tx_headroom = max_t(unsigned int , local->hw.extra_tx_headroom,
                                   sizeof(struct ieee80211_tx_status_rtap_hdr));
@@ -879,10 +905,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        local->dynamic_ps_forced_timeout = -1;
-        result = sta_info_start(local);
-        if (result < 0)
-                goto fail_sta_info;
        result = ieee80211_wep_init(local);
        if (result < 0)
                wiphy_debug(local->hw.wiphy, "Failed to initialize wep: %d\n",
@@ -945,7 +967,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        rtnl_unlock();
        ieee80211_wep_free(local);
        sta_info_stop(local);
- fail_sta_info:
        destroy_workqueue(local->workqueue);
 fail_workqueue:
        wiphy_unregister(local->hw.wiphy);
@@ -1069,6 +1090,8 @@ static void __exit ieee80211_exit(void)
                ieee80211s_stop();
        ieee80211_iface_exit();
+        rcu_barrier();
 }
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 2a57cc02c618..29e9980c8e60 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -279,57 +279,14 @@ void mesh_mgmt_ies_add(struct sk_buff *skb, struct ieee80211_sub_if_data *sdata)
            MESHCONF_CAPAB_ACCEPT_PLINKS : 0x00;
        *pos++ = 0x00;
-        if (sdata->u.mesh.vendor_ie) {
+        if (sdata->u.mesh.ie) {
-                int len = sdata->u.mesh.vendor_ie_len;
+                int len = sdata->u.mesh.ie_len;
-                const u8 *data = sdata->u.mesh.vendor_ie;
+                const u8 *data = sdata->u.mesh.ie;
                if (skb_tailroom(skb) > len)
                        memcpy(skb_put(skb, len), data, len);
        }
 }
-u32 mesh_table_hash(u8 *addr, struct ieee80211_sub_if_data *sdata, struct mesh_table *tbl)
-{
-        /* Use last four bytes of hw addr and interface index as hash index */
-        return jhash_2words(*(u32 *)(addr+2), sdata->dev->ifindex, tbl->hash_rnd)
-                & tbl->hash_mask;
-}
-struct mesh_table *mesh_table_alloc(int size_order)
-{
-        int i;
-        struct mesh_table *newtbl;
-        newtbl = kmalloc(sizeof(struct mesh_table), GFP_KERNEL);
-        if (!newtbl)
-                return NULL;
-        newtbl->hash_buckets = kzalloc(sizeof(struct hlist_head) *
-                        (1 << size_order), GFP_KERNEL);
-        if (!newtbl->hash_buckets) {
-                kfree(newtbl);
-                return NULL;
-        }
-        newtbl->hashwlock = kmalloc(sizeof(spinlock_t) *
-                        (1 << size_order), GFP_KERNEL);
-        if (!newtbl->hashwlock) {
-                kfree(newtbl->hash_buckets);
-                kfree(newtbl);
-                return NULL;
-        }
-        newtbl->size_order = size_order;
-        newtbl->hash_mask = (1 << size_order) - 1;
-        atomic_set(&newtbl->entries,  0);
-        get_random_bytes(&newtbl->hash_rnd,
-                        sizeof(newtbl->hash_rnd));
-        for (i = 0; i <= newtbl->hash_mask; i++)
-                spin_lock_init(&newtbl->hashwlock[i]);
-        return newtbl;
-}
 static void ieee80211_mesh_path_timer(unsigned long data)
 {
@@ -573,6 +530,10 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
        ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
                               &elems);
+        /* ignore beacons from secure mesh peers if our security is off */
+        if (elems.rsn_len && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE)
+                return;
        if (elems.ds_params && elems.ds_params_len == 1)
                freq = ieee80211_channel_to_frequency(elems.ds_params[0], band);
        else
@@ -586,9 +547,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
        if (elems.mesh_id && elems.mesh_config &&
            mesh_matches_local(&elems, sdata)) {
                supp_rates = ieee80211_sta_get_rates(local, &elems, band);
+                mesh_neighbour_update(mgmt->sa, supp_rates, sdata, &elems);
-                mesh_neighbour_update(mgmt->sa, supp_rates, sdata,
-                                      mesh_peer_accepts_plinks(&elems));
        }
 }
@@ -598,7 +557,7 @@ static void ieee80211_mesh_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
                                          struct ieee80211_rx_status *rx_status)
 {
        switch (mgmt->u.action.category) {
-        case WLAN_CATEGORY_MESH_PLINK:
+        case WLAN_CATEGORY_MESH_ACTION:
                mesh_rx_plink_frame(sdata, mgmt, len, rx_status);
                break;
        case WLAN_CATEGORY_MESH_PATH_SEL:
@@ -611,12 +570,9 @@ void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                                   struct sk_buff *skb)
 {
        struct ieee80211_rx_status *rx_status;
-        struct ieee80211_if_mesh *ifmsh;
        struct ieee80211_mgmt *mgmt;
        u16 stype;
-        ifmsh = &sdata->u.mesh;
        rx_status = IEEE80211_SKB_RXCB(skb);
        mgmt = (struct ieee80211_mgmt *) skb->data;
        stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index b99e230fe31c..249e733362e7 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -92,7 +92,7 @@ struct mesh_path {
        u8 dst[ETH_ALEN];
        u8 mpp[ETH_ALEN];       /* used for MPP or MAP */
        struct ieee80211_sub_if_data *sdata;
-        struct sta_info *next_hop;
+        struct sta_info __rcu *next_hop;
        struct timer_list timer;
        struct sk_buff_head frame_queue;
        struct rcu_head rcu;
@@ -120,6 +120,7 @@ struct mesh_path {
 *      buckets
 * @mean_chain_len: maximum average length for the hash buckets' list, if it is
 *      reached, the table will grow
+ * rcu_head: RCU head to free the table
 */
 struct mesh_table {
        /* Number of buckets will be 2^N */
@@ -132,6 +133,8 @@ struct mesh_table {
        int (*copy_node) (struct hlist_node *p, struct mesh_table *newtbl);
        int size_order;
        int mean_chain_len;
+        struct rcu_head rcu_head;
 };
 /* Recent multicast cache */
@@ -226,7 +229,8 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
 int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata);
 /* Mesh plinks */
 void mesh_neighbour_update(u8 *hw_addr, u32 rates,
-                struct ieee80211_sub_if_data *sdata, bool add);
+                struct ieee80211_sub_if_data *sdata,
+                struct ieee802_11_elems *ie);
 bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie);
 void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata);
 void mesh_plink_broken(struct sta_info *sta);
@@ -239,12 +243,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
 /* Private interfaces */
 /* Mesh tables */
-struct mesh_table *mesh_table_alloc(int size_order);
-void mesh_table_free(struct mesh_table *tbl, bool free_leafs);
 void mesh_mpath_table_grow(void);
 void mesh_mpp_table_grow(void);
-u32 mesh_table_hash(u8 *addr, struct ieee80211_sub_if_data *sdata,
-                struct mesh_table *tbl);
 /* Mesh paths */
 int mesh_path_error_tx(u8 ttl, u8 *target, __le32 target_sn, __le16 target_rcode,
                       const u8 *ra, struct ieee80211_sub_if_data *sdata);
@@ -289,10 +289,6 @@ static inline bool mesh_path_sel_is_hwmp(struct ieee80211_sub_if_data *sdata)
        return sdata->u.mesh.mesh_pp_id == IEEE80211_PATH_PROTOCOL_HWMP;
 }
-#define for_each_mesh_entry(x, p, node, i) \
-        for (i = 0; i <= x->hash_mask; i++) \
-                hlist_for_each_entry_rcu(node, p, &x->hash_buckets[i], list)
 void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local);
 void ieee80211_mesh_quiesce(struct ieee80211_sub_if_data *sdata);
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 5bf64d7112b3..2b18053070c1 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -391,7 +391,6 @@ static u32 hwmp_route_info_get(struct ieee80211_sub_if_data *sdata,
                            (mpath->flags & MESH_PATH_SN_VALID)) {
                                if (SN_GT(mpath->sn, orig_sn) ||
                                    (mpath->sn == orig_sn &&
-                                     action == MPATH_PREQ &&
                                     new_metric >= mpath->metric)) {
                                        process = false;
                                        fresh_info = false;
@@ -561,6 +560,14 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
 }
+static inline struct sta_info *
+next_hop_deref_protected(struct mesh_path *mpath)
+{
+        return rcu_dereference_protected(mpath->next_hop,
+                                         lockdep_is_held(&mpath->state_lock));
+}
 static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
                                    struct ieee80211_mgmt *mgmt,
                                    u8 *prep_elem, u32 metric)
@@ -600,7 +607,7 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
                spin_unlock_bh(&mpath->state_lock);
                goto fail;
        }
-        memcpy(next_hop, mpath->next_hop->sta.addr, ETH_ALEN);
+        memcpy(next_hop, next_hop_deref_protected(mpath)->sta.addr, ETH_ALEN);
        spin_unlock_bh(&mpath->state_lock);
        --ttl;
        flags = PREP_IE_FLAGS(prep_elem);
@@ -633,7 +640,6 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
        struct mesh_path *mpath;
        u8 ttl;
        u8 *ta, *target_addr;
-        u8 target_flags;
        u32 target_sn;
        u16 target_rcode;
@@ -644,7 +650,6 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
                return;
        }
        ttl--;
-        target_flags = PERR_IE_TARGET_FLAGS(perr_elem);
        target_addr = PERR_IE_TARGET_ADDR(perr_elem);
        target_sn = PERR_IE_TARGET_SN(perr_elem);
        target_rcode = PERR_IE_TARGET_RCODE(perr_elem);
@@ -654,7 +659,8 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
        if (mpath) {
                spin_lock_bh(&mpath->state_lock);
                if (mpath->flags & MESH_PATH_ACTIVE &&
-                    memcmp(ta, mpath->next_hop->sta.addr, ETH_ALEN) == 0 &&
+                    memcmp(ta, next_hop_deref_protected(mpath)->sta.addr,
+                                                        ETH_ALEN) == 0 &&
                    (!(mpath->flags & MESH_PATH_SN_VALID) ||
                    SN_GT(target_sn, mpath->sn))) {
                        mpath->flags &= ~MESH_PATH_ACTIVE;
@@ -675,12 +681,10 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
        struct mesh_path *mpath;
-        u8 *ta;
        u8 ttl, flags, hopcount;
        u8 *orig_addr;
        u32 orig_sn, metric;
-        ta = mgmt->sa;
        ttl = rann->rann_ttl;
        if (ttl <= 1) {
                ifmsh->mshstats.dropped_frames_ttl++;
@@ -918,6 +922,7 @@ int mesh_nexthop_lookup(struct sk_buff *skb,
 {
        struct sk_buff *skb_to_free = NULL;
        struct mesh_path *mpath;
+        struct sta_info *next_hop;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
        u8 *target_addr = hdr->addr3;
        int err = 0;
@@ -945,7 +950,11 @@ int mesh_nexthop_lookup(struct sk_buff *skb,
                        mesh_queue_preq(mpath,
                                        PREQ_Q_F_START | PREQ_Q_F_REFRESH);
                }
-                memcpy(hdr->addr1, mpath->next_hop->sta.addr, ETH_ALEN);
+                next_hop = rcu_dereference(mpath->next_hop);
+                if (next_hop)
+                        memcpy(hdr->addr1, next_hop->sta.addr, ETH_ALEN);
+                else
+                        err = -ENOENT;
        } else {
                struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
                if (!(mpath->flags & MESH_PATH_RESOLVING)) {
@@ -971,20 +980,11 @@ endlookup:
 void mesh_path_timer(unsigned long data)
 {
-        struct ieee80211_sub_if_data *sdata;
+        struct mesh_path *mpath = (void *) data;
-        struct mesh_path *mpath;
+        struct ieee80211_sub_if_data *sdata = mpath->sdata;
-        rcu_read_lock();
-        mpath = (struct mesh_path *) data;
-        mpath = rcu_dereference(mpath);
-        if (!mpath)
-                goto endmpathtimer;
-        sdata = mpath->sdata;
-        if (sdata->local->quiescing) {
+        if (sdata->local->quiescing)
-                rcu_read_unlock();
                return;
-        }
        spin_lock_bh(&mpath->state_lock);
        if (mpath->flags & MESH_PATH_RESOLVED ||
@@ -1001,8 +1001,6 @@ void mesh_path_timer(unsigned long data)
        }
        spin_unlock_bh(&mpath->state_lock);
-endmpathtimer:
-        rcu_read_unlock();
 }
 void
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 336ca9d0c5c4..0d2faacc3e87 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -36,10 +36,77 @@ struct mpath_node {
        struct mesh_path *mpath;
 };
-static struct mesh_table *mesh_paths;
+static struct mesh_table __rcu *mesh_paths;
-static struct mesh_table *mpp_paths; /* Store paths for MPP&MAP */
+static struct mesh_table __rcu *mpp_paths; /* Store paths for MPP&MAP */
 int mesh_paths_generation;
+/* This lock will have the grow table function as writer and add / delete nodes
+ * as readers. When reading the table (i.e. doing lookups) we are well protected
+ * by RCU
+ */
+static DEFINE_RWLOCK(pathtbl_resize_lock);
+static inline struct mesh_table *resize_dereference_mesh_paths(void)
+{
+        return rcu_dereference_protected(mesh_paths,
+                lockdep_is_held(&pathtbl_resize_lock));
+}
+static inline struct mesh_table *resize_dereference_mpp_paths(void)
+{
+        return rcu_dereference_protected(mpp_paths,
+                lockdep_is_held(&pathtbl_resize_lock));
+}
+/*
+ * CAREFUL -- "tbl" must not be an expression,
+ * in particular not an rcu_dereference(), since
+ * it's used twice. So it is illegal to do
+ *      for_each_mesh_entry(rcu_dereference(...), ...)
+ */
+#define for_each_mesh_entry(tbl, p, node, i) \
+        for (i = 0; i <= tbl->hash_mask; i++) \
+                hlist_for_each_entry_rcu(node, p, &tbl->hash_buckets[i], list)
+static struct mesh_table *mesh_table_alloc(int size_order)
+{
+        int i;
+        struct mesh_table *newtbl;
+        newtbl = kmalloc(sizeof(struct mesh_table), GFP_ATOMIC);
+        if (!newtbl)
+                return NULL;
+        newtbl->hash_buckets = kzalloc(sizeof(struct hlist_head) *
+                        (1 << size_order), GFP_ATOMIC);
+        if (!newtbl->hash_buckets) {
+                kfree(newtbl);
+                return NULL;
+        }
+        newtbl->hashwlock = kmalloc(sizeof(spinlock_t) *
+                        (1 << size_order), GFP_ATOMIC);
+        if (!newtbl->hashwlock) {
+                kfree(newtbl->hash_buckets);
+                kfree(newtbl);
+                return NULL;
+        }
+        newtbl->size_order = size_order;
+        newtbl->hash_mask = (1 << size_order) - 1;
+        atomic_set(&newtbl->entries,  0);
+        get_random_bytes(&newtbl->hash_rnd,
+                        sizeof(newtbl->hash_rnd));
+        for (i = 0; i <= newtbl->hash_mask; i++)
+                spin_lock_init(&newtbl->hashwlock[i]);
+        return newtbl;
+}
 static void __mesh_table_free(struct mesh_table *tbl)
 {
        kfree(tbl->hash_buckets);
@@ -47,7 +114,7 @@ static void __mesh_table_free(struct mesh_table *tbl)
        kfree(tbl);
 }
-void mesh_table_free(struct mesh_table *tbl, bool free_leafs)
+static void mesh_table_free(struct mesh_table *tbl, bool free_leafs)
 {
        struct hlist_head *mesh_hash;
        struct hlist_node *p, *q;
@@ -55,60 +122,56 @@ void mesh_table_free(struct mesh_table *tbl, bool free_leafs)
        mesh_hash = tbl->hash_buckets;
        for (i = 0; i <= tbl->hash_mask; i++) {
-                spin_lock(&tbl->hashwlock[i]);
+                spin_lock_bh(&tbl->hashwlock[i]);
                hlist_for_each_safe(p, q, &mesh_hash[i]) {
                        tbl->free_node(p, free_leafs);
                        atomic_dec(&tbl->entries);
                }
-                spin_unlock(&tbl->hashwlock[i]);
+                spin_unlock_bh(&tbl->hashwlock[i]);
        }
        __mesh_table_free(tbl);
 }
-static struct mesh_table *mesh_table_grow(struct mesh_table *tbl)
+static int mesh_table_grow(struct mesh_table *oldtbl,
+                           struct mesh_table *newtbl)
 {
-        struct mesh_table *newtbl;
        struct hlist_head *oldhash;
        struct hlist_node *p, *q;
        int i;
-        if (atomic_read(&tbl->entries)
+        if (atomic_read(&oldtbl->entries)
-                        < tbl->mean_chain_len * (tbl->hash_mask + 1))
+                        < oldtbl->mean_chain_len * (oldtbl->hash_mask + 1))
-                goto endgrow;
+                return -EAGAIN;
-        newtbl = mesh_table_alloc(tbl->size_order + 1);
+        newtbl->free_node = oldtbl->free_node;
-        if (!newtbl)
+        newtbl->mean_chain_len = oldtbl->mean_chain_len;
-                goto endgrow;
+        newtbl->copy_node = oldtbl->copy_node;
+        atomic_set(&newtbl->entries, atomic_read(&oldtbl->entries));
-        newtbl->free_node = tbl->free_node;
-        newtbl->mean_chain_len = tbl->mean_chain_len;
-        newtbl->copy_node = tbl->copy_node;
-        atomic_set(&newtbl->entries, atomic_read(&tbl->entries));
-        oldhash = tbl->hash_buckets;
+        oldhash = oldtbl->hash_buckets;
-        for (i = 0; i <= tbl->hash_mask; i++)
+        for (i = 0; i <= oldtbl->hash_mask; i++)
                hlist_for_each(p, &oldhash[i])
-                        if (tbl->copy_node(p, newtbl) < 0)
+                        if (oldtbl->copy_node(p, newtbl) < 0)
                                goto errcopy;
-        return newtbl;
+        return 0;
 errcopy:
        for (i = 0; i <= newtbl->hash_mask; i++) {
                hlist_for_each_safe(p, q, &newtbl->hash_buckets[i])
-                        tbl->free_node(p, 0);
+                        oldtbl->free_node(p, 0);
        }
-        __mesh_table_free(newtbl);
+        return -ENOMEM;
-endgrow:
-        return NULL;
 }
+static u32 mesh_table_hash(u8 *addr, struct ieee80211_sub_if_data *sdata,
+                           struct mesh_table *tbl)
+{
+        /* Use last four bytes of hw addr and interface index as hash index */
+        return jhash_2words(*(u32 *)(addr+2), sdata->dev->ifindex, tbl->hash_rnd)
+                & tbl->hash_mask;
+}
-/* This lock will have the grow table function as writer and add / delete nodes
- * as readers. When reading the table (i.e. doing lookups) we are well protected
- * by RCU
- */
-static DEFINE_RWLOCK(pathtbl_resize_lock);
 /**
 *
@@ -218,12 +281,13 @@ struct mesh_path *mpp_path_lookup(u8 *dst, struct ieee80211_sub_if_data *sdata)
 */
 struct mesh_path *mesh_path_lookup_by_idx(int idx, struct ieee80211_sub_if_data *sdata)
 {
+        struct mesh_table *tbl = rcu_dereference(mesh_paths);
        struct mpath_node *node;
        struct hlist_node *p;
        int i;
        int j = 0;
-        for_each_mesh_entry(mesh_paths, p, node, i) {
+        for_each_mesh_entry(tbl, p, node, i) {
                if (sdata && node->mpath->sdata != sdata)
                        continue;
                if (j++ == idx) {
@@ -253,6 +317,7 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
 {
        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
        struct ieee80211_local *local = sdata->local;
+        struct mesh_table *tbl;
        struct mesh_path *mpath, *new_mpath;
        struct mpath_node *node, *new_node;
        struct hlist_head *bucket;
@@ -280,7 +345,7 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        if (!new_node)
                goto err_node_alloc;
-        read_lock(&pathtbl_resize_lock);
+        read_lock_bh(&pathtbl_resize_lock);
        memcpy(new_mpath->dst, dst, ETH_ALEN);
        new_mpath->sdata = sdata;
        new_mpath->flags = 0;
@@ -292,10 +357,12 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        spin_lock_init(&new_mpath->state_lock);
        init_timer(&new_mpath->timer);
-        hash_idx = mesh_table_hash(dst, sdata, mesh_paths);
+        tbl = resize_dereference_mesh_paths();
-        bucket = &mesh_paths->hash_buckets[hash_idx];
+        hash_idx = mesh_table_hash(dst, sdata, tbl);
+        bucket = &tbl->hash_buckets[hash_idx];
-        spin_lock(&mesh_paths->hashwlock[hash_idx]);
+        spin_lock_bh(&tbl->hashwlock[hash_idx]);
        err = -EEXIST;
        hlist_for_each_entry(node, n, bucket, list) {
@@ -305,14 +372,14 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        }
        hlist_add_head_rcu(&new_node->list, bucket);
-        if (atomic_inc_return(&mesh_paths->entries) >=
+        if (atomic_inc_return(&tbl->entries) >=
-                mesh_paths->mean_chain_len * (mesh_paths->hash_mask + 1))
+            tbl->mean_chain_len * (tbl->hash_mask + 1))
                grow = 1;
        mesh_paths_generation++;
-        spin_unlock(&mesh_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&tbl->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        if (grow) {
                set_bit(MESH_WORK_GROW_MPATH_TABLE,  &ifmsh->wrkq_flags);
                ieee80211_queue_work(&local->hw, &sdata->work);
@@ -320,8 +387,8 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        return 0;
 err_exists:
-        spin_unlock(&mesh_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&tbl->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        kfree(new_node);
 err_node_alloc:
        kfree(new_mpath);
@@ -330,46 +397,59 @@ err_path_alloc:
        return err;
 }
+static void mesh_table_free_rcu(struct rcu_head *rcu)
+{
+        struct mesh_table *tbl = container_of(rcu, struct mesh_table, rcu_head);
+        mesh_table_free(tbl, false);
+}
 void mesh_mpath_table_grow(void)
 {
        struct mesh_table *oldtbl, *newtbl;
-        write_lock(&pathtbl_resize_lock);
+        write_lock_bh(&pathtbl_resize_lock);
-        oldtbl = mesh_paths;
+        oldtbl = resize_dereference_mesh_paths();
-        newtbl = mesh_table_grow(mesh_paths);
+        newtbl = mesh_table_alloc(oldtbl->size_order + 1);
-        if (!newtbl) {
+        if (!newtbl)
-                write_unlock(&pathtbl_resize_lock);
+                goto out;
-                return;
+        if (mesh_table_grow(oldtbl, newtbl) < 0) {
+                __mesh_table_free(newtbl);
+                goto out;
        }
        rcu_assign_pointer(mesh_paths, newtbl);
-        write_unlock(&pathtbl_resize_lock);
-        synchronize_rcu();
+        call_rcu(&oldtbl->rcu_head, mesh_table_free_rcu);
-        mesh_table_free(oldtbl, false);
+ out:
+        write_unlock_bh(&pathtbl_resize_lock);
 }
 void mesh_mpp_table_grow(void)
 {
        struct mesh_table *oldtbl, *newtbl;
-        write_lock(&pathtbl_resize_lock);
+        write_lock_bh(&pathtbl_resize_lock);
-        oldtbl = mpp_paths;
+        oldtbl = resize_dereference_mpp_paths();
-        newtbl = mesh_table_grow(mpp_paths);
+        newtbl = mesh_table_alloc(oldtbl->size_order + 1);
-        if (!newtbl) {
+        if (!newtbl)
-                write_unlock(&pathtbl_resize_lock);
+                goto out;
-                return;
+        if (mesh_table_grow(oldtbl, newtbl) < 0) {
+                __mesh_table_free(newtbl);
+                goto out;
        }
        rcu_assign_pointer(mpp_paths, newtbl);
-        write_unlock(&pathtbl_resize_lock);
+        call_rcu(&oldtbl->rcu_head, mesh_table_free_rcu);
-        synchronize_rcu();
+ out:
-        mesh_table_free(oldtbl, false);
+        write_unlock_bh(&pathtbl_resize_lock);
 }
 int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
 {
        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
        struct ieee80211_local *local = sdata->local;
+        struct mesh_table *tbl;
        struct mesh_path *mpath, *new_mpath;
        struct mpath_node *node, *new_node;
        struct hlist_head *bucket;
@@ -394,7 +474,7 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        if (!new_node)
                goto err_node_alloc;
-        read_lock(&pathtbl_resize_lock);
+        read_lock_bh(&pathtbl_resize_lock);
        memcpy(new_mpath->dst, dst, ETH_ALEN);
        memcpy(new_mpath->mpp, mpp, ETH_ALEN);
        new_mpath->sdata = sdata;
@@ -404,10 +484,12 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        new_mpath->exp_time = jiffies;
        spin_lock_init(&new_mpath->state_lock);
-        hash_idx = mesh_table_hash(dst, sdata, mpp_paths);
+        tbl = resize_dereference_mpp_paths();
-        bucket = &mpp_paths->hash_buckets[hash_idx];
+        hash_idx = mesh_table_hash(dst, sdata, tbl);
+        bucket = &tbl->hash_buckets[hash_idx];
-        spin_lock(&mpp_paths->hashwlock[hash_idx]);
+        spin_lock_bh(&tbl->hashwlock[hash_idx]);
        err = -EEXIST;
        hlist_for_each_entry(node, n, bucket, list) {
@@ -417,12 +499,12 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        }
        hlist_add_head_rcu(&new_node->list, bucket);
-        if (atomic_inc_return(&mpp_paths->entries) >=
+        if (atomic_inc_return(&tbl->entries) >=
-                mpp_paths->mean_chain_len * (mpp_paths->hash_mask + 1))
+            tbl->mean_chain_len * (tbl->hash_mask + 1))
                grow = 1;
-        spin_unlock(&mpp_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&tbl->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        if (grow) {
                set_bit(MESH_WORK_GROW_MPP_TABLE,  &ifmsh->wrkq_flags);
                ieee80211_queue_work(&local->hw, &sdata->work);
@@ -430,8 +512,8 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        return 0;
 err_exists:
-        spin_unlock(&mpp_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&tbl->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        kfree(new_node);
 err_node_alloc:
        kfree(new_mpath);
@@ -450,6 +532,7 @@ err_path_alloc:
 */
 void mesh_plink_broken(struct sta_info *sta)
 {
+        struct mesh_table *tbl;
        static const u8 bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
        struct mesh_path *mpath;
        struct mpath_node *node;
@@ -458,10 +541,11 @@ void mesh_plink_broken(struct sta_info *sta)
        int i;
        rcu_read_lock();
-        for_each_mesh_entry(mesh_paths, p, node, i) {
+        tbl = rcu_dereference(mesh_paths);
+        for_each_mesh_entry(tbl, p, node, i) {
                mpath = node->mpath;
                spin_lock_bh(&mpath->state_lock);
-                if (mpath->next_hop == sta &&
+                if (rcu_dereference(mpath->next_hop) == sta &&
                    mpath->flags & MESH_PATH_ACTIVE &&
                    !(mpath->flags & MESH_PATH_FIXED)) {
                        mpath->flags &= ~MESH_PATH_ACTIVE;
@@ -490,30 +574,38 @@ void mesh_plink_broken(struct sta_info *sta)
 */
 void mesh_path_flush_by_nexthop(struct sta_info *sta)
 {
+        struct mesh_table *tbl;
        struct mesh_path *mpath;
        struct mpath_node *node;
        struct hlist_node *p;
        int i;
-        for_each_mesh_entry(mesh_paths, p, node, i) {
+        rcu_read_lock();
+        tbl = rcu_dereference(mesh_paths);
+        for_each_mesh_entry(tbl, p, node, i) {
                mpath = node->mpath;
-                if (mpath->next_hop == sta)
+                if (rcu_dereference(mpath->next_hop) == sta)
                        mesh_path_del(mpath->dst, mpath->sdata);
        }
+        rcu_read_unlock();
 }
 void mesh_path_flush(struct ieee80211_sub_if_data *sdata)
 {
+        struct mesh_table *tbl;
        struct mesh_path *mpath;
        struct mpath_node *node;
        struct hlist_node *p;
        int i;
-        for_each_mesh_entry(mesh_paths, p, node, i) {
+        rcu_read_lock();
+        tbl = rcu_dereference(mesh_paths);
+        for_each_mesh_entry(tbl, p, node, i) {
                mpath = node->mpath;
                if (mpath->sdata == sdata)
                        mesh_path_del(mpath->dst, mpath->sdata);
        }
+        rcu_read_unlock();
 }
 static void mesh_path_node_reclaim(struct rcu_head *rp)
@@ -537,6 +629,7 @@ static void mesh_path_node_reclaim(struct rcu_head *rp)
 */
 int mesh_path_del(u8 *addr, struct ieee80211_sub_if_data *sdata)
 {
+        struct mesh_table *tbl;
        struct mesh_path *mpath;
        struct mpath_node *node;
        struct hlist_head *bucket;
@@ -544,20 +637,21 @@ int mesh_path_del(u8 *addr, struct ieee80211_sub_if_data *sdata)
        int hash_idx;
        int err = 0;
-        read_lock(&pathtbl_resize_lock);
+        read_lock_bh(&pathtbl_resize_lock);
-        hash_idx = mesh_table_hash(addr, sdata, mesh_paths);
+        tbl = resize_dereference_mesh_paths();
-        bucket = &mesh_paths->hash_buckets[hash_idx];
+        hash_idx = mesh_table_hash(addr, sdata, tbl);
+        bucket = &tbl->hash_buckets[hash_idx];
-        spin_lock(&mesh_paths->hashwlock[hash_idx]);
+        spin_lock_bh(&tbl->hashwlock[hash_idx]);
        hlist_for_each_entry(node, n, bucket, list) {
                mpath = node->mpath;
                if (mpath->sdata == sdata &&
-                                memcmp(addr, mpath->dst, ETH_ALEN) == 0) {
+                    memcmp(addr, mpath->dst, ETH_ALEN) == 0) {
                        spin_lock_bh(&mpath->state_lock);
                        mpath->flags |= MESH_PATH_RESOLVING;
                        hlist_del_rcu(&node->list);
                        call_rcu(&node->rcu, mesh_path_node_reclaim);
-                        atomic_dec(&mesh_paths->entries);
+                        atomic_dec(&tbl->entries);
                        spin_unlock_bh(&mpath->state_lock);
                        goto enddel;
                }
@@ -566,8 +660,8 @@ int mesh_path_del(u8 *addr, struct ieee80211_sub_if_data *sdata)
        err = -ENXIO;
 enddel:
        mesh_paths_generation++;
-        spin_unlock(&mesh_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&tbl->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        return err;
 }
@@ -667,8 +761,10 @@ static void mesh_path_node_free(struct hlist_node *p, bool free_leafs)
        struct mpath_node *node = hlist_entry(p, struct mpath_node, list);
        mpath = node->mpath;
        hlist_del_rcu(p);
-        if (free_leafs)
+        if (free_leafs) {
+                del_timer_sync(&mpath->timer);
                kfree(mpath);
+        }
        kfree(node);
 }
@@ -693,52 +789,60 @@ static int mesh_path_node_copy(struct hlist_node *p, struct mesh_table *newtbl)
 int mesh_pathtbl_init(void)
 {
-        mesh_paths = mesh_table_alloc(INIT_PATHS_SIZE_ORDER);
+        struct mesh_table *tbl_path, *tbl_mpp;
-        if (!mesh_paths)
+        tbl_path = mesh_table_alloc(INIT_PATHS_SIZE_ORDER);
+        if (!tbl_path)
                return -ENOMEM;
-        mesh_paths->free_node = &mesh_path_node_free;
+        tbl_path->free_node = &mesh_path_node_free;
-        mesh_paths->copy_node = &mesh_path_node_copy;
+        tbl_path->copy_node = &mesh_path_node_copy;
-        mesh_paths->mean_chain_len = MEAN_CHAIN_LEN;
+        tbl_path->mean_chain_len = MEAN_CHAIN_LEN;
-        mpp_paths = mesh_table_alloc(INIT_PATHS_SIZE_ORDER);
+        tbl_mpp = mesh_table_alloc(INIT_PATHS_SIZE_ORDER);
-        if (!mpp_paths) {
+        if (!tbl_mpp) {
-                mesh_table_free(mesh_paths, true);
+                mesh_table_free(tbl_path, true);
                return -ENOMEM;
        }
-        mpp_paths->free_node = &mesh_path_node_free;
+        tbl_mpp->free_node = &mesh_path_node_free;
-        mpp_paths->copy_node = &mesh_path_node_copy;
+        tbl_mpp->copy_node = &mesh_path_node_copy;
-        mpp_paths->mean_chain_len = MEAN_CHAIN_LEN;
+        tbl_mpp->mean_chain_len = MEAN_CHAIN_LEN;
+        /* Need no locking since this is during init */
+        RCU_INIT_POINTER(mesh_paths, tbl_path);
+        RCU_INIT_POINTER(mpp_paths, tbl_mpp);
        return 0;
 }
 void mesh_path_expire(struct ieee80211_sub_if_data *sdata)
 {
+        struct mesh_table *tbl;
        struct mesh_path *mpath;
        struct mpath_node *node;
        struct hlist_node *p;
        int i;
-        read_lock(&pathtbl_resize_lock);
+        rcu_read_lock();
-        for_each_mesh_entry(mesh_paths, p, node, i) {
+        tbl = rcu_dereference(mesh_paths);
+        for_each_mesh_entry(tbl, p, node, i) {
                if (node->mpath->sdata != sdata)
                        continue;
                mpath = node->mpath;
                spin_lock_bh(&mpath->state_lock);
                if ((!(mpath->flags & MESH_PATH_RESOLVING)) &&
                    (!(mpath->flags & MESH_PATH_FIXED)) &&
-                        time_after(jiffies,
+                     time_after(jiffies, mpath->exp_time + MESH_PATH_EXPIRE)) {
-                         mpath->exp_time + MESH_PATH_EXPIRE)) {
                        spin_unlock_bh(&mpath->state_lock);
                        mesh_path_del(mpath->dst, mpath->sdata);
                } else
                        spin_unlock_bh(&mpath->state_lock);
        }
-        read_unlock(&pathtbl_resize_lock);
+        rcu_read_unlock();
 }
 void mesh_pathtbl_unregister(void)
 {
-        mesh_table_free(mesh_paths, true);
+        /* no need for locking during exit path */
-        mesh_table_free(mpp_paths, true);
+        mesh_table_free(rcu_dereference_raw(mesh_paths), true);
+        mesh_table_free(rcu_dereference_raw(mpp_paths), true);
 }
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 44b53931ba5e..f4adc0917888 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -43,7 +43,7 @@
 #define dot11MeshMaxPeerLinks(s) (s->u.mesh.mshcfg.dot11MeshMaxPeerLinks)
 enum plink_frame_type {
-        PLINK_OPEN = 0,
+        PLINK_OPEN = 1,
        PLINK_CONFIRM,
        PLINK_CLOSE
 };
@@ -83,7 +83,7 @@ void mesh_plink_dec_estab_count(struct ieee80211_sub_if_data *sdata)
 */
 static inline void mesh_plink_fsm_restart(struct sta_info *sta)
 {
-        sta->plink_state = PLINK_LISTEN;
+        sta->plink_state = NL80211_PLINK_LISTEN;
        sta->llid = sta->plid = sta->reason = 0;
        sta->plink_retries = 0;
 }
@@ -105,7 +105,7 @@ static struct sta_info *mesh_plink_alloc(struct ieee80211_sub_if_data *sdata,
        if (!sta)
                return NULL;
-        sta->flags = WLAN_STA_AUTHORIZED;
+        sta->flags = WLAN_STA_AUTHORIZED | WLAN_STA_AUTH;
        sta->sta.supp_rates[local->hw.conf.channel->band] = rates;
        rate_control_rate_init(sta);
@@ -126,11 +126,11 @@ static bool __mesh_plink_deactivate(struct sta_info *sta)
        struct ieee80211_sub_if_data *sdata = sta->sdata;
        bool deactivated = false;
-        if (sta->plink_state == PLINK_ESTAB) {
+        if (sta->plink_state == NL80211_PLINK_ESTAB) {
                mesh_plink_dec_estab_count(sdata);
                deactivated = true;
        }
-        sta->plink_state = PLINK_BLOCKED;
+        sta->plink_state = NL80211_PLINK_BLOCKED;
        mesh_path_flush_by_nexthop(sta);
        return deactivated;
@@ -161,7 +161,7 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
                __le16 reason) {
        struct ieee80211_local *local = sdata->local;
        struct sk_buff *skb = dev_alloc_skb(local->hw.extra_tx_headroom + 400 +
-                        sdata->u.mesh.vendor_ie_len);
+                        sdata->u.mesh.ie_len);
        struct ieee80211_mgmt *mgmt;
        bool include_plid = false;
        static const u8 meshpeeringproto[] = { 0x00, 0x0F, 0xAC, 0x2A };
@@ -181,8 +181,8 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
                                          IEEE80211_STYPE_ACTION);
        memcpy(mgmt->da, da, ETH_ALEN);
        memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
-        /* BSSID is left zeroed, wildcard value */
+        memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN);
-        mgmt->u.action.category = WLAN_CATEGORY_MESH_PLINK;
+        mgmt->u.action.category = WLAN_CATEGORY_MESH_ACTION;
        mgmt->u.action.u.plink_action.action_code = action;
        if (action == PLINK_CLOSE)
@@ -237,8 +237,9 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
        return 0;
 }
-void mesh_neighbour_update(u8 *hw_addr, u32 rates, struct ieee80211_sub_if_data *sdata,
+void mesh_neighbour_update(u8 *hw_addr, u32 rates,
-                           bool peer_accepting_plinks)
+                struct ieee80211_sub_if_data *sdata,
+                struct ieee802_11_elems *elems)
 {
        struct ieee80211_local *local = sdata->local;
        struct sta_info *sta;
@@ -248,8 +249,14 @@ void mesh_neighbour_update(u8 *hw_addr, u32 rates, struct ieee80211_sub_if_data
        sta = sta_info_get(sdata, hw_addr);
        if (!sta) {
                rcu_read_unlock();
+                /* Userspace handles peer allocation when security is enabled
-                sta = mesh_plink_alloc(sdata, hw_addr, rates);
+                 * */
+                if (sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED)
+                        cfg80211_notify_new_peer_candidate(sdata->dev, hw_addr,
+                                        elems->ie_start, elems->total_len,
+                                        GFP_KERNEL);
+                else
+                        sta = mesh_plink_alloc(sdata, hw_addr, rates);
                if (!sta)
                        return;
                if (sta_info_insert_rcu(sta)) {
@@ -260,7 +267,8 @@ void mesh_neighbour_update(u8 *hw_addr, u32 rates, struct ieee80211_sub_if_data
        sta->last_rx = jiffies;
        sta->sta.supp_rates[local->hw.conf.channel->band] = rates;
-        if (peer_accepting_plinks && sta->plink_state == PLINK_LISTEN &&
+        if (mesh_peer_accepts_plinks(elems) &&
+                        sta->plink_state == NL80211_PLINK_LISTEN &&
                        sdata->u.mesh.accepting_plinks &&
                        sdata->u.mesh.mshcfg.auto_open_plinks)
                mesh_plink_open(sta);
@@ -300,8 +308,8 @@ static void mesh_plink_timer(unsigned long data)
        sdata = sta->sdata;
        switch (sta->plink_state) {
-        case PLINK_OPN_RCVD:
+        case NL80211_PLINK_OPN_RCVD:
-        case PLINK_OPN_SNT:
+        case NL80211_PLINK_OPN_SNT:
                /* retry timer */
                if (sta->plink_retries < dot11MeshMaxRetries(sdata)) {
                        u32 rand;
@@ -320,17 +328,17 @@ static void mesh_plink_timer(unsigned long data)
                }
                reason = cpu_to_le16(MESH_MAX_RETRIES);
                /* fall through on else */
-        case PLINK_CNF_RCVD:
+        case NL80211_PLINK_CNF_RCVD:
                /* confirm timer */
                if (!reason)
                        reason = cpu_to_le16(MESH_CONFIRM_TIMEOUT);
-                sta->plink_state = PLINK_HOLDING;
+                sta->plink_state = NL80211_PLINK_HOLDING;
                mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
                spin_unlock_bh(&sta->lock);
                mesh_plink_frame_tx(sdata, PLINK_CLOSE, sta->sta.addr, llid, plid,
                                    reason);
                break;
-        case PLINK_HOLDING:
+        case NL80211_PLINK_HOLDING:
                /* holding timer */
                del_timer(&sta->plink_timer);
                mesh_plink_fsm_restart(sta);
@@ -372,14 +380,17 @@ int mesh_plink_open(struct sta_info *sta)
        __le16 llid;
        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        if (!test_sta_flags(sta, WLAN_STA_AUTH))
+                return -EPERM;
        spin_lock_bh(&sta->lock);
        get_random_bytes(&llid, 2);
        sta->llid = llid;
-        if (sta->plink_state != PLINK_LISTEN) {
+        if (sta->plink_state != NL80211_PLINK_LISTEN) {
                spin_unlock_bh(&sta->lock);
                return -EBUSY;
        }
-        sta->plink_state = PLINK_OPN_SNT;
+        sta->plink_state = NL80211_PLINK_OPN_SNT;
        mesh_plink_timer_set(sta, dot11MeshRetryTimeout(sdata));
        spin_unlock_bh(&sta->lock);
        mpl_dbg("Mesh plink: starting establishment with %pM\n",
@@ -396,7 +407,7 @@ void mesh_plink_block(struct sta_info *sta)
        spin_lock_bh(&sta->lock);
        deactivated = __mesh_plink_deactivate(sta);
-        sta->plink_state = PLINK_BLOCKED;
+        sta->plink_state = NL80211_PLINK_BLOCKED;
        spin_unlock_bh(&sta->lock);
        if (deactivated)
@@ -419,13 +430,13 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        __le16 plid, llid, reason;
 #ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
        static const char *mplstates[] = {
-                [PLINK_LISTEN] = "LISTEN",
+                [NL80211_PLINK_LISTEN] = "LISTEN",
-                [PLINK_OPN_SNT] = "OPN-SNT",
+                [NL80211_PLINK_OPN_SNT] = "OPN-SNT",
-                [PLINK_OPN_RCVD] = "OPN-RCVD",
+                [NL80211_PLINK_OPN_RCVD] = "OPN-RCVD",
-                [PLINK_CNF_RCVD] = "CNF_RCVD",
+                [NL80211_PLINK_CNF_RCVD] = "CNF_RCVD",
-                [PLINK_ESTAB] = "ESTAB",
+                [NL80211_PLINK_ESTAB] = "ESTAB",
-                [PLINK_HOLDING] = "HOLDING",
+                [NL80211_PLINK_HOLDING] = "HOLDING",
-                [PLINK_BLOCKED] = "BLOCKED"
+                [NL80211_PLINK_BLOCKED] = "BLOCKED"
        };
 #endif
@@ -449,6 +460,11 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                mpl_dbg("Mesh plink: missing necessary peer link ie\n");
                return;
        }
+        if (elems.rsn_len &&
+                        sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) {
+                mpl_dbg("Mesh plink: can't establish link with secure peer\n");
+                return;
+        }
        ftype = mgmt->u.action.u.plink_action.action_code;
        ie_len = elems.peer_link_len;
@@ -480,7 +496,13 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                return;
        }
-        if (sta && sta->plink_state == PLINK_BLOCKED) {
+        if (sta && !test_sta_flags(sta, WLAN_STA_AUTH)) {
+                mpl_dbg("Mesh plink: Action frame from non-authed peer\n");
+                rcu_read_unlock();
+                return;
+        }
+        if (sta && sta->plink_state == NL80211_PLINK_BLOCKED) {
                rcu_read_unlock();
                return;
        }
@@ -550,7 +572,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                                event = CNF_ACPT;
                        break;
                case PLINK_CLOSE:
-                        if (sta->plink_state == PLINK_ESTAB)
+                        if (sta->plink_state == NL80211_PLINK_ESTAB)
                                /* Do not check for llid or plid. This does not
                                 * follow the standard but since multiple plinks
                                 * per sta are not supported, it is necessary in
@@ -585,14 +607,14 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        reason = 0;
        switch (sta->plink_state) {
                /* spin_unlock as soon as state is updated at each case */
-        case PLINK_LISTEN:
+        case NL80211_PLINK_LISTEN:
                switch (event) {
                case CLS_ACPT:
                        mesh_plink_fsm_restart(sta);
                        spin_unlock_bh(&sta->lock);
                        break;
                case OPN_ACPT:
-                        sta->plink_state = PLINK_OPN_RCVD;
+                        sta->plink_state = NL80211_PLINK_OPN_RCVD;
                        sta->plid = plid;
                        get_random_bytes(&llid, 2);
                        sta->llid = llid;
@@ -609,7 +631,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_OPN_SNT:
+        case NL80211_PLINK_OPN_SNT:
                switch (event) {
                case OPN_RJCT:
                case CNF_RJCT:
@@ -618,7 +640,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        if (!reason)
                                reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        if (!mod_plink_timer(sta,
                                             dot11MeshHoldingTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -630,7 +652,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                case OPN_ACPT:
                        /* retry timer is left untouched */
-                        sta->plink_state = PLINK_OPN_RCVD;
+                        sta->plink_state = NL80211_PLINK_OPN_RCVD;
                        sta->plid = plid;
                        llid = sta->llid;
                        spin_unlock_bh(&sta->lock);
@@ -638,7 +660,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                                            plid, 0);
                        break;
                case CNF_ACPT:
-                        sta->plink_state = PLINK_CNF_RCVD;
+                        sta->plink_state = NL80211_PLINK_CNF_RCVD;
                        if (!mod_plink_timer(sta,
                                             dot11MeshConfirmTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -651,7 +673,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_OPN_RCVD:
+        case NL80211_PLINK_OPN_RCVD:
                switch (event) {
                case OPN_RJCT:
                case CNF_RJCT:
@@ -660,7 +682,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        if (!reason)
                                reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        if (!mod_plink_timer(sta,
                                             dot11MeshHoldingTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -678,7 +700,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                case CNF_ACPT:
                        del_timer(&sta->plink_timer);
-                        sta->plink_state = PLINK_ESTAB;
+                        sta->plink_state = NL80211_PLINK_ESTAB;
                        spin_unlock_bh(&sta->lock);
                        mesh_plink_inc_estab_count(sdata);
                        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON);
@@ -691,7 +713,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_CNF_RCVD:
+        case NL80211_PLINK_CNF_RCVD:
                switch (event) {
                case OPN_RJCT:
                case CNF_RJCT:
@@ -700,7 +722,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        if (!reason)
                                reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        if (!mod_plink_timer(sta,
                                             dot11MeshHoldingTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -712,7 +734,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                case OPN_ACPT:
                        del_timer(&sta->plink_timer);
-                        sta->plink_state = PLINK_ESTAB;
+                        sta->plink_state = NL80211_PLINK_ESTAB;
                        spin_unlock_bh(&sta->lock);
                        mesh_plink_inc_estab_count(sdata);
                        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON);
@@ -727,13 +749,13 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_ESTAB:
+        case NL80211_PLINK_ESTAB:
                switch (event) {
                case CLS_ACPT:
                        reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
                        deactivated = __mesh_plink_deactivate(sta);
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        llid = sta->llid;
                        mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
                        spin_unlock_bh(&sta->lock);
@@ -753,7 +775,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                }
                break;
-        case PLINK_HOLDING:
+        case NL80211_PLINK_HOLDING:
                switch (event) {
                case CLS_ACPT:
                        if (del_timer(&sta->plink_timer))
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 64d92d5a7f40..d595265d6c22 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -90,20 +90,11 @@ enum rx_mgmt_action {
        /* no action required */
        RX_MGMT_NONE,
-        /* caller must call cfg80211_send_rx_auth() */
-        RX_MGMT_CFG80211_AUTH,
-        /* caller must call cfg80211_send_rx_assoc() */
-        RX_MGMT_CFG80211_ASSOC,
        /* caller must call cfg80211_send_deauth() */
        RX_MGMT_CFG80211_DEAUTH,
        /* caller must call cfg80211_send_disassoc() */
        RX_MGMT_CFG80211_DISASSOC,
-        /* caller must tell cfg80211 about internal error */
-        RX_MGMT_CFG80211_ASSOC_ERROR,
 };
 /* utils */
@@ -759,6 +750,8 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
                             dynamic_ps_enable_work);
        struct ieee80211_sub_if_data *sdata = local->ps_sdata;
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        unsigned long flags;
+        int q;
        /* can only happen when PS was just disabled anyway */
        if (!sdata)
@@ -767,18 +760,37 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
        if (local->hw.conf.flags & IEEE80211_CONF_PS)
                return;
+        /*
+         * transmission can be stopped by others which leads to
+         * dynamic_ps_timer expiry. Postpond the ps timer if it
+         * is not the actual idle state.
+         */
+        spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
+        for (q = 0; q < local->hw.queues; q++) {
+                if (local->queue_stop_reasons[q]) {
+                        spin_unlock_irqrestore(&local->queue_stop_reason_lock,
+                                               flags);
+                        mod_timer(&local->dynamic_ps_timer, jiffies +
+                                  msecs_to_jiffies(
+                                  local->hw.conf.dynamic_ps_timeout));
+                        return;
+                }
+        }
+        spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
        if ((local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) &&
            (!(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED))) {
                netif_tx_stop_all_queues(sdata->dev);
-                /*
-                 * Flush all the frames queued in the driver before
-                 * going to power save
-                 */
-                drv_flush(local, false);
-                ieee80211_send_nullfunc(local, sdata, 1);
-                /* Flush once again to get the tx status of nullfunc frame */
+                if (drv_tx_frames_pending(local))
-                drv_flush(local, false);
+                        mod_timer(&local->dynamic_ps_timer, jiffies +
+                                  msecs_to_jiffies(
+                                  local->hw.conf.dynamic_ps_timeout));
+                else {
+                        ieee80211_send_nullfunc(local, sdata, 1);
+                        /* Flush to get the tx status of nullfunc frame */
+                        drv_flush(local, false);
+                }
        }
        if (!((local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS) &&
@@ -789,7 +801,7 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
        }
-        netif_tx_start_all_queues(sdata->dev);
+        netif_tx_wake_all_queues(sdata->dev);
 }
 void ieee80211_dynamic_ps_timer(unsigned long data)
@@ -1077,6 +1089,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
                local->hw.conf.flags &= ~IEEE80211_CONF_PS;
                config_changed |= IEEE80211_CONF_CHANGE_PS;
        }
+        local->ps_sdata = NULL;
        ieee80211_hw_config(local, config_changed);
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
index e37355193ed1..730778a2c90c 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -6,7 +6,7 @@
 #include "driver-ops.h"
 #include "led.h"
-int __ieee80211_suspend(struct ieee80211_hw *hw)
+int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
 {
        struct ieee80211_local *local = hw_to_local(hw);
        struct ieee80211_sub_if_data *sdata;
@@ -14,12 +14,23 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        ieee80211_scan_cancel(local);
+        if (hw->flags & IEEE80211_HW_AMPDU_AGGREGATION) {
+                mutex_lock(&local->sta_mtx);
+                list_for_each_entry(sta, &local->sta_list, list) {
+                        set_sta_flags(sta, WLAN_STA_BLOCK_BA);
+                        ieee80211_sta_tear_down_BA_sessions(sta, true);
+                }
+                mutex_unlock(&local->sta_mtx);
+        }
        ieee80211_stop_queues_by_reason(hw,
                        IEEE80211_QUEUE_STOP_REASON_SUSPEND);
        /* flush out all packets */
        synchronize_net();
+        drv_flush(local, false);
        local->quiescing = true;
        /* make quiescing visible to timers everywhere */
        mb();
@@ -36,6 +47,16 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        cancel_work_sync(&local->dynamic_ps_enable_work);
        del_timer_sync(&local->dynamic_ps_timer);
+        local->wowlan = wowlan && local->open_count;
+        if (local->wowlan) {
+                int err = drv_suspend(local, wowlan);
+                if (err) {
+                        local->quiescing = false;
+                        return err;
+                }
+                goto suspend;
+        }
        /* disable keys */
        list_for_each_entry(sdata, &local->interfaces, list)
                ieee80211_disable_keys(sdata);
@@ -43,11 +64,6 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        /* tear down aggregation sessions and remove STAs */
        mutex_lock(&local->sta_mtx);
        list_for_each_entry(sta, &local->sta_list, list) {
-                if (hw->flags & IEEE80211_HW_AMPDU_AGGREGATION) {
-                        set_sta_flags(sta, WLAN_STA_BLOCK_BA);
-                        ieee80211_sta_tear_down_BA_sessions(sta, true);
-                }
                if (sta->uploaded) {
                        sdata = sta->sdata;
                        if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
@@ -98,6 +114,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        if (local->open_count)
                ieee80211_stop_device(local);
+ suspend:
        local->suspended = true;
        /* need suspended to be visible before quiescing is false */
        barrier();
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index 778c604d7939..8adac67395f7 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -417,8 +417,8 @@ minstrel_rate_init(void *priv, struct ieee80211_supported_band *sband,
                        tx_time_single = mr->ack_time + mr->perfect_tx_time;
                        /* contention window */
-                        tx_time_single += t_slot + min(cw, mp->cw_max);
+                        tx_time_single += (t_slot * cw) >> 1;
-                        cw = (cw << 1) | 1;
+                        cw = min((cw << 1) | 1, mp->cw_max);
                        tx_time += tx_time_single;
                        tx_time_cts += tx_time_single + mi->sp_ack_dur;
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index c06aa3ac6b9d..333b5118be6d 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -464,6 +464,7 @@ minstrel_calc_retransmit(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
        const struct mcs_group *group;
        unsigned int tx_time, tx_time_rtscts, tx_time_data;
        unsigned int cw = mp->cw_min;
+        unsigned int ctime = 0;
        unsigned int t_slot = 9; /* FIXME */
        unsigned int ampdu_len = MINSTREL_TRUNC(mi->avg_ampdu_len);
@@ -480,13 +481,27 @@ minstrel_calc_retransmit(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
        group = &minstrel_mcs_groups[index / MCS_GROUP_RATES];
        tx_time_data = group->duration[index % MCS_GROUP_RATES] * ampdu_len;
-        tx_time = 2 * (t_slot + mi->overhead + tx_time_data);
-        tx_time_rtscts = 2 * (t_slot + mi->overhead_rtscts + tx_time_data);
+        /* Contention time for first 2 tries */
+        ctime = (t_slot * cw) >> 1;
+        cw = min((cw << 1) | 1, mp->cw_max);
+        ctime += (t_slot * cw) >> 1;
+        cw = min((cw << 1) | 1, mp->cw_max);
+        /* Total TX time for data and Contention after first 2 tries */
+        tx_time = ctime + 2 * (mi->overhead + tx_time_data);
+        tx_time_rtscts = ctime + 2 * (mi->overhead_rtscts + tx_time_data);
+        /* See how many more tries we can fit inside segment size */
        do {
-                cw = (cw << 1) | 1;
+                /* Contention time for this try */
-                cw = min(cw, mp->cw_max);
+                ctime = (t_slot * cw) >> 1;
-                tx_time += cw + t_slot + mi->overhead;
+                cw = min((cw << 1) | 1, mp->cw_max);
-                tx_time_rtscts += cw + t_slot + mi->overhead_rtscts;
+                /* Total TX time after this try */
+                tx_time += ctime + mi->overhead + tx_time_data;
+                tx_time_rtscts += ctime + mi->overhead_rtscts + tx_time_data;
                if (tx_time_rtscts < mp->segment_size)
                        mr->retry_count_rtscts++;
        } while ((tx_time < mp->segment_size) &&
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index c5d4530d8284..7fa8c6be7bf0 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -143,7 +143,8 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
        if (status->flag & RX_FLAG_HT) {
                /*
                 * MCS information is a separate field in radiotap,
-                 * added below.
+                 * added below. The byte here is needed as padding
+                 * for the channel though, so initialise it to 0.
                 */
                *pos = 0;
        } else {
@@ -403,11 +404,13 @@ ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
        struct sk_buff *skb = rx->skb;
-        if (likely(!(status->rx_flags & IEEE80211_RX_IN_SCAN)))
+        if (likely(!(status->rx_flags & IEEE80211_RX_IN_SCAN) &&
+                   !local->sched_scanning))
                return RX_CONTINUE;
        if (test_bit(SCAN_HW_SCANNING, &local->scanning) ||
-            test_bit(SCAN_SW_SCANNING, &local->scanning))
+            test_bit(SCAN_SW_SCANNING, &local->scanning) ||
+            local->sched_scanning)
                return ieee80211_scan_rx(rx->sdata, skb);
        /* scanning finished during invoking of handlers */
@@ -487,22 +490,26 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
         * establisment frame, beacon or probe, drop the frame.
         */
-        if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) {
+        if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
                struct ieee80211_mgmt *mgmt;
                if (!ieee80211_is_mgmt(hdr->frame_control))
                        return RX_DROP_MONITOR;
                if (ieee80211_is_action(hdr->frame_control)) {
+                        u8 category;
                        mgmt = (struct ieee80211_mgmt *)hdr;
-                        if (mgmt->u.action.category != WLAN_CATEGORY_MESH_PLINK)
+                        category = mgmt->u.action.category;
+                        if (category != WLAN_CATEGORY_MESH_ACTION &&
+                                category != WLAN_CATEGORY_SELF_PROTECTED)
                                return RX_DROP_MONITOR;
                        return RX_CONTINUE;
                }
                if (ieee80211_is_probe_req(hdr->frame_control) ||
                    ieee80211_is_probe_resp(hdr->frame_control) ||
-                    ieee80211_is_beacon(hdr->frame_control))
+                    ieee80211_is_beacon(hdr->frame_control) ||
+                    ieee80211_is_auth(hdr->frame_control))
                        return RX_CONTINUE;
                return RX_DROP_MONITOR;
@@ -650,7 +657,7 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
 set_release_timer:
                mod_timer(&tid_agg_rx->reorder_timer,
-                          tid_agg_rx->reorder_time[j] +
+                          tid_agg_rx->reorder_time[j] + 1 +
                          HT_RX_REORDER_BUF_TIMEOUT);
        } else {
                del_timer(&tid_agg_rx->reorder_timer);
@@ -707,6 +714,8 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
        /*
         * If the current MPDU is in the right order and nothing else
         * is stored we can process it directly, no need to buffer it.
+         * If it is first but there's something stored, we may be able
+         * to release frames after this one.
         */
        if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
            tid_agg_rx->stored_mpdu_num == 0) {
@@ -1583,7 +1592,7 @@ ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
 }
 static int
-__ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
+__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
 {
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
@@ -1591,6 +1600,7 @@ __ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
        struct ethhdr *ehdr;
        int ret;
+        *port_control = false;
        if (ieee80211_has_a4(hdr->frame_control) &&
            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
                return -1;
@@ -1609,11 +1619,13 @@ __ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
                return -1;
        ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
-        if (ret < 0 || !check_port_control)
+        if (ret < 0)
                return ret;
        ehdr = (struct ethhdr *) rx->skb->data;
-        if (ehdr->h_proto != rx->sdata->control_port_protocol)
+        if (ehdr->h_proto == rx->sdata->control_port_protocol)
+                *port_control = true;
+        else if (check_port_control)
                return -1;
        return 0;
@@ -1771,7 +1783,7 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
        ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
                                 rx->sdata->vif.type,
-                                 rx->local->hw.extra_tx_headroom);
+                                 rx->local->hw.extra_tx_headroom, true);
        while (!skb_queue_empty(&frame_list)) {
                rx->skb = __skb_dequeue(&frame_list);
@@ -1914,6 +1926,7 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
        struct net_device *dev = sdata->dev;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        __le16 fc = hdr->frame_control;
+        bool port_control;
        int err;
        if (unlikely(!ieee80211_is_data(hdr->frame_control)))
@@ -1930,13 +1943,21 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
            sdata->vif.type == NL80211_IFTYPE_AP)
                return RX_DROP_MONITOR;
-        err = __ieee80211_data_to_8023(rx);
+        err = __ieee80211_data_to_8023(rx, &port_control);
        if (unlikely(err))
                return RX_DROP_UNUSABLE;
        if (!ieee80211_frame_allowed(rx, fc))
                return RX_DROP_MONITOR;
+        if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
+            unlikely(port_control) && sdata->bss) {
+                sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
+                                     u.ap);
+                dev = sdata->dev;
+                rx->sdata = sdata;
+        }
        rx->skb->dev = dev;
        dev->stats.rx_packets++;
@@ -2189,7 +2210,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        goto handled;
                }
                break;
-        case WLAN_CATEGORY_MESH_PLINK:
+        case WLAN_CATEGORY_MESH_ACTION:
                if (!ieee80211_vif_is_mesh(&sdata->vif))
                        break;
                goto queue;
@@ -2352,47 +2373,6 @@ ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
        return RX_QUEUED;
 }
-static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr,
-                                            struct ieee80211_rx_data *rx)
-{
-        int keyidx;
-        unsigned int hdrlen;
-        hdrlen = ieee80211_hdrlen(hdr->frame_control);
-        if (rx->skb->len >= hdrlen + 4)
-                keyidx = rx->skb->data[hdrlen + 3] >> 6;
-        else
-                keyidx = -1;
-        if (!rx->sta) {
-                /*
-                 * Some hardware seem to generate incorrect Michael MIC
-                 * reports; ignore them to avoid triggering countermeasures.
-                 */
-                return;
-        }
-        if (!ieee80211_has_protected(hdr->frame_control))
-                return;
-        if (rx->sdata->vif.type == NL80211_IFTYPE_AP && keyidx) {
-                /*
-                 * APs with pairwise keys should never receive Michael MIC
-                 * errors for non-zero keyidx because these are reserved for
-                 * group keys and only the AP is sending real multicast
-                 * frames in the BSS.
-                 */
-                return;
-        }
-        if (!ieee80211_is_data(hdr->frame_control) &&
-            !ieee80211_is_auth(hdr->frame_control))
-                return;
-        mac80211_ev_michael_mic_failure(rx->sdata, keyidx, hdr, NULL,
-                                        GFP_ATOMIC);
-}
 /* TODO: use IEEE80211_RX_FRAGMENTED */
 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
                                        struct ieee80211_rate *rate)
@@ -2736,12 +2716,6 @@ static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
        if (!prepares)
                return false;
-        if (status->flag & RX_FLAG_MMIC_ERROR) {
-                if (status->rx_flags & IEEE80211_RX_RA_MATCH)
-                        ieee80211_rx_michael_mic_report(hdr, rx);
-                return false;
-        }
        if (!consume) {
                skb = skb_copy(skb, GFP_ATOMIC);
                if (!skb) {
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 489b6ad200d4..669d2e32efb6 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -170,7 +170,7 @@ ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
                return RX_CONTINUE;
        if (skb->len < 24)
-                return RX_DROP_MONITOR;
+                return RX_CONTINUE;
        presp = ieee80211_is_probe_resp(fc);
        if (presp) {
@@ -718,6 +718,11 @@ void ieee80211_scan_work(struct work_struct *work)
         * without scheduling a new work
         */
        do {
+                if (!ieee80211_sdata_running(sdata)) {
+                        aborted = true;
+                        goto out_complete;
+                }
                switch (local->next_scan_state) {
                case SCAN_DECISION:
                        /* if no more bands/channels left, complete scan */
@@ -850,3 +855,123 @@ void ieee80211_scan_cancel(struct ieee80211_local *local)
        }
        mutex_unlock(&local->mtx);
 }
+int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
+                                       struct cfg80211_sched_scan_request *req)
+{
+        struct ieee80211_local *local = sdata->local;
+        int ret, i;
+        mutex_lock(&sdata->local->mtx);
+        if (local->sched_scanning) {
+                ret = -EBUSY;
+                goto out;
+        }
+        if (!local->ops->sched_scan_start) {
+                ret = -ENOTSUPP;
+                goto out;
+        }
+        for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
+                local->sched_scan_ies.ie[i] = kzalloc(2 +
+                                                      IEEE80211_MAX_SSID_LEN +
+                                                      local->scan_ies_len +
+                                                      req->ie_len,
+                                                      GFP_KERNEL);
+                if (!local->sched_scan_ies.ie[i]) {
+                        ret = -ENOMEM;
+                        goto out_free;
+                }
+                local->sched_scan_ies.len[i] =
+                        ieee80211_build_preq_ies(local,
+                                                 local->sched_scan_ies.ie[i],
+                                                 req->ie, req->ie_len, i,
+                                                 (u32) -1, 0);
+        }
+        ret = drv_sched_scan_start(local, sdata, req,
+                                   &local->sched_scan_ies);
+        if (ret == 0) {
+                local->sched_scanning = true;
+                goto out;
+        }
+out_free:
+        while (i > 0)
+                kfree(local->sched_scan_ies.ie[--i]);
+out:
+        mutex_unlock(&sdata->local->mtx);
+        return ret;
+}
+int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        int ret = 0, i;
+        mutex_lock(&sdata->local->mtx);
+        if (!local->ops->sched_scan_stop) {
+                ret = -ENOTSUPP;
+                goto out;
+        }
+        if (local->sched_scanning) {
+                for (i = 0; i < IEEE80211_NUM_BANDS; i++)
+                        kfree(local->sched_scan_ies.ie[i]);
+                drv_sched_scan_stop(local, sdata);
+                local->sched_scanning = false;
+        }
+out:
+        mutex_unlock(&sdata->local->mtx);
+        return ret;
+}
+void ieee80211_sched_scan_results(struct ieee80211_hw *hw)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+        trace_api_sched_scan_results(local);
+        cfg80211_sched_scan_results(hw->wiphy);
+}
+EXPORT_SYMBOL(ieee80211_sched_scan_results);
+void ieee80211_sched_scan_stopped_work(struct work_struct *work)
+{
+        struct ieee80211_local *local =
+                container_of(work, struct ieee80211_local,
+                             sched_scan_stopped_work);
+        int i;
+        mutex_lock(&local->mtx);
+        if (!local->sched_scanning) {
+                mutex_unlock(&local->mtx);
+                return;
+        }
+        for (i = 0; i < IEEE80211_NUM_BANDS; i++)
+                kfree(local->sched_scan_ies.ie[i]);
+        local->sched_scanning = false;
+        mutex_unlock(&local->mtx);
+        cfg80211_sched_scan_stopped(local->hw.wiphy);
+}
+void ieee80211_sched_scan_stopped(struct ieee80211_hw *hw)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+        trace_api_sched_scan_stopped(local);
+        ieee80211_queue_work(&local->hw, &local->sched_scan_stopped_work);
+}
+EXPORT_SYMBOL(ieee80211_sched_scan_stopped);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 13e8c30adf01..b83870bf60fa 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -67,7 +67,8 @@ static int sta_info_hash_del(struct ieee80211_local *local,
 {
        struct sta_info *s;
-        s = local->sta_hash[STA_HASH(sta->sta.addr)];
+        s = rcu_dereference_protected(local->sta_hash[STA_HASH(sta->sta.addr)],
+                                      lockdep_is_held(&local->sta_lock));
        if (!s)
                return -ENOENT;
        if (s == sta) {
@@ -76,9 +77,11 @@ static int sta_info_hash_del(struct ieee80211_local *local,
                return 0;
        }
-        while (s->hnext && s->hnext != sta)
+        while (rcu_access_pointer(s->hnext) &&
-                s = s->hnext;
+               rcu_access_pointer(s->hnext) != sta)
-        if (s->hnext) {
+                s = rcu_dereference_protected(s->hnext,
+                                        lockdep_is_held(&local->sta_lock));
+        if (rcu_access_pointer(s->hnext)) {
                rcu_assign_pointer(s->hnext, sta->hnext);
                return 0;
        }
@@ -228,6 +231,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_local *local = sdata->local;
        struct sta_info *sta;
+        struct timespec uptime;
        int i;
        sta = kzalloc(sizeof(*sta) + local->hw.sta_data_size, gfp);
@@ -245,6 +249,8 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
        sta->sdata = sdata;
        sta->last_rx = jiffies;
+        do_posix_clock_monotonic_gettime(&uptime);
+        sta->last_connected = uptime.tv_sec;
        ewma_init(&sta->avg_signal, 1024, 8);
        if (sta_prepare_rate_control(local, sta, gfp)) {
@@ -271,7 +277,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
 #endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
 #ifdef CONFIG_MAC80211_MESH
-        sta->plink_state = PLINK_LISTEN;
+        sta->plink_state = NL80211_PLINK_LISTEN;
        init_timer(&sta->plink_timer);
 #endif
@@ -584,7 +590,6 @@ static bool sta_info_cleanup_expire_buffered(struct ieee80211_local *local,
 {
        unsigned long flags;
        struct sk_buff *skb;
-        struct ieee80211_sub_if_data *sdata;
        if (skb_queue_empty(&sta->ps_tx_buf))
                return false;
@@ -601,7 +606,6 @@ static bool sta_info_cleanup_expire_buffered(struct ieee80211_local *local,
                if (!skb)
                        break;
-                sdata = sta->sdata;
                local->total_ps_buffered--;
 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
                printk(KERN_DEBUG "Buffered frame expired (STA %pM)\n",
@@ -609,7 +613,8 @@ static bool sta_info_cleanup_expire_buffered(struct ieee80211_local *local,
 #endif
                dev_kfree_skb(skb);
-                if (skb_queue_empty(&sta->ps_tx_buf))
+                if (skb_queue_empty(&sta->ps_tx_buf) &&
+                    !test_sta_flags(sta, WLAN_STA_PS_DRIVER_BUF))
                        sta_info_clear_tim_bit(sta);
        }
@@ -650,10 +655,12 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
        if (ret)
                return ret;
+        mutex_lock(&local->key_mtx);
        for (i = 0; i < NUM_DEFAULT_KEYS; i++)
-                ieee80211_key_free(local, sta->gtk[i]);
+                __ieee80211_key_free(key_mtx_dereference(local, sta->gtk[i]));
        if (sta->ptk)
-                ieee80211_key_free(local, sta->ptk);
+                __ieee80211_key_free(key_mtx_dereference(local, sta->ptk));
+        mutex_unlock(&local->key_mtx);
        sta->dead = true;
@@ -698,6 +705,8 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
 #endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
        cancel_work_sync(&sta->drv_unblock_wk);
+        cfg80211_del_sta(sdata->dev, sta->sta.addr, GFP_KERNEL);
        rate_control_remove_sta_debugfs(sta);
        ieee80211_sta_debugfs_remove(sta);
@@ -766,9 +775,8 @@ static void sta_info_cleanup(unsigned long data)
        if (!timer_needed)
                return;
-        local->sta_cleanup.expires =
+        mod_timer(&local->sta_cleanup,
-                round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
+                  round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL));
-        add_timer(&local->sta_cleanup);
 }
 void sta_info_init(struct ieee80211_local *local)
@@ -781,14 +789,6 @@ void sta_info_init(struct ieee80211_local *local)
        setup_timer(&local->sta_cleanup, sta_info_cleanup,
                    (unsigned long)local);
-        local->sta_cleanup.expires =
-                round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
-}
-int sta_info_start(struct ieee80211_local *local)
-{
-        add_timer(&local->sta_cleanup);
-        return 0;
 }
 void sta_info_stop(struct ieee80211_local *local)
@@ -900,6 +900,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
        struct ieee80211_local *local = sdata->local;
        int sent, buffered;
+        clear_sta_flags(sta, WLAN_STA_PS_DRIVER_BUF);
        if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
                drv_sta_notify(local, sdata, STA_NOTIFY_AWAKE, &sta->sta);
@@ -992,3 +993,12 @@ void ieee80211_sta_block_awake(struct ieee80211_hw *hw,
                ieee80211_queue_work(hw, &sta->drv_unblock_wk);
 }
 EXPORT_SYMBOL(ieee80211_sta_block_awake);
+void ieee80211_sta_set_tim(struct ieee80211_sta *pubsta)
+{
+        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
+        set_sta_flags(sta, WLAN_STA_PS_DRIVER_BUF);
+        sta_info_set_tim_bit(sta);
+}
+EXPORT_SYMBOL(ieee80211_sta_set_tim);
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index b2f95966c7f4..c6ae8718bd57 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -43,6 +43,8 @@
 *      be in the queues
 * @WLAN_STA_PSPOLL: Station sent PS-poll while driver was keeping
 *      station in power-save mode, reply when the driver unblocks.
+ * @WLAN_STA_PS_DRIVER_BUF: Station has frames pending in driver internal
+ *      buffers. Automatically cleared on station wake-up.
 */
 enum ieee80211_sta_info_flags {
        WLAN_STA_AUTH           = 1<<0,
@@ -58,6 +60,7 @@ enum ieee80211_sta_info_flags {
        WLAN_STA_BLOCK_BA       = 1<<11,
        WLAN_STA_PS_DRIVER      = 1<<12,
        WLAN_STA_PSPOLL         = 1<<13,
+        WLAN_STA_PS_DRIVER_BUF  = 1<<14,
 };
 #define STA_TID_NUM 16
@@ -149,6 +152,7 @@ struct tid_ampdu_rx {
 *
 * @tid_rx: aggregation info for Rx per TID -- RCU protected
 * @tid_tx: aggregation info for Tx per TID
+ * @tid_start_tx: sessions where start was requested
 * @addba_req_num: number of times addBA request has been sent.
 * @dialog_token_allocator: dialog token enumerator for each new session;
 * @work: work struct for starting/stopping aggregation
@@ -160,40 +164,18 @@ struct tid_ampdu_rx {
 struct sta_ampdu_mlme {
        struct mutex mtx;
        /* rx */
-        struct tid_ampdu_rx *tid_rx[STA_TID_NUM];
+        struct tid_ampdu_rx __rcu *tid_rx[STA_TID_NUM];
        unsigned long tid_rx_timer_expired[BITS_TO_LONGS(STA_TID_NUM)];
        /* tx */
        struct work_struct work;
-        struct tid_ampdu_tx *tid_tx[STA_TID_NUM];
+        struct tid_ampdu_tx __rcu *tid_tx[STA_TID_NUM];
+        struct tid_ampdu_tx *tid_start_tx[STA_TID_NUM];
        u8 addba_req_num[STA_TID_NUM];
        u8 dialog_token_allocator;
 };
 /**
- * enum plink_state - state of a mesh peer link finite state machine
- *
- * @PLINK_LISTEN: initial state, considered the implicit state of non existent
- *      mesh peer links
- * @PLINK_OPN_SNT: mesh plink open frame has been sent to this mesh peer
- * @PLINK_OPN_RCVD: mesh plink open frame has been received from this mesh peer
- * @PLINK_CNF_RCVD: mesh plink confirm frame has been received from this mesh
- *      peer
- * @PLINK_ESTAB: mesh peer link is established
- * @PLINK_HOLDING: mesh peer link is being closed or cancelled
- * @PLINK_BLOCKED: all frames transmitted from this mesh plink are discarded
- */
-enum plink_state {
-        PLINK_LISTEN,
-        PLINK_OPN_SNT,
-        PLINK_OPN_RCVD,
-        PLINK_CNF_RCVD,
-        PLINK_ESTAB,
-        PLINK_HOLDING,
-        PLINK_BLOCKED
-};
-/**
 * struct sta_info - STA information
 *
 * This structure collects information about a station that
@@ -226,6 +208,7 @@ enum plink_state {
 * @rx_bytes: Number of bytes received from this STA
 * @wep_weak_iv_count: number of weak WEP IVs received from this station
 * @last_rx: time (in jiffies) when last frame was received from this STA
+ * @last_connected: time (in seconds) when a station got connected
 * @num_duplicates: number of duplicate frames received from this STA
 * @rx_fragments: number of received MPDUs
 * @rx_dropped: number of dropped MPDUs from this STA
@@ -260,11 +243,11 @@ enum plink_state {
 struct sta_info {
        /* General information, mostly static */
        struct list_head list;
-        struct sta_info *hnext;
+        struct sta_info __rcu *hnext;
        struct ieee80211_local *local;
        struct ieee80211_sub_if_data *sdata;
-        struct ieee80211_key *gtk[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
+        struct ieee80211_key __rcu *gtk[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
-        struct ieee80211_key *ptk;
+        struct ieee80211_key __rcu *ptk;
        struct rate_control_ref *rate_ctrl;
        void *rate_ctrl_priv;
        spinlock_t lock;
@@ -295,6 +278,7 @@ struct sta_info {
        unsigned long rx_packets, rx_bytes;
        unsigned long wep_weak_iv_count;
        unsigned long last_rx;
+        long last_connected;
        unsigned long num_duplicates;
        unsigned long rx_fragments;
        unsigned long rx_dropped;
@@ -334,7 +318,7 @@ struct sta_info {
        u8 plink_retries;
        bool ignore_plink_timer;
        bool plink_timer_was_running;
-        enum plink_state plink_state;
+        enum nl80211_plink_state plink_state;
        u32 plink_timeout;
        struct timer_list plink_timer;
 #endif
@@ -352,12 +336,12 @@ struct sta_info {
        struct ieee80211_sta sta;
 };
-static inline enum plink_state sta_plink_state(struct sta_info *sta)
+static inline enum nl80211_plink_state sta_plink_state(struct sta_info *sta)
 {
 #ifdef CONFIG_MAC80211_MESH
        return sta->plink_state;
 #endif
-        return PLINK_LISTEN;
+        return NL80211_PLINK_LISTEN;
 }
 static inline void set_sta_flags(struct sta_info *sta, const u32 flags)
@@ -416,7 +400,16 @@ static inline u32 get_sta_flags(struct sta_info *sta)
        return ret;
 }
+void ieee80211_assign_tid_tx(struct sta_info *sta, int tid,
+                             struct tid_ampdu_tx *tid_tx);
+static inline struct tid_ampdu_tx *
+rcu_dereference_protected_tid_tx(struct sta_info *sta, int tid)
+{
+        return rcu_dereference_protected(sta->ampdu_mlme.tid_tx[tid],
+                                         lockdep_is_held(&sta->lock) ||
+                                         lockdep_is_held(&sta->ampdu_mlme.mtx));
+}
 #define STA_HASH_SIZE 256
 #define STA_HASH(sta) (sta[5])
@@ -497,7 +490,6 @@ void sta_info_set_tim_bit(struct sta_info *sta);
 void sta_info_clear_tim_bit(struct sta_info *sta);
 void sta_info_init(struct ieee80211_local *local);
-int sta_info_start(struct ieee80211_local *local);
 void sta_info_stop(struct ieee80211_local *local);
 int sta_info_flush(struct ieee80211_local *local,
                   struct ieee80211_sub_if_data *sdata);
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index b936dd29e92b..1658efaa2e8e 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -189,16 +189,19 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
        bool acked;
        for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
-                /* the HW cannot have attempted that rate */
+                if (info->status.rates[i].idx < 0) {
-                if (i >= hw->max_report_rates) {
+                        break;
+                } else if (i >= hw->max_report_rates) {
+                        /* the HW cannot have attempted that rate */
                        info->status.rates[i].idx = -1;
                        info->status.rates[i].count = 0;
-                } else if (info->status.rates[i].idx >= 0) {
+                        break;
-                        rates_idx = i;
                }
                retry_count += info->status.rates[i].count;
        }
+        rates_idx = i - 1;
        if (retry_count < 0)
                retry_count = 0;
@@ -443,3 +446,11 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
        dev_kfree_skb(skb);
 }
 EXPORT_SYMBOL(ieee80211_tx_status);
+void ieee80211_report_low_ack(struct ieee80211_sta *pubsta, u32 num_packets)
+{
+        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
+        cfg80211_cqm_pktloss_notify(sta->sdata->dev, sta->sta.addr,
+                                    num_packets, GFP_ATOMIC);
+}
+EXPORT_SYMBOL(ieee80211_report_low_ack);
diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c
index e840c9cd46db..757e4eb2baf7 100644
--- a/net/mac80211/tkip.c
+++ b/net/mac80211/tkip.c
@@ -202,7 +202,7 @@ EXPORT_SYMBOL(ieee80211_get_tkip_key);
 * @payload_len is the length of payload (_not_ including IV/ICV length).
 * @ta is the transmitter addresses.
 */
-int ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
                                struct ieee80211_key *key,
                                u8 *pos, size_t payload_len, u8 *ta)
 {
@@ -223,7 +223,7 @@ int ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
 * beginning of the buffer containing IEEE 802.11 header payload, i.e.,
 * including IV, Ext. IV, real data, Michael MIC, ICV. @payload_len is the
 * length of payload, including IV, Ext. IV, MIC, ICV.  */
-int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_decrypt_data(struct crypto_cipher *tfm,
                                struct ieee80211_key *key,
                                u8 *payload, size_t payload_len, u8 *ta,
                                u8 *ra, int only_iv, int queue,
diff --git a/net/mac80211/tkip.h b/net/mac80211/tkip.h
index 7e83dee976fa..1cab9c86978f 100644
--- a/net/mac80211/tkip.h
+++ b/net/mac80211/tkip.h
@@ -15,7 +15,7 @@
 u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16);
-int ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
                                 struct ieee80211_key *key,
                                 u8 *pos, size_t payload_len, u8 *ta);
 enum {
@@ -24,7 +24,7 @@ enum {
        TKIP_DECRYPT_INVALID_KEYIDX = -2,
        TKIP_DECRYPT_REPLAY = -3,
 };
-int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_decrypt_data(struct crypto_cipher *tfm,
                                struct ieee80211_key *key,
                                u8 *payload, size_t payload_len, u8 *ta,
                                u8 *ra, int only_iv, int queue,
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index bd1224fd216a..3104c844b544 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1040,14 +1040,11 @@ static bool __ieee80211_parse_tx_radiotap(struct ieee80211_tx_data *tx,
        struct ieee80211_radiotap_iterator iterator;
        struct ieee80211_radiotap_header *rthdr =
                (struct ieee80211_radiotap_header *) skb->data;
-        struct ieee80211_supported_band *sband;
        bool hw_frag;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        int ret = ieee80211_radiotap_iterator_init(&iterator, rthdr, skb->len,
                                                   NULL);
-        sband = tx->local->hw.wiphy->bands[tx->channel->band];
        info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
        tx->flags &= ~IEEE80211_TX_FRAGMENTED;
@@ -1154,7 +1151,7 @@ static bool ieee80211_tx_prep_agg(struct ieee80211_tx_data *tx,
                 *     packet pass through because splicing the frames
                 *     back is already done.
                 */
-                tid_tx = tx->sta->ampdu_mlme.tid_tx[tid];
+                tid_tx = rcu_dereference_protected_tid_tx(tx->sta, tid);
                if (!tid_tx) {
                        /* do nothing, let packet pass through */
@@ -1446,11 +1443,8 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
        struct ieee80211_tx_data tx;
        ieee80211_tx_result res_prepare;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-        u16 queue;
        bool result = true;
-        queue = skb_get_queue_mapping(skb);
        if (unlikely(skb->len < 10)) {
                dev_kfree_skb(skb);
                return true;
@@ -1766,6 +1760,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                        ret = NETDEV_TX_OK;
                        goto fail;
                }
+                rcu_read_lock();
                if (!is_multicast_ether_addr(skb->data))
                        mppath = mpp_path_lookup(skb->data, sdata);
@@ -1780,13 +1775,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                    !(mppath && compare_ether_addr(mppath->mpp, skb->data))) {
                        hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc,
                                        skb->data, skb->data + ETH_ALEN);
+                        rcu_read_unlock();
                        meshhdrlen = ieee80211_new_mesh_header(&mesh_hdr,
                                        sdata, NULL, NULL);
                } else {
                        int is_mesh_mcast = 1;
                        const u8 *mesh_da;
-                        rcu_read_lock();
                        if (is_multicast_ether_addr(skb->data))
                                /* DA TA mSA AE:SA */
                                mesh_da = skb->data;
@@ -2266,7 +2261,7 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
                /* headroom, head length, tail length and maximum TIM length */
                skb = dev_alloc_skb(local->tx_headroom + 400 +
-                                sdata->u.mesh.vendor_ie_len);
+                                sdata->u.mesh.ie_len);
                if (!skb)
                        goto out;
@@ -2489,7 +2484,6 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
 {
        struct ieee80211_local *local = hw_to_local(hw);
        struct sk_buff *skb = NULL;
-        struct sta_info *sta;
        struct ieee80211_tx_data tx;
        struct ieee80211_sub_if_data *sdata;
        struct ieee80211_if_ap *bss = NULL;
@@ -2531,7 +2525,6 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
        info = IEEE80211_SKB_CB(skb);
-        sta = tx.sta;
        tx.flags |= IEEE80211_TX_PS_BUFFERED;
        tx.channel = local->hw.conf.channel;
        info->band = tx.channel->band;
@@ -2551,8 +2544,9 @@ void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
        skb_set_network_header(skb, 0);
        skb_set_transport_header(skb, 0);
-        /* send all internal mgmt frames on VO */
+        /* Send all internal mgmt frames on VO. Accordingly set TID to 7. */
-        skb_set_queue_mapping(skb, 0);
+        skb_set_queue_mapping(skb, IEEE80211_AC_VO);
+        skb->priority = 7;
        /*
         * The other path calling ieee80211_xmit is from the tasklet,
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 556647a910ac..d3fe2d237485 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1125,9 +1125,27 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        struct sta_info *sta;
        int res;
+#ifdef CONFIG_PM
        if (local->suspended)
                local->resuming = true;
+        if (local->wowlan) {
+                local->wowlan = false;
+                res = drv_resume(local);
+                if (res < 0) {
+                        local->resuming = false;
+                        return res;
+                }
+                if (res == 0)
+                        goto wake_up;
+                WARN_ON(res > 1);
+                /*
+                 * res is 1, which means the driver requested
+                 * to go through a regular reset on wakeup.
+                 */
+        }
+#endif
        /* restart hardware */
        if (local->open_count) {
                /*
@@ -1258,6 +1276,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                if (ieee80211_sdata_running(sdata))
                        ieee80211_enable_keys(sdata);
+ wake_up:
        ieee80211_wake_queues_by_reason(hw,
                        IEEE80211_QUEUE_STOP_REASON_SUSPEND);
@@ -1290,7 +1309,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                }
        }
-        add_timer(&local->sta_cleanup);
+        mod_timer(&local->sta_cleanup, jiffies + 1);
        mutex_lock(&local->sta_mtx);
        list_for_each_entry(sta, &local->sta_list, list)
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c
index 2ff6d1e3ed21..a1c6bfd55f0f 100644
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -30,17 +30,15 @@ int ieee80211_wep_init(struct ieee80211_local *local)
        /* start WEP IV from a random value */
        get_random_bytes(&local->wep_iv, WEP_IV_LEN);
-        local->wep_tx_tfm = crypto_alloc_blkcipher("ecb(arc4)", 0,
+        local->wep_tx_tfm = crypto_alloc_cipher("arc4", 0, CRYPTO_ALG_ASYNC);
-                                                CRYPTO_ALG_ASYNC);
        if (IS_ERR(local->wep_tx_tfm)) {
                local->wep_rx_tfm = ERR_PTR(-EINVAL);
                return PTR_ERR(local->wep_tx_tfm);
        }
-        local->wep_rx_tfm = crypto_alloc_blkcipher("ecb(arc4)", 0,
+        local->wep_rx_tfm = crypto_alloc_cipher("arc4", 0, CRYPTO_ALG_ASYNC);
-                                                CRYPTO_ALG_ASYNC);
        if (IS_ERR(local->wep_rx_tfm)) {
-                crypto_free_blkcipher(local->wep_tx_tfm);
+                crypto_free_cipher(local->wep_tx_tfm);
                local->wep_tx_tfm = ERR_PTR(-EINVAL);
                return PTR_ERR(local->wep_rx_tfm);
        }
@@ -51,9 +49,9 @@ int ieee80211_wep_init(struct ieee80211_local *local)
 void ieee80211_wep_free(struct ieee80211_local *local)
 {
        if (!IS_ERR(local->wep_tx_tfm))
-                crypto_free_blkcipher(local->wep_tx_tfm);
+                crypto_free_cipher(local->wep_tx_tfm);
        if (!IS_ERR(local->wep_rx_tfm))
-                crypto_free_blkcipher(local->wep_rx_tfm);
+                crypto_free_cipher(local->wep_rx_tfm);
 }
 static inline bool ieee80211_wep_weak_iv(u32 iv, int keylen)
@@ -127,12 +125,11 @@ static void ieee80211_wep_remove_iv(struct ieee80211_local *local,
 /* Perform WEP encryption using given key. data buffer must have tailroom
 * for 4-byte ICV. data_len must not include this ICV. Note: this function
 * does _not_ add IV. data = RC4(data | CRC32(data)) */
-int ieee80211_wep_encrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_encrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                               size_t klen, u8 *data, size_t data_len)
 {
-        struct blkcipher_desc desc = { .tfm = tfm };
-        struct scatterlist sg;
        __le32 icv;
+        int i;
        if (IS_ERR(tfm))
                return -1;
@@ -140,9 +137,9 @@ int ieee80211_wep_encrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
        icv = cpu_to_le32(~crc32_le(~0, data, data_len));
        put_unaligned(icv, (__le32 *)(data + data_len));
-        crypto_blkcipher_setkey(tfm, rc4key, klen);
+        crypto_cipher_setkey(tfm, rc4key, klen);
-        sg_init_one(&sg, data, data_len + WEP_ICV_LEN);
+        for (i = 0; i < data_len + WEP_ICV_LEN; i++)
-        crypto_blkcipher_encrypt(&desc, &sg, &sg, sg.length);
+                crypto_cipher_encrypt_one(tfm, data + i, data + i);
        return 0;
 }
@@ -186,19 +183,18 @@ int ieee80211_wep_encrypt(struct ieee80211_local *local,
 /* Perform WEP decryption using given key. data buffer includes encrypted
 * payload, including 4-byte ICV, but _not_ IV. data_len must not include ICV.
 * Return 0 on success and -1 on ICV mismatch. */
-int ieee80211_wep_decrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_decrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                               size_t klen, u8 *data, size_t data_len)
 {
-        struct blkcipher_desc desc = { .tfm = tfm };
-        struct scatterlist sg;
        __le32 crc;
+        int i;
        if (IS_ERR(tfm))
                return -1;
-        crypto_blkcipher_setkey(tfm, rc4key, klen);
+        crypto_cipher_setkey(tfm, rc4key, klen);
-        sg_init_one(&sg, data, data_len + WEP_ICV_LEN);
+        for (i = 0; i < data_len + WEP_ICV_LEN; i++)
-        crypto_blkcipher_decrypt(&desc, &sg, &sg, sg.length);
+                crypto_cipher_decrypt_one(tfm, data + i, data + i);
        crc = cpu_to_le32(~crc32_le(~0, data, data_len));
        if (memcmp(&crc, data + data_len, WEP_ICV_LEN) != 0)
diff --git a/net/mac80211/wep.h b/net/mac80211/wep.h
index 58654ee33518..01e54840a628 100644
--- a/net/mac80211/wep.h
+++ b/net/mac80211/wep.h
@@ -18,12 +18,12 @@
 int ieee80211_wep_init(struct ieee80211_local *local);
 void ieee80211_wep_free(struct ieee80211_local *local);
-int ieee80211_wep_encrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_encrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                                size_t klen, u8 *data, size_t data_len);
 int ieee80211_wep_encrypt(struct ieee80211_local *local,
                          struct sk_buff *skb,
                          const u8 *key, int keylen, int keyidx);
-int ieee80211_wep_decrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_decrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                               size_t klen, u8 *data, size_t data_len);
 bool ieee80211_wep_is_weak_iv(struct sk_buff *skb, struct ieee80211_key *key);
diff --git a/net/mac80211/work.c b/net/mac80211/work.c
index e73c8cae036b..d2e7f0e86677 100644
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -65,17 +65,9 @@ static void run_again(struct ieee80211_local *local,
                mod_timer(&local->work_timer, timeout);
 }
-static void work_free_rcu(struct rcu_head *head)
-{
-        struct ieee80211_work *wk =
-                container_of(head, struct ieee80211_work, rcu_head);
-        kfree(wk);
-}
 void free_work(struct ieee80211_work *wk)
 {
-        call_rcu(&wk->rcu_head, work_free_rcu);
+        kfree_rcu(wk, rcu_head);
 }
 static int ieee80211_compatible_rates(const u8 *supp_rates, int supp_rates_len,
@@ -198,9 +190,8 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata,
        struct sk_buff *skb;
        struct ieee80211_mgmt *mgmt;
        u8 *pos, qos_info;
-        const u8 *ies;
        size_t offset = 0, noffset;
-        int i, len, count, rates_len, supp_rates_len;
+        int i, count, rates_len, supp_rates_len;
        u16 capab;
        struct ieee80211_supported_band *sband;
        u32 rates = 0;
@@ -285,7 +276,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata,
        }
        /* SSID */
-        ies = pos = skb_put(skb, 2 + wk->assoc.ssid_len);
+        pos = skb_put(skb, 2 + wk->assoc.ssid_len);
        *pos++ = WLAN_EID_SSID;
        *pos++ = wk->assoc.ssid_len;
        memcpy(pos, wk->assoc.ssid, wk->assoc.ssid_len);
@@ -295,7 +286,6 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata,
        if (supp_rates_len > 8)
                supp_rates_len = 8;
-        len = sband->n_bitrates;
        pos = skb_put(skb, supp_rates_len + 2);
        *pos++ = WLAN_EID_SUPP_RATES;
        *pos++ = supp_rates_len;
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index f1765de2f4bf..8f6a302d2ac3 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -86,43 +86,88 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+        int queue = rx->queue;
+        /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
+        if (rx->queue == NUM_RX_DATA_QUEUES - 1)
+                queue = 0;
+        /*
+         * it makes no sense to check for MIC errors on anything other
+         * than data frames.
+         */
+        if (!ieee80211_is_data_present(hdr->frame_control))
+                return RX_CONTINUE;
+        /*
+         * No way to verify the MIC if the hardware stripped it or
+         * the IV with the key index. In this case we have solely rely
+         * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
+         * MIC failure report.
+         */
+        if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
+                if (status->flag & RX_FLAG_MMIC_ERROR)
+                        goto mic_fail;
+                if (!(status->flag & RX_FLAG_IV_STRIPPED))
+                        goto update_iv;
-        /* No way to verify the MIC if the hardware stripped it */
-        if (status->flag & RX_FLAG_MMIC_STRIPPED)
                return RX_CONTINUE;
+        }
+        /*
+         * Some hardware seems to generate Michael MIC failure reports; even
+         * though, the frame was not encrypted with TKIP and therefore has no
+         * MIC. Ignore the flag them to avoid triggering countermeasures.
+         */
        if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
-            !ieee80211_has_protected(hdr->frame_control) ||
+            !(status->flag & RX_FLAG_DECRYPTED))
-            !ieee80211_is_data_present(hdr->frame_control))
                return RX_CONTINUE;
+        if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
+                /*
+                 * APs with pairwise keys should never receive Michael MIC
+                 * errors for non-zero keyidx because these are reserved for
+                 * group keys and only the AP is sending real multicast
+                 * frames in the BSS. (
+                 */
+                return RX_DROP_UNUSABLE;
+        }
+        if (status->flag & RX_FLAG_MMIC_ERROR)
+                goto mic_fail;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
        if (skb->len < hdrlen + MICHAEL_MIC_LEN)
                return RX_DROP_UNUSABLE;
        data = skb->data + hdrlen;
        data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
        key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
        michael_mic(key, hdr, data, data_len, mic);
-        if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0) {
+        if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
-                if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
+                goto mic_fail;
-                        return RX_DROP_UNUSABLE;
-                mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
-                                                (void *) skb->data, NULL,
-                                                GFP_ATOMIC);
-                return RX_DROP_UNUSABLE;
-        }
        /* remove Michael MIC from payload */
        skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
+update_iv:
        /* update IV in key information to be able to detect replays */
-        rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32;
+        rx->key->u.tkip.rx[queue].iv32 = rx->tkip_iv32;
-        rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16;
+        rx->key->u.tkip.rx[queue].iv16 = rx->tkip_iv16;
        return RX_CONTINUE;
+mic_fail:
+        /*
+         * In some cases the key can be unset - e.g. a multicast packet, in
+         * a driver that supports HW encryption. Send up the key idx only if
+         * the key is set.
+         */
+        mac80211_ev_michael_mic_failure(rx->sdata,
+                                        rx->key ? rx->key->conf.keyidx : -1,
+                                        (void *) skb->data, NULL, GFP_ATOMIC);
+        return RX_DROP_UNUSABLE;
 }
@@ -201,6 +246,11 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
        struct ieee80211_key *key = rx->key;
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+        int queue = rx->queue;
+        /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
+        if (rx->queue == NUM_RX_DATA_QUEUES - 1)
+                queue = 0;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
@@ -221,7 +271,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
        res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
                                          key, skb->data + hdrlen,
                                          skb->len - hdrlen, rx->sta->sta.addr,
-                                          hdr->addr1, hwaccel, rx->queue,
+                                          hdr->addr1, hwaccel, queue,
                                          &rx->tkip_iv32,
                                          &rx->tkip_iv16);
        if (res != TKIP_DECRYPT_OK)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index a113ff066928..ba2d16607f48 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -293,7 +293,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
        for (; !before(ip_to, ip); ip += map->hosts) {
                id = ip_to_id(map, ip);
-                ret = adtfn(set, &id, timeout);;
+                ret = adtfn(set, &id, timeout);
                if (ret && !ip_set_eexist(ret, flags))
                        return ret;
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 72d1ac611fdc..42aa64b6b0b1 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -767,7 +767,7 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
        if (!attr[IPSET_ATTR_SETNAME]) {
                for (i = 0; i < ip_set_max; i++) {
                        if (ip_set_list[i] != NULL && ip_set_list[i]->ref) {
-                                ret = IPSET_ERR_BUSY;
+                                ret = -IPSET_ERR_BUSY;
                                goto out;
                        }
                }
@@ -815,7 +815,7 @@ ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
        ip_set_id_t i;
        if (unlikely(protocol_failed(attr)))
-                return -EPROTO;
+                return -IPSET_ERR_PROTOCOL;
        if (!attr[IPSET_ATTR_SETNAME]) {
                for (i = 0; i < ip_set_max; i++)
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
index 8d5227212686..757143b2240a 100644
--- a/net/netfilter/ipset/ip_set_getport.c
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -11,6 +11,7 @@
 #include <linux/skbuff.h>
 #include <linux/icmp.h>
 #include <linux/icmpv6.h>
+#include <linux/sctp.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
@@ -35,7 +36,20 @@ get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
                *port = src ? th->source : th->dest;
                break;
        }
-        case IPPROTO_UDP: {
+        case IPPROTO_SCTP: {
+                sctp_sctphdr_t _sh;
+                const sctp_sctphdr_t *sh;
+                sh = skb_header_pointer(skb, protooff, sizeof(_sh), &_sh);
+                if (sh == NULL)
+                        /* No choice either */
+                        return false;
+                *port = src ? sh->source : sh->dest;
+                break;
+        }
+        case IPPROTO_UDP:
+        case IPPROTO_UDPLITE: {
                struct udphdr _udph;
                const struct udphdr *uh;
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index b9214145d357..14281b6b8074 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -491,7 +491,7 @@ static struct ip_set_type hash_ipport_type __read_mostly = {
        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT,
        .dimension      = IPSET_DIM_TWO,
        .family         = AF_UNSPEC,
-        .revision       = 0,
+        .revision       = 1,
        .create         = hash_ipport_create,
        .create_policy  = {
                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 4642872df6e1..401c8a2531db 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -509,7 +509,7 @@ static struct ip_set_type hash_ipportip_type __read_mostly = {
        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
        .dimension      = IPSET_DIM_THREE,
        .family         = AF_UNSPEC,
-        .revision       = 0,
+        .revision       = 1,
        .create         = hash_ipportip_create,
        .create_policy  = {
                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 2cb84a54b7ad..565a7c5b8818 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -146,8 +146,9 @@ hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
 {
        const struct ip_set_hash *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
-        struct hash_ipportnet4_elem data =
+        struct hash_ipportnet4_elem data = {
-                { .cidr = h->nets[0].cidr || HOST_MASK };
+                .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
+        };
        if (data.cidr == 0)
                return -EINVAL;
@@ -394,8 +395,9 @@ hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
 {
        const struct ip_set_hash *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
-        struct hash_ipportnet6_elem data =
+        struct hash_ipportnet6_elem data = {
-                { .cidr = h->nets[0].cidr || HOST_MASK };
+                .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
+        };
        if (data.cidr == 0)
                return -EINVAL;
@@ -574,7 +576,7 @@ static struct ip_set_type hash_ipportnet_type __read_mostly = {
        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
        .dimension      = IPSET_DIM_THREE,
        .family         = AF_UNSPEC,
-        .revision       = 0,
+        .revision       = 1,
        .create         = hash_ipportnet_create,
        .create_policy  = {
                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index c4db202b7da4..2aeeabcd5a21 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -131,7 +131,9 @@ hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
 {
        const struct ip_set_hash *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
-        struct hash_net4_elem data = { .cidr = h->nets[0].cidr || HOST_MASK };
+        struct hash_net4_elem data = {
+                .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
+        };
        if (data.cidr == 0)
                return -EINVAL;
@@ -296,7 +298,9 @@ hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
 {
        const struct ip_set_hash *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
-        struct hash_net6_elem data = { .cidr = h->nets[0].cidr || HOST_MASK };
+        struct hash_net6_elem data = {
+                .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
+        };
        if (data.cidr == 0)
                return -EINVAL;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index 8598676f2a05..e50d9bb8820b 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -144,7 +144,8 @@ hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
        const struct ip_set_hash *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
        struct hash_netport4_elem data = {
-                .cidr = h->nets[0].cidr || HOST_MASK };
+                .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
+        };
        if (data.cidr == 0)
                return -EINVAL;
@@ -357,7 +358,8 @@ hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
        const struct ip_set_hash *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
        struct hash_netport6_elem data = {
-                .cidr = h->nets[0].cidr || HOST_MASK };
+                .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
+        };
        if (data.cidr == 0)
                return -EINVAL;
@@ -526,7 +528,7 @@ static struct ip_set_type hash_netport_type __read_mostly = {
        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT,
        .dimension      = IPSET_DIM_TWO,
        .family         = AF_UNSPEC,
-        .revision       = 0,
+        .revision       = 1,
        .create         = hash_netport_create,
        .create_policy  = {
                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index bf28ac2fc99b..782db275ac53 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -776,8 +776,16 @@ static void ip_vs_conn_expire(unsigned long data)
                if (cp->control)
                        ip_vs_control_del(cp);
-                if (cp->flags & IP_VS_CONN_F_NFCT)
+                if (cp->flags & IP_VS_CONN_F_NFCT) {
                        ip_vs_conn_drop_conntrack(cp);
+                        /* Do not access conntracks during subsys cleanup
+                         * because nf_conntrack_find_get can not be used after
+                         * conntrack cleanup for the net.
+                         */
+                        smp_rmb();
+                        if (ipvs->enable)
+                                ip_vs_conn_drop_conntrack(cp);
+                }
                ip_vs_pe_put(cp->pe);
                kfree(cp->pe_data);
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index a74dae6c5dbc..24c28d238dcb 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1382,15 +1382,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
        ip_vs_in_stats(cp, skb);
        if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
                offset += 2 * sizeof(__u16);
-        verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
+        verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum);
-        /* LOCALNODE from FORWARD hook is not supported */
-        if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
-            skb_rtable(skb)->rt_flags & RTCF_LOCAL) {
-                IP_VS_DBG(1, "%s(): "
-                          "local delivery to %pI4 but in FORWARD\n",
-                          __func__, &skb_rtable(skb)->rt_dst);
-                verdict = NF_DROP;
-        }
  out:
        __ip_vs_conn_put(cp);
@@ -1412,7 +1404,6 @@ ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
        struct ip_vs_protocol *pp;
        struct ip_vs_proto_data *pd;
        unsigned int offset, verdict;
-        struct rt6_info *rt;
        *related = 1;
@@ -1474,23 +1465,12 @@ ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
        if (!cp)
                return NF_ACCEPT;
-        verdict = NF_DROP;
        /* do the statistics and put it back */
        ip_vs_in_stats(cp, skb);
        if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr ||
            IPPROTO_SCTP == cih->nexthdr)
                offset += 2 * sizeof(__u16);
-        verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
+        verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset, hooknum);
-        /* LOCALNODE from FORWARD hook is not supported */
-        if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
-            (rt = (struct rt6_info *) skb_dst(skb)) &&
-            rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK) {
-                IP_VS_DBG(1, "%s(): "
-                          "local delivery to %pI6 but in FORWARD\n",
-                          __func__, &rt->rt6i_dst);
-                verdict = NF_DROP;
-        }
        __ip_vs_conn_put(cp);
@@ -1792,7 +1772,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET,
                .hooknum        = NF_INET_LOCAL_IN,
-                .priority       = 99,
+                .priority       = NF_IP_PRI_NAT_SRC - 2,
        },
        /* After packet filtering, forward packet through VS/DR, VS/TUN,
         * or VS/NAT(change destination), so that filtering rules can be
@@ -1802,7 +1782,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET,
                .hooknum        = NF_INET_LOCAL_IN,
-                .priority       = 101,
+                .priority       = NF_IP_PRI_NAT_SRC - 1,
        },
        /* Before ip_vs_in, change source only for VS/NAT */
        {
@@ -1810,7 +1790,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET,
                .hooknum        = NF_INET_LOCAL_OUT,
-                .priority       = -99,
+                .priority       = NF_IP_PRI_NAT_DST + 1,
        },
        /* After mangle, schedule and forward local requests */
        {
@@ -1818,7 +1798,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET,
                .hooknum        = NF_INET_LOCAL_OUT,
-                .priority       = -98,
+                .priority       = NF_IP_PRI_NAT_DST + 2,
        },
        /* After packet filtering (but before ip_vs_out_icmp), catch icmp
         * destined for 0.0.0.0/0, which is for incoming IPVS connections */
@@ -1844,7 +1824,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_LOCAL_IN,
-                .priority       = 99,
+                .priority       = NF_IP6_PRI_NAT_SRC - 2,
        },
        /* After packet filtering, forward packet through VS/DR, VS/TUN,
         * or VS/NAT(change destination), so that filtering rules can be
@@ -1854,7 +1834,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_LOCAL_IN,
-                .priority       = 101,
+                .priority       = NF_IP6_PRI_NAT_SRC - 1,
        },
        /* Before ip_vs_in, change source only for VS/NAT */
        {
@@ -1862,7 +1842,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET,
                .hooknum        = NF_INET_LOCAL_OUT,
-                .priority       = -99,
+                .priority       = NF_IP6_PRI_NAT_DST + 1,
        },
        /* After mangle, schedule and forward local requests */
        {
@@ -1870,7 +1850,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_LOCAL_OUT,
-                .priority       = -98,
+                .priority       = NF_IP6_PRI_NAT_DST + 2,
        },
        /* After packet filtering (but before ip_vs_out_icmp), catch icmp
         * destined for 0.0.0.0/0, which is for incoming IPVS connections */
@@ -1965,6 +1945,7 @@ static void __net_exit __ip_vs_dev_cleanup(struct net *net)
 {
        EnterFunction(2);
        net_ipvs(net)->enable = 0;      /* Disable packet reception */
+        smp_wmb();
        __ip_vs_sync_cleanup(net);
        LeaveFunction(2);
 }
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 37890f228b19..699c79a55657 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2069,9 +2069,6 @@ static const struct file_operations ip_vs_info_fops = {
        .release = seq_release_net,
 };
-#endif
-#ifdef CONFIG_PROC_FS
 static int ip_vs_stats_show(struct seq_file *seq, void *v)
 {
        struct net *net = seq_file_single_net(seq);
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index 6b5dd6ddaae9..af63553fa332 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -411,25 +411,35 @@ static struct ip_vs_app ip_vs_ftp = {
 static int __net_init __ip_vs_ftp_init(struct net *net)
 {
        int i, ret;
-        struct ip_vs_app *app = &ip_vs_ftp;
+        struct ip_vs_app *app;
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        app = kmemdup(&ip_vs_ftp, sizeof(struct ip_vs_app), GFP_KERNEL);
+        if (!app)
+                return -ENOMEM;
+        INIT_LIST_HEAD(&app->a_list);
+        INIT_LIST_HEAD(&app->incs_list);
+        ipvs->ftp_app = app;
        ret = register_ip_vs_app(net, app);
        if (ret)
-                return ret;
+                goto err_exit;
        for (i=0; i<IP_VS_APP_MAX_PORTS; i++) {
                if (!ports[i])
                        continue;
                ret = register_ip_vs_app_inc(net, app, app->protocol, ports[i]);
                if (ret)
-                        break;
+                        goto err_unreg;
                pr_info("%s: loaded support on port[%d] = %d\n",
                        app->name, i, ports[i]);
        }
+        return 0;
-        if (ret)
+err_unreg:
-                unregister_ip_vs_app(net, app);
+        unregister_ip_vs_app(net, app);
+err_exit:
+        kfree(ipvs->ftp_app);
        return ret;
 }
 /*
@@ -437,9 +447,10 @@ static int __net_init __ip_vs_ftp_init(struct net *net)
 */
 static void __ip_vs_ftp_exit(struct net *net)
 {
-        struct ip_vs_app *app = &ip_vs_ftp;
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        unregister_ip_vs_app(net, app);
+        unregister_ip_vs_app(net, ipvs->ftp_app);
+        kfree(ipvs->ftp_app);
 }
 static struct pernet_operations ip_vs_ftp_ops = {
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 6132b213eddc..ee319a4338b0 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -87,7 +87,7 @@ __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
 /* Get route to destination or remote server */
 static struct rtable *
 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
-                   __be32 daddr, u32 rtos, int rt_mode)
+                   __be32 daddr, u32 rtos, int rt_mode, __be32 *ret_saddr)
 {
        struct net *net = dev_net(skb_dst(skb)->dev);
        struct rtable *rt;                      /* Route to the other host */
@@ -98,7 +98,12 @@ __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
                spin_lock(&dest->dst_lock);
                if (!(rt = (struct rtable *)
                      __ip_vs_dst_check(dest, rtos))) {
-                        rt = ip_route_output(net, dest->addr.ip, 0, rtos, 0);
+                        struct flowi4 fl4;
+                        memset(&fl4, 0, sizeof(fl4));
+                        fl4.daddr = dest->addr.ip;
+                        fl4.flowi4_tos = rtos;
+                        rt = ip_route_output_key(net, &fl4);
                        if (IS_ERR(rt)) {
                                spin_unlock(&dest->dst_lock);
                                IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
@@ -106,18 +111,30 @@ __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
                                return NULL;
                        }
                        __ip_vs_dst_set(dest, rtos, dst_clone(&rt->dst), 0);
-                        IP_VS_DBG(10, "new dst %pI4, refcnt=%d, rtos=%X\n",
+                        dest->dst_saddr.ip = fl4.saddr;
-                                  &dest->addr.ip,
+                        IP_VS_DBG(10, "new dst %pI4, src %pI4, refcnt=%d, "
+                                  "rtos=%X\n",
+                                  &dest->addr.ip, &dest->dst_saddr.ip,
                                  atomic_read(&rt->dst.__refcnt), rtos);
                }
+                daddr = dest->addr.ip;
+                if (ret_saddr)
+                        *ret_saddr = dest->dst_saddr.ip;
                spin_unlock(&dest->dst_lock);
        } else {
-                rt = ip_route_output(net, daddr, 0, rtos, 0);
+                struct flowi4 fl4;
+                memset(&fl4, 0, sizeof(fl4));
+                fl4.daddr = daddr;
+                fl4.flowi4_tos = rtos;
+                rt = ip_route_output_key(net, &fl4);
                if (IS_ERR(rt)) {
                        IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
                                     &daddr);
                        return NULL;
                }
+                if (ret_saddr)
+                        *ret_saddr = fl4.saddr;
        }
        local = rt->rt_flags & RTCF_LOCAL;
@@ -125,7 +142,7 @@ __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
              rt_mode)) {
                IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI4\n",
                             (rt->rt_flags & RTCF_LOCAL) ?
-                             "local":"non-local", &rt->rt_dst);
+                             "local":"non-local", &daddr);
                ip_rt_put(rt);
                return NULL;
        }
@@ -133,14 +150,14 @@ __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
            !((ort = skb_rtable(skb)) && ort->rt_flags & RTCF_LOCAL)) {
                IP_VS_DBG_RL("Redirect from non-local address %pI4 to local "
                             "requires NAT method, dest: %pI4\n",
-                             &ip_hdr(skb)->daddr, &rt->rt_dst);
+                             &ip_hdr(skb)->daddr, &daddr);
                ip_rt_put(rt);
                return NULL;
        }
        if (unlikely(!local && ipv4_is_loopback(ip_hdr(skb)->saddr))) {
                IP_VS_DBG_RL("Stopping traffic from loopback address %pI4 "
                             "to non-local address, dest: %pI4\n",
-                             &ip_hdr(skb)->saddr, &rt->rt_dst);
+                             &ip_hdr(skb)->saddr, &daddr);
                ip_rt_put(rt);
                return NULL;
        }
@@ -229,8 +246,6 @@ out_err:
 /*
 * Get route to destination or remote server
- * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
- *          &4=Allow redirect from remote daddr to local
 */
 static struct rt6_info *
 __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
@@ -250,7 +265,7 @@ __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
                        u32 cookie;
                        dst = __ip_vs_route_output_v6(net, &dest->addr.in6,
-                                                      &dest->dst_saddr,
+                                                      &dest->dst_saddr.in6,
                                                      do_xfrm);
                        if (!dst) {
                                spin_unlock(&dest->dst_lock);
@@ -260,11 +275,11 @@ __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
                        cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
                        __ip_vs_dst_set(dest, 0, dst_clone(&rt->dst), cookie);
                        IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
-                                  &dest->addr.in6, &dest->dst_saddr,
+                                  &dest->addr.in6, &dest->dst_saddr.in6,
                                  atomic_read(&rt->dst.__refcnt));
                }
                if (ret_saddr)
-                        ipv6_addr_copy(ret_saddr, &dest->dst_saddr);
+                        ipv6_addr_copy(ret_saddr, &dest->dst_saddr.in6);
                spin_unlock(&dest->dst_lock);
        } else {
                dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm);
@@ -274,13 +289,14 @@ __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
        }
        local = __ip_vs_is_local_route6(rt);
-        if (!((local ? 1 : 2) & rt_mode)) {
+        if (!((local ? IP_VS_RT_MODE_LOCAL : IP_VS_RT_MODE_NON_LOCAL) &
+              rt_mode)) {
                IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI6\n",
                             local ? "local":"non-local", daddr);
                dst_release(&rt->dst);
                return NULL;
        }
-        if (local && !(rt_mode & 4) &&
+        if (local && !(rt_mode & IP_VS_RT_MODE_RDR) &&
            !((ort = (struct rt6_info *) skb_dst(skb)) &&
              __ip_vs_is_local_route6(ort))) {
                IP_VS_DBG_RL("Redirect from non-local address %pI6 to local "
@@ -386,7 +402,7 @@ ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
        if (!(rt = __ip_vs_get_out_rt(skb, NULL, iph->daddr, RT_TOS(iph->tos),
-                                      IP_VS_RT_MODE_NON_LOCAL)))
+                                      IP_VS_RT_MODE_NON_LOCAL, NULL)))
                goto tx_error_icmp;
        /* MTU checking */
@@ -440,7 +456,8 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
-        if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0, 2)))
+        if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0,
+                                         IP_VS_RT_MODE_NON_LOCAL)))
                goto tx_error_icmp;
        /* MTU checking */
@@ -517,7 +534,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
                                      RT_TOS(iph->tos),
                                      IP_VS_RT_MODE_LOCAL |
                                        IP_VS_RT_MODE_NON_LOCAL |
-                                        IP_VS_RT_MODE_RDR)))
+                                        IP_VS_RT_MODE_RDR, NULL)))
                goto tx_error_icmp;
        local = rt->rt_flags & RTCF_LOCAL;
        /*
@@ -539,7 +556,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 #endif
        /* From world but DNAT to loopback address? */
-        if (local && ipv4_is_loopback(rt->rt_dst) &&
+        if (local && ipv4_is_loopback(cp->daddr.ip) &&
            rt_is_input_route(skb_rtable(skb))) {
                IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, 0, "ip_vs_nat_xmit(): "
                                 "stopping DNAT to loopback address");
@@ -632,7 +649,9 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        }
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
-                                         0, 1|2|4)))
+                                         0, (IP_VS_RT_MODE_LOCAL |
+                                             IP_VS_RT_MODE_NON_LOCAL |
+                                             IP_VS_RT_MODE_RDR))))
                goto tx_error_icmp;
        local = __ip_vs_is_local_route6(rt);
        /*
@@ -748,6 +767,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
                  struct ip_vs_protocol *pp)
 {
        struct rtable *rt;                      /* Route to the other host */
+        __be32 saddr;                           /* Source for tunnel */
        struct net_device *tdev;                /* Device to other host */
        struct iphdr  *old_iph = ip_hdr(skb);
        u8     tos = old_iph->tos;
@@ -761,7 +781,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
                                      RT_TOS(tos), IP_VS_RT_MODE_LOCAL |
-                                                   IP_VS_RT_MODE_NON_LOCAL)))
+                                                   IP_VS_RT_MODE_NON_LOCAL,
+                                                   &saddr)))
                goto tx_error_icmp;
        if (rt->rt_flags & RTCF_LOCAL) {
                ip_rt_put(rt);
@@ -829,8 +850,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_IPIP;
        iph->tos                =       tos;
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       cp->daddr.ip;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       saddr;
        iph->ttl                =       old_iph->ttl;
        ip_select_ident(iph, &rt->dst, NULL);
@@ -875,7 +896,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6,
-                                         &saddr, 1, 1|2)))
+                                         &saddr, 1, (IP_VS_RT_MODE_LOCAL |
+                                                     IP_VS_RT_MODE_NON_LOCAL))))
                goto tx_error_icmp;
        if (__ip_vs_is_local_route6(rt)) {
                dst_release(&rt->dst);
@@ -992,7 +1014,7 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
                                      RT_TOS(iph->tos),
                                      IP_VS_RT_MODE_LOCAL |
-                                        IP_VS_RT_MODE_NON_LOCAL)))
+                                        IP_VS_RT_MODE_NON_LOCAL, NULL)))
                goto tx_error_icmp;
        if (rt->rt_flags & RTCF_LOCAL) {
                ip_rt_put(rt);
@@ -1050,7 +1072,8 @@ ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
-                                         0, 1|2)))
+                                         0, (IP_VS_RT_MODE_LOCAL |
+                                             IP_VS_RT_MODE_NON_LOCAL))))
                goto tx_error_icmp;
        if (__ip_vs_is_local_route6(rt)) {
                dst_release(&rt->dst);
@@ -1109,12 +1132,13 @@ tx_error:
 */
 int
 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
-                struct ip_vs_protocol *pp, int offset)
+                struct ip_vs_protocol *pp, int offset, unsigned int hooknum)
 {
        struct rtable   *rt;    /* Route to the other host */
        int mtu;
        int rc;
        int local;
+        int rt_mode;
        EnterFunction(10);
@@ -1135,11 +1159,13 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
         * mangle and send the packet here (only for VS/NAT)
         */
+        /* LOCALNODE from FORWARD hook is not supported */
+        rt_mode = (hooknum != NF_INET_FORWARD) ?
+                  IP_VS_RT_MODE_LOCAL | IP_VS_RT_MODE_NON_LOCAL |
+                  IP_VS_RT_MODE_RDR : IP_VS_RT_MODE_NON_LOCAL;
        if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
                                      RT_TOS(ip_hdr(skb)->tos),
-                                      IP_VS_RT_MODE_LOCAL |
+                                      rt_mode, NULL)))
-                                        IP_VS_RT_MODE_NON_LOCAL |
-                                        IP_VS_RT_MODE_RDR)))
                goto tx_error_icmp;
        local = rt->rt_flags & RTCF_LOCAL;
@@ -1162,7 +1188,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 #endif
        /* From world but DNAT to loopback address? */
-        if (local && ipv4_is_loopback(rt->rt_dst) &&
+        if (local && ipv4_is_loopback(cp->daddr.ip) &&
            rt_is_input_route(skb_rtable(skb))) {
                IP_VS_DBG(1, "%s(): "
                          "stopping DNAT to loopback %pI4\n",
@@ -1227,12 +1253,13 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 #ifdef CONFIG_IP_VS_IPV6
 int
 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
-                struct ip_vs_protocol *pp, int offset)
+                struct ip_vs_protocol *pp, int offset, unsigned int hooknum)
 {
        struct rt6_info *rt;    /* Route to the other host */
        int mtu;
        int rc;
        int local;
+        int rt_mode;
        EnterFunction(10);
@@ -1253,8 +1280,12 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
         * mangle and send the packet here (only for VS/NAT)
         */
+        /* LOCALNODE from FORWARD hook is not supported */
+        rt_mode = (hooknum != NF_INET_FORWARD) ?
+                  IP_VS_RT_MODE_LOCAL | IP_VS_RT_MODE_NON_LOCAL |
+                  IP_VS_RT_MODE_RDR : IP_VS_RT_MODE_NON_LOCAL;
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
-                                         0, 1|2|4)))
+                                         0, rt_mode)))
                goto tx_error_icmp;
        local = __ip_vs_is_local_route6(rt);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 2e1c11f78419..f7af8b866017 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -850,7 +850,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
        /* It exists; we have (non-exclusive) reference. */
        if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {
-                *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
+                *ctinfo = IP_CT_ESTABLISHED_REPLY;
                /* Please set reply bit if this packet OK */
                *set_reply = 1;
        } else {
@@ -922,6 +922,9 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
                        ret = -ret;
                        goto out;
                }
+                /* ICMP[v6] protocol trackers may assign one conntrack. */
+                if (skb->nfct)
+                        goto out;
        }
        ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum,
@@ -1143,7 +1146,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
        /* This ICMP is in reverse direction to the packet which caused it */
        ct = nf_ct_get(skb, &ctinfo);
        if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
-                ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
+                ctinfo = IP_CT_RELATED_REPLY;
        else
                ctinfo = IP_CT_RELATED;
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 80a23ed62bb0..05ecdc281a53 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -68,12 +68,6 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
        return (void *)(*ext) + off;
 }
-static void __nf_ct_ext_free_rcu(struct rcu_head *head)
-{
-        struct nf_ct_ext *ext = container_of(head, struct nf_ct_ext, rcu);
-        kfree(ext);
-}
 void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 {
        struct nf_ct_ext *old, *new;
@@ -114,7 +108,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
                                        (void *)old + old->offset[i]);
                        rcu_read_unlock();
                }
-                call_rcu(&old->rcu, __nf_ct_ext_free_rcu);
+                kfree_rcu(old, rcu);
                ct->ext = new;
        }
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index e17cb7c7dd8f..6f5801eac999 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -368,7 +368,7 @@ static int help(struct sk_buff *skb,
        /* Until there's been traffic both ways, don't look in packets. */
        if (ctinfo != IP_CT_ESTABLISHED &&
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
+            ctinfo != IP_CT_ESTABLISHED_REPLY) {
                pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);
                return NF_ACCEPT;
        }
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 18b2ce5c8ced..f03c2d4539f6 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -571,10 +571,9 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
        int ret;
        /* Until there's been traffic both ways, don't look in packets. */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
                return NF_ACCEPT;
-        }
        pr_debug("nf_ct_h245: skblen = %u\n", skb->len);
        spin_lock_bh(&nf_h323_lock);
@@ -1125,10 +1124,9 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
        int ret;
        /* Until there's been traffic both ways, don't look in packets. */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
                return NF_ACCEPT;
-        }
        pr_debug("nf_ct_q931: skblen = %u\n", skb->len);
        spin_lock_bh(&nf_h323_lock);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index b394aa318776..4f9390b98697 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -125,8 +125,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
                return NF_ACCEPT;
        /* Until there's been traffic both ways, don't look in packets. */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
                return NF_ACCEPT;
        /* Not a full tcp header? */
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 088944824e13..2fd4565144de 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -519,8 +519,7 @@ conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff,
        u_int16_t msg;
        /* don't do any tracking before tcp handshake complete */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
                return NF_ACCEPT;
        nexthdr_off = protoff;
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index d9e27734b2a2..8501823b3f9b 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -78,7 +78,7 @@ static int help(struct sk_buff *skb,
        ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
        /* Until there's been traffic both ways, don't look in packets. */
        if (ctinfo != IP_CT_ESTABLISHED &&
-            ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY)
+            ctinfo != IP_CT_ESTABLISHED_REPLY)
                return NF_ACCEPT;
        /* Not a full tcp header? */
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 237cc1981b89..93faf6a3a637 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1419,10 +1419,11 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
        const char *dptr, *end;
        s16 diff, tdiff = 0;
        int ret = NF_ACCEPT;
+        bool term;
        typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
        if (ctinfo != IP_CT_ESTABLISHED &&
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
+            ctinfo != IP_CT_ESTABLISHED_REPLY)
                return NF_ACCEPT;
        /* No Data ? */
@@ -1453,14 +1454,21 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                if (dptr + matchoff == end)
                        break;
-                if (end + strlen("\r\n\r\n") > dptr + datalen)
+                term = false;
-                        break;
+                for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
-                if (end[0] != '\r' || end[1] != '\n' ||
+                        if (end[0] == '\r' && end[1] == '\n' &&
-                    end[2] != '\r' || end[3] != '\n')
+                            end[2] == '\r' && end[3] == '\n') {
+                                term = true;
+                                break;
+                        }
+                }
+                if (!term)
                        break;
                end += strlen("\r\n\r\n") + clen;
                msglen = origlen = end - dptr;
+                if (msglen > datalen)
+                        return NF_DROP;
                ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
                if (ret != NF_ACCEPT)
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 0ae142825881..05e9feb101c3 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -245,7 +245,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
        ret = 0;
 release:
        nf_ct_put(ct);
-        return 0;
+        return ret;
 }
 static const struct seq_operations ct_seq_ops = {
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 985e9b76c916..2e7ccbb43ddb 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -381,7 +381,6 @@ __build_packet_message(struct nfulnl_instance *inst,
        struct nfulnl_msg_packet_hdr pmsg;
        struct nlmsghdr *nlh;
        struct nfgenmsg *nfmsg;
-        __be32 tmp_uint;
        sk_buff_data_t old_tail = inst->skb->tail;
        nlh = NLMSG_PUT(inst->skb, 0, 0,
@@ -428,7 +427,6 @@ __build_packet_message(struct nfulnl_instance *inst,
        }
        if (outdev) {
-                tmp_uint = htonl(outdev->ifindex);
 #ifndef CONFIG_BRIDGE_NETFILTER
                NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
                             htonl(outdev->ifindex));
@@ -458,7 +456,8 @@ __build_packet_message(struct nfulnl_instance *inst,
        if (skb->mark)
                NLA_PUT_BE32(inst->skb, NFULA_MARK, htonl(skb->mark));
-        if (indev && skb->dev) {
+        if (indev && skb->dev &&
+            skb->mac_header != skb->network_header) {
                struct nfulnl_msg_packet_hw phw;
                int len = dev_parse_header(skb, phw.hw_addr);
                if (len > 0) {
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index b83123f12b42..fdd2fafe0a14 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -335,7 +335,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
        if (entskb->mark)
                NLA_PUT_BE32(skb, NFQA_MARK, htonl(entskb->mark));
-        if (indev && entskb->dev) {
+        if (indev && entskb->dev &&
+            entskb->mac_header != entskb->network_header) {
                struct nfqnl_msg_packet_hw phw;
                int len = dev_parse_header(entskb, phw.hw_addr);
                if (len) {
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8a025a585d2f..b0869fe3633b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -762,8 +762,8 @@ void xt_compat_unlock(u_int8_t af)
 EXPORT_SYMBOL_GPL(xt_compat_unlock);
 #endif
-DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
+DEFINE_PER_CPU(seqcount_t, xt_recseq);
-EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
+EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
 static int xt_jumpstack_alloc(struct xt_table_info *i)
 {
@@ -1362,10 +1362,7 @@ static int __init xt_init(void)
        int rv;
        for_each_possible_cpu(i) {
-                struct xt_info_lock *lock = &per_cpu(xt_info_locks, i);
+                seqcount_init(&per_cpu(xt_recseq, i));
-                seqlock_init(&lock->lock);
-                lock->readers = 0;
        }
        xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 4327e101c047..846f895cb656 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -62,13 +62,6 @@ static const struct nla_policy xt_osf_policy[OSF_ATTR_MAX + 1] = {
        [OSF_ATTR_FINGER]       = { .len = sizeof(struct xt_osf_user_finger) },
 };
-static void xt_osf_finger_free_rcu(struct rcu_head *rcu_head)
-{
-        struct xt_osf_finger *f = container_of(rcu_head, struct xt_osf_finger, rcu_head);
-        kfree(f);
-}
 static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
                               const struct nlmsghdr *nlh,
                               const struct nlattr * const osf_attrs[])
@@ -133,7 +126,7 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
                 * We are protected by nfnl mutex.
                 */
                list_del_rcu(&sf->finger_entry);
-                call_rcu(&sf->rcu_head, xt_osf_finger_free_rcu);
+                kfree_rcu(sf, rcu_head);
                err = 0;
                break;
@@ -414,7 +407,7 @@ static void __exit xt_osf_fini(void)
                list_for_each_entry_rcu(f, &xt_osf_fingers[i], finger_entry) {
                        list_del_rcu(&f->finger_entry);
-                        call_rcu(&f->rcu_head, xt_osf_finger_free_rcu);
+                        kfree_rcu(f, rcu_head);
                }
        }
        rcu_read_unlock();
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 9cc46356b577..fe39f7e913df 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -143,9 +143,9 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
        ct = nf_ct_get(skb, &ctinfo);
        if (ct && !nf_ct_is_untracked(ct) &&
            ((iph->protocol != IPPROTO_ICMP &&
-              ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) ||
+              ctinfo == IP_CT_ESTABLISHED_REPLY) ||
             (iph->protocol == IPPROTO_ICMP &&
-              ctinfo == IP_CT_IS_REPLY + IP_CT_RELATED)) &&
+              ctinfo == IP_CT_RELATED_REPLY)) &&
            (ct->status & IPS_SRC_NAT_DONE)) {
                daddr = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip;
diff --git a/net/netlabel/netlabel_addrlist.h b/net/netlabel/netlabel_addrlist.h
index 1c1c093cf279..2b9644e19de0 100644
--- a/net/netlabel/netlabel_addrlist.h
+++ b/net/netlabel/netlabel_addrlist.h
@@ -96,12 +96,12 @@ static inline struct netlbl_af4list *__af4list_valid_rcu(struct list_head *s,
 #define netlbl_af4list_foreach(iter, head)                              \
        for (iter = __af4list_valid((head)->next, head);                \
-             prefetch(iter->list.next), &iter->list != (head);          \
+             &iter->list != (head);                                     \
             iter = __af4list_valid(iter->list.next, head))
 #define netlbl_af4list_foreach_rcu(iter, head)                          \
        for (iter = __af4list_valid_rcu((head)->next, head);            \
-             prefetch(iter->list.next), &iter->list != (head);          \
+             &iter->list != (head);                                     \
             iter = __af4list_valid_rcu(iter->list.next, head))
 #define netlbl_af4list_foreach_safe(iter, tmp, head)                    \
@@ -163,12 +163,12 @@ static inline struct netlbl_af6list *__af6list_valid_rcu(struct list_head *s,
 #define netlbl_af6list_foreach(iter, head)                              \
        for (iter = __af6list_valid((head)->next, head);                \
-             prefetch(iter->list.next), &iter->list != (head);          \
+             &iter->list != (head);                                     \
             iter = __af6list_valid(iter->list.next, head))
 #define netlbl_af6list_foreach_rcu(iter, head)                          \
        for (iter = __af6list_valid_rcu((head)->next, head);            \
-             prefetch(iter->list.next), &iter->list != (head);          \
+             &iter->list != (head);                                     \
             iter = __af6list_valid_rcu(iter->list.next, head))
 #define netlbl_af6list_foreach_safe(iter, tmp, head)                    \
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 5f14c8462e30..bae5756b1626 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -422,7 +422,6 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
 {
        int ret_val = -EINVAL;
-        const char *type_str = "(unknown)";
        struct netlbl_audit audit_info;
        if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
@@ -432,15 +431,12 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
        netlbl_netlink_auditinfo(skb, &audit_info);
        switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
        case CIPSO_V4_MAP_TRANS:
-                type_str = "trans";
                ret_val = netlbl_cipsov4_add_std(info, &audit_info);
                break;
        case CIPSO_V4_MAP_PASS:
-                type_str = "pass";
                ret_val = netlbl_cipsov4_add_pass(info, &audit_info);
                break;
        case CIPSO_V4_MAP_LOCAL:
-                type_str = "local";
                ret_val = netlbl_cipsov4_add_local(info, &audit_info);
                break;
        }
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index e2b0a680dd56..9c38658fba8b 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -154,44 +154,6 @@ static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
 */
 /**
- * netlbl_unlhsh_free_addr4 - Frees an IPv4 address entry from the hash table
- * @entry: the entry's RCU field
- *
- * Description:
- * This function is designed to be used as a callback to the call_rcu()
- * function so that memory allocated to a hash table address entry can be
- * released safely.
- *
- */
-static void netlbl_unlhsh_free_addr4(struct rcu_head *entry)
-{
-        struct netlbl_unlhsh_addr4 *ptr;
-        ptr = container_of(entry, struct netlbl_unlhsh_addr4, rcu);
-        kfree(ptr);
-}
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-/**
- * netlbl_unlhsh_free_addr6 - Frees an IPv6 address entry from the hash table
- * @entry: the entry's RCU field
- *
- * Description:
- * This function is designed to be used as a callback to the call_rcu()
- * function so that memory allocated to a hash table address entry can be
- * released safely.
- *
- */
-static void netlbl_unlhsh_free_addr6(struct rcu_head *entry)
-{
-        struct netlbl_unlhsh_addr6 *ptr;
-        ptr = container_of(entry, struct netlbl_unlhsh_addr6, rcu);
-        kfree(ptr);
-}
-#endif /* IPv6 */
-/**
 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
 * @entry: the entry's RCU field
 *
@@ -568,7 +530,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
        if (entry == NULL)
                return -ENOENT;
-        call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4);
+        kfree_rcu(entry, rcu);
        return 0;
 }
@@ -629,7 +591,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
        if (entry == NULL)
                return -ENOENT;
-        call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6);
+        kfree_rcu(entry, rcu);
        return 0;
 }
 #endif /* IPv6 */
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index c8f35b5d2ee9..6ef64adf7362 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1566,12 +1566,6 @@ netlink_kernel_release(struct sock *sk)
 }
 EXPORT_SYMBOL(netlink_kernel_release);
-static void listeners_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct listeners, rcu));
-}
 int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
 {
        struct listeners *new, *old;
@@ -1588,7 +1582,7 @@ int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
                memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
                rcu_assign_pointer(tbl->listeners, new);
-                call_rcu(&old->rcu, listeners_free_rcu);
+                kfree_rcu(old, rcu);
        }
        tbl->groups = groups;
@@ -1991,7 +1985,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
                struct sock *s = v;
                struct netlink_sock *nlk = nlk_sk(s);
-                seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
+                seq_printf(seq, "%pK %-3d %-6d %08x %-8d %-8d %pK %-8d %-8d %-8lu\n",
                           s,
                           s->sk_protocol,
                           nlk->pid,
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 06cb02796a0e..732152f718e0 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -591,7 +591,6 @@ static int nr_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                return -EINVAL;
        }
        if ((dev = nr_dev_get(&addr->fsa_ax25.sax25_call)) == NULL) {
-                SOCK_DEBUG(sk, "NET/ROM: bind failed: invalid node callsign\n");
                release_sock(sk);
                return -EADDRNOTAVAIL;
        }
@@ -632,7 +631,7 @@ static int nr_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        sock_reset_flag(sk, SOCK_ZAPPED);
        dev_put(dev);
        release_sock(sk);
-        SOCK_DEBUG(sk, "NET/ROM: socket is bound\n");
        return 0;
 }
@@ -1082,8 +1081,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
                sax.sax25_call   = nr->dest_addr;
        }
-        SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
        /* Build a packet - the conventional user limit is 236 bytes. We can
           do ludicrously large NetROM frames but must not overflow */
        if (len > 65536) {
@@ -1091,7 +1088,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
                goto out;
        }
-        SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
        size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
        if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
@@ -1105,7 +1101,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
         */
        asmptr = skb_push(skb, NR_TRANSPORT_LEN);
-        SOCK_DEBUG(sk, "Building NET/ROM Header.\n");
        /* Build a NET/ROM Transport header */
@@ -1114,15 +1109,12 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
        *asmptr++ = 0;          /* To be filled in later */
        *asmptr++ = 0;          /*      Ditto            */
        *asmptr++ = NR_INFO;
-        SOCK_DEBUG(sk, "Built header.\n");
        /*
         *      Put the data on the end
         */
        skb_put(skb, len);
-        SOCK_DEBUG(sk, "NET/ROM: Appending user data\n");
        /* User data follows immediately after the NET/ROM transport header */
        if (memcpy_fromiovec(skb_transport_header(skb), msg->msg_iov, len)) {
                kfree_skb(skb);
@@ -1130,8 +1122,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
                goto out;
        }
-        SOCK_DEBUG(sk, "NET/ROM: Transmitting buffer\n");
        if (sk->sk_state != TCP_ESTABLISHED) {
                kfree_skb(skb);
                err = -ENOTCONN;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index b5362e96022b..c0c3cda19712 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -538,7 +538,7 @@ static inline unsigned int run_filter(const struct sk_buff *skb,
        rcu_read_lock();
        filter = rcu_dereference(sk->sk_filter);
        if (filter != NULL)
-                res = sk_run_filter(skb, filter->insns);
+                res = SK_RUN_FILTER(filter, skb);
        rcu_read_unlock();
        return res;
@@ -798,7 +798,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
                        getnstimeofday(&ts);
                h.h2->tp_sec = ts.tv_sec;
                h.h2->tp_nsec = ts.tv_nsec;
-                h.h2->tp_vlan_tci = vlan_tx_tag_get(skb);
+                if (vlan_tx_tag_present(skb)) {
+                        h.h2->tp_vlan_tci = vlan_tx_tag_get(skb);
+                        status |= TP_STATUS_VLAN_VALID;
+                } else {
+                        h.h2->tp_vlan_tci = 0;
+                }
+                h.h2->tp_padding = 0;
                hdrlen = sizeof(*h.h2);
                break;
        default:
@@ -1725,8 +1731,13 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
                aux.tp_snaplen = skb->len;
                aux.tp_mac = 0;
                aux.tp_net = skb_network_offset(skb);
-                aux.tp_vlan_tci = vlan_tx_tag_get(skb);
+                if (vlan_tx_tag_present(skb)) {
+                        aux.tp_vlan_tci = vlan_tx_tag_get(skb);
+                        aux.tp_status |= TP_STATUS_VLAN_VALID;
+                } else {
+                        aux.tp_vlan_tci = 0;
+                }
+                aux.tp_padding = 0;
                put_cmsg(msg, SOL_PACKET, PACKET_AUXDATA, sizeof(aux), &aux);
        }
@@ -2706,7 +2717,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
                const struct packet_sock *po = pkt_sk(s);
                seq_printf(seq,
-                           "%p %-6d %-4d %04x   %-5d %1d %-6u %-6u %-6lu\n",
+                           "%pK %-6d %-4d %04x   %-5d %1d %-6u %-6u %-6lu\n",
                           s,
                           atomic_read(&s->sk_refcnt),
                           s->sk_type,
diff --git a/net/phonet/pn_dev.c b/net/phonet/pn_dev.c
index 947038ddd04c..d2df8f33160b 100644
--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -162,14 +162,6 @@ int phonet_address_add(struct net_device *dev, u8 addr)
        return err;
 }
-static void phonet_device_rcu_free(struct rcu_head *head)
-{
-        struct phonet_device *pnd;
-        pnd = container_of(head, struct phonet_device, rcu);
-        kfree(pnd);
-}
 int phonet_address_del(struct net_device *dev, u8 addr)
 {
        struct phonet_device_list *pndevs = phonet_device_list(dev_net(dev));
@@ -188,7 +180,7 @@ int phonet_address_del(struct net_device *dev, u8 addr)
        mutex_unlock(&pndevs->lock);
        if (pnd)
-                call_rcu(&pnd->rcu, phonet_device_rcu_free);
+                kfree_rcu(pnd, rcu);
        return err;
 }
@@ -426,18 +418,14 @@ int phonet_route_del(struct net_device *dev, u8 daddr)
        return 0;
 }
-struct net_device *phonet_route_get(struct net *net, u8 daddr)
+struct net_device *phonet_route_get_rcu(struct net *net, u8 daddr)
 {
        struct phonet_net *pnn = phonet_pernet(net);
        struct phonet_routes *routes = &pnn->routes;
        struct net_device *dev;
-        ASSERT_RTNL(); /* no need to hold the device */
        daddr >>= 2;
-        rcu_read_lock();
        dev = rcu_dereference(routes->table[daddr]);
-        rcu_read_unlock();
        return dev;
 }
diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
index 58b3b1f991ed..438accb7a5a8 100644
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -264,10 +264,11 @@ static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
        struct net *net = sock_net(skb->sk);
        u8 addr, addr_idx = 0, addr_start_idx = cb->args[0];
+        rcu_read_lock();
        for (addr = 0; addr < 64; addr++) {
                struct net_device *dev;
-                dev = phonet_route_get(net, addr << 2);
+                dev = phonet_route_get_rcu(net, addr << 2);
                if (!dev)
                        continue;
@@ -279,6 +280,7 @@ static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
        }
 out:
+        rcu_read_unlock();
        cb->args[0] = addr_idx;
        cb->args[1] = 0;
diff --git a/net/phonet/socket.c b/net/phonet/socket.c
index b1adafab377c..ab07711cf2f4 100644
--- a/net/phonet/socket.c
+++ b/net/phonet/socket.c
@@ -52,7 +52,7 @@ static int pn_socket_release(struct socket *sock)
 static struct  {
        struct hlist_head hlist[PN_HASHSIZE];
-        spinlock_t lock;
+        struct mutex lock;
 } pnsocks;
 void __init pn_sock_init(void)
@@ -61,7 +61,7 @@ void __init pn_sock_init(void)
        for (i = 0; i < PN_HASHSIZE; i++)
                INIT_HLIST_HEAD(pnsocks.hlist + i);
-        spin_lock_init(&pnsocks.lock);
+        mutex_init(&pnsocks.lock);
 }
 static struct hlist_head *pn_hash_list(u16 obj)
@@ -82,9 +82,8 @@ struct sock *pn_find_sock_by_sa(struct net *net, const struct sockaddr_pn *spn)
        u8 res = spn->spn_resource;
        struct hlist_head *hlist = pn_hash_list(obj);
-        spin_lock_bh(&pnsocks.lock);
+        rcu_read_lock();
+        sk_for_each_rcu(sknode, node, hlist) {
-        sk_for_each(sknode, node, hlist) {
                struct pn_sock *pn = pn_sk(sknode);
                BUG_ON(!pn->sobject); /* unbound socket */
@@ -107,8 +106,7 @@ struct sock *pn_find_sock_by_sa(struct net *net, const struct sockaddr_pn *spn)
                sock_hold(sknode);
                break;
        }
+        rcu_read_unlock();
-        spin_unlock_bh(&pnsocks.lock);
        return rval;
 }
@@ -119,7 +117,7 @@ void pn_deliver_sock_broadcast(struct net *net, struct sk_buff *skb)
        struct hlist_head *hlist = pnsocks.hlist;
        unsigned h;
-        spin_lock(&pnsocks.lock);
+        rcu_read_lock();
        for (h = 0; h < PN_HASHSIZE; h++) {
                struct hlist_node *node;
                struct sock *sknode;
@@ -140,25 +138,26 @@ void pn_deliver_sock_broadcast(struct net *net, struct sk_buff *skb)
                }
                hlist++;
        }
-        spin_unlock(&pnsocks.lock);
+        rcu_read_unlock();
 }
 void pn_sock_hash(struct sock *sk)
 {
        struct hlist_head *hlist = pn_hash_list(pn_sk(sk)->sobject);
-        spin_lock_bh(&pnsocks.lock);
+        mutex_lock(&pnsocks.lock);
-        sk_add_node(sk, hlist);
+        sk_add_node_rcu(sk, hlist);
-        spin_unlock_bh(&pnsocks.lock);
+        mutex_unlock(&pnsocks.lock);
 }
 EXPORT_SYMBOL(pn_sock_hash);
 void pn_sock_unhash(struct sock *sk)
 {
-        spin_lock_bh(&pnsocks.lock);
+        mutex_lock(&pnsocks.lock);
-        sk_del_node_init(sk);
+        sk_del_node_init_rcu(sk);
-        spin_unlock_bh(&pnsocks.lock);
+        mutex_unlock(&pnsocks.lock);
        pn_sock_unbind_all_res(sk);
+        synchronize_rcu();
 }
 EXPORT_SYMBOL(pn_sock_unhash);
@@ -548,7 +547,7 @@ static struct sock *pn_sock_get_idx(struct seq_file *seq, loff_t pos)
        unsigned h;
        for (h = 0; h < PN_HASHSIZE; h++) {
-                sk_for_each(sknode, node, hlist) {
+                sk_for_each_rcu(sknode, node, hlist) {
                        if (!net_eq(net, sock_net(sknode)))
                                continue;
                        if (!pos)
@@ -572,9 +571,9 @@ static struct sock *pn_sock_get_next(struct seq_file *seq, struct sock *sk)
 }
 static void *pn_sock_seq_start(struct seq_file *seq, loff_t *pos)
-        __acquires(pnsocks.lock)
+        __acquires(rcu)
 {
-        spin_lock_bh(&pnsocks.lock);
+        rcu_read_lock();
        return *pos ? pn_sock_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
 }
@@ -591,9 +590,9 @@ static void *pn_sock_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 }
 static void pn_sock_seq_stop(struct seq_file *seq, void *v)
-        __releases(pnsocks.lock)
+        __releases(rcu)
 {
-        spin_unlock_bh(&pnsocks.lock);
+        rcu_read_unlock();
 }
 static int pn_sock_seq_show(struct seq_file *seq, void *v)
@@ -608,7 +607,7 @@ static int pn_sock_seq_show(struct seq_file *seq, void *v)
                struct pn_sock *pn = pn_sk(sk);
                seq_printf(seq, "%2d %04X:%04X:%02X %02X %08X:%08X %5d %lu "
-                        "%d %p %d%n",
+                        "%d %pK %d%n",
                        sk->sk_protocol, pn->sobject, pn->dobject,
                        pn->resource, sk->sk_state,
                        sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
@@ -721,13 +720,11 @@ void pn_sock_unbind_all_res(struct sock *sk)
        }
        mutex_unlock(&resource_mutex);
-        if (match == 0)
-                return;
-        synchronize_rcu();
        while (match > 0) {
-                sock_put(sk);
+                __sock_put(sk);
                match--;
        }
+        /* Caller is responsible for RCU sync before final sock_put() */
 }
 #ifdef CONFIG_PROC_FS
diff --git a/net/rds/ib.c b/net/rds/ib.c
index cce19f95c624..3b83086bcc30 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -325,7 +325,7 @@ static int rds_ib_laddr_check(__be32 addr)
        /* Create a CMA ID and try to bind it. This catches both
         * IB and iWARP capable NICs.
         */
-        cm_id = rdma_create_id(NULL, NULL, RDMA_PS_TCP);
+        cm_id = rdma_create_id(NULL, NULL, RDMA_PS_TCP, IB_QPT_RC);
        if (IS_ERR(cm_id))
                return PTR_ERR(cm_id);
diff --git a/net/rds/ib_cm.c b/net/rds/ib_cm.c
index ee369d201a65..fd453dd5124b 100644
--- a/net/rds/ib_cm.c
+++ b/net/rds/ib_cm.c
@@ -587,7 +587,7 @@ int rds_ib_conn_connect(struct rds_connection *conn)
        /* XXX I wonder what affect the port space has */
        /* delegate cm event handler to rdma_transport */
        ic->i_cm_id = rdma_create_id(rds_rdma_cm_event_handler, conn,
-                                     RDMA_PS_TCP);
+                                     RDMA_PS_TCP, IB_QPT_RC);
        if (IS_ERR(ic->i_cm_id)) {
                ret = PTR_ERR(ic->i_cm_id);
                ic->i_cm_id = NULL;
diff --git a/net/rds/iw.c b/net/rds/iw.c
index 5a9676fe594f..f7474844f096 100644
--- a/net/rds/iw.c
+++ b/net/rds/iw.c
@@ -226,7 +226,7 @@ static int rds_iw_laddr_check(__be32 addr)
        /* Create a CMA ID and try to bind it. This catches both
         * IB and iWARP capable NICs.
         */
-        cm_id = rdma_create_id(NULL, NULL, RDMA_PS_TCP);
+        cm_id = rdma_create_id(NULL, NULL, RDMA_PS_TCP, IB_QPT_RC);
        if (IS_ERR(cm_id))
                return PTR_ERR(cm_id);
diff --git a/net/rds/iw_cm.c b/net/rds/iw_cm.c
index 3a60a15d1b4a..c12db66f24c7 100644
--- a/net/rds/iw_cm.c
+++ b/net/rds/iw_cm.c
@@ -522,7 +522,7 @@ int rds_iw_conn_connect(struct rds_connection *conn)
        /* XXX I wonder what affect the port space has */
        /* delegate cm event handler to rdma_transport */
        ic->i_cm_id = rdma_create_id(rds_rdma_cm_event_handler, conn,
-                                     RDMA_PS_TCP);
+                                     RDMA_PS_TCP, IB_QPT_RC);
        if (IS_ERR(ic->i_cm_id)) {
                ret = PTR_ERR(ic->i_cm_id);
                ic->i_cm_id = NULL;
diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c
index 4195a0539829..f8760e1b6688 100644
--- a/net/rds/rdma_transport.c
+++ b/net/rds/rdma_transport.c
@@ -158,7 +158,8 @@ static int rds_rdma_listen_init(void)
        struct rdma_cm_id *cm_id;
        int ret;
-        cm_id = rdma_create_id(rds_rdma_cm_event_handler, NULL, RDMA_PS_TCP);
+        cm_id = rdma_create_id(rds_rdma_cm_event_handler, NULL, RDMA_PS_TCP,
+                               IB_QPT_RC);
        if (IS_ERR(cm_id)) {
                ret = PTR_ERR(cm_id);
                printk(KERN_ERR "RDS/RDMA: failed to setup listener, "
diff --git a/net/rfkill/Kconfig b/net/rfkill/Kconfig
index 7fce6dfd2180..78efe895b663 100644
--- a/net/rfkill/Kconfig
+++ b/net/rfkill/Kconfig
@@ -22,3 +22,23 @@ config RFKILL_INPUT
        depends on RFKILL
        depends on INPUT = y || RFKILL = INPUT
        default y if !EXPERT
+config RFKILL_REGULATOR
+        tristate "Generic rfkill regulator driver"
+        depends on RFKILL || !RFKILL
+        depends on REGULATOR
+        help
+          This options enable controlling radio transmitters connected to
+          voltage regulator using the regulator framework.
+          To compile this driver as a module, choose M here: the module will
+          be called rfkill-regulator.
+config RFKILL_GPIO
+        tristate "GPIO RFKILL driver"
+        depends on RFKILL && GPIOLIB && HAVE_CLK
+        default n
+        help
+          If you say yes here you get support of a generic gpio RFKILL
+          driver. The platform should fill in the appropriate fields in the
+          rfkill_gpio_platform_data structure and pass that to the driver.
diff --git a/net/rfkill/Makefile b/net/rfkill/Makefile
index 662105352691..311768783f4a 100644
--- a/net/rfkill/Makefile
+++ b/net/rfkill/Makefile
@@ -5,3 +5,5 @@
 rfkill-y                        += core.o
 rfkill-$(CONFIG_RFKILL_INPUT)   += input.o
 obj-$(CONFIG_RFKILL)            += rfkill.o
+obj-$(CONFIG_RFKILL_REGULATOR)  += rfkill-regulator.o
+obj-$(CONFIG_RFKILL_GPIO)       += rfkill-gpio.o
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 0198191b756d..be90640a2774 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -1024,7 +1024,6 @@ static int rfkill_fop_open(struct inode *inode, struct file *file)
         * start getting events from elsewhere but hold mtx to get
         * startup events added first
         */
-        list_add(&data->list, &rfkill_fds);
        list_for_each_entry(rfkill, &rfkill_list, node) {
                ev = kzalloc(sizeof(*ev), GFP_KERNEL);
@@ -1033,6 +1032,7 @@ static int rfkill_fop_open(struct inode *inode, struct file *file)
                rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
                list_add_tail(&ev->list, &data->events);
        }
+        list_add(&data->list, &rfkill_fds);
        mutex_unlock(&data->mtx);
        mutex_unlock(&rfkill_global_mutex);
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
new file mode 100644
index 000000000000..256c5ddd2d72
--- /dev/null
+++ b/net/rfkill/rfkill-gpio.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 2011, NVIDIA Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+#include <linux/gpio.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/rfkill.h>
+#include <linux/platform_device.h>
+#include <linux/clk.h>
+#include <linux/slab.h>
+#include <linux/rfkill-gpio.h>
+enum rfkill_gpio_clk_state {
+        UNSPECIFIED = 0,
+        PWR_ENABLED,
+        PWR_DISABLED
+};
+#define PWR_CLK_SET(_RF, _EN) \
+        ((_RF)->pwr_clk_enabled = (!(_EN) ? PWR_ENABLED : PWR_DISABLED))
+#define PWR_CLK_ENABLED(_RF) ((_RF)->pwr_clk_enabled == PWR_ENABLED)
+#define PWR_CLK_DISABLED(_RF) ((_RF)->pwr_clk_enabled != PWR_ENABLED)
+struct rfkill_gpio_data {
+        struct rfkill_gpio_platform_data        *pdata;
+        struct rfkill                           *rfkill_dev;
+        char                                    *reset_name;
+        char                                    *shutdown_name;
+        enum rfkill_gpio_clk_state              pwr_clk_enabled;
+        struct clk                              *pwr_clk;
+};
+static int rfkill_gpio_set_power(void *data, bool blocked)
+{
+        struct rfkill_gpio_data *rfkill = data;
+        if (blocked) {
+                if (gpio_is_valid(rfkill->pdata->shutdown_gpio))
+                        gpio_direction_output(rfkill->pdata->shutdown_gpio, 0);
+                if (gpio_is_valid(rfkill->pdata->reset_gpio))
+                        gpio_direction_output(rfkill->pdata->reset_gpio, 0);
+                if (rfkill->pwr_clk && PWR_CLK_ENABLED(rfkill))
+                        clk_disable(rfkill->pwr_clk);
+        } else {
+                if (rfkill->pwr_clk && PWR_CLK_DISABLED(rfkill))
+                        clk_enable(rfkill->pwr_clk);
+                if (gpio_is_valid(rfkill->pdata->reset_gpio))
+                        gpio_direction_output(rfkill->pdata->reset_gpio, 1);
+                if (gpio_is_valid(rfkill->pdata->shutdown_gpio))
+                        gpio_direction_output(rfkill->pdata->shutdown_gpio, 1);
+        }
+        if (rfkill->pwr_clk)
+                PWR_CLK_SET(rfkill, blocked);
+        return 0;
+}
+static const struct rfkill_ops rfkill_gpio_ops = {
+        .set_block = rfkill_gpio_set_power,
+};
+static int rfkill_gpio_probe(struct platform_device *pdev)
+{
+        struct rfkill_gpio_data *rfkill;
+        struct rfkill_gpio_platform_data *pdata = pdev->dev.platform_data;
+        int ret = 0;
+        int len = 0;
+        if (!pdata) {
+                pr_warn("%s: No platform data specified\n", __func__);
+                return -EINVAL;
+        }
+        /* make sure at-least one of the GPIO is defined and that
+         * a name is specified for this instance */
+        if (!pdata->name || (!gpio_is_valid(pdata->reset_gpio) &&
+                !gpio_is_valid(pdata->shutdown_gpio))) {
+                pr_warn("%s: invalid platform data\n", __func__);
+                return -EINVAL;
+        }
+        rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
+        if (!rfkill)
+                return -ENOMEM;
+        rfkill->pdata = pdata;
+        len = strlen(pdata->name);
+        rfkill->reset_name = kzalloc(len + 7, GFP_KERNEL);
+        if (!rfkill->reset_name) {
+                ret = -ENOMEM;
+                goto fail_alloc;
+        }
+        rfkill->shutdown_name = kzalloc(len + 10, GFP_KERNEL);
+        if (!rfkill->shutdown_name) {
+                ret = -ENOMEM;
+                goto fail_reset_name;
+        }
+        snprintf(rfkill->reset_name, len + 6 , "%s_reset", pdata->name);
+        snprintf(rfkill->shutdown_name, len + 9, "%s_shutdown", pdata->name);
+        if (pdata->power_clk_name) {
+                rfkill->pwr_clk = clk_get(&pdev->dev, pdata->power_clk_name);
+                if (IS_ERR(rfkill->pwr_clk)) {
+                        pr_warn("%s: can't find pwr_clk.\n", __func__);
+                        goto fail_shutdown_name;
+                }
+        }
+        if (gpio_is_valid(pdata->reset_gpio)) {
+                ret = gpio_request(pdata->reset_gpio, rfkill->reset_name);
+                if (ret) {
+                        pr_warn("%s: failed to get reset gpio.\n", __func__);
+                        goto fail_clock;
+                }
+        }
+        if (gpio_is_valid(pdata->shutdown_gpio)) {
+                ret = gpio_request(pdata->shutdown_gpio, rfkill->shutdown_name);
+                if (ret) {
+                        pr_warn("%s: failed to get shutdown gpio.\n", __func__);
+                        goto fail_reset;
+                }
+        }
+        rfkill->rfkill_dev = rfkill_alloc(pdata->name, &pdev->dev, pdata->type,
+                                &rfkill_gpio_ops, rfkill);
+        if (!rfkill->rfkill_dev)
+                goto fail_shutdown;
+        ret = rfkill_register(rfkill->rfkill_dev);
+        if (ret < 0)
+                goto fail_rfkill;
+        platform_set_drvdata(pdev, rfkill);
+        dev_info(&pdev->dev, "%s device registered.\n", pdata->name);
+        return 0;
+fail_rfkill:
+        rfkill_destroy(rfkill->rfkill_dev);
+fail_shutdown:
+        if (gpio_is_valid(pdata->shutdown_gpio))
+                gpio_free(pdata->shutdown_gpio);
+fail_reset:
+        if (gpio_is_valid(pdata->reset_gpio))
+                gpio_free(pdata->reset_gpio);
+fail_clock:
+        if (rfkill->pwr_clk)
+                clk_put(rfkill->pwr_clk);
+fail_shutdown_name:
+        kfree(rfkill->shutdown_name);
+fail_reset_name:
+        kfree(rfkill->reset_name);
+fail_alloc:
+        kfree(rfkill);
+        return ret;
+}
+static int rfkill_gpio_remove(struct platform_device *pdev)
+{
+        struct rfkill_gpio_data *rfkill = platform_get_drvdata(pdev);
+        rfkill_unregister(rfkill->rfkill_dev);
+        rfkill_destroy(rfkill->rfkill_dev);
+        if (gpio_is_valid(rfkill->pdata->shutdown_gpio))
+                gpio_free(rfkill->pdata->shutdown_gpio);
+        if (gpio_is_valid(rfkill->pdata->reset_gpio))
+                gpio_free(rfkill->pdata->reset_gpio);
+        if (rfkill->pwr_clk && PWR_CLK_ENABLED(rfkill))
+                clk_disable(rfkill->pwr_clk);
+        if (rfkill->pwr_clk)
+                clk_put(rfkill->pwr_clk);
+        kfree(rfkill->shutdown_name);
+        kfree(rfkill->reset_name);
+        kfree(rfkill);
+        return 0;
+}
+static struct platform_driver rfkill_gpio_driver = {
+        .probe = rfkill_gpio_probe,
+        .remove = __devexit_p(rfkill_gpio_remove),
+        .driver = {
+                   .name = "rfkill_gpio",
+                   .owner = THIS_MODULE,
+        },
+};
+static int __init rfkill_gpio_init(void)
+{
+        return platform_driver_register(&rfkill_gpio_driver);
+}
+static void __exit rfkill_gpio_exit(void)
+{
+        platform_driver_unregister(&rfkill_gpio_driver);
+}
+module_init(rfkill_gpio_init);
+module_exit(rfkill_gpio_exit);
+MODULE_DESCRIPTION("gpio rfkill");
+MODULE_AUTHOR("NVIDIA");
+MODULE_LICENSE("GPL");
diff --git a/net/rfkill/rfkill-regulator.c b/net/rfkill/rfkill-regulator.c
new file mode 100644
index 000000000000..18dc512a10f3
--- /dev/null
+++ b/net/rfkill/rfkill-regulator.c
@@ -0,0 +1,164 @@
+/*
+ * rfkill-regulator.c - Regulator consumer driver for rfkill
+ *
+ * Copyright (C) 2009  Guiming Zhuo <gmzhuo@gmail.com>
+ * Copyright (C) 2011  Antonio Ospite <ospite@studenti.unina.it>
+ *
+ * Implementation inspired by leds-regulator driver.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/module.h>
+#include <linux/err.h>
+#include <linux/slab.h>
+#include <linux/platform_device.h>
+#include <linux/regulator/consumer.h>
+#include <linux/rfkill.h>
+#include <linux/rfkill-regulator.h>
+struct rfkill_regulator_data {
+        struct rfkill *rf_kill;
+        bool reg_enabled;
+        struct regulator *vcc;
+};
+static int rfkill_regulator_set_block(void *data, bool blocked)
+{
+        struct rfkill_regulator_data *rfkill_data = data;
+        pr_debug("%s: blocked: %d\n", __func__, blocked);
+        if (blocked) {
+                if (rfkill_data->reg_enabled) {
+                        regulator_disable(rfkill_data->vcc);
+                        rfkill_data->reg_enabled = 0;
+                }
+        } else {
+                if (!rfkill_data->reg_enabled) {
+                        regulator_enable(rfkill_data->vcc);
+                        rfkill_data->reg_enabled = 1;
+                }
+        }
+        pr_debug("%s: regulator_is_enabled after set_block: %d\n", __func__,
+                regulator_is_enabled(rfkill_data->vcc));
+        return 0;
+}
+struct rfkill_ops rfkill_regulator_ops = {
+        .set_block = rfkill_regulator_set_block,
+};
+static int __devinit rfkill_regulator_probe(struct platform_device *pdev)
+{
+        struct rfkill_regulator_platform_data *pdata = pdev->dev.platform_data;
+        struct rfkill_regulator_data *rfkill_data;
+        struct regulator *vcc;
+        struct rfkill *rf_kill;
+        int ret = 0;
+        if (pdata == NULL) {
+                dev_err(&pdev->dev, "no platform data\n");
+                return -ENODEV;
+        }
+        if (pdata->name == NULL || pdata->type == 0) {
+                dev_err(&pdev->dev, "invalid name or type in platform data\n");
+                return -EINVAL;
+        }
+        vcc = regulator_get_exclusive(&pdev->dev, "vrfkill");
+        if (IS_ERR(vcc)) {
+                dev_err(&pdev->dev, "Cannot get vcc for %s\n", pdata->name);
+                ret = PTR_ERR(vcc);
+                goto out;
+        }
+        rfkill_data = kzalloc(sizeof(*rfkill_data), GFP_KERNEL);
+        if (rfkill_data == NULL) {
+                ret = -ENOMEM;
+                goto err_data_alloc;
+        }
+        rf_kill = rfkill_alloc(pdata->name, &pdev->dev,
+                                pdata->type,
+                                &rfkill_regulator_ops, rfkill_data);
+        if (rf_kill == NULL) {
+                dev_err(&pdev->dev, "Cannot alloc rfkill device\n");
+                ret = -ENOMEM;
+                goto err_rfkill_alloc;
+        }
+        if (regulator_is_enabled(vcc)) {
+                dev_dbg(&pdev->dev, "Regulator already enabled\n");
+                rfkill_data->reg_enabled = 1;
+        }
+        rfkill_data->vcc = vcc;
+        rfkill_data->rf_kill = rf_kill;
+        ret = rfkill_register(rf_kill);
+        if (ret) {
+                dev_err(&pdev->dev, "Cannot register rfkill device\n");
+                goto err_rfkill_register;
+        }
+        platform_set_drvdata(pdev, rfkill_data);
+        dev_info(&pdev->dev, "%s initialized\n", pdata->name);
+        return 0;
+err_rfkill_register:
+        rfkill_destroy(rf_kill);
+err_rfkill_alloc:
+        kfree(rfkill_data);
+err_data_alloc:
+        regulator_put(vcc);
+out:
+        return ret;
+}
+static int __devexit rfkill_regulator_remove(struct platform_device *pdev)
+{
+        struct rfkill_regulator_data *rfkill_data = platform_get_drvdata(pdev);
+        struct rfkill *rf_kill = rfkill_data->rf_kill;
+        rfkill_unregister(rf_kill);
+        rfkill_destroy(rf_kill);
+        regulator_put(rfkill_data->vcc);
+        kfree(rfkill_data);
+        return 0;
+}
+static struct platform_driver rfkill_regulator_driver = {
+        .probe = rfkill_regulator_probe,
+        .remove = __devexit_p(rfkill_regulator_remove),
+        .driver = {
+                .name = "rfkill-regulator",
+                .owner = THIS_MODULE,
+        },
+};
+static int __init rfkill_regulator_init(void)
+{
+        return platform_driver_register(&rfkill_regulator_driver);
+}
+module_init(rfkill_regulator_init);
+static void __exit rfkill_regulator_exit(void)
+{
+        platform_driver_unregister(&rfkill_regulator_driver);
+}
+module_exit(rfkill_regulator_exit);
+MODULE_AUTHOR("Guiming Zhuo <gmzhuo@gmail.com>");
+MODULE_AUTHOR("Antonio Ospite <ospite@studenti.unina.it>");
+MODULE_DESCRIPTION("Regulator consumer driver for rfkill");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:rfkill-regulator");
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index a80aef6e3d1f..f9ea925ad9cb 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -682,10 +682,8 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
                return -EINVAL;
-        if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
+        if ((dev = rose_dev_get(&addr->srose_addr)) == NULL)
-                SOCK_DEBUG(sk, "ROSE: bind failed: invalid address\n");
                return -EADDRNOTAVAIL;
-        }
        source = &addr->srose_call;
@@ -716,7 +714,7 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        rose_insert_socket(sk);
        sock_reset_flag(sk, SOCK_ZAPPED);
-        SOCK_DEBUG(sk, "ROSE: socket is bound\n");
        return 0;
 }
@@ -1109,10 +1107,7 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
                        srose.srose_digis[n] = rose->dest_digis[n];
        }
-        SOCK_DEBUG(sk, "ROSE: sendto: Addresses built.\n");
        /* Build a packet */
-        SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
        /* Sanity check the packet size */
        if (len > 65535)
                return -EMSGSIZE;
@@ -1127,7 +1122,6 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
        /*
         *      Put the data on the end
         */
-        SOCK_DEBUG(sk, "ROSE: Appending user data\n");
        skb_reset_transport_header(skb);
        skb_put(skb, len);
@@ -1152,8 +1146,6 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
         */
        asmptr = skb_push(skb, ROSE_MIN_LEN);
-        SOCK_DEBUG(sk, "ROSE: Building Network Header.\n");
        /* Build a ROSE Network header */
        asmptr[0] = ((rose->lci >> 8) & 0x0F) | ROSE_GFI;
        asmptr[1] = (rose->lci >> 0) & 0xFF;
@@ -1162,10 +1154,6 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
        if (qbit)
                asmptr[0] |= ROSE_Q_BIT;
-        SOCK_DEBUG(sk, "ROSE: Built header.\n");
-        SOCK_DEBUG(sk, "ROSE: Transmitting buffer\n");
        if (sk->sk_state != TCP_ESTABLISHED) {
                kfree_skb(skb);
                return -ENOTCONN;
diff --git a/net/rxrpc/ar-ack.c b/net/rxrpc/ar-ack.c
index b6ffe4e1b84a..f99cfce7ca97 100644
--- a/net/rxrpc/ar-ack.c
+++ b/net/rxrpc/ar-ack.c
@@ -375,7 +375,6 @@ protocol_error:
 */
 static void rxrpc_rotate_tx_window(struct rxrpc_call *call, u32 hard)
 {
-        struct rxrpc_skb_priv *sp;
        unsigned long _skb;
        int tail = call->acks_tail, old_tail;
        int win = CIRC_CNT(call->acks_head, tail, call->acks_winsz);
@@ -387,7 +386,6 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, u32 hard)
        while (call->acks_hard < hard) {
                smp_read_barrier_depends();
                _skb = call->acks_window[tail] & ~1;
-                sp = rxrpc_skb((struct sk_buff *) _skb);
                rxrpc_free_skb((struct sk_buff *) _skb);
                old_tail = tail;
                tail = (tail + 1) & (call->acks_winsz - 1);
diff --git a/net/rxrpc/ar-connevent.c b/net/rxrpc/ar-connevent.c
index 0505cdc4d6d4..e7ed43a54c41 100644
--- a/net/rxrpc/ar-connevent.c
+++ b/net/rxrpc/ar-connevent.c
@@ -259,7 +259,6 @@ void rxrpc_process_connection(struct work_struct *work)
 {
        struct rxrpc_connection *conn =
                container_of(work, struct rxrpc_connection, processor);
-        struct rxrpc_skb_priv *sp;
        struct sk_buff *skb;
        u32 abort_code = RX_PROTOCOL_ERROR;
        int ret;
@@ -276,8 +275,6 @@ void rxrpc_process_connection(struct work_struct *work)
        /* go through the conn-level event packets, releasing the ref on this
         * connection that each one has when we've finished with it */
        while ((skb = skb_dequeue(&conn->rx_queue))) {
-                sp = rxrpc_skb(skb);
                ret = rxrpc_process_event(conn, skb, &abort_code);
                switch (ret) {
                case -EPROTO:
diff --git a/net/rxrpc/ar-error.c b/net/rxrpc/ar-error.c
index d4d1ae26d293..5d6b572a6704 100644
--- a/net/rxrpc/ar-error.c
+++ b/net/rxrpc/ar-error.c
@@ -139,7 +139,7 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        struct rxrpc_transport *trans =
                container_of(work, struct rxrpc_transport, error_handler);
        struct sk_buff *skb;
-        int local, err;
+        int err;
        _enter("");
@@ -157,7 +157,6 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        switch (ee->ee_origin) {
        case SO_EE_ORIGIN_ICMP:
-                local = 0;
                switch (ee->ee_type) {
                case ICMP_DEST_UNREACH:
                        switch (ee->ee_code) {
@@ -207,7 +206,6 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        case SO_EE_ORIGIN_LOCAL:
                _proto("Rx Received local error { error=%d }",
                       ee->ee_errno);
-                local = 1;
                break;
        case SO_EE_ORIGIN_NONE:
@@ -215,7 +213,6 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        default:
                _proto("Rx Received error report { orig=%u }",
                       ee->ee_origin);
-                local = 0;
                break;
        }
diff --git a/net/rxrpc/ar-peer.c b/net/rxrpc/ar-peer.c
index 55b93dc60d0c..2754f098d436 100644
--- a/net/rxrpc/ar-peer.c
+++ b/net/rxrpc/ar-peer.c
@@ -36,10 +36,11 @@ static void rxrpc_destroy_peer(struct work_struct *work);
 static void rxrpc_assess_MTU_size(struct rxrpc_peer *peer)
 {
        struct rtable *rt;
+        struct flowi4 fl4;
        peer->if_mtu = 1500;
-        rt = ip_route_output_ports(&init_net, NULL,
+        rt = ip_route_output_ports(&init_net, &fl4, NULL,
                                   peer->srx.transport.sin.sin_addr.s_addr, 0,
                                   htons(7000), htons(7001),
                                   IPPROTO_UDP, 0, 0);
@@ -156,6 +157,7 @@ struct rxrpc_peer *rxrpc_get_peer(struct sockaddr_rxrpc *srx, gfp_t gfp)
        /* we can now add the new candidate to the list */
        peer = candidate;
        candidate = NULL;
+        usage = atomic_read(&peer->usage);
        list_add_tail(&peer->link, &rxrpc_peers);
        write_unlock_bh(&rxrpc_peer_lock);
@@ -170,7 +172,7 @@ success:
             &peer->srx.transport.sin.sin_addr,
             ntohs(peer->srx.transport.sin.sin_port));
-        _leave(" = %p {u=%d}", peer, atomic_read(&peer->usage));
+        _leave(" = %p {u=%d}", peer, usage);
        return peer;
        /* we found the peer in the list immediately */
diff --git a/net/rxrpc/ar-transport.c b/net/rxrpc/ar-transport.c
index 5e0226fe587e..92df566930b9 100644
--- a/net/rxrpc/ar-transport.c
+++ b/net/rxrpc/ar-transport.c
@@ -111,6 +111,7 @@ struct rxrpc_transport *rxrpc_get_transport(struct rxrpc_local *local,
        /* we can now add the new candidate to the list */
        trans = candidate;
        candidate = NULL;
+        usage = atomic_read(&trans->usage);
        rxrpc_get_local(trans->local);
        atomic_inc(&trans->peer->usage);
@@ -125,7 +126,7 @@ success:
             trans->local->debug_id,
             trans->peer->debug_id);
-        _leave(" = %p {u=%d}", trans, atomic_read(&trans->usage));
+        _leave(" = %p {u=%d}", trans, usage);
        return trans;
        /* we found the transport in the list immediately */
diff --git a/net/sched/Kconfig b/net/sched/Kconfig
index a7a5583d4f68..2590e91b3289 100644
--- a/net/sched/Kconfig
+++ b/net/sched/Kconfig
@@ -239,6 +239,17 @@ config NET_SCH_CHOKE
          To compile this code as a module, choose M here: the
          module will be called sch_choke.
+config NET_SCH_QFQ
+        tristate "Quick Fair Queueing scheduler (QFQ)"
+        help
+          Say Y here if you want to use the Quick Fair Queueing Scheduler (QFQ)
+          packet scheduling algorithm.
+          To compile this driver as a module, choose M here: the module
+          will be called sch_qfq.
+          If unsure, say N.
 config NET_SCH_INGRESS
        tristate "Ingress Qdisc"
        depends on NET_CLS_ACT
@@ -277,6 +288,7 @@ config NET_CLS_TCINDEX
 config NET_CLS_ROUTE4
        tristate "Routing decision (ROUTE)"
+        depends on INET
        select IP_ROUTE_CLASSID
        select NET_CLS
        ---help---
diff --git a/net/sched/Makefile b/net/sched/Makefile
index 2e77b8dba22e..dc5889c0a15a 100644
--- a/net/sched/Makefile
+++ b/net/sched/Makefile
@@ -35,6 +35,7 @@ obj-$(CONFIG_NET_SCH_NETEM)	+= sch_netem.o
 obj-$(CONFIG_NET_SCH_DRR)       += sch_drr.o
 obj-$(CONFIG_NET_SCH_MQPRIO)    += sch_mqprio.o
 obj-$(CONFIG_NET_SCH_CHOKE)     += sch_choke.o
+obj-$(CONFIG_NET_SCH_QFQ)       += sch_qfq.o
 obj-$(CONFIG_NET_CLS_U32)       += cls_u32.o
 obj-$(CONFIG_NET_CLS_ROUTE4)    += cls_route.o
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 14b42f4ad791..a606025814a1 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -26,11 +26,6 @@
 #include <net/act_api.h>
 #include <net/netlink.h>
-static void tcf_common_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct tcf_common, tcfc_rcu));
-}
 void tcf_hash_destroy(struct tcf_common *p, struct tcf_hashinfo *hinfo)
 {
        unsigned int h = tcf_hash(p->tcfc_index, hinfo->hmask);
@@ -47,7 +42,7 @@ void tcf_hash_destroy(struct tcf_common *p, struct tcf_hashinfo *hinfo)
                         * gen_estimator est_timer() might access p->tcfc_lock
                         * or bstats, wait a RCU grace period before freeing p
                         */
-                        call_rcu(&p->tcfc_rcu, tcf_common_free_rcu);
+                        kfree_rcu(p, tcfc_rcu);
                        return;
                }
        }
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 8a1630774fd6..b3b9b32f4e00 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -96,11 +96,6 @@ nla_put_failure:
        goto done;
 }
-static void tcf_police_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct tcf_police, tcf_rcu));
-}
 static void tcf_police_destroy(struct tcf_police *p)
 {
        unsigned int h = tcf_hash(p->tcf_index, POL_TAB_MASK);
@@ -121,7 +116,7 @@ static void tcf_police_destroy(struct tcf_police *p)
                         * gen_estimator est_timer() might access p->tcf_lock
                         * or bstats, wait a RCU grace period before freeing p
                         */
-                        call_rcu(&p->tcf_rcu, tcf_police_free_rcu);
+                        kfree_rcu(p, tcf_rcu);
                        return;
                }
        }
@@ -401,7 +396,6 @@ static void __exit
 police_cleanup_module(void)
 {
        tcf_unregister_action(&act_police_ops);
-        rcu_barrier(); /* Wait for completion of call_rcu()'s (tcf_police_free_rcu) */
 }
 module_init(police_init_module);
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 7490f3f2db8b..6b8627661c98 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1673,10 +1673,8 @@ int tc_classify(struct sk_buff *skb, struct tcf_proto *tp,
 {
        int err = 0;
 #ifdef CONFIG_NET_CLS_ACT
-        __be16 protocol;
        struct tcf_proto *otp = tp;
 reclassify:
-        protocol = skb->protocol;
 #endif
        err = tc_classify_compat(skb, tp, res);
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index c84b65920d1b..b4c680900d7a 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -251,9 +251,8 @@ static void dev_watchdog(unsigned long arg)
                        }
                        if (some_queue_timedout) {
-                                char drivername[64];
                                WARN_ONCE(1, KERN_INFO "NETDEV WATCHDOG: %s (%s): transmit queue %u timed out\n",
-                                       dev->name, netdev_drivername(dev, drivername, 64), i);
+                                       dev->name, netdev_drivername(dev), i);
                                dev->netdev_ops->ndo_tx_timeout(dev);
                        }
                        if (!mod_timer(&dev->watchdog_timer,
@@ -815,9 +814,17 @@ static bool some_qdisc_is_busy(struct net_device *dev)
        return false;
 }
+/**
+ *      dev_deactivate_many - deactivate transmissions on several devices
+ *      @head: list of devices to deactivate
+ *
+ *      This function returns only when all outstanding transmissions
+ *      have completed, unless all devices are in dismantle phase.
+ */
 void dev_deactivate_many(struct list_head *head)
 {
        struct net_device *dev;
+        bool sync_needed = false;
        list_for_each_entry(dev, head, unreg_list) {
                netdev_for_each_tx_queue(dev, dev_deactivate_queue,
@@ -827,10 +834,15 @@ void dev_deactivate_many(struct list_head *head)
                                             &noop_qdisc);
                dev_watchdog_down(dev);
+                sync_needed |= !dev->dismantle;
        }
-        /* Wait for outstanding qdisc-less dev_queue_xmit calls. */
+        /* Wait for outstanding qdisc-less dev_queue_xmit calls.
-        synchronize_rcu();
+         * This is avoided if all devices are in dismantle phase :
+         * Caller will call synchronize_net() for us
+         */
+        if (sync_needed)
+                synchronize_net();
        /* Wait for outstanding qdisc_run calls. */
        list_for_each_entry(dev, head, unreg_list)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
new file mode 100644
index 000000000000..103343408593
--- /dev/null
+++ b/net/sched/sch_qfq.c
@@ -0,0 +1,1137 @@
+/*
+ * net/sched/sch_qfq.c         Quick Fair Queueing Scheduler.
+ *
+ * Copyright (c) 2009 Fabio Checconi, Luigi Rizzo, and Paolo Valente.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/bitops.h>
+#include <linux/errno.h>
+#include <linux/netdevice.h>
+#include <linux/pkt_sched.h>
+#include <net/sch_generic.h>
+#include <net/pkt_sched.h>
+#include <net/pkt_cls.h>
+/*  Quick Fair Queueing
+    ===================
+    Sources:
+    Fabio Checconi, Luigi Rizzo, and Paolo Valente: "QFQ: Efficient
+    Packet Scheduling with Tight Bandwidth Distribution Guarantees."
+    See also:
+    http://retis.sssup.it/~fabio/linux/qfq/
+ */
+/*
+  Virtual time computations.
+  S, F and V are all computed in fixed point arithmetic with
+  FRAC_BITS decimal bits.
+  QFQ_MAX_INDEX is the maximum index allowed for a group. We need
+        one bit per index.
+  QFQ_MAX_WSHIFT is the maximum power of two supported as a weight.
+  The layout of the bits is as below:
+                   [ MTU_SHIFT ][      FRAC_BITS    ]
+                   [ MAX_INDEX    ][ MIN_SLOT_SHIFT ]
+                                 ^.__grp->index = 0
+                                 *.__grp->slot_shift
+  where MIN_SLOT_SHIFT is derived by difference from the others.
+  The max group index corresponds to Lmax/w_min, where
+  Lmax=1<<MTU_SHIFT, w_min = 1 .
+  From this, and knowing how many groups (MAX_INDEX) we want,
+  we can derive the shift corresponding to each group.
+  Because we often need to compute
+        F = S + len/w_i  and V = V + len/wsum
+  instead of storing w_i store the value
+        inv_w = (1<<FRAC_BITS)/w_i
+  so we can do F = S + len * inv_w * wsum.
+  We use W_TOT in the formulas so we can easily move between
+  static and adaptive weight sum.
+  The per-scheduler-instance data contain all the data structures
+  for the scheduler: bitmaps and bucket lists.
+ */
+/*
+ * Maximum number of consecutive slots occupied by backlogged classes
+ * inside a group.
+ */
+#define QFQ_MAX_SLOTS   32
+/*
+ * Shifts used for class<->group mapping.  We allow class weights that are
+ * in the range [1, 2^MAX_WSHIFT], and we try to map each class i to the
+ * group with the smallest index that can support the L_i / r_i configured
+ * for the class.
+ *
+ * grp->index is the index of the group; and grp->slot_shift
+ * is the shift for the corresponding (scaled) sigma_i.
+ */
+#define QFQ_MAX_INDEX           19
+#define QFQ_MAX_WSHIFT          16
+#define QFQ_MAX_WEIGHT          (1<<QFQ_MAX_WSHIFT)
+#define QFQ_MAX_WSUM            (2*QFQ_MAX_WEIGHT)
+#define FRAC_BITS               30      /* fixed point arithmetic */
+#define ONE_FP                  (1UL << FRAC_BITS)
+#define IWSUM                   (ONE_FP/QFQ_MAX_WSUM)
+#define QFQ_MTU_SHIFT           11
+#define QFQ_MIN_SLOT_SHIFT      (FRAC_BITS + QFQ_MTU_SHIFT - QFQ_MAX_INDEX)
+/*
+ * Possible group states.  These values are used as indexes for the bitmaps
+ * array of struct qfq_queue.
+ */
+enum qfq_state { ER, IR, EB, IB, QFQ_MAX_STATE };
+struct qfq_group;
+struct qfq_class {
+        struct Qdisc_class_common common;
+        unsigned int refcnt;
+        unsigned int filter_cnt;
+        struct gnet_stats_basic_packed bstats;
+        struct gnet_stats_queue qstats;
+        struct gnet_stats_rate_est rate_est;
+        struct Qdisc *qdisc;
+        struct hlist_node next; /* Link for the slot list. */
+        u64 S, F;               /* flow timestamps (exact) */
+        /* group we belong to. In principle we would need the index,
+         * which is log_2(lmax/weight), but we never reference it
+         * directly, only the group.
+         */
+        struct qfq_group *grp;
+        /* these are copied from the flowset. */
+        u32     inv_w;          /* ONE_FP/weight */
+        u32     lmax;           /* Max packet size for this flow. */
+};
+struct qfq_group {
+        u64 S, F;                       /* group timestamps (approx). */
+        unsigned int slot_shift;        /* Slot shift. */
+        unsigned int index;             /* Group index. */
+        unsigned int front;             /* Index of the front slot. */
+        unsigned long full_slots;       /* non-empty slots */
+        /* Array of RR lists of active classes. */
+        struct hlist_head slots[QFQ_MAX_SLOTS];
+};
+struct qfq_sched {
+        struct tcf_proto *filter_list;
+        struct Qdisc_class_hash clhash;
+        u64             V;              /* Precise virtual time. */
+        u32             wsum;           /* weight sum */
+        unsigned long bitmaps[QFQ_MAX_STATE];       /* Group bitmaps. */
+        struct qfq_group groups[QFQ_MAX_INDEX + 1]; /* The groups. */
+};
+static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct Qdisc_class_common *clc;
+        clc = qdisc_class_find(&q->clhash, classid);
+        if (clc == NULL)
+                return NULL;
+        return container_of(clc, struct qfq_class, common);
+}
+static void qfq_purge_queue(struct qfq_class *cl)
+{
+        unsigned int len = cl->qdisc->q.qlen;
+        qdisc_reset(cl->qdisc);
+        qdisc_tree_decrease_qlen(cl->qdisc, len);
+}
+static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = {
+        [TCA_QFQ_WEIGHT] = { .type = NLA_U32 },
+        [TCA_QFQ_LMAX] = { .type = NLA_U32 },
+};
+/*
+ * Calculate a flow index, given its weight and maximum packet length.
+ * index = log_2(maxlen/weight) but we need to apply the scaling.
+ * This is used only once at flow creation.
+ */
+static int qfq_calc_index(u32 inv_w, unsigned int maxlen)
+{
+        u64 slot_size = (u64)maxlen * inv_w;
+        unsigned long size_map;
+        int index = 0;
+        size_map = slot_size >> QFQ_MIN_SLOT_SHIFT;
+        if (!size_map)
+                goto out;
+        index = __fls(size_map) + 1;    /* basically a log_2 */
+        index -= !(slot_size - (1ULL << (index + QFQ_MIN_SLOT_SHIFT - 1)));
+        if (index < 0)
+                index = 0;
+out:
+        pr_debug("qfq calc_index: W = %lu, L = %u, I = %d\n",
+                 (unsigned long) ONE_FP/inv_w, maxlen, index);
+        return index;
+}
+static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+                            struct nlattr **tca, unsigned long *arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl = (struct qfq_class *)*arg;
+        struct nlattr *tb[TCA_QFQ_MAX + 1];
+        u32 weight, lmax, inv_w;
+        int i, err;
+        if (tca[TCA_OPTIONS] == NULL) {
+                pr_notice("qfq: no options\n");
+                return -EINVAL;
+        }
+        err = nla_parse_nested(tb, TCA_QFQ_MAX, tca[TCA_OPTIONS], qfq_policy);
+        if (err < 0)
+                return err;
+        if (tb[TCA_QFQ_WEIGHT]) {
+                weight = nla_get_u32(tb[TCA_QFQ_WEIGHT]);
+                if (!weight || weight > (1UL << QFQ_MAX_WSHIFT)) {
+                        pr_notice("qfq: invalid weight %u\n", weight);
+                        return -EINVAL;
+                }
+        } else
+                weight = 1;
+        inv_w = ONE_FP / weight;
+        weight = ONE_FP / inv_w;
+        if (q->wsum + weight > QFQ_MAX_WSUM) {
+                pr_notice("qfq: total weight out of range (%u + %u)\n",
+                          weight, q->wsum);
+                return -EINVAL;
+        }
+        if (tb[TCA_QFQ_LMAX]) {
+                lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
+                if (!lmax || lmax > (1UL << QFQ_MTU_SHIFT)) {
+                        pr_notice("qfq: invalid max length %u\n", lmax);
+                        return -EINVAL;
+                }
+        } else
+                lmax = 1UL << QFQ_MTU_SHIFT;
+        if (cl != NULL) {
+                if (tca[TCA_RATE]) {
+                        err = gen_replace_estimator(&cl->bstats, &cl->rate_est,
+                                                    qdisc_root_sleeping_lock(sch),
+                                                    tca[TCA_RATE]);
+                        if (err)
+                                return err;
+                }
+                sch_tree_lock(sch);
+                if (tb[TCA_QFQ_WEIGHT]) {
+                        q->wsum = weight - ONE_FP / cl->inv_w;
+                        cl->inv_w = inv_w;
+                }
+                sch_tree_unlock(sch);
+                return 0;
+        }
+        cl = kzalloc(sizeof(struct qfq_class), GFP_KERNEL);
+        if (cl == NULL)
+                return -ENOBUFS;
+        cl->refcnt = 1;
+        cl->common.classid = classid;
+        cl->lmax = lmax;
+        cl->inv_w = inv_w;
+        i = qfq_calc_index(cl->inv_w, cl->lmax);
+        cl->grp = &q->groups[i];
+        q->wsum += weight;
+        cl->qdisc = qdisc_create_dflt(sch->dev_queue,
+                                      &pfifo_qdisc_ops, classid);
+        if (cl->qdisc == NULL)
+                cl->qdisc = &noop_qdisc;
+        if (tca[TCA_RATE]) {
+                err = gen_new_estimator(&cl->bstats, &cl->rate_est,
+                                        qdisc_root_sleeping_lock(sch),
+                                        tca[TCA_RATE]);
+                if (err) {
+                        qdisc_destroy(cl->qdisc);
+                        kfree(cl);
+                        return err;
+                }
+        }
+        sch_tree_lock(sch);
+        qdisc_class_hash_insert(&q->clhash, &cl->common);
+        sch_tree_unlock(sch);
+        qdisc_class_hash_grow(sch, &q->clhash);
+        *arg = (unsigned long)cl;
+        return 0;
+}
+static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        if (cl->inv_w) {
+                q->wsum -= ONE_FP / cl->inv_w;
+                cl->inv_w = 0;
+        }
+        gen_kill_estimator(&cl->bstats, &cl->rate_est);
+        qdisc_destroy(cl->qdisc);
+        kfree(cl);
+}
+static int qfq_delete_class(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (cl->filter_cnt > 0)
+                return -EBUSY;
+        sch_tree_lock(sch);
+        qfq_purge_queue(cl);
+        qdisc_class_hash_remove(&q->clhash, &cl->common);
+        BUG_ON(--cl->refcnt == 0);
+        /*
+         * This shouldn't happen: we "hold" one cops->get() when called
+         * from tc_ctl_tclass; the destroy method is done from cops->put().
+         */
+        sch_tree_unlock(sch);
+        return 0;
+}
+static unsigned long qfq_get_class(struct Qdisc *sch, u32 classid)
+{
+        struct qfq_class *cl = qfq_find_class(sch, classid);
+        if (cl != NULL)
+                cl->refcnt++;
+        return (unsigned long)cl;
+}
+static void qfq_put_class(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (--cl->refcnt == 0)
+                qfq_destroy_class(sch, cl);
+}
+static struct tcf_proto **qfq_tcf_chain(struct Qdisc *sch, unsigned long cl)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        if (cl)
+                return NULL;
+        return &q->filter_list;
+}
+static unsigned long qfq_bind_tcf(struct Qdisc *sch, unsigned long parent,
+                                  u32 classid)
+{
+        struct qfq_class *cl = qfq_find_class(sch, classid);
+        if (cl != NULL)
+                cl->filter_cnt++;
+        return (unsigned long)cl;
+}
+static void qfq_unbind_tcf(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        cl->filter_cnt--;
+}
+static int qfq_graft_class(struct Qdisc *sch, unsigned long arg,
+                           struct Qdisc *new, struct Qdisc **old)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (new == NULL) {
+                new = qdisc_create_dflt(sch->dev_queue,
+                                        &pfifo_qdisc_ops, cl->common.classid);
+                if (new == NULL)
+                        new = &noop_qdisc;
+        }
+        sch_tree_lock(sch);
+        qfq_purge_queue(cl);
+        *old = cl->qdisc;
+        cl->qdisc = new;
+        sch_tree_unlock(sch);
+        return 0;
+}
+static struct Qdisc *qfq_class_leaf(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        return cl->qdisc;
+}
+static int qfq_dump_class(struct Qdisc *sch, unsigned long arg,
+                          struct sk_buff *skb, struct tcmsg *tcm)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        struct nlattr *nest;
+        tcm->tcm_parent = TC_H_ROOT;
+        tcm->tcm_handle = cl->common.classid;
+        tcm->tcm_info   = cl->qdisc->handle;
+        nest = nla_nest_start(skb, TCA_OPTIONS);
+        if (nest == NULL)
+                goto nla_put_failure;
+        NLA_PUT_U32(skb, TCA_QFQ_WEIGHT, ONE_FP/cl->inv_w);
+        NLA_PUT_U32(skb, TCA_QFQ_LMAX, cl->lmax);
+        return nla_nest_end(skb, nest);
+nla_put_failure:
+        nla_nest_cancel(skb, nest);
+        return -EMSGSIZE;
+}
+static int qfq_dump_class_stats(struct Qdisc *sch, unsigned long arg,
+                                struct gnet_dump *d)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        struct tc_qfq_stats xstats;
+        memset(&xstats, 0, sizeof(xstats));
+        cl->qdisc->qstats.qlen = cl->qdisc->q.qlen;
+        xstats.weight = ONE_FP/cl->inv_w;
+        xstats.lmax = cl->lmax;
+        if (gnet_stats_copy_basic(d, &cl->bstats) < 0 ||
+            gnet_stats_copy_rate_est(d, &cl->bstats, &cl->rate_est) < 0 ||
+            gnet_stats_copy_queue(d, &cl->qdisc->qstats) < 0)
+                return -1;
+        return gnet_stats_copy_app(d, &xstats, sizeof(xstats));
+}
+static void qfq_walk(struct Qdisc *sch, struct qdisc_walker *arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl;
+        struct hlist_node *n;
+        unsigned int i;
+        if (arg->stop)
+                return;
+        for (i = 0; i < q->clhash.hashsize; i++) {
+                hlist_for_each_entry(cl, n, &q->clhash.hash[i], common.hnode) {
+                        if (arg->count < arg->skip) {
+                                arg->count++;
+                                continue;
+                        }
+                        if (arg->fn(sch, (unsigned long)cl, arg) < 0) {
+                                arg->stop = 1;
+                                return;
+                        }
+                        arg->count++;
+                }
+        }
+}
+static struct qfq_class *qfq_classify(struct sk_buff *skb, struct Qdisc *sch,
+                                      int *qerr)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl;
+        struct tcf_result res;
+        int result;
+        if (TC_H_MAJ(skb->priority ^ sch->handle) == 0) {
+                pr_debug("qfq_classify: found %d\n", skb->priority);
+                cl = qfq_find_class(sch, skb->priority);
+                if (cl != NULL)
+                        return cl;
+        }
+        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
+        result = tc_classify(skb, q->filter_list, &res);
+        if (result >= 0) {
+#ifdef CONFIG_NET_CLS_ACT
+                switch (result) {
+                case TC_ACT_QUEUED:
+                case TC_ACT_STOLEN:
+                        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
+                case TC_ACT_SHOT:
+                        return NULL;
+                }
+#endif
+                cl = (struct qfq_class *)res.class;
+                if (cl == NULL)
+                        cl = qfq_find_class(sch, res.classid);
+                return cl;
+        }
+        return NULL;
+}
+/* Generic comparison function, handling wraparound. */
+static inline int qfq_gt(u64 a, u64 b)
+{
+        return (s64)(a - b) > 0;
+}
+/* Round a precise timestamp to its slotted value. */
+static inline u64 qfq_round_down(u64 ts, unsigned int shift)
+{
+        return ts & ~((1ULL << shift) - 1);
+}
+/* return the pointer to the group with lowest index in the bitmap */
+static inline struct qfq_group *qfq_ffs(struct qfq_sched *q,
+                                        unsigned long bitmap)
+{
+        int index = __ffs(bitmap);
+        return &q->groups[index];
+}
+/* Calculate a mask to mimic what would be ffs_from(). */
+static inline unsigned long mask_from(unsigned long bitmap, int from)
+{
+        return bitmap & ~((1UL << from) - 1);
+}
+/*
+ * The state computation relies on ER=0, IR=1, EB=2, IB=3
+ * First compute eligibility comparing grp->S, q->V,
+ * then check if someone is blocking us and possibly add EB
+ */
+static int qfq_calc_state(struct qfq_sched *q, const struct qfq_group *grp)
+{
+        /* if S > V we are not eligible */
+        unsigned int state = qfq_gt(grp->S, q->V);
+        unsigned long mask = mask_from(q->bitmaps[ER], grp->index);
+        struct qfq_group *next;
+        if (mask) {
+                next = qfq_ffs(q, mask);
+                if (qfq_gt(grp->F, next->F))
+                        state |= EB;
+        }
+        return state;
+}
+/*
+ * In principle
+ *      q->bitmaps[dst] |= q->bitmaps[src] & mask;
+ *      q->bitmaps[src] &= ~mask;
+ * but we should make sure that src != dst
+ */
+static inline void qfq_move_groups(struct qfq_sched *q, unsigned long mask,
+                                   int src, int dst)
+{
+        q->bitmaps[dst] |= q->bitmaps[src] & mask;
+        q->bitmaps[src] &= ~mask;
+}
+static void qfq_unblock_groups(struct qfq_sched *q, int index, u64 old_F)
+{
+        unsigned long mask = mask_from(q->bitmaps[ER], index + 1);
+        struct qfq_group *next;
+        if (mask) {
+                next = qfq_ffs(q, mask);
+                if (!qfq_gt(next->F, old_F))
+                        return;
+        }
+        mask = (1UL << index) - 1;
+        qfq_move_groups(q, mask, EB, ER);
+        qfq_move_groups(q, mask, IB, IR);
+}
+/*
+ * perhaps
+ *
+        old_V ^= q->V;
+        old_V >>= QFQ_MIN_SLOT_SHIFT;
+        if (old_V) {
+                ...
+        }
+ *
+ */
+static void qfq_make_eligible(struct qfq_sched *q, u64 old_V)
+{
+        unsigned long vslot = q->V >> QFQ_MIN_SLOT_SHIFT;
+        unsigned long old_vslot = old_V >> QFQ_MIN_SLOT_SHIFT;
+        if (vslot != old_vslot) {
+                unsigned long mask = (1UL << fls(vslot ^ old_vslot)) - 1;
+                qfq_move_groups(q, mask, IR, ER);
+                qfq_move_groups(q, mask, IB, EB);
+        }
+}
+/*
+ * XXX we should make sure that slot becomes less than 32.
+ * This is guaranteed by the input values.
+ * roundedS is always cl->S rounded on grp->slot_shift bits.
+ */
+static void qfq_slot_insert(struct qfq_group *grp, struct qfq_class *cl,
+                            u64 roundedS)
+{
+        u64 slot = (roundedS - grp->S) >> grp->slot_shift;
+        unsigned int i = (grp->front + slot) % QFQ_MAX_SLOTS;
+        hlist_add_head(&cl->next, &grp->slots[i]);
+        __set_bit(slot, &grp->full_slots);
+}
+/* Maybe introduce hlist_first_entry?? */
+static struct qfq_class *qfq_slot_head(struct qfq_group *grp)
+{
+        return hlist_entry(grp->slots[grp->front].first,
+                           struct qfq_class, next);
+}
+/*
+ * remove the entry from the slot
+ */
+static void qfq_front_slot_remove(struct qfq_group *grp)
+{
+        struct qfq_class *cl = qfq_slot_head(grp);
+        BUG_ON(!cl);
+        hlist_del(&cl->next);
+        if (hlist_empty(&grp->slots[grp->front]))
+                __clear_bit(0, &grp->full_slots);
+}
+/*
+ * Returns the first full queue in a group. As a side effect,
+ * adjust the bucket list so the first non-empty bucket is at
+ * position 0 in full_slots.
+ */
+static struct qfq_class *qfq_slot_scan(struct qfq_group *grp)
+{
+        unsigned int i;
+        pr_debug("qfq slot_scan: grp %u full %#lx\n",
+                 grp->index, grp->full_slots);
+        if (grp->full_slots == 0)
+                return NULL;
+        i = __ffs(grp->full_slots);  /* zero based */
+        if (i > 0) {
+                grp->front = (grp->front + i) % QFQ_MAX_SLOTS;
+                grp->full_slots >>= i;
+        }
+        return qfq_slot_head(grp);
+}
+/*
+ * adjust the bucket list. When the start time of a group decreases,
+ * we move the index down (modulo QFQ_MAX_SLOTS) so we don't need to
+ * move the objects. The mask of occupied slots must be shifted
+ * because we use ffs() to find the first non-empty slot.
+ * This covers decreases in the group's start time, but what about
+ * increases of the start time ?
+ * Here too we should make sure that i is less than 32
+ */
+static void qfq_slot_rotate(struct qfq_group *grp, u64 roundedS)
+{
+        unsigned int i = (grp->S - roundedS) >> grp->slot_shift;
+        grp->full_slots <<= i;
+        grp->front = (grp->front - i) % QFQ_MAX_SLOTS;
+}
+static void qfq_update_eligible(struct qfq_sched *q, u64 old_V)
+{
+        struct qfq_group *grp;
+        unsigned long ineligible;
+        ineligible = q->bitmaps[IR] | q->bitmaps[IB];
+        if (ineligible) {
+                if (!q->bitmaps[ER]) {
+                        grp = qfq_ffs(q, ineligible);
+                        if (qfq_gt(grp->S, q->V))
+                                q->V = grp->S;
+                }
+                qfq_make_eligible(q, old_V);
+        }
+}
+/* What is length of next packet in queue (0 if queue is empty) */
+static unsigned int qdisc_peek_len(struct Qdisc *sch)
+{
+        struct sk_buff *skb;
+        skb = sch->ops->peek(sch);
+        return skb ? qdisc_pkt_len(skb) : 0;
+}
+/*
+ * Updates the class, returns true if also the group needs to be updated.
+ */
+static bool qfq_update_class(struct qfq_group *grp, struct qfq_class *cl)
+{
+        unsigned int len = qdisc_peek_len(cl->qdisc);
+        cl->S = cl->F;
+        if (!len)
+                qfq_front_slot_remove(grp);     /* queue is empty */
+        else {
+                u64 roundedS;
+                cl->F = cl->S + (u64)len * cl->inv_w;
+                roundedS = qfq_round_down(cl->S, grp->slot_shift);
+                if (roundedS == grp->S)
+                        return false;
+                qfq_front_slot_remove(grp);
+                qfq_slot_insert(grp, cl, roundedS);
+        }
+        return true;
+}
+static struct sk_buff *qfq_dequeue(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        struct qfq_class *cl;
+        struct sk_buff *skb;
+        unsigned int len;
+        u64 old_V;
+        if (!q->bitmaps[ER])
+                return NULL;
+        grp = qfq_ffs(q, q->bitmaps[ER]);
+        cl = qfq_slot_head(grp);
+        skb = qdisc_dequeue_peeked(cl->qdisc);
+        if (!skb) {
+                WARN_ONCE(1, "qfq_dequeue: non-workconserving leaf\n");
+                return NULL;
+        }
+        sch->q.qlen--;
+        qdisc_bstats_update(sch, skb);
+        old_V = q->V;
+        len = qdisc_pkt_len(skb);
+        q->V += (u64)len * IWSUM;
+        pr_debug("qfq dequeue: len %u F %lld now %lld\n",
+                 len, (unsigned long long) cl->F, (unsigned long long) q->V);
+        if (qfq_update_class(grp, cl)) {
+                u64 old_F = grp->F;
+                cl = qfq_slot_scan(grp);
+                if (!cl)
+                        __clear_bit(grp->index, &q->bitmaps[ER]);
+                else {
+                        u64 roundedS = qfq_round_down(cl->S, grp->slot_shift);
+                        unsigned int s;
+                        if (grp->S == roundedS)
+                                goto skip_unblock;
+                        grp->S = roundedS;
+                        grp->F = roundedS + (2ULL << grp->slot_shift);
+                        __clear_bit(grp->index, &q->bitmaps[ER]);
+                        s = qfq_calc_state(q, grp);
+                        __set_bit(grp->index, &q->bitmaps[s]);
+                }
+                qfq_unblock_groups(q, grp->index, old_F);
+        }
+skip_unblock:
+        qfq_update_eligible(q, old_V);
+        return skb;
+}
+/*
+ * Assign a reasonable start time for a new flow k in group i.
+ * Admissible values for \hat(F) are multiples of \sigma_i
+ * no greater than V+\sigma_i . Larger values mean that
+ * we had a wraparound so we consider the timestamp to be stale.
+ *
+ * If F is not stale and F >= V then we set S = F.
+ * Otherwise we should assign S = V, but this may violate
+ * the ordering in ER. So, if we have groups in ER, set S to
+ * the F_j of the first group j which would be blocking us.
+ * We are guaranteed not to move S backward because
+ * otherwise our group i would still be blocked.
+ */
+static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl)
+{
+        unsigned long mask;
+        uint32_t limit, roundedF;
+        int slot_shift = cl->grp->slot_shift;
+        roundedF = qfq_round_down(cl->F, slot_shift);
+        limit = qfq_round_down(q->V, slot_shift) + (1UL << slot_shift);
+        if (!qfq_gt(cl->F, q->V) || qfq_gt(roundedF, limit)) {
+                /* timestamp was stale */
+                mask = mask_from(q->bitmaps[ER], cl->grp->index);
+                if (mask) {
+                        struct qfq_group *next = qfq_ffs(q, mask);
+                        if (qfq_gt(roundedF, next->F)) {
+                                cl->S = next->F;
+                                return;
+                        }
+                }
+                cl->S = q->V;
+        } else  /* timestamp is not stale */
+                cl->S = cl->F;
+}
+static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        struct qfq_class *cl;
+        int err;
+        u64 roundedS;
+        int s;
+        cl = qfq_classify(skb, sch, &err);
+        if (cl == NULL) {
+                if (err & __NET_XMIT_BYPASS)
+                        sch->qstats.drops++;
+                kfree_skb(skb);
+                return err;
+        }
+        pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid);
+        err = qdisc_enqueue(skb, cl->qdisc);
+        if (unlikely(err != NET_XMIT_SUCCESS)) {
+                pr_debug("qfq_enqueue: enqueue failed %d\n", err);
+                if (net_xmit_drop_count(err)) {
+                        cl->qstats.drops++;
+                        sch->qstats.drops++;
+                }
+                return err;
+        }
+        bstats_update(&cl->bstats, skb);
+        ++sch->q.qlen;
+        /* If the new skb is not the head of queue, then done here. */
+        if (cl->qdisc->q.qlen != 1)
+                return err;
+        /* If reach this point, queue q was idle */
+        grp = cl->grp;
+        qfq_update_start(q, cl);
+        /* compute new finish time and rounded start. */
+        cl->F = cl->S + (u64)qdisc_pkt_len(skb) * cl->inv_w;
+        roundedS = qfq_round_down(cl->S, grp->slot_shift);
+        /*
+         * insert cl in the correct bucket.
+         * If cl->S >= grp->S we don't need to adjust the
+         * bucket list and simply go to the insertion phase.
+         * Otherwise grp->S is decreasing, we must make room
+         * in the bucket list, and also recompute the group state.
+         * Finally, if there were no flows in this group and nobody
+         * was in ER make sure to adjust V.
+         */
+        if (grp->full_slots) {
+                if (!qfq_gt(grp->S, cl->S))
+                        goto skip_update;
+                /* create a slot for this cl->S */
+                qfq_slot_rotate(grp, roundedS);
+                /* group was surely ineligible, remove */
+                __clear_bit(grp->index, &q->bitmaps[IR]);
+                __clear_bit(grp->index, &q->bitmaps[IB]);
+        } else if (!q->bitmaps[ER] && qfq_gt(roundedS, q->V))
+                q->V = roundedS;
+        grp->S = roundedS;
+        grp->F = roundedS + (2ULL << grp->slot_shift);
+        s = qfq_calc_state(q, grp);
+        __set_bit(grp->index, &q->bitmaps[s]);
+        pr_debug("qfq enqueue: new state %d %#lx S %lld F %lld V %lld\n",
+                 s, q->bitmaps[s],
+                 (unsigned long long) cl->S,
+                 (unsigned long long) cl->F,
+                 (unsigned long long) q->V);
+skip_update:
+        qfq_slot_insert(grp, cl, roundedS);
+        return err;
+}
+static void qfq_slot_remove(struct qfq_sched *q, struct qfq_group *grp,
+                            struct qfq_class *cl)
+{
+        unsigned int i, offset;
+        u64 roundedS;
+        roundedS = qfq_round_down(cl->S, grp->slot_shift);
+        offset = (roundedS - grp->S) >> grp->slot_shift;
+        i = (grp->front + offset) % QFQ_MAX_SLOTS;
+        hlist_del(&cl->next);
+        if (hlist_empty(&grp->slots[i]))
+                __clear_bit(offset, &grp->full_slots);
+}
+/*
+ * called to forcibly destroy a queue.
+ * If the queue is not in the front bucket, or if it has
+ * other queues in the front bucket, we can simply remove
+ * the queue with no other side effects.
+ * Otherwise we must propagate the event up.
+ */
+static void qfq_deactivate_class(struct qfq_sched *q, struct qfq_class *cl)
+{
+        struct qfq_group *grp = cl->grp;
+        unsigned long mask;
+        u64 roundedS;
+        int s;
+        cl->F = cl->S;
+        qfq_slot_remove(q, grp, cl);
+        if (!grp->full_slots) {
+                __clear_bit(grp->index, &q->bitmaps[IR]);
+                __clear_bit(grp->index, &q->bitmaps[EB]);
+                __clear_bit(grp->index, &q->bitmaps[IB]);
+                if (test_bit(grp->index, &q->bitmaps[ER]) &&
+                    !(q->bitmaps[ER] & ~((1UL << grp->index) - 1))) {
+                        mask = q->bitmaps[ER] & ((1UL << grp->index) - 1);
+                        if (mask)
+                                mask = ~((1UL << __fls(mask)) - 1);
+                        else
+                                mask = ~0UL;
+                        qfq_move_groups(q, mask, EB, ER);
+                        qfq_move_groups(q, mask, IB, IR);
+                }
+                __clear_bit(grp->index, &q->bitmaps[ER]);
+        } else if (hlist_empty(&grp->slots[grp->front])) {
+                cl = qfq_slot_scan(grp);
+                roundedS = qfq_round_down(cl->S, grp->slot_shift);
+                if (grp->S != roundedS) {
+                        __clear_bit(grp->index, &q->bitmaps[ER]);
+                        __clear_bit(grp->index, &q->bitmaps[IR]);
+                        __clear_bit(grp->index, &q->bitmaps[EB]);
+                        __clear_bit(grp->index, &q->bitmaps[IB]);
+                        grp->S = roundedS;
+                        grp->F = roundedS + (2ULL << grp->slot_shift);
+                        s = qfq_calc_state(q, grp);
+                        __set_bit(grp->index, &q->bitmaps[s]);
+                }
+        }
+        qfq_update_eligible(q, q->V);
+}
+static void qfq_qlen_notify(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (cl->qdisc->q.qlen == 0)
+                qfq_deactivate_class(q, cl);
+}
+static unsigned int qfq_drop(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        unsigned int i, j, len;
+        for (i = 0; i <= QFQ_MAX_INDEX; i++) {
+                grp = &q->groups[i];
+                for (j = 0; j < QFQ_MAX_SLOTS; j++) {
+                        struct qfq_class *cl;
+                        struct hlist_node *n;
+                        hlist_for_each_entry(cl, n, &grp->slots[j], next) {
+                                if (!cl->qdisc->ops->drop)
+                                        continue;
+                                len = cl->qdisc->ops->drop(cl->qdisc);
+                                if (len > 0) {
+                                        sch->q.qlen--;
+                                        if (!cl->qdisc->q.qlen)
+                                                qfq_deactivate_class(q, cl);
+                                        return len;
+                                }
+                        }
+                }
+        }
+        return 0;
+}
+static int qfq_init_qdisc(struct Qdisc *sch, struct nlattr *opt)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        int i, j, err;
+        err = qdisc_class_hash_init(&q->clhash);
+        if (err < 0)
+                return err;
+        for (i = 0; i <= QFQ_MAX_INDEX; i++) {
+                grp = &q->groups[i];
+                grp->index = i;
+                grp->slot_shift = QFQ_MTU_SHIFT + FRAC_BITS
+                                   - (QFQ_MAX_INDEX - i);
+                for (j = 0; j < QFQ_MAX_SLOTS; j++)
+                        INIT_HLIST_HEAD(&grp->slots[j]);
+        }
+        return 0;
+}
+static void qfq_reset_qdisc(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        struct qfq_class *cl;
+        struct hlist_node *n, *tmp;
+        unsigned int i, j;
+        for (i = 0; i <= QFQ_MAX_INDEX; i++) {
+                grp = &q->groups[i];
+                for (j = 0; j < QFQ_MAX_SLOTS; j++) {
+                        hlist_for_each_entry_safe(cl, n, tmp,
+                                                  &grp->slots[j], next) {
+                                qfq_deactivate_class(q, cl);
+                        }
+                }
+        }
+        for (i = 0; i < q->clhash.hashsize; i++) {
+                hlist_for_each_entry(cl, n, &q->clhash.hash[i], common.hnode)
+                        qdisc_reset(cl->qdisc);
+        }
+        sch->q.qlen = 0;
+}
+static void qfq_destroy_qdisc(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl;
+        struct hlist_node *n, *next;
+        unsigned int i;
+        tcf_destroy_chain(&q->filter_list);
+        for (i = 0; i < q->clhash.hashsize; i++) {
+                hlist_for_each_entry_safe(cl, n, next, &q->clhash.hash[i],
+                                          common.hnode) {
+                        qfq_destroy_class(sch, cl);
+                }
+        }
+        qdisc_class_hash_destroy(&q->clhash);
+}
+static const struct Qdisc_class_ops qfq_class_ops = {
+        .change         = qfq_change_class,
+        .delete         = qfq_delete_class,
+        .get            = qfq_get_class,
+        .put            = qfq_put_class,
+        .tcf_chain      = qfq_tcf_chain,
+        .bind_tcf       = qfq_bind_tcf,
+        .unbind_tcf     = qfq_unbind_tcf,
+        .graft          = qfq_graft_class,
+        .leaf           = qfq_class_leaf,
+        .qlen_notify    = qfq_qlen_notify,
+        .dump           = qfq_dump_class,
+        .dump_stats     = qfq_dump_class_stats,
+        .walk           = qfq_walk,
+};
+static struct Qdisc_ops qfq_qdisc_ops __read_mostly = {
+        .cl_ops         = &qfq_class_ops,
+        .id             = "qfq",
+        .priv_size      = sizeof(struct qfq_sched),
+        .enqueue        = qfq_enqueue,
+        .dequeue        = qfq_dequeue,
+        .peek           = qdisc_peek_dequeued,
+        .drop           = qfq_drop,
+        .init           = qfq_init_qdisc,
+        .reset          = qfq_reset_qdisc,
+        .destroy        = qfq_destroy_qdisc,
+        .owner          = THIS_MODULE,
+};
+static int __init qfq_init(void)
+{
+        return register_qdisc(&qfq_qdisc_ops);
+}
+static void __exit qfq_exit(void)
+{
+        unregister_qdisc(&qfq_qdisc_ops);
+}
+module_init(qfq_init);
+module_exit(qfq_exit);
+MODULE_LICENSE("GPL");
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index c2e628dfaacc..b6ea6afa55b0 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -169,7 +169,7 @@ static unsigned int sfq_hash(struct sfq_sched_data *q, struct sk_buff *skb)
        }
        case htons(ETH_P_IPV6):
        {
-                struct ipv6hdr *iph;
+                const struct ipv6hdr *iph;
                int poff;
                if (!pskb_network_may_pull(skb, sizeof(*iph)))
@@ -361,7 +361,7 @@ sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
        struct sfq_sched_data *q = qdisc_priv(sch);
        unsigned int hash;
-        sfq_index x;
+        sfq_index x, qlen;
        struct sfq_slot *slot;
        int uninitialized_var(ret);
@@ -405,20 +405,12 @@ sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        if (++sch->q.qlen <= q->limit)
                return NET_XMIT_SUCCESS;
+        qlen = slot->qlen;
        sfq_drop(sch);
-        return NET_XMIT_CN;
+        /* Return Congestion Notification only if we dropped a packet
-}
+         * from this flow.
+         */
-static struct sk_buff *
+        return (qlen != slot->qlen) ? NET_XMIT_CN : NET_XMIT_SUCCESS;
-sfq_peek(struct Qdisc *sch)
-{
-        struct sfq_sched_data *q = qdisc_priv(sch);
-        /* No active slots */
-        if (q->tail == NULL)
-                return NULL;
-        return q->slots[q->tail->next].skblist_next;
 }
 static struct sk_buff *
@@ -702,7 +694,7 @@ static struct Qdisc_ops sfq_qdisc_ops __read_mostly = {
        .priv_size      =       sizeof(struct sfq_sched_data),
        .enqueue        =       sfq_enqueue,
        .dequeue        =       sfq_dequeue,
-        .peek           =       sfq_peek,
+        .peek           =       qdisc_peek_dequeued,
        .drop           =       sfq_drop,
        .init           =       sfq_init,
        .reset          =       sfq_reset,
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 1a21c571aa03..4a62888f2e43 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -64,6 +64,7 @@
 /* Forward declarations for internal functions. */
 static void sctp_assoc_bh_rcv(struct work_struct *work);
 static void sctp_assoc_free_asconf_acks(struct sctp_association *asoc);
+static void sctp_assoc_free_asconf_queue(struct sctp_association *asoc);
 /* Keep track of the new idr low so that we don't re-use association id
 * numbers too fast.  It is protected by they idr spin lock is in the
@@ -443,12 +444,7 @@ void sctp_association_free(struct sctp_association *asoc)
        asoc->peer.transport_count = 0;
-        /* Free any cached ASCONF_ACK chunk. */
+        sctp_asconf_queue_teardown(asoc);
-        sctp_assoc_free_asconf_acks(asoc);
-        /* Free any cached ASCONF chunk. */
-        if (asoc->addip_last_asconf)
-                sctp_chunk_free(asoc->addip_last_asconf);
        /* AUTH - Free the endpoint shared keys */
        sctp_auth_destroy_keys(&asoc->endpoint_shared_keys);
@@ -1578,6 +1574,18 @@ retry:
        return error;
 }
+/* Free the ASCONF queue */
+static void sctp_assoc_free_asconf_queue(struct sctp_association *asoc)
+{
+        struct sctp_chunk *asconf;
+        struct sctp_chunk *tmp;
+        list_for_each_entry_safe(asconf, tmp, &asoc->addip_chunk_list, list) {
+                list_del_init(&asconf->list);
+                sctp_chunk_free(asconf);
+        }
+}
 /* Free asconf_ack cache */
 static void sctp_assoc_free_asconf_acks(struct sctp_association *asoc)
 {
@@ -1630,3 +1638,16 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
        return NULL;
 }
+void sctp_asconf_queue_teardown(struct sctp_association *asoc)
+{
+        /* Free any cached ASCONF_ACK chunk. */
+        sctp_assoc_free_asconf_acks(asoc);
+        /* Free the ASCONF queue. */
+        sctp_assoc_free_asconf_queue(asoc);
+        /* Free any cached ASCONF chunk. */
+        if (asoc->addip_last_asconf)
+                sctp_chunk_free(asoc->addip_last_asconf);
+}
diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
index faf71d179e46..83e3011c19ca 100644
--- a/net/sctp/bind_addr.c
+++ b/net/sctp/bind_addr.c
@@ -140,14 +140,12 @@ void sctp_bind_addr_init(struct sctp_bind_addr *bp, __u16 port)
 /* Dispose of the address list. */
 static void sctp_bind_addr_clean(struct sctp_bind_addr *bp)
 {
-        struct sctp_sockaddr_entry *addr;
+        struct sctp_sockaddr_entry *addr, *temp;
-        struct list_head *pos, *temp;
        /* Empty the bind address list. */
-        list_for_each_safe(pos, temp, &bp->address_list) {
+        list_for_each_entry_safe(addr, temp, &bp->address_list, list) {
-                addr = list_entry(pos, struct sctp_sockaddr_entry, list);
+                list_del_rcu(&addr->list);
-                list_del(pos);
+                kfree_rcu(addr, rcu);
-                kfree(addr);
                SCTP_DBG_OBJCNT_DEC(addr);
        }
 }
@@ -219,7 +217,7 @@ int sctp_del_bind_addr(struct sctp_bind_addr *bp, union sctp_addr *del_addr)
        }
        if (found) {
-                call_rcu(&addr->rcu, sctp_local_addr_free);
+                kfree_rcu(addr, rcu);
                SCTP_DBG_OBJCNT_DEC(addr);
                return 0;
        }
diff --git a/net/sctp/debug.c b/net/sctp/debug.c
index bf24fa697de2..ec997cfe0a7e 100644
--- a/net/sctp/debug.c
+++ b/net/sctp/debug.c
@@ -98,7 +98,6 @@ const char *sctp_cname(const sctp_subtype_t cid)
 /* These are printable forms of the states.  */
 const char *const sctp_state_tbl[SCTP_STATE_NUM_STATES] = {
-        "STATE_EMPTY",
        "STATE_CLOSED",
        "STATE_COOKIE_WAIT",
        "STATE_COOKIE_ECHOED",
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index e10acc01c75f..c8cc24e282c3 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -325,6 +325,7 @@ static struct sctp_association *__sctp_endpoint_lookup_assoc(
        struct sctp_transport **transport)
 {
        struct sctp_association *asoc = NULL;
+        struct sctp_association *tmp;
        struct sctp_transport *t = NULL;
        struct sctp_hashbucket *head;
        struct sctp_ep_common *epb;
@@ -333,25 +334,32 @@ static struct sctp_association *__sctp_endpoint_lookup_assoc(
        int rport;
        *transport = NULL;
+        /* If the local port is not set, there can't be any associations
+         * on this endpoint.
+         */
+        if (!ep->base.bind_addr.port)
+                goto out;
        rport = ntohs(paddr->v4.sin_port);
        hash = sctp_assoc_hashfn(ep->base.bind_addr.port, rport);
        head = &sctp_assoc_hashtable[hash];
        read_lock(&head->lock);
        sctp_for_each_hentry(epb, node, &head->chain) {
-                asoc = sctp_assoc(epb);
+                tmp = sctp_assoc(epb);
-                if (asoc->ep != ep || rport != asoc->peer.port)
+                if (tmp->ep != ep || rport != tmp->peer.port)
-                        goto next;
+                        continue;
-                t = sctp_assoc_lookup_paddr(asoc, paddr);
+                t = sctp_assoc_lookup_paddr(tmp, paddr);
                if (t) {
+                        asoc = tmp;
                        *transport = t;
                        break;
                }
-next:
-                asoc = NULL;
        }
        read_unlock(&head->lock);
+out:
        return asoc;
 }
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 5436c6921167..741ed1648838 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -565,7 +565,7 @@ void sctp_err_finish(struct sock *sk, struct sctp_association *asoc)
 */
 void sctp_v4_err(struct sk_buff *skb, __u32 info)
 {
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        const int ihlen = iph->ihl * 4;
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
@@ -661,7 +661,6 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
 {
        sctp_chunkhdr_t *ch;
        __u8 *ch_end;
-        sctp_errhdr_t *err;
        ch = (sctp_chunkhdr_t *) skb->data;
@@ -697,20 +696,6 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
                if (SCTP_CID_INIT == ch->type && (void *)ch != skb->data)
                        goto discard;
-                /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
-                 * or a COOKIE ACK the SCTP Packet should be silently
-                 * discarded.
-                 */
-                if (SCTP_CID_COOKIE_ACK == ch->type)
-                        goto discard;
-                if (SCTP_CID_ERROR == ch->type) {
-                        sctp_walk_errors(err, ch) {
-                                if (SCTP_ERROR_STALE_COOKIE == err->cause)
-                                        goto discard;
-                        }
-                }
                ch = (sctp_chunkhdr_t *) ch_end;
        } while (ch_end < skb_tail_pointer(skb));
@@ -1017,7 +1002,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
        /* Skip over the ADDIP header and find the Address parameter */
        param = (union sctp_addr_param *)(asconf + 1);
-        af = sctp_get_af_specific(param_type2af(param->v4.param_hdr.type));
+        af = sctp_get_af_specific(param_type2af(param->p.type));
        if (unlikely(!af))
                return NULL;
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 865ce7ba4e14..0bb0d7cb9f10 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -80,6 +80,13 @@
 #include <asm/uaccess.h>
+static inline int sctp_v6_addr_match_len(union sctp_addr *s1,
+                                         union sctp_addr *s2);
+static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
+                              __be16 port);
+static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
+                            const union sctp_addr *addr2);
 /* Event handler for inet6 address addition/deletion events.
 * The sctp_local_addr_list needs to be protocted by a spin lock since
 * multiple notifiers (say IPv4 and IPv6) may be running at the same
@@ -123,7 +130,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
                }
                spin_unlock_bh(&sctp_local_addr_lock);
                if (found)
-                        call_rcu(&addr->rcu, sctp_local_addr_free);
+                        kfree_rcu(addr, rcu);
                break;
        }
@@ -240,37 +247,107 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
 /* Returns the dst cache entry for the given source and destination ip
 * addresses.
 */
-static struct dst_entry *sctp_v6_get_dst(struct sctp_association *asoc,
+static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
-                                         union sctp_addr *daddr,
+                            struct flowi *fl, struct sock *sk)
-                                         union sctp_addr *saddr)
 {
-        struct dst_entry *dst;
+        struct sctp_association *asoc = t->asoc;
-        struct flowi6 fl6;
+        struct dst_entry *dst = NULL;
+        struct flowi6 *fl6 = &fl->u.ip6;
+        struct sctp_bind_addr *bp;
+        struct sctp_sockaddr_entry *laddr;
+        union sctp_addr *baddr = NULL;
+        union sctp_addr *daddr = &t->ipaddr;
+        union sctp_addr dst_saddr;
+        __u8 matchlen = 0;
+        __u8 bmatchlen;
+        sctp_scope_t scope;
-        memset(&fl6, 0, sizeof(fl6));
+        memset(fl6, 0, sizeof(struct flowi6));
-        ipv6_addr_copy(&fl6.daddr, &daddr->v6.sin6_addr);
+        ipv6_addr_copy(&fl6->daddr, &daddr->v6.sin6_addr);
+        fl6->fl6_dport = daddr->v6.sin6_port;
+        fl6->flowi6_proto = IPPROTO_SCTP;
        if (ipv6_addr_type(&daddr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL)
-                fl6.flowi6_oif = daddr->v6.sin6_scope_id;
+                fl6->flowi6_oif = daddr->v6.sin6_scope_id;
+        SCTP_DEBUG_PRINTK("%s: DST=%pI6 ", __func__, &fl6->daddr);
-        SCTP_DEBUG_PRINTK("%s: DST=%pI6 ", __func__, &fl6.daddr);
+        if (asoc)
+                fl6->fl6_sport = htons(asoc->base.bind_addr.port);
        if (saddr) {
-                ipv6_addr_copy(&fl6.saddr, &saddr->v6.sin6_addr);
+                ipv6_addr_copy(&fl6->saddr, &saddr->v6.sin6_addr);
-                SCTP_DEBUG_PRINTK("SRC=%pI6 - ", &fl6.saddr);
+                fl6->fl6_sport = saddr->v6.sin6_port;
+                SCTP_DEBUG_PRINTK("SRC=%pI6 - ", &fl6->saddr);
+        }
+        dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
+        if (!asoc || saddr)
+                goto out;
+        bp = &asoc->base.bind_addr;
+        scope = sctp_scope(daddr);
+        /* ip6_dst_lookup has filled in the fl6->saddr for us.  Check
+         * to see if we can use it.
+         */
+        if (!IS_ERR(dst)) {
+                /* Walk through the bind address list and look for a bind
+                 * address that matches the source address of the returned dst.
+                 */
+                sctp_v6_to_addr(&dst_saddr, &fl6->saddr, htons(bp->port));
+                rcu_read_lock();
+                list_for_each_entry_rcu(laddr, &bp->address_list, list) {
+                        if (!laddr->valid || (laddr->state != SCTP_ADDR_SRC))
+                                continue;
+                        /* Do not compare against v4 addrs */
+                        if ((laddr->a.sa.sa_family == AF_INET6) &&
+                            (sctp_v6_cmp_addr(&dst_saddr, &laddr->a))) {
+                                rcu_read_unlock();
+                                goto out;
+                        }
+                }
+                rcu_read_unlock();
+                /* None of the bound addresses match the source address of the
+                 * dst. So release it.
+                 */
+                dst_release(dst);
+                dst = NULL;
        }
-        dst = ip6_route_output(&init_net, NULL, &fl6);
+        /* Walk through the bind address list and try to get the
-        if (!dst->error) {
+         * best source address for a given destination.
+         */
+        rcu_read_lock();
+        list_for_each_entry_rcu(laddr, &bp->address_list, list) {
+                if (!laddr->valid && laddr->state != SCTP_ADDR_SRC)
+                        continue;
+                if ((laddr->a.sa.sa_family == AF_INET6) &&
+                    (scope <= sctp_scope(&laddr->a))) {
+                        bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
+                        if (!baddr || (matchlen < bmatchlen)) {
+                                baddr = &laddr->a;
+                                matchlen = bmatchlen;
+                        }
+                }
+        }
+        rcu_read_unlock();
+        if (baddr) {
+                ipv6_addr_copy(&fl6->saddr, &baddr->v6.sin6_addr);
+                fl6->fl6_sport = baddr->v6.sin6_port;
+                dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
+        }
+out:
+        if (!IS_ERR(dst)) {
                struct rt6_info *rt;
                rt = (struct rt6_info *)dst;
+                t->dst = dst;
                SCTP_DEBUG_PRINTK("rt6_dst:%pI6 rt6_src:%pI6\n",
-                        &rt->rt6i_dst.addr, &rt->rt6i_src.addr);
+                        &rt->rt6i_dst.addr, &fl6->saddr);
-                return dst;
+        } else {
+                t->dst = NULL;
+                SCTP_DEBUG_PRINTK("NO ROUTE\n");
        }
-        SCTP_DEBUG_PRINTK("NO ROUTE\n");
-        dst_release(dst);
-        return NULL;
 }
 /* Returns the number of consecutive initial bits that match in the 2 ipv6
@@ -286,64 +363,18 @@ static inline int sctp_v6_addr_match_len(union sctp_addr *s1,
 * and asoc's bind address list.
 */
 static void sctp_v6_get_saddr(struct sctp_sock *sk,
-                              struct sctp_association *asoc,
+                              struct sctp_transport *t,
-                              struct dst_entry *dst,
+                              struct flowi *fl)
-                              union sctp_addr *daddr,
-                              union sctp_addr *saddr)
 {
-        struct sctp_bind_addr *bp;
+        struct flowi6 *fl6 = &fl->u.ip6;
-        struct sctp_sockaddr_entry *laddr;
+        union sctp_addr *saddr = &t->saddr;
-        sctp_scope_t scope;
-        union sctp_addr *baddr = NULL;
-        __u8 matchlen = 0;
-        __u8 bmatchlen;
-        SCTP_DEBUG_PRINTK("%s: asoc:%p dst:%p daddr:%pI6 ",
+        SCTP_DEBUG_PRINTK("%s: asoc:%p dst:%p\n", __func__, t->asoc, t->dst);
-                          __func__, asoc, dst, &daddr->v6.sin6_addr);
-        if (!asoc) {
-                ipv6_dev_get_saddr(sock_net(sctp_opt2sk(sk)),
-                                   dst ? ip6_dst_idev(dst)->dev : NULL,
-                                   &daddr->v6.sin6_addr,
-                                   inet6_sk(&sk->inet.sk)->srcprefs,
-                                   &saddr->v6.sin6_addr);
-                SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: %pI6\n",
-                                  &saddr->v6.sin6_addr);
-                return;
-        }
-        scope = sctp_scope(daddr);
-        bp = &asoc->base.bind_addr;
-        /* Go through the bind address list and find the best source address
+        if (t->dst) {
-         * that matches the scope of the destination address.
+                saddr->v6.sin6_family = AF_INET6;
-         */
+                ipv6_addr_copy(&saddr->v6.sin6_addr, &fl6->saddr);
-        rcu_read_lock();
-        list_for_each_entry_rcu(laddr, &bp->address_list, list) {
-                if (!laddr->valid)
-                        continue;
-                if ((laddr->state == SCTP_ADDR_SRC) &&
-                    (laddr->a.sa.sa_family == AF_INET6) &&
-                    (scope <= sctp_scope(&laddr->a))) {
-                        bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
-                        if (!baddr || (matchlen < bmatchlen)) {
-                                baddr = &laddr->a;
-                                matchlen = bmatchlen;
-                        }
-                }
-        }
-        if (baddr) {
-                memcpy(saddr, baddr, sizeof(union sctp_addr));
-                SCTP_DEBUG_PRINTK("saddr: %pI6\n", &saddr->v6.sin6_addr);
-        } else {
-                pr_err("%s: asoc:%p Could not find a valid source "
-                       "address for the dest:%pI6\n",
-                       __func__, asoc, &daddr->v6.sin6_addr);
        }
-        rcu_read_unlock();
 }
 /* Make a copy of all potential local addresses. */
@@ -465,14 +496,13 @@ static int sctp_v6_to_addr_param(const union sctp_addr *addr,
        return length;
 }
-/* Initialize a sctp_addr from a dst_entry. */
+/* Initialize a sctp_addr from struct in6_addr. */
-static void sctp_v6_dst_saddr(union sctp_addr *addr, struct dst_entry *dst,
+static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
                              __be16 port)
 {
-        struct rt6_info *rt = (struct rt6_info *)dst;
        addr->sa.sa_family = AF_INET6;
        addr->v6.sin6_port = port;
-        ipv6_addr_copy(&addr->v6.sin6_addr, &rt->rt6i_src.addr);
+        ipv6_addr_copy(&addr->v6.sin6_addr, saddr);
 }
 /* Compare addresses exactly.
@@ -531,7 +561,7 @@ static int sctp_v6_is_any(const union sctp_addr *addr)
 static int sctp_v6_available(union sctp_addr *addr, struct sctp_sock *sp)
 {
        int type;
-        struct in6_addr *in6 = (struct in6_addr *)&addr->v6.sin6_addr;
+        const struct in6_addr *in6 = (const struct in6_addr *)&addr->v6.sin6_addr;
        type = ipv6_addr_type(in6);
        if (IPV6_ADDR_ANY == type)
@@ -959,7 +989,6 @@ static struct sctp_af sctp_af_inet6 = {
        .to_sk_daddr       = sctp_v6_to_sk_daddr,
        .from_addr_param   = sctp_v6_from_addr_param,
        .to_addr_param     = sctp_v6_to_addr_param,
-        .dst_saddr         = sctp_v6_dst_saddr,
        .cmp_addr          = sctp_v6_cmp_addr,
        .scope             = sctp_v6_scope,
        .addr_valid        = sctp_v6_addr_valid,
diff --git a/net/sctp/output.c b/net/sctp/output.c
index b4f3cf06d8da..08b3cead6503 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -500,23 +500,20 @@ int sctp_packet_transmit(struct sctp_packet *packet)
         * Note: Adler-32 is no longer applicable, as has been replaced
         * by CRC32-C as described in <draft-ietf-tsvwg-sctpcsum-02.txt>.
         */
-        if (!sctp_checksum_disable &&
+        if (!sctp_checksum_disable) {
-            !(dst->dev->features & (NETIF_F_NO_CSUM | NETIF_F_SCTP_CSUM))) {
+                if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) {
-                __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
+                        __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
-                /* 3) Put the resultant value into the checksum field in the
+                        /* 3) Put the resultant value into the checksum field in the
-                 *    common header, and leave the rest of the bits unchanged.
+                         *    common header, and leave the rest of the bits unchanged.
-                 */
+                         */
-                sh->checksum = sctp_end_cksum(crc32);
+                        sh->checksum = sctp_end_cksum(crc32);
-        } else {
+                } else {
-                if (dst->dev->features & NETIF_F_SCTP_CSUM) {
                        /* no need to seed pseudo checksum for SCTP */
                        nskb->ip_summed = CHECKSUM_PARTIAL;
                        nskb->csum_start = (skb_transport_header(nskb) -
                                            nskb->head);
                        nskb->csum_offset = offsetof(struct sctphdr, checksum);
-                } else {
-                        nskb->ip_summed = CHECKSUM_UNNECESSARY;
                }
        }
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index bf92a5b68f8b..d03682109b7a 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -131,7 +131,8 @@ static inline int sctp_cacc_skip_3_1_d(struct sctp_transport *primary,
 static inline int sctp_cacc_skip_3_1_f(struct sctp_transport *transport,
                                       int count_of_newacks)
 {
-        if (count_of_newacks < 2 && !transport->cacc.cacc_saw_newack)
+        if (count_of_newacks < 2 &&
+                        (transport && !transport->cacc.cacc_saw_newack))
                return 1;
        return 0;
 }
@@ -319,7 +320,6 @@ int sctp_outq_tail(struct sctp_outq *q, struct sctp_chunk *chunk)
                 * chunk.
                 */
                switch (q->asoc->state) {
-                case SCTP_STATE_EMPTY:
                case SCTP_STATE_CLOSED:
                case SCTP_STATE_SHUTDOWN_PENDING:
                case SCTP_STATE_SHUTDOWN_SENT:
@@ -577,6 +577,13 @@ static int sctp_outq_flush_rtx(struct sctp_outq *q, struct sctp_packet *pkt,
         * try to send as much as possible.
         */
        list_for_each_entry_safe(chunk, chunk1, lqueue, transmitted_list) {
+                /* If the chunk is abandoned, move it to abandoned list. */
+                if (sctp_chunk_abandoned(chunk)) {
+                        list_del_init(&chunk->transmitted_list);
+                        sctp_insert_list(&q->abandoned,
+                                         &chunk->transmitted_list);
+                        continue;
+                }
                /* Make sure that Gap Acked TSNs are not retransmitted.  A
                 * simple approach is just to move such TSNs out of the
@@ -618,9 +625,12 @@ redo:
                        /* If we are retransmitting, we should only
                         * send a single packet.
+                         * Otherwise, try appending this chunk again.
                         */
                        if (rtx_timeout || fast_rtx)
                                done = 1;
+                        else
+                                goto redo;
                        /* Bundle next chunk in the next round.  */
                        break;
@@ -1572,6 +1582,8 @@ static void sctp_check_transmitted(struct sctp_outq *q,
 #endif /* SCTP_DEBUG */
        if (transport) {
                if (bytes_acked) {
+                        struct sctp_association *asoc = transport->asoc;
                        /* We may have counted DATA that was migrated
                         * to this transport due to DEL-IP operation.
                         * Subtract those bytes, since the were never
@@ -1590,6 +1602,17 @@ static void sctp_check_transmitted(struct sctp_outq *q,
                        transport->error_count = 0;
                        transport->asoc->overall_error_count = 0;
+                        /*
+                         * While in SHUTDOWN PENDING, we may have started
+                         * the T5 shutdown guard timer after reaching the
+                         * retransmission limit. Stop that timer as soon
+                         * as the receiver acknowledged any data.
+                         */
+                        if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING &&
+                            del_timer(&asoc->timers
+                                [SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD]))
+                                        sctp_association_put(asoc);
                        /* Mark the destination transport address as
                         * active if it is not so marked.
                         */
@@ -1619,10 +1642,15 @@ static void sctp_check_transmitted(struct sctp_outq *q,
                         * A sender is doing zero window probing when the
                         * receiver's advertised window is zero, and there is
                         * only one data chunk in flight to the receiver.
+                         *
+                         * Allow the association to timeout while in SHUTDOWN
+                         * PENDING or SHUTDOWN RECEIVED in case the receiver
+                         * stays in zero window mode forever.
                         */
                        if (!q->asoc->peer.rwnd &&
                            !list_empty(&tlist) &&
-                            (sack_ctsn+2 == q->asoc->next_tsn)) {
+                            (sack_ctsn+2 == q->asoc->next_tsn) &&
+                            q->asoc->state < SCTP_STATE_SHUTDOWN_PENDING) {
                                SCTP_DEBUG_PRINTK("%s: SACK received for zero "
                                                  "window probe: %u\n",
                                                  __func__, sack_ctsn);
@@ -1683,8 +1711,9 @@ static void sctp_mark_missing(struct sctp_outq *q,
                        /* SFR-CACC may require us to skip marking
                         * this chunk as missing.
                         */
-                        if (!transport || !sctp_cacc_skip(primary, transport,
+                        if (!transport || !sctp_cacc_skip(primary,
-                                            count_of_newacks, tsn)) {
+                                                chunk->transport,
+                                                count_of_newacks, tsn)) {
                                chunk->tsn_missing_report++;
                                SCTP_DEBUG_PRINTK(
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 61aacfbbaa92..05a6ce214714 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -212,7 +212,7 @@ static int sctp_eps_seq_show(struct seq_file *seq, void *v)
        sctp_for_each_hentry(epb, node, &head->chain) {
                ep = sctp_ep(epb);
                sk = epb->sk;
-                seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
+                seq_printf(seq, "%8pK %8pK %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
                           sctp_sk(sk)->type, sk->sk_state, hash,
                           epb->bind_addr.port,
                           sock_i_uid(sk), sock_i_ino(sk));
@@ -316,7 +316,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
                assoc = sctp_assoc(epb);
                sk = epb->sk;
                seq_printf(seq,
-                           "%8p %8p %-3d %-3d %-2d %-4d "
+                           "%8pK %8pK %-3d %-3d %-2d %-4d "
                           "%4d %8d %8d %7d %5lu %-5d %5d ",
                           assoc, sk, sctp_sk(sk)->type, sk->sk_state,
                           assoc->state, hash,
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index d5bf91d04f63..207175b2f40a 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -230,13 +230,6 @@ static void sctp_free_local_addr_list(void)
        }
 }
-void sctp_local_addr_free(struct rcu_head *head)
-{
-        struct sctp_sockaddr_entry *e = container_of(head,
-                                struct sctp_sockaddr_entry, rcu);
-        kfree(e);
-}
 /* Copy the local addresses which are valid for 'scope' into 'bp'.  */
 int sctp_copy_local_addr_list(struct sctp_bind_addr *bp, sctp_scope_t scope,
                              gfp_t gfp, int copy_flags)
@@ -339,13 +332,12 @@ static int sctp_v4_to_addr_param(const union sctp_addr *addr,
 }
 /* Initialize a sctp_addr from a dst_entry. */
-static void sctp_v4_dst_saddr(union sctp_addr *saddr, struct dst_entry *dst,
+static void sctp_v4_dst_saddr(union sctp_addr *saddr, struct flowi4 *fl4,
                              __be16 port)
 {
-        struct rtable *rt = (struct rtable *)dst;
        saddr->v4.sin_family = AF_INET;
        saddr->v4.sin_port = port;
-        saddr->v4.sin_addr.s_addr = rt->rt_src;
+        saddr->v4.sin_addr.s_addr = fl4->saddr;
 }
 /* Compare two addresses exactly. */
@@ -463,35 +455,36 @@ static sctp_scope_t sctp_v4_scope(union sctp_addr *addr)
 * addresses. If an association is passed, trys to get a dst entry with a
 * source address that matches an address in the bind address list.
 */
-static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
+static void sctp_v4_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
-                                         union sctp_addr *daddr,
+                                struct flowi *fl, struct sock *sk)
-                                         union sctp_addr *saddr)
 {
+        struct sctp_association *asoc = t->asoc;
        struct rtable *rt;
-        struct flowi4 fl4;
+        struct flowi4 *fl4 = &fl->u.ip4;
        struct sctp_bind_addr *bp;
        struct sctp_sockaddr_entry *laddr;
        struct dst_entry *dst = NULL;
+        union sctp_addr *daddr = &t->ipaddr;
        union sctp_addr dst_saddr;
-        memset(&fl4, 0x0, sizeof(struct flowi4));
+        memset(fl4, 0x0, sizeof(struct flowi4));
-        fl4.daddr  = daddr->v4.sin_addr.s_addr;
+        fl4->daddr  = daddr->v4.sin_addr.s_addr;
-        fl4.fl4_dport = daddr->v4.sin_port;
+        fl4->fl4_dport = daddr->v4.sin_port;
-        fl4.flowi4_proto = IPPROTO_SCTP;
+        fl4->flowi4_proto = IPPROTO_SCTP;
        if (asoc) {
-                fl4.flowi4_tos = RT_CONN_FLAGS(asoc->base.sk);
+                fl4->flowi4_tos = RT_CONN_FLAGS(asoc->base.sk);
-                fl4.flowi4_oif = asoc->base.sk->sk_bound_dev_if;
+                fl4->flowi4_oif = asoc->base.sk->sk_bound_dev_if;
-                fl4.fl4_sport = htons(asoc->base.bind_addr.port);
+                fl4->fl4_sport = htons(asoc->base.bind_addr.port);
        }
        if (saddr) {
-                fl4.saddr = saddr->v4.sin_addr.s_addr;
+                fl4->saddr = saddr->v4.sin_addr.s_addr;
-                fl4.fl4_sport = saddr->v4.sin_port;
+                fl4->fl4_sport = saddr->v4.sin_port;
        }
        SCTP_DEBUG_PRINTK("%s: DST:%pI4, SRC:%pI4 - ",
-                          __func__, &fl4.daddr, &fl4.saddr);
+                          __func__, &fl4->daddr, &fl4->saddr);
-        rt = ip_route_output_key(&init_net, &fl4);
+        rt = ip_route_output_key(&init_net, fl4);
        if (!IS_ERR(rt))
                dst = &rt->dst;
@@ -507,7 +500,7 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
                /* Walk through the bind address list and look for a bind
                 * address that matches the source address of the returned dst.
                 */
-                sctp_v4_dst_saddr(&dst_saddr, dst, htons(bp->port));
+                sctp_v4_dst_saddr(&dst_saddr, fl4, htons(bp->port));
                rcu_read_lock();
                list_for_each_entry_rcu(laddr, &bp->address_list, list) {
                        if (!laddr->valid || (laddr->state != SCTP_ADDR_SRC))
@@ -533,9 +526,9 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
                        continue;
                if ((laddr->state == SCTP_ADDR_SRC) &&
                    (AF_INET == laddr->a.sa.sa_family)) {
-                        fl4.saddr = laddr->a.v4.sin_addr.s_addr;
+                        fl4->saddr = laddr->a.v4.sin_addr.s_addr;
-                        fl4.fl4_sport = laddr->a.v4.sin_port;
+                        fl4->fl4_sport = laddr->a.v4.sin_port;
-                        rt = ip_route_output_key(&init_net, &fl4);
+                        rt = ip_route_output_key(&init_net, fl4);
                        if (!IS_ERR(rt)) {
                                dst = &rt->dst;
                                goto out_unlock;
@@ -546,33 +539,27 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
 out_unlock:
        rcu_read_unlock();
 out:
+        t->dst = dst;
        if (dst)
                SCTP_DEBUG_PRINTK("rt_dst:%pI4, rt_src:%pI4\n",
-                                  &rt->rt_dst, &rt->rt_src);
+                                  &fl4->daddr, &fl4->saddr);
        else
                SCTP_DEBUG_PRINTK("NO ROUTE\n");
-        return dst;
 }
 /* For v4, the source address is cached in the route entry(dst). So no need
 * to cache it separately and hence this is an empty routine.
 */
 static void sctp_v4_get_saddr(struct sctp_sock *sk,
-                              struct sctp_association *asoc,
+                              struct sctp_transport *t,
-                              struct dst_entry *dst,
+                              struct flowi *fl)
-                              union sctp_addr *daddr,
-                              union sctp_addr *saddr)
 {
-        struct rtable *rt = (struct rtable *)dst;
+        union sctp_addr *saddr = &t->saddr;
+        struct rtable *rt = (struct rtable *)t->dst;
-        if (!asoc)
-                return;
        if (rt) {
                saddr->v4.sin_family = AF_INET;
-                saddr->v4.sin_port = htons(asoc->base.bind_addr.port);
+                saddr->v4.sin_addr.s_addr = fl->u.ip4.saddr;
-                saddr->v4.sin_addr.s_addr = rt->rt_src;
        }
 }
@@ -681,7 +668,7 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev,
                }
                spin_unlock_bh(&sctp_local_addr_lock);
                if (found)
-                        call_rcu(&addr->rcu, sctp_local_addr_free);
+                        kfree_rcu(addr, rcu);
                break;
        }
@@ -854,14 +841,14 @@ static inline int sctp_v4_xmit(struct sk_buff *skb,
        SCTP_DEBUG_PRINTK("%s: skb:%p, len:%d, src:%pI4, dst:%pI4\n",
                          __func__, skb, skb->len,
-                          &skb_rtable(skb)->rt_src,
+                          &transport->fl.u.ip4.saddr,
-                          &skb_rtable(skb)->rt_dst);
+                          &transport->fl.u.ip4.daddr);
        inet->pmtudisc = transport->param_flags & SPP_PMTUD_ENABLE ?
                         IP_PMTUDISC_DO : IP_PMTUDISC_DONT;
        SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
-        return ip_queue_xmit(skb);
+        return ip_queue_xmit(skb, &transport->fl);
 }
 static struct sctp_af sctp_af_inet;
@@ -950,7 +937,6 @@ static struct sctp_af sctp_af_inet = {
        .to_sk_daddr       = sctp_v4_to_sk_daddr,
        .from_addr_param   = sctp_v4_from_addr_param,
        .to_addr_param     = sctp_v4_to_addr_param,
-        .dst_saddr         = sctp_v4_dst_saddr,
        .cmp_addr          = sctp_v4_cmp_addr,
        .addr_valid        = sctp_v4_addr_valid,
        .inaddr_any        = sctp_v4_inaddr_any,
@@ -1072,7 +1058,6 @@ SCTP_STATIC __init int sctp_init(void)
        int status = -EINVAL;
        unsigned long goal;
        unsigned long limit;
-        unsigned long nr_pages;
        int max_share;
        int order;
@@ -1162,15 +1147,7 @@ SCTP_STATIC __init int sctp_init(void)
        /* Initialize handle used for association ids. */
        idr_init(&sctp_assocs_id);
-        /* Set the pressure threshold to be a fraction of global memory that
+        limit = nr_free_buffer_pages() / 8;
-         * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
-         * memory, with a floor of 128 pages.
-         * Note this initializes the data in sctpv6_prot too
-         * Unabashedly stolen from tcp_init
-         */
-        nr_pages = totalram_pages - totalhigh_pages;
-        limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
-        limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
        limit = max(limit, 128UL);
        sysctl_sctp_mem[0] = limit / 4 * 3;
        sysctl_sctp_mem[1] = limit;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index b3434cc7d0cf..58eb27fed4b4 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1075,20 +1075,28 @@ nodata:
 /* Make a HEARTBEAT chunk.  */
 struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *asoc,
-                                  const struct sctp_transport *transport,
+                                  const struct sctp_transport *transport)
-                                  const void *payload, const size_t paylen)
 {
-        struct sctp_chunk *retval = sctp_make_chunk(asoc, SCTP_CID_HEARTBEAT,
+        struct sctp_chunk *retval;
-                                                    0, paylen);
+        sctp_sender_hb_info_t hbinfo;
+        retval = sctp_make_chunk(asoc, SCTP_CID_HEARTBEAT, 0, sizeof(hbinfo));
        if (!retval)
                goto nodata;
+        hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
+        hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
+        hbinfo.daddr = transport->ipaddr;
+        hbinfo.sent_at = jiffies;
+        hbinfo.hb_nonce = transport->hb_nonce;
        /* Cast away the 'const', as this is just telling the chunk
         * what transport it belongs to.
         */
        retval->transport = (struct sctp_transport *) transport;
-        retval->subh.hbs_hdr = sctp_addto_chunk(retval, paylen, payload);
+        retval->subh.hbs_hdr = sctp_addto_chunk(retval, sizeof(hbinfo),
+                                                &hbinfo);
 nodata:
        return retval;
@@ -2242,14 +2250,17 @@ int sctp_verify_init(const struct sctp_association *asoc,
 * Returns 0 on failure, else success.
 * FIXME:  This is an association method.
 */
-int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
+int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
                      const union sctp_addr *peer_addr,
                      sctp_init_chunk_t *peer_init, gfp_t gfp)
 {
        union sctp_params param;
        struct sctp_transport *transport;
        struct list_head *pos, *temp;
+        struct sctp_af *af;
+        union sctp_addr addr;
        char *cookie;
+        int src_match = 0;
        /* We must include the address that the INIT packet came from.
         * This is the only address that matters for an INIT packet.
@@ -2261,18 +2272,31 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
         * added as the primary transport.  The source address seems to
         * be a a better choice than any of the embedded addresses.
         */
-        if (peer_addr) {
+        if(!sctp_assoc_add_peer(asoc, peer_addr, gfp, SCTP_ACTIVE))
-                if(!sctp_assoc_add_peer(asoc, peer_addr, gfp, SCTP_ACTIVE))
+                goto nomem;
-                        goto nomem;
-        }
+        if (sctp_cmp_addr_exact(sctp_source(chunk), peer_addr))
+                src_match = 1;
        /* Process the initialization parameters.  */
        sctp_walk_params(param, peer_init, init_hdr.params) {
+                if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+                    param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
+                        af = sctp_get_af_specific(param_type2af(param.p->type));
+                        af->from_addr_param(&addr, param.addr,
+                                            chunk->sctp_hdr->source, 0);
+                        if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
+                                src_match = 1;
+                }
                if (!sctp_process_param(asoc, param, peer_addr, gfp))
                        goto clean_up;
        }
+        /* source address of chunk may not match any valid address */
+        if (!src_match)
+                goto clean_up;
        /* AUTH: After processing the parameters, make sure that we
         * have all the required info to potentially do authentications.
         */
@@ -2923,7 +2947,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
            asconf_param->param_hdr.type != SCTP_PARAM_SET_PRIMARY)
                return SCTP_ERROR_UNKNOWN_PARAM;
-        switch (addr_param->v4.param_hdr.type) {
+        switch (addr_param->p.type) {
        case SCTP_PARAM_IPV6_ADDRESS:
                if (!asoc->peer.ipv6_address)
                        return SCTP_ERROR_DNS_FAILED;
@@ -2936,7 +2960,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
                return SCTP_ERROR_DNS_FAILED;
        }
-        af = sctp_get_af_specific(param_type2af(addr_param->v4.param_hdr.type));
+        af = sctp_get_af_specific(param_type2af(addr_param->p.type));
        if (unlikely(!af))
                return SCTP_ERROR_DNS_FAILED;
@@ -3100,7 +3124,7 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
        /* Skip the address parameter and store a pointer to the first
         * asconf parameter.
         */
-        length = ntohs(addr_param->v4.param_hdr.length);
+        length = ntohs(addr_param->p.length);
        asconf_param = (sctp_addip_param_t *)((void *)addr_param + length);
        chunk_len -= length;
@@ -3177,7 +3201,7 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
                        ((void *)asconf_param + sizeof(sctp_addip_param_t));
        /* We have checked the packet before, so we do not check again. */
-        af = sctp_get_af_specific(param_type2af(addr_param->v4.param_hdr.type));
+        af = sctp_get_af_specific(param_type2af(addr_param->p.type));
        af->from_addr_param(&addr, addr_param, htons(bp->port), 0);
        switch (asconf_param->param_hdr.type) {
@@ -3193,11 +3217,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
                local_bh_enable();
                list_for_each_entry(transport, &asoc->peer.transport_addr_list,
                                transports) {
-                        if (transport->state == SCTP_ACTIVE)
-                                continue;
                        dst_release(transport->dst);
-                        sctp_transport_route(transport, NULL,
+                        transport->dst = NULL;
-                                             sctp_sk(asoc->base.sk));
                }
                break;
        case SCTP_PARAM_DEL_IP:
@@ -3207,8 +3228,7 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
                list_for_each_entry(transport, &asoc->peer.transport_addr_list,
                                transports) {
                        dst_release(transport->dst);
-                        sctp_transport_route(transport, NULL,
+                        transport->dst = NULL;
-                                             sctp_sk(asoc->base.sk));
                }
                break;
        default:
@@ -3304,7 +3324,7 @@ int sctp_process_asconf_ack(struct sctp_association *asoc,
        /* Skip the address parameter in the last asconf sent and store a
         * pointer to the first asconf parameter.
         */
-        length = ntohs(addr_param->v4.param_hdr.length);
+        length = ntohs(addr_param->p.length);
        asconf_param = (sctp_addip_param_t *)((void *)addr_param + length);
        asconf_len -= length;
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 5f86ee4b54c1..6e0f88295aaf 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -595,8 +595,7 @@ static int sctp_cmd_process_init(sctp_cmd_seq_t *commands,
         * fail during INIT processing (due to malloc problems),
         * just return the error and stop processing the stack.
         */
-        if (!sctp_process_init(asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(asoc, chunk, sctp_source(chunk), peer_init, gfp))
-                               sctp_source(chunk), peer_init, gfp))
                error = -ENOMEM;
        else
                error = 0;
@@ -671,10 +670,19 @@ static void sctp_cmd_transport_on(sctp_cmd_seq_t *cmds,
        /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of the
         * HEARTBEAT should clear the error counter of the destination
         * transport address to which the HEARTBEAT was sent.
-         * The association's overall error count is also cleared.
         */
        t->error_count = 0;
-        t->asoc->overall_error_count = 0;
+        /*
+         * Although RFC4960 specifies that the overall error count must
+         * be cleared when a HEARTBEAT ACK is received, we make an
+         * exception while in SHUTDOWN PENDING. If the peer keeps its
+         * window shut forever, we may never be able to transmit our
+         * outstanding data and rely on the retransmission limit be reached
+         * to shutdown the association.
+         */
+        if (t->asoc->state != SCTP_STATE_SHUTDOWN_PENDING)
+                t->asoc->overall_error_count = 0;
        /* Clear the hb_sent flag to signal that we had a good
         * acknowledgement.
@@ -1415,12 +1423,6 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                                        SCTP_RTXR_T3_RTX);
                        break;
-                case SCTP_CMD_TRANSMIT:
-                        /* Kick start transmission. */
-                        error = sctp_outq_uncork(&asoc->outqueue);
-                        local_cork = 0;
-                        break;
                case SCTP_CMD_ECN_CE:
                        /* Do delayed CE processing.   */
                        sctp_do_ecn_ce_work(asoc, cmd->obj.u32);
@@ -1444,6 +1446,13 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                        sctp_cmd_setup_t2(commands, asoc, cmd->obj.ptr);
                        break;
+                case SCTP_CMD_TIMER_START_ONCE:
+                        timer = &asoc->timers[cmd->obj.to];
+                        if (timer_pending(timer))
+                                break;
+                        /* fall through */
                case SCTP_CMD_TIMER_START:
                        timer = &asoc->timers[cmd->obj.to];
                        timeout = asoc->timeouts[cmd->obj.to];
@@ -1677,6 +1686,9 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                case SCTP_CMD_SEND_NEXT_ASCONF:
                        sctp_cmd_send_asconf(asoc);
                        break;
+                case SCTP_CMD_PURGE_ASCONF_QUEUE:
+                        sctp_asconf_queue_teardown(asoc);
+                        break;
                default:
                        pr_warn("Impossible command: %u, %p\n",
                                cmd->verb, cmd->obj.ptr);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 76792083c379..246117142b5c 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -393,8 +393,7 @@ sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
                goto nomem_init;
        /* The call, sctp_process_init(), can fail on memory allocation.  */
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
-                               sctp_source(chunk),
                               (sctp_init_chunk_t *)chunk->chunk_hdr,
                               GFP_ATOMIC))
                goto nomem_init;
@@ -725,7 +724,7 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
         */
        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk,
                               &chunk->subh.cookie_hdr->c.peer_addr,
                               peer_init, GFP_ATOMIC))
                goto nomem_init;
@@ -942,18 +941,9 @@ static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
 {
        struct sctp_transport *transport = (struct sctp_transport *) arg;
        struct sctp_chunk *reply;
-        sctp_sender_hb_info_t hbinfo;
-        size_t paylen = 0;
-        hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
-        hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
-        hbinfo.daddr = transport->ipaddr;
-        hbinfo.sent_at = jiffies;
-        hbinfo.hb_nonce = transport->hb_nonce;
        /* Send a heartbeat to our peer.  */
-        paylen = sizeof(sctp_sender_hb_info_t);
+        reply = sctp_make_heartbeat(asoc, transport);
-        reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen);
        if (!reply)
                return SCTP_DISPOSITION_NOMEM;
@@ -1464,8 +1454,7 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
         * Verification Tag and Peers Verification tag into a reserved
         * place (local tie-tag and per tie-tag) within the state cookie.
         */
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
-                               sctp_source(chunk),
                               (sctp_init_chunk_t *)chunk->chunk_hdr,
                               GFP_ATOMIC))
                goto nomem;
@@ -1694,8 +1683,7 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
         */
        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
-                               sctp_source(chunk), peer_init,
                               GFP_ATOMIC))
                goto nomem;
@@ -1730,11 +1718,21 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
                return SCTP_DISPOSITION_CONSUME;
        }
-        /* For now, fail any unsent/unacked data.  Consider the optional
+        /* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
-         * choice of resending of this data.
+         * data. Consider the optional choice of resending of this data.
         */
+        sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
+        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
+                        SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));
        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
+        /* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
+         * and ASCONF-ACK cache.
+         */
+        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
+                        SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
+        sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
        repl = sctp_make_cookie_ack(new_asoc, chunk);
        if (!repl)
                goto nomem;
@@ -1780,8 +1778,7 @@ static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,
         * side effects--it is safe to run them here.
         */
        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
-                               sctp_source(chunk), peer_init,
                               GFP_ATOMIC))
                goto nomem;
@@ -2412,8 +2409,15 @@ static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
        /* See if we have an error cause code in the chunk.  */
        len = ntohs(chunk->chunk_hdr->length);
-        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
+        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
+                sctp_errhdr_t *err;
+                sctp_walk_errors(err, chunk->chunk_hdr);
+                if ((void *)err != (void *)chunk->chunk_end)
+                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
+        }
        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
        /* ASSOC_FAILED will DELETE_TCB. */
@@ -3204,6 +3208,7 @@ sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
                                        sctp_cmd_seq_t *commands)
 {
        struct sctp_chunk *chunk = arg;
+        sctp_errhdr_t *err;
        if (!sctp_vtag_verify(chunk, asoc))
                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
@@ -3212,6 +3217,10 @@ sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
                                                  commands);
+        sctp_walk_errors(err, chunk->chunk_hdr);
+        if ((void *)err != (void *)chunk->chunk_end)
+                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
+                                                  (void *)err, commands);
        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
                        SCTP_CHUNK(chunk));
@@ -3320,8 +3329,10 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
        struct sctp_chunk *chunk = arg;
        struct sk_buff *skb = chunk->skb;
        sctp_chunkhdr_t *ch;
+        sctp_errhdr_t *err;
        __u8 *ch_end;
        int ootb_shut_ack = 0;
+        int ootb_cookie_ack = 0;
        SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
@@ -3346,6 +3357,23 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
                if (SCTP_CID_ABORT == ch->type)
                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
+                /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
+                 * or a COOKIE ACK the SCTP Packet should be silently
+                 * discarded.
+                 */
+                if (SCTP_CID_COOKIE_ACK == ch->type)
+                        ootb_cookie_ack = 1;
+                if (SCTP_CID_ERROR == ch->type) {
+                        sctp_walk_errors(err, ch) {
+                                if (SCTP_ERROR_STALE_COOKIE == err->cause) {
+                                        ootb_cookie_ack = 1;
+                                        break;
+                                }
+                        }
+                }
                /* Report violation if chunk len overflows */
                ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
                if (ch_end > skb_tail_pointer(skb))
@@ -3357,6 +3385,8 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
        if (ootb_shut_ack)
                return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);
+        else if (ootb_cookie_ack)
+                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
        else
                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 }
@@ -4343,8 +4373,9 @@ static sctp_disposition_t sctp_sf_violation_chunklen(
 /*
 * Handle a protocol violation when the parameter length is invalid.
- * "Invalid" length is identified as smaller than the minimal length a
+ * If the length is smaller than the minimum length of a given parameter,
- * given parameter can be.
+ * or accumulated length in multi parameters exceeds the end of the chunk,
+ * the length is considered as invalid.
 */
 static sctp_disposition_t sctp_sf_violation_paramlen(
                                     const struct sctp_endpoint *ep,
@@ -5056,6 +5087,30 @@ sctp_disposition_t sctp_sf_ignore_primitive(
 ***************************************************************************/
 /*
+ * When the SCTP stack has no more user data to send or retransmit, this
+ * notification is given to the user. Also, at the time when a user app
+ * subscribes to this event, if there is no data to be sent or
+ * retransmit, the stack will immediately send up this notification.
+ */
+sctp_disposition_t sctp_sf_do_no_pending_tsn(
+        const struct sctp_endpoint *ep,
+        const struct sctp_association *asoc,
+        const sctp_subtype_t type,
+        void *arg,
+        sctp_cmd_seq_t *commands)
+{
+        struct sctp_ulpevent *event;
+        event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
+        if (!event)
+                return SCTP_DISPOSITION_NOMEM;
+        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
+        return SCTP_DISPOSITION_CONSUME;
+}
+/*
 * Start the shutdown negotiation.
 *
 * From Section 9.2:
@@ -5099,7 +5154,7 @@ sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
         * The sender of the SHUTDOWN MAY also start an overall guard timer
         * 'T5-shutdown-guard' to bound the overall time for shutdown sequence.
         */
-        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
+        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
                        SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
        if (asoc->autoclose)
@@ -5244,14 +5299,28 @@ sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,
        SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS);
        if (asoc->overall_error_count >= asoc->max_retrans) {
-                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
-                                SCTP_ERROR(ETIMEDOUT));
+                        /*
-                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
+                         * We are here likely because the receiver had its rwnd
-                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
+                         * closed for a while and we have not been able to
-                                SCTP_PERR(SCTP_ERROR_NO_ERROR));
+                         * transmit the locally queued data within the maximum
-                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
+                         * retransmission attempts limit.  Start the T5
-                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
+                         * shutdown guard timer to give the receiver one last
-                return SCTP_DISPOSITION_DELETE_TCB;
+                         * chance and some additional time to recover before
+                         * aborting.
+                         */
+                        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START_ONCE,
+                                SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
+                } else {
+                        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                        SCTP_ERROR(ETIMEDOUT));
+                        /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
+                        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
+                                        SCTP_PERR(SCTP_ERROR_NO_ERROR));
+                        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
+                        SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
+                        return SCTP_DISPOSITION_DELETE_TCB;
+                }
        }
        /* E1) For the destination address for which the timer
diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c
index 546d4387fb3c..7c211a7f90f4 100644
--- a/net/sctp/sm_statetable.c
+++ b/net/sctp/sm_statetable.c
@@ -107,8 +107,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 #define TYPE_SCTP_FUNC(func) {.fn = func, .name = #func}
 #define TYPE_SCTP_DATA { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -128,8 +126,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_DATA */
 #define TYPE_SCTP_INIT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_5_1B_init), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -149,8 +145,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_INIT */
 #define TYPE_SCTP_INIT_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_5_2_3_initack), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -170,8 +164,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_INIT_ACK */
 #define TYPE_SCTP_SACK { \
-        /*  SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -191,8 +183,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_SACK */
 #define TYPE_SCTP_HEARTBEAT { \
-        /*  SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -213,8 +203,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_HEARTBEAT */
 #define TYPE_SCTP_HEARTBEAT_ACK { \
-        /*  SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -234,8 +222,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_HEARTBEAT_ACK */
 #define TYPE_SCTP_ABORT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_pdiscard), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -255,8 +241,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ABORT */
 #define TYPE_SCTP_SHUTDOWN { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -276,8 +260,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_SHUTDOWN */
 #define TYPE_SCTP_SHUTDOWN_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -297,8 +279,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_SHUTDOWN_ACK */
 #define TYPE_SCTP_ERROR { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -318,8 +298,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ERROR */
 #define TYPE_SCTP_COOKIE_ECHO { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_5_1D_ce), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -339,8 +317,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_COOKIE_ECHO */
 #define TYPE_SCTP_COOKIE_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -360,8 +336,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_COOKIE_ACK */
 #define TYPE_SCTP_ECN_ECNE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -381,8 +355,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ECN_ECNE */
 #define TYPE_SCTP_ECN_CWR { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -402,8 +374,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ECN_CWR */
 #define TYPE_SCTP_SHUTDOWN_COMPLETE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -446,8 +416,6 @@ static const sctp_sm_table_entry_t chunk_event_table[SCTP_NUM_BASE_CHUNK_TYPES][
 }; /* state_fn_t chunk_event_table[][] */
 #define TYPE_SCTP_ASCONF { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -467,8 +435,6 @@ static const sctp_sm_table_entry_t chunk_event_table[SCTP_NUM_BASE_CHUNK_TYPES][
 } /* TYPE_SCTP_ASCONF */
 #define TYPE_SCTP_ASCONF_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -496,8 +462,6 @@ static const sctp_sm_table_entry_t addip_chunk_event_table[SCTP_NUM_ADDIP_CHUNK_
 }; /*state_fn_t addip_chunk_event_table[][] */
 #define TYPE_SCTP_FWD_TSN { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -524,8 +488,6 @@ static const sctp_sm_table_entry_t prsctp_chunk_event_table[SCTP_NUM_PRSCTP_CHUN
 }; /*state_fn_t prsctp_chunk_event_table[][] */
 #define TYPE_SCTP_AUTH { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -553,8 +515,6 @@ static const sctp_sm_table_entry_t auth_chunk_event_table[SCTP_NUM_AUTH_CHUNK_TY
 static const sctp_sm_table_entry_t
 chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
-        /* SCTP_STATE_EMPTY */
-        TYPE_SCTP_FUNC(sctp_sf_ootb),
        /* SCTP_STATE_CLOSED */
        TYPE_SCTP_FUNC(sctp_sf_ootb),
        /* SCTP_STATE_COOKIE_WAIT */
@@ -575,8 +535,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 #define TYPE_SCTP_PRIMITIVE_ASSOCIATE  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_prm_asoc), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -596,8 +554,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_ASSOCIATE */
 #define TYPE_SCTP_PRIMITIVE_SHUTDOWN  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -617,8 +573,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_SHUTDOWN */
 #define TYPE_SCTP_PRIMITIVE_ABORT  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -638,8 +592,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_ABORT */
 #define TYPE_SCTP_PRIMITIVE_SEND  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -659,8 +611,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_SEND */
 #define TYPE_SCTP_PRIMITIVE_REQUESTHEARTBEAT  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -680,8 +630,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_REQUESTHEARTBEAT */
 #define TYPE_SCTP_PRIMITIVE_ASCONF { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -713,8 +661,6 @@ static const sctp_sm_table_entry_t primitive_event_table[SCTP_NUM_PRIMITIVE_TYPE
 };
 #define TYPE_SCTP_OTHER_NO_PENDING_TSN  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -722,7 +668,7 @@ static const sctp_sm_table_entry_t primitive_event_table[SCTP_NUM_PRIMITIVE_TYPE
        /* SCTP_STATE_COOKIE_ECHOED */ \
        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
        /* SCTP_STATE_ESTABLISHED */ \
-        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
+        TYPE_SCTP_FUNC(sctp_sf_do_no_pending_tsn), \
        /* SCTP_STATE_SHUTDOWN_PENDING */ \
        TYPE_SCTP_FUNC(sctp_sf_do_9_2_start_shutdown), \
        /* SCTP_STATE_SHUTDOWN_SENT */ \
@@ -734,8 +680,6 @@ static const sctp_sm_table_entry_t primitive_event_table[SCTP_NUM_PRIMITIVE_TYPE
 }
 #define TYPE_SCTP_OTHER_ICMP_PROTO_UNREACH  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -760,8 +704,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 };
 #define TYPE_SCTP_EVENT_TIMEOUT_NONE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -781,8 +723,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T1_COOKIE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -802,8 +742,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T1_INIT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -823,8 +761,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T2_SHUTDOWN { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -844,8 +780,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T3_RTX { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -865,8 +799,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T4_RTO { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -886,8 +818,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -897,7 +827,7 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
        /* SCTP_STATE_ESTABLISHED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_SHUTDOWN_PENDING */ \
-        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
+        TYPE_SCTP_FUNC(sctp_sf_t5_timer_expire), \
        /* SCTP_STATE_SHUTDOWN_SENT */ \
        TYPE_SCTP_FUNC(sctp_sf_t5_timer_expire), \
        /* SCTP_STATE_SHUTDOWN_RECEIVED */ \
@@ -907,8 +837,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_HEARTBEAT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -928,8 +856,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_SACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -949,8 +875,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_AUTOCLOSE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index deb82e35a107..d3ccf7973c59 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -658,11 +658,15 @@ static int sctp_bindx_rem(struct sock *sk, struct sockaddr *addrs, int addrcnt)
                        goto err_bindx_rem;
                }
-                if (sa_addr->v4.sin_port != htons(bp->port)) {
+                if (sa_addr->v4.sin_port &&
+                    sa_addr->v4.sin_port != htons(bp->port)) {
                        retval = -EINVAL;
                        goto err_bindx_rem;
                }
+                if (!sa_addr->v4.sin_port)
+                        sa_addr->v4.sin_port = htons(bp->port);
                /* FIXME - There is probably a need to check if sk->sk_saddr and
                 * sk->sk_rcv_addr are currently set to one of the addresses to
                 * be removed. This is something which needs to be looked into
@@ -1380,6 +1384,7 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
        struct sctp_endpoint *ep;
        struct sctp_association *asoc;
        struct list_head *pos, *temp;
+        unsigned int data_was_unread;
        SCTP_DEBUG_PRINTK("sctp_close(sk: 0x%p, timeout:%ld)\n", sk, timeout);
@@ -1389,6 +1394,10 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
        ep = sctp_sk(sk)->ep;
+        /* Clean up any skbs sitting on the receive queue.  */
+        data_was_unread = sctp_queue_purge_ulpevents(&sk->sk_receive_queue);
+        data_was_unread += sctp_queue_purge_ulpevents(&sctp_sk(sk)->pd_lobby);
        /* Walk all associations on an endpoint.  */
        list_for_each_safe(pos, temp, &ep->asocs) {
                asoc = list_entry(pos, struct sctp_association, asocs);
@@ -1406,7 +1415,9 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
                        }
                }
-                if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
+                if (data_was_unread || !skb_queue_empty(&asoc->ulpq.lobby) ||
+                    !skb_queue_empty(&asoc->ulpq.reasm) ||
+                    (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)) {
                        struct sctp_chunk *chunk;
                        chunk = sctp_make_abort_user(asoc, NULL, 0);
@@ -1416,10 +1427,6 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
                        sctp_primitive_SHUTDOWN(asoc, NULL);
        }
-        /* Clean up any skbs sitting on the receive queue.  */
-        sctp_queue_purge_ulpevents(&sk->sk_receive_queue);
-        sctp_queue_purge_ulpevents(&sctp_sk(sk)->pd_lobby);
        /* On a TCP-style socket, block for at most linger_time if set. */
        if (sctp_style(sk, TCP) && timeout)
                sctp_wait_for_close(sk, timeout);
@@ -1492,7 +1499,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
        struct sctp_chunk *chunk;
        union sctp_addr to;
        struct sockaddr *msg_name = NULL;
-        struct sctp_sndrcvinfo default_sinfo = { 0 };
+        struct sctp_sndrcvinfo default_sinfo;
        struct sctp_sndrcvinfo *sinfo;
        struct sctp_initmsg *sinit;
        sctp_assoc_t associd = 0;
@@ -1756,6 +1763,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
                /* If the user didn't specify SNDRCVINFO, make up one with
                 * some defaults.
                 */
+                memset(&default_sinfo, 0, sizeof(default_sinfo));
                default_sinfo.sinfo_stream = asoc->default_stream;
                default_sinfo.sinfo_flags = asoc->default_flags;
                default_sinfo.sinfo_ppid = asoc->default_ppid;
@@ -1786,12 +1794,10 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
                goto out_free;
        }
-        if (sinfo) {
+        /* Check for invalid stream. */
-                /* Check for invalid stream. */
+        if (sinfo->sinfo_stream >= asoc->c.sinit_num_ostreams) {
-                if (sinfo->sinfo_stream >= asoc->c.sinit_num_ostreams) {
+                err = -EINVAL;
-                        err = -EINVAL;
+                goto out_free;
-                        goto out_free;
-                }
        }
        timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
@@ -2070,10 +2076,33 @@ static int sctp_setsockopt_disable_fragments(struct sock *sk,
 static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
                                  unsigned int optlen)
 {
+        struct sctp_association *asoc;
+        struct sctp_ulpevent *event;
        if (optlen > sizeof(struct sctp_event_subscribe))
                return -EINVAL;
        if (copy_from_user(&sctp_sk(sk)->subscribe, optval, optlen))
                return -EFAULT;
+        /*
+         * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
+         * if there is no data to be sent or retransmit, the stack will
+         * immediately send up this notification.
+         */
+        if (sctp_ulpevent_type_enabled(SCTP_SENDER_DRY_EVENT,
+                                       &sctp_sk(sk)->subscribe)) {
+                asoc = sctp_id2assoc(sk, 0);
+                if (asoc && sctp_outq_is_empty(&asoc->outqueue)) {
+                        event = sctp_ulpevent_make_sender_dry_event(asoc,
+                                        GFP_ATOMIC);
+                        if (!event)
+                                return -ENOMEM;
+                        sctp_ulpq_tail_event(&asoc->ulpq, event);
+                }
+        }
        return 0;
 }
@@ -2283,7 +2312,7 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
                        trans->param_flags =
                                (trans->param_flags & ~SPP_PMTUD) | pmtud_change;
                        if (update) {
-                                sctp_transport_pmtu(trans);
+                                sctp_transport_pmtu(trans, sctp_opt2sk(sp));
                                sctp_assoc_sync_pmtu(asoc);
                        }
                } else if (asoc) {
@@ -3215,14 +3244,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
        if (optlen < sizeof(struct sctp_hmacalgo))
                return -EINVAL;
-        hmacs = kmalloc(optlen, GFP_KERNEL);
+        hmacs= memdup_user(optval, optlen);
-        if (!hmacs)
+        if (IS_ERR(hmacs))
-                return -ENOMEM;
+                return PTR_ERR(hmacs);
-        if (copy_from_user(hmacs, optval, optlen)) {
-                err = -EFAULT;
-                goto out;
-        }
        idents = hmacs->shmac_num_idents;
        if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
@@ -3257,14 +3281,9 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
        if (optlen <= sizeof(struct sctp_authkey))
                return -EINVAL;
-        authkey = kmalloc(optlen, GFP_KERNEL);
+        authkey= memdup_user(optval, optlen);
-        if (!authkey)
+        if (IS_ERR(authkey))
-                return -ENOMEM;
+                return PTR_ERR(authkey);
-        if (copy_from_user(authkey, optval, optlen)) {
-                ret = -EFAULT;
-                goto out;
-        }
        if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
                ret = -EINVAL;
@@ -5283,6 +5302,55 @@ static int sctp_getsockopt_assoc_number(struct sock *sk, int len,
        return 0;
 }
+/*
+ * 8.2.6. Get the Current Identifiers of Associations
+ *        (SCTP_GET_ASSOC_ID_LIST)
+ *
+ * This option gets the current list of SCTP association identifiers of
+ * the SCTP associations handled by a one-to-many style socket.
+ */
+static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
+                                    char __user *optval, int __user *optlen)
+{
+        struct sctp_sock *sp = sctp_sk(sk);
+        struct sctp_association *asoc;
+        struct sctp_assoc_ids *ids;
+        u32 num = 0;
+        if (sctp_style(sk, TCP))
+                return -EOPNOTSUPP;
+        if (len < sizeof(struct sctp_assoc_ids))
+                return -EINVAL;
+        list_for_each_entry(asoc, &(sp->ep->asocs), asocs) {
+                num++;
+        }
+        if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
+                return -EINVAL;
+        len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
+        ids = kmalloc(len, GFP_KERNEL);
+        if (unlikely(!ids))
+                return -ENOMEM;
+        ids->gaids_number_of_ids = num;
+        num = 0;
+        list_for_each_entry(asoc, &(sp->ep->asocs), asocs) {
+                ids->gaids_assoc_id[num++] = asoc->assoc_id;
+        }
+        if (put_user(len, optlen) || copy_to_user(optval, ids, len)) {
+                kfree(ids);
+                return -EFAULT;
+        }
+        kfree(ids);
+        return 0;
+}
 SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
                                char __user *optval, int __user *optlen)
 {
@@ -5415,6 +5483,9 @@ SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
        case SCTP_GET_ASSOC_NUMBER:
                retval = sctp_getsockopt_assoc_number(sk, len, optval, optlen);
                break;
+        case SCTP_GET_ASSOC_ID_LIST:
+                retval = sctp_getsockopt_assoc_ids(sk, len, optval, optlen);
+                break;
        default:
                retval = -ENOPROTOOPT;
                break;
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index d3ae493d234a..394c57ca2f54 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -211,15 +211,17 @@ void sctp_transport_set_owner(struct sctp_transport *transport,
 }
 /* Initialize the pmtu of a transport. */
-void sctp_transport_pmtu(struct sctp_transport *transport)
+void sctp_transport_pmtu(struct sctp_transport *transport, struct sock *sk)
 {
-        struct dst_entry *dst;
+        /* If we don't have a fresh route, look one up */
+        if (!transport->dst || transport->dst->obsolete > 1) {
-        dst = transport->af_specific->get_dst(NULL, &transport->ipaddr, NULL);
+                dst_release(transport->dst);
+                transport->af_specific->get_dst(transport, &transport->saddr,
+                                                &transport->fl, sk);
+        }
-        if (dst) {
+        if (transport->dst) {
-                transport->pathmtu = dst_mtu(dst);
+                transport->pathmtu = dst_mtu(transport->dst);
-                dst_release(dst);
        } else
                transport->pathmtu = SCTP_DEFAULT_MAXSEGMENT;
 }
@@ -270,22 +272,19 @@ void sctp_transport_route(struct sctp_transport *transport,
 {
        struct sctp_association *asoc = transport->asoc;
        struct sctp_af *af = transport->af_specific;
-        union sctp_addr *daddr = &transport->ipaddr;
-        struct dst_entry *dst;
-        dst = af->get_dst(asoc, daddr, saddr);
+        af->get_dst(transport, saddr, &transport->fl, sctp_opt2sk(opt));
        if (saddr)
                memcpy(&transport->saddr, saddr, sizeof(union sctp_addr));
        else
-                af->get_saddr(opt, asoc, dst, daddr, &transport->saddr);
+                af->get_saddr(opt, transport, &transport->fl);
-        transport->dst = dst;
        if ((transport->param_flags & SPP_PMTUD_DISABLE) && transport->pathmtu) {
                return;
        }
-        if (dst) {
+        if (transport->dst) {
-                transport->pathmtu = dst_mtu(dst);
+                transport->pathmtu = dst_mtu(transport->dst);
                /* Initialize sk->sk_rcv_saddr, if the transport is the
                 * association's active path for getsockname().
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index 61b1f5ada96a..8a84017834c2 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -843,7 +843,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_authkey(
        ak = (struct sctp_authkey_event *)
                skb_put(skb, sizeof(struct sctp_authkey_event));
-        ak->auth_type = SCTP_AUTHENTICATION_INDICATION;
+        ak->auth_type = SCTP_AUTHENTICATION_EVENT;
        ak->auth_flags = 0;
        ak->auth_length = sizeof(struct sctp_authkey_event);
@@ -862,6 +862,34 @@ fail:
        return NULL;
 }
+/*
+ * Socket Extensions for SCTP
+ * 6.3.10. SCTP_SENDER_DRY_EVENT
+ */
+struct sctp_ulpevent *sctp_ulpevent_make_sender_dry_event(
+        const struct sctp_association *asoc, gfp_t gfp)
+{
+        struct sctp_ulpevent *event;
+        struct sctp_sender_dry_event *sdry;
+        struct sk_buff *skb;
+        event = sctp_ulpevent_new(sizeof(struct sctp_sender_dry_event),
+                                  MSG_NOTIFICATION, gfp);
+        if (!event)
+                return NULL;
+        skb = sctp_event2skb(event);
+        sdry = (struct sctp_sender_dry_event *)
+                skb_put(skb, sizeof(struct sctp_sender_dry_event));
+        sdry->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+        sdry->sender_dry_flags = 0;
+        sdry->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+        sctp_ulpevent_set_owner(event, asoc);
+        sdry->sender_dry_assoc_id = sctp_assoc2id(asoc);
+        return event;
+}
 /* Return the notification type, assuming this is a notification
 * event.
@@ -1053,9 +1081,19 @@ void sctp_ulpevent_free(struct sctp_ulpevent *event)
 }
 /* Purge the skb lists holding ulpevents. */
-void sctp_queue_purge_ulpevents(struct sk_buff_head *list)
+unsigned int sctp_queue_purge_ulpevents(struct sk_buff_head *list)
 {
        struct sk_buff *skb;
-        while ((skb = skb_dequeue(list)) != NULL)
+        unsigned int data_unread = 0;
-                sctp_ulpevent_free(sctp_skb2event(skb));
+        while ((skb = skb_dequeue(list)) != NULL) {
+                struct sctp_ulpevent *event = sctp_skb2event(skb);
+                if (!sctp_ulpevent_is_notification(event))
+                        data_unread += skb->len;
+                sctp_ulpevent_free(event);
+        }
+        return data_unread;
 }
diff --git a/net/socket.c b/net/socket.c
index 310d16b1b3c9..02dc82db3d23 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -263,15 +263,6 @@ static struct inode *sock_alloc_inode(struct super_block *sb)
        return &ei->vfs_inode;
 }
-static void wq_free_rcu(struct rcu_head *head)
-{
-        struct socket_wq *wq = container_of(head, struct socket_wq, rcu);
-        kfree(wq);
-}
 static void sock_destroy_inode(struct inode *inode)
 {
        struct socket_alloc *ei;
@@ -279,7 +270,7 @@ static void sock_destroy_inode(struct inode *inode)
        ei = container_of(inode, struct socket_alloc, vfs_inode);
        wq = rcu_dereference_protected(ei->socket.wq, 1);
-        call_rcu(&wq->rcu, wq_free_rcu);
+        kfree_rcu(wq, rcu);
        kmem_cache_free(sock_inode_cachep, ei);
 }
@@ -551,11 +542,10 @@ int sock_tx_timestamp(struct sock *sk, __u8 *tx_flags)
 }
 EXPORT_SYMBOL(sock_tx_timestamp);
-static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
+static inline int __sock_sendmsg_nosec(struct kiocb *iocb, struct socket *sock,
-                                 struct msghdr *msg, size_t size)
+                                       struct msghdr *msg, size_t size)
 {
        struct sock_iocb *si = kiocb_to_siocb(iocb);
-        int err;
        sock_update_classid(sock->sk);
@@ -564,13 +554,17 @@ static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
        si->msg = msg;
        si->size = size;
-        err = security_socket_sendmsg(sock, msg, size);
-        if (err)
-                return err;
        return sock->ops->sendmsg(iocb, sock, msg, size);
 }
+static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
+                                 struct msghdr *msg, size_t size)
+{
+        int err = security_socket_sendmsg(sock, msg, size);
+        return err ?: __sock_sendmsg_nosec(iocb, sock, msg, size);
+}
 int sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 {
        struct kiocb iocb;
@@ -586,6 +580,20 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 }
 EXPORT_SYMBOL(sock_sendmsg);
+int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg, size_t size)
+{
+        struct kiocb iocb;
+        struct sock_iocb siocb;
+        int ret;
+        init_sync_kiocb(&iocb, NULL);
+        iocb.private = &siocb;
+        ret = __sock_sendmsg_nosec(&iocb, sock, msg, size);
+        if (-EIOCBQUEUED == ret)
+                ret = wait_on_sync_kiocb(&iocb);
+        return ret;
+}
 int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
                   struct kvec *vec, size_t num, size_t size)
 {
@@ -1863,57 +1871,47 @@ SYSCALL_DEFINE2(shutdown, int, fd, int, how)
 #define COMPAT_NAMELEN(msg)     COMPAT_MSG(msg, msg_namelen)
 #define COMPAT_FLAGS(msg)       COMPAT_MSG(msg, msg_flags)
-/*
+static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
- *      BSD sendmsg interface
+                         struct msghdr *msg_sys, unsigned flags, int nosec)
- */
-SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
 {
        struct compat_msghdr __user *msg_compat =
            (struct compat_msghdr __user *)msg;
-        struct socket *sock;
        struct sockaddr_storage address;
        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
        unsigned char ctl[sizeof(struct cmsghdr) + 20]
            __attribute__ ((aligned(sizeof(__kernel_size_t))));
        /* 20 is size of ipv6_pktinfo */
        unsigned char *ctl_buf = ctl;
-        struct msghdr msg_sys;
        int err, ctl_len, iov_size, total_len;
-        int fput_needed;
        err = -EFAULT;
        if (MSG_CMSG_COMPAT & flags) {
-                if (get_compat_msghdr(&msg_sys, msg_compat))
+                if (get_compat_msghdr(msg_sys, msg_compat))
                        return -EFAULT;
-        } else if (copy_from_user(&msg_sys, msg, sizeof(struct msghdr)))
+        } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
                return -EFAULT;
-        sock = sockfd_lookup_light(fd, &err, &fput_needed);
-        if (!sock)
-                goto out;
        /* do not move before msg_sys is valid */
        err = -EMSGSIZE;
-        if (msg_sys.msg_iovlen > UIO_MAXIOV)
+        if (msg_sys->msg_iovlen > UIO_MAXIOV)
-                goto out_put;
+                goto out;
        /* Check whether to allocate the iovec area */
        err = -ENOMEM;
-        iov_size = msg_sys.msg_iovlen * sizeof(struct iovec);
+        iov_size = msg_sys->msg_iovlen * sizeof(struct iovec);
-        if (msg_sys.msg_iovlen > UIO_FASTIOV) {
+        if (msg_sys->msg_iovlen > UIO_FASTIOV) {
                iov = sock_kmalloc(sock->sk, iov_size, GFP_KERNEL);
                if (!iov)
-                        goto out_put;
+                        goto out;
        }
        /* This will also move the address data into kernel space */
        if (MSG_CMSG_COMPAT & flags) {
-                err = verify_compat_iovec(&msg_sys, iov,
+                err = verify_compat_iovec(msg_sys, iov,
                                          (struct sockaddr *)&address,
                                          VERIFY_READ);
        } else
-                err = verify_iovec(&msg_sys, iov,
+                err = verify_iovec(msg_sys, iov,
                                   (struct sockaddr *)&address,
                                   VERIFY_READ);
        if (err < 0)
@@ -1922,17 +1920,17 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
        err = -ENOBUFS;
-        if (msg_sys.msg_controllen > INT_MAX)
+        if (msg_sys->msg_controllen > INT_MAX)
                goto out_freeiov;
-        ctl_len = msg_sys.msg_controllen;
+        ctl_len = msg_sys->msg_controllen;
        if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
                err =
-                    cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl,
+                    cmsghdr_from_user_compat_to_kern(msg_sys, sock->sk, ctl,
                                                     sizeof(ctl));
                if (err)
                        goto out_freeiov;
-                ctl_buf = msg_sys.msg_control;
+                ctl_buf = msg_sys->msg_control;
-                ctl_len = msg_sys.msg_controllen;
+                ctl_len = msg_sys->msg_controllen;
        } else if (ctl_len) {
                if (ctl_len > sizeof(ctl)) {
                        ctl_buf = sock_kmalloc(sock->sk, ctl_len, GFP_KERNEL);
@@ -1941,21 +1939,22 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
                }
                err = -EFAULT;
                /*
-                 * Careful! Before this, msg_sys.msg_control contains a user pointer.
+                 * Careful! Before this, msg_sys->msg_control contains a user pointer.
                 * Afterwards, it will be a kernel pointer. Thus the compiler-assisted
                 * checking falls down on this.
                 */
                if (copy_from_user(ctl_buf,
-                                   (void __user __force *)msg_sys.msg_control,
+                                   (void __user __force *)msg_sys->msg_control,
                                   ctl_len))
                        goto out_freectl;
-                msg_sys.msg_control = ctl_buf;
+                msg_sys->msg_control = ctl_buf;
        }
-        msg_sys.msg_flags = flags;
+        msg_sys->msg_flags = flags;
        if (sock->file->f_flags & O_NONBLOCK)
-                msg_sys.msg_flags |= MSG_DONTWAIT;
+                msg_sys->msg_flags |= MSG_DONTWAIT;
-        err = sock_sendmsg(sock, &msg_sys, total_len);
+        err = (nosec ? sock_sendmsg_nosec : sock_sendmsg)(sock, msg_sys,
+                                                          total_len);
 out_freectl:
        if (ctl_buf != ctl)
@@ -1963,12 +1962,114 @@ out_freectl:
 out_freeiov:
        if (iov != iovstack)
                sock_kfree_s(sock->sk, iov, iov_size);
-out_put:
+out:
+        return err;
+}
+/*
+ *      BSD sendmsg interface
+ */
+SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
+{
+        int fput_needed, err;
+        struct msghdr msg_sys;
+        struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+        if (!sock)
+                goto out;
+        err = __sys_sendmsg(sock, msg, &msg_sys, flags, 0);
        fput_light(sock->file, fput_needed);
 out:
        return err;
 }
+/*
+ *      Linux sendmmsg interface
+ */
+int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+                   unsigned int flags)
+{
+        int fput_needed, err, datagrams;
+        struct socket *sock;
+        struct mmsghdr __user *entry;
+        struct compat_mmsghdr __user *compat_entry;
+        struct msghdr msg_sys;
+        datagrams = 0;
+        sock = sockfd_lookup_light(fd, &err, &fput_needed);
+        if (!sock)
+                return err;
+        err = sock_error(sock->sk);
+        if (err)
+                goto out_put;
+        entry = mmsg;
+        compat_entry = (struct compat_mmsghdr __user *)mmsg;
+        while (datagrams < vlen) {
+                /*
+                 * No need to ask LSM for more than the first datagram.
+                 */
+                if (MSG_CMSG_COMPAT & flags) {
+                        err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+                                            &msg_sys, flags, datagrams);
+                        if (err < 0)
+                                break;
+                        err = __put_user(err, &compat_entry->msg_len);
+                        ++compat_entry;
+                } else {
+                        err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
+                                            &msg_sys, flags, datagrams);
+                        if (err < 0)
+                                break;
+                        err = put_user(err, &entry->msg_len);
+                        ++entry;
+                }
+                if (err)
+                        break;
+                ++datagrams;
+        }
+out_put:
+        fput_light(sock->file, fput_needed);
+        if (err == 0)
+                return datagrams;
+        if (datagrams != 0) {
+                /*
+                 * We may send less entries than requested (vlen) if the
+                 * sock is non blocking...
+                 */
+                if (err != -EAGAIN) {
+                        /*
+                         * ... or if sendmsg returns an error after we
+                         * send some datagrams, where we record the
+                         * error to return on the next call or if the
+                         * app asks about it using getsockopt(SO_ERROR).
+                         */
+                        sock->sk->sk_err = -err;
+                }
+                return datagrams;
+        }
+        return err;
+}
+SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
+                unsigned int, vlen, unsigned int, flags)
+{
+        return __sys_sendmmsg(fd, mmsg, vlen, flags);
+}
 static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
                         struct msghdr *msg_sys, unsigned flags, int nosec)
 {
@@ -2122,14 +2223,16 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
                 */
                if (MSG_CMSG_COMPAT & flags) {
                        err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
-                                            &msg_sys, flags, datagrams);
+                                            &msg_sys, flags & ~MSG_WAITFORONE,
+                                            datagrams);
                        if (err < 0)
                                break;
                        err = __put_user(err, &compat_entry->msg_len);
                        ++compat_entry;
                } else {
                        err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
-                                            &msg_sys, flags, datagrams);
+                                            &msg_sys, flags & ~MSG_WAITFORONE,
+                                            datagrams);
                        if (err < 0)
                                break;
                        err = put_user(err, &entry->msg_len);
@@ -2214,11 +2317,11 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
 #ifdef __ARCH_WANT_SYS_SOCKETCALL
 /* Argument list sizes for sys_socketcall */
 #define AL(x) ((x) * sizeof(unsigned long))
-static const unsigned char nargs[20] = {
+static const unsigned char nargs[21] = {
        AL(0), AL(3), AL(3), AL(3), AL(2), AL(3),
        AL(3), AL(3), AL(4), AL(4), AL(4), AL(6),
        AL(6), AL(2), AL(5), AL(5), AL(3), AL(3),
-        AL(4), AL(5)
+        AL(4), AL(5), AL(4)
 };
 #undef AL
@@ -2238,7 +2341,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
        int err;
        unsigned int len;
-        if (call < 1 || call > SYS_RECVMMSG)
+        if (call < 1 || call > SYS_SENDMMSG)
                return -EINVAL;
        len = nargs[call];
@@ -2313,6 +2416,9 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
        case SYS_SENDMSG:
                err = sys_sendmsg(a0, (struct msghdr __user *)a1, a[2]);
                break;
+        case SYS_SENDMMSG:
+                err = sys_sendmmsg(a0, (struct mmsghdr __user *)a1, a[2], a[3]);
+                break;
        case SYS_RECVMSG:
                err = sys_recvmsg(a0, (struct msghdr __user *)a1, a[2]);
                break;
@@ -2643,13 +2749,13 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
                return -EFAULT;
        if (convert_in) {
-                /* We expect there to be holes between fs.m_u and
+                /* We expect there to be holes between fs.m_ext and
                 * fs.ring_cookie and at the end of fs, but nowhere else.
                 */
-                BUILD_BUG_ON(offsetof(struct compat_ethtool_rxnfc, fs.m_u) +
+                BUILD_BUG_ON(offsetof(struct compat_ethtool_rxnfc, fs.m_ext) +
-                             sizeof(compat_rxnfc->fs.m_u) !=
+                             sizeof(compat_rxnfc->fs.m_ext) !=
-                             offsetof(struct ethtool_rxnfc, fs.m_u) +
+                             offsetof(struct ethtool_rxnfc, fs.m_ext) +
-                             sizeof(rxnfc->fs.m_u));
+                             sizeof(rxnfc->fs.m_ext));
                BUILD_BUG_ON(
                        offsetof(struct compat_ethtool_rxnfc, fs.location) -
                        offsetof(struct compat_ethtool_rxnfc, fs.ring_cookie) !=
@@ -2657,7 +2763,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
                        offsetof(struct ethtool_rxnfc, fs.ring_cookie));
                if (copy_in_user(rxnfc, compat_rxnfc,
-                                 (void *)(&rxnfc->fs.m_u + 1) -
+                                 (void *)(&rxnfc->fs.m_ext + 1) -
                                 (void *)rxnfc) ||
                    copy_in_user(&rxnfc->fs.ring_cookie,
                                 &compat_rxnfc->fs.ring_cookie,
@@ -2674,7 +2780,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
        if (convert_out) {
                if (copy_in_user(compat_rxnfc, rxnfc,
-                                 (const void *)(&rxnfc->fs.m_u + 1) -
+                                 (const void *)(&rxnfc->fs.m_ext + 1) -
                                 (const void *)rxnfc) ||
                    copy_in_user(&compat_rxnfc->fs.ring_cookie,
                                 &rxnfc->fs.ring_cookie,
diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c
index 1419d0cdbbac..4195233c4914 100644
--- a/net/sunrpc/addr.c
+++ b/net/sunrpc/addr.c
@@ -151,7 +151,7 @@ static size_t rpc_pton4(const char *buf, const size_t buflen,
                return 0;
        sin->sin_family = AF_INET;
-        return sizeof(struct sockaddr_in);;
+        return sizeof(struct sockaddr_in);
 }
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
index 67e31276682a..cd6e4aa19dbf 100644
--- a/net/sunrpc/auth.c
+++ b/net/sunrpc/auth.c
@@ -326,10 +326,12 @@ rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
 * Run memory cache shrinker.
 */
 static int
-rpcauth_cache_shrinker(struct shrinker *shrink, int nr_to_scan, gfp_t gfp_mask)
+rpcauth_cache_shrinker(struct shrinker *shrink, struct shrink_control *sc)
 {
        LIST_HEAD(free);
        int res;
+        int nr_to_scan = sc->nr_to_scan;
+        gfp_t gfp_mask = sc->gfp_mask;
        if ((gfp_mask & GFP_KERNEL) != GFP_KERNEL)
                return (nr_to_scan == 0) ? 0 : -1;
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 339ba64cce1e..5daf6cc4faea 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -577,13 +577,13 @@ retry:
        }
        inode = &gss_msg->inode->vfs_inode;
        for (;;) {
-                prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_INTERRUPTIBLE);
+                prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_KILLABLE);
                spin_lock(&inode->i_lock);
                if (gss_msg->ctx != NULL || gss_msg->msg.errno < 0) {
                        break;
                }
                spin_unlock(&inode->i_lock);
-                if (signalled()) {
+                if (fatal_signal_pending(current)) {
                        err = -ERESTARTSYS;
                        goto out_intr;
                }
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 0a9a2ec2e469..c3b75333b821 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -43,6 +43,7 @@
 #include <linux/sunrpc/gss_krb5.h>
 #include <linux/sunrpc/xdr.h>
 #include <linux/crypto.h>
+#include <linux/sunrpc/gss_krb5_enctypes.h>
 #ifdef RPC_DEBUG
 # define RPCDBG_FACILITY        RPCDBG_AUTH
@@ -750,7 +751,7 @@ static struct gss_api_mech gss_kerberos_mech = {
        .gm_ops         = &gss_kerberos_ops,
        .gm_pf_num      = ARRAY_SIZE(gss_kerberos_pfs),
        .gm_pfs         = gss_kerberos_pfs,
-        .gm_upcall_enctypes = "18,17,16,23,3,1,2",
+        .gm_upcall_enctypes = KRB5_SUPPORTED_ENCTYPES,
 };
 static int __init init_kerberos_module(void)
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 8d83f9d48713..8c9141583d6f 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -13,10 +13,6 @@
 *      and need to be refreshed, or when a packet was damaged in transit.
 *      This may be have to be moved to the VFS layer.
 *
- *  NB: BSD uses a more intelligent approach to guessing when a request
- *  or reply has been lost by keeping the RTO estimate for each procedure.
- *  We currently make do with a constant timeout value.
- *
 *  Copyright (C) 1992,1993 Rick Sladkey <jrs@world.std.com>
 *  Copyright (C) 1995,1996 Olaf Kirch <okir@monad.swb.de>
 */
@@ -32,7 +28,9 @@
 #include <linux/slab.h>
 #include <linux/utsname.h>
 #include <linux/workqueue.h>
+#include <linux/in.h>
 #include <linux/in6.h>
+#include <linux/un.h>
 #include <linux/sunrpc/clnt.h>
 #include <linux/sunrpc/rpc_pipe_fs.h>
@@ -298,22 +296,27 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args)
         * up a string representation of the passed-in address.
         */
        if (args->servername == NULL) {
+                struct sockaddr_un *sun =
+                                (struct sockaddr_un *)args->address;
+                struct sockaddr_in *sin =
+                                (struct sockaddr_in *)args->address;
+                struct sockaddr_in6 *sin6 =
+                                (struct sockaddr_in6 *)args->address;
                servername[0] = '\0';
                switch (args->address->sa_family) {
-                case AF_INET: {
+                case AF_LOCAL:
-                        struct sockaddr_in *sin =
+                        snprintf(servername, sizeof(servername), "%s",
-                                        (struct sockaddr_in *)args->address;
+                                 sun->sun_path);
+                        break;
+                case AF_INET:
                        snprintf(servername, sizeof(servername), "%pI4",
                                 &sin->sin_addr.s_addr);
                        break;
-                }
+                case AF_INET6:
-                case AF_INET6: {
-                        struct sockaddr_in6 *sin =
-                                        (struct sockaddr_in6 *)args->address;
                        snprintf(servername, sizeof(servername), "%pI6",
-                                 &sin->sin6_addr);
+                                 &sin6->sin6_addr);
                        break;
-                }
                default:
                        /* caller wants default server name, but
                         * address family isn't recognized. */
@@ -1058,7 +1061,7 @@ call_allocate(struct rpc_task *task)
        dprintk("RPC: %5u rpc_buffer allocation failed\n", task->tk_pid);
-        if (RPC_IS_ASYNC(task) || !signalled()) {
+        if (RPC_IS_ASYNC(task) || !fatal_signal_pending(current)) {
                task->tk_action = call_allocate;
                rpc_delay(task, HZ>>4);
                return;
@@ -1172,6 +1175,9 @@ call_bind_status(struct rpc_task *task)
                        status = -EOPNOTSUPP;
                        break;
                }
+                if (task->tk_rebind_retry == 0)
+                        break;
+                task->tk_rebind_retry--;
                rpc_delay(task, 3*HZ);
                goto retry_timeout;
        case -ETIMEDOUT:
diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
index c652e4cc9fe9..e45d2fbbe5a8 100644
--- a/net/sunrpc/rpcb_clnt.c
+++ b/net/sunrpc/rpcb_clnt.c
@@ -16,6 +16,7 @@
 #include <linux/types.h>
 #include <linux/socket.h>
+#include <linux/un.h>
 #include <linux/in.h>
 #include <linux/in6.h>
 #include <linux/kernel.h>
@@ -32,6 +33,8 @@
 # define RPCDBG_FACILITY        RPCDBG_BIND
 #endif
+#define RPCBIND_SOCK_PATHNAME   "/var/run/rpcbind.sock"
 #define RPCBIND_PROGRAM         (100000u)
 #define RPCBIND_PORT            (111u)
@@ -158,20 +161,69 @@ static void rpcb_map_release(void *data)
        kfree(map);
 }
-static const struct sockaddr_in rpcb_inaddr_loopback = {
+/*
-        .sin_family             = AF_INET,
+ * Returns zero on success, otherwise a negative errno value
-        .sin_addr.s_addr        = htonl(INADDR_LOOPBACK),
+ * is returned.
-        .sin_port               = htons(RPCBIND_PORT),
+ */
-};
+static int rpcb_create_local_unix(void)
+{
+        static const struct sockaddr_un rpcb_localaddr_rpcbind = {
+                .sun_family             = AF_LOCAL,
+                .sun_path               = RPCBIND_SOCK_PATHNAME,
+        };
+        struct rpc_create_args args = {
+                .net            = &init_net,
+                .protocol       = XPRT_TRANSPORT_LOCAL,
+                .address        = (struct sockaddr *)&rpcb_localaddr_rpcbind,
+                .addrsize       = sizeof(rpcb_localaddr_rpcbind),
+                .servername     = "localhost",
+                .program        = &rpcb_program,
+                .version        = RPCBVERS_2,
+                .authflavor     = RPC_AUTH_NULL,
+        };
+        struct rpc_clnt *clnt, *clnt4;
+        int result = 0;
+        /*
+         * Because we requested an RPC PING at transport creation time,
+         * this works only if the user space portmapper is rpcbind, and
+         * it's listening on AF_LOCAL on the named socket.
+         */
+        clnt = rpc_create(&args);
+        if (IS_ERR(clnt)) {
+                dprintk("RPC:       failed to create AF_LOCAL rpcbind "
+                                "client (errno %ld).\n", PTR_ERR(clnt));
+                result = -PTR_ERR(clnt);
+                goto out;
+        }
+        clnt4 = rpc_bind_new_program(clnt, &rpcb_program, RPCBVERS_4);
+        if (IS_ERR(clnt4)) {
+                dprintk("RPC:       failed to bind second program to "
+                                "rpcbind v4 client (errno %ld).\n",
+                                PTR_ERR(clnt4));
+                clnt4 = NULL;
+        }
+        /* Protected by rpcb_create_local_mutex */
+        rpcb_local_clnt = clnt;
+        rpcb_local_clnt4 = clnt4;
-static DEFINE_MUTEX(rpcb_create_local_mutex);
+out:
+        return result;
+}
 /*
 * Returns zero on success, otherwise a negative errno value
 * is returned.
 */
-static int rpcb_create_local(void)
+static int rpcb_create_local_net(void)
 {
+        static const struct sockaddr_in rpcb_inaddr_loopback = {
+                .sin_family             = AF_INET,
+                .sin_addr.s_addr        = htonl(INADDR_LOOPBACK),
+                .sin_port               = htons(RPCBIND_PORT),
+        };
        struct rpc_create_args args = {
                .net            = &init_net,
                .protocol       = XPRT_TRANSPORT_TCP,
@@ -186,13 +238,6 @@ static int rpcb_create_local(void)
        struct rpc_clnt *clnt, *clnt4;
        int result = 0;
-        if (rpcb_local_clnt)
-                return result;
-        mutex_lock(&rpcb_create_local_mutex);
-        if (rpcb_local_clnt)
-                goto out;
        clnt = rpc_create(&args);
        if (IS_ERR(clnt)) {
                dprintk("RPC:       failed to create local rpcbind "
@@ -214,10 +259,34 @@ static int rpcb_create_local(void)
                clnt4 = NULL;
        }
+        /* Protected by rpcb_create_local_mutex */
        rpcb_local_clnt = clnt;
        rpcb_local_clnt4 = clnt4;
 out:
+        return result;
+}
+/*
+ * Returns zero on success, otherwise a negative errno value
+ * is returned.
+ */
+static int rpcb_create_local(void)
+{
+        static DEFINE_MUTEX(rpcb_create_local_mutex);
+        int result = 0;
+        if (rpcb_local_clnt)
+                return result;
+        mutex_lock(&rpcb_create_local_mutex);
+        if (rpcb_local_clnt)
+                goto out;
+        if (rpcb_create_local_unix() != 0)
+                result = rpcb_create_local_net();
+out:
        mutex_unlock(&rpcb_create_local_mutex);
        return result;
 }
@@ -528,7 +597,7 @@ void rpcb_getport_async(struct rpc_task *task)
        u32 bind_version;
        struct rpc_xprt *xprt;
        struct rpc_clnt *rpcb_clnt;
-        static struct rpcbind_args *map;
+        struct rpcbind_args *map;
        struct rpc_task *child;
        struct sockaddr_storage addr;
        struct sockaddr *sap = (struct sockaddr *)&addr;
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 6b43ee7221d5..4814e246a874 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -616,30 +616,25 @@ static void __rpc_execute(struct rpc_task *task)
        BUG_ON(RPC_IS_QUEUED(task));
        for (;;) {
+                void (*do_action)(struct rpc_task *);
                /*
-                 * Execute any pending callback.
+                 * Execute any pending callback first.
                 */
-                if (task->tk_callback) {
+                do_action = task->tk_callback;
-                        void (*save_callback)(struct rpc_task *);
+                task->tk_callback = NULL;
+                if (do_action == NULL) {
-                        /*
-                         * We set tk_callback to NULL before calling it,
-                         * in case it sets the tk_callback field itself:
-                         */
-                        save_callback = task->tk_callback;
-                        task->tk_callback = NULL;
-                        save_callback(task);
-                } else {
                        /*
                         * Perform the next FSM step.
-                         * tk_action may be NULL when the task has been killed
+                         * tk_action may be NULL if the task has been killed.
-                         * by someone else.
+                         * In particular, note that rpc_killall_tasks may
+                         * do this at any time, so beware when dereferencing.
                         */
-                        if (task->tk_action == NULL)
+                        do_action = task->tk_action;
+                        if (do_action == NULL)
                                break;
-                        task->tk_action(task);
                }
+                do_action(task);
                /*
                 * Lockless check for whether task is sleeping or not.
@@ -792,6 +787,7 @@ static void rpc_init_task(struct rpc_task *task, const struct rpc_task_setup *ta
        /* Initialize retry counters */
        task->tk_garb_retry = 2;
        task->tk_cred_retry = 2;
+        task->tk_rebind_retry = 2;
        task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW;
        task->tk_owner = current->tgid;
diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index 08e05a8ce025..2b90292e9505 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -942,6 +942,8 @@ static void svc_unregister(const struct svc_serv *serv)
                        if (progp->pg_vers[i]->vs_hidden)
                                continue;
+                        dprintk("svc: attempting to unregister %sv%u\n",
+                                progp->pg_name, i);
                        __svc_unregister(progp->pg_prog, i, progp->pg_name);
                }
        }
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index b7d435c3f19e..af04f779ce9f 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -387,6 +387,33 @@ static int svc_recvfrom(struct svc_rqst *rqstp, struct kvec *iov, int nr,
        return len;
 }
+static int svc_partial_recvfrom(struct svc_rqst *rqstp,
+                                struct kvec *iov, int nr,
+                                int buflen, unsigned int base)
+{
+        size_t save_iovlen;
+        void __user *save_iovbase;
+        unsigned int i;
+        int ret;
+        if (base == 0)
+                return svc_recvfrom(rqstp, iov, nr, buflen);
+        for (i = 0; i < nr; i++) {
+                if (iov[i].iov_len > base)
+                        break;
+                base -= iov[i].iov_len;
+        }
+        save_iovlen = iov[i].iov_len;
+        save_iovbase = iov[i].iov_base;
+        iov[i].iov_len -= base;
+        iov[i].iov_base += base;
+        ret = svc_recvfrom(rqstp, &iov[i], nr - i, buflen);
+        iov[i].iov_len = save_iovlen;
+        iov[i].iov_base = save_iovbase;
+        return ret;
+}
 /*
 * Set socket snd and rcv buffer lengths
 */
@@ -409,7 +436,6 @@ static void svc_sock_setbufsize(struct socket *sock, unsigned int snd,
        lock_sock(sock->sk);
        sock->sk->sk_sndbuf = snd * 2;
        sock->sk->sk_rcvbuf = rcv * 2;
-        sock->sk->sk_userlocks |= SOCK_SNDBUF_LOCK|SOCK_RCVBUF_LOCK;
        sock->sk->sk_write_space(sock->sk);
        release_sock(sock->sk);
 #endif
@@ -884,6 +910,56 @@ failed:
        return NULL;
 }
+static unsigned int svc_tcp_restore_pages(struct svc_sock *svsk, struct svc_rqst *rqstp)
+{
+        unsigned int i, len, npages;
+        if (svsk->sk_tcplen <= sizeof(rpc_fraghdr))
+                return 0;
+        len = svsk->sk_tcplen - sizeof(rpc_fraghdr);
+        npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+        for (i = 0; i < npages; i++) {
+                if (rqstp->rq_pages[i] != NULL)
+                        put_page(rqstp->rq_pages[i]);
+                BUG_ON(svsk->sk_pages[i] == NULL);
+                rqstp->rq_pages[i] = svsk->sk_pages[i];
+                svsk->sk_pages[i] = NULL;
+        }
+        rqstp->rq_arg.head[0].iov_base = page_address(rqstp->rq_pages[0]);
+        return len;
+}
+static void svc_tcp_save_pages(struct svc_sock *svsk, struct svc_rqst *rqstp)
+{
+        unsigned int i, len, npages;
+        if (svsk->sk_tcplen <= sizeof(rpc_fraghdr))
+                return;
+        len = svsk->sk_tcplen - sizeof(rpc_fraghdr);
+        npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+        for (i = 0; i < npages; i++) {
+                svsk->sk_pages[i] = rqstp->rq_pages[i];
+                rqstp->rq_pages[i] = NULL;
+        }
+}
+static void svc_tcp_clear_pages(struct svc_sock *svsk)
+{
+        unsigned int i, len, npages;
+        if (svsk->sk_tcplen <= sizeof(rpc_fraghdr))
+                goto out;
+        len = svsk->sk_tcplen - sizeof(rpc_fraghdr);
+        npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+        for (i = 0; i < npages; i++) {
+                BUG_ON(svsk->sk_pages[i] == NULL);
+                put_page(svsk->sk_pages[i]);
+                svsk->sk_pages[i] = NULL;
+        }
+out:
+        svsk->sk_tcplen = 0;
+}
 /*
 * Receive data.
 * If we haven't gotten the record length yet, get the next four bytes.
@@ -893,31 +969,15 @@ failed:
 static int svc_tcp_recv_record(struct svc_sock *svsk, struct svc_rqst *rqstp)
 {
        struct svc_serv *serv = svsk->sk_xprt.xpt_server;
+        unsigned int want;
        int len;
-        if (test_and_clear_bit(XPT_CHNGBUF, &svsk->sk_xprt.xpt_flags))
-                /* sndbuf needs to have room for one request
-                 * per thread, otherwise we can stall even when the
-                 * network isn't a bottleneck.
-                 *
-                 * We count all threads rather than threads in a
-                 * particular pool, which provides an upper bound
-                 * on the number of threads which will access the socket.
-                 *
-                 * rcvbuf just needs to be able to hold a few requests.
-                 * Normally they will be removed from the queue
-                 * as soon a a complete request arrives.
-                 */
-                svc_sock_setbufsize(svsk->sk_sock,
-                                    (serv->sv_nrthreads+3) * serv->sv_max_mesg,
-                                    3 * serv->sv_max_mesg);
        clear_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
        if (svsk->sk_tcplen < sizeof(rpc_fraghdr)) {
-                int             want = sizeof(rpc_fraghdr) - svsk->sk_tcplen;
                struct kvec     iov;
+                want = sizeof(rpc_fraghdr) - svsk->sk_tcplen;
                iov.iov_base = ((char *) &svsk->sk_reclen) + svsk->sk_tcplen;
                iov.iov_len  = want;
                if ((len = svc_recvfrom(rqstp, &iov, 1, want)) < 0)
@@ -927,7 +987,7 @@ static int svc_tcp_recv_record(struct svc_sock *svsk, struct svc_rqst *rqstp)
                if (len < want) {
                        dprintk("svc: short recvfrom while reading record "
                                "length (%d of %d)\n", len, want);
-                        goto err_again; /* record header not complete */
+                        return -EAGAIN;
                }
                svsk->sk_reclen = ntohl(svsk->sk_reclen);
@@ -954,83 +1014,75 @@ static int svc_tcp_recv_record(struct svc_sock *svsk, struct svc_rqst *rqstp)
                }
        }
-        /* Check whether enough data is available */
+        if (svsk->sk_reclen < 8)
-        len = svc_recv_available(svsk);
+                goto err_delete; /* client is nuts. */
-        if (len < 0)
-                goto error;
-        if (len < svsk->sk_reclen) {
-                dprintk("svc: incomplete TCP record (%d of %d)\n",
-                        len, svsk->sk_reclen);
-                goto err_again; /* record not complete */
-        }
        len = svsk->sk_reclen;
-        set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
        return len;
- error:
+error:
-        if (len == -EAGAIN)
+        dprintk("RPC: TCP recv_record got %d\n", len);
-                dprintk("RPC: TCP recv_record got EAGAIN\n");
        return len;
- err_delete:
+err_delete:
        set_bit(XPT_CLOSE, &svsk->sk_xprt.xpt_flags);
- err_again:
        return -EAGAIN;
 }
-static int svc_process_calldir(struct svc_sock *svsk, struct svc_rqst *rqstp,
+static int receive_cb_reply(struct svc_sock *svsk, struct svc_rqst *rqstp)
-                               struct rpc_rqst **reqpp, struct kvec *vec)
 {
+        struct rpc_xprt *bc_xprt = svsk->sk_xprt.xpt_bc_xprt;
        struct rpc_rqst *req = NULL;
-        u32 *p;
+        struct kvec *src, *dst;
-        u32 xid;
+        __be32 *p = (__be32 *)rqstp->rq_arg.head[0].iov_base;
-        u32 calldir;
+        __be32 xid;
-        int len;
+        __be32 calldir;
-        len = svc_recvfrom(rqstp, vec, 1, 8);
-        if (len < 0)
-                goto error;
-        p = (u32 *)rqstp->rq_arg.head[0].iov_base;
        xid = *p++;
        calldir = *p;
-        if (calldir == 0) {
+        if (bc_xprt)
-                /* REQUEST is the most common case */
+                req = xprt_lookup_rqst(bc_xprt, xid);
-                vec[0] = rqstp->rq_arg.head[0];
-        } else {
-                /* REPLY */
-                struct rpc_xprt *bc_xprt = svsk->sk_xprt.xpt_bc_xprt;
-                if (bc_xprt)
-                        req = xprt_lookup_rqst(bc_xprt, xid);
-                if (!req) {
-                        printk(KERN_NOTICE
-                                "%s: Got unrecognized reply: "
-                                "calldir 0x%x xpt_bc_xprt %p xid %08x\n",
-                                __func__, ntohl(calldir),
-                                bc_xprt, xid);
-                        vec[0] = rqstp->rq_arg.head[0];
-                        goto out;
-                }
-                memcpy(&req->rq_private_buf, &req->rq_rcv_buf,
+        if (!req) {
-                       sizeof(struct xdr_buf));
+                printk(KERN_NOTICE
-                /* copy the xid and call direction */
+                        "%s: Got unrecognized reply: "
-                memcpy(req->rq_private_buf.head[0].iov_base,
+                        "calldir 0x%x xpt_bc_xprt %p xid %08x\n",
-                       rqstp->rq_arg.head[0].iov_base, 8);
+                        __func__, ntohl(calldir),
-                vec[0] = req->rq_private_buf.head[0];
+                        bc_xprt, xid);
+                return -EAGAIN;
        }
- out:
-        vec[0].iov_base += 8;
+        memcpy(&req->rq_private_buf, &req->rq_rcv_buf, sizeof(struct xdr_buf));
-        vec[0].iov_len -= 8;
+        /*
-        len = svsk->sk_reclen - 8;
+         * XXX!: cheating for now!  Only copying HEAD.
- error:
+         * But we know this is good enough for now (in fact, for any
-        *reqpp = req;
+         * callback reply in the forseeable future).
-        return len;
+         */
+        dst = &req->rq_private_buf.head[0];
+        src = &rqstp->rq_arg.head[0];
+        if (dst->iov_len < src->iov_len)
+                return -EAGAIN; /* whatever; just giving up. */
+        memcpy(dst->iov_base, src->iov_base, src->iov_len);
+        xprt_complete_rqst(req->rq_task, svsk->sk_reclen);
+        rqstp->rq_arg.len = 0;
+        return 0;
 }
+static int copy_pages_to_kvecs(struct kvec *vec, struct page **pages, int len)
+{
+        int i = 0;
+        int t = 0;
+        while (t < len) {
+                vec[i].iov_base = page_address(pages[i]);
+                vec[i].iov_len = PAGE_SIZE;
+                i++;
+                t += PAGE_SIZE;
+        }
+        return i;
+}
 /*
 * Receive data from a TCP socket.
 */
@@ -1041,8 +1093,10 @@ static int svc_tcp_recvfrom(struct svc_rqst *rqstp)
        struct svc_serv *serv = svsk->sk_xprt.xpt_server;
        int             len;
        struct kvec *vec;
-        int pnum, vlen;
+        unsigned int want, base;
-        struct rpc_rqst *req = NULL;
+        __be32 *p;
+        __be32 calldir;
+        int pnum;
        dprintk("svc: tcp_recv %p data %d conn %d close %d\n",
                svsk, test_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags),
@@ -1053,87 +1107,73 @@ static int svc_tcp_recvfrom(struct svc_rqst *rqstp)
        if (len < 0)
                goto error;
+        base = svc_tcp_restore_pages(svsk, rqstp);
+        want = svsk->sk_reclen - base;
        vec = rqstp->rq_vec;
-        vec[0] = rqstp->rq_arg.head[0];
-        vlen = PAGE_SIZE;
-        /*
+        pnum = copy_pages_to_kvecs(&vec[0], &rqstp->rq_pages[0],
-         * We have enough data for the whole tcp record. Let's try and read the
+                                                svsk->sk_reclen);
-         * first 8 bytes to get the xid and the call direction. We can use this
-         * to figure out if this is a call or a reply to a callback. If
-         * sk_reclen is < 8 (xid and calldir), then this is a malformed packet.
-         * In that case, don't bother with the calldir and just read the data.
-         * It will be rejected in svc_process.
-         */
-        if (len >= 8) {
-                len = svc_process_calldir(svsk, rqstp, &req, vec);
-                if (len < 0)
-                        goto err_again;
-                vlen -= 8;
-        }
-        pnum = 1;
-        while (vlen < len) {
-                vec[pnum].iov_base = (req) ?
-                        page_address(req->rq_private_buf.pages[pnum - 1]) :
-                        page_address(rqstp->rq_pages[pnum]);
-                vec[pnum].iov_len = PAGE_SIZE;
-                pnum++;
-                vlen += PAGE_SIZE;
-        }
        rqstp->rq_respages = &rqstp->rq_pages[pnum];
        /* Now receive data */
-        len = svc_recvfrom(rqstp, vec, pnum, len);
+        len = svc_partial_recvfrom(rqstp, vec, pnum, want, base);
-        if (len < 0)
+        if (len >= 0)
-                goto err_again;
+                svsk->sk_tcplen += len;
+        if (len != want) {
-        /*
+                if (len < 0 && len != -EAGAIN)
-         * Account for the 8 bytes we read earlier
+                        goto err_other;
-         */
+                svc_tcp_save_pages(svsk, rqstp);
-        len += 8;
+                dprintk("svc: incomplete TCP record (%d of %d)\n",
+                        svsk->sk_tcplen, svsk->sk_reclen);
-        if (req) {
+                goto err_noclose;
-                xprt_complete_rqst(req->rq_task, len);
-                len = 0;
-                goto out;
        }
-        dprintk("svc: TCP complete record (%d bytes)\n", len);
-        rqstp->rq_arg.len = len;
+        rqstp->rq_arg.len = svsk->sk_reclen;
        rqstp->rq_arg.page_base = 0;
-        if (len <= rqstp->rq_arg.head[0].iov_len) {
+        if (rqstp->rq_arg.len <= rqstp->rq_arg.head[0].iov_len) {
-                rqstp->rq_arg.head[0].iov_len = len;
+                rqstp->rq_arg.head[0].iov_len = rqstp->rq_arg.len;
                rqstp->rq_arg.page_len = 0;
-        } else {
+        } else
-                rqstp->rq_arg.page_len = len - rqstp->rq_arg.head[0].iov_len;
+                rqstp->rq_arg.page_len = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len;
-        }
        rqstp->rq_xprt_ctxt   = NULL;
        rqstp->rq_prot        = IPPROTO_TCP;
-out:
+        p = (__be32 *)rqstp->rq_arg.head[0].iov_base;
+        calldir = p[1];
+        if (calldir)
+                len = receive_cb_reply(svsk, rqstp);
        /* Reset TCP read info */
        svsk->sk_reclen = 0;
        svsk->sk_tcplen = 0;
+        /* If we have more data, signal svc_xprt_enqueue() to try again */
+        if (svc_recv_available(svsk) > sizeof(rpc_fraghdr))
+                set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
+        if (len < 0)
+                goto error;
        svc_xprt_copy_addrs(rqstp, &svsk->sk_xprt);
        if (serv->sv_stats)
                serv->sv_stats->nettcpcnt++;
-        return len;
+        dprintk("svc: TCP complete record (%d bytes)\n", rqstp->rq_arg.len);
+        return rqstp->rq_arg.len;
-err_again:
-        if (len == -EAGAIN) {
-                dprintk("RPC: TCP recvfrom got EAGAIN\n");
-                return len;
-        }
 error:
-        if (len != -EAGAIN) {
+        if (len != -EAGAIN)
-                printk(KERN_NOTICE "%s: recvfrom returned errno %d\n",
+                goto err_other;
-                       svsk->sk_xprt.xpt_server->sv_name, -len);
+        dprintk("RPC: TCP recvfrom got EAGAIN\n");
-                set_bit(XPT_CLOSE, &svsk->sk_xprt.xpt_flags);
-        }
        return -EAGAIN;
+err_other:
+        printk(KERN_NOTICE "%s: recvfrom returned errno %d\n",
+               svsk->sk_xprt.xpt_server->sv_name, -len);
+        set_bit(XPT_CLOSE, &svsk->sk_xprt.xpt_flags);
+err_noclose:
+        return -EAGAIN; /* record not complete */
 }
 /*
@@ -1304,18 +1344,10 @@ static void svc_tcp_init(struct svc_sock *svsk, struct svc_serv *serv)
                svsk->sk_reclen = 0;
                svsk->sk_tcplen = 0;
+                memset(&svsk->sk_pages[0], 0, sizeof(svsk->sk_pages));
                tcp_sk(sk)->nonagle |= TCP_NAGLE_OFF;
-                /* initialise setting must have enough space to
-                 * receive and respond to one request.
-                 * svc_tcp_recvfrom will re-adjust if necessary
-                 */
-                svc_sock_setbufsize(svsk->sk_sock,
-                                    3 * svsk->sk_xprt.xpt_server->sv_max_mesg,
-                                    3 * svsk->sk_xprt.xpt_server->sv_max_mesg);
-                set_bit(XPT_CHNGBUF, &svsk->sk_xprt.xpt_flags);
                set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
                if (sk->sk_state != TCP_ESTABLISHED)
                        set_bit(XPT_CLOSE, &svsk->sk_xprt.xpt_flags);
@@ -1379,8 +1411,14 @@ static struct svc_sock *svc_setup_socket(struct svc_serv *serv,
        /* Initialize the socket */
        if (sock->type == SOCK_DGRAM)
                svc_udp_init(svsk, serv);
-        else
+        else {
+                /* initialise setting must have enough space to
+                 * receive and respond to one request.
+                 */
+                svc_sock_setbufsize(svsk->sk_sock, 4 * serv->sv_max_mesg,
+                                        4 * serv->sv_max_mesg);
                svc_tcp_init(svsk, serv);
+        }
        dprintk("svc: svc_setup_socket created %p (inet %p)\n",
                                svsk, svsk->sk_sk);
@@ -1562,8 +1600,10 @@ static void svc_tcp_sock_detach(struct svc_xprt *xprt)
        svc_sock_detach(xprt);
-        if (!test_bit(XPT_LISTENER, &xprt->xpt_flags))
+        if (!test_bit(XPT_LISTENER, &xprt->xpt_flags)) {
+                svc_tcp_clear_pages(svsk);
                kernel_sock_shutdown(svsk->sk_sock, SHUT_RDWR);
+        }
 }
 /*
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 679cd674b81d..f008c14ad34c 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -638,6 +638,25 @@ void xdr_init_decode(struct xdr_stream *xdr, struct xdr_buf *buf, __be32 *p)
 }
 EXPORT_SYMBOL_GPL(xdr_init_decode);
+/**
+ * xdr_init_decode - Initialize an xdr_stream for decoding data.
+ * @xdr: pointer to xdr_stream struct
+ * @buf: pointer to XDR buffer from which to decode data
+ * @pages: list of pages to decode into
+ * @len: length in bytes of buffer in pages
+ */
+void xdr_init_decode_pages(struct xdr_stream *xdr, struct xdr_buf *buf,
+                           struct page **pages, unsigned int len)
+{
+        memset(buf, 0, sizeof(*buf));
+        buf->pages =  pages;
+        buf->page_len =  len;
+        buf->buflen =  len;
+        buf->len = len;
+        xdr_init_decode(xdr, buf, NULL);
+}
+EXPORT_SYMBOL_GPL(xdr_init_decode_pages);
 static __be32 * __xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)
 {
        __be32 *p = xdr->p;
diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
index 1a10dcd999ea..c3c232a88d94 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
@@ -333,7 +333,7 @@ static void rq_cq_reap(struct svcxprt_rdma *xprt)
 }
 /*
- * Processs a completion context
+ * Process a completion context
 */
 static void process_context(struct svcxprt_rdma *xprt,
                            struct svc_rdma_op_ctxt *ctxt)
@@ -695,7 +695,8 @@ static struct svc_xprt *svc_rdma_create(struct svc_serv *serv,
                return ERR_PTR(-ENOMEM);
        xprt = &cma_xprt->sc_xprt;
-        listen_id = rdma_create_id(rdma_listen_handler, cma_xprt, RDMA_PS_TCP);
+        listen_id = rdma_create_id(rdma_listen_handler, cma_xprt, RDMA_PS_TCP,
+                                   IB_QPT_RC);
        if (IS_ERR(listen_id)) {
                ret = PTR_ERR(listen_id);
                dprintk("svcrdma: rdma_create_id failed = %d\n", ret);
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index d4297dc43dc4..80f8da344df5 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -387,7 +387,7 @@ rpcrdma_create_id(struct rpcrdma_xprt *xprt,
        init_completion(&ia->ri_done);
-        id = rdma_create_id(rpcrdma_conn_upcall, xprt, RDMA_PS_TCP);
+        id = rdma_create_id(rpcrdma_conn_upcall, xprt, RDMA_PS_TCP, IB_QPT_RC);
        if (IS_ERR(id)) {
                rc = PTR_ERR(id);
                dprintk("RPC:       %s: rdma_create_id() failed %i\n",
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index bf005d3c65ef..72abb7358933 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -19,6 +19,7 @@
 */
 #include <linux/types.h>
+#include <linux/string.h>
 #include <linux/slab.h>
 #include <linux/module.h>
 #include <linux/capability.h>
@@ -28,6 +29,7 @@
 #include <linux/in.h>
 #include <linux/net.h>
 #include <linux/mm.h>
+#include <linux/un.h>
 #include <linux/udp.h>
 #include <linux/tcp.h>
 #include <linux/sunrpc/clnt.h>
@@ -45,6 +47,9 @@
 #include <net/tcp.h>
 #include "sunrpc.h"
+static void xs_close(struct rpc_xprt *xprt);
 /*
 * xprtsock tunables
 */
@@ -261,6 +266,11 @@ static inline struct sockaddr *xs_addr(struct rpc_xprt *xprt)
        return (struct sockaddr *) &xprt->addr;
 }
+static inline struct sockaddr_un *xs_addr_un(struct rpc_xprt *xprt)
+{
+        return (struct sockaddr_un *) &xprt->addr;
+}
 static inline struct sockaddr_in *xs_addr_in(struct rpc_xprt *xprt)
 {
        return (struct sockaddr_in *) &xprt->addr;
@@ -276,23 +286,34 @@ static void xs_format_common_peer_addresses(struct rpc_xprt *xprt)
        struct sockaddr *sap = xs_addr(xprt);
        struct sockaddr_in6 *sin6;
        struct sockaddr_in *sin;
+        struct sockaddr_un *sun;
        char buf[128];
-        (void)rpc_ntop(sap, buf, sizeof(buf));
-        xprt->address_strings[RPC_DISPLAY_ADDR] = kstrdup(buf, GFP_KERNEL);
        switch (sap->sa_family) {
+        case AF_LOCAL:
+                sun = xs_addr_un(xprt);
+                strlcpy(buf, sun->sun_path, sizeof(buf));
+                xprt->address_strings[RPC_DISPLAY_ADDR] =
+                                                kstrdup(buf, GFP_KERNEL);
+                break;
        case AF_INET:
+                (void)rpc_ntop(sap, buf, sizeof(buf));
+                xprt->address_strings[RPC_DISPLAY_ADDR] =
+                                                kstrdup(buf, GFP_KERNEL);
                sin = xs_addr_in(xprt);
                snprintf(buf, sizeof(buf), "%08x", ntohl(sin->sin_addr.s_addr));
                break;
        case AF_INET6:
+                (void)rpc_ntop(sap, buf, sizeof(buf));
+                xprt->address_strings[RPC_DISPLAY_ADDR] =
+                                                kstrdup(buf, GFP_KERNEL);
                sin6 = xs_addr_in6(xprt);
                snprintf(buf, sizeof(buf), "%pi6", &sin6->sin6_addr);
                break;
        default:
                BUG();
        }
        xprt->address_strings[RPC_DISPLAY_HEX_ADDR] = kstrdup(buf, GFP_KERNEL);
 }
@@ -495,6 +516,70 @@ static int xs_nospace(struct rpc_task *task)
        return ret;
 }
+/*
+ * Construct a stream transport record marker in @buf.
+ */
+static inline void xs_encode_stream_record_marker(struct xdr_buf *buf)
+{
+        u32 reclen = buf->len - sizeof(rpc_fraghdr);
+        rpc_fraghdr *base = buf->head[0].iov_base;
+        *base = cpu_to_be32(RPC_LAST_STREAM_FRAGMENT | reclen);
+}
+/**
+ * xs_local_send_request - write an RPC request to an AF_LOCAL socket
+ * @task: RPC task that manages the state of an RPC request
+ *
+ * Return values:
+ *        0:    The request has been sent
+ *   EAGAIN:    The socket was blocked, please call again later to
+ *              complete the request
+ * ENOTCONN:    Caller needs to invoke connect logic then call again
+ *    other:    Some other error occured, the request was not sent
+ */
+static int xs_local_send_request(struct rpc_task *task)
+{
+        struct rpc_rqst *req = task->tk_rqstp;
+        struct rpc_xprt *xprt = req->rq_xprt;
+        struct sock_xprt *transport =
+                                container_of(xprt, struct sock_xprt, xprt);
+        struct xdr_buf *xdr = &req->rq_snd_buf;
+        int status;
+        xs_encode_stream_record_marker(&req->rq_snd_buf);
+        xs_pktdump("packet data:",
+                        req->rq_svec->iov_base, req->rq_svec->iov_len);
+        status = xs_sendpages(transport->sock, NULL, 0,
+                                                xdr, req->rq_bytes_sent);
+        dprintk("RPC:       %s(%u) = %d\n",
+                        __func__, xdr->len - req->rq_bytes_sent, status);
+        if (likely(status >= 0)) {
+                req->rq_bytes_sent += status;
+                req->rq_xmit_bytes_sent += status;
+                if (likely(req->rq_bytes_sent >= req->rq_slen)) {
+                        req->rq_bytes_sent = 0;
+                        return 0;
+                }
+                status = -EAGAIN;
+        }
+        switch (status) {
+        case -EAGAIN:
+                status = xs_nospace(task);
+                break;
+        default:
+                dprintk("RPC:       sendmsg returned unrecognized error %d\n",
+                        -status);
+        case -EPIPE:
+                xs_close(xprt);
+                status = -ENOTCONN;
+        }
+        return status;
+}
 /**
 * xs_udp_send_request - write an RPC request to a UDP socket
 * @task: address of RPC task that manages the state of an RPC request
@@ -574,13 +659,6 @@ static void xs_tcp_shutdown(struct rpc_xprt *xprt)
                kernel_sock_shutdown(sock, SHUT_WR);
 }
-static inline void xs_encode_tcp_record_marker(struct xdr_buf *buf)
-{
-        u32 reclen = buf->len - sizeof(rpc_fraghdr);
-        rpc_fraghdr *base = buf->head[0].iov_base;
-        *base = htonl(RPC_LAST_STREAM_FRAGMENT | reclen);
-}
 /**
 * xs_tcp_send_request - write an RPC request to a TCP socket
 * @task: address of RPC task that manages the state of an RPC request
@@ -603,7 +681,7 @@ static int xs_tcp_send_request(struct rpc_task *task)
        struct xdr_buf *xdr = &req->rq_snd_buf;
        int status;
-        xs_encode_tcp_record_marker(&req->rq_snd_buf);
+        xs_encode_stream_record_marker(&req->rq_snd_buf);
        xs_pktdump("packet data:",
                                req->rq_svec->iov_base,
@@ -785,6 +863,88 @@ static inline struct rpc_xprt *xprt_from_sock(struct sock *sk)
        return (struct rpc_xprt *) sk->sk_user_data;
 }
+static int xs_local_copy_to_xdr(struct xdr_buf *xdr, struct sk_buff *skb)
+{
+        struct xdr_skb_reader desc = {
+                .skb            = skb,
+                .offset         = sizeof(rpc_fraghdr),
+                .count          = skb->len - sizeof(rpc_fraghdr),
+        };
+        if (xdr_partial_copy_from_skb(xdr, 0, &desc, xdr_skb_read_bits) < 0)
+                return -1;
+        if (desc.count)
+                return -1;
+        return 0;
+}
+/**
+ * xs_local_data_ready - "data ready" callback for AF_LOCAL sockets
+ * @sk: socket with data to read
+ * @len: how much data to read
+ *
+ * Currently this assumes we can read the whole reply in a single gulp.
+ */
+static void xs_local_data_ready(struct sock *sk, int len)
+{
+        struct rpc_task *task;
+        struct rpc_xprt *xprt;
+        struct rpc_rqst *rovr;
+        struct sk_buff *skb;
+        int err, repsize, copied;
+        u32 _xid;
+        __be32 *xp;
+        read_lock_bh(&sk->sk_callback_lock);
+        dprintk("RPC:       %s...\n", __func__);
+        xprt = xprt_from_sock(sk);
+        if (xprt == NULL)
+                goto out;
+        skb = skb_recv_datagram(sk, 0, 1, &err);
+        if (skb == NULL)
+                goto out;
+        if (xprt->shutdown)
+                goto dropit;
+        repsize = skb->len - sizeof(rpc_fraghdr);
+        if (repsize < 4) {
+                dprintk("RPC:       impossible RPC reply size %d\n", repsize);
+                goto dropit;
+        }
+        /* Copy the XID from the skb... */
+        xp = skb_header_pointer(skb, sizeof(rpc_fraghdr), sizeof(_xid), &_xid);
+        if (xp == NULL)
+                goto dropit;
+        /* Look up and lock the request corresponding to the given XID */
+        spin_lock(&xprt->transport_lock);
+        rovr = xprt_lookup_rqst(xprt, *xp);
+        if (!rovr)
+                goto out_unlock;
+        task = rovr->rq_task;
+        copied = rovr->rq_private_buf.buflen;
+        if (copied > repsize)
+                copied = repsize;
+        if (xs_local_copy_to_xdr(&rovr->rq_private_buf, skb)) {
+                dprintk("RPC:       sk_buff copy failed\n");
+                goto out_unlock;
+        }
+        xprt_complete_rqst(task, copied);
+ out_unlock:
+        spin_unlock(&xprt->transport_lock);
+ dropit:
+        skb_free_datagram(sk, skb);
+ out:
+        read_unlock_bh(&sk->sk_callback_lock);
+}
 /**
 * xs_udp_data_ready - "data ready" callback for UDP sockets
 * @sk: socket with data to read
@@ -1344,7 +1504,6 @@ static void xs_tcp_state_change(struct sock *sk)
        case TCP_CLOSE_WAIT:
                /* The server initiated a shutdown of the socket */
                xprt_force_disconnect(xprt);
-        case TCP_SYN_SENT:
                xprt->connect_cookie++;
        case TCP_CLOSING:
                /*
@@ -1571,11 +1730,31 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock)
        return err;
 }
+/*
+ * We don't support autobind on AF_LOCAL sockets
+ */
+static void xs_local_rpcbind(struct rpc_task *task)
+{
+        xprt_set_bound(task->tk_xprt);
+}
+static void xs_local_set_port(struct rpc_xprt *xprt, unsigned short port)
+{
+}
 #ifdef CONFIG_DEBUG_LOCK_ALLOC
 static struct lock_class_key xs_key[2];
 static struct lock_class_key xs_slock_key[2];
+static inline void xs_reclassify_socketu(struct socket *sock)
+{
+        struct sock *sk = sock->sk;
+        BUG_ON(sock_owned_by_user(sk));
+        sock_lock_init_class_and_name(sk, "slock-AF_LOCAL-RPC",
+                &xs_slock_key[1], "sk_lock-AF_LOCAL-RPC", &xs_key[1]);
+}
 static inline void xs_reclassify_socket4(struct socket *sock)
 {
        struct sock *sk = sock->sk;
@@ -1597,6 +1776,9 @@ static inline void xs_reclassify_socket6(struct socket *sock)
 static inline void xs_reclassify_socket(int family, struct socket *sock)
 {
        switch (family) {
+        case AF_LOCAL:
+                xs_reclassify_socketu(sock);
+                break;
        case AF_INET:
                xs_reclassify_socket4(sock);
                break;
@@ -1606,6 +1788,10 @@ static inline void xs_reclassify_socket(int family, struct socket *sock)
        }
 }
 #else
+static inline void xs_reclassify_socketu(struct socket *sock)
+{
+}
 static inline void xs_reclassify_socket4(struct socket *sock)
 {
 }
@@ -1644,6 +1830,94 @@ out:
        return ERR_PTR(err);
 }
+static int xs_local_finish_connecting(struct rpc_xprt *xprt,
+                                      struct socket *sock)
+{
+        struct sock_xprt *transport = container_of(xprt, struct sock_xprt,
+                                                                        xprt);
+        if (!transport->inet) {
+                struct sock *sk = sock->sk;
+                write_lock_bh(&sk->sk_callback_lock);
+                xs_save_old_callbacks(transport, sk);
+                sk->sk_user_data = xprt;
+                sk->sk_data_ready = xs_local_data_ready;
+                sk->sk_write_space = xs_udp_write_space;
+                sk->sk_error_report = xs_error_report;
+                sk->sk_allocation = GFP_ATOMIC;
+                xprt_clear_connected(xprt);
+                /* Reset to new socket */
+                transport->sock = sock;
+                transport->inet = sk;
+                write_unlock_bh(&sk->sk_callback_lock);
+        }
+        /* Tell the socket layer to start connecting... */
+        xprt->stat.connect_count++;
+        xprt->stat.connect_start = jiffies;
+        return kernel_connect(sock, xs_addr(xprt), xprt->addrlen, 0);
+}
+/**
+ * xs_local_setup_socket - create AF_LOCAL socket, connect to a local endpoint
+ * @xprt: RPC transport to connect
+ * @transport: socket transport to connect
+ * @create_sock: function to create a socket of the correct type
+ *
+ * Invoked by a work queue tasklet.
+ */
+static void xs_local_setup_socket(struct work_struct *work)
+{
+        struct sock_xprt *transport =
+                container_of(work, struct sock_xprt, connect_worker.work);
+        struct rpc_xprt *xprt = &transport->xprt;
+        struct socket *sock;
+        int status = -EIO;
+        if (xprt->shutdown)
+                goto out;
+        clear_bit(XPRT_CONNECTION_ABORT, &xprt->state);
+        status = __sock_create(xprt->xprt_net, AF_LOCAL,
+                                        SOCK_STREAM, 0, &sock, 1);
+        if (status < 0) {
+                dprintk("RPC:       can't create AF_LOCAL "
+                        "transport socket (%d).\n", -status);
+                goto out;
+        }
+        xs_reclassify_socketu(sock);
+        dprintk("RPC:       worker connecting xprt %p via AF_LOCAL to %s\n",
+                        xprt, xprt->address_strings[RPC_DISPLAY_ADDR]);
+        status = xs_local_finish_connecting(xprt, sock);
+        switch (status) {
+        case 0:
+                dprintk("RPC:       xprt %p connected to %s\n",
+                                xprt, xprt->address_strings[RPC_DISPLAY_ADDR]);
+                xprt_set_connected(xprt);
+                break;
+        case -ENOENT:
+                dprintk("RPC:       xprt %p: socket %s does not exist\n",
+                                xprt, xprt->address_strings[RPC_DISPLAY_ADDR]);
+                break;
+        default:
+                printk(KERN_ERR "%s: unhandled error (%d) connecting to %s\n",
+                                __func__, -status,
+                                xprt->address_strings[RPC_DISPLAY_ADDR]);
+        }
+out:
+        xprt_clear_connecting(xprt);
+        xprt_wake_pending_tasks(xprt, status);
+}
 static void xs_udp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock)
 {
        struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt);
@@ -1758,6 +2032,7 @@ static void xs_tcp_reuse_connection(struct sock_xprt *transport)
 static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock)
 {
        struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt);
+        int ret = -ENOTCONN;
        if (!transport->inet) {
                struct sock *sk = sock->sk;
@@ -1789,12 +2064,22 @@ static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock)
        }
        if (!xprt_bound(xprt))
-                return -ENOTCONN;
+                goto out;
        /* Tell the socket layer to start connecting... */
        xprt->stat.connect_count++;
        xprt->stat.connect_start = jiffies;
-        return kernel_connect(sock, xs_addr(xprt), xprt->addrlen, O_NONBLOCK);
+        ret = kernel_connect(sock, xs_addr(xprt), xprt->addrlen, O_NONBLOCK);
+        switch (ret) {
+        case 0:
+        case -EINPROGRESS:
+                /* SYN_SENT! */
+                xprt->connect_cookie++;
+                if (xprt->reestablish_timeout < XS_TCP_INIT_REEST_TO)
+                        xprt->reestablish_timeout = XS_TCP_INIT_REEST_TO;
+        }
+out:
+        return ret;
 }
 /**
@@ -1917,6 +2202,32 @@ static void xs_connect(struct rpc_task *task)
 }
 /**
+ * xs_local_print_stats - display AF_LOCAL socket-specifc stats
+ * @xprt: rpc_xprt struct containing statistics
+ * @seq: output file
+ *
+ */
+static void xs_local_print_stats(struct rpc_xprt *xprt, struct seq_file *seq)
+{
+        long idle_time = 0;
+        if (xprt_connected(xprt))
+                idle_time = (long)(jiffies - xprt->last_used) / HZ;
+        seq_printf(seq, "\txprt:\tlocal %lu %lu %lu %ld %lu %lu %lu "
+                        "%llu %llu\n",
+                        xprt->stat.bind_count,
+                        xprt->stat.connect_count,
+                        xprt->stat.connect_time,
+                        idle_time,
+                        xprt->stat.sends,
+                        xprt->stat.recvs,
+                        xprt->stat.bad_xids,
+                        xprt->stat.req_u,
+                        xprt->stat.bklog_u);
+}
+/**
 * xs_udp_print_stats - display UDP socket-specifc stats
 * @xprt: rpc_xprt struct containing statistics
 * @seq: output file
@@ -2014,10 +2325,7 @@ static int bc_sendto(struct rpc_rqst *req)
        unsigned long headoff;
        unsigned long tailoff;
-        /*
+        xs_encode_stream_record_marker(xbufp);
-         * Set up the rpc header and record marker stuff
-         */
-        xs_encode_tcp_record_marker(xbufp);
        tailoff = (unsigned long)xbufp->tail[0].iov_base & ~PAGE_MASK;
        headoff = (unsigned long)xbufp->head[0].iov_base & ~PAGE_MASK;
@@ -2089,6 +2397,21 @@ static void bc_destroy(struct rpc_xprt *xprt)
 {
 }
+static struct rpc_xprt_ops xs_local_ops = {
+        .reserve_xprt           = xprt_reserve_xprt,
+        .release_xprt           = xs_tcp_release_xprt,
+        .rpcbind                = xs_local_rpcbind,
+        .set_port               = xs_local_set_port,
+        .connect                = xs_connect,
+        .buf_alloc              = rpc_malloc,
+        .buf_free               = rpc_free,
+        .send_request           = xs_local_send_request,
+        .set_retrans_timeout    = xprt_set_retrans_timeout_def,
+        .close                  = xs_close,
+        .destroy                = xs_destroy,
+        .print_stats            = xs_local_print_stats,
+};
 static struct rpc_xprt_ops xs_udp_ops = {
        .set_buffer_size        = xs_udp_set_buffer_size,
        .reserve_xprt           = xprt_reserve_xprt_cong,
@@ -2150,6 +2473,8 @@ static int xs_init_anyaddr(const int family, struct sockaddr *sap)
        };
        switch (family) {
+        case AF_LOCAL:
+                break;
        case AF_INET:
                memcpy(sap, &sin, sizeof(sin));
                break;
@@ -2197,6 +2522,70 @@ static struct rpc_xprt *xs_setup_xprt(struct xprt_create *args,
        return xprt;
 }
+static const struct rpc_timeout xs_local_default_timeout = {
+        .to_initval = 10 * HZ,
+        .to_maxval = 10 * HZ,
+        .to_retries = 2,
+};
+/**
+ * xs_setup_local - Set up transport to use an AF_LOCAL socket
+ * @args: rpc transport creation arguments
+ *
+ * AF_LOCAL is a "tpi_cots_ord" transport, just like TCP
+ */
+static struct rpc_xprt *xs_setup_local(struct xprt_create *args)
+{
+        struct sockaddr_un *sun = (struct sockaddr_un *)args->dstaddr;
+        struct sock_xprt *transport;
+        struct rpc_xprt *xprt;
+        struct rpc_xprt *ret;
+        xprt = xs_setup_xprt(args, xprt_tcp_slot_table_entries);
+        if (IS_ERR(xprt))
+                return xprt;
+        transport = container_of(xprt, struct sock_xprt, xprt);
+        xprt->prot = 0;
+        xprt->tsh_size = sizeof(rpc_fraghdr) / sizeof(u32);
+        xprt->max_payload = RPC_MAX_FRAGMENT_SIZE;
+        xprt->bind_timeout = XS_BIND_TO;
+        xprt->reestablish_timeout = XS_TCP_INIT_REEST_TO;
+        xprt->idle_timeout = XS_IDLE_DISC_TO;
+        xprt->ops = &xs_local_ops;
+        xprt->timeout = &xs_local_default_timeout;
+        switch (sun->sun_family) {
+        case AF_LOCAL:
+                if (sun->sun_path[0] != '/') {
+                        dprintk("RPC:       bad AF_LOCAL address: %s\n",
+                                        sun->sun_path);
+                        ret = ERR_PTR(-EINVAL);
+                        goto out_err;
+                }
+                xprt_set_bound(xprt);
+                INIT_DELAYED_WORK(&transport->connect_worker,
+                                        xs_local_setup_socket);
+                xs_format_peer_addresses(xprt, "local", RPCBIND_NETID_LOCAL);
+                break;
+        default:
+                ret = ERR_PTR(-EAFNOSUPPORT);
+                goto out_err;
+        }
+        dprintk("RPC:       set up xprt to %s via AF_LOCAL\n",
+                        xprt->address_strings[RPC_DISPLAY_ADDR]);
+        if (try_module_get(THIS_MODULE))
+                return xprt;
+        ret = ERR_PTR(-EINVAL);
+out_err:
+        xprt_free(xprt);
+        return ret;
+}
 static const struct rpc_timeout xs_udp_default_timeout = {
        .to_initval = 5 * HZ,
        .to_maxval = 30 * HZ,
@@ -2438,6 +2827,14 @@ out_err:
        return ret;
 }
+static struct xprt_class        xs_local_transport = {
+        .list           = LIST_HEAD_INIT(xs_local_transport.list),
+        .name           = "named UNIX socket",
+        .owner          = THIS_MODULE,
+        .ident          = XPRT_TRANSPORT_LOCAL,
+        .setup          = xs_setup_local,
+};
 static struct xprt_class        xs_udp_transport = {
        .list           = LIST_HEAD_INIT(xs_udp_transport.list),
        .name           = "udp",
@@ -2473,6 +2870,7 @@ int init_socket_xprt(void)
                sunrpc_table_header = register_sysctl_table(sunrpc_table);
 #endif
+        xprt_register_transport(&xs_local_transport);
        xprt_register_transport(&xs_udp_transport);
        xprt_register_transport(&xs_tcp_transport);
        xprt_register_transport(&xs_bc_tcp_transport);
@@ -2493,6 +2891,7 @@ void cleanup_socket_xprt(void)
        }
 #endif
+        xprt_unregister_transport(&xs_local_transport);
        xprt_unregister_transport(&xs_udp_transport);
        xprt_unregister_transport(&xs_tcp_transport);
        xprt_unregister_transport(&xs_bc_tcp_transport);
diff --git a/net/tipc/addr.h b/net/tipc/addr.h
index 8971aba99aea..e4f35afe3207 100644
--- a/net/tipc/addr.h
+++ b/net/tipc/addr.h
@@ -37,14 +37,17 @@
 #ifndef _TIPC_ADDR_H
 #define _TIPC_ADDR_H
+#define TIPC_ZONE_MASK          0xff000000u
+#define TIPC_CLUSTER_MASK       0xfffff000u
 static inline u32 tipc_zone_mask(u32 addr)
 {
-        return addr & 0xff000000u;
+        return addr & TIPC_ZONE_MASK;
 }
 static inline u32 tipc_cluster_mask(u32 addr)
 {
-        return addr & 0xfffff000u;
+        return addr & TIPC_CLUSTER_MASK;
 }
 static inline int in_own_cluster(u32 addr)
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 7dc1dc7151ea..fa68d1e9ff4b 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -44,13 +44,6 @@
 #define BCLINK_WIN_DEFAULT 20           /* bcast link window size (default) */
-/*
- * Loss rate for incoming broadcast frames; used to test retransmission code.
- * Set to N to cause every N'th frame to be discarded; 0 => don't discard any.
- */
-#define TIPC_BCAST_LOSS_RATE 0
 /**
 * struct bcbearer_pair - a pair of bearers used by broadcast link
 * @primary: pointer to primary bearer
@@ -414,9 +407,7 @@ int tipc_bclink_send_msg(struct sk_buff *buf)
        spin_lock_bh(&bc_lock);
        res = tipc_link_send_buf(bcl, buf);
-        if (unlikely(res == -ELINKCONG))
+        if (likely(res > 0))
-                buf_discard(buf);
-        else
                bclink_set_last_sent();
        bcl->stats.queue_sz_counts++;
@@ -434,9 +425,6 @@ int tipc_bclink_send_msg(struct sk_buff *buf)
 void tipc_bclink_recv_pkt(struct sk_buff *buf)
 {
-#if (TIPC_BCAST_LOSS_RATE)
-        static int rx_count;
-#endif
        struct tipc_msg *msg = buf_msg(buf);
        struct tipc_node *node = tipc_node_find(msg_prevnode(msg));
        u32 next_in;
@@ -470,14 +458,6 @@ void tipc_bclink_recv_pkt(struct sk_buff *buf)
                return;
        }
-#if (TIPC_BCAST_LOSS_RATE)
-        if (++rx_count == TIPC_BCAST_LOSS_RATE) {
-                rx_count = 0;
-                buf_discard(buf);
-                return;
-        }
-#endif
        tipc_node_lock(node);
 receive:
        deferred = node->bclink.deferred_head;
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 411719feb803..85209eadfae6 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -46,6 +46,8 @@ static u32 media_count;
 struct tipc_bearer tipc_bearers[MAX_BEARERS];
+static void bearer_disable(struct tipc_bearer *b_ptr);
 /**
 * media_name_valid - validate media name
 *
@@ -342,15 +344,15 @@ struct sk_buff *tipc_bearer_get_names(void)
 void tipc_bearer_add_dest(struct tipc_bearer *b_ptr, u32 dest)
 {
        tipc_nmap_add(&b_ptr->nodes, dest);
-        tipc_disc_update_link_req(b_ptr->link_req);
        tipc_bcbearer_sort();
+        tipc_disc_add_dest(b_ptr->link_req);
 }
 void tipc_bearer_remove_dest(struct tipc_bearer *b_ptr, u32 dest)
 {
        tipc_nmap_remove(&b_ptr->nodes, dest);
-        tipc_disc_update_link_req(b_ptr->link_req);
        tipc_bcbearer_sort();
+        tipc_disc_remove_dest(b_ptr->link_req);
 }
 /*
@@ -493,8 +495,15 @@ int tipc_enable_bearer(const char *name, u32 disc_domain, u32 priority)
                warn("Bearer <%s> rejected, illegal name\n", name);
                return -EINVAL;
        }
-        if (!tipc_addr_domain_valid(disc_domain) ||
+        if (tipc_addr_domain_valid(disc_domain) &&
-            !tipc_in_scope(disc_domain, tipc_own_addr)) {
+            (disc_domain != tipc_own_addr)) {
+                if (tipc_in_scope(disc_domain, tipc_own_addr)) {
+                        disc_domain = tipc_own_addr & TIPC_CLUSTER_MASK;
+                        res = 0;   /* accept any node in own cluster */
+                } else if (in_own_cluster(disc_domain))
+                        res = 0;   /* accept specified node in own cluster */
+        }
+        if (res) {
                warn("Bearer <%s> rejected, illegal discovery domain\n", name);
                return -EINVAL;
        }
@@ -511,7 +520,7 @@ int tipc_enable_bearer(const char *name, u32 disc_domain, u32 priority)
        if (!m_ptr) {
                warn("Bearer <%s> rejected, media <%s> not registered\n", name,
                     b_name.media_name);
-                goto failed;
+                goto exit;
        }
        if (priority == TIPC_MEDIA_LINK_PRI)
@@ -527,14 +536,14 @@ restart:
                }
                if (!strcmp(name, tipc_bearers[i].name)) {
                        warn("Bearer <%s> rejected, already enabled\n", name);
-                        goto failed;
+                        goto exit;
                }
                if ((tipc_bearers[i].priority == priority) &&
                    (++with_this_prio > 2)) {
                        if (priority-- == 0) {
                                warn("Bearer <%s> rejected, duplicate priority\n",
                                     name);
-                                goto failed;
+                                goto exit;
                        }
                        warn("Bearer <%s> priority adjustment required %u->%u\n",
                             name, priority + 1, priority);
@@ -544,7 +553,7 @@ restart:
        if (bearer_id >= MAX_BEARERS) {
                warn("Bearer <%s> rejected, bearer limit reached (%u)\n",
                     name, MAX_BEARERS);
-                goto failed;
+                goto exit;
        }
        b_ptr = &tipc_bearers[bearer_id];
@@ -552,7 +561,7 @@ restart:
        res = m_ptr->enable_bearer(b_ptr);
        if (res) {
                warn("Bearer <%s> rejected, enable failure (%d)\n", name, -res);
-                goto failed;
+                goto exit;
        }
        b_ptr->identity = bearer_id;
@@ -562,14 +571,18 @@ restart:
        b_ptr->priority = priority;
        INIT_LIST_HEAD(&b_ptr->cong_links);
        INIT_LIST_HEAD(&b_ptr->links);
-        b_ptr->link_req = tipc_disc_init_link_req(b_ptr, &m_ptr->bcast_addr,
-                                                  disc_domain);
        spin_lock_init(&b_ptr->lock);
-        write_unlock_bh(&tipc_net_lock);
+        res = tipc_disc_create(b_ptr, &m_ptr->bcast_addr, disc_domain);
+        if (res) {
+                bearer_disable(b_ptr);
+                warn("Bearer <%s> rejected, discovery object creation failed\n",
+                     name);
+                goto exit;
+        }
        info("Enabled bearer <%s>, discovery domain %s, priority %u\n",
             name, tipc_addr_string_fill(addr_string, disc_domain), priority);
-        return 0;
+exit:
-failed:
        write_unlock_bh(&tipc_net_lock);
        return res;
 }
@@ -620,14 +633,14 @@ static void bearer_disable(struct tipc_bearer *b_ptr)
        struct link *temp_l_ptr;
        info("Disabling bearer <%s>\n", b_ptr->name);
-        tipc_disc_stop_link_req(b_ptr->link_req);
        spin_lock_bh(&b_ptr->lock);
-        b_ptr->link_req = NULL;
        b_ptr->blocked = 1;
        b_ptr->media->disable_bearer(b_ptr);
        list_for_each_entry_safe(l_ptr, temp_l_ptr, &b_ptr->links, link_list) {
                tipc_link_delete(l_ptr);
        }
+        if (b_ptr->link_req)
+                tipc_disc_delete(b_ptr->link_req);
        spin_unlock_bh(&b_ptr->lock);
        memset(b_ptr, 0, sizeof(struct tipc_bearer));
 }
diff --git a/net/tipc/core.c b/net/tipc/core.c
index c9a73e7763f6..943b6af84265 100644
--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -179,8 +179,7 @@ static int __init tipc_init(void)
        if (tipc_log_resize(CONFIG_TIPC_LOG) != 0)
                warn("Unable to create log buffer\n");
-        info("Activated (version " TIPC_MOD_VER
+        info("Activated (version " TIPC_MOD_VER ")\n");
-             " compiled " __DATE__ " " __TIME__ ")\n");
        tipc_own_addr = 0;
        tipc_remote_management = 1;
diff --git a/net/tipc/discover.c b/net/tipc/discover.c
index 491eff56b9da..0987933155b9 100644
--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -39,19 +39,17 @@
 #include "discover.h"
 #define TIPC_LINK_REQ_INIT      125     /* min delay during bearer start up */
-#define TIPC_LINK_REQ_FAST      2000    /* normal delay if bearer has no links */
+#define TIPC_LINK_REQ_FAST      1000    /* max delay if bearer has no links */
-#define TIPC_LINK_REQ_SLOW      600000  /* normal delay if bearer has links */
+#define TIPC_LINK_REQ_SLOW      60000   /* max delay if bearer has links */
+#define TIPC_LINK_REQ_INACTIVE  0xffffffff /* indicates no timer in use */
-/*
- * TODO: Most of the inter-cluster setup stuff should be
- * rewritten, and be made conformant with specification.
- */
 /**
 * struct link_req - information about an ongoing link setup request
 * @bearer: bearer issuing requests
 * @dest: destination address for request messages
+ * @domain: network domain to which links can be established
+ * @num_nodes: number of nodes currently discovered (i.e. with an active link)
 * @buf: request message to be (repeatedly) sent
 * @timer: timer governing period between requests
 * @timer_intv: current interval between requests (in ms)
@@ -59,6 +57,8 @@
 struct link_req {
        struct tipc_bearer *bearer;
        struct tipc_media_addr dest;
+        u32 domain;
+        int num_nodes;
        struct sk_buff *buf;
        struct timer_list timer;
        unsigned int timer_intv;
@@ -147,7 +147,7 @@ void tipc_disc_recv_msg(struct sk_buff *buf, struct tipc_bearer *b_ptr)
        }
        if (!tipc_in_scope(dest, tipc_own_addr))
                return;
-        if (!in_own_cluster(orig))
+        if (!tipc_in_scope(b_ptr->link_req->domain, orig))
                return;
        /* Locate structure corresponding to requesting node */
@@ -214,44 +214,54 @@ void tipc_disc_recv_msg(struct sk_buff *buf, struct tipc_bearer *b_ptr)
 }
 /**
- * tipc_disc_stop_link_req - stop sending periodic link setup requests
+ * disc_update - update frequency of periodic link setup requests
 * @req: ptr to link request structure
+ *
+ * Reinitiates discovery process if discovery object has no associated nodes
+ * and is either not currently searching or is searching at a slow rate
 */
-void tipc_disc_stop_link_req(struct link_req *req)
+static void disc_update(struct link_req *req)
 {
-        if (!req)
+        if (!req->num_nodes) {
-                return;
+                if ((req->timer_intv == TIPC_LINK_REQ_INACTIVE) ||
+                    (req->timer_intv > TIPC_LINK_REQ_FAST)) {
+                        req->timer_intv = TIPC_LINK_REQ_INIT;
+                        k_start_timer(&req->timer, req->timer_intv);
+                }
+        }
+}
-        k_cancel_timer(&req->timer);
+/**
-        k_term_timer(&req->timer);
+ * tipc_disc_add_dest - increment set of discovered nodes
-        buf_discard(req->buf);
+ * @req: ptr to link request structure
-        kfree(req);
+ */
+void tipc_disc_add_dest(struct link_req *req)
+{
+        req->num_nodes++;
 }
 /**
- * tipc_disc_update_link_req - update frequency of periodic link setup requests
+ * tipc_disc_remove_dest - decrement set of discovered nodes
 * @req: ptr to link request structure
 */
-void tipc_disc_update_link_req(struct link_req *req)
+void tipc_disc_remove_dest(struct link_req *req)
 {
-        if (!req)
+        req->num_nodes--;
-                return;
+        disc_update(req);
+}
-        if (req->timer_intv == TIPC_LINK_REQ_SLOW) {
+/**
-                if (!req->bearer->nodes.count) {
+ * disc_send_msg - send link setup request message
-                        req->timer_intv = TIPC_LINK_REQ_FAST;
+ * @req: ptr to link request structure
-                        k_start_timer(&req->timer, req->timer_intv);
+ */
-                }
-        } else if (req->timer_intv == TIPC_LINK_REQ_FAST) {
+static void disc_send_msg(struct link_req *req)
-                if (req->bearer->nodes.count) {
+{
-                        req->timer_intv = TIPC_LINK_REQ_SLOW;
+        if (!req->bearer->blocked)
-                        k_start_timer(&req->timer, req->timer_intv);
+                tipc_bearer_send(req->bearer, req->buf, &req->dest);
-                }
-        } else {
-                /* leave timer "as is" if haven't yet reached a "normal" rate */
-        }
 }
 /**
@@ -263,56 +273,86 @@ void tipc_disc_update_link_req(struct link_req *req)
 static void disc_timeout(struct link_req *req)
 {
+        int max_delay;
        spin_lock_bh(&req->bearer->lock);
-        req->bearer->media->send_msg(req->buf, req->bearer, &req->dest);
+        /* Stop searching if only desired node has been found */
-        if ((req->timer_intv == TIPC_LINK_REQ_SLOW) ||
+        if (tipc_node(req->domain) && req->num_nodes) {
-            (req->timer_intv == TIPC_LINK_REQ_FAST)) {
+                req->timer_intv = TIPC_LINK_REQ_INACTIVE;
-                /* leave timer interval "as is" if already at a "normal" rate */
+                goto exit;
-        } else {
-                req->timer_intv *= 2;
-                if (req->timer_intv > TIPC_LINK_REQ_FAST)
-                        req->timer_intv = TIPC_LINK_REQ_FAST;
-                if ((req->timer_intv == TIPC_LINK_REQ_FAST) &&
-                    (req->bearer->nodes.count))
-                        req->timer_intv = TIPC_LINK_REQ_SLOW;
        }
-        k_start_timer(&req->timer, req->timer_intv);
+        /*
+         * Send discovery message, then update discovery timer
+         *
+         * Keep doubling time between requests until limit is reached;
+         * hold at fast polling rate if don't have any associated nodes,
+         * otherwise hold at slow polling rate
+         */
+        disc_send_msg(req);
+        req->timer_intv *= 2;
+        if (req->num_nodes)
+                max_delay = TIPC_LINK_REQ_SLOW;
+        else
+                max_delay = TIPC_LINK_REQ_FAST;
+        if (req->timer_intv > max_delay)
+                req->timer_intv = max_delay;
+        k_start_timer(&req->timer, req->timer_intv);
+exit:
        spin_unlock_bh(&req->bearer->lock);
 }
 /**
- * tipc_disc_init_link_req - start sending periodic link setup requests
+ * tipc_disc_create - create object to send periodic link setup requests
 * @b_ptr: ptr to bearer issuing requests
 * @dest: destination address for request messages
- * @dest_domain: network domain of node(s) which should respond to message
+ * @dest_domain: network domain to which links can be established
 *
- * Returns pointer to link request structure, or NULL if unable to create.
+ * Returns 0 if successful, otherwise -errno.
 */
-struct link_req *tipc_disc_init_link_req(struct tipc_bearer *b_ptr,
+int tipc_disc_create(struct tipc_bearer *b_ptr,
-                                         const struct tipc_media_addr *dest,
+                     struct tipc_media_addr *dest, u32 dest_domain)
-                                         u32 dest_domain)
 {
        struct link_req *req;
        req = kmalloc(sizeof(*req), GFP_ATOMIC);
        if (!req)
-                return NULL;
+                return -ENOMEM;
        req->buf = tipc_disc_init_msg(DSC_REQ_MSG, dest_domain, b_ptr);
        if (!req->buf) {
                kfree(req);
-                return NULL;
+                return -ENOMSG;
        }
        memcpy(&req->dest, dest, sizeof(*dest));
        req->bearer = b_ptr;
+        req->domain = dest_domain;
+        req->num_nodes = 0;
        req->timer_intv = TIPC_LINK_REQ_INIT;
        k_init_timer(&req->timer, (Handler)disc_timeout, (unsigned long)req);
        k_start_timer(&req->timer, req->timer_intv);
-        return req;
+        b_ptr->link_req = req;
+        disc_send_msg(req);
+        return 0;
+}
+/**
+ * tipc_disc_delete - destroy object sending periodic link setup requests
+ * @req: ptr to link request structure
+ */
+void tipc_disc_delete(struct link_req *req)
+{
+        k_cancel_timer(&req->timer);
+        k_term_timer(&req->timer);
+        buf_discard(req->buf);
+        kfree(req);
 }
diff --git a/net/tipc/discover.h b/net/tipc/discover.h
index e48a167e47b2..a3af595b86cb 100644
--- a/net/tipc/discover.h
+++ b/net/tipc/discover.h
@@ -39,12 +39,11 @@
 struct link_req;
-struct link_req *tipc_disc_init_link_req(struct tipc_bearer *b_ptr,
+int tipc_disc_create(struct tipc_bearer *b_ptr, struct tipc_media_addr *dest,
-                                         const struct tipc_media_addr *dest,
+                     u32 dest_domain);
-                                         u32 dest_domain);
+void tipc_disc_delete(struct link_req *req);
-void tipc_disc_update_link_req(struct link_req *req);
+void tipc_disc_add_dest(struct link_req *req);
-void tipc_disc_stop_link_req(struct link_req *req);
+void tipc_disc_remove_dest(struct link_req *req);
 void tipc_disc_recv_msg(struct sk_buff *buf, struct tipc_bearer *b_ptr);
 #endif
diff --git a/net/tipc/link.c b/net/tipc/link.c
index ebf338f7b14e..5ed4b4f7452d 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -92,7 +92,8 @@ static int  link_recv_changeover_msg(struct link **l_ptr, struct sk_buff **buf);
 static void link_set_supervision_props(struct link *l_ptr, u32 tolerance);
 static int  link_send_sections_long(struct tipc_port *sender,
                                    struct iovec const *msg_sect,
-                                    u32 num_sect, u32 destnode);
+                                    u32 num_sect, unsigned int total_len,
+                                    u32 destnode);
 static void link_check_defragm_bufs(struct link *l_ptr);
 static void link_state_event(struct link *l_ptr, u32 event);
 static void link_reset_statistics(struct link *l_ptr);
@@ -842,6 +843,25 @@ static void link_add_to_outqueue(struct link *l_ptr,
                l_ptr->stats.max_queue_sz = l_ptr->out_queue_size;
 }
+static void link_add_chain_to_outqueue(struct link *l_ptr,
+                                       struct sk_buff *buf_chain,
+                                       u32 long_msgno)
+{
+        struct sk_buff *buf;
+        struct tipc_msg *msg;
+        if (!l_ptr->next_out)
+                l_ptr->next_out = buf_chain;
+        while (buf_chain) {
+                buf = buf_chain;
+                buf_chain = buf_chain->next;
+                msg = buf_msg(buf);
+                msg_set_long_msgno(msg, long_msgno);
+                link_add_to_outqueue(l_ptr, buf, msg);
+        }
+}
 /*
 * tipc_link_send_buf() is the 'full path' for messages, called from
 * inside TIPC when the 'fast path' in tipc_send_buf
@@ -864,8 +884,9 @@ int tipc_link_send_buf(struct link *l_ptr, struct sk_buff *buf)
        if (unlikely(queue_size >= queue_limit)) {
                if (imp <= TIPC_CRITICAL_IMPORTANCE) {
-                        return link_schedule_port(l_ptr, msg_origport(msg),
+                        link_schedule_port(l_ptr, msg_origport(msg), size);
-                                                  size);
+                        buf_discard(buf);
+                        return -ELINKCONG;
                }
                buf_discard(buf);
                if (imp > CONN_MANAGER) {
@@ -1042,6 +1063,7 @@ int tipc_send_buf_fast(struct sk_buff *buf, u32 destnode)
 int tipc_link_send_sections_fast(struct tipc_port *sender,
                                 struct iovec const *msg_sect,
                                 const u32 num_sect,
+                                 unsigned int total_len,
                                 u32 destaddr)
 {
        struct tipc_msg *hdr = &sender->phdr;
@@ -1057,8 +1079,8 @@ again:
         * (Must not hold any locks while building message.)
         */
-        res = tipc_msg_build(hdr, msg_sect, num_sect, sender->max_pkt,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, total_len,
-                        !sender->user_port, &buf);
+                             sender->max_pkt, !sender->user_port, &buf);
        read_lock_bh(&tipc_net_lock);
        node = tipc_node_find(destaddr);
@@ -1069,8 +1091,6 @@ again:
                        if (likely(buf)) {
                                res = link_send_buf_fast(l_ptr, buf,
                                                         &sender->max_pkt);
-                                if (unlikely(res < 0))
-                                        buf_discard(buf);
 exit:
                                tipc_node_unlock(node);
                                read_unlock_bh(&tipc_net_lock);
@@ -1105,7 +1125,8 @@ exit:
                                goto again;
                        return link_send_sections_long(sender, msg_sect,
-                                                       num_sect, destaddr);
+                                                       num_sect, total_len,
+                                                       destaddr);
                }
                tipc_node_unlock(node);
        }
@@ -1117,7 +1138,7 @@ exit:
                return tipc_reject_msg(buf, TIPC_ERR_NO_NODE);
        if (res >= 0)
                return tipc_port_reject_sections(sender, hdr, msg_sect, num_sect,
-                                                 TIPC_ERR_NO_NODE);
+                                                 total_len, TIPC_ERR_NO_NODE);
        return res;
 }
@@ -1138,12 +1159,13 @@ exit:
 static int link_send_sections_long(struct tipc_port *sender,
                                   struct iovec const *msg_sect,
                                   u32 num_sect,
+                                   unsigned int total_len,
                                   u32 destaddr)
 {
        struct link *l_ptr;
        struct tipc_node *node;
        struct tipc_msg *hdr = &sender->phdr;
-        u32 dsz = msg_data_sz(hdr);
+        u32 dsz = total_len;
        u32 max_pkt, fragm_sz, rest;
        struct tipc_msg fragm_hdr;
        struct sk_buff *buf, *buf_chain, *prev;
@@ -1169,7 +1191,6 @@ again:
        tipc_msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
                 INT_H_SIZE, msg_destnode(hdr));
-        msg_set_link_selector(&fragm_hdr, sender->ref);
        msg_set_size(&fragm_hdr, max_pkt);
        msg_set_fragm_no(&fragm_hdr, 1);
@@ -1271,28 +1292,15 @@ reject:
                        buf_discard(buf_chain);
                }
                return tipc_port_reject_sections(sender, hdr, msg_sect, num_sect,
-                                                 TIPC_ERR_NO_NODE);
+                                                 total_len, TIPC_ERR_NO_NODE);
        }
-        /* Append whole chain to send queue: */
+        /* Append chain of fragments to send queue & send them */
-        buf = buf_chain;
+        l_ptr->long_msg_seq_no++;
-        l_ptr->long_msg_seq_no = mod(l_ptr->long_msg_seq_no + 1);
+        link_add_chain_to_outqueue(l_ptr, buf_chain, l_ptr->long_msg_seq_no);
-        if (!l_ptr->next_out)
+        l_ptr->stats.sent_fragments += fragm_no;
-                l_ptr->next_out = buf_chain;
        l_ptr->stats.sent_fragmented++;
-        while (buf) {
-                struct sk_buff *next = buf->next;
-                struct tipc_msg *msg = buf_msg(buf);
-                l_ptr->stats.sent_fragments++;
-                msg_set_long_msgno(msg, l_ptr->long_msg_seq_no);
-                link_add_to_outqueue(l_ptr, buf, msg);
-                buf = next;
-        }
-        /* Send it, if possible: */
        tipc_link_push_queue(l_ptr);
        tipc_node_unlock(node);
        return dsz;
@@ -2407,6 +2415,8 @@ void tipc_link_recv_bundle(struct sk_buff *buf)
 */
 static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
 {
+        struct sk_buff *buf_chain = NULL;
+        struct sk_buff *buf_chain_tail = (struct sk_buff *)&buf_chain;
        struct tipc_msg *inmsg = buf_msg(buf);
        struct tipc_msg fragm_hdr;
        u32 insize = msg_size(inmsg);
@@ -2415,7 +2425,7 @@ static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
        u32 rest = insize;
        u32 pack_sz = l_ptr->max_pkt;
        u32 fragm_sz = pack_sz - INT_H_SIZE;
-        u32 fragm_no = 1;
+        u32 fragm_no = 0;
        u32 destaddr;
        if (msg_short(inmsg))
@@ -2427,10 +2437,6 @@ static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
        tipc_msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
                 INT_H_SIZE, destaddr);
-        msg_set_link_selector(&fragm_hdr, msg_link_selector(inmsg));
-        msg_set_long_msgno(&fragm_hdr, mod(l_ptr->long_msg_seq_no++));
-        msg_set_fragm_no(&fragm_hdr, fragm_no);
-        l_ptr->stats.sent_fragmented++;
        /* Chop up message: */
@@ -2443,27 +2449,37 @@ static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
                }
                fragm = tipc_buf_acquire(fragm_sz + INT_H_SIZE);
                if (fragm == NULL) {
-                        warn("Link unable to fragment message\n");
+                        buf_discard(buf);
-                        dsz = -ENOMEM;
+                        while (buf_chain) {
-                        goto exit;
+                                buf = buf_chain;
+                                buf_chain = buf_chain->next;
+                                buf_discard(buf);
+                        }
+                        return -ENOMEM;
                }
                msg_set_size(&fragm_hdr, fragm_sz + INT_H_SIZE);
+                fragm_no++;
+                msg_set_fragm_no(&fragm_hdr, fragm_no);
                skb_copy_to_linear_data(fragm, &fragm_hdr, INT_H_SIZE);
                skb_copy_to_linear_data_offset(fragm, INT_H_SIZE, crs,
                                               fragm_sz);
-                /*  Send queued messages first, if any: */
+                buf_chain_tail->next = fragm;
+                buf_chain_tail = fragm;
-                l_ptr->stats.sent_fragments++;
-                tipc_link_send_buf(l_ptr, fragm);
-                if (!tipc_link_is_up(l_ptr))
-                        return dsz;
-                msg_set_fragm_no(&fragm_hdr, ++fragm_no);
                rest -= fragm_sz;
                crs += fragm_sz;
                msg_set_type(&fragm_hdr, FRAGMENT);
        }
-exit:
        buf_discard(buf);
+        /* Append chain of fragments to send queue & send them */
+        l_ptr->long_msg_seq_no++;
+        link_add_chain_to_outqueue(l_ptr, buf_chain, l_ptr->long_msg_seq_no);
+        l_ptr->stats.sent_fragments += fragm_no;
+        l_ptr->stats.sent_fragmented++;
+        tipc_link_push_queue(l_ptr);
        return dsz;
 }
diff --git a/net/tipc/link.h b/net/tipc/link.h
index e6a30dbe1aaa..74fbecab1ea0 100644
--- a/net/tipc/link.h
+++ b/net/tipc/link.h
@@ -228,6 +228,7 @@ u32 tipc_link_get_max_pkt(u32 dest, u32 selector);
 int tipc_link_send_sections_fast(struct tipc_port *sender,
                                 struct iovec const *msg_sect,
                                 const u32 num_sect,
+                                 unsigned int total_len,
                                 u32 destnode);
 void tipc_link_recv_bundle(struct sk_buff *buf);
 int  tipc_link_recv_fragment(struct sk_buff **pending,
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 6d92d17e7fb5..03e57bf92c73 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -68,20 +68,6 @@ void tipc_msg_init(struct tipc_msg *m, u32 user, u32 type,
 }
 /**
- * tipc_msg_calc_data_size - determine total data size for message
- */
-int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect)
-{
-        int dsz = 0;
-        int i;
-        for (i = 0; i < num_sect; i++)
-                dsz += msg_sect[i].iov_len;
-        return dsz;
-}
-/**
 * tipc_msg_build - create message using specified header and data
 *
 * Note: Caller must not hold any locks in case copy_from_user() is interrupted!
@@ -89,18 +75,13 @@ int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect)
 * Returns message data size or errno
 */
-int tipc_msg_build(struct tipc_msg *hdr,
+int tipc_msg_build(struct tipc_msg *hdr, struct iovec const *msg_sect,
-                            struct iovec const *msg_sect, u32 num_sect,
+                   u32 num_sect, unsigned int total_len,
                            int max_size, int usrmem, struct sk_buff **buf)
 {
        int dsz, sz, hsz, pos, res, cnt;
-        dsz = tipc_msg_calc_data_size(msg_sect, num_sect);
+        dsz = total_len;
-        if (unlikely(dsz > TIPC_MAX_USER_MSG_SIZE)) {
-                *buf = NULL;
-                return -EINVAL;
-        }
        pos = hsz = msg_hdr_sz(hdr);
        sz = hsz + dsz;
        msg_set_size(hdr, sz);
diff --git a/net/tipc/msg.h b/net/tipc/msg.h
index de02339fc175..8452454731fa 100644
--- a/net/tipc/msg.h
+++ b/net/tipc/msg.h
@@ -39,41 +39,24 @@
 #include "bearer.h"
+/*
+ * Constants and routines used to read and write TIPC payload message headers
+ *
+ * Note: Some items are also used with TIPC internal message headers
+ */
 #define TIPC_VERSION              2
 /*
- *              TIPC user data message header format, version 2:
+ * Payload message users are defined in TIPC's public API:
- *
+ * - TIPC_LOW_IMPORTANCE
- *
+ * - TIPC_MEDIUM_IMPORTANCE
- *     1 0 9 8 7 6 5 4|3 2 1 0 9 8 7 6|5 4 3 2 1 0 9 8|7 6 5 4 3 2 1 0
+ * - TIPC_HIGH_IMPORTANCE
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * - TIPC_CRITICAL_IMPORTANCE
- * w0:|vers | user  |hdr sz |n|d|s|-|          message size           |
+ */
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w1:|mstyp| error |rer cnt|lsc|opt p|      broadcast ack no         |
+/*
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * Payload message types
- * w2:|        link level ack no      |   broadcast/link level seq no |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w3:|                       previous node                           |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w4:|                      originating port                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w5:|                      destination port                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w6:|                      originating node                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w7:|                      destination node                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w8:|            name type / transport sequence number              |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w9:|              name instance/multicast lower bound              |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * wA:|                    multicast upper bound                      |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *    /                                                               /
- *    \                           options                             \
- *    /                                                               /
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
 */
 #define TIPC_CONN_MSG           0
@@ -81,6 +64,9 @@
 #define TIPC_NAMED_MSG          2
 #define TIPC_DIRECT_MSG         3
+/*
+ * Message header sizes
+ */
 #define SHORT_H_SIZE              24    /* Connected, in-cluster messages */
 #define DIR_MSG_H_SIZE            32    /* Directly addressed messages */
@@ -473,40 +459,11 @@ static inline struct tipc_msg *msg_get_wrapped(struct tipc_msg *m)
 /*
-                TIPC internal message header format, version 2
+ * Constants and routines used to read and write TIPC internal message headers
+ */
-       1 0 9 8 7 6 5 4|3 2 1 0 9 8 7 6|5 4 3 2 1 0 9 8|7 6 5 4 3 2 1 0
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w0:|vers |msg usr|hdr sz |n|resrv|            packet size          |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w1:|m typ|      sequence gap       |       broadcast ack no        |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w2:| link level ack no/bc_gap_from |     seq no / bcast_gap_to     |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w3:|                       previous node                           |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w4:|  next sent broadcast/fragm no | next sent pkt/ fragm msg no   |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w5:|          session no           |rsv=0|r|berid|link prio|netpl|p|
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w6:|                      originating node                         |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w7:|                      destination node                         |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w8:|                   transport sequence number                   |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w9:|   msg count / bcast tag       |       link tolerance          |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      \                                                               \
-      /                     User Specific Data                        /
-      \                                                               \
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      NB: CONN_MANAGER use data message format. LINK_CONFIG has own format.
-*/
 /*
- * Internal users
+ * Internal message users
 */
 #define  BCAST_PROTOCOL       5
@@ -520,7 +477,7 @@ static inline struct tipc_msg *msg_get_wrapped(struct tipc_msg *m)
 #define  LINK_CONFIG          13
 /*
- *  Connection management protocol messages
+ *  Connection management protocol message types
 */
 #define CONN_PROBE        0
@@ -528,12 +485,41 @@ static inline struct tipc_msg *msg_get_wrapped(struct tipc_msg *m)
 #define CONN_ACK          2
 /*
- * Name distributor messages
+ * Name distributor message types
 */
 #define PUBLICATION       0
 #define WITHDRAWAL        1
+/*
+ * Segmentation message types
+ */
+#define FIRST_FRAGMENT          0
+#define FRAGMENT                1
+#define LAST_FRAGMENT           2
+/*
+ * Link management protocol message types
+ */
+#define STATE_MSG               0
+#define RESET_MSG               1
+#define ACTIVATE_MSG            2
+/*
+ * Changeover tunnel message types
+ */
+#define DUPLICATE_MSG           0
+#define ORIGINAL_MSG            1
+/*
+ * Config protocol message types
+ */
+#define DSC_REQ_MSG             0
+#define DSC_RESP_MSG            1
 /*
 * Word 1
@@ -761,50 +747,11 @@ static inline void msg_set_link_tolerance(struct tipc_msg *m, u32 n)
        msg_set_bits(m, 9, 0, 0xffff, n);
 }
-/*
- * Segmentation message types
- */
-#define FIRST_FRAGMENT     0
-#define FRAGMENT           1
-#define LAST_FRAGMENT      2
-/*
- * Link management protocol message types
- */
-#define STATE_MSG       0
-#define RESET_MSG       1
-#define ACTIVATE_MSG    2
-/*
- * Changeover tunnel message types
- */
-#define DUPLICATE_MSG    0
-#define ORIGINAL_MSG     1
-/*
- * Routing table message types
- */
-#define EXT_ROUTING_TABLE    0
-#define LOCAL_ROUTING_TABLE  1          /* obsoleted */
-#define SLAVE_ROUTING_TABLE  2
-#define ROUTE_ADDITION       3
-#define ROUTE_REMOVAL        4
-/*
- * Config protocol message types
- */
-#define DSC_REQ_MSG          0
-#define DSC_RESP_MSG         1
 u32 tipc_msg_tot_importance(struct tipc_msg *m);
 void tipc_msg_init(struct tipc_msg *m, u32 user, u32 type,
                            u32 hsize, u32 destnode);
-int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect);
+int tipc_msg_build(struct tipc_msg *hdr, struct iovec const *msg_sect,
-int tipc_msg_build(struct tipc_msg *hdr,
+                   u32 num_sect, unsigned int total_len,
-                            struct iovec const *msg_sect, u32 num_sect,
                            int max_size, int usrmem, struct sk_buff **buf);
 static inline void msg_set_media_addr(struct tipc_msg *m, struct tipc_media_addr *a)
diff --git a/net/tipc/port.c b/net/tipc/port.c
index 6ff78f9c7d65..c68dc956a423 100644
--- a/net/tipc/port.c
+++ b/net/tipc/port.c
@@ -74,7 +74,8 @@ static u32 port_peerport(struct tipc_port *p_ptr)
 */
 int tipc_multicast(u32 ref, struct tipc_name_seq const *seq,
-                   u32 num_sect, struct iovec const *msg_sect)
+                   u32 num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len)
 {
        struct tipc_msg *hdr;
        struct sk_buff *buf;
@@ -91,11 +92,14 @@ int tipc_multicast(u32 ref, struct tipc_name_seq const *seq,
        hdr = &oport->phdr;
        msg_set_type(hdr, TIPC_MCAST_MSG);
+        msg_set_lookup_scope(hdr, TIPC_CLUSTER_SCOPE);
+        msg_set_destport(hdr, 0);
+        msg_set_destnode(hdr, 0);
        msg_set_nametype(hdr, seq->type);
        msg_set_namelower(hdr, seq->lower);
        msg_set_nameupper(hdr, seq->upper);
        msg_set_hdr_sz(hdr, MCAST_H_SIZE);
-        res = tipc_msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, total_len, MAX_MSG_SIZE,
                        !oport->user_port, &buf);
        if (unlikely(!buf))
                return res;
@@ -161,6 +165,7 @@ void tipc_port_recv_mcast(struct sk_buff *buf, struct port_list *dp)
        /* Deliver a copy of message to each destination port */
        if (dp->count != 0) {
+                msg_set_destnode(msg, tipc_own_addr);
                if (dp->count == 1) {
                        msg_set_destport(msg, dp->ports[0]);
                        tipc_port_recv_msg(buf);
@@ -414,12 +419,12 @@ int tipc_reject_msg(struct sk_buff *buf, u32 err)
 int tipc_port_reject_sections(struct tipc_port *p_ptr, struct tipc_msg *hdr,
                              struct iovec const *msg_sect, u32 num_sect,
-                              int err)
+                              unsigned int total_len, int err)
 {
        struct sk_buff *buf;
        int res;
-        res = tipc_msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, total_len, MAX_MSG_SIZE,
                        !p_ptr->user_port, &buf);
        if (!buf)
                return res;
@@ -1065,6 +1070,7 @@ int tipc_connect2port(u32 ref, struct tipc_portid const *peer)
        msg_set_orignode(msg, tipc_own_addr);
        msg_set_origport(msg, p_ptr->ref);
        msg_set_type(msg, TIPC_CONN_MSG);
+        msg_set_lookup_scope(msg, 0);
        msg_set_hdr_sz(msg, SHORT_H_SIZE);
        p_ptr->probing_interval = PROBING_INTERVAL;
@@ -1158,12 +1164,13 @@ int tipc_shutdown(u32 ref)
 */
 static int tipc_port_recv_sections(struct tipc_port *sender, unsigned int num_sect,
-                                   struct iovec const *msg_sect)
+                                   struct iovec const *msg_sect,
+                                   unsigned int total_len)
 {
        struct sk_buff *buf;
        int res;
-        res = tipc_msg_build(&sender->phdr, msg_sect, num_sect,
+        res = tipc_msg_build(&sender->phdr, msg_sect, num_sect, total_len,
                        MAX_MSG_SIZE, !sender->user_port, &buf);
        if (likely(buf))
                tipc_port_recv_msg(buf);
@@ -1174,7 +1181,8 @@ static int tipc_port_recv_sections(struct tipc_port *sender, unsigned int num_se
 * tipc_send - send message sections on connection
 */
-int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect)
+int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect,
+              unsigned int total_len)
 {
        struct tipc_port *p_ptr;
        u32 destnode;
@@ -1189,9 +1197,10 @@ int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect)
                destnode = port_peernode(p_ptr);
                if (likely(destnode != tipc_own_addr))
                        res = tipc_link_send_sections_fast(p_ptr, msg_sect, num_sect,
-                                                           destnode);
+                                                           total_len, destnode);
                else
-                        res = tipc_port_recv_sections(p_ptr, num_sect, msg_sect);
+                        res = tipc_port_recv_sections(p_ptr, num_sect, msg_sect,
+                                                      total_len);
                if (likely(res != -ELINKCONG)) {
                        p_ptr->congested = 0;
@@ -1202,8 +1211,7 @@ int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect)
        }
        if (port_unreliable(p_ptr)) {
                p_ptr->congested = 0;
-                /* Just calculate msg length and return */
+                return total_len;
-                return tipc_msg_calc_data_size(msg_sect, num_sect);
        }
        return -ELINKCONG;
 }
@@ -1213,7 +1221,8 @@ int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect)
 */
 int tipc_send2name(u32 ref, struct tipc_name const *name, unsigned int domain,
-           unsigned int num_sect, struct iovec const *msg_sect)
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len)
 {
        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
@@ -1240,23 +1249,23 @@ int tipc_send2name(u32 ref, struct tipc_name const *name, unsigned int domain,
        if (likely(destport)) {
                if (likely(destnode == tipc_own_addr))
                        res = tipc_port_recv_sections(p_ptr, num_sect,
-                                                      msg_sect);
+                                                      msg_sect, total_len);
                else
                        res = tipc_link_send_sections_fast(p_ptr, msg_sect,
-                                                           num_sect, destnode);
+                                                           num_sect, total_len,
+                                                           destnode);
                if (likely(res != -ELINKCONG)) {
                        if (res > 0)
                                p_ptr->sent++;
                        return res;
                }
                if (port_unreliable(p_ptr)) {
-                        /* Just calculate msg length and return */
+                        return total_len;
-                        return tipc_msg_calc_data_size(msg_sect, num_sect);
                }
                return -ELINKCONG;
        }
        return tipc_port_reject_sections(p_ptr, msg, msg_sect, num_sect,
-                                         TIPC_ERR_NO_NAME);
+                                         total_len, TIPC_ERR_NO_NAME);
 }
 /**
@@ -1264,7 +1273,8 @@ int tipc_send2name(u32 ref, struct tipc_name const *name, unsigned int domain,
 */
 int tipc_send2port(u32 ref, struct tipc_portid const *dest,
-           unsigned int num_sect, struct iovec const *msg_sect)
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len)
 {
        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
@@ -1276,6 +1286,7 @@ int tipc_send2port(u32 ref, struct tipc_portid const *dest,
        msg = &p_ptr->phdr;
        msg_set_type(msg, TIPC_DIRECT_MSG);
+        msg_set_lookup_scope(msg, 0);
        msg_set_orignode(msg, tipc_own_addr);
        msg_set_origport(msg, ref);
        msg_set_destnode(msg, dest->node);
@@ -1283,18 +1294,18 @@ int tipc_send2port(u32 ref, struct tipc_portid const *dest,
        msg_set_hdr_sz(msg, DIR_MSG_H_SIZE);
        if (dest->node == tipc_own_addr)
-                res =  tipc_port_recv_sections(p_ptr, num_sect, msg_sect);
+                res =  tipc_port_recv_sections(p_ptr, num_sect, msg_sect,
+                                               total_len);
        else
                res = tipc_link_send_sections_fast(p_ptr, msg_sect, num_sect,
-                                                   dest->node);
+                                                   total_len, dest->node);
        if (likely(res != -ELINKCONG)) {
                if (res > 0)
                        p_ptr->sent++;
                return res;
        }
        if (port_unreliable(p_ptr)) {
-                /* Just calculate msg length and return */
+                return total_len;
-                return tipc_msg_calc_data_size(msg_sect, num_sect);
        }
        return -ELINKCONG;
 }
diff --git a/net/tipc/port.h b/net/tipc/port.h
index 87b9424ae0ec..b9aa34195aec 100644
--- a/net/tipc/port.h
+++ b/net/tipc/port.h
@@ -205,23 +205,27 @@ int tipc_disconnect_port(struct tipc_port *tp_ptr);
 /*
 * TIPC messaging routines
 */
-int tipc_send(u32 portref, unsigned int num_sect, struct iovec const *msg_sect);
+int tipc_send(u32 portref, unsigned int num_sect, struct iovec const *msg_sect,
+              unsigned int total_len);
 int tipc_send2name(u32 portref, struct tipc_name const *name, u32 domain,
-                unsigned int num_sect, struct iovec const *msg_sect);
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len);
 int tipc_send2port(u32 portref, struct tipc_portid const *dest,
-                unsigned int num_sect, struct iovec const *msg_sect);
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len);
 int tipc_send_buf2port(u32 portref, struct tipc_portid const *dest,
                struct sk_buff *buf, unsigned int dsz);
 int tipc_multicast(u32 portref, struct tipc_name_seq const *seq,
-                unsigned int section_count, struct iovec const *msg);
+                   unsigned int section_count, struct iovec const *msg,
+                   unsigned int total_len);
 int tipc_port_reject_sections(struct tipc_port *p_ptr, struct tipc_msg *hdr,
                              struct iovec const *msg_sect, u32 num_sect,
-                              int err);
+                              unsigned int total_len, int err);
 struct sk_buff *tipc_port_get_ports(void);
 void tipc_port_recv_proto_msg(struct sk_buff *buf);
 void tipc_port_recv_mcast(struct sk_buff *buf, struct port_list *dp);
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 29d94d53198d..338837396642 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -535,6 +535,9 @@ static int send_msg(struct kiocb *iocb, struct socket *sock,
        if (unlikely((m->msg_namelen < sizeof(*dest)) ||
                     (dest->family != AF_TIPC)))
                return -EINVAL;
+        if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
+            (m->msg_iovlen > (unsigned)INT_MAX))
+                return -EMSGSIZE;
        if (iocb)
                lock_sock(sk);
@@ -573,12 +576,14 @@ static int send_msg(struct kiocb *iocb, struct socket *sock,
                                             &dest->addr.name.name,
                                             dest->addr.name.domain,
                                             m->msg_iovlen,
-                                             m->msg_iov);
+                                             m->msg_iov,
+                                             total_len);
                } else if (dest->addrtype == TIPC_ADDR_ID) {
                        res = tipc_send2port(tport->ref,
                                             &dest->addr.id,
                                             m->msg_iovlen,
-                                             m->msg_iov);
+                                             m->msg_iov,
+                                             total_len);
                } else if (dest->addrtype == TIPC_ADDR_MCAST) {
                        if (needs_conn) {
                                res = -EOPNOTSUPP;
@@ -590,7 +595,8 @@ static int send_msg(struct kiocb *iocb, struct socket *sock,
                        res = tipc_multicast(tport->ref,
                                             &dest->addr.nameseq,
                                             m->msg_iovlen,
-                                             m->msg_iov);
+                                             m->msg_iov,
+                                             total_len);
                }
                if (likely(res != -ELINKCONG)) {
                        if (needs_conn && (res >= 0))
@@ -640,6 +646,10 @@ static int send_packet(struct kiocb *iocb, struct socket *sock,
        if (unlikely(dest))
                return send_msg(iocb, sock, m, total_len);
+        if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
+            (m->msg_iovlen > (unsigned)INT_MAX))
+                return -EMSGSIZE;
        if (iocb)
                lock_sock(sk);
@@ -652,7 +662,8 @@ static int send_packet(struct kiocb *iocb, struct socket *sock,
                        break;
                }
-                res = tipc_send(tport->ref, m->msg_iovlen, m->msg_iov);
+                res = tipc_send(tport->ref, m->msg_iovlen, m->msg_iov,
+                                total_len);
                if (likely(res != -ELINKCONG))
                        break;
                if (m->msg_flags & MSG_DONTWAIT) {
@@ -723,6 +734,12 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
                goto exit;
        }
+        if ((total_len > (unsigned)INT_MAX) ||
+            (m->msg_iovlen > (unsigned)INT_MAX)) {
+                res = -EMSGSIZE;
+                goto exit;
+        }
        /*
         * Send each iovec entry using one or more messages
         *
@@ -753,7 +770,7 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
                                bytes_to_send = curr_left;
                        my_iov.iov_base = curr_start;
                        my_iov.iov_len = bytes_to_send;
-                        res = send_packet(NULL, sock, &my_msg, 0);
+                        res = send_packet(NULL, sock, &my_msg, bytes_to_send);
                        if (res < 0) {
                                if (bytes_sent)
                                        res = bytes_sent;
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index aae9eae13404..6cf726863485 100644
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -109,7 +109,7 @@ static void subscr_send_event(struct subscription *sub,
        sub->evt.found_upper = htohl(found_upper, sub->swap);
        sub->evt.port.ref = htohl(port_ref, sub->swap);
        sub->evt.port.node = htohl(node, sub->swap);
-        tipc_send(sub->server_ref, 1, &msg_sect);
+        tipc_send(sub->server_ref, 1, &msg_sect, msg_sect.iov_len);
 }
 /**
@@ -521,7 +521,7 @@ static void subscr_named_msg_event(void *usr_handle,
        /* Send an ACK- to complete connection handshaking */
-        tipc_send(server_port_ref, 0, NULL);
+        tipc_send(server_port_ref, 0, NULL, 0);
        /* Handle optional subscription request */
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index b1d75beb7e20..0722a25a3a33 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2254,7 +2254,7 @@ static int unix_seq_show(struct seq_file *seq, void *v)
                struct unix_sock *u = unix_sk(s);
                unix_state_lock(s);
-                seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
+                seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
                        s,
                        atomic_read(&s->sk_refcnt),
                        0,
diff --git a/net/wireless/core.c b/net/wireless/core.c
index fe01de29bfe8..880dbe2e6f94 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -46,6 +46,11 @@ static struct dentry *ieee80211_debugfs_dir;
 /* for the cleanup, scan and event works */
 struct workqueue_struct *cfg80211_wq;
+static bool cfg80211_disable_40mhz_24ghz;
+module_param(cfg80211_disable_40mhz_24ghz, bool, 0644);
+MODULE_PARM_DESC(cfg80211_disable_40mhz_24ghz,
+                 "Disable 40MHz support in the 2.4GHz band");
 /* requires cfg80211_mutex to be held! */
 struct cfg80211_registered_device *cfg80211_rdev_by_wiphy_idx(int wiphy_idx)
 {
@@ -361,11 +366,12 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
        mutex_init(&rdev->mtx);
        mutex_init(&rdev->devlist_mtx);
+        mutex_init(&rdev->sched_scan_mtx);
        INIT_LIST_HEAD(&rdev->netdev_list);
        spin_lock_init(&rdev->bss_lock);
        INIT_LIST_HEAD(&rdev->bss_list);
        INIT_WORK(&rdev->scan_done_wk, __cfg80211_scan_done);
+        INIT_WORK(&rdev->sched_scan_results_wk, __cfg80211_sched_scan_results);
 #ifdef CONFIG_CFG80211_WEXT
        rdev->wiphy.wext = &cfg80211_wext_handler;
 #endif
@@ -411,6 +417,67 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
 }
 EXPORT_SYMBOL(wiphy_new);
+static int wiphy_verify_combinations(struct wiphy *wiphy)
+{
+        const struct ieee80211_iface_combination *c;
+        int i, j;
+        /* If we have combinations enforce them */
+        if (wiphy->n_iface_combinations)
+                wiphy->flags |= WIPHY_FLAG_ENFORCE_COMBINATIONS;
+        for (i = 0; i < wiphy->n_iface_combinations; i++) {
+                u32 cnt = 0;
+                u16 all_iftypes = 0;
+                c = &wiphy->iface_combinations[i];
+                /* Combinations with just one interface aren't real */
+                if (WARN_ON(c->max_interfaces < 2))
+                        return -EINVAL;
+                /* Need at least one channel */
+                if (WARN_ON(!c->num_different_channels))
+                        return -EINVAL;
+                if (WARN_ON(!c->n_limits))
+                        return -EINVAL;
+                for (j = 0; j < c->n_limits; j++) {
+                        u16 types = c->limits[j].types;
+                        /*
+                         * interface types shouldn't overlap, this is
+                         * used in cfg80211_can_change_interface()
+                         */
+                        if (WARN_ON(types & all_iftypes))
+                                return -EINVAL;
+                        all_iftypes |= types;
+                        if (WARN_ON(!c->limits[j].max))
+                                return -EINVAL;
+                        /* Shouldn't list software iftypes in combinations! */
+                        if (WARN_ON(wiphy->software_iftypes & types))
+                                return -EINVAL;
+                        cnt += c->limits[j].max;
+                        /*
+                         * Don't advertise an unsupported type
+                         * in a combination.
+                         */
+                        if (WARN_ON((wiphy->interface_modes & types) != types))
+                                return -EINVAL;
+                }
+                /* You can't even choose that many! */
+                if (WARN_ON(cnt < c->max_interfaces))
+                        return -EINVAL;
+        }
+        return 0;
+}
 int wiphy_register(struct wiphy *wiphy)
 {
        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
@@ -439,6 +506,10 @@ int wiphy_register(struct wiphy *wiphy)
        if (WARN_ON(ifmodes != wiphy->interface_modes))
                wiphy->interface_modes = ifmodes;
+        res = wiphy_verify_combinations(wiphy);
+        if (res)
+                return res;
        /* sanity check supported bands/channels */
        for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
                sband = wiphy->bands[band];
@@ -451,6 +522,18 @@ int wiphy_register(struct wiphy *wiphy)
                        return -EINVAL;
                /*
+                 * Since cfg80211_disable_40mhz_24ghz is global, we can
+                 * modify the sband's ht data even if the driver uses a
+                 * global structure for that.
+                 */
+                if (cfg80211_disable_40mhz_24ghz &&
+                    band == IEEE80211_BAND_2GHZ &&
+                    sband->ht_cap.ht_supported) {
+                        sband->ht_cap.cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
+                        sband->ht_cap.cap &= ~IEEE80211_HT_CAP_SGI_40;
+                }
+                /*
                 * Since we use a u32 for rate bitmaps in
                 * ieee80211_get_response_rate, we cannot
                 * have more than 32 legacy rates.
@@ -476,6 +559,13 @@ int wiphy_register(struct wiphy *wiphy)
                return -EINVAL;
        }
+        if (rdev->wiphy.wowlan.n_patterns) {
+                if (WARN_ON(!rdev->wiphy.wowlan.pattern_min_len ||
+                            rdev->wiphy.wowlan.pattern_min_len >
+                            rdev->wiphy.wowlan.pattern_max_len))
+                        return -EINVAL;
+        }
        /* check and set up bitrates */
        ieee80211_set_bitrate_flags(wiphy);
@@ -612,8 +702,10 @@ void cfg80211_dev_free(struct cfg80211_registered_device *rdev)
        rfkill_destroy(rdev->rfkill);
        mutex_destroy(&rdev->mtx);
        mutex_destroy(&rdev->devlist_mtx);
+        mutex_destroy(&rdev->sched_scan_mtx);
        list_for_each_entry_safe(scan, tmp, &rdev->bss_list, list)
                cfg80211_put_bss(&scan->pub);
+        cfg80211_rdev_free_wowlan(rdev);
        kfree(rdev);
 }
@@ -649,6 +741,15 @@ static void wdev_cleanup_work(struct work_struct *work)
        cfg80211_unlock_rdev(rdev);
+        mutex_lock(&rdev->sched_scan_mtx);
+        if (WARN_ON(rdev->sched_scan_req &&
+                    rdev->sched_scan_req->dev == wdev->netdev)) {
+                __cfg80211_stop_sched_scan(rdev, false);
+        }
+        mutex_unlock(&rdev->sched_scan_mtx);
        mutex_lock(&rdev->devlist_mtx);
        rdev->opencount--;
        mutex_unlock(&rdev->devlist_mtx);
@@ -668,6 +769,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
        struct net_device *dev = ndev;
        struct wireless_dev *wdev = dev->ieee80211_ptr;
        struct cfg80211_registered_device *rdev;
+        int ret;
        if (!wdev)
                return NOTIFY_DONE;
@@ -734,6 +836,10 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                        break;
                case NL80211_IFTYPE_P2P_CLIENT:
                case NL80211_IFTYPE_STATION:
+                        mutex_lock(&rdev->sched_scan_mtx);
+                        __cfg80211_stop_sched_scan(rdev, false);
+                        mutex_unlock(&rdev->sched_scan_mtx);
                        wdev_lock(wdev);
 #ifdef CONFIG_CFG80211_WEXT
                        kfree(wdev->wext.ie);
@@ -752,6 +858,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                default:
                        break;
                }
+                wdev->beacon_interval = 0;
                break;
        case NETDEV_DOWN:
                dev_hold(dev);
@@ -858,6 +965,9 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                        return notifier_from_errno(-EOPNOTSUPP);
                if (rfkill_blocked(rdev->rfkill))
                        return notifier_from_errno(-ERFKILL);
+                ret = cfg80211_can_add_interface(rdev, wdev->iftype);
+                if (ret)
+                        return notifier_from_errno(ret);
                break;
        }
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 26a0a084e16b..a570ff9214ec 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -60,8 +60,12 @@ struct cfg80211_registered_device {
        struct rb_root bss_tree;
        u32 bss_generation;
        struct cfg80211_scan_request *scan_req; /* protected by RTNL */
+        struct cfg80211_sched_scan_request *sched_scan_req;
        unsigned long suspend_at;
        struct work_struct scan_done_wk;
+        struct work_struct sched_scan_results_wk;
+        struct mutex sched_scan_mtx;
 #ifdef CONFIG_NL80211_TESTMODE
        struct genl_info *testmode_info;
@@ -70,6 +74,8 @@ struct cfg80211_registered_device {
        struct work_struct conn_work;
        struct work_struct event_work;
+        struct cfg80211_wowlan *wowlan;
        /* must be last because of the way we do wiphy_priv(),
         * and it should at least be aligned to NETDEV_ALIGN */
        struct wiphy wiphy __attribute__((__aligned__(NETDEV_ALIGN)));
@@ -89,6 +95,18 @@ bool wiphy_idx_valid(int wiphy_idx)
        return wiphy_idx >= 0;
 }
+static inline void
+cfg80211_rdev_free_wowlan(struct cfg80211_registered_device *rdev)
+{
+        int i;
+        if (!rdev->wowlan)
+                return;
+        for (i = 0; i < rdev->wowlan->n_patterns; i++)
+                kfree(rdev->wowlan->patterns[i].mask);
+        kfree(rdev->wowlan->patterns);
+        kfree(rdev->wowlan);
+}
 extern struct workqueue_struct *cfg80211_wq;
 extern struct mutex cfg80211_mutex;
@@ -229,6 +247,7 @@ struct cfg80211_event {
                        u16 status;
                } cr;
                struct {
+                        struct ieee80211_channel *channel;
                        u8 bssid[ETH_ALEN];
                        const u8 *req_ie;
                        const u8 *resp_ie;
@@ -376,7 +395,9 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
 int cfg80211_disconnect(struct cfg80211_registered_device *rdev,
                        struct net_device *dev, u16 reason,
                        bool wextev);
-void __cfg80211_roamed(struct wireless_dev *wdev, const u8 *bssid,
+void __cfg80211_roamed(struct wireless_dev *wdev,
+                       struct ieee80211_channel *channel,
+                       const u8 *bssid,
                       const u8 *req_ie, size_t req_ie_len,
                       const u8 *resp_ie, size_t resp_ie_len);
 int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
@@ -397,12 +418,26 @@ void cfg80211_sme_rx_auth(struct net_device *dev, const u8 *buf, size_t len);
 void cfg80211_sme_disassoc(struct net_device *dev, int idx);
 void __cfg80211_scan_done(struct work_struct *wk);
 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak);
+void __cfg80211_sched_scan_results(struct work_struct *wk);
+int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
+                               bool driver_initiated);
 void cfg80211_upload_connect_keys(struct wireless_dev *wdev);
 int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
                          struct net_device *dev, enum nl80211_iftype ntype,
                          u32 *flags, struct vif_params *params);
 void cfg80211_process_rdev_events(struct cfg80211_registered_device *rdev);
+int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
+                                  struct wireless_dev *wdev,
+                                  enum nl80211_iftype iftype);
+static inline int
+cfg80211_can_add_interface(struct cfg80211_registered_device *rdev,
+                           enum nl80211_iftype iftype)
+{
+        return cfg80211_can_change_interface(rdev, NULL, iftype);
+}
 struct ieee80211_channel *
 rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
                  int freq, enum nl80211_channel_type channel_type);
@@ -412,6 +447,9 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
 u16 cfg80211_calculate_bitrate(struct rate_info *rate);
+int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,
+                                 u32 beacon_int);
 #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS
 #define CFG80211_DEV_WARN_ON(cond)      WARN_ON(cond)
 #else
diff --git a/net/wireless/lib80211_crypt_wep.c b/net/wireless/lib80211_crypt_wep.c
index e2e88878ba35..2f265e033ae2 100644
--- a/net/wireless/lib80211_crypt_wep.c
+++ b/net/wireless/lib80211_crypt_wep.c
@@ -96,13 +96,12 @@ static int lib80211_wep_build_iv(struct sk_buff *skb, int hdr_len,
                               u8 *key, int keylen, void *priv)
 {
        struct lib80211_wep_data *wep = priv;
-        u32 klen, len;
+        u32 klen;
        u8 *pos;
        if (skb_headroom(skb) < 4 || skb->len < hdr_len)
                return -1;
-        len = skb->len - hdr_len;
        pos = skb_push(skb, 4);
        memmove(pos, pos + 4, hdr_len);
        pos += hdr_len;
diff --git a/net/wireless/mesh.c b/net/wireless/mesh.c
index 73e39c171ffb..5c116083eeca 100644
--- a/net/wireless/mesh.c
+++ b/net/wireless/mesh.c
@@ -1,5 +1,6 @@
 #include <linux/ieee80211.h>
 #include <net/cfg80211.h>
+#include "nl80211.h"
 #include "core.h"
 /* Default values, timeouts in ms */
@@ -53,8 +54,9 @@ const struct mesh_config default_mesh_config = {
 const struct mesh_setup default_mesh_setup = {
        .path_sel_proto = IEEE80211_PATH_PROTOCOL_HWMP,
        .path_metric = IEEE80211_PATH_METRIC_AIRTIME,
-        .vendor_ie = NULL,
+        .ie = NULL,
-        .vendor_ie_len = 0,
+        .ie_len = 0,
+        .is_secure = false,
 };
 int __cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
@@ -72,6 +74,10 @@ int __cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
                return -EOPNOTSUPP;
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
+              setup->is_secure)
+                return -EOPNOTSUPP;
        if (wdev->mesh_id_len)
                return -EALREADY;
@@ -105,6 +111,19 @@ int cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
        return err;
 }
+void cfg80211_notify_new_peer_candidate(struct net_device *dev,
+                const u8 *macaddr, const u8* ie, u8 ie_len, gfp_t gfp)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
+                return;
+        nl80211_send_new_peer_candidate(wiphy_to_dev(wdev->wiphy), dev,
+                        macaddr, ie, ie_len, gfp);
+}
+EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
 static int __cfg80211_leave_mesh(struct cfg80211_registered_device *rdev,
                                 struct net_device *dev)
 {
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index aa5df8865ff7..493b939970cd 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -770,6 +770,15 @@ void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
 }
 EXPORT_SYMBOL(cfg80211_new_sta);
+void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
+{
+        struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+        nl80211_send_sta_del_event(rdev, dev, mac_addr, gfp);
+}
+EXPORT_SYMBOL(cfg80211_del_sta);
 struct cfg80211_mgmt_registration {
        struct list_head list;
@@ -954,6 +963,16 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
                        if (memcmp(mgmt->bssid, dev->dev_addr, ETH_ALEN))
                                err = -EINVAL;
                        break;
+                case NL80211_IFTYPE_MESH_POINT:
+                        if (memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN)) {
+                                err = -EINVAL;
+                                break;
+                        }
+                        /*
+                         * check for mesh DA must be done by driver as
+                         * cfg80211 doesn't track the stations
+                         */
+                        break;
                default:
                        err = -EOPNOTSUPP;
                        break;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 4ebce4284e9d..cea338150d05 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -124,6 +124,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
        [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
        [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
+        [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
        [NL80211_ATTR_HT_CAPABILITY] = { .type = NLA_BINARY,
                                         .len = NL80211_HT_CAPABILITY_LEN },
@@ -172,6 +173,9 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
        [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
        [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
        [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
+        [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
+        [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
+        [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
 };
 /* policy for the key attributes */
@@ -193,6 +197,15 @@ nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
        [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
 };
+/* policy for WoWLAN attributes */
+static const struct nla_policy
+nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
+        [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
+        [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
+        [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
+        [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
+};
 /* ifidx get helper */
 static int nl80211_get_ifidx(struct netlink_callback *cb)
 {
@@ -533,6 +546,7 @@ static int nl80211_key_allowed(struct wireless_dev *wdev)
        case NL80211_IFTYPE_AP:
        case NL80211_IFTYPE_AP_VLAN:
        case NL80211_IFTYPE_P2P_GO:
+        case NL80211_IFTYPE_MESH_POINT:
                break;
        case NL80211_IFTYPE_ADHOC:
                if (!wdev->current_bss)
@@ -550,6 +564,88 @@ static int nl80211_key_allowed(struct wireless_dev *wdev)
        return 0;
 }
+static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
+{
+        struct nlattr *nl_modes = nla_nest_start(msg, attr);
+        int i;
+        if (!nl_modes)
+                goto nla_put_failure;
+        i = 0;
+        while (ifmodes) {
+                if (ifmodes & 1)
+                        NLA_PUT_FLAG(msg, i);
+                ifmodes >>= 1;
+                i++;
+        }
+        nla_nest_end(msg, nl_modes);
+        return 0;
+nla_put_failure:
+        return -ENOBUFS;
+}
+static int nl80211_put_iface_combinations(struct wiphy *wiphy,
+                                          struct sk_buff *msg)
+{
+        struct nlattr *nl_combis;
+        int i, j;
+        nl_combis = nla_nest_start(msg,
+                                NL80211_ATTR_INTERFACE_COMBINATIONS);
+        if (!nl_combis)
+                goto nla_put_failure;
+        for (i = 0; i < wiphy->n_iface_combinations; i++) {
+                const struct ieee80211_iface_combination *c;
+                struct nlattr *nl_combi, *nl_limits;
+                c = &wiphy->iface_combinations[i];
+                nl_combi = nla_nest_start(msg, i + 1);
+                if (!nl_combi)
+                        goto nla_put_failure;
+                nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
+                if (!nl_limits)
+                        goto nla_put_failure;
+                for (j = 0; j < c->n_limits; j++) {
+                        struct nlattr *nl_limit;
+                        nl_limit = nla_nest_start(msg, j + 1);
+                        if (!nl_limit)
+                                goto nla_put_failure;
+                        NLA_PUT_U32(msg, NL80211_IFACE_LIMIT_MAX,
+                                    c->limits[j].max);
+                        if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
+                                                c->limits[j].types))
+                                goto nla_put_failure;
+                        nla_nest_end(msg, nl_limit);
+                }
+                nla_nest_end(msg, nl_limits);
+                if (c->beacon_int_infra_match)
+                        NLA_PUT_FLAG(msg,
+                                NL80211_IFACE_COMB_STA_AP_BI_MATCH);
+                NLA_PUT_U32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
+                            c->num_different_channels);
+                NLA_PUT_U32(msg, NL80211_IFACE_COMB_MAXNUM,
+                            c->max_interfaces);
+                nla_nest_end(msg, nl_combi);
+        }
+        nla_nest_end(msg, nl_combis);
+        return 0;
+nla_put_failure:
+        return -ENOBUFS;
+}
 static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                              struct cfg80211_registered_device *dev)
 {
@@ -557,13 +653,11 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
        struct nlattr *nl_bands, *nl_band;
        struct nlattr *nl_freqs, *nl_freq;
        struct nlattr *nl_rates, *nl_rate;
-        struct nlattr *nl_modes;
        struct nlattr *nl_cmds;
        enum ieee80211_band band;
        struct ieee80211_channel *chan;
        struct ieee80211_rate *rate;
        int i;
-        u16 ifmodes = dev->wiphy.interface_modes;
        const struct ieee80211_txrx_stypes *mgmt_stypes =
                                dev->wiphy.mgmt_stypes;
@@ -594,6 +688,8 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
        if (dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)
                NLA_PUT_FLAG(msg, NL80211_ATTR_SUPPORT_IBSS_RSN);
+        if (dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH)
+                NLA_PUT_FLAG(msg, NL80211_ATTR_SUPPORT_MESH_AUTH);
        NLA_PUT(msg, NL80211_ATTR_CIPHER_SUITES,
                sizeof(u32) * dev->wiphy.n_cipher_suites,
@@ -621,20 +717,10 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                }
        }
-        nl_modes = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_IFTYPES);
+        if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
-        if (!nl_modes)
+                                dev->wiphy.interface_modes))
                goto nla_put_failure;
-        i = 0;
-        while (ifmodes) {
-                if (ifmodes & 1)
-                        NLA_PUT_FLAG(msg, i);
-                ifmodes >>= 1;
-                i++;
-        }
-        nla_nest_end(msg, nl_modes);
        nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
        if (!nl_bands)
                goto nla_put_failure;
@@ -746,6 +832,8 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
        }
        CMD(set_channel, SET_CHANNEL);
        CMD(set_wds_peer, SET_WDS_PEER);
+        if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
+                CMD(sched_scan_start, START_SCHED_SCAN);
 #undef CMD
@@ -818,6 +906,42 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                nla_nest_end(msg, nl_ifs);
        }
+        if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
+                struct nlattr *nl_wowlan;
+                nl_wowlan = nla_nest_start(msg,
+                                NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
+                if (!nl_wowlan)
+                        goto nla_put_failure;
+                if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_ANY);
+                if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_DISCONNECT);
+                if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT);
+                if (dev->wiphy.wowlan.n_patterns) {
+                        struct nl80211_wowlan_pattern_support pat = {
+                                .max_patterns = dev->wiphy.wowlan.n_patterns,
+                                .min_pattern_len =
+                                        dev->wiphy.wowlan.pattern_min_len,
+                                .max_pattern_len =
+                                        dev->wiphy.wowlan.pattern_max_len,
+                        };
+                        NLA_PUT(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
+                                sizeof(pat), &pat);
+                }
+                nla_nest_end(msg, nl_wowlan);
+        }
+        if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
+                                dev->wiphy.software_iftypes))
+                goto nla_put_failure;
+        if (nl80211_put_iface_combinations(&dev->wiphy, msg))
+                goto nla_put_failure;
        return genlmsg_end(msg, hdr);
 nla_put_failure:
@@ -1679,14 +1803,6 @@ static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
                if (err)
                        goto out;
-                if (!(rdev->wiphy.flags &
-                                WIPHY_FLAG_SUPPORTS_SEPARATE_DEFAULT_KEYS)) {
-                        if (!key.def_uni || !key.def_multi) {
-                                err = -EOPNOTSUPP;
-                                goto out;
-                        }
-                }
                err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
                                                 key.def_uni, key.def_multi);
@@ -1837,8 +1953,9 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
                    struct beacon_parameters *info);
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct net_device *dev = info->user_ptr[1];
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
        struct beacon_parameters params;
-        int haveinfo = 0;
+        int haveinfo = 0, err;
        if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]))
                return -EINVAL;
@@ -1847,6 +1964,8 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
                return -EOPNOTSUPP;
+        memset(&params, 0, sizeof(params));
        switch (info->genlhdr->cmd) {
        case NL80211_CMD_NEW_BEACON:
                /* these are required for NEW_BEACON */
@@ -1855,6 +1974,15 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
                    !info->attrs[NL80211_ATTR_BEACON_HEAD])
                        return -EINVAL;
+                params.interval =
+                        nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
+                params.dtim_period =
+                        nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
+                err = cfg80211_validate_beacon_int(rdev, params.interval);
+                if (err)
+                        return err;
                call = rdev->ops->add_beacon;
                break;
        case NL80211_CMD_SET_BEACON:
@@ -1868,20 +1996,6 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
        if (!call)
                return -EOPNOTSUPP;
-        memset(&params, 0, sizeof(params));
-        if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
-                params.interval =
-                    nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
-                haveinfo = 1;
-        }
-        if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
-                params.dtim_period =
-                    nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
-                haveinfo = 1;
-        }
        if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
                params.head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
                params.head_len =
@@ -1899,13 +2013,18 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
        if (!haveinfo)
                return -EINVAL;
-        return call(&rdev->wiphy, dev, &params);
+        err = call(&rdev->wiphy, dev, &params);
+        if (!err && params.interval)
+                wdev->beacon_interval = params.interval;
+        return err;
 }
 static int nl80211_del_beacon(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct net_device *dev = info->user_ptr[1];
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        int err;
        if (!rdev->ops->del_beacon)
                return -EOPNOTSUPP;
@@ -1914,7 +2033,10 @@ static int nl80211_del_beacon(struct sk_buff *skb, struct genl_info *info)
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
                return -EOPNOTSUPP;
-        return rdev->ops->del_beacon(&rdev->wiphy, dev);
+        err = rdev->ops->del_beacon(&rdev->wiphy, dev);
+        if (!err)
+                wdev->beacon_interval = 0;
+        return err;
 }
 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
@@ -1922,6 +2044,7 @@ static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
        [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
        [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
        [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
+        [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
 };
 static int parse_station_flags(struct genl_info *info,
@@ -2002,7 +2125,7 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
                                const u8 *mac_addr, struct station_info *sinfo)
 {
        void *hdr;
-        struct nlattr *sinfoattr;
+        struct nlattr *sinfoattr, *bss_param;
        hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
        if (!hdr)
@@ -2016,6 +2139,9 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
        sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
        if (!sinfoattr)
                goto nla_put_failure;
+        if (sinfo->filled & STATION_INFO_CONNECTED_TIME)
+                NLA_PUT_U32(msg, NL80211_STA_INFO_CONNECTED_TIME,
+                            sinfo->connected_time);
        if (sinfo->filled & STATION_INFO_INACTIVE_TIME)
                NLA_PUT_U32(msg, NL80211_STA_INFO_INACTIVE_TIME,
                            sinfo->inactive_time);
@@ -2062,6 +2188,25 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
        if (sinfo->filled & STATION_INFO_TX_FAILED)
                NLA_PUT_U32(msg, NL80211_STA_INFO_TX_FAILED,
                            sinfo->tx_failed);
+        if (sinfo->filled & STATION_INFO_BSS_PARAM) {
+                bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
+                if (!bss_param)
+                        goto nla_put_failure;
+                if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT)
+                        NLA_PUT_FLAG(msg, NL80211_STA_BSS_PARAM_CTS_PROT);
+                if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE)
+                        NLA_PUT_FLAG(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE);
+                if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME)
+                        NLA_PUT_FLAG(msg,
+                                     NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME);
+                NLA_PUT_U8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
+                           sinfo->bss_param.dtim_period);
+                NLA_PUT_U16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
+                            sinfo->bss_param.beacon_interval);
+                nla_nest_end(msg, bss_param);
+        }
        nla_nest_end(msg, sinfoattr);
        return genlmsg_end(msg, hdr);
@@ -2190,6 +2335,7 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
        memset(&params, 0, sizeof(params));
        params.listen_interval = -1;
+        params.plink_state = -1;
        if (info->attrs[NL80211_ATTR_STA_AID])
                return -EINVAL;
@@ -2221,6 +2367,10 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
                params.plink_action =
                    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
+        if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
+                params.plink_state =
+                    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
        err = get_vlan(info, rdev, &params.vlan);
        if (err)
                goto out;
@@ -2260,9 +2410,10 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
                        err = -EINVAL;
                if (params.listen_interval >= 0)
                        err = -EINVAL;
-                if (params.supported_rates)
+                if (params.sta_flags_mask &
-                        err = -EINVAL;
+                                ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
-                if (params.sta_flags_mask)
+                                  BIT(NL80211_STA_FLAG_MFP) |
+                                  BIT(NL80211_STA_FLAG_AUTHORIZED)))
                        err = -EINVAL;
                break;
        default:
@@ -2324,11 +2475,16 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
                params.ht_capa =
                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
+        if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
+                params.plink_action =
+                    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
        if (parse_station_flags(info, &params))
                return -EINVAL;
        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
+            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
                return -EINVAL;
@@ -2804,8 +2960,10 @@ static const struct nla_policy
        nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
        [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
        [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
-        [NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE] = { .type = NLA_BINARY,
+        [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
+        [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
                .len = IEEE80211_MAX_DATA_LEN },
+        [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
 };
 static int nl80211_parse_mesh_config(struct genl_info *info,
@@ -2906,14 +3064,17 @@ static int nl80211_parse_mesh_setup(struct genl_info *info,
                 IEEE80211_PATH_METRIC_VENDOR :
                 IEEE80211_PATH_METRIC_AIRTIME;
-        if (tb[NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE]) {
+        if (tb[NL80211_MESH_SETUP_IE]) {
                struct nlattr *ieattr =
-                        tb[NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE];
+                        tb[NL80211_MESH_SETUP_IE];
                if (!is_valid_ie_attr(ieattr))
                        return -EINVAL;
-                setup->vendor_ie = nla_data(ieattr);
+                setup->ie = nla_data(ieattr);
-                setup->vendor_ie_len = nla_len(ieattr);
+                setup->ie_len = nla_len(ieattr);
        }
+        setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
+        setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
        return 0;
 }
@@ -3133,8 +3294,6 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct net_device *dev = info->user_ptr[1];
        struct cfg80211_scan_request *request;
-        struct cfg80211_ssid *ssid;
-        struct ieee80211_channel *channel;
        struct nlattr *attr;
        struct wiphy *wiphy;
        int err, tmp, n_ssids = 0, n_channels, i;
@@ -3181,8 +3340,8 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
                return -EINVAL;
        request = kzalloc(sizeof(*request)
-                        + sizeof(*ssid) * n_ssids
+                        + sizeof(*request->ssids) * n_ssids
-                        + sizeof(channel) * n_channels
+                        + sizeof(*request->channels) * n_channels
                        + ie_len, GFP_KERNEL);
        if (!request)
                return -ENOMEM;
@@ -3247,12 +3406,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
        i = 0;
        if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
-                        if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+                        if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
                                err = -EINVAL;
                                goto out_free;
                        }
-                        memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
                        request->ssids[i].ssid_len = nla_len(attr);
+                        memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
                        i++;
                }
        }
@@ -3282,6 +3441,197 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
        return err;
 }
+static int nl80211_start_sched_scan(struct sk_buff *skb,
+                                    struct genl_info *info)
+{
+        struct cfg80211_sched_scan_request *request;
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        struct nlattr *attr;
+        struct wiphy *wiphy;
+        int err, tmp, n_ssids = 0, n_channels, i;
+        u32 interval;
+        enum ieee80211_band band;
+        size_t ie_len;
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
+            !rdev->ops->sched_scan_start)
+                return -EOPNOTSUPP;
+        if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
+                return -EINVAL;
+        if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
+                return -EINVAL;
+        interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
+        if (interval == 0)
+                return -EINVAL;
+        wiphy = &rdev->wiphy;
+        if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
+                n_channels = validate_scan_freqs(
+                                info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
+                if (!n_channels)
+                        return -EINVAL;
+        } else {
+                n_channels = 0;
+                for (band = 0; band < IEEE80211_NUM_BANDS; band++)
+                        if (wiphy->bands[band])
+                                n_channels += wiphy->bands[band]->n_channels;
+        }
+        if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
+                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
+                                    tmp)
+                        n_ssids++;
+        if (n_ssids > wiphy->max_scan_ssids)
+                return -EINVAL;
+        if (info->attrs[NL80211_ATTR_IE])
+                ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
+        else
+                ie_len = 0;
+        if (ie_len > wiphy->max_scan_ie_len)
+                return -EINVAL;
+        mutex_lock(&rdev->sched_scan_mtx);
+        if (rdev->sched_scan_req) {
+                err = -EINPROGRESS;
+                goto out;
+        }
+        request = kzalloc(sizeof(*request)
+                        + sizeof(*request->ssids) * n_ssids
+                        + sizeof(*request->channels) * n_channels
+                        + ie_len, GFP_KERNEL);
+        if (!request) {
+                err = -ENOMEM;
+                goto out;
+        }
+        if (n_ssids)
+                request->ssids = (void *)&request->channels[n_channels];
+        request->n_ssids = n_ssids;
+        if (ie_len) {
+                if (request->ssids)
+                        request->ie = (void *)(request->ssids + n_ssids);
+                else
+                        request->ie = (void *)(request->channels + n_channels);
+        }
+        i = 0;
+        if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
+                /* user specified, bail out if channel not found */
+                nla_for_each_nested(attr,
+                                    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
+                                    tmp) {
+                        struct ieee80211_channel *chan;
+                        chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
+                        if (!chan) {
+                                err = -EINVAL;
+                                goto out_free;
+                        }
+                        /* ignore disabled channels */
+                        if (chan->flags & IEEE80211_CHAN_DISABLED)
+                                continue;
+                        request->channels[i] = chan;
+                        i++;
+                }
+        } else {
+                /* all channels */
+                for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
+                        int j;
+                        if (!wiphy->bands[band])
+                                continue;
+                        for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
+                                struct ieee80211_channel *chan;
+                                chan = &wiphy->bands[band]->channels[j];
+                                if (chan->flags & IEEE80211_CHAN_DISABLED)
+                                        continue;
+                                request->channels[i] = chan;
+                                i++;
+                        }
+                }
+        }
+        if (!i) {
+                err = -EINVAL;
+                goto out_free;
+        }
+        request->n_channels = i;
+        i = 0;
+        if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
+                                    tmp) {
+                        if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
+                                err = -EINVAL;
+                                goto out_free;
+                        }
+                        request->ssids[i].ssid_len = nla_len(attr);
+                        memcpy(request->ssids[i].ssid, nla_data(attr),
+                               nla_len(attr));
+                        i++;
+                }
+        }
+        if (info->attrs[NL80211_ATTR_IE]) {
+                request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
+                memcpy((void *)request->ie,
+                       nla_data(info->attrs[NL80211_ATTR_IE]),
+                       request->ie_len);
+        }
+        request->dev = dev;
+        request->wiphy = &rdev->wiphy;
+        request->interval = interval;
+        err = rdev->ops->sched_scan_start(&rdev->wiphy, dev, request);
+        if (!err) {
+                rdev->sched_scan_req = request;
+                nl80211_send_sched_scan(rdev, dev,
+                                        NL80211_CMD_START_SCHED_SCAN);
+                goto out;
+        }
+out_free:
+        kfree(request);
+out:
+        mutex_unlock(&rdev->sched_scan_mtx);
+        return err;
+}
+static int nl80211_stop_sched_scan(struct sk_buff *skb,
+                                   struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        int err;
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
+            !rdev->ops->sched_scan_stop)
+                return -EOPNOTSUPP;
+        mutex_lock(&rdev->sched_scan_mtx);
+        err = __cfg80211_stop_sched_scan(rdev, false);
+        mutex_unlock(&rdev->sched_scan_mtx);
+        return err;
+}
 static int nl80211_send_bss(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                            struct cfg80211_registered_device *rdev,
                            struct wireless_dev *wdev,
@@ -4780,6 +5130,194 @@ static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
        return cfg80211_leave_mesh(rdev, dev);
 }
+static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct sk_buff *msg;
+        void *hdr;
+        if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns)
+                return -EOPNOTSUPP;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!msg)
+                return -ENOMEM;
+        hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
+                             NL80211_CMD_GET_WOWLAN);
+        if (!hdr)
+                goto nla_put_failure;
+        if (rdev->wowlan) {
+                struct nlattr *nl_wowlan;
+                nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
+                if (!nl_wowlan)
+                        goto nla_put_failure;
+                if (rdev->wowlan->any)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_ANY);
+                if (rdev->wowlan->disconnect)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_DISCONNECT);
+                if (rdev->wowlan->magic_pkt)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT);
+                if (rdev->wowlan->n_patterns) {
+                        struct nlattr *nl_pats, *nl_pat;
+                        int i, pat_len;
+                        nl_pats = nla_nest_start(msg,
+                                        NL80211_WOWLAN_TRIG_PKT_PATTERN);
+                        if (!nl_pats)
+                                goto nla_put_failure;
+                        for (i = 0; i < rdev->wowlan->n_patterns; i++) {
+                                nl_pat = nla_nest_start(msg, i + 1);
+                                if (!nl_pat)
+                                        goto nla_put_failure;
+                                pat_len = rdev->wowlan->patterns[i].pattern_len;
+                                NLA_PUT(msg, NL80211_WOWLAN_PKTPAT_MASK,
+                                        DIV_ROUND_UP(pat_len, 8),
+                                        rdev->wowlan->patterns[i].mask);
+                                NLA_PUT(msg, NL80211_WOWLAN_PKTPAT_PATTERN,
+                                        pat_len,
+                                        rdev->wowlan->patterns[i].pattern);
+                                nla_nest_end(msg, nl_pat);
+                        }
+                        nla_nest_end(msg, nl_pats);
+                }
+                nla_nest_end(msg, nl_wowlan);
+        }
+        genlmsg_end(msg, hdr);
+        return genlmsg_reply(msg, info);
+nla_put_failure:
+        nlmsg_free(msg);
+        return -ENOBUFS;
+}
+static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
+        struct cfg80211_wowlan no_triggers = {};
+        struct cfg80211_wowlan new_triggers = {};
+        struct wiphy_wowlan_support *wowlan = &rdev->wiphy.wowlan;
+        int err, i;
+        if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns)
+                return -EOPNOTSUPP;
+        if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS])
+                goto no_triggers;
+        err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
+                        nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
+                        nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
+                        nl80211_wowlan_policy);
+        if (err)
+                return err;
+        if (tb[NL80211_WOWLAN_TRIG_ANY]) {
+                if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
+                        return -EINVAL;
+                new_triggers.any = true;
+        }
+        if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
+                if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
+                        return -EINVAL;
+                new_triggers.disconnect = true;
+        }
+        if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
+                if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
+                        return -EINVAL;
+                new_triggers.magic_pkt = true;
+        }
+        if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
+                struct nlattr *pat;
+                int n_patterns = 0;
+                int rem, pat_len, mask_len;
+                struct nlattr *pat_tb[NUM_NL80211_WOWLAN_PKTPAT];
+                nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
+                                    rem)
+                        n_patterns++;
+                if (n_patterns > wowlan->n_patterns)
+                        return -EINVAL;
+                new_triggers.patterns = kcalloc(n_patterns,
+                                                sizeof(new_triggers.patterns[0]),
+                                                GFP_KERNEL);
+                if (!new_triggers.patterns)
+                        return -ENOMEM;
+                new_triggers.n_patterns = n_patterns;
+                i = 0;
+                nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
+                                    rem) {
+                        nla_parse(pat_tb, MAX_NL80211_WOWLAN_PKTPAT,
+                                  nla_data(pat), nla_len(pat), NULL);
+                        err = -EINVAL;
+                        if (!pat_tb[NL80211_WOWLAN_PKTPAT_MASK] ||
+                            !pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN])
+                                goto error;
+                        pat_len = nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]);
+                        mask_len = DIV_ROUND_UP(pat_len, 8);
+                        if (nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]) !=
+                            mask_len)
+                                goto error;
+                        if (pat_len > wowlan->pattern_max_len ||
+                            pat_len < wowlan->pattern_min_len)
+                                goto error;
+                        new_triggers.patterns[i].mask =
+                                kmalloc(mask_len + pat_len, GFP_KERNEL);
+                        if (!new_triggers.patterns[i].mask) {
+                                err = -ENOMEM;
+                                goto error;
+                        }
+                        new_triggers.patterns[i].pattern =
+                                new_triggers.patterns[i].mask + mask_len;
+                        memcpy(new_triggers.patterns[i].mask,
+                               nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]),
+                               mask_len);
+                        new_triggers.patterns[i].pattern_len = pat_len;
+                        memcpy(new_triggers.patterns[i].pattern,
+                               nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]),
+                               pat_len);
+                        i++;
+                }
+        }
+        if (memcmp(&new_triggers, &no_triggers, sizeof(new_triggers))) {
+                struct cfg80211_wowlan *ntrig;
+                ntrig = kmemdup(&new_triggers, sizeof(new_triggers),
+                                GFP_KERNEL);
+                if (!ntrig) {
+                        err = -ENOMEM;
+                        goto error;
+                }
+                cfg80211_rdev_free_wowlan(rdev);
+                rdev->wowlan = ntrig;
+        } else {
+ no_triggers:
+                cfg80211_rdev_free_wowlan(rdev);
+                rdev->wowlan = NULL;
+        }
+        return 0;
+ error:
+        for (i = 0; i < new_triggers.n_patterns; i++)
+                kfree(new_triggers.patterns[i].mask);
+        kfree(new_triggers.patterns);
+        return err;
+}
 #define NL80211_FLAG_NEED_WIPHY         0x01
 #define NL80211_FLAG_NEED_NETDEV        0x02
 #define NL80211_FLAG_NEED_RTNL          0x04
@@ -5064,6 +5602,22 @@ static struct genl_ops nl80211_ops[] = {
                .dumpit = nl80211_dump_scan,
        },
        {
+                .cmd = NL80211_CMD_START_SCHED_SCAN,
+                .doit = nl80211_start_sched_scan,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
+                .cmd = NL80211_CMD_STOP_SCHED_SCAN,
+                .doit = nl80211_stop_sched_scan,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
                .cmd = NL80211_CMD_AUTHENTICATE,
                .doit = nl80211_authenticate,
                .policy = nl80211_policy,
@@ -5278,6 +5832,22 @@ static struct genl_ops nl80211_ops[] = {
                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
+        {
+                .cmd = NL80211_CMD_GET_WOWLAN,
+                .doit = nl80211_get_wowlan,
+                .policy = nl80211_policy,
+                /* can be retrieved by unprivileged users */
+                .internal_flags = NL80211_FLAG_NEED_WIPHY |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
+                .cmd = NL80211_CMD_SET_WOWLAN,
+                .doit = nl80211_set_wowlan,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_WIPHY |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
 };
 static struct genl_multicast_group nl80211_mlme_mcgrp = {
@@ -5373,6 +5943,28 @@ static int nl80211_send_scan_msg(struct sk_buff *msg,
        return -EMSGSIZE;
 }
+static int
+nl80211_send_sched_scan_msg(struct sk_buff *msg,
+                            struct cfg80211_registered_device *rdev,
+                            struct net_device *netdev,
+                            u32 pid, u32 seq, int flags, u32 cmd)
+{
+        void *hdr;
+        hdr = nl80211hdr_put(msg, pid, seq, flags, cmd);
+        if (!hdr)
+                return -1;
+        NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
+        NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
+        return genlmsg_end(msg, hdr);
+ nla_put_failure:
+        genlmsg_cancel(msg, hdr);
+        return -EMSGSIZE;
+}
 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
                             struct net_device *netdev)
 {
@@ -5430,6 +6022,43 @@ void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
                                nl80211_scan_mcgrp.id, GFP_KERNEL);
 }
+void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
+                                     struct net_device *netdev)
+{
+        struct sk_buff *msg;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!msg)
+                return;
+        if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
+                                        NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_scan_mcgrp.id, GFP_KERNEL);
+}
+void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
+                             struct net_device *netdev, u32 cmd)
+{
+        struct sk_buff *msg;
+        msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+        if (!msg)
+                return;
+        if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_scan_mcgrp.id, GFP_KERNEL);
+}
 /*
 * This can happen on global regulatory changes or device specific settings
 * based on custom world regulatory domains.
@@ -5785,6 +6414,44 @@ void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
        nlmsg_free(msg);
 }
+void nl80211_send_new_peer_candidate(struct cfg80211_registered_device *rdev,
+                struct net_device *netdev,
+                const u8 *macaddr, const u8* ie, u8 ie_len,
+                gfp_t gfp)
+{
+        struct sk_buff *msg;
+        void *hdr;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+        if (!msg)
+                return;
+        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
+        if (!hdr) {
+                nlmsg_free(msg);
+                return;
+        }
+        NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
+        NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
+        NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, macaddr);
+        if (ie_len && ie)
+                NLA_PUT(msg, NL80211_ATTR_IE, ie_len , ie);
+        if (genlmsg_end(msg, hdr) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_mlme_mcgrp.id, gfp);
+        return;
+ nla_put_failure:
+        genlmsg_cancel(msg, hdr);
+        nlmsg_free(msg);
+}
 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
                                 struct net_device *netdev, const u8 *addr,
                                 enum nl80211_key_type key_type, int key_id,
@@ -5808,7 +6475,8 @@ void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
        if (addr)
                NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, addr);
        NLA_PUT_U32(msg, NL80211_ATTR_KEY_TYPE, key_type);
-        NLA_PUT_U8(msg, NL80211_ATTR_KEY_IDX, key_id);
+        if (key_id != -1)
+                NLA_PUT_U8(msg, NL80211_ATTR_KEY_IDX, key_id);
        if (tsc)
                NLA_PUT(msg, NL80211_ATTR_KEY_SEQ, 6, tsc);
@@ -5966,6 +6634,40 @@ void nl80211_send_sta_event(struct cfg80211_registered_device *rdev,
                                nl80211_mlme_mcgrp.id, gfp);
 }
+void nl80211_send_sta_del_event(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev, const u8 *mac_addr,
+                                gfp_t gfp)
+{
+        struct sk_buff *msg;
+        void *hdr;
+        msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
+        if (!msg)
+                return;
+        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
+        if (!hdr) {
+                nlmsg_free(msg);
+                return;
+        }
+        NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
+        NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr);
+        if (genlmsg_end(msg, hdr) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_mlme_mcgrp.id, gfp);
+        return;
+ nla_put_failure:
+        genlmsg_cancel(msg, hdr);
+        nlmsg_free(msg);
+}
 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
                      struct net_device *netdev, u32 nlpid,
                      int freq, const u8 *buf, size_t len, gfp_t gfp)
diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h
index e3f7fa886966..2f1bfb87a651 100644
--- a/net/wireless/nl80211.h
+++ b/net/wireless/nl80211.h
@@ -12,6 +12,10 @@ void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
                            struct net_device *netdev);
 void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
                               struct net_device *netdev);
+void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
+                             struct net_device *netdev, u32 cmd);
+void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
+                                     struct net_device *netdev);
 void nl80211_send_reg_change_event(struct regulatory_request *request);
 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
                          struct net_device *netdev,
@@ -50,6 +54,10 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
                               struct net_device *netdev, u16 reason,
                               const u8 *ie, size_t ie_len, bool from_ap);
+void nl80211_send_new_peer_candidate(struct cfg80211_registered_device *rdev,
+                                     struct net_device *netdev,
+                                     const u8 *macaddr, const u8* ie, u8 ie_len,
+                                     gfp_t gfp);
 void
 nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
                            struct net_device *netdev, const u8 *addr,
@@ -79,6 +87,9 @@ void nl80211_send_remain_on_channel_cancel(
 void nl80211_send_sta_event(struct cfg80211_registered_device *rdev,
                            struct net_device *dev, const u8 *mac_addr,
                            struct station_info *sinfo, gfp_t gfp);
+void nl80211_send_sta_del_event(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev, const u8 *mac_addr,
+                                gfp_t gfp);
 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
                      struct net_device *netdev, u32 nlpid, int freq,
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index ab801a1097b2..1ad0f39fe091 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -106,6 +106,9 @@ struct reg_beacon {
 static void reg_todo(struct work_struct *work);
 static DECLARE_WORK(reg_work, reg_todo);
+static void reg_timeout_work(struct work_struct *work);
+static DECLARE_DELAYED_WORK(reg_timeout, reg_timeout_work);
 /* We keep a static world regulatory domain in case of the absence of CRDA */
 static const struct ieee80211_regdomain world_regdom = {
        .n_reg_rules = 5,
@@ -669,11 +672,9 @@ static int freq_reg_info_regd(struct wiphy *wiphy,
        for (i = 0; i < regd->n_reg_rules; i++) {
                const struct ieee80211_reg_rule *rr;
                const struct ieee80211_freq_range *fr = NULL;
-                const struct ieee80211_power_rule *pr = NULL;
                rr = &regd->reg_rules[i];
                fr = &rr->freq_range;
-                pr = &rr->power_rule;
                /*
                 * We only need to know if one frequency rule was
@@ -1330,6 +1331,9 @@ static void reg_set_request_processed(void)
                need_more_processing = true;
        spin_unlock(&reg_requests_lock);
+        if (last_request->initiator == NL80211_REGDOM_SET_BY_USER)
+                cancel_delayed_work_sync(&reg_timeout);
        if (need_more_processing)
                schedule_work(&reg_work);
 }
@@ -1440,8 +1444,18 @@ static void reg_process_hint(struct regulatory_request *reg_request)
        r = __regulatory_hint(wiphy, reg_request);
        /* This is required so that the orig_* parameters are saved */
        if (r == -EALREADY && wiphy &&
-            wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY)
+            wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY) {
                wiphy_update_regulatory(wiphy, initiator);
+                return;
+        }
+        /*
+         * We only time out user hints, given that they should be the only
+         * source of bogus requests.
+         */
+        if (r != -EALREADY &&
+            reg_request->initiator == NL80211_REGDOM_SET_BY_USER)
+                schedule_delayed_work(&reg_timeout, msecs_to_jiffies(3142));
 }
 /*
@@ -1744,6 +1758,8 @@ static void restore_regulatory_settings(bool reset_user)
 {
        char alpha2[2];
        struct reg_beacon *reg_beacon, *btmp;
+        struct regulatory_request *reg_request, *tmp;
+        LIST_HEAD(tmp_reg_req_list);
        mutex_lock(&cfg80211_mutex);
        mutex_lock(&reg_mutex);
@@ -1751,6 +1767,25 @@ static void restore_regulatory_settings(bool reset_user)
        reset_regdomains();
        restore_alpha2(alpha2, reset_user);
+        /*
+         * If there's any pending requests we simply
+         * stash them to a temporary pending queue and
+         * add then after we've restored regulatory
+         * settings.
+         */
+        spin_lock(&reg_requests_lock);
+        if (!list_empty(&reg_requests_list)) {
+                list_for_each_entry_safe(reg_request, tmp,
+                                         &reg_requests_list, list) {
+                        if (reg_request->initiator !=
+                            NL80211_REGDOM_SET_BY_USER)
+                                continue;
+                        list_del(&reg_request->list);
+                        list_add_tail(&reg_request->list, &tmp_reg_req_list);
+                }
+        }
+        spin_unlock(&reg_requests_lock);
        /* Clear beacon hints */
        spin_lock_bh(&reg_pending_beacons_lock);
        if (!list_empty(&reg_pending_beacons)) {
@@ -1785,8 +1820,31 @@ static void restore_regulatory_settings(bool reset_user)
         */
        if (is_an_alpha2(alpha2))
                regulatory_hint_user(user_alpha2);
-}
+        if (list_empty(&tmp_reg_req_list))
+                return;
+        mutex_lock(&cfg80211_mutex);
+        mutex_lock(&reg_mutex);
+        spin_lock(&reg_requests_lock);
+        list_for_each_entry_safe(reg_request, tmp, &tmp_reg_req_list, list) {
+                REG_DBG_PRINT("Adding request for country %c%c back "
+                              "into the queue\n",
+                              reg_request->alpha2[0],
+                              reg_request->alpha2[1]);
+                list_del(&reg_request->list);
+                list_add_tail(&reg_request->list, &reg_requests_list);
+        }
+        spin_unlock(&reg_requests_lock);
+        mutex_unlock(&reg_mutex);
+        mutex_unlock(&cfg80211_mutex);
+        REG_DBG_PRINT("Kicking the queue\n");
+        schedule_work(&reg_work);
+}
 void regulatory_hint_disconnect(void)
 {
@@ -2125,6 +2183,13 @@ out:
        mutex_unlock(&reg_mutex);
 }
+static void reg_timeout_work(struct work_struct *work)
+{
+        REG_DBG_PRINT("Timeout while waiting for CRDA to reply, "
+                      "restoring regulatory settings");
+        restore_regulatory_settings(true);
+}
 int __init regulatory_init(void)
 {
        int err = 0;
@@ -2178,6 +2243,7 @@ void /* __init_or_exit */ regulatory_exit(void)
        struct reg_beacon *reg_beacon, *btmp;
        cancel_work_sync(&reg_work);
+        cancel_delayed_work_sync(&reg_timeout);
        mutex_lock(&cfg80211_mutex);
        mutex_lock(&reg_mutex);
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index fbf6f33ae4d0..ae0c2256ba3b 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -93,6 +93,69 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
 }
 EXPORT_SYMBOL(cfg80211_scan_done);
+void __cfg80211_sched_scan_results(struct work_struct *wk)
+{
+        struct cfg80211_registered_device *rdev;
+        rdev = container_of(wk, struct cfg80211_registered_device,
+                            sched_scan_results_wk);
+        mutex_lock(&rdev->sched_scan_mtx);
+        /* we don't have sched_scan_req anymore if the scan is stopping */
+        if (rdev->sched_scan_req)
+                nl80211_send_sched_scan_results(rdev,
+                                                rdev->sched_scan_req->dev);
+        mutex_unlock(&rdev->sched_scan_mtx);
+}
+void cfg80211_sched_scan_results(struct wiphy *wiphy)
+{
+        /* ignore if we're not scanning */
+        if (wiphy_to_dev(wiphy)->sched_scan_req)
+                queue_work(cfg80211_wq,
+                           &wiphy_to_dev(wiphy)->sched_scan_results_wk);
+}
+EXPORT_SYMBOL(cfg80211_sched_scan_results);
+void cfg80211_sched_scan_stopped(struct wiphy *wiphy)
+{
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+        mutex_lock(&rdev->sched_scan_mtx);
+        __cfg80211_stop_sched_scan(rdev, true);
+        mutex_unlock(&rdev->sched_scan_mtx);
+}
+EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
+int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
+                               bool driver_initiated)
+{
+        int err;
+        struct net_device *dev;
+        lockdep_assert_held(&rdev->sched_scan_mtx);
+        if (!rdev->sched_scan_req)
+                return 0;
+        dev = rdev->sched_scan_req->dev;
+        if (!driver_initiated) {
+                err = rdev->ops->sched_scan_stop(&rdev->wiphy, dev);
+                if (err)
+                        return err;
+        }
+        nl80211_send_sched_scan(rdev, dev, NL80211_CMD_SCHED_SCAN_STOPPED);
+        kfree(rdev->sched_scan_req);
+        rdev->sched_scan_req = NULL;
+        return err;
+}
 static void bss_release(struct kref *ref)
 {
        struct cfg80211_internal_bss *bss;
@@ -204,13 +267,35 @@ static bool is_bss(struct cfg80211_bss *a,
        return memcmp(ssidie + 2, ssid, ssid_len) == 0;
 }
+static bool is_mesh_bss(struct cfg80211_bss *a)
+{
+        const u8 *ie;
+        if (!WLAN_CAPABILITY_IS_STA_BSS(a->capability))
+                return false;
+        ie = cfg80211_find_ie(WLAN_EID_MESH_ID,
+                              a->information_elements,
+                              a->len_information_elements);
+        if (!ie)
+                return false;
+        ie = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
+                              a->information_elements,
+                              a->len_information_elements);
+        if (!ie)
+                return false;
+        return true;
+}
 static bool is_mesh(struct cfg80211_bss *a,
                    const u8 *meshid, size_t meshidlen,
                    const u8 *meshcfg)
 {
        const u8 *ie;
-        if (!is_zero_ether_addr(a->bssid))
+        if (!WLAN_CAPABILITY_IS_STA_BSS(a->capability))
                return false;
        ie = cfg80211_find_ie(WLAN_EID_MESH_ID,
@@ -248,11 +333,7 @@ static int cmp_bss(struct cfg80211_bss *a,
        if (a->channel != b->channel)
                return b->channel->center_freq - a->channel->center_freq;
-        r = memcmp(a->bssid, b->bssid, ETH_ALEN);
+        if (is_mesh_bss(a) && is_mesh_bss(b)) {
-        if (r)
-                return r;
-        if (is_zero_ether_addr(a->bssid)) {
                r = cmp_ies(WLAN_EID_MESH_ID,
                            a->information_elements,
                            a->len_information_elements,
@@ -267,6 +348,10 @@ static int cmp_bss(struct cfg80211_bss *a,
                               b->len_information_elements);
        }
+        r = memcmp(a->bssid, b->bssid, ETH_ALEN);
+        if (r)
+                return r;
        return cmp_ies(WLAN_EID_SSID,
                       a->information_elements,
                       a->len_information_elements,
@@ -394,7 +479,6 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
                    struct cfg80211_internal_bss *res)
 {
        struct cfg80211_internal_bss *found = NULL;
-        const u8 *meshid, *meshcfg;
        /*
         * The reference to "res" is donated to this function.
@@ -407,22 +491,6 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
        res->ts = jiffies;
-        if (is_zero_ether_addr(res->pub.bssid)) {
-                /* must be mesh, verify */
-                meshid = cfg80211_find_ie(WLAN_EID_MESH_ID,
-                                          res->pub.information_elements,
-                                          res->pub.len_information_elements);
-                meshcfg = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
-                                           res->pub.information_elements,
-                                           res->pub.len_information_elements);
-                if (!meshid || !meshcfg ||
-                    meshcfg[1] != sizeof(struct ieee80211_meshconf_ie)) {
-                        /* bogus mesh */
-                        kref_put(&res->ref, bss_release);
-                        return NULL;
-                }
-        }
        spin_lock_bh(&dev->bss_lock);
        found = rb_find_bss(dev, res);
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index e17b0bee6bdc..b7b6ff8be553 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -250,7 +250,8 @@ static struct cfg80211_bss *cfg80211_get_conn_bss(struct wireless_dev *wdev)
        if (wdev->conn->params.privacy)
                capa |= WLAN_CAPABILITY_PRIVACY;
-        bss = cfg80211_get_bss(wdev->wiphy, NULL, wdev->conn->params.bssid,
+        bss = cfg80211_get_bss(wdev->wiphy, wdev->conn->params.channel,
+                               wdev->conn->params.bssid,
                               wdev->conn->params.ssid,
                               wdev->conn->params.ssid_len,
                               WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_PRIVACY,
@@ -470,7 +471,10 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
        }
        if (!bss)
-                bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
+                bss = cfg80211_get_bss(wdev->wiphy,
+                                       wdev->conn ? wdev->conn->params.channel :
+                                       NULL,
+                                       bssid,
                                       wdev->ssid, wdev->ssid_len,
                                       WLAN_CAPABILITY_ESS,
                                       WLAN_CAPABILITY_ESS);
@@ -538,7 +542,9 @@ void cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 }
 EXPORT_SYMBOL(cfg80211_connect_result);
-void __cfg80211_roamed(struct wireless_dev *wdev, const u8 *bssid,
+void __cfg80211_roamed(struct wireless_dev *wdev,
+                       struct ieee80211_channel *channel,
+                       const u8 *bssid,
                       const u8 *req_ie, size_t req_ie_len,
                       const u8 *resp_ie, size_t resp_ie_len)
 {
@@ -565,7 +571,7 @@ void __cfg80211_roamed(struct wireless_dev *wdev, const u8 *bssid,
        cfg80211_put_bss(&wdev->current_bss->pub);
        wdev->current_bss = NULL;
-        bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
+        bss = cfg80211_get_bss(wdev->wiphy, channel, bssid,
                               wdev->ssid, wdev->ssid_len,
                               WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_ESS);
@@ -603,7 +609,9 @@ void __cfg80211_roamed(struct wireless_dev *wdev, const u8 *bssid,
 #endif
 }
-void cfg80211_roamed(struct net_device *dev, const u8 *bssid,
+void cfg80211_roamed(struct net_device *dev,
+                     struct ieee80211_channel *channel,
+                     const u8 *bssid,
                     const u8 *req_ie, size_t req_ie_len,
                     const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp)
 {
@@ -619,6 +627,7 @@ void cfg80211_roamed(struct net_device *dev, const u8 *bssid,
                return;
        ev->type = EVENT_ROAMED;
+        ev->rm.channel = channel;
        memcpy(ev->rm.bssid, bssid, ETH_ALEN);
        ev->rm.req_ie = ((u8 *)ev) + sizeof(*ev);
        ev->rm.req_ie_len = req_ie_len;
diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c
index 4294fa22bb2d..c6e4ca6a7d2e 100644
--- a/net/wireless/sysfs.c
+++ b/net/wireless/sysfs.c
@@ -93,7 +93,7 @@ static int wiphy_suspend(struct device *dev, pm_message_t state)
        if (rdev->ops->suspend) {
                rtnl_lock();
-                ret = rdev->ops->suspend(&rdev->wiphy);
+                ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
                rtnl_unlock();
        }
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 6a750bc6bcfe..4d7b83fbc32f 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -544,7 +544,8 @@ EXPORT_SYMBOL(ieee80211_data_from_8023);
 void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
                              const u8 *addr, enum nl80211_iftype iftype,
-                              const unsigned int extra_headroom)
+                              const unsigned int extra_headroom,
+                              bool has_80211_header)
 {
        struct sk_buff *frame = NULL;
        u16 ethertype;
@@ -553,14 +554,18 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
        int remaining, err;
        u8 dst[ETH_ALEN], src[ETH_ALEN];
-        err = ieee80211_data_to_8023(skb, addr, iftype);
+        if (has_80211_header) {
-        if (err)
+                err = ieee80211_data_to_8023(skb, addr, iftype);
-                goto out;
+                if (err)
+                        goto out;
-        /* skip the wrapping header */
+                /* skip the wrapping header */
-        eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
+                eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
-        if (!eth)
+                if (!eth)
-                goto out;
+                        goto out;
+        } else {
+                eth = (struct ethhdr *) skb->data;
+        }
        while (skb != frame) {
                u8 padding;
@@ -741,7 +746,7 @@ static void cfg80211_process_wdev_events(struct wireless_dev *wdev)
                                NULL);
                        break;
                case EVENT_ROAMED:
-                        __cfg80211_roamed(wdev, ev->rm.bssid,
+                        __cfg80211_roamed(wdev, ev->rm.channel, ev->rm.bssid,
                                          ev->rm.req_ie, ev->rm.req_ie_len,
                                          ev->rm.resp_ie, ev->rm.resp_ie_len);
                        break;
@@ -803,6 +808,11 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
                return -EBUSY;
        if (ntype != otype) {
+                err = cfg80211_can_change_interface(rdev, dev->ieee80211_ptr,
+                                                    ntype);
+                if (err)
+                        return err;
                dev->ieee80211_ptr->use_4addr = false;
                dev->ieee80211_ptr->mesh_id_up_len = 0;
@@ -896,3 +906,103 @@ u16 cfg80211_calculate_bitrate(struct rate_info *rate)
        /* do NOT round down here */
        return (bitrate + 50000) / 100000;
 }
+int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,
+                                 u32 beacon_int)
+{
+        struct wireless_dev *wdev;
+        int res = 0;
+        if (!beacon_int)
+                return -EINVAL;
+        mutex_lock(&rdev->devlist_mtx);
+        list_for_each_entry(wdev, &rdev->netdev_list, list) {
+                if (!wdev->beacon_interval)
+                        continue;
+                if (wdev->beacon_interval != beacon_int) {
+                        res = -EINVAL;
+                        break;
+                }
+        }
+        mutex_unlock(&rdev->devlist_mtx);
+        return res;
+}
+int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
+                                  struct wireless_dev *wdev,
+                                  enum nl80211_iftype iftype)
+{
+        struct wireless_dev *wdev_iter;
+        int num[NUM_NL80211_IFTYPES];
+        int total = 1;
+        int i, j;
+        ASSERT_RTNL();
+        /* Always allow software iftypes */
+        if (rdev->wiphy.software_iftypes & BIT(iftype))
+                return 0;
+        /*
+         * Drivers will gradually all set this flag, until all
+         * have it we only enforce for those that set it.
+         */
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_ENFORCE_COMBINATIONS))
+                return 0;
+        memset(num, 0, sizeof(num));
+        num[iftype] = 1;
+        mutex_lock(&rdev->devlist_mtx);
+        list_for_each_entry(wdev_iter, &rdev->netdev_list, list) {
+                if (wdev_iter == wdev)
+                        continue;
+                if (!netif_running(wdev_iter->netdev))
+                        continue;
+                if (rdev->wiphy.software_iftypes & BIT(wdev_iter->iftype))
+                        continue;
+                num[wdev_iter->iftype]++;
+                total++;
+        }
+        mutex_unlock(&rdev->devlist_mtx);
+        for (i = 0; i < rdev->wiphy.n_iface_combinations; i++) {
+                const struct ieee80211_iface_combination *c;
+                struct ieee80211_iface_limit *limits;
+                c = &rdev->wiphy.iface_combinations[i];
+                limits = kmemdup(c->limits, sizeof(limits[0]) * c->n_limits,
+                                 GFP_KERNEL);
+                if (!limits)
+                        return -ENOMEM;
+                if (total > c->max_interfaces)
+                        goto cont;
+                for (iftype = 0; iftype < NUM_NL80211_IFTYPES; iftype++) {
+                        if (rdev->wiphy.software_iftypes & BIT(iftype))
+                                continue;
+                        for (j = 0; j < c->n_limits; j++) {
+                                if (!(limits[j].types & iftype))
+                                        continue;
+                                if (limits[j].max < num[iftype])
+                                        goto cont;
+                                limits[j].max -= num[iftype];
+                        }
+                }
+                /* yay, it fits */
+                kfree(limits);
+                return 0;
+ cont:
+                kfree(limits);
+        }
+        return -EBUSY;
+}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index b4d745ea8ee1..5ce74a385525 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,7 +50,7 @@ static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
 static void xfrm_init_pmtu(struct dst_entry *dst);
 static int stale_bundle(struct dst_entry *dst);
-static int xfrm_bundle_ok(struct xfrm_dst *xdst, int family);
+static int xfrm_bundle_ok(struct xfrm_dst *xdst);
 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
@@ -1348,7 +1348,8 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
        default:
                BUG();
        }
-        xdst = dst_alloc(dst_ops, 0);
+        xdst = dst_alloc(dst_ops, NULL, 0, 0, 0);
+        memset(&xdst->u.rt6.rt6i_table, 0, sizeof(*xdst) - sizeof(struct dst_entry));
        xfrm_policy_put_afinfo(afinfo);
        if (likely(xdst))
@@ -2240,7 +2241,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
 static int stale_bundle(struct dst_entry *dst)
 {
-        return !xfrm_bundle_ok((struct xfrm_dst *)dst, AF_UNSPEC);
+        return !xfrm_bundle_ok((struct xfrm_dst *)dst);
 }
 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -2312,7 +2313,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
 * still valid.
 */
-static int xfrm_bundle_ok(struct xfrm_dst *first, int family)
+static int xfrm_bundle_ok(struct xfrm_dst *first)
 {
        struct dst_entry *dst = &first->u.dst;
        struct xfrm_dst *last;
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 47f1b8638df9..b11ea692bd7d 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -265,7 +265,7 @@ static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
                        bitnr = bitnr & 0x1F;
                        replay_esn->bmp[nr] |= (1U << bitnr);
                } else {
-                        nr = replay_esn->replay_window >> 5;
+                        nr = (replay_esn->replay_window - 1) >> 5;
                        for (i = 0; i <= nr; i++)
                                replay_esn->bmp[i] = 0;
@@ -471,7 +471,7 @@ static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
                        bitnr = bitnr & 0x1F;
                        replay_esn->bmp[nr] |= (1U << bitnr);
                } else {
-                        nr = replay_esn->replay_window >> 5;
+                        nr = (replay_esn->replay_window - 1) >> 5;
                        for (i = 0; i <= nr; i++)
                                replay_esn->bmp[i] = 0;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index dd78536d40de..9414b9c5b1e4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1036,15 +1036,15 @@ static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m,
                case AF_INET6:
                        ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
-                                       (struct in6_addr *)daddr);
+                                       (const struct in6_addr *)daddr);
                        ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
-                                       (struct in6_addr *)saddr);
+                                       (const struct in6_addr *)saddr);
                        x->sel.prefixlen_d = 128;
                        x->sel.prefixlen_s = 128;
                        ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
-                                       (struct in6_addr *)saddr);
+                                       (const struct in6_addr *)saddr);
                        ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
-                                       (struct in6_addr *)daddr);
+                                       (const struct in6_addr *)daddr);
                        break;
                }
@@ -1345,6 +1345,8 @@ out:
                        xfrm_state_check_expire(x1);
                err = 0;
+                x->km.state = XFRM_STATE_DEAD;
+                __xfrm_state_put(x);
        }
        spin_unlock_bh(&x1->lock);
@@ -2092,8 +2094,8 @@ static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
                                      struct audit_buffer *audit_buf)
 {
-        struct iphdr *iph4;
+        const struct iphdr *iph4;
-        struct ipv6hdr *iph6;
+        const struct ipv6hdr *iph6;
        switch (family) {
        case AF_INET: